A quantum encryption transmission and knowledge graph fusion data security system
By integrating quantum-encrypted transmission with knowledge graphs into a data security system, an enterprise data knowledge graph is constructed for path reasoning and risk assessment, generating dynamic response strategies and distributing keys using quantum channels. This solves the problem of low data transmission security in existing technologies and achieves high-security and precise data protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HAITIANDI DIGITAL TECH (BEIJING) CO LTD
- Filing Date
- 2026-04-07
- Publication Date
- 2026-06-26
AI Technical Summary
Existing data transmission security solutions suffer from computational complexity risks, static and coarse-grained encryption strategies, and a lack of understanding of data flow when facing complex and covert attack methods, making them difficult to deal with internal threats and complex data misuse.
A data security system that integrates quantum encryption transmission with knowledge graphs constructs an enterprise data knowledge graph for path reasoning and risk assessment, generates dynamic data response strategies, and uses quantum channels to distribute quantum symmetric keys for differentiated encrypted transmission.
It enables precise control of data access permissions, real-time perception of security risks, and quantum-level security assurance for data transmission, significantly improving the security protection capabilities of enterprises' core data.
Smart Images

Figure CN122001583B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of data processing technology, and more specifically, to a data security system that integrates quantum encrypted transmission with knowledge graphs. Background Technology
[0002] With the deepening of digital transformation, data has become a core asset for enterprises. However, data faces dual threats during transmission: external cyberattacks and internal malicious leaks. Traditional data security solutions, such as firewalls, intrusion detection systems, and traditional encryption technologies (such as RSA and AES), are gradually revealing their limitations in dealing with increasingly complex and covert attack methods.
[0003] First, traditional encryption technologies rely on computational complexity, making them vulnerable to being cracked. Second, existing encryption strategies are often static and coarse-grained, such as uniformly encrypting the entire database or file, failing to dynamically and finely adjust based on data content, visitor identity, and access context, resulting in a trade-off between security and efficiency. Third, existing security systems lack the ability to understand data flow and the deep semantic relationships between data entities, users, and operations, making them inadequate in detecting and responding to internal threats masquerading as legitimate users (such as Advanced Persistent Threats (APTs)) and complex data misuse behaviors. Summary of the Invention
[0004] This application aims to provide a data security system that integrates quantum encrypted transmission with knowledge graphs, in order to solve the problem of low data transmission security in existing technologies.
[0005] This application provides a data security system that integrates quantum encrypted transmission with knowledge graphs, including:
[0006] The knowledge graph construction module is used to collect multi-source data from enterprises and construct enterprise data knowledge graphs based on the multi-source data.
[0007] The dynamic encryption engine module is used to respond to real-time data access requests generated by users, and to perform path reasoning and risk assessment in the enterprise data knowledge graph based on the real-time data access requests, and generate a data response strategy corresponding to the real-time data access requests.
[0008] A quantum key distribution module is used to distribute quantum symmetric keys to data receivers via a quantum channel;
[0009] The quantum encryption transmission module is used to encrypt and transmit the target data corresponding to the real-time data access request to the user according to the data response strategy and the quantum symmetry key, thereby completing the secure data interaction.
[0010] In one possible implementation, multi-source enterprise data is collected, and an enterprise data knowledge graph is constructed based on the multi-source enterprise data, including:
[0011] Collect data on the relationships between personnel and departments, data and departments, and data and their corresponding access policies within an enterprise to obtain multi-source data.
[0012] A knowledge graph of enterprise data is constructed based on the enterprise's multi-source data.
[0013] In one possible implementation, in response to a real-time data access request generated by a user, and based on the real-time data access request, path reasoning and risk assessment are performed in the enterprise data knowledge graph to generate a data response strategy corresponding to the real-time data access request, including:
[0014] Responding to a real-time data access request generated by a user; wherein the real-time data access request includes the target data that the user needs to access;
[0015] Using the target data as an entity, path reasoning is performed in the enterprise data knowledge graph to determine the first target department and target access strategy corresponding to the target data.
[0016] Determine the second target department corresponding to the user, and determine whether the user, the first target department, and the second target department corresponding to the user meet the target access policy. If so, determine that the data permission requirements are met; otherwise, determine that the data permission requirements are not met.
[0017] The system acquires network traffic data of users during data access and uses a network security detection model pre-deployed through a neighborhood-order response optimization algorithm to conduct a risk assessment of the users, determining the risk assessment result; the risk assessment result includes whether there is a risk or not.
[0018] If the data access requirements are met and the risk assessment result indicates that there is no risk, then the data response strategy corresponding to the real-time data access request is a quantum encryption response strategy.
[0019] If the data access requirements are met and the risk assessment result indicates that there is a risk, then the data response strategy corresponding to the real-time data access request is a quantum-enhanced response strategy.
[0020] If the data access permissions are not met and the risk assessment result indicates that there is a risk or there is no risk, then the data response strategy corresponding to the real-time data access request will be a request rejection response strategy.
