A data encryption method based on enterprise data security management
By using data lineage fingerprinting and dual-layer key wrapping reconstruction technology, the encryption strength is dynamically adjusted, solving the problem of low efficiency in security attribute synchronization and permission revocation in enterprise data encryption management, and realizing efficient security control under a distributed data architecture.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HAITIANDI DIGITAL TECH (BEIJING) CO LTD
- Filing Date
- 2026-03-10
- Publication Date
- 2026-06-12
AI Technical Summary
Existing enterprise data encryption management mechanisms cannot effectively synchronize security attributes under a distributed data architecture, resulting in derived data being out of security supervision. Furthermore, traditional permission revocation and policy changes consume high computing resources, affecting the efficiency of dynamic data security management and cross-departmental analysis.
By extracting data lineage fingerprints to generate security attribute algorithm layer inheritance, combined with a two-layer architecture to perform key wrapping layer reconstruction, and using risk assessment functions to dynamically adjust encryption strength, second-level permission revocation and flexible key management are achieved.
It extends data security strategies at the algorithm level, supports second-level dynamic management of massive amounts of data, solves the problems of high resource consumption and high latency of traditional encryption mechanisms, and achieves a balance between security and availability.
Smart Images

Figure CN122197047A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of data security and information processing technology, specifically a data encryption method based on enterprise data security management. Background Technology
[0002] With the rapid development of the digital economy, data has become a core strategic asset for enterprises. In the production and operation processes of large enterprises, especially multinational or cross-industry organizations, data exhibits characteristics of large-scale, high-frequency flow and multi-business domain interaction. To improve business decision-making efficiency, data often needs to undergo a series of complex processing steps, such as cleaning, aggregation, and anonymization, from the original database to form derived datasets for downstream analysis. Under complex distributed data architectures, ensuring the security of data throughout its entire lifecycle has become a significant challenge for enterprises in their digital transformation.
[0003] However, existing enterprise data encryption management mechanisms still have significant limitations when dealing with the above scenarios:
[0004] First, in a distributed data architecture, data is frequently processed and transferred between different business domains. Current technologies lack effective mechanisms for transferring security attributes, resulting in the encryption strength and protection strategies of the original data failing to extend synchronously to derived data along with data lineage. This makes downstream processed data highly susceptible to escaping security oversight, creating security gaps in the enterprise's data governance system.
[0005] Second, traditional permission revocation or policy change usually requires full re-encryption of the large amount of existing data in the underlying storage. When dealing with massive amounts of data, this consumes extremely high computing resources and storage space, and causes significant processing delays. As a result, it is impossible to achieve real-time blocking of data access permissions during business operations, which is not easy to meet the real-time needs of enterprises for dynamic data security management.
[0006] Third, existing encryption control methods often conflict between security and usability. Static, coarse-grained encryption methods adopted to ensure security greatly limit the efficiency of cross-departmental or cross-regional data joint analysis. Due to the lack of flexible key management structures and policy matching mechanisms, data in complex sharing scenarios either cannot be effectively utilized due to over-protection or necessary security protection is sacrificed in pursuit of business efficiency.
[0007] This invention proposes a data encryption method based on enterprise data security management. It achieves algorithmic inheritance of security attributes by extracting data lineage fingerprints, dynamically adjusts encryption strength using a risk assessment function, and combines a two-layer architecture to reconstruct the key wrapping layer, enabling second-level permission revocation for massive amounts of data. This addresses the shortcomings of uncontrolled security policies and low management performance in distributed architectures. Summary of the Invention
[0008] To address the shortcomings of existing technologies, this invention provides a data encryption method based on enterprise data security management to solve the problems mentioned in the background section.
[0009] To achieve the above objectives, the present invention provides the following technical solution: a data encryption method based on enterprise data security management, comprising:
[0010] Step 1: Logically segment the dataset to be encrypted to generate several data segments, assign a globally unique identifier to each data segment, and calculate the proportional parameter based on the step size of the data segment and the metadata volume.
[0011] Step 2: Use the tracing engine to extract the topological features of the lineage graph corresponding to each data segment, perform standardized encoding on the node paths and flow operators in the lineage graph, and generate lineage fingerprints bound to each data segment through hash operation;
[0012] Step 3: Collect and access multi-dimensional risk factors of data segments with bloodline fingerprints, input the multi-dimensional risk factors into the preset risk assessment function to calculate the real-time risk score, and map the corresponding encryption strength level and key re-wrapping cycle according to the real-time risk score.
