A hierarchical authority management method based on double serial number establishment and a copy-proof USB disk
The hierarchical access control method established by dual serial numbers, combined with geolocation and behavioral feature analysis, dynamically assesses operational risks, solves the problem of coarse access control in existing technologies, and achieves efficient data copy prevention and operational convenience.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SUZHOU HONGCUNXINJIE TECH CO LTD
- Filing Date
- 2026-03-23
- Publication Date
- 2026-07-10
Smart Images

Figure CN121902181B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of information security technology, and in particular to a hierarchical permission management method based on dual serial numbers and an anti-copying USB flash drive. Background Technology
[0002] In the field of information security, anti-copying technology for data storage devices is a crucial element in protecting core corporate data and personal privacy. With mobile storage devices, especially USB flash drives, becoming the mainstream medium for data exchange due to their convenience, effectively curbing unauthorized data copying has become a focal point for information security. Currently, most anti-copying solutions strive to strike a balance between security (i.e., preventing data leaks) and ease of use (i.e., ensuring a smooth experience for legitimate users). Common existing technologies typically employ single-dimensional protection methods, such as password-based authentication or hardware binding based on device serial numbers. These methods, to a certain extent, build a basic security defense line; their core logic is to verify passwords or single serial numbers, granting full or preset fixed permissions upon successful verification.
[0003] However, existing technologies for preventing copying generally suffer from a major drawback: their access control is coarse-grained and lacks dynamic adaptability. Whether it's password verification or hardware binding, both are essentially static, all-or-nothing protection models. Once a user passes initial verification, the system struggles to finely differentiate subsequent operations. For example, existing technologies often cannot dynamically adjust protection strategies for a legitimate single-file read versus a suspicious batch copying activity. This leads to either overly strict protection that mistakenly blocks legitimate operations, impacting efficiency, or rigid strategies that leave security vulnerabilities, allowing attackers to gain access once the initial defenses are breached. This limitation is particularly pronounced in complex and ever-changing real-world scenarios, failing to meet the combined demands of robust protection and efficient operation. Summary of the Invention
[0004] Therefore, the technical problem to be solved by this invention is to overcome the shortcomings of existing technologies, such as coarse-grained access control and the use of static single verification modes, which make it difficult to balance security and ease of operation when facing sensitive operations. This invention provides a hierarchical access control method based on dual serial numbers, which can achieve fine-grained access control for different types of operations by strongly binding identity and device serial numbers, hierarchical verification based on operation sensitivity, dynamic risk assessment combined with behavior and environment, and real-time transmission feature monitoring. This ensures the security of highly sensitive operations while also ensuring a smooth experience for routine operations.
[0005] To address the aforementioned technical problems, this invention provides a hierarchical access control method based on dual serial numbers, comprising the following steps:
[0006] In response to a device connection request, obtain a first serial number and a second serial number, where the first serial number is the user identifier and the second serial number is the device identifier;
[0007] The first serial number and the second serial number are combined to generate a composite permission query key. Based on the composite permission query key, a preset permission mapping table is queried to determine the set of operation permissions for the user-device combination.
[0008] Receive data operation requests and determine the operation type of the data operation request based on the set of operation permissions;
[0009] For operation requests classified as sensitive, a multi-factor verification process is triggered, including: obtaining real-time geolocation information at the time the data operation request was initiated and the real-time operation sequence of the current connection session; inputting the real-time operation sequence into a pre-trained behavioral feature analysis model to calculate the deviation between the real-time operation sequence and the user's historical normal operation patterns, and generating a behavioral risk score based on the real-time geolocation information; assessing the risk level of the behavioral risk score, and if the behavioral risk score reaches a high risk level, rejecting the execution of the data operation request and recording a security log; otherwise, allowing the execution of the data operation request based on the set of operation permissions; generating a behavioral risk score based on real-time geolocation information includes: a preset whitelist of commonly used geographic areas, which records the geographic location codes that have appeared in the user's historical normal operations; comparing the obtained real-time geolocation information with the whitelist of commonly used geographic areas; if the real-time geolocation information is in the whitelist of commonly used geographic areas, the behavioral risk score is directly taken as the deviation; if the real-time geolocation information is not in the whitelist of commonly used geographic areas, a risk increment value is added to the deviation, and the result after addition is used as the behavioral risk score.
[0010] For operation requests that are not sensitive operation types, allow the execution of data operation requests directly based on the operation permission set;
[0011] After data operations are permitted, the data stream transmission rate and packet destination address of the current connection session are monitored in real time to obtain real-time transmission characteristics;
[0012] The real-time transmission characteristics are matched with a normal transmission pattern library established based on the user's historical normal operation patterns. When the matching result indicates that there is continuous data outflow and the target address is an unauthorized address, the current connection session is interrupted, and the user behavior risk profile associated with the first sequence number is updated according to the monitoring results.
[0013] In one embodiment of the present invention, the permission mapping table pre-stores the correspondence between user-device combinations and operation permission sets, wherein the operation permission set includes at least three levels: read-only permission, read-write permission, and disabled permission; the operation permission set of the user-device combination is determined by querying the preset permission mapping table based on the composite permission query key, specifically as follows:
[0014] The first serial number is used as the prefix and the second serial number is used as the suffix to concatenate the strings. The concatenated string is then hashed, and the resulting hash value is used as the composite permission query key.
[0015] Using the composite permission query key as an index, search for a matching permission record in the permission mapping table. If a matching record is found, extract the corresponding set of operation permissions. If no matching record is found, assign the default read-only permission as the set of operation permissions.