[0021] In one possible implementation, a method for pre-deploying a network security detection model using a neighborhood-order response optimization algorithm includes:
[0022] A network security detection model is constructed using a CNN-LSTM model, and the hyperparameters of the network security detection model are initially encoded to obtain a training population.
[0023] For any individual in the population, obtain the fitness of that individual, and determine the individual with the highest fitness as the globally optimal individual;
[0024] Based on the globally optimal individual, an adaptive exploration range is generated for the individual, and a dynamic region exploration strategy is used to explore the neighborhood of the individual according to the adaptive exploration range to obtain the first target individual;
[0025] For any first target individual, a dual-strategy solution space exploration strategy controlled by a dynamic switching mechanism is used to adaptively explore the position of the first target individual to obtain the second target individual;
[0026] For any second target individual, a greedy segmented perturbation strategy is used to adaptively explore the second target individual globally to obtain the third target individual;
[0027] Determine whether the current number of training iterations is greater than or equal to the preset maximum number of training iterations. If so, redetermine the global optimal individual based on the third target individual. Otherwise, based on the third target individual, return to the step of obtaining the global optimal individual and proceed to the next training process.
[0028] The hyperparameters of the newly determined globally optimal individuals are used as the hyperparameters of the network security detection model and deployed to the server where the dynamic encryption engine module is located.
[0029] In one possible implementation, based on the globally optimal individual, an adaptive exploration range is generated for the individual, and according to the adaptive exploration range, a dynamic region exploration strategy is used to explore the neighborhood of the individual to obtain the first target individual, including:
[0030] Obtain the current number of training iterations and determine the dynamic selection factor based on the current number of training iterations;
[0031] Based on the aforementioned dynamic selection factor and the globally optimal individual, an adaptive exploration range is generated by combining the upper limit individual composed of the upper limit of hyperparameters and the lower limit individual composed of the lower limit of hyperparameters.
[0032] For any given individual, the upper and lower limits of the adaptive exploration range are used to dynamically explore the region of the individual to obtain the first target individual.
[0033] In one possible implementation, for any first target individual, an adaptive positional exploration strategy controlled by a dynamic switching mechanism is used to explore the solution space of the first target individual to obtain a second target individual, including:
[0034] For any first target individual, obtain the fitness corresponding to the first target individual, and determine the dynamic switching factor based on the fitness corresponding to the first target individual;
[0035] Based on the aforementioned dynamic switching factor, a population information reference fusion strategy or a globally optimal guided mutation update strategy is selected to adaptively explore the location of the first target individual, thereby obtaining the second target individual;
[0036] The group information reference fusion strategy includes:
[0037] Obtain the average individual corresponding to all first target individuals, and determine the individual with the closest Euclidean distance to the average individual as the reference individual;
[0038] Based on the reference individual and the average individual, the first target individual is adaptively located to obtain the second target individual;
[0039] The globally optimal guided mutation update strategy includes:
[0040] Obtain a random control factor, and generate a guiding mutation vector based on the random control factor and the globally optimal individual;
[0041] Based on the globally optimal individual and the guiding mutation vector, the first target individual is adaptively explored to obtain the second target individual.
[0042] In one possible implementation, for any second target individual, a greedy segmented perturbation strategy is used to adaptively explore the second target individual globally to obtain the third target individual, including:
[0043] Obtain the current number of training iterations, and based on the current number of training iterations and the preset maximum number of training iterations, obtain a segmented perturbation factor;
[0044] Based on the piecewise perturbation factor, the second target individual is mutated using a normal distribution function to obtain the mutated second target individual;
[0045] Determine whether the fitness of the second target individual after mutation is greater than that of the original second target individual. If so, the second target individual after mutation is used as the third target individual; otherwise, the original second target individual is used as the third target individual.
[0046] In one possible implementation, distributing a quantum symmetric key to a data receiver via a quantum channel includes: distributing a quantum symmetric key to a data receiver via a quantum channel and employing the QKD algorithm.
[0047] In one possible implementation, the target data corresponding to the real-time data access request is encrypted and transmitted to the user according to the data response strategy and the quantum symmetry key, including:
[0048] When the data response strategy is a quantum encryption response strategy, a quantum symmetric key is used to encrypt the target data corresponding to the real-time data access request and transmit it to the user.
[0049] When the data response strategy is a quantum-enhanced response strategy, a separate secondary encryption key is generated. The target data corresponding to the real-time data access request is encrypted using the secondary encryption key and transmitted to the user. The secondary encryption key is then transmitted to the user using a key splitting and QKD fusion algorithm so that the user can decrypt it.
[0050] If the data response strategy is a request denial response strategy, then a denial-of-access message is generated, and the denial-of-access message is encrypted using a quantum symmetric key and transmitted to the user.
[0051] In one possible implementation, a fusion algorithm of key splitting and QKD is used to transmit the secondary encryption key to the user, including:
[0052] A symmetric key algorithm is used to generate a secondary encryption key, which is then randomly divided into multiple key fragments.
