Audit log anti-reconstruction display method, system, computer device and storage medium

By performing structured processing and heterogeneous reconstruction graph analysis of database audit logs, combined with terminal credibility assessment, dynamic control and display decisions are generated. This solves the problem of gradually piecing together and restoring the database structure from audit logs, and improves the security and accountability of audit log management.

CN122152641APending Publication Date: 2026-06-05JIUYOU TECH (SHENZHEN) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
JIUYOU TECH (SHENZHEN) CO LTD
Filing Date
2026-04-29
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In the existing database security system, the management security of audit logs is insufficient. Audit administrators can view relatively complete database audit logs, which poses a risk that the database structure and business plaintext can be restored by gradually piecing together the audit logs. Existing solutions fail to effectively prevent the cumulative reconstruction risk of multiple, small-batch, and continuous disclosures.

Method used

Collect database audit logs and perform syntax normalization, mapping them to structured log objects. Construct a heterogeneous reconstruction graph to record the relationship between fields, business objects, and query intents in the historical disclosure process of the audit subject. Calculate the structural coupling increment and counterfactual recoverable gain, and combine terminal credibility and collaborative splicing risk to calculate a dynamic reconstruction risk score, generating control and display decisions, including refusing to view, statistical summary disclosure, anonymized disclosure, single-person approval disclosure, or dual-person approval isolated disclosure.

Benefits of technology

It effectively mitigates the risk of recovering database structure and sensitive business plaintext after audit logs are continuously spliced ​​together, improving management security. Through dynamic control and display decisions and terminal credibility assessment, it ensures that audit log viewing does not accumulate to a level that can be reconstructed under low risk, and achieves a high level of accountability for auditors.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122152641A_ABST
    Figure CN122152641A_ABST
Patent Text Reader

Abstract

The application relates to an audit log anti-reconstruction display method and system, computer equipment and a storage medium, which maps a database audit log into a structured log object, maintains a historical disclosure state for each audit subject, and constructs a heterogeneous reconstruction graph. A viewing request is received, an application field set, a declared purpose, a target object range, request terminal information and a time window constraint are analyzed based on the corresponding structured log object, a leakage budget liability is updated, a dynamic reconstruction risk score is calculated in combination with collaborative splicing risk and terminal credibility, and a display decision is generated according to the dynamic reconstruction risk score and a dynamic threshold strategy. The counterfactual recoverable gain is introduced into the audit log display scene, the time-varying association among fields, objects and query intentions is described through the heterogeneous reconstruction graph, and long-term constraints are realized through the leakage budget liability mechanism, so that the audit subject cannot continuously accumulate to a reconstructable level even in the case of low risk at each request, and the management security is improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of database security auditing technology, and in particular to an audit log anti-reconstruction control display method, system, computer equipment, and storage medium. Background Technology

[0002] In existing database security architectures, database administrators, security administrators, and audit administrators are typically separated to reduce the risks posed by a single high-privilege entity. However, in most current implementations, while audit administrators do not directly possess write permissions to the business database, they can view relatively complete database audit logs. These audit logs typically include at least the execution time, user ID, object ID, session ID, SQL type, parameter fragments, return result fragments, primary or foreign key information, and object paths. Improving the security of audit log management is a pressing issue that needs to be addressed. Summary of the Invention

[0003] Therefore, it is necessary to provide an audit log anti-reconstruction control method, system, computer device, and computer-readable storage medium that can improve management security in response to the above problems.

[0004] The first aspect of this application provides a method for controlling the display of audit logs against reconstruction, including: Database audit logs are collected and their syntax is normalized, mapping each log entry to a structured log object; wherein, the structured log object includes a metadata field, a semantic sharding field, a relational fingerprint field, and a control policy field, and the semantic sharding field is encrypted; For each audit entity, maintain the historical disclosure status and construct a heterogeneous reconstruction graph; the heterogeneous reconstruction graph records the relationship between fields, business objects and query intents in the historical disclosure process of the audit entity, and is used to calculate the structural coupling increment and counterfactual recoverable gain; The system receives requests from audit entities to view a set of fields to be disclosed in the target audit log. Based on the corresponding structured log object, it parses the set of fields to be disclosed, the stated purpose, the scope of the target object, the requesting terminal information, and the time window constraints. Specifically, the set of fields to be disclosed is used to calculate field sensitivity, structural coupling increment, key structural enhancements, and counterfactual recoverable gains. The stated purpose is used for purpose compliance verification, approval determination, generation of restricted view invoices, and post-audit tracing. The scope of the target object is used to limit the update range of business object nodes in the heterogeneous reconstruction graph and to calculate counterfactual recoverable gains. The requesting terminal information is used for terminal credibility assessment and invoice terminal binding. The time window constraints are used to extract historical disclosure trajectories and calculate the risks of leaked budget liabilities and collaborative splicing. Based on the leaked budget liabilities at the time of the last request, after time decay, the leaked budget liabilities are updated by combining the field sensitivity, structural coupling increment, key structural enhancements and counterfactual recoverable gains corresponding to the current viewing request. Furthermore, the risk score for dynamic reconstruction is calculated by combining collaborative splicing risk and terminal credibility. Based on the dynamic reconstruction risk score and dynamic threshold strategy, a control and display decision is generated from among the following: refuse to view, statistical summary disclosure, anonymized disclosure, single-person approval disclosure, or dual-person approval isolated disclosure.

[0005] In one embodiment, the structured log object is represented as: ; in, For metadata fields, For semantic fragmentation domains, For relational fingerprint fields, For the control strategy domain; the relation fingerprint domain includes object set hash, connection pattern hash, predicate template hash and object access path hash; fields belonging to the same field group in the semantic fragmentation domain are encrypted using an authentication encryption function.

[0006] In one embodiment, the heterogeneous reconstruction graph is represented as: ; in, For a collection of field nodes, A collection of business object nodes. For the set of nodes representing the query intent; Represents the set of edges; This represents a time-varying edge weight matrix, which is updated based on the same disclosure relationship, the same connection template relationship, and the same business object relationship.

