A method for heterogeneous information security integration for distributed projects

By constructing a federated three-tier trusted architecture and a full-link zero-trust system, the problem of insufficient security and reliability of traditional information integration methods in distributed scenarios is solved, and efficient, secure cross-domain integration and privacy protection of multi-source heterogeneous data are achieved.

CN122197090APending Publication Date: 2026-06-12SHANDONG XINSHUICHENG PROJECT MANAGEMENT CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHANDONG XINSHUICHENG PROJECT MANAGEMENT CO LTD
Filing Date
2026-03-10
Publication Date
2026-06-12

AI Technical Summary

Technical Problem

Traditional information integration methods are difficult to adapt to the high security and high reliability requirements of distributed scenarios, especially in terms of cross-domain sharing and privacy protection of multi-source heterogeneous data sources.

Method used

A federated three-layer trusted architecture is constructed, including a federated master scheduling node cluster, multi-domain edge agent nodes, and trusted execution environment (TEE) computing power nodes. Cross-domain data integration is achieved through a full-link zero-trust system. Intra-domain semantic ontology deconstruction and cross-domain encrypted semantic alignment are adopted, combined with hierarchical desensitization, homomorphic encryption, and TEE encrypted computing to perform data encryption and integrated computing. Data security is ensured through digital twin verification and blockchain notarization.

Benefits of technology

It achieves full-lifecycle trusted management and control of distributed cross-domain nodes, efficiently resolves semantic conflicts in the integration of multi-source heterogeneous data, integrates hierarchical desensitization and homomorphic encryption, ensures data privacy and security, and improves the compliance and reliability of integration operations.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122197090A_ABST
    Figure CN122197090A_ABST
Patent Text Reader

Abstract

The present application belongs to the technical field of data integration, and particularly relates to a heterogeneous information security integration method for distributed projects. It aims to solve the problems of low integration efficiency, insufficient privacy protection and poor security reliability of existing distributed projects across business domains. The present application first constructs a federated three-layer trusted architecture and a full-link zero-trust system; through edge proxy nodes, it completes the access of heterogeneous data sources and the collection of metadata, completes intra-domain heterogeneous resolution based on a semantic ontology model, synchronizes to the corresponding TEE computing nodes after hierarchical desensitization and homomorphic encryption; after zero-trust secondary verification, it completes cross-domain encrypted semantic alignment and integrated calculation in the TEE isolated environment, and through real-time verification by a digital twin model, finally completes consistency verification and alliance blockchain tamper-proof storage. The present application can realize efficient and secure integration of heterogeneous data, protect data privacy and security throughout the process, and adapt to the high security requirements of distributed project cross-domain collaboration.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of data integration technology, and in particular relates to a method for secure integration of heterogeneous information in distributed projects. Background Technology

[0002] Digital transformation is driving the large-scale deployment of distributed projects across various fields. These projects are often deployed across business domains, resulting in multi-source heterogeneous data sources with varying structures, formats, and semantics. Efficient integration of heterogeneous information has become a core requirement for unlocking data value and achieving cross-domain business collaboration. Furthermore, issues such as cross-domain sharing of distributed data and privacy protection need to be addressed as critical requirements. Traditional information integration methods are no longer adequate for the high security and reliability requirements of distributed scenarios. Summary of the Invention

[0003] In view of the technical problems existing in the background art, the present invention proposes a method for secure integration of heterogeneous information in distributed projects.

[0004] To achieve the above objectives, the technical solution adopted by the present invention includes the following steps:

[0005] S1. Construct a federated three-tier trusted architecture for the integration of heterogeneous information in distributed projects. The three-tier trusted architecture includes a federated master scheduling node cluster, multi-domain edge agent nodes divided according to the business domains of distributed projects, and trusted execution environment (TEE) computing power nodes that are bound to each business domain. Complete the initial configuration of the three-tier trusted architecture and build a zero-trust system covering the entire link.