[0013] Step 4: Concatenate the globally unique identifier, lineage fingerprint, encryption strength level, and preset data classification and grading labels to construct key generation context metadata. Input the key generation context metadata into a hash-based key derivation function to generate the underlying data encryption key.
[0014] Step 5: Use the underlying data encryption key to perform symmetric encryption on each data segment to generate ciphertext data segments. Use the system-level key to encapsulate the underlying data encryption key to generate key wrapping layer metadata. Then, physically isolate and store the ciphertext data segments and key wrapping layer metadata.
[0015] Step 6: When an abnormal fluctuation in the real-time risk score is detected, a reconstruction operation is performed on the metadata of the key wrapping layer. This is done by blocking the parsing and acquisition of the underlying data encryption key in order to revoke access to the ciphertext data segment.
[0016] Preferably, the ratio parameter in step one satisfies the judgment condition: the quotient of the volume of the metadata of the key wrapping layer and the step size is defined as the metadata expansion coefficient. If the metadata expansion coefficient exceeds the preset performance loss upper limit threshold, the step size is increased by dynamically fusing adjacent logical segments until the ratio parameter falls back to the preset equilibrium range.
[0017] Preferably, the kinship graph topological features in step two include the set of upstream nodes, the set of flowing edges, and the operator types in the data processing process as the data flows through the distributed production environment. The normalization encoding process transforms the unstructured kinship topology into a binary character sequence with strong temporal characteristics by performing weight calibration on the path depth of the upstream node set.
[0018] Preferably, the risk assessment function in step three satisfies the following formula:
[0019] ,
[0020] in, For real-time risk scores, For user anomaly factor, For equipment reliability factor, As an environmental threat factor, , , These are the preset weighting coefficients for each factor.
[0021] Preferably, the hash-based key derivation function in step four satisfies the following formula:
[0022] ,
[0023] in, The encryption key for the underlying data. The random salt value is extracted from the security metadata management node. Generate context metadata for the key containing the bloodline fingerprint. The output length of the encryption key for the underlying data is specified, and the key generates context metadata to ensure key isolation for the same original data across different lineage paths.
[0024] The output length of the underlying data encryption key in step four It is positively correlated with the encryption strength level, and when the risk level increases, the output bit width of the underlying data encryption key is automatically increased, and the number of iterations of the hash-based key derivation function is adjusted synchronously.
[0025] Preferably, the physical isolation storage in step five includes: storing the ciphertext data segment in a large-scale distributed file system, storing the key wrapping layer metadata in a metadata server protected by a hardware security module, and performing a strong mapping association across storage media at the logical layer through a logical index number with atomicity characteristics.
[0026] Preferably, the reconstruction operation in step six includes: issuing a permission revocation instruction for a specific access subject, performing secondary encapsulation on the original underlying data encryption key based on the updated context metadata and the current timestamp slice, so that the old key wrapping layer becomes invalid in both the time and logical dimensions.
[0027] Preferably, the basis for determining the abnormal fluctuation of the real-time risk score in step six is: within a preset sliding time window, the cumulative deviation of the calculated continuous risk value sequence from the baseline risk value exceeds a preset tolerance percentage, and the abnormal fluctuation triggers the automatic shortening of the effective lifespan of the key wrapping layer metadata.
[0028] Preferably, the dynamic adjustment process of the proportional parameter includes: establishing a nonlinear regression model of step size and decryption delay time, setting the upper limit threshold of performance loss according to the output of the nonlinear regression model, and simultaneously performing index remapping on the globally unique identifier during the process of increasing the step size to ensure addressing consistency after logical segment fusion.
[0029] Preferably, the normalized encoding process of the kinship map topological features includes: extracting the information entropy increment of the processing operator in the kinship link, assigning asymmetric hash calculation masks to different path nodes, so that the final generated kinship fingerprint has the uniqueness of the topological structure and has the sensitivity judgment feature for privacy leakage sensitive points in the data flow path.
[0030] Step one enables fine-grained addressing and management of massive datasets by logically segmenting them and assigning unique identifiers. At the same time, the calculation of the proportional parameters provides a quantitative adjustment basis for balancing storage overhead and decryption performance, effectively improving the system's flexibility when processing complex datasets.