[0016] In one embodiment of the present invention, the sensitive operation types include: batch copy operation, file export operation, formatting operation, and system file modification operation; the operation type of the data operation request is determined according to the operation permission set, specifically: parsing the operation instruction code contained in the data operation request, comparing the operation instruction code with a preset sensitive operation instruction code list, and if the operation instruction code exists in the sensitive operation instruction code list, then the operation request is determined to be a sensitive operation type.
[0017] In one embodiment of the present invention, obtaining real-time geographic location information when initiating a data operation request specifically involves: obtaining the current latitude and longitude coordinates through the GPS module built into the USB flash drive, and converting the latitude and longitude coordinates into geographic location codes; obtaining the real-time operation sequence of the current connection session specifically involves: recording all operation instructions and their timestamps from the start of the current connection session to the receipt of the data operation request, and generating an operation instruction sequence in chronological order.
[0018] In one embodiment of the present invention, constructing a pre-trained behavioral feature analysis model includes:
[0019] Collect the types of operations, the time intervals between adjacent operations, and the frequency of operations per unit time in the user's historical normal operations as historical behavior samples.
[0020] In the historical behavior sample, count the number of times the operation type shifts from the previous operation type to the next operation type, and calculate the probability of each operation type shift.
[0021] Statistically analyze the probability distribution of different time intervals for each type of operation;
[0022] The operation type transition probability and the time interval probability distribution under different operation types are used as feature parameters to describe the user's historical normal operation mode.
[0023] The deviation between the real-time operation sequence and the user's historical normal operation mode is calculated by comparing the operation type, the time interval between adjacent operations and the feature parameters in the real-time operation sequence, calculating the joint probability value of the occurrence of the real-time operation sequence, and taking the negative logarithm of the joint probability value as the deviation.
[0024] In one embodiment of the present invention, the behavioral risk score is used to determine the risk level, including:
[0025] Obtain users' historical risk score records and calculate the mean and standard deviation of the historical risk score records;
[0026] The first risk threshold is the mean plus one standard deviation, and the second risk threshold is the mean plus two standard deviations.
[0027] The current behavioral risk score is compared with the first risk threshold and the second risk threshold: if the behavioral risk score is less than the first risk threshold, it is rated as low risk; if the behavioral risk score is between the first risk threshold and the second risk threshold, it is rated as medium risk; if the behavioral risk score is greater than the second risk threshold, it is rated as high risk.
[0028] In one embodiment of the present invention, the normal transmission pattern library stores the transmission rate range, transmission time period distribution, and a whitelist of commonly used target addresses of the user during historical normal operations; matching real-time transmission characteristics with the normal transmission pattern library established based on the user's historical normal operation patterns specifically involves:
[0029] Determine whether the current data stream transmission rate exceeds the upper limit of the transmission rate range, determine whether the current time is outside the transmission time period distribution, and determine whether the destination address of the data packet is not in the commonly used destination address whitelist;
[0030] If the following conditions are met simultaneously: the transmission rate exceeds the upper limit, the time is outside the time period distribution, and the target address is not in the whitelist, then the matching result indicates that there is continuous data outflow and the target address is an unauthorized address.
[0031] In one embodiment of the present invention, updating the user behavior risk profile associated with the first serial number based on monitoring results specifically involves:
[0032] The real-time transmission characteristics during this interrupted connection session are used as abnormal behavior samples, and the target address and transmission rate are extracted as feature fields.
[0033] Add the abnormal behavior sample to the abnormal behavior record table of the user behavior risk profile corresponding to the first serial number;
[0034] According to the preset cycle, new samples in the abnormal behavior record table are added to the training set of the behavior feature analysis model, and the behavior feature analysis model is incrementally updated.
[0035] To address the aforementioned technical problems, this invention also provides an anti-copying USB flash drive, comprising a memory and a processor, having dual serial numbers, the memory storing a computer program, and the processor executing the computer program to implement the steps of the hierarchical permission management method based on the dual serial numbers described above.
[0036] The technical solution of the present invention has the following advantages compared with the prior art:
[0037] The hierarchical access control method based on dual serial numbers described in this invention achieves fine-grained binding between users and devices by introducing a dual serial number mechanism, thus overcoming the limitations of the coarse-grained access control of traditional solutions. For sensitive operations, multi-factor verification is performed by combining real-time geolocation information and behavioral feature analysis models, which can dynamically assess operational risks, effectively avoid falsely blocking legitimate operations, and promptly prevent high-risk behaviors. In addition, real-time monitoring of data stream transmission characteristics and matching with a normal pattern library further enhances the ability to identify and block abnormal data outflows, significantly improving the security and dynamic adaptability of data anti-copying. Attached Figure Description
[0038] To make the content of this invention easier to understand, the invention will be further described in detail below with reference to specific embodiments and accompanying drawings, wherein:
[0039] Figure 1 This is a flowchart of the hierarchical permission management method based on dual serial numbers in this invention;
[0040] Figure 2 This is a flowchart illustrating the steps of determining the set of operation permissions for a user-device combination based on a permission mapping table, according to the present invention.
[0041] Figure 3 This is a flowchart illustrating the steps involved in constructing a pre-trained behavioral feature analysis model according to the present invention.
[0042] Figure 4 This is a flowchart illustrating the steps of generating a behavioral risk score using real-time geolocation information according to the present invention.
[0043] Figure 5 This is a flowchart illustrating the steps of the present invention in assessing the risk level using behavioral risk scoring;
[0044] Figure 6 This is a flowchart illustrating the steps of matching real-time transmission features with a normal transmission mode library according to the present invention. Detailed Implementation
[0045] The present invention will be further described below with reference to the accompanying drawings and specific embodiments, so that those skilled in the art can better understand and implement the present invention. However, the embodiments described are not intended to limit the present invention.