[0007] In one embodiment, the dynamic threshold strategy includes a dynamic threshold. , , and And satisfy: ; in, Based on the threshold, For adjustment coefficients, For the normalized leaked budget liabilities, The normalized terminal credibility satisfies: ; Based on the score and dynamic threshold, a control and display decision is generated. : ; in, To refuse to view, For the double approval of quarantine disclosure, Disclosure approved by a single individual. For the purpose of desensitization disclosure, For statistical summary disclosure.

[0008] In one embodiment, after generating a control / disclosure decision based on the dynamic reconstruction risk score and dynamic threshold strategy, including refusing to view, statistical summary disclosure, anonymized disclosure, single-person approved disclosure, or dual-person approved isolated disclosure, the method further includes: If the control and display decision requires approval, a context summary to be approved is generated for approval, and a restricted view ticket is generated after approval, and a one-time view key is derived based on the restricted view ticket.

[0009] In one embodiment, after deriving a one-time view key based on the restricted view ticket, the method further includes: Using the one-time view key, selective field-level decryption is performed only on the approved fields, outputting a minimum necessary view with watermark in a trusted environment.

[0010] In one embodiment, after performing field-level selective decryption only on the approved fields using the one-time view key and outputting the minimum necessary watermarked view in a trusted environment, the method further includes: View behavior, invoice summary, risk score, control decision, view summary and timestamp are written into a separate secondary audit chain.

[0011] A second aspect of this application provides an audit log anti-reconstruction control and display system, comprising: The log normalization module is used to collect database audit logs and perform syntax normalization, mapping each log entry to a structured log object. The structured log object includes a metadata field, a semantic sharding field, a relational fingerprint field, and a control policy field, and the semantic sharding field is encrypted. The reconstruction graph maintenance module is used to maintain the historical disclosure status for each audit entity and construct a heterogeneous reconstruction graph. The heterogeneous reconstruction graph records the association between fields, business objects and query intents in the historical disclosure process of the audit entity, and is used to calculate the structural coupling increment and counterfactual recoverable gain. The risk assessment module receives viewing requests from the audit entity for a set of fields to be disclosed in the target audit log. It parses the requested field set, declared purpose, target object scope, requesting terminal information, and time window constraints based on the corresponding structured log object. Based on the time decay of the leaked budget liabilities at the time of the last request, it updates the leaked budget liabilities by combining the field sensitivity, structural coupling increment, key structural enhancements, and counterfactual recoverable gain corresponding to the current viewing request. Furthermore, it calculates a dynamic reconstruction risk score by combining collaborative splicing risk and terminal credibility. Specifically, the requested field set is used for calculating field sensitivity, structural coupling increment, key structural enhancements, and counterfactual recoverable gain; the declared purpose is used for purpose compliance verification, approval judgment, generation of restricted view invoices, and post-audit tracing; the target object scope is used to limit the update range of business object nodes in the heterogeneous reconstruction graph and calculate counterfactual recoverable gain; the requesting terminal information is used for terminal credibility assessment and invoice terminal binding; and the time window constraints are used to extract historical disclosure trajectories and calculate leaked budget liabilities and collaborative splicing risk. The strategy decision module is used to generate a control and display decision based on the dynamic reconstruction risk score and dynamic threshold strategy, including refusing to view, statistical summary disclosure, anonymized disclosure, single-person approval disclosure, or dual-person approval isolated disclosure.

[0012] A third aspect of this application provides a computer device including a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the method described above.

[0013] A fourth aspect of this application provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the above-described method.

[0014] The aforementioned audit log anti-reconstruction control and display method, system, computer equipment, and computer-readable storage medium map database audit logs into structured log objects and perform field group encryption on semantic sharding domains. For each audit entity, a historical disclosure status is maintained, and a heterogeneous reconstruction graph is constructed. This graph records the relationships between fields, business objects, and query intents during the audit entity's historical disclosure process, used to calculate structural coupling increments and counterfactual recoverable gains. The system receives audit entity requests to view a set of fields to be disclosed in the target audit log. Based on the corresponding structured log object, it parses the requested field set, declared purpose, target object scope, request terminal information, and time window constraints. Based on the time decay of the leaked budget liabilities at the time of the last request, it updates the leaked budget liabilities by combining the field sensitivity, structural coupling increment, key structural enhancements, and counterfactual recoverable gains corresponding to the current viewing request. Furthermore, it calculates a dynamic reconstruction risk score by combining collaborative splicing risk and terminal credibility. Based on the dynamic reconstruction risk score and dynamic threshold strategy, it generates a control and display decision from among refusing to view, statistical summary disclosure, anonymized disclosure, single-person approved disclosure, or dual-person approved isolated disclosure. Introducing counterfactual recoverable gain into the audit log control scenario allows for direct measurement of the degree to which the current field request improves the inferability of hidden database structure variables. By depicting the time-varying relationship between fields, objects, and query intent through heterogeneous reconstruction graphs, it is possible to identify the structural splicing effect caused by multiple small disclosures. At the same time, long-term constraints are achieved through the leaked budget liability mechanism, ensuring that even if each request is low-risk, the audit entity cannot continuously accumulate to a reconstructable level, thereby improving management security. Attached Figure Description

[0015] Figure 1 This is a flowchart of an audit log anti-reconstruction control display method in one embodiment; Figure 2 A flowchart of an audit log anti-reconstruction control display method in another embodiment; Figure 3 This is a block diagram of an audit log anti-reconstruction control and display system in one embodiment; Figure 4 Here is a block diagram of the audit log anti-reconstruction control and display system in another embodiment; Figure 5 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation

[0016] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.

[0017] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the specification of this application is for the purpose of describing particular embodiments only and is not intended to be limiting of this application.

[0018] When used herein, the singular forms of “a,” “an,” and “the” may also include the plural forms unless the context clearly indicates otherwise. It should also be understood that the terms “comprising / including” or “having,” etc., specify the presence of the stated features, wholes, steps, operations, components, parts, or combinations thereof, but do not preclude the possibility of the presence or addition of one or more other features, wholes, steps, operations, components, parts, or combinations thereof. Meanwhile, the term “and / or” as used in this specification includes any and all combinations of the associated listed items.