[0031] Step two utilizes the lineage fingerprint generated by the traceability engine to transform the data flow path and processing logic into immutable mathematical features, ensuring that data security attributes can be automatically extended from the processing process to the derived data, thereby eliminating the risk of regulatory gaps caused by data flow in a distributed environment from the root.
[0032] Step 3, through the linkage of multi-dimensional risk factors and evaluation functions, enables the encryption strategy to perceive and adaptively adjust in real time according to user behavior and environmental threats. While ensuring the defense strength in high-risk scenarios, it optimizes access performance in low-risk environments, achieving a precise balance between security and availability.
[0033] Step four involves deeply coupling global identifiers, lineage characteristics, risk levels, and classification labels to construct a key context. This ensures that the key derivation process has high environmental sensitivity and path uniqueness, and achieves logical isolation of data under different lineage paths at the algorithm level, greatly enhancing the collision resistance of the key system.
[0034] Step 5 employs a physically isolated storage architecture with ciphertext and key wrapping layers. It utilizes system-level keys to perform secondary encapsulation of the underlying keys, which significantly reduces the size of management metadata while ensuring the security of core data storage, laying a solid architectural foundation for achieving efficient permission changes and access control.
[0035] Step six, by reconstructing the metadata of the micro-key wrapper layer, can instantly block unauthorized access without touching the massive amount of ciphertext at the underlying level. This greatly reduces the consumption of computing resources and processing delays when permissions are revoked, ensuring that enterprises have the control capability to respond in seconds when dealing with security fluctuations.
[0036] This invention provides a data encryption method based on enterprise data security management. It has the following beneficial effects:
[0037] 1. This invention employs lineage graph feature extraction and fingerprint encoding association technology to achieve the technical effect of automatic inheritance of security attributes through data processing and flow, thereby realizing the forced extension of security strategies at the algorithm logic level and solving the defense gap caused by the lack of a transmission mechanism for derived data to escape supervision.
[0038] 2. This invention adopts a two-layer association encryption and key wrapping layer logic reconstruction scheme to achieve the technical effect of blocking permissions by operating on extremely small amounts of metadata, realizing second-level dynamic control under massive data, and solving the shortcomings of traditional full-volume re-encryption mechanism such as high resource consumption and large processing delay.
[0039] 3. This invention adopts a multi-dimensional risk modeling and encryption strength adaptive matching mechanism to achieve the technical effect of dynamically adjusting the encryption strategy according to the access context environment, realize a precise dynamic balance between security protection and business sharing, and solve the problem of low data utilization caused by static coarse-grained encryption. Attached Figure Description
[0040] Figure 1 This is a flowchart illustrating a data encryption method based on enterprise data security management according to the present invention. Detailed Implementation
[0041] To enable those skilled in the art to understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. Other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort should fall within the scope of protection of the present invention.
[0042] The present invention will now be described in detail with reference to the accompanying drawings:
[0043] Example 1: Cross-domain R&D data lifecycle protection based on bloodline fingerprints
[0044] In the collaborative R&D scenario of large high-end manufacturing enterprises, involving The design blueprints went through a complex process from the R&D center to the outsourced manufacturers and then to the third-party quality inspection agencies.
[0045] Technical execution logic: When the original design drawings of the R&D center are defined as a dataset to be encrypted, the system initiates segmented logical processing. It dynamically calculates the initial step size by establishing a nonlinear regression model of step size and decryption delay, and assigns a globally unique identifier to each segment. The subsequent tracing engine begins full-process tracking: data flows from the R&D end to the external collaboration end through feature parameterization operators, and then to the quality inspection end through model simplification operators. The system captures the topological features of this chain in real time, performs weight calibration on the path depth of each node, and transforms the unstructured lineage topology into a binary character sequence with strong temporal characteristics.
[0046] During this process, the system focuses on the flow path and, by extracting the information entropy increment of each processing operator in the lineage link, assigns asymmetric hash calculation masks to different path nodes. When an external unit receives data through the gateway, a lineage fingerprint with strong temporal characteristics is injected into the key generation context metadata during the key derivation stage. This means that the underlying data encryption key is inextricably anchored to a specific flow path. If the external unit attempts to bypass the quality inspection process and directly send the data to a third party without access to the original parameters, the calculated lineage fingerprint will deviate from the verification due to the lack of necessary operator features and path encoding in the flow path. This results in the inability to derive the correct underlying encryption key, thereby blocking the risk of unauthorized data flow to derivative links at the algorithm level and achieving the forced inheritance of security attributes through lineage relationships.