[0046] Reference Figure 1 As shown, this invention proposes a hierarchical access control method based on dual serial numbers, constructing a multi-layered dynamic protection system from the perspective of the entire data operation process. Firstly, it starts with identity recognition. In response to a device connection request, it simultaneously obtains a first serial number identifying the user and a second serial number identifying the anti-copy USB drive itself. The combination of these two serial numbers generates a unique composite access control query key, used to query a preset access control mapping table. This step physically binds the operator to the device, fundamentally eliminating the risk of access based solely on a password or device, laying a reliable foundation for subsequent fine-grained access control.
[0047] Building upon this foundation, the solution introduces a tiered verification mechanism based on operational sensitivity. Upon receiving a data operation request, the system first determines the type of operation based on the established set of operation permissions. For routine requests that are not sensitive, the system allows direct execution, ensuring the smoothness of daily operations and avoiding unnecessary verification steps that could disrupt the user experience. For highly sensitive operations such as batch copying and file export, the system automatically triggers a multi-factor verification process. This process no longer relies solely on static passwords but incorporates dynamic behavior and environment analysis: firstly, it acquires real-time geolocation information at the time the request is initiated to identify operations from abnormal geographical locations; secondly, it acquires the real-time operation sequence of the current session and inputs it into a pre-trained behavioral feature analysis model. By calculating the deviation from the user's historical normal operation patterns, the risk of the current behavior is quantified. The behavioral risk score generated by combining these two factors identifies the true risk level of the operation. Only when the risk score does not reach a high-risk level will the operation be allowed to execute; otherwise, it will be rejected and logged. This mechanism enables dynamic adjustment of permissions, making the protection of sensitive operations more flexible and accurate, and significantly improving the accuracy of identifying potential threats.
[0048] Furthermore, to prevent unauthorized actions during legitimate operations, a real-time monitoring and dynamic feedback mechanism is implemented. After data operations are permitted, the system continuously monitors the data stream transmission rate and packet destination addresses of the current session. If data stream characteristics are detected, such as continuous high-speed data outflow targeting an unauthorized address, and this does not match the transmission pattern library built upon the user's historical normal behavior, the system immediately terminates the connection session. This not only promptly blocks ongoing malicious copying activities but also updates the behavioral risk profile associated with the user's identifier based on monitoring results. This profile serves as input to the behavioral feature analysis model, enabling the model to continuously learn from changes in user habits, achieving self-evolution and optimization of the security strategy.
[0049] In summary, this invention precisely addresses the problems of crude, static, and unadaptive access control in existing technologies through a comprehensive set of interconnected technical measures, including dual-serial number binding, hierarchical permission division, multi-factor dynamic verification, and real-time behavior monitoring and feedback. Its beneficial effects include: First, by shifting the verification focus from single identity verification to identity, behavior, and environment verification, it significantly enhances the protection against highly sensitive operations and effectively curbs unauthorized data copying; second, by differentiating the sensitivity of operations, it avoids disturbing low-risk operations while rigorously verifying high-risk operations, maximizing user experience while ensuring security; finally, through real-time monitoring and dynamic updates to user behavior profiles, the security system possesses adaptive capabilities, continuously resisting ever-changing security threats and providing users with robust yet flexible data security protection in complex business scenarios.
[0050] In this embodiment, a composite permission query key is generated by combining the first serial number and the second serial number. Based on this composite permission query key, a preset permission mapping table is queried to determine the set of user-device combined operation permissions. Therefore, referring to... Figure 2 As shown, this application further proposes a permission mapping table that pre-stores the correspondence between user-device combinations and operation permission sets. The operation permission set includes at least three levels: read-only permission, read-write permission, and disabled permission. Based on the composite permission query key, the pre-set permission mapping table is queried to determine the operation permission set of the user-device combination. Specifically, the first sequence number is used as a prefix and the second sequence number is used as a suffix to concatenate strings, and the concatenated string is hashed. The resulting hash value is used as the composite permission query key. Using the composite permission query key as an index, a matching permission record is searched in the permission mapping table. If a matching record is found, the corresponding operation permission set is extracted. If no matching record is found, the default read-only permission is assigned as the operation permission set.
[0051] Specifically, the permission mapping table is a core data structure used to store permission information for combinations of users and devices. This table is pre-configured to ensure that the system can quickly query the operation permissions of a specific user on a specific device at runtime. The hierarchical division of operation permission sets, such as read-only permissions, read-write permissions, and disabled permissions, provides granular permission control capabilities. Read-only permissions allow users to view data but not modify it; read-write permissions allow users to view and modify data; disabled permissions completely prohibit users from performing any operations on a specific device. This hierarchical design makes permission management more flexible and secure, and can be configured according to actual business needs and security policies.
[0052] The generation method of the composite permission query key is crucial to the efficiency and security of permission queries. In this embodiment, a unique combined string is formed by concatenating the first serial number, which serves as the user identifier, and the second serial number, which serves as the device identifier. Subsequently, a hash operation is performed on this combined string to generate a fixed-length hash value as the composite permission query key. Hash operations have characteristics such as one-wayness and collision resistance, effectively protecting the original serial number information and preventing the derivation of the user or device identifier from the key. At the same time, it ensures the uniqueness and unpredictability of the generated key, thus improving key security.
[0053] After obtaining the composite permission query key, the system uses this key as an index to search the preset permission mapping table. This search is typically performed using efficient methods such as database queries or hash table lookups. If a permission record matching the key exists in the permission mapping table, the set of operation permissions defined in that record is directly extracted as the final operation permissions for the current user-device combination. If no record matching the key is found in the permission mapping table, meaning that the specific user-device combination has not been explicitly configured with permissions, the system will automatically assign default read-only permissions as the set of operation permissions. This default allocation mechanism ensures that even with incomplete permission configuration, the system can provide a secure, restricted access level, avoiding security vulnerabilities or system crashes caused by missing permissions, while also reducing the complexity of permission configuration.