[0053] Multiple shared keys are generated using the QKD algorithm. The key fragments are encrypted using a one-to-one correspondence between the shared keys and key fragments, and the encrypted key fragments are then transmitted to the user.
[0054] Beneficial effects:
[0055] This application provides a data security system that integrates quantum encrypted transmission with a knowledge graph. By collecting multi-source data from an enterprise and constructing an enterprise data knowledge graph, it responds to real-time data access requests, performs path reasoning and risk assessment within the knowledge graph, generates dynamic data response strategies, and then distributes quantum symmetric keys to the data receiver via a quantum channel. Based on the response strategy and the quantum key, it performs differentiated encrypted transmission of the target data. By combining the refined permission reasoning of the knowledge graph with the absolute security of quantum encryption, and introducing an intelligent risk assessment model based on a neighborhood-order response optimization algorithm, it achieves precise control of data access permissions, real-time perception of security risks, and quantum-level security assurance for data transmission, significantly improving the security protection capabilities of the enterprise's core data. Attached Figure Description
[0056] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the description of the embodiments of this application will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0057] Figure 1 This is a schematic diagram of the structure of a data security system that integrates quantum encryption transmission and knowledge graph according to an embodiment of this application.
[0058] Figure labeling: 101-Knowledge graph construction module, 102-Dynamic encryption engine module, 103-Quantum key distribution module, 104-Quantum encrypted transmission module. Detailed Implementation
[0059] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0060] like Figure 1 As shown in the figure, this application provides a data security system that integrates quantum encrypted transmission and knowledge graph, including:
[0061] The knowledge graph construction module 101 is used to collect multi-source data from enterprises and construct an enterprise data knowledge graph based on the multi-source data.
[0062] Traditional RBAC (Role-Based Access Control) models are static and struggle to adapt to rapid changes in enterprise organizational structures and project collaborations. This application constructs an enterprise data knowledge graph, semantically modeling entities such as personnel, departments, data, and policies, along with their complex relationships. When an access request arrives, the system can perform deep path reasoning within the graph, not only identifying the user but also understanding their position and relationship within the organizational structure. This allows for more accurate and business-logic-compliant permission decisions than traditional RBAC. For example, it can easily implement complex cross-departmental permission controls such as "Project manager in department A can access specific data related to this project in department B," effectively preventing permission abuse and data leaks.
[0063] This module is responsible for extracting multi-source data from the company's human resources system, document management system, and access control system. Specifically, the extracted data includes: the affiliation between personnel and departments (e.g., Zhang San belongs to the R&D department), the affiliation between data and departments (e.g., Project A Requirements Document.docx belongs to the Product department), and the relationship between data and access policies (e.g., the access policy for Project A Requirements Document.docx is read-write only for project managers in the Product and R&D departments). Module 101 uses a graph database (e.g., Neo4j) to construct an enterprise data knowledge graph from this data. Entity nodes in the graph represent personnel, departments, and data files, while relationship edges represent belonging, ownership, and accessibility.
[0064] The dynamic encryption engine module 102 is used to respond to real-time data access requests generated by users, and to perform path reasoning and risk assessment in the enterprise data knowledge graph based on the real-time data access requests, and generate a data response strategy corresponding to the real-time data access requests.
[0065] This application embodiment generates a data response strategy corresponding to the real-time data access request by performing path reasoning and risk assessment in the enterprise data knowledge graph based on the real-time data access request. This enables dynamic response and improves security compared to traditional fixed encrypted transmission strategies.
[0066] The quantum key distribution module 103 is used to distribute quantum symmetric keys to the data receiver through a quantum channel.
[0067] Quantum key distribution technology utilizes fundamental principles of quantum mechanics (such as Heisenberg's uncertainty principle and the quantum no-cloning theorem) to achieve unconditionally secure key distribution, fundamentally eliminating the risk of key eavesdropping.
[0068] The quantum encryption transmission module 104 is used to encrypt and transmit the target data corresponding to the real-time data access request to the user according to the data response strategy and the quantum symmetry key, thereby completing the secure data interaction.
[0069] This application's embodiments form a closed-loop, adaptive, collaborative protection system. The knowledge graph provides contextual information for risk assessment, and the assessment results, in turn, guide the selection of encryption strategies, while quantum encryption provides unbreakable transmission protection for the entire interaction process. This multi-layered, multi-dimensional deep integration makes the overall security system's protection capabilities far exceed the simple summation of its components, enabling it to cope with current and future more complex and advanced data security challenges.
[0070] This application provides a data security system that integrates quantum encrypted transmission with a knowledge graph. It collects multi-source enterprise data and constructs an enterprise data knowledge graph. Then, in response to real-time data access requests, it performs path reasoning and risk assessment within the knowledge graph to generate dynamic data response strategies. Next, it distributes quantum symmetric keys to the data receiver via a quantum channel and performs differentiated encrypted transmission of the target data based on the response strategy and the quantum key. By combining the refined permission reasoning of the knowledge graph with the absolute security of quantum encryption, and introducing an intelligent risk assessment model based on a neighborhood-order response optimization algorithm, it achieves precise control of data access permissions, real-time perception of security risks, and quantum-level security assurance for data transmission, significantly improving the security protection capabilities of the enterprise's core data.