[0047] Example 2: Security Enhancement of High-Frequency Financial Trading Based on Real-Time Risk Profiling
[0048] In a commercial bank's cross-border payment and clearing system, data access requests are characterized by high frequency and variability, and traditional static encryption methods cannot cope with instantaneous fraud risks and environmental threats.
[0049] Technical Execution Logic: The system continuously monitors the data access environment and captures multi-dimensional risk factors in real time through collection plugins distributed across various business locations. The system substitutes user anomaly factors, device trustworthiness factors, and environmental threat factors into a preset risk assessment function, calculating a real-time risk score using preset weighting coefficients for each factor. If an account is detected attempting to initiate a large-amount query through an unencrypted tunnel in a remote location during the early morning hours, the system will calculate the cumulative deviation of the continuous risk value sequence from the baseline risk value within a preset sliding time window. When this deviation exceeds a preset tolerance percentage, the system determines that the real-time risk score has experienced abnormal fluctuations.
[0050] At this point, the system immediately activates adaptive adjustment logic, instantly switching from the low-strength encryption level to a high-strength level based on the real-time risk score mapping. During key derivation, the system automatically increases the output bit width of the underlying data encryption key and simultaneously adjusts the iteration hash count of the hash-based key derivation function. Simultaneously, this abnormal fluctuation triggers the system to automatically shorten the effective lifespan of the key wrapping layer metadata and performs a secondary encapsulation of the original underlying key based on the current timestamp, rendering the old key wrapping layer invalid in both the time and logical dimensions. This mechanism ensures that even if the accessing entity holds legitimate credentials, in a deteriorating risk environment, the system can achieve real-time and accurate protection of core financial data by dynamically increasing the cost of cracking and shortening key expiration.
[0051] Example 3: Efficient Operation and Maintenance Management of Heterogeneous Data in the Cloud Based on a Two-Layer Decoupled Architecture
[0052] In distributed cloud databases supporting large-scale business operations, the core challenge of enterprise governance is how to achieve low-loss access control for massive amounts of existing data, given the extremely frequent turnover of operations and maintenance personnel and policy changes.
[0053] Technical Execution Logic: For massive unstructured log data in the cloud, the system strictly implements a dynamic balancing strategy when performing logical segmentation. The system defines the quotient of the key-wrapped layer metadata volume and the step size as the metadata inflation coefficient. If this coefficient exceeds a preset performance loss limit threshold, the system dynamically merges adjacent logical segments to increase the step size until the ratio parameter falls back to the preset equilibrium range. Simultaneously, the globally unique identifier is re-indexed to ensure addressing consistency after merging. In terms of storage architecture, the system stores the encrypted data segments in a large-scale distributed file system, while the critical key-wrapped layer metadata is stored in a metadata server protected by a hardware security module. The two are strongly mapped across storage media through logical index numbers with atomic characteristics.
[0054] When a batch permission revocation command is triggered, the system performs a reconstruction operation. Instead of re-encrypting massive amounts of encrypted data in the distributed file system, the system extracts the relevant logical index numbers for revocation commands from specific access subjects and performs a secondary encapsulation of a tiny key layer based on the updated context metadata. This reconstruction operation blocks the parsing and acquisition of the underlying data encryption key, causing the original permissions to become invalid at the logical layer instantaneously. Because this operation involves a very small amount of metadata change and does not involve the physical transfer of the underlying encrypted data, the overall permission revocation process is almost imperceptible to business operations, successfully solving the real-time management challenge in large-scale cloud environments.
[0055] Embodiments of the present invention have been presented and described. It will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.