[0054] By generating a composite permission query key using string concatenation and hash operations, this implementation ensures the uniqueness and security of the key, effectively preventing key tampering or reverse engineering. Simultaneously, the pre-defined correspondence between user-device combinations and operation permission sets in the permission mapping table, along with hierarchical permissions such as read-only, read-write, and disabled permissions, provides flexible and granular permission control. More importantly, when a permission record for a specific user-device combination is not found in the permission mapping table, the system automatically assigns a default read-only permission. This effectively avoids security vulnerabilities that may arise from incomplete permission configuration, ensuring that the system maintains a basic level of secure access under all circumstances. This improves the robustness and security of permission management and simplifies the complexity of permission configuration.
[0055] In practical applications, accurately and efficiently identifying which data operation requests fall under sensitive operation types to avoid unnecessary verification processes that could negatively impact user experience, while simultaneously ensuring the security of critical data operations, is a technical issue that requires further clarification and optimization. Unclear definitions of sensitive operation types or inaccurate judgment mechanisms can lead to security vulnerabilities or frequent triggering of multi-factor authentication due to misjudgments, reducing system availability.
[0056] In response, this application further proposes that sensitive operation types include batch copying operations, file export operations, formatting operations, and system file modification operations; the operation type of a data operation request is determined based on the set of operation permissions, specifically: parsing the operation instruction code contained in the data operation request, comparing the operation instruction code with a preset list of sensitive operation instruction codes, and if the operation instruction code exists in the list of sensitive operation instruction codes, then the operation request is determined to be a sensitive operation type.
[0057] Specifically, sensitive operation types are defined as those that pose a potentially high risk to data security or system stability, such as bulk copying, file exporting, formatting, and modifying system files. Bulk copying typically refers to a user attempting to copy large amounts of data from a protected environment to external storage or a network location, which can lead to data breaches. File exporting refers to transferring files from a controlled device to an external environment via specific applications or functions, also posing a data breach risk. Formatting initializes the storage medium, resulting in the permanent erasure of data, and is considered a high-risk data corruption activity. Modifying system files involves altering core operating system components or critical configurations, potentially jeopardizing normal system operation and security. These operation types are considered sensitive because, if maliciously exploited, they can cause serious damage to data assets and system integrity.
[0058] To accurately determine whether a data operation request belongs to the aforementioned sensitive operation types, this application achieves this by parsing the operation instruction codes contained in the data operation request. Operation instruction codes are low-level commands or API call identifiers issued by the operating system or application when performing a specific function. For example, a file copy operation corresponds to a specific file system API call, and a formatting operation corresponds to a disk management command. The parsing process typically involves monitoring and analyzing system calls, application programming interfaces, or network protocol packets to extract instruction information representing the operation intent.
[0059] The parsed operation command codes are then compared with a pre-configured list of sensitive operation command codes. This list is a pre-configured database or collection containing specific command codes, API function names, command-line arguments, or event identifiers corresponding to sensitive behaviors such as batch copying, file exporting, formatting, and modifying system files. The comparison process can be an exact match or based on pattern recognition (such as regular expression matching) to identify a series of related commands.
[0060] If the comparison result shows that the current operation command code exists in the list of sensitive operation command codes, the system will determine that the data operation request belongs to a sensitive operation type. This determination will trigger a subsequent multi-factor authentication process to further confirm the legality of the operation and the user's identity.
[0061] To perform multi-factor verification of sensitive operation requests, this application further proposes to obtain real-time geolocation information when the data operation request is initiated. Specifically, the latitude and longitude coordinates of the current location are obtained through the GPS module built into the USB flash drive, and the latitude and longitude coordinates are converted into geolocation codes. The real-time operation sequence of the current connection session is obtained, specifically, all operation instructions and their timestamps are recorded from the start of the current connection session to the receipt of the data operation request, and an operation instruction sequence is generated in chronological order.
[0062] Specifically, real-time geolocation information is crucial for determining whether the operating environment is abnormal, such as whether the user is operating from their usual work location. Obtaining the current latitude and longitude coordinates via the built-in GPS module of the USB flash drive is a direct and accurate positioning method, particularly suitable for scenarios where the USB flash drive is used as the operating medium, reducing reliance on external network environments. The obtained latitude and longitude coordinates are then converted into geolocation codes, which can be administrative division codes, custom region IDs, etc., for subsequent comparison with a pre-defined geographical region whitelist to assess regional risks. Real-time operation sequences are key data for analyzing user behavior patterns and determining whether operations are abnormal. By recording all operation instructions and their timestamps from the start of the current connection session to the receipt of a data operation request, and generating an operation instruction sequence in chronological order, the user's behavioral path and rhythm within a specific session can be reconstructed. Operation instructions can include specific operations such as opening, copying, deleting, and modifying files, while timestamps provide the time dimension information of the operation, providing detailed and ordered input data for behavioral feature analysis models.