[0019] Current audit log management generally improves log security in the following ways: First, by encrypting the entire log or using searchable encryption; second, by statically anonymizing sensitive fields in the log; third, by implementing traditional role-based access control or approval control for log viewing; and fourth, by using hash chains, blockchains, or trusted execution environments to protect the log records themselves from tampering. While these technologies can alleviate the problems of plaintext exposure, tampering, and unauthorized access to logs, they still have at least the following shortcomings: 1. Existing solutions typically use a single review as the basis for judgment, lacking quantitative modeling of the cumulative reconstruction risks resulting from "multiple, small-batch, and continuous disclosures"; 2. Most existing solutions only perform static evaluations of field sensitivity, without considering the structural coupling between fields or the splicing relationship between historically disclosed fields and currently applied fields; 3. Even after approval, existing solutions often return a large portion of the log in plain text to auditors, making it difficult to truly implement the principle of minimum necessary disclosure; 4. Existing solutions typically only audit "database access behavior," lacking a higher level of re-auditing and re-constraint of "auditors' behavior of viewing audit logs"; 5. Existing solutions lack a unified algorithm framework for factors such as multi-person collaborative viewing, fluctuations in the credibility of the terminal environment, and the decay of leaked budget over time.

[0020] Therefore, this application provides a method for controlling the display of audit logs against reconstruction, specifically involving dynamic control over the display of audit logs in scenarios that resist structural reconstruction, fragment splicing, and internal abuse. This method addresses the problem of auditors gradually recovering database table structures, field mapping relationships, business object relationships, and sensitive business plaintext by repeatedly viewing log fragments. The solution integrates "field sensitivity," "structural coupling relationships," "historical disclosure trajectory," "counterfactual recoverability," "leaked budget," "terminal credibility," and "collaborative splicing risk" into a unified dynamic control loop to solve the technical problem of recovering the database structure and business profile after audit logs are gradually spliced ​​together in a legitimate viewing process.

[0021] In one embodiment, such as Figure 1 As shown, an audit log anti-reconstruction control display method is provided, including: Step S110: Collect database audit logs and perform syntax normalization, mapping each log entry to a structured log object.

[0022] The structured log object is a standardized internal representation of the original audit logs, serving as a unified data carrier for subsequent risk assessment and control processing. The structured log object includes at least a metadata field, a semantic sharding field, a relational fingerprint field, and a control policy field, with the semantic sharding field undergoing group encryption. The metadata field is used for log retrieval and request location; the semantic sharding field is used for encrypted storage of field groups and selective decryption at the field level; the relational fingerprint field is used for updating heterogeneous reconstruction graphs and calculating structural risks; and the control policy field is used for sensitivity level determination, exposure ratio control, and approval rule invocation.

[0023] Upon receiving the raw audit logs, the SQL statements, binding parameters, returned record fragments, and execution context are first converted into a unified intermediate representation. Then, based on the field dictionary, object mapping table, and syntax analysis results, the raw logs are split into a metadata domain, a semantic sharding domain, a relational fingerprint domain, and a control policy domain. The relational fingerprint domain does not directly store the complete table structure, but instead stores the following fingerprint tuples. : ; in, Represents a hash function. For a collection of objects, For connection mode, As a predicate template, This is for object access paths. This design allows the system to use structural information for risk assessment, but avoids directly retaining reversible explicit structural descriptions in the log storage layer.

[0024] In one embodiment, a structured log object is represented as: ; in, Indicates the first The structured log object mapped from the original audit log. This is the metadata field, which includes timestamp, user identifier, session identifier, source address, object identifier, operation type, etc. This is a semantic sharding domain, containing field value shards, result shards, parameter shards, and returned summaries; The relation fingerprint field contains relation fingerprints generated from the SQL abstract syntax tree, join patterns, predicate templates, and object co-occurrence relations. To control the policy domain relationship fingerprint domain, it includes field category labels, encryption group numbers, disclosure budget factors, exposure ratio limits, and approval rule tags.

[0025] Specifically, relation fingerprint domain It includes at least object set hashing, join pattern hashing, predicate template hashing, and object access path hashing. For semantic fragmentation domains... Belonging to the same field group The fields are encrypted using an authenticated encryption function: ; in, This refers to the AEAD encryption function. This is the encrypted field. HKDF (HMAC-based Key Derivation Function) is an HMAC-based key derivation function used to derive a key from the root key. Derived field group key and from the field group key Derive a one-time view key. For the plaintext collection of field groups, To add authentication data, This is the version number of the field group key.

[0026] Step S120: Maintain the historical disclosure status for each audit entity and construct a heterogeneous reconstruction graph.

[0027] Historical disclosure status is a crucial foundation that distinguishes this application from ordinary static access control. It includes at least the set of historically disclosed fields, the set of historically disclosed objects, historical request time series, historical approval results and disclosure levels, current disclosed budget liabilities, and statistical information on collaborative applications within the same approval domain, to support subsequent cumulative risk modeling. The system maintains historical disclosure status for each audit entity, constructs a heterogeneous reconstruction graph, and updates nodes and edge rights.

[0028] The core function of the heterogeneous reconstruction graph is to formalize the process by which the auditing entity gradually assembles the database structure by repeatedly reviewing logs. It records the relationships between fields, business objects, and query intents in the auditing entity's historical disclosure process. In the subsequent dynamic reconstruction risk scoring, it is used to calculate the structural coupling increment and to provide a neighborhood propagation basis for the conditional probability estimation of hidden structural variables, thereby calculating the counterfactual recoverable gain. In addition, it can also be used to identify high-weighted closed loops, object bridging relationships, and field co-occurrence patterns, and to calculate the structural closed loop risk.

[0029] Specifically, targeting the auditing entity At any moment Based on the disclosed history, construct a heterogeneous reconstruction map. Represented as: ; in, For a collection of field nodes, A collection of business object nodes. For the set of nodes representing the query intent, Represents the set of edges; This represents a time-varying edge weight matrix, which is updated based on the same disclosure relationship, the same connection template relationship, and the same business object relationship.