[0071] In one possible implementation, multi-source enterprise data is collected, and an enterprise data knowledge graph is constructed based on the multi-source enterprise data, including:
[0072] Collect data on the relationships between personnel and departments, data and departments, and data and their corresponding access policies within an enterprise to obtain multi-source data.
[0073] A knowledge graph of enterprise data is constructed based on the enterprise's multi-source data.
[0074] Constructing knowledge graphs is a relatively common technical approach, and existing technologies can be used; therefore, the embodiments in this application will not be described in detail.
[0075] In one possible implementation, in response to a real-time data access request generated by a user, and based on the real-time data access request, path reasoning and risk assessment are performed in the enterprise data knowledge graph to generate a data response strategy corresponding to the real-time data access request, including:
[0076] Responding to a real-time data access request generated by a user; wherein the real-time data access request includes the target data that the user needs to access;
[0077] Using the target data as an entity, path reasoning is performed in the enterprise data knowledge graph to determine the first target department and target access strategy corresponding to the target data.
[0078] Determine the second target department corresponding to the user, and determine whether the user, the first target department, and the second target department corresponding to the user meet the target access policy. If so, determine that the data permission requirements are met; otherwise, determine that the data permission requirements are not met.
[0079] For example, if the target access policy only allows access from personnel in the first target department, then it checks whether the user's corresponding second target department is the same as the first target department. If so, the data permission requirement is met; otherwise, the data permission requirement is not met. This is just an example; the specific access policy can be set according to the actual needs of the enterprise.
[0080] The system acquires network traffic data of users during data access and uses a network security detection model pre-deployed through a neighborhood-order response optimization algorithm to conduct a risk assessment of the users, determining the risk assessment result; the risk assessment result includes whether there is a risk or not.
[0081] If the data access requirements are met and the risk assessment result indicates that there is no risk, then the data response strategy corresponding to the real-time data access request is a quantum encryption response strategy.
[0082] If the data access requirements are met and the risk assessment result indicates that there is a risk, then the data response strategy corresponding to the real-time data access request is a quantum-enhanced response strategy.
[0083] If the data access permissions are not met and the risk assessment result indicates that there is a risk or there is no risk, then the data response strategy corresponding to the real-time data access request will be a request rejection response strategy.
[0084] This application embodiment uses a dynamic strategy to respond to data, which can effectively respond to different access situations and effectively increase the security of data transmission.
[0085] In one possible implementation, a method for pre-deploying a network security detection model using a neighborhood-order response optimization algorithm includes:
[0086] A network security detection model is constructed using a CNN-LSTM (Convolutional Neural Network-Long Short-Term Memory Network) model, and the hyperparameters of the network security detection model are initially encoded to obtain a training population.
[0087] For example, the hyperparameters of the network security detection model can be randomly initialized between the upper and lower bounds, and the initialized hyperparameters can be encoded into vectors to obtain individuals. This process can be repeated multiple times to obtain a population for training.
[0088] For any individual in the population, obtain the fitness of that individual, and determine the individual with the highest fitness as the global optimal individual.
[0089] For example, the loss function value can be obtained using an existing training dataset (such as the KDDCup99 dataset), and then the fitness can be obtained by adding the loss function value to a very small constant term (such as 0.0001) and taking the reciprocal.
[0090] Based on the globally optimal individual, an adaptive exploration range is generated for the individual, and a dynamic region exploration strategy is used to explore the neighborhood of the individual according to the adaptive exploration range to obtain the first target individual;
[0091] For any first target individual, a dual-strategy solution space exploration strategy controlled by a dynamic switching mechanism is used to adaptively explore the position of the first target individual to obtain the second target individual;
[0092] For any second target individual, a greedy segmented perturbation strategy is used to adaptively explore the second target individual globally to obtain the third target individual;
[0093] Determine whether the current number of training iterations is greater than or equal to the preset maximum number of training iterations. If so, redetermine the global optimal individual based on the third target individual. Otherwise, based on the third target individual, return to the step of obtaining the global optimal individual and proceed to the next training process.
[0094] The hyperparameters of the newly determined globally optimal individuals are used as hyperparameters of the network security detection model and deployed to the server where the dynamic encryption engine module is located. This server refers to the server where a data security system that integrates quantum encryption transmission and knowledge graph is located.
[0095] Optionally, after each strategy is executed, the individual can be processed for exceeding the limit (such as re-randomly initializing the elements that exceed the limit within the upper and lower limits) to ensure the reliability of the algorithm.