[0063] After identifying real-time geolocation information and real-time operation sequences as verification factors, behavioral feature analysis models can more accurately calculate the deviation between real-time operation sequences and users' historical normal operation patterns. Figure 3 As shown, this application further proposes a method for constructing a pre-trained behavioral feature analysis model, including: When constructing the pre-trained behavioral feature analysis model, it is first necessary to collect the operation types, time intervals between adjacent operations, and operation frequency per unit time from the user's historical normal operations as historical behavior samples. Operation types refer to various specific actions performed by the user on the system or device, such as opening files, modifying files, switching directories, starting programs, and querying data. These operation types are the basic building blocks of user behavior and can be obtained through system logs, API call monitoring, or event capture mechanisms of specific applications. The time interval between adjacent operations refers to the time elapsed between the completion of one operation and the start of the next, reflecting the rhythm and thought process of the user's operations. It can be obtained by recording the precise timestamp of each operation and calculating the difference. The operation frequency per unit time refers to the total number of times the user performs operations within a specific time window (e.g., 1 minute, 5 minutes), reflecting the density and activity of the user's operations. It can be calculated by counting the number of operation events within a sliding time window. Historical behavior samples are the aforementioned data collected from users' past operations that are considered normal and compliant. They serve as the basis for establishing a baseline of normal user behavior and are typically stored in a database or a dedicated data storage system.
[0064] Based on this, it is necessary to statistically analyze the frequency of transitions from one operation type to the next in historical behavior samples and calculate the probability of each transition. This step aims to capture the sequential and habitual nature of user operations, as users typically tend to perform certain specific follow-up operations after completing an operation. This can be achieved by constructing a state transition matrix or a Markov chain model, traversing the operation sequences in all historical behavior samples, recording the frequency of each pair of consecutive operations (previous operation type -> next operation type), and then calculating the conditional probability of each operation type transition. Simultaneously, it is also necessary to statistically analyze the probability distribution of different time intervals for each operation type. This step aims to quantify the temporal rhythm characteristics of users performing specific operations. This can be achieved by collecting time interval data between all adjacent operations for each operation type, dividing this time interval data into several predefined time intervals, statistically analyzing the frequency of time intervals within each interval, and calculating its proportion in the total time intervals, thereby obtaining the probability distribution. Finally, the operation type transition probability and the time interval probability distribution under different operation types are used as feature parameters to describe the user's historical normal operation pattern. These parameters together constitute the mathematical description of the user's normal behavior pattern and are stored in the behavior feature analysis model in the form of a data structure as a benchmark for subsequent real-time behavior comparison.
[0065] When calculating the deviation between a real-time operation sequence and a user's historical normal operation pattern, the operation type and time interval between adjacent operations in the real-time operation sequence are compared with the aforementioned feature parameters. A joint probability value for the occurrence of the real-time operation sequence is calculated, and the negative logarithm of the joint probability value is used as the deviation. A real-time operation sequence refers to a series of operation instructions and their timestamps being executed by the user in the current connection session. For each operation in the real-time operation sequence, firstly, based on its operation type and the previous operation type, the operation type transition probability stored in the model is retrieved. Simultaneously, based on the time interval between this operation and the previous operation, the probability distribution of the time interval under the corresponding operation type stored in the model is retrieved to obtain the probability of that time interval occurring. These probability values are multiplied to obtain the joint probability value of the entire real-time operation sequence. Finally, the negative logarithm of the calculated joint probability value is used as the deviation. The smaller the joint probability value, the lower the match between the real-time operation sequence and the historical normal pattern; the larger its negative logarithm (deviation), the more abnormal the behavior.
[0066] Using the deviation calculated above, refer to Figure 4As shown, this application proposes a more refined behavioral risk scoring generation mechanism, specifically including: First, a pre-defined whitelist of frequently used geographic areas, which records the geographic location codes that have appeared in the user's historical normal operations. This whitelist of frequently used geographic areas is a pre-configured list or database containing geographic location information of the user's frequently performed operations, constructed based on the geographic locations of past user operations considered normal. When a user performs a normal operation, the system records their geographic location information and adds their geographic location code to the whitelist. The whitelist can be maintained periodically, for example, by removing geographic locations that have not been used for a long time, or by adding new geographic locations based on new normal operation patterns.
[0067] Secondly, the acquired real-time geolocation information is compared with a whitelist of commonly used geographic areas. When the system obtains the real-time geolocation information at the time of the data operation request, it queries the whitelist of commonly used geographic areas to determine whether the current location belongs to a geographic area known and trusted by the user. The comparison can be an exact match or a fuzzy match, such as determining whether it falls within a preset geographic area.
[0068] Secondly, if the real-time geolocation information is within the frequently used geographic area whitelist, the behavioral risk score will directly be the deviation value. This means that when a user operates within a trusted geographic area, the geographic location risk is low, and the behavioral risk score is mainly determined by the deviation of the operation itself, avoiding unnecessary risk enhancement. If the comparison results show that the real-time geolocation information exists in the whitelist, the system will use the deviation between the previously calculated real-time operation sequence and the user's historical normal operation pattern as the final behavioral risk score, without adding additional risk weights from geographic location.
[0069] Finally, if the real-time geolocation information is not in the commonly used geographic area whitelist, a risk increment value is added to the deviation score, and the result is used as the behavioral risk score. When a user operates in an untrusted geographic area, it indicates a potential risk in the geographic location. In this case, an additional risk weight needs to be added to the deviation score to more accurately reflect the overall risk. If the comparison result shows that the real-time geolocation information is not in the whitelist, the system will add a predefined risk increment value to the deviation score according to preset risk assessment rules. This increment value can be fixed or dynamically determined based on the geographic location offset distance. The greater the geographic location offset, the larger the increment value. The added value is the final behavioral risk score.
[0070] Reference Figure 5As shown, this application further proposes a risk level assessment method for behavioral risk scores, including: before assessing the risk level, the system first acquires historical risk score records associated with a specific user. These records are a collection of behavioral risk scores calculated and stored by the system based on the user's behavioral patterns and geographical location information during past operations. By statistically analyzing these historical risk score records, their mean and standard deviation can be calculated. The mean represents the user's average risk level under normal operating conditions, while the standard deviation reflects the fluctuation range or dispersion of their risk scores. These statistics provide the basis for subsequently dynamically setting risk thresholds.