[0030] If field With fields If they are jointly observed in historical disclosures or appear together under the same relational fingerprint template, then update the coupling weights. : ; in, For the current moment Fields With fields Coupling weights, For the previous moment Fields With fields Coupling weights, The time decay factor, For the same disclosure indicator function, This is a template indicator function for the same connection. This is an indicator function for the same business object. ω1, ω2, and ω3 are non-negative weighting coefficients, representing the degree of influence of three types of evidence—same disclosure, same join template, and same business object—on the field coupling strength, respectively. The relation fingerprint template is a pattern description that is an abstraction of object co-occurrence relationships, join patterns, and predicate structures. It is used to support structural risk assessment, rather than directly storing plaintext information that can restore the database structure.

[0031] Furthermore, once an auditing entity successfully views certain fields, the system adds the corresponding field nodes, object nodes, and query intent nodes to the edge weights of its personal reconstruction graph or update graph. For multiple cross-day accesses to the same business object, the system additionally accumulates object bridge edges. ; in, For the current moment object node With object nodes The weight of the bridge edge between them Indicates the previous moment object node With object nodes The weight of the bridging edges between them. Represents object nodes With object nodes Whether it can be connected by the same identifier key or the same foreign key chain due to this disclosure, κ is the object bridging edge gain coefficient, used to control the extent to which a single bridging evidence enhances the strength of the object relationship.

[0032] Step S130: Receive the audit entity's request to view the set of fields to be disclosed in the target audit log, and parse the set of fields to be disclosed, the purpose of the statement, the scope of the target object, the requesting terminal information and the time window constraints based on the corresponding structured log object.

[0033] The viewing request is initiated targeting specific fields or sets of fields in the audit log that require disclosure, rather than directly viewing the entire structured log object. The data carried in the viewing request may include the field set, its purpose, object scope, terminal information, and time window. The structured log object is an internal data organization format within the system; the auditing entity actually requests to view only a portion of its information, such as field values, statistical summaries, or anonymized fragments. Upon receiving the viewing request, the system analyzes relevant factors based on the structured log object and the heterogeneous reconstruction graph. It then calculates a dynamic reconstruction risk score based on these factors and completes the risk assessment and control / disclosure processing for the corresponding structured log object.

[0034] Specifically, when the auditing entity submits a viewing request, the request message... Represented as: ; in, This serves as the identifier for the auditing entity, i.e., the identity identifier of the user who initiated the viewing request. This is a log identifier used to uniquely identify a log record, log fragment, or log collection that has been requested to be viewed. For the application field set, To check the purpose or task objective, such as compliance verification, anomaly backtracking, incident review, etc. Indicates the scope of the target object, used to limit the business objects, record range, or object category involved in this request. This represents the timestamp, i.e., the time the request was submitted or the time the event occurred. Bind an identifier to the terminal.

[0035] In this embodiment, upon receiving a viewing request, the system combines the corresponding structured log object and heterogeneous reconstruction graph to parse the application field set, declared purpose, target object scope, requesting terminal information, and time window constraints. The application field set is used to calculate field sensitivity, structural coupling increment, key structural enhancements, and counterfactual recoverable gains; the declared purpose is used for purpose compliance verification, approval determination, generation of restricted view invoices, and post-audit tracing; the target object scope is used to limit the update range of business object nodes in the heterogeneous reconstruction graph and calculate counterfactual recoverable gains; the requesting terminal information is used for terminal credibility assessment and invoice terminal binding; and the time window constraints are used to extract historical disclosure trajectories and calculate the risks of leaked budget liabilities and collaborative splicing.

[0036] Step S140: Based on the leaked budget liabilities at the time of the last request, after time decay, and combined with the field sensitivity, structural coupling increment, key structural enhancements and counterfactual recoverable gains corresponding to the current viewing request, update the leaked budget liabilities, and further combine the collaborative splicing risk and terminal credibility to calculate the dynamic reconstruction risk score.

[0037] Specifically, upon receiving a viewing request, the system first verifies whether the purpose field is in the predefined audit task template, then retrieves the historical disclosure trajectory from the audit subject's most recent window and updates it. And the last request time Leaked budget liabilities Then, the field sensitivity is calculated sequentially. Incremental structural coupling Key structural enhancements Counterfactual recoverable gains Leaking budget liabilities Collaborative splicing risks and terminal credibility Then, substitute the values ​​into the dynamic reconstruction risk scoring formula to calculate the dynamic reconstruction risk score. .

[0038] Specifically, for the application field set Calculate field sensitivity : ; in, For the application field set field elements in , , , These represent sensitivity to identity verification, financial sensitivity, business criticality, and regulatory sensitivity, respectively. Weights and satisfying . Represents the application field set The number of elements, where ε is a smoothing constant greater than zero, used to avoid zero denominators and improve numerical stability.

[0039] Let the set of historical disclosure fields be The current view request will result in an increase in structural coupling. Defined as: ; in, Represents the application field set field elements in Represents the set of historical disclosure fields field elements in Indicates time t Next field With fields The coupling weights between them. Represents the application field set The number of elements, Represents the historical disclosure field set The number of elements in the matrix, where ε is a smoothing constant greater than zero.

[0040] When applying for the field set When the field contains a primary key, foreign key, unique identifier field, or join predicate field, introduce a structural key enhancement. : ; in, This indicates the primary key indicator function, which returns 1 if the input field set contains a primary key field, and 0 otherwise. This indicates a foreign key indicator function, which takes the value 1 if the input field set contains a foreign key field, and 0 otherwise. This indicates a function that indicates the unique identifier field. It returns 1 if the input field set contains a unique identifier field, and 0 otherwise. This indicates a join predicate field indicator function, which takes the value 1 if the input field set contains a join predicate field, and 0 otherwise. , , , These are the weighting coefficients.

[0041] Let the hidden structure variable be It includes the table relationship schema, field mapping relationships, and object clustering relationships of the target database. Let... Deadline Given the set of information already disclosed to the auditing entity, the counterfactual recoverable gain resulting from the current viewing request is defined as: ; After normalization, we get : ; in, H The conditional entropy is used to characterize the uncertainty of hidden structural variables given observational information. ε is a positive constant used to avoid a zero denominator. In this embodiment, the conditional entropy is estimated using an empirical distribution: ; in, To hide the structure state space, Obtained based on the neighborhood propagation results in the heterogeneous reconstruction graph.