[0096] Traditional intrusion detection systems rely on fixed rules and are ineffective against unknown attacks. This application employs a CNN-LSTM model to fuse spatiotemporal features for traffic analysis and innovatively uses a neighborhood-order response optimization algorithm to optimize the model's hyperparameters. Through dynamic region exploration, dual-strategy solution space exploration, and greedy piecewise perturbation, this algorithm efficiently and accurately finds the optimal model configuration, significantly improving key indicators such as accuracy and recall of the network security detection model. This enables the system to identify anomalies and threats hidden in user access behavior in real time and accurately, maintaining a high detection rate even against novel attack patterns.
[0097] In one possible implementation, based on the globally optimal individual, an adaptive exploration range is generated for the individual, and according to the adaptive exploration range, a dynamic region exploration strategy is used to explore the neighborhood of the individual to obtain the first target individual, including:
[0098] Obtain the current training iteration count, and determine the dynamic selection factor based on the current training iteration count:
[0099]
[0100] in, This indicates a dynamic selection factor, where t represents the current number of training iterations and T represents the preset maximum number of training iterations.
[0101] Based on the aforementioned dynamic selection factor and the globally optimal individual, combined with the upper limit individual composed of the hyperparameter upper limit and the lower limit individual composed of the hyperparameter lower limit, the adaptive exploration range is generated as follows:
[0102]
[0103]
[0104] in, This represents the lower bound of the d-th dimension of the adaptive exploration range. This represents the upper bound of the d-th dimension of the adaptive exploration range. Let represent the d-th dimension of the hyperparameters of the globally optimal individual during the t-th training process, where d = 1, 2, ..., D, and D represents the total dimension of the individual's hyperparameters. This represents the d-th dimension hyperparameter of the lower limit individual. This represents the d-th dimension hyperparameter of the upper limit individual; express and Take the maximum value from the middle. express and Take the minimum value.
[0105] For any given individual, an adaptive upper and lower bound is used to dynamically explore the region of that individual, resulting in the first target individual:
[0106]
[0107] in, Let represent the i-th individual during the t-th training session, where i = 1, 2, ..., M, and M represents the total number of individuals. Represents the i-th individual as the first target. This represents the first exploration factor and is set to a normally distributed random number. This represents the second exploration factor, and is set to a random number between (0,1).
[0108] The dynamic region exploration strategy provided in this application allows for neighborhood exploration of individuals. From the early to the later stages of the algorithm, the exploration range of each individual can be dynamically adjusted, giving the algorithm more exploration space in the early stages and improving global exploration capabilities, while the algorithm focuses on small-scale exploration in the later stages, thus improving the convergence accuracy of the algorithm.
[0109] In one possible implementation, for any first target individual, an adaptive positional exploration strategy controlled by a dynamic switching mechanism is used to explore the solution space of the first target individual to obtain a second target individual, including:
[0110] For any first target individual, obtain the fitness corresponding to the first target individual, and determine the dynamic switching factor based on the fitness corresponding to the first target individual:
[0111]
[0112] in, Indicates the dynamic switching factor. Represents the hyperbolic tangent function. Represents the first random number between (0,1). Let j represent the fitness of the j-th individual with the first target, where j = 1, 2, ..., M. This represents the fitness of the current best individual;
[0113] Based on the dynamic switching factor, a population information reference fusion strategy or a globally optimal guided mutation update strategy is selected to adaptively explore the location of the first target individual, thereby obtaining the second target individual.
[0114] For example, a decision parameter can be randomly generated between (0,1). When the decision parameter is less than the dynamic switching factor, the population information reference fusion strategy is used to adaptively explore the location of the first target individual. Otherwise, the global optimal guided mutation update strategy is selected to adaptively explore the location of the first target individual.
[0115] The dynamic switching factor is dynamically adjusted based on the difference in fitness values between the first target individual and the globally optimal individual, so that the first target individual can still maintain appropriate exploration ability when it is close to the optimal solution, which can effectively prevent the algorithm from getting stuck.
[0116] The group information reference fusion strategy includes:
[0117] Obtain the average individual corresponding to all first target individuals, and determine the individual with the closest Euclidean distance to the average individual as the reference individual;
[0118] Based on the reference individual and the average individual, adaptive location exploration is performed on the first target individual to obtain the second target individual:
[0119]
[0120]
[0121] in, Let m represent the m-th first target individual during the t-th training process, where m = 1, 2, ..., M. This represents the m-th individual with the second target. This represents the adaptive exploration factor that gradually decreases as the number of iterations increases. This represents the second random number between (0,1). Let represent the average individual, where the hyperparameter of each dimension is the mean of the hyperparameters of all individuals in the first target dimension. Indicates a reference individual.
[0122] This group information reference fusion strategy can effectively improve the algorithm accuracy. Compared with single-location reference exploration, it can provide better exploration accuracy in the early, middle and late stages of the algorithm.