[0071] Based on this, the system dynamically sets risk thresholds using statistical principles. Specifically, the calculated historical risk score mean plus one standard deviation is used as the first risk threshold. Simultaneously, the mean plus two standard deviations is used as the second risk threshold. This method of dynamically adjusting thresholds based on users' historical behavioral data allows risk level classification to better adapt to the personalized behavioral patterns of different users, avoiding misjudgments or omissions that might occur with fixed thresholds. For example, for a user with relatively small fluctuations in risk score, their threshold range will be relatively concentrated; while for users with diverse behavioral patterns and large fluctuations in risk score, their threshold range will be correspondingly expanded, thus more accurately reflecting their true risk level.
[0072] Subsequently, the system compares the behavioral risk score generated from the current data operation request with the dynamically set first and second risk thresholds. Based on the comparison results, the risk level of the current operation is assessed. If the current behavioral risk score is less than the first risk threshold, the operation is determined to be low-risk, indicating that its behavioral pattern is highly consistent with the user's historical normal operating pattern, and the geographical location information is also within a reliable range. If the behavioral risk score is between the first and second risk thresholds, it is determined to be medium-risk, which may mean that the operational behavior has a certain degree of deviation or the geographical location is slightly abnormal, but has not yet reached the level of high risk. If the behavioral risk score is greater than the second risk threshold, it is determined to be high-risk, which usually indicates that the current operational behavior deviates significantly from the user's historical normal pattern, or that the geographical location information is seriously abnormal, posing a high security risk.
[0073] In some embodiments described above, after data operations are permitted, the system monitors the data stream transmission rate and packet destination address of the current connection session in real time to obtain real-time transmission characteristics. However, simply obtaining these real-time transmission characteristics may not be sufficient to accurately determine whether covert, persistent data leakage occurs, especially when attackers attempt to circumvent simple threshold detection. Therefore, a more refined and comprehensive matching mechanism is needed to effectively identify abnormal data transmission patterns.
[0074] Reference Figure 6 As shown, this application further proposes that the normal transmission mode library stores the transmission rate range, transmission time distribution, and commonly used target address whitelist of users in historical normal operations; the real-time transmission characteristics are matched with the normal transmission mode library established based on the user's historical normal operation mode to determine whether the current data stream transmission rate exceeds the upper limit of the transmission rate range, whether the current time is outside the transmission time distribution, and whether the data packet target address is not in the commonly used target address whitelist; if the transmission rate exceeds the upper limit, the time is outside the time distribution, and the target address is not in the whitelist, then the matching result indicates that there is continuous data outflow and the target address is an unauthorized address.
[0075] Specifically, the normal transmission pattern library is a knowledge base used by the system to store and manage users' historical normal data transmission behavior patterns. This library establishes a baseline behavior pattern through long-term observation and statistical analysis of users' data transmission activities during normal operation. This library can be a structured database or file system, maintaining a record for each user (identified by a first sequence number). The record includes: transmission rate ranges, i.e., the minimum and maximum data flow transmission rates under normal operation, or more precisely, the transmission rate distribution intervals under different time periods or different operation types; transmission time distribution, i.e., recording the time periods when users typically transmit data, for example, users mainly transmit data from 9 am to 5 pm on weekdays, while rarely transmitting data at night or on weekends; and a whitelist of frequently used target addresses, i.e., storing a list of target addresses that users frequently access or transmit data to during normal operation, such as internal server IPs, authorized cloud storage service domains, and IP addresses of frequently used business partners. The construction of the pattern library requires a continuous data collection and update mechanism to adapt to changes in user behavior. Machine learning methods can be used to cluster and recognize patterns in historical data to more accurately define these ranges and distributions.
[0076] Matching real-time transmission characteristics with a library of normal transmission patterns built upon historical user behavior aims to identify potential abnormal transmission activity by comparing current real-time data transmission behavior with historical normal user behavior patterns. This matching process involves extracting key indicators from real-time transmission characteristics and comparing them with baseline data stored in the pattern library; this is typically a multi-dimensional comparison process.
[0077] The specific matching logic determines whether the current data stream transmission rate exceeds the upper limit of the transmission rate range, whether the current time is outside the transmission time distribution, and whether the destination address of the data packet is not in the commonly used destination address whitelist. This logic quantifies the deviation of real-time transmission characteristics from the normal pattern. The system obtains the data stream transmission rate of the current connection session in real time and compares it with the upper limit of the transmission rate range recorded for that user in the normal transmission pattern library. If the real-time rate is higher than the upper limit, it is marked as abnormal. The system obtains the time when the current data transmission occurred and compares it with the transmission time distribution recorded for that user in the normal transmission pattern library. For example, if the user usually transmits data during working hours, and the current transmission occurs late at night, it is marked as abnormal. The system obtains the destination address of the current data packet and compares it with the commonly used destination address whitelist recorded for that user in the normal transmission pattern library. If the destination address is not in the whitelist, it is marked as abnormal.
[0078] If the following conditions are met simultaneously: transmission rate exceeding the limit, time outside the time period distribution, and target address not in the whitelist, then the matching result indicates continuous data outflow and the target address is an unauthorized address. The system performs a logical AND operation on the above three judgment results. Only when all three conditions are met simultaneously is it finally determined that there is highly suspicious continuous data outflow to an unauthorized address. This multi-dimensional collaborative judgment mechanism can effectively filter out false alarms that may be caused by a single abnormal indicator, such as occasional transmission rate fluctuations or access to an infrequently used legitimate address.