[0042] To limit the risks accumulated from repeated disclosures over a long period, this application maintains a leak budget account for each auditing entity. Let the time of the last request be... This would reveal budget liabilities. Updated to: ; in, The time interval between the two requests. Let the budget decay time constant be... This is the debt gain coefficient.

[0043] To mitigate collaborative risks among multiple audit entities, define the risks of collaborative risks within the same department, approval domain, or task group. : ; in, This represents the cosine similarity function, used to measure the directional similarity of recent field application behavior vectors between two audit entities. As the current audit subject, In order to be consistent with the current audit entity Another audit entity that belongs to the same set of pre-determined entities (same department, same approval domain, or same task group). for Request a frequency vector for the fields within the most recent window. for Request a frequency vector for the fields within the most recent window. To and A collection of entities from the same department, approval domain, or task group.

[0044] Determine the terminal's trustworthiness based on the trusted environment of the requesting terminal. : ; in, Indicates the managed terminal indication quantity. Indicates the controlled network indication quantity. This indicates the enable / disabled value for dynamic watermarking and screen capture detection. This indicates that an indicator is present on the external storage device. This indicates whether the copy / export channel is enabled. to These are non-negative weighting coefficients used to characterize the impact of managed terminals, controlled networks, dynamic watermarking / screen capture detection, external devices, and copy / export channels on terminal credibility, respectively.

[0045] Finally, after normalizing the above factors, the dynamic reconstructed risk score is obtained using the Logistic scoring function. : ; in, This is the Logistic mapping function, used to compress the results of linear combinations to the interval (0, 1). , , , , , , These are the normalized field sensitivity, structural coupling increment, key structural enhancement, counterfactual recoverable gain, leaked budget liabilities, collaborative splicing risk, and terminal credibility. By normalizing each factor separately, the differences in the dimensions of different factors are eliminated. For model weights, The bias term is used as the input. The normalized input factors are summed using model weights and the bias term, and then mapped to the (0, 1) interval via a Logistic mapping function to obtain the dynamically reconstructed risk score. .

[0046] Furthermore, the counterfactual recoverable gain was calculated. Subsequently, if the requested set of application fields contains more than two join predicate fields, and these fields form a high-weighted closed loop with the historical fields, then to avoid closed loop inference, the system can use counterfactual recoverable gain. Additional enhancements are: ; in, express and Whether a structural closed-loop indicator is formed. This is the structural closed-loop risk enhancement coefficient, used to improve the counterfactual recoverable gain when high-weighted closed loops are detected. Make additional enhancements. This is understandable, as it allows for the recovery of gains from counterfactual events. Additional enhancements are made, which are the additional counterfactual recoverable gains. Normalization is performed to calculate the dynamic reconstruction risk score. .

[0047] Step S150: Based on the dynamic reconstruction risk score and dynamic threshold strategy, generate a control and disclosure decision from among the following: refuse to view, statistical summary disclosure, anonymized disclosure, single-person approval disclosure, or dual-person approval segregated disclosure.

[0048] To make the system more sensitive to high budget liabilities and low-trust terminals, the dynamic threshold strategy includes dynamic thresholds. , , and And satisfy: ; in, Based on the threshold, For adjustment coefficients, For the normalized leaked budget liabilities, The normalized terminal credibility satisfies: ; Based on the dynamic reconstruction of the risk score and the relationship between four dynamic thresholds, the system outputs a control / disclosure decision from among: refusing to view, dual-approval segregated disclosure, single-approval disclosure, anonymized disclosure, or statistical summary disclosure. In this embodiment, a control / disclosure decision is generated based on the dynamic reconstruction of the risk score and the dynamic thresholds. : ; in, To refuse to view, For the double approval of quarantine disclosure, Disclosure approved by a single individual. For the purpose of desensitization disclosure, For statistical summary disclosure. In this embodiment, if The system does not return the actual business fields, but only a statistical summary, such as the number of records, value range buckets, hash prefixes, or category labels. The system returns a de-identified view, displaying only the partially exposed field values. If The system generates a single-person approval task, which is then approved by the data manager or security manager. If The system requires dual approval and only allows display in an isolated viewing environment; copying, downloading, exporting, or long-term caching are not permitted. The system will reject the viewing request and may trigger an error alert.

[0049] In one embodiment, such as Figure 2 As shown, after step S150, the method further includes step S160: if the control display decision requires approval, generate a context summary to be approved for approval, generate a restricted view ticket after approval, and derive a one-time view key based on the restricted view ticket.

[0050] In cases where control decisions require approval, the system generates a pending context summary, performs single-person or dual-person approval, and generates a restricted view invoice after approval. and based on restricted view tickets Derive one-time view keys for each field group The content of a restricted view ticket is not unique; for example, it may include log identifier, audit entity identifier, approved field set, stated purpose, expiration date, maximum number of views, terminal binding identifier, exposure ratio set, random number, approval signature, etc. In this embodiment, the system generates a restricted view ticket after approval. : ; in, For the approval entity's private key, This indicates that the approval entity is based on the approval entity's private key. The executed digital signature function is used by the approving entity to sign the digest to be signed using its private key to ensure authenticity, integrity, and non-repudiation. Represents a hash function. LogID This is a log identifier used to uniquely identify a log record, log fragment, or log collection that has been requested to be viewed. UID This serves as the identifier for the auditing entity, i.e., the identity identifier of the user who initiated the viewing request. For the set of approved fields, Purpose To check the purpose or task objective, such as compliance verification, anomaly backtracking, incident review, etc. Expiration date To the maximum number of views, Bind an identifier to the terminal to ensure that the ticket is used only on the designated device. For the set of exposure ratios. Nonce It is a one-time random number used to ensure the uniqueness of the ticket and prevent replay.

[0051] Based on restricted view tickets With field group key Derived one-time view key: ; Where HKDF is a key derivation function based on HMAC. For field groups Field group key, Represents a hash function. c To view the current counter, For the set of approved fields, Bind an identifier to the terminal.