[0006] S2. For multiple heterogeneous data sources within each business domain, the edge proxy node of the corresponding business domain completes the access authentication and full-dimensional metadata collection of the heterogeneous data sources. Based on the collected metadata, a unified semantic ontology model of heterogeneous data sources within the domain is constructed. The first layer of heterogeneity resolution within the domain is completed through the semantic ontology model, and a standardized semantic dataset within the domain is generated.

[0007] S3, the edge agent node, based on the data security classification rules of the distributed project, performs data security classification and corresponding level de-identification processing on the standardized semantic dataset, and uses homomorphic encryption algorithm to encrypt the de-identified dataset to generate the encrypted dataset of the corresponding security level; at the same time, it generates the integrated permission declaration and unique digital digest corresponding to the encrypted dataset, and synchronizes the encrypted dataset, integrated permission declaration, and digital digest to the isolated storage area of ​​the TEE computing power node of the corresponding business domain.

[0008] S4. The edge agent node initiates a cross-domain heterogeneous information integration request to the federated master scheduling node cluster. The federated master scheduling node cluster performs zero-trust identity secondary verification on the edge agent node that initiated the request. After the verification is passed, it parses the business rules and data boundaries corresponding to the integration request, generates a cross-domain integration scheduling scheme based on the business rules, and sends the scheduling instructions and cross-domain semantic alignment rules to the TEE computing power nodes of the corresponding business domain.

[0009] S5. After receiving the scheduling instruction, each TEE computing node first completes the trusted state verification of its own TEE isolation environment. After the verification is passed, it completes the encrypted semantic alignment and integration calculation of the multi-domain encrypted dataset within the TEE isolation environment based on the cross-domain semantic alignment rules, and generates the initial multi-source integrated dataset. At the same time, based on the pre-trained digital twin verification model, it performs real-time simulation verification of the entire integration calculation process, identifies abnormal integration points, performs reversible rollback operations on abnormal points, and generates a full-process integration operation storage certificate for the verified initial multi-source integrated dataset.

[0010] S6 and TEE computing power nodes synchronize the verified multi-source integrated dataset and integrated operation evidence storage certificate to the federated master scheduling node cluster. The federated master scheduling node cluster performs full consistency verification and digital digest verification on the multi-source integrated dataset. After the verification is passed, the final compliant integrated dataset is generated, and the integrated operation evidence storage certificate is uploaded to the consortium blockchain for tamper-proof storage. At the same time, a traceable unique data identifier is generated for the final compliant integrated dataset.

[0011] Preferably, in step S2, the process of constructing a unified semantic ontology model of heterogeneous data sources within the domain based on the collected metadata, and generating a standardized semantic dataset within the domain by completing the first layer of heterogeneity resolution through the semantic ontology model, specifically includes:

[0012] Based on the collected metadata, the core concepts, concept attributes, inter-concept relationships and data constraint rules of each heterogeneous data source are extracted to construct a basic semantic ontology within the domain;

[0013] The metadata of each heterogeneous data source is mapped to the basic semantic ontology within the domain, completing ontology concept alignment, attribute mapping, semantic conflict resolution and data type standardization. Semantic conflict resolution includes same-name conflict resolution, synonym conflict resolution and data granularity conflict resolution.

[0014] Based on the mapped semantic ontology, the original heterogeneous data from various heterogeneous data sources are transformed into standardized semantic datasets that conform to a unified semantic specification, and semantic mapping logs corresponding to the datasets are generated.

[0015] Preferably, in step S3, the data hierarchical desensitization and encryption process specifically includes:

[0016] Based on the industry compliance requirements and data sensitivity of distributed projects, a data security classification rule is preset to divide the data into four security levels: public, internal, sensitive and core.

[0017] For datasets with different security levels, corresponding de-identification algorithms are configured. Public-level data is de-identified with format preservation, internal-level data is de-identified with masking, and sensitive and core-level data are de-identified with irreversible de-identification and differential privacy protection.