[0079] In this embodiment, when abnormal behavior is detected by real-time monitoring of data stream transmission characteristics, the connection session is not simply interrupted. To optimize subsequent risk identification capabilities, this application further proposes a specific method for updating the user behavior risk profile associated with the first serial number based on the monitoring results. This method includes: when the system detects continuous data outflow with an unauthorized target address and interrupts the current connection session, the real-time transmission characteristics at the time of the interruption are used as abnormal behavior samples. Specifically, the system extracts key information from these real-time transmission characteristics, such as the target address and transmission rate, as feature fields of the abnormal behavior samples. For example, the target address can be a specific IP address, domain name, or file path, and the transmission rate can be the amount of data transmitted per unit time. These extracted abnormal behavior samples are then added to the abnormal behavior record table of the user behavior risk profile corresponding to the first serial number. Each user maintains their own exclusive user behavior risk profile, which records in detail the user's historical operational behavior and all identified abnormal events. Archiving abnormal samples here ensures that the abnormal behavior history of each user is traceable and provides a data foundation for subsequent personalized risk assessment. To enable the behavioral feature analysis model to continuously learn and adapt to new threat patterns, the system adds new samples from the abnormal behavior record table to the training set of the behavioral feature analysis model at preset intervals, such as daily, weekly, or after accumulating a certain number of new samples, and incrementally updates the model. This incremental update mechanism allows the model to adjust its internal parameters and recognition rules based on existing knowledge by learning from new abnormal samples, thereby improving its accuracy and robustness in detecting future abnormal behaviors.
[0080] Utilizing the aforementioned hierarchical permission management method based on dual serial numbers, this application further applies it to a USB flash drive, providing a copy-proof USB flash drive, including a memory and a processor, and possessing dual serial numbers. The memory stores a computer program, and the processor, when executing the computer program, implements the steps of the aforementioned hierarchical permission management method based on dual serial numbers. By integrating a memory and processor with dual serial numbers into the USB flash drive and executing the hierarchical permission management method based on dual serial numbers, fine-grained permission control and dynamic risk assessment of the user-device combination are achieved. This effectively solves the technical problems of coarse-grained permission control and lack of dynamic adaptability in existing technologies, achieving the effect of improving operational convenience while ensuring data security.
[0081] Specifically, the memory stores data such as the permission mapping table, the normal transmission pattern library, and user behavior risk profiles. The processor is configured to execute computer programs to perform functions such as obtaining the first and second serial numbers, generating composite permission query keys, and querying operation permission sets. When the processor detects that a data operation request is a sensitive operation type, it triggers a multi-factor verification process, including obtaining real-time geolocation information and a real-time operation sequence, inputting the real-time operation sequence into a pre-trained behavioral feature analysis model to calculate the deviation, and combining it with the real-time geolocation information to generate a behavioral risk score. Based on the risk level assessment result, it decides whether to allow the operation to be executed. For non-sensitive operation types, it directly executes according to the operation permission set. After allowing the data operation to be executed, the processor monitors the data stream transmission rate and the destination address of the data packets in real time, matches the real-time transmission characteristics with the normal transmission pattern library, and interrupts the connection session and updates the user behavior risk profile when it identifies continuous data flowing out to an unauthorized address.
[0082] Through the above technical solution, this invention's copying USB flash drive overcomes the limitations of traditional static protection modes, enabling access control to dynamically adapt to operational risks based on user-device combinations. Because the processor incorporates real-time geolocation information and behavioral feature analysis models during execution, it can accurately distinguish between legitimate single-file reading and suspicious batch copying behavior, avoiding security vulnerabilities or false blocking of legitimate operations due to rigid policies. Simultaneously, the normal transmission mode library and user behavior risk profile maintained in the memory allow the USB flash drive to continuously learn from users' historical normal operating patterns and dynamically optimize the risk assessment mechanism. Overall, embedding the dual serial number mechanism and dynamic access control method into the USB flash drive significantly improves the real-time response capability and security protection accuracy of anti-copying technology, effectively balancing security and ease of use in complex and ever-changing usage scenarios.
[0083] Obviously, the above embodiments are merely illustrative examples for clear explanation and are not intended to limit the implementation. Those skilled in the art will recognize that other variations or modifications can be made based on the above description. It is neither necessary nor possible to exhaustively list all possible implementations here. However, obvious variations or modifications derived therefrom are still within the scope of protection of this invention.
Claims
1. A hierarchical permission management method based on dual serial numbers, characterized in that, Includes the following steps: In response to a device connection request, obtain a first serial number and a second serial number, where the first serial number is the user identifier and the second serial number is the device identifier; The first serial number and the second serial number are combined to generate a composite permission query key. Based on the composite permission query key, a preset permission mapping table is queried to determine the set of operation permissions for the user-device combination. Receive data operation requests and determine the operation type of the data operation request based on the set of operation permissions; For operation requests classified as sensitive, a multi-factor verification process is triggered, including: obtaining real-time geolocation information at the time the data operation request was initiated and the real-time operation sequence of the current connection session; inputting the real-time operation sequence into a pre-trained behavioral feature analysis model to calculate the deviation between the real-time operation sequence and the user's historical normal operation patterns, and generating a behavioral risk score based on the real-time geolocation information; assessing the risk level of the behavioral risk score, and if the behavioral risk score reaches a high risk level, rejecting the execution of the data operation request and recording a security log; otherwise, allowing the execution of the data operation request based on the set of operation permissions; generating a behavioral risk score based on real-time geolocation information includes: a preset whitelist of commonly used geographic areas, which records the geographic location codes that have appeared in the user's historical normal operations; comparing the obtained real-time geolocation information with the whitelist of commonly used geographic areas; if the real-time geolocation information is in the whitelist of commonly used geographic areas, the behavioral risk score is directly taken as the deviation; if the real-time geolocation information is not in the whitelist of commonly used geographic areas, a risk increment value is added to the deviation, and the result after addition is used as the behavioral risk score. For operation requests that are not sensitive operation types, allow the data operation request to be executed directly based on the operation permission set; After data operations are permitted, the data stream transmission rate and packet destination address of the current connection session are monitored in real time to obtain real-time transmission characteristics; The real-time transmission characteristics are matched with a normal transmission pattern library established based on the user's historical normal operation patterns. When the matching result indicates that there is continuous data outflow and the target address is an unauthorized address, the current connection session is interrupted, and the user behavior risk profile associated with the first sequence number is updated according to the monitoring results.