[0052] Decryption only applies to the approved field set. The covered fields are decrypted, while unapproved fields remain encrypted or are displayed as empty. For highly sensitive fields such as ID card numbers, bank card numbers, and mobile phone numbers, a segmented exposure function can be used. ; in, n Represents field value m Total length, l Indicates the length to be retained in the head. r This indicates the length retained at the tail. and The value is determined by the exposure ratio. Adaptive decision.

[0053] At the same time, the system overlays a session watermark on the display interface. : ; in, Represents a hash function. UID For the identification of the audit entity, Represents a timestamp. Bind an identifier to the terminal. c This is the current view counter, which increments with each view. Watermarks can contain semi-transparent text, random dot matrix, or fine-grained pixel offset markers.

[0054] In one embodiment, after step S160, the method further includes step S170: using a one-time view key to perform field-level selective decryption only on the approved fields, and outputting a watermarked minimum necessary view in a trusted environment. In this embodiment, for the approved fields... f The output rule for the minimum necessary view is defined as follows: ; in, For plaintext fields, Representation field f The corresponding ciphertext field value, To be based on the exposure ratio plaintext of fields Execute the locally exposed function. For fields f Functions for generating statistical summary information Indicates that it is not visible. For the set of approved fields, This is the set of fields to be displayed in an anonymized or partially exposed manner. This is the set of fields for plaintext display, representing the set of fields that are allowed to be output in full plaintext. The set of fields to display for the statistical summary indicates that only the set of fields for which statistical summary information is allowed to be output. , , These correspond to three levels of visibility control: partially visible, fully visible plaintext, and only visible abstract. In one embodiment, , and It can be dynamically determined based on the control and display decision, the sensitivity level of the field, and the approval result, and the three do not overlap.

[0055] In one embodiment, continue to refer to Figure 2 Following step S170, the method further includes step S180: writing the viewing behavior, invoice summary, risk score, control display decision, view summary, and timestamp into a separate secondary audit chain. The system writes the viewing behavior, invoice summary, risk score, control display decision, view summary, and timestamp into the separate secondary audit chain and generates an intraday Merkle root for cross-validation. Viewing behavior can include opening, scrolling, closing, timeout, repeated viewing, approval failure, or revocation, etc.

[0056] Specifically, whenever the minimum necessary view is opened, scrolled, closed, timed out, repeatedly viewed, or approval fails, the system generates a corresponding event and writes it to the secondary audit chain. The secondary audit chain summary only saves the event summary and view summary, not the complete plaintext content. If the system detects that the same restricted view ticket is used on different terminals, or the number of views exceeds a threshold, the system will continue to process the event. If so, the restricted view ticket will be immediately revoked and an exception event will be written.

[0057] In this embodiment, each viewing event is recorded as... Then view the event. Summary of the Secondary Audit Chain for: ; in, Represents a hash function. This is a summary of the secondary audit chain of the event viewed last time. This is a summary of the invoices viewed this time. For the risk score reviewed this time, For the control display decision reviewed this time, This is the timestamp for this viewing. This is a summary of the views viewed this time. This is the identifier of the audit entity being reviewed.

[0058] For a summary of all events within the same calendar day, further construct the intraday Merkelgen : ; in, This indicates the calendar day identifier, and can also be understood as the date index used when auditing events by day. Represents timestamp Falling on a natural day A collection of summaries of all audit events within the scope. This indicates the corresponding calendar day. Merkelgen, within the day. In one embodiment, natural day The time range is from 00:00:00 to 23:59:59 of the current day. All timestamps. Falling on that natural day Event summary within They are included in the same set and further generate the corresponding intraday Merkle root. Merkelgen can periodically submit data to an independent audit server or a trusted timestamp service within the day.

[0059] The aforementioned audit log anti-reconstruction and control method collects database audit logs and standardizes them into structured log objects containing metadata, semantic sharding, relational fingerprint, and control policy domains. It constructs a heterogeneous reconstruction graph based on historical disclosure trajectories and calculates the counterfactual recoverable gain of the current viewing request on hidden structural variables. Combining field sensitivity, structural coupling increment, counterfactual recoverable gain, leaked budget liabilities, collaborative splicing risk, and terminal trustworthiness, a dynamic reconstruction risk score is obtained. Based on a dynamic threshold strategy, a control decision is generated from one of the following: rejection, statistical summary disclosure, anonymized disclosure, single-person approval disclosure, or dual-person approval isolated disclosure. After approval, a restricted view document is generated and a one-time view key is derived. Only the approved fields are subjected to field-level selective decryption and trusted environment rendering, outputting a watermarked minimum necessary view. The viewing behavior, document summary, risk score, view summary, and intraday Merkle root data are written into an independent secondary audit chain. This solution can suppress the risk of recovering database structure and sensitive business plaintext after continuous splicing of audit logs without affecting audit retrieval efficiency, improving security and accountability in scenarios of internal abuse, physical leakage, and collaborative inference.

[0060] The above-mentioned method for preventing the reconstruction and display of audit logs has at least the following beneficial effects: 1. For the first time, counterfactual recoverable gain is introduced into the audit log control scenario, which can directly measure the degree to which the current field request improves the inferability of hidden database structure variables.

[0061] 2. By using heterogeneous reconstruction graphs to characterize the time-varying relationships between fields, objects, and query intent, the structural splicing effect caused by "multiple small disclosures" can be identified.

[0062] 3. By disclosing budget liabilities, long-term constraints are achieved, preventing the auditing entity from accumulating liabilities to a level that can be rebuilt even if each request is low-risk.

[0063] 4. By quantifying risk through collaborative splicing, multiple people can view the behavior of collaborative risk assessment, thus suppressing horizontal splicing-style leaks that are achieved through task assignments within the team.

[0064] 5. A tiered control system is formed through statistical summary disclosure, anonymized disclosure, single-person approval disclosure, and dual-person approval segregated disclosure, rather than a simple binary allow / reject control.

[0065] 6. Once approved, only restricted view tickets will be issued and a one-time view key will be derived to ensure that plaintext is only visible on limited terminals, with limited number of uses, limited fields, and limited time limits.