[0123] The globally optimal guided mutation update strategy includes:
[0124] Obtain the random control factor, and based on the random control factor and the globally optimal individual, generate the guided mutation vector as follows:
[0125]
[0126] in, Let n represent the nth first target individual during the t-th training process, where n = 1, 2, ..., M. express The corresponding guiding mutation vector, Represents a random control factor between (-1, 1). This represents the globally optimal individual.
[0127] Based on the globally optimal individual and the guiding mutation vector, adaptive position exploration is performed on the first target individual to obtain the second target individual:
[0128]
[0129] in, This represents the nth individual with the second target.
[0130] This globally optimal guided mutation update strategy can reset the search space corresponding to each first target individual based on the globally optimal position, thereby effectively avoiding the algorithm from getting trapped in local optima.
[0131] In one possible implementation, for any second target individual, a greedy segmented perturbation strategy is used to adaptively explore the second target individual globally to obtain the third target individual, including:
[0132] Obtain the current training iteration count, and based on the current training iteration count and the preset maximum training iteration count, obtain the piecewise perturbation factor as follows:
[0133]
[0134] in, This represents the piecewise perturbation factor. This represents the first segment value, and is set to 0.9; This represents the second segment value and is set to 0.00001; This represents the first global exploration range control coefficient, and is set to 0.2; This represents the second global exploration range control coefficient, and is set to 0.8; Represents pi (π). This indicates the preset maximum number of training iterations.
[0135] In the early stages of algorithm iteration, when the reference value of the global optimum is relatively low, a larger perturbation radius allows for significant changes in the new global optimum, preventing the population from converging towards a fixed global optimum and losing diversity and breadth. This helps the algorithm to search for the global optimum over a wider range in the early stages of iteration. In the middle stages of iteration, as the algorithm gradually narrows its search for the global optimum, the perturbation radius also decreases along a curve. This smooth curve decay reduces abrupt changes and potential oscillations during the exploration process, avoiding drastic changes in the exploration range and effectively reducing oscillations in the exploration path. In the later stages of iteration, when the algorithm is very close to the global optimum, a fixed and very small perturbation radius is used to perturb the current optimum position, reducing the randomness of the exploration process and allowing the exploration agent to focus more on small local adjustments, thereby improving the stability and reliability of the solution.
[0136] Based on the piecewise perturbation factor, the second target individual is mutated using a normal distribution function to obtain the mutated second target individual as follows:
[0137]
[0138] in, Let d be the hyperparameter of the k-th individual with the second target. Let d be the hyperparameter of the second target individual after the k-th mutation. Indicated by As the mean, with Random numbers generated from a normal distribution of variance.
[0139] Determine whether the fitness of the second target individual after mutation is greater than that of the original second target individual. If so, the second target individual after mutation is used as the third target individual; otherwise, the original second target individual is used as the third target individual.
[0140] This mutation can effectively help the algorithm escape local optima. By performing a greedy process on the second target individual after mutation, the training speed of the algorithm in the early and middle stages can be effectively improved.
[0141] In one possible implementation, distributing a quantum symmetric key to a data receiver via a quantum channel includes: distributing a quantum symmetric key to a data receiver via a quantum channel and employing the QKD (Quantum Key Distribution) algorithm.
[0142] In one possible implementation, the target data corresponding to the real-time data access request is encrypted and transmitted to the user according to the data response strategy and the quantum symmetry key, including:
[0143] When the data response strategy is a quantum encryption response strategy, a quantum symmetric key is used to encrypt the target data corresponding to the real-time data access request and transmit it to the user.
[0144] When the data response strategy is a quantum-enhanced response strategy, a separate secondary encryption key is generated. The target data corresponding to the real-time data access request is encrypted using the secondary encryption key and transmitted to the user. The secondary encryption key is then transmitted to the user using a key splitting and QKD fusion algorithm so that the user can decrypt it.
[0145] If the data response strategy is a request denial response strategy, then a denial-of-access message is generated, and the denial-of-access message is encrypted using a quantum symmetric key and transmitted to the user.
[0146] Existing encryption schemes often employ a one-size-fits-all approach, failing to adapt to risk levels. This application creatively links risk assessment results dynamically with encryption strategies. For low-risk requests, standard quantum encryption is used, offering both security and efficiency. For high-risk but legitimate requests (such as legitimate employees from high-risk regions), the system automatically activates a "quantum-enhanced response strategy." This strategy generates an independent secondary key to encrypt the data a second time, and uses key splitting technology to divide the secondary key into multiple fragments, each distributed through an independent quantum channel. Even if an attacker intercepts some key fragments and data, they cannot decrypt it; they must obtain all fragments to reconstruct the key. This significantly improves the data's resistance to attack scenarios, achieving an intelligent balance between security and risk.
[0147] This application deeply integrates QKD technology into the data security process. QKD utilizes fundamental principles of quantum mechanics (such as the Heisenberg uncertainty principle and the quantum no-cloning theorem) to guarantee the theoretical security of key distribution. Any eavesdropping on the quantum channel will be immediately detected and key distribution will be terminated. This fundamentally eliminates the risks of man-in-the-middle attacks and key leakage that may exist in traditional key distribution processes, providing quantum-level security for data transmission in untrusted environments such as public networks, and effectively resisting the threat of future quantum computers.