2. The hierarchical permission management method based on dual serial numbers according to claim 1, characterized in that: The permission mapping table pre-stores the correspondence between user-device combinations and operation permission sets. The operation permission set includes at least three levels: read-only permission, read-write permission, and disabled permission. Based on the composite permission query key, a preset permission mapping table is queried to determine the user-device combination operation permission set, specifically: The first serial number is used as the prefix and the second serial number is used as the suffix to concatenate the strings. The concatenated string is then hashed, and the resulting hash value is used as the composite permission query key. Using the composite permission query key as an index, search for a matching permission record in the permission mapping table. If a matching record is found, extract the corresponding set of operation permissions. If no matching record is found, assign the default read-only permission as the set of operation permissions.
3. The hierarchical permission management method based on dual serial numbers according to claim 1, characterized in that: Sensitive operation types include: batch copy operations, file export operations, formatting operations, and system file modification operations. The operation type of a data operation request is determined based on the set of operation permissions. Specifically, the operation command code contained in the data operation request is parsed, and the operation command code is compared with a preset list of sensitive operation command codes. If the operation command code exists in the list of sensitive operation command codes, the operation request is determined to be a sensitive operation type.
4. The hierarchical permission management method based on dual serial numbers according to claim 1, characterized in that: To obtain real-time geolocation information when a data operation request is initiated, specifically: obtain the current latitude and longitude coordinates through the built-in GPS module of the USB flash drive, and convert the latitude and longitude coordinates into geolocation codes; to obtain the real-time operation sequence of the current connection session, specifically: record all operation instructions and their timestamps from the start of the current connection session to the receipt of the data operation request, and generate an operation instruction sequence in chronological order.
5. The hierarchical permission management method based on dual serial numbers according to claim 1, characterized in that: Construct a pre-trained behavioral feature analysis model, including: Collect the types of operations, the time intervals between adjacent operations, and the frequency of operations per unit time in the user's historical normal operations as historical behavior samples. In the historical behavior sample, count the number of times the operation type shifts from the previous operation type to the next operation type, and calculate the probability of each operation type shift. Statistically analyze the probability distribution of different time intervals for each type of operation; The operation type transition probability and the time interval probability distribution under different operation types are used as feature parameters to describe the user's historical normal operation mode. The deviation between the real-time operation sequence and the user's historical normal operation mode is calculated by comparing the operation type, the time interval between adjacent operations and the feature parameters in the real-time operation sequence, calculating the joint probability value of the occurrence of the real-time operation sequence, and taking the negative logarithm of the joint probability value as the deviation.
6. The hierarchical permission management method based on dual serial numbers according to claim 1, characterized in that: The behavioral risk score is used to determine the risk level, including: Obtain users' historical risk score records and calculate the mean and standard deviation of the historical risk score records; The first risk threshold is the mean plus one standard deviation, and the second risk threshold is the mean plus two standard deviations. The current behavioral risk score is compared with the first risk threshold and the second risk threshold: if the behavioral risk score is less than the first risk threshold, it is rated as low risk; if the behavioral risk score is between the first risk threshold and the second risk threshold, it is rated as medium risk; if the behavioral risk score is greater than the second risk threshold, it is rated as high risk.
7. The hierarchical permission management method based on dual serial numbers according to claim 1, characterized in that: The normal transmission pattern library stores the user's transmission rate range, transmission time distribution, and a whitelist of commonly used destination addresses during historical normal operations. Real-time transmission characteristics are matched against the normal transmission pattern library built based on the user's historical normal operation patterns, specifically as follows: Determine whether the current data stream transmission rate exceeds the upper limit of the transmission rate range, determine whether the current time is outside the transmission time period distribution, and determine whether the destination address of the data packet is not in the commonly used destination address whitelist; If the following conditions are met simultaneously: the transmission rate exceeds the upper limit, the time is outside the time period distribution, and the target address is not in the whitelist, then the matching result indicates that there is continuous data outflow and the target address is an unauthorized address.
8. The hierarchical permission management method based on dual serial numbers according to claim 1, characterized in that: The user behavior risk profile associated with the first serial number will be updated based on the monitoring results, specifically as follows: The real-time transmission characteristics during this interrupted connection session are used as abnormal behavior samples, and the target address and transmission rate are extracted as feature fields. Add the abnormal behavior sample to the abnormal behavior record table of the user behavior risk profile corresponding to the first serial number; According to the preset cycle, new samples in the abnormal behavior record table are added to the training set of the behavior feature analysis model, and the behavior feature analysis model is incrementally updated.
9. A copy-proof USB flash drive, characterized in that: It includes a memory and a processor, has dual serial numbers, the memory stores a computer program, and the processor executes the computer program to implement the steps of the hierarchical permission management method based on dual serial numbers as described in any one of claims 1 to 8.