[0066] 7. Conduct independent re-auditing of the "audit log viewing behavior itself" through a secondary audit chain to achieve high-level accountability for auditors.

[0067] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.

[0068] Based on the same inventive concept, this application also provides an audit log anti-reconstruction control and display system for implementing the audit log anti-reconstruction control and display method described above. The solution provided by this system is similar to the implementation scheme described in the above method; therefore, the specific limitations of one or more audit log anti-reconstruction control and display system embodiments provided below can be found in the limitations of the audit log anti-reconstruction control and display method described above, and will not be repeated here.

[0069] In one embodiment, as shown in Figure 3, an audit log anti-reconstruction control and display system is provided, including: The log normalization module 110 is used to collect database audit logs and perform syntax normalization, mapping each log to a structured log object. The structured log object includes a metadata field, a semantic sharding field, a relational fingerprint field, and a control policy field, and performs field group encryption on the semantic sharding field.

[0070] The reconstruction graph maintenance module 120 is used to maintain the historical disclosure status for each audit entity and construct a heterogeneous reconstruction graph. The heterogeneous reconstruction graph records the relationship between fields, business objects and query intents in the historical disclosure process of the audit entity, and is used to calculate the structural coupling increment and counterfactual recoverable gain.

[0071] The risk assessment module 130 receives requests from the audit entity to view the set of fields to be disclosed in the target audit log. It parses the set of fields, declared purpose, target object scope, request terminal information, and time window constraints based on the corresponding structured log object. Based on the time decay of the leaked budget liabilities at the time of the last request, it updates the leaked budget liabilities by combining the field sensitivity, structural coupling increment, key structural enhancements, and counterfactual recoverable gain corresponding to the current viewing request. Furthermore, it calculates a dynamic reconstruction risk score by combining collaborative splicing risk and terminal credibility. Specifically, the set of fields to be disclosed is used to calculate field sensitivity, structural coupling increment, key structural enhancements, and counterfactual recoverable gain; the declared purpose is used for purpose compliance verification, approval determination, generation of restricted view invoices, and post-audit tracing; the target object scope is used to limit the update range of business object nodes in the heterogeneous reconstruction graph and calculate counterfactual recoverable gain; the request terminal information is used for terminal credibility assessment and invoice terminal binding; and the time window constraints are used to extract historical disclosure trajectories and calculate leaked budget liabilities and collaborative splicing risk.

[0072] The strategy decision module 140 is used to generate a control and display decision based on the dynamic reconstruction risk score and dynamic threshold strategy, including refusing to view, statistical summary disclosure, anonymized disclosure, single-person approval disclosure, or dual-person approval isolated disclosure.

[0073] In one embodiment, a structured log object is represented as: ; in, For metadata fields, For semantic fragmentation domains, For relational fingerprint fields, The control strategy domain is defined as follows: the relation fingerprint domain includes object set hash, join pattern hash, predicate template hash, and object access path hash; fields belonging to the same field group in the semantic fragmentation domain are encrypted using an authentication encryption function.

[0074] In one embodiment, the heterogeneous reconstruction graph is represented as: ; in, For a collection of field nodes, A collection of business object nodes. For the set of nodes representing the query intent; Represents the set of edges; This represents a time-varying edge weight matrix, which is updated based on the same disclosure relationship, the same connection template relationship, and the same business object relationship.

[0075] In one embodiment, the dynamic threshold strategy includes a dynamic threshold. , , and And satisfy: ; in, Based on the threshold, For adjustment coefficients, For the normalized leaked budget liabilities, The normalized terminal credibility satisfies: ; Based on the score and dynamic threshold, a control and display decision is generated. : ; in, To refuse to view, For the double approval of quarantine disclosure, Disclosure approved by a single individual. For the purpose of desensitization disclosure, For statistical summary disclosure.

[0076] In one embodiment, such as Figure 4 As shown, the system also includes: a ticket approval and key derivation module 150, which is used to generate a pending context summary for approval when the control display decision requires approval, and generate a restricted view ticket after approval, and derive a one-time view key based on the restricted view ticket.

[0077] In one embodiment, such as Figure 4As shown, the system also includes a trusted rendering module 160, which uses a one-time view key to perform field-level selective decryption only on the approved fields and outputs a watermarked minimum necessary view in a trusted environment.

[0078] In one embodiment, such as Figure 4 As shown, the system also includes a secondary audit module 170, which is used to write viewing behavior, invoice summary, risk score, control display decision, view summary and timestamp into an independent secondary audit chain.

[0079] The modules in the aforementioned audit log anti-reconstruction control and display system can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in the processor of a computer device in hardware form or independent of it, or stored in the memory of the computer device in software form, so that the processor can call and execute the corresponding operations of each module.

[0080] In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as follows: Figure 5 As shown, the computer device includes a processor, memory, input / output interfaces, a communication interface, a display unit, and an input device. The processor, memory, and input / output interfaces are connected via a system bus, and the communication interface, display unit, and input device are also connected to the system bus via the input / output interfaces. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input / output interfaces are used for exchanging information between the processor and external devices. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, mobile cellular networks, NFC (Near Field Communication), or other technologies. When the computer program is executed by the processor, it implements an audit log anti-reconstruction control display method. The display unit of the computer device is used to form a visually visible image and can be a display screen, a projection device, or a virtual reality imaging device. The display screen can be an LCD screen or an e-ink screen. The input device of the computer device can be a touch layer covering the display screen, or buttons, trackballs, or touchpads set on the casing of the computer device, or external keyboards, touchpads, or mice, etc.

[0081] Those skilled in the art will understand that Figure 5The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.

[0082] In one embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps of the method described above.

[0083] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the steps of the above-described method.

[0084] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, implements the steps of the method described above.

[0085] Those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium. When executed, the computer program can include the processes of the embodiments described above. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, etc., and are not limited to these.

[0086] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.

[0087] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are relatively specific and detailed, they should not be construed as limiting the scope of the invention patent. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this patent application should be determined by the appended claims.