Claims
1. A data encryption method based on enterprise data security management, characterized in that, include: Step 1: Logically segment the dataset to be encrypted to generate several data segments, assign a globally unique identifier to each data segment, and calculate the proportional parameter based on the step size of the data segment and the metadata volume. Step 2: Use the tracing engine to extract the topological features of the lineage graph corresponding to each data segment, perform standardized encoding on the node paths and flow operators in the lineage graph, and generate lineage fingerprints bound to each data segment through hash operation; Step 3: Collect and access multi-dimensional risk factors of data segments with bloodline fingerprints, input the multi-dimensional risk factors into the preset risk assessment function to calculate the real-time risk score, and map the corresponding encryption strength level and key re-wrapping cycle according to the real-time risk score. Step 4: Concatenate the globally unique identifier, lineage fingerprint, encryption strength level, and preset data classification and grading labels to construct key generation context metadata. Input the key generation context metadata into a hash-based key derivation function to generate the underlying data encryption key. Step 5: Use the underlying data encryption key to perform symmetric encryption on each data segment to generate ciphertext data segments. Use the system-level key to encapsulate the underlying data encryption key to generate key wrapping layer metadata. Then, physically isolate and store the ciphertext data segments and key wrapping layer metadata. Step 6: When an abnormal fluctuation in the real-time risk score is detected, a reconstruction operation is performed on the metadata of the key wrapping layer. This is done by blocking the parsing and acquisition of the underlying data encryption key in order to revoke access to the ciphertext data segment.
2. The data encryption method based on enterprise data security management according to claim 1, characterized in that, In step one, the ratio parameter meets the judgment condition: the quotient of the volume of the metadata of the key wrapping layer and the step size is defined as the metadata expansion coefficient. If the metadata expansion coefficient exceeds the preset performance loss upper limit threshold, the step size is increased by dynamically fusing adjacent logical segments until the ratio parameter falls back to the preset equilibrium range.
3. The data encryption method based on enterprise data security management according to claim 1, characterized in that, In step two, the kinship graph topological features include the set of upstream nodes, the set of flowing edges, and the operator types in the data processing process during the data flow in the distributed production environment. The normalization encoding process transforms the unstructured kinship topology into a binary character sequence with strong temporal characteristics by performing weight calibration on the path depth of the upstream node set.
4. The data encryption method based on enterprise data security management according to claim 1, characterized in that, The risk assessment function in step three satisfies the following formula: , in, For real-time risk scores, For user anomaly factor, For equipment reliability factor, As an environmental threat factor, , , These are the preset weighting coefficients for each factor.
5. A data encryption method based on enterprise data security management according to claim 1, characterized in that, The hash-based key derivation function in step four satisfies the following formula: , in, The encryption key for the underlying data. The random salt value is extracted from the security metadata management node. Generate context metadata for the key containing the bloodline fingerprint. The output length of the encryption key for the underlying data is specified, and the key generates context metadata to ensure key isolation for the same original data across different lineage paths. The output length of the underlying data encryption key in step four It is positively correlated with the encryption strength level, and when the risk level increases, the output bit width of the underlying data encryption key is automatically increased, and the number of iterations of the hash-based key derivation function is adjusted synchronously.
6. A data encryption method based on enterprise data security management according to claim 1, characterized in that, The physical isolation storage in step five includes: storing the ciphertext data segment in a large-scale distributed file system, storing the key wrapping layer metadata in a metadata server protected by a hardware security module, and performing a strong mapping association across storage media at the logical layer through a logical index number with atomicity characteristics.
7. A data encryption method based on enterprise data security management according to claim 1, characterized in that, The reconstruction operation in step six includes: issuing a permission revocation instruction for a specific access subject, performing secondary encapsulation on the original underlying data encryption key based on the updated context metadata and the current timestamp slice, so that the old key wrapping layer becomes invalid in both the time and logical dimensions.
8. A data encryption method based on enterprise data security management according to claim 1, characterized in that, The basis for determining the abnormal fluctuation of the real-time risk score in step six is: within a preset sliding time window, the cumulative deviation of the calculated continuous risk value sequence from the baseline risk value exceeds a preset tolerance percentage, and the abnormal fluctuation triggers the automatic shortening of the effective lifespan of the key wrapping layer metadata.
9. A data encryption method based on enterprise data security management according to claim 2, characterized in that, The dynamic adjustment process of the proportional parameter includes: establishing a nonlinear regression model of step size and decryption delay time; setting the upper limit threshold of performance loss based on the output of the nonlinear regression model; and simultaneously remapping the index of the globally unique identifier during the process of increasing the step size to ensure addressing consistency after logical segment fusion.
10. A data encryption method based on enterprise data security management according to claim 3, characterized in that, The standardized encoding process of the kinship map topological features includes: extracting the information entropy increment of the processing operator in the kinship link, assigning asymmetric hash calculation masks to different path nodes, so that the final generated kinship fingerprint has the uniqueness of the topological structure and has the sensitivity judgment feature for privacy leakage sensitive points in the data flow path.