[0148] In one possible implementation, a fusion algorithm of key splitting and QKD is used to transmit the secondary encryption key to the user, including:
[0149] A symmetric key algorithm is used to generate a secondary encryption key, which is then randomly divided into multiple key fragments.
[0150] 2h polynomials can be generated using an h-order polynomial. , ) combination, each ( , Each of these is a key fragment, and the h-th order polynomial is:
[0151]
[0152] in, This represents the secondary encryption key. Represents a polynomial. , ,…, This represents the 1st, 2nd, ..., hth coefficient, all of which are preset values. It represents the independent variable.
[0153] Multiple shared keys are generated using the QKD algorithm. The key fragments are encrypted using a one-to-one correspondence between the shared keys and key fragments, and the encrypted key fragments are then transmitted to the user.
[0154] The QKD algorithm should generate 2h shared keys. Therefore, when transmitting encrypted key fragments, the order of the polynomial should also be transmitted. The data receiver then needs to decrypt the h+1 encrypted key fragments using the QKD shared key to recover the secondary encryption key. This effectively prevents data from being cracked and ensures data security. For the secondary encryption key, since a polynomial needs to be constructed, it must be converted to a decimal number before participating in the calculation.
[0155] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. The same or similar parts between the various embodiments can be referred to each other.
[0156] This application describes embodiments with reference to flowchart illustrations and / or block diagrams of methods, apparatuses, electronic devices, and computer program products according to embodiments of this application. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, generate instructions for implementing the flowchart... Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0157] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0158] These computer program instructions can also be loaded onto a computer or other programmable data processing terminal equipment, causing a series of operational steps to be performed on the computer or other programmable terminal equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable terminal equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0159] Although preferred embodiments of the present application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of the embodiments of the present application.
[0160] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or terminal device. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or terminal device that includes said element.
[0161] This document uses specific examples to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the methods and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.
Claims
1. A data security system integrating quantum encrypted transmission and knowledge graph, characterized in that, include: The knowledge graph construction module is used to collect multi-source data from enterprises and construct enterprise data knowledge graphs based on the multi-source data. The dynamic encryption engine module is used to respond to real-time data access requests generated by users, and to perform path reasoning and risk assessment in the enterprise data knowledge graph based on the real-time data access requests, and generate a data response strategy corresponding to the real-time data access requests. A quantum key distribution module is used to distribute quantum symmetric keys to data receivers via a quantum channel; The quantum encryption transmission module is used to encrypt and transmit the target data corresponding to the real-time data access request to the user according to the data response strategy and the quantum symmetry key, so as to complete the secure data interaction. In response to a user's real-time data access request, and based on the real-time data access request, performing path reasoning and risk assessment in the enterprise data knowledge graph to generate a data response strategy corresponding to the real-time data access request, including: Responding to a real-time data access request generated by a user; wherein the real-time data access request includes the target data that the user needs to access; Using the target data as an entity, path reasoning is performed in the enterprise data knowledge graph to determine the first target department and target access strategy corresponding to the target data. Determine the second target department corresponding to the user, and determine whether the user, the first target department, and the second target department corresponding to the user meet the target access policy. If so, determine that the data permission requirements are met; otherwise, determine that the data permission requirements are not met. The system acquires network traffic data of users during data access and uses a network security detection model pre-deployed through a neighborhood-order response optimization algorithm to conduct a risk assessment of the users, determining the risk assessment result; the risk assessment result includes whether there is a risk or not. If the data access requirements are met and the risk assessment result indicates that there is no risk, then the data response strategy corresponding to the real-time data access request is a quantum encryption response strategy. If the data access requirements are met and the risk assessment result indicates that there is a risk, then the data response strategy corresponding to the real-time data access request is a quantum-enhanced response strategy. If the data access permissions are not met and the risk assessment result indicates that there is a risk or there is no risk, then the data response strategy corresponding to the real-time data access request will be a request rejection response strategy.
2. The data security system integrating quantum encrypted transmission and knowledge graph as described in claim 1, characterized in that, Collect multi-source enterprise data and construct an enterprise data knowledge graph based on the multi-source enterprise data, including: Collect data on the relationships between personnel and departments, data and departments, and data and their corresponding access policies within an enterprise to obtain multi-source data. A knowledge graph of enterprise data is constructed based on the enterprise's multi-source data.