Claims

1. A method for controlling the display of audit logs against reconstruction, characterized in that, include: Database audit logs are collected and their syntax is normalized, mapping each log entry to a structured log object; wherein, the structured log object includes a metadata field, a semantic sharding field, a relational fingerprint field, and a control policy field, and the semantic sharding field is encrypted; For each audit entity, maintain the historical disclosure status and construct a heterogeneous reconstruction graph; the heterogeneous reconstruction graph records the association between fields, business objects and query intents in the historical disclosure process of the audit entity, and is used to calculate the structural coupling increment and counterfactual recoverable gain; The system receives requests from audit entities to view a set of fields to be disclosed in the target audit log. Based on the corresponding structured log object, it parses the set of fields to be disclosed, the stated purpose, the scope of the target object, the requesting terminal information, and the time window constraints. Specifically, the set of fields to be disclosed is used to calculate field sensitivity, structural coupling increment, key structural enhancements, and counterfactual recoverable gains. The stated purpose is used for purpose compliance verification, approval determination, generation of restricted view invoices, and post-audit tracing. The scope of the target object is used to limit the update range of business object nodes in the heterogeneous reconstruction graph and to calculate counterfactual recoverable gains. The requesting terminal information is used for terminal credibility assessment and invoice terminal binding. The time window constraints are used to extract historical disclosure trajectories and calculate the risks of leaked budget liabilities and collaborative splicing. Based on the leaked budget liabilities at the time of the last request, after time decay, the leaked budget liabilities are updated by combining the field sensitivity, structural coupling increment, key structural enhancements and counterfactual recoverable gains corresponding to the current viewing request. Furthermore, the risk score for dynamic reconstruction is calculated by combining collaborative splicing risk and terminal credibility. Based on the dynamic reconstruction risk score and dynamic threshold strategy, a control and display decision is generated from among the following: refuse to view, statistical summary disclosure, anonymized disclosure, single-person approval disclosure, or dual-person approval isolated disclosure.

2. The method according to claim 1, characterized in that, The structured log object is represented as: ; in, For metadata fields, For semantic fragmentation domains, For relational fingerprint fields, For the control strategy domain; the relation fingerprint domain includes object set hash, connection pattern hash, predicate template hash and object access path hash; fields belonging to the same field group in the semantic fragmentation domain are encrypted using an authentication encryption function.

3. The method according to claim 1, characterized in that, The heterogeneous reconstruction diagram is represented as follows: ; in, For a collection of field nodes, A collection of business object nodes. For the set of nodes representing the query intent; Represents the set of edges; This represents a time-varying edge weight matrix, which is updated based on the same disclosure relationship, the same connection template relationship, and the same business object relationship.

4. The method according to claim 1, characterized in that, The dynamic threshold strategy includes dynamic thresholds. , , and And satisfy: ; in, Based on the threshold, For adjustment coefficients, For the normalized leaked budget liabilities, The normalized terminal credibility satisfies: ; Based on the score and dynamic threshold, a control and display decision is generated. : ; in, To refuse to view, For the double approval of quarantine disclosure, Disclosure approved by a single individual. For the purpose of desensitization disclosure, For statistical summary disclosure.

5. The method according to any one of claims 1 to 4, characterized in that, Based on the aforementioned dynamic reconstruction risk score and dynamic threshold strategy, after generating a control / disclosure decision from among refusing to view, statistical summary disclosure, anonymized disclosure, single-person approved disclosure, or dual-person approved segregated disclosure, the process further includes: If the control and display decision requires approval, a context summary to be approved is generated for approval, and a restricted view ticket is generated after approval, and a one-time view key is derived based on the restricted view ticket.

6. The method according to claim 5, characterized in that, After deriving a one-time view key based on the restricted view ticket, the method further includes: Using the one-time view key, selective field-level decryption is performed only on the approved fields, outputting a minimum necessary view with watermark in a trusted environment.

7. The method according to claim 6, characterized in that, After using the one-time view key to perform field-level selective decryption only on the approved fields, and outputting the minimum necessary watermarked view in a trusted environment, the process further includes: View behavior, invoice summary, risk score, control decision, view summary and timestamp are written into a separate secondary audit chain.

8. An audit log anti-reconstruction control and display system, characterized in that, include: The log normalization module is used to collect database audit logs and perform syntax normalization, mapping each log entry to a structured log object. The structured log object includes a metadata field, a semantic sharding field, a relational fingerprint field, and a control policy field, and the semantic sharding field is encrypted. The reconstruction graph maintenance module is used to maintain the historical disclosure status for each audit entity and construct a heterogeneous reconstruction graph. The heterogeneous reconstruction graph records the association between fields, business objects and query intents in the historical disclosure process of the audit entity, and is used to calculate the structural coupling increment and counterfactual recoverable gain. The risk assessment module receives viewing requests from the audit entity for a set of fields to be disclosed in the target audit log. It parses the requested field set, declared purpose, target object scope, request terminal information, and time window constraints based on the corresponding structured log object. Based on the time decay of the leaked budget liabilities at the time of the last request, it updates the leaked budget liabilities by combining the field sensitivity, structural coupling increment, key structural enhancements, and counterfactual recoverable gain corresponding to the current viewing request. Furthermore, it calculates a dynamic reconstruction risk score by combining collaborative splicing risk and terminal credibility. Specifically, the requested field set is used for calculating field sensitivity, structural coupling increment, key structural enhancements, and counterfactual recoverable gain; the declared purpose is used for purpose compliance verification, approval determination, generation of restricted view invoices, and post-audit tracing; the target object scope is used to limit the update range of business object nodes in the heterogeneous reconstruction graph and calculate counterfactual recoverable gain; the request terminal information is used for terminal credibility assessment and invoice terminal binding; and the time window constraints are used to extract historical disclosure trajectories and calculate leaked budget liabilities and collaborative splicing risk. The strategy decision module is used to generate a control and display decision based on the dynamic reconstruction risk score and dynamic threshold strategy, including refusing to view, statistical summary disclosure, anonymized disclosure, single-person approval disclosure, or dual-person approval isolated disclosure.

9. A computer device, characterized in that, The method includes a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program, it implements the method according to any one of claims 1 to 7.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the method described in any one of claims 1 to 7.