[0018] An encryption algorithm that supports homomorphic operations is used to encrypt the anonymized dataset field by field to generate an encrypted dataset;

[0019] A unique digital digest is generated based on the hash value of the encrypted dataset, and an integrated permission statement is generated based on the data security level and business rules. The integrated permission statement includes the scope of data availability, executable operations, usage time limit, and access subject restrictions.

[0020] Preferably, the process of generating the zero-trust identity secondary verification and cross-domain integrated scheduling scheme in step S4 specifically includes:

[0021] After receiving the integration request from the edge agent node, the federated master scheduling node cluster performs a second verification on the device identity, operating entity identity, and node environment trust status of the edge agent node based on the zero trust system. At the same time, it verifies the timeliness and permissions of the integration request. If the verification fails, the integration request is directly rejected and the audit log is recorded. If the verification passes, the integration request is parsed.

[0022] Based on the parsed business rules, the data source scope, data calculation rules, integration timeliness requirements and security compliance requirements of the integration task are extracted, and the second alignment of the cross-domain semantic ontology is completed to generate cross-domain semantic alignment rules.

[0023] Based on the computing power requirements of the integrated task and the load status of each TEE computing power node, computing power resources and timing execution rules are allocated to the integrated task to generate a cross-domain integrated scheduling scheme. The scheduling scheme includes data alignment rules, dense computing logic, execution timing, node division of labor and exception handling rules.

[0024] Preferably, step S5, the process of TEE internal dense-state integration calculation and real-time verification specifically includes:

[0025] After receiving the scheduling instruction, the TEE computing power node completes the trusted status verification of its own TEE isolation environment through the remote proof service. If the verification fails, it reports the exception to the federated main scheduling node cluster and terminates the task. If the verification passes, it retrieves the corresponding encrypted dataset from the isolation storage area.

[0026] Within the TEE isolated environment, based on cross-domain semantic alignment rules, the encrypted semantic alignment and primary key mapping of the multi-domain encrypted dataset are completed. Based on the encrypted computation logic in the scheduling scheme, homomorphic encrypted integration computation is performed to generate the initial multi-source integrated dataset.

[0027] By calling a pre-trained digital twin verification model, the entire process of integrated computing and data flow is input into the digital twin verification model for real-time simulation and comparison to identify abnormal integration points such as missing data, duplicate data, semantic conflicts, and abnormal computing logic.

[0028] For any identified abnormal integration points, a reversible rollback operation is performed based on the integration operation log to re-execute the integration calculation for the corresponding points until the verification is passed. For the initial multi-source integration dataset that has passed the full verification, a full-process integration operation certificate containing the operation subject, operation sequence, calculation logic, data flow, and verification results is generated.

[0029] Preferably, step S6, the consistency verification and blockchain evidence storage process specifically includes:

[0030] After receiving the multi-source integrated dataset and the integration operation certificate, the federated master scheduling node cluster performs a full consistency hash verification on the multi-source integrated dataset based on the digital digest uploaded by each domain. At the same time, it verifies the integration permission declaration and compliance of the dataset. If the verification fails, it returns to the corresponding TEE computing power node to re-execute the integration calculation. If the verification passes, it generates the final compliant integrated dataset.

[0031] To generate a traceable and unique data identifier for the final compliant integrated dataset, the data identifier is associated with the dataset's data, semantic mapping logs, integration operation evidence storage certificate, and blockchain evidence storage address;

[0032] The integrated operation evidence certificate, digital digest of the dataset, unique data identifier, and access permission information are packaged into an on-chain block, and the on-chain evidence is completed through the consensus mechanism of the consortium blockchain. At the same time, an on-chain index is built for the traceability query of the dataset.

[0033] Compared with existing technologies, the advantages and positive effects of this invention are as follows: it constructs a federated three-layer trusted architecture and a matching end-to-end zero-trust system to achieve full-lifecycle trusted management and control of distributed cross-domain nodes, adapting to the deployment characteristics of distributed projects in multiple business domains; it adopts a two-layer scheme