3. The data security system integrating quantum encrypted transmission and knowledge graph as described in claim 1, characterized in that, Methods for pre-deploying network security detection models using neighborhood-order response optimization algorithms include: A network security detection model is constructed using a CNN-LSTM model, and the hyperparameters of the network security detection model are initially encoded to obtain a training population. For any individual in the population, obtain the fitness of that individual, and determine the individual with the highest fitness as the globally optimal individual; Based on the globally optimal individual, an adaptive exploration range is generated for the individual, and a dynamic region exploration strategy is used to explore the neighborhood of the individual according to the adaptive exploration range to obtain the first target individual; For any first target individual, a dual-strategy solution space exploration strategy controlled by a dynamic switching mechanism is used to adaptively explore the position of the first target individual to obtain the second target individual; For any second target individual, a greedy segmented perturbation strategy is used to adaptively explore the second target individual globally to obtain the third target individual; Determine whether the current number of training iterations is greater than or equal to the preset maximum number of training iterations. If so, redetermine the global optimal individual based on the third target individual. Otherwise, based on the third target individual, return to the step of obtaining the global optimal individual and proceed to the next training process. The hyperparameters of the newly determined globally optimal individuals are used as the hyperparameters of the network security detection model and deployed to the server where the dynamic encryption engine module is located.
4. The data security system integrating quantum encrypted transmission and knowledge graph as described in claim 3, characterized in that, Based on the globally optimal individual, an adaptive exploration range is generated for the individual, and according to the adaptive exploration range, a dynamic region exploration strategy is used to explore the neighborhood of the individual to obtain the first target individual, including: Obtain the current number of training iterations and determine the dynamic selection factor based on the current number of training iterations; Based on the aforementioned dynamic selection factor and the globally optimal individual, an adaptive exploration range is generated by combining the upper limit individual composed of the upper limit of hyperparameters and the lower limit individual composed of the lower limit of hyperparameters. For any given individual, the upper and lower limits of the adaptive exploration range are used to dynamically explore the region of the individual to obtain the first target individual.
5. The data security system integrating quantum encrypted transmission and knowledge graph as described in claim 4, characterized in that, For any given first target individual, a dual-strategy solution space exploration strategy controlled by a dynamic switching mechanism is used to adaptively explore the position of the first target individual to obtain the second target individual, including: For any first target individual, obtain the fitness corresponding to the first target individual, and determine the dynamic switching factor based on the fitness corresponding to the first target individual; Based on the aforementioned dynamic switching factor, a population information reference fusion strategy or a globally optimal guided mutation update strategy is selected to adaptively explore the location of the first target individual, thereby obtaining the second target individual; The group information reference fusion strategy includes: Obtain the average individual corresponding to all first target individuals, and determine the individual with the closest Euclidean distance to the average individual as the reference individual; Based on the reference individual and the average individual, the first target individual is adaptively located to obtain the second target individual; The globally optimal guided mutation update strategy includes: Obtain a random control factor, and generate a guiding mutation vector based on the random control factor and the globally optimal individual; Based on the globally optimal individual and the guiding mutation vector, the first target individual is adaptively explored to obtain the second target individual.
6. The data security system integrating quantum encrypted transmission and knowledge graph as described in claim 5, characterized in that, For any second target individual, a greedy piecewise perturbation strategy is used to adaptively explore the second target individual globally, resulting in the third target individual, including: Obtain the current number of training iterations, and based on the current number of training iterations and the preset maximum number of training iterations, obtain a segmented perturbation factor; Based on the piecewise perturbation factor, the second target individual is mutated using a normal distribution function to obtain the mutated second target individual; Determine whether the fitness of the second target individual after mutation is greater than that of the original second target individual. If so, the second target individual after mutation is used as the third target individual; otherwise, the original second target individual is used as the third target individual.
7. The data security system integrating quantum encrypted transmission and knowledge graph as described in claim 1, characterized in that, Distributing quantum symmetric keys to data receivers via quantum channels includes: distributing quantum symmetric keys to data receivers via quantum channels and using the QKD algorithm.
8. The data security system integrating quantum encrypted transmission and knowledge graph as described in claim 7, characterized in that, Based on the data response strategy and the quantum symmetric key, the target data corresponding to the real-time data access request is encrypted and transmitted to the user, including: When the data response strategy is a quantum encryption response strategy, a quantum symmetric key is used to encrypt the target data corresponding to the real-time data access request and transmit it to the user. When the data response strategy is a quantum-enhanced response strategy, a separate secondary encryption key is generated. The target data corresponding to the real-time data access request is encrypted using the secondary encryption key and transmitted to the user. The secondary encryption key is then transmitted to the user using a key splitting and QKD fusion algorithm so that the user can decrypt it. If the data response strategy is a request denial response strategy, then a denial-of-access message is generated, and the denial-of-access message is encrypted using a quantum symmetric key and transmitted to the user.
9. The data security system integrating quantum encrypted transmission and knowledge graph as described in claim 7, characterized in that, A fusion algorithm combining key splitting and QKD is used to transmit the secondary encryption key to the user, including: A symmetric key algorithm is used to generate a secondary encryption key, which is then randomly divided into multiple key fragments. Multiple shared keys are generated using the QKD algorithm. The key fragments are encrypted using a one-to-one correspondence between the shared keys and key fragments, and the encrypted key fragments are then transmitted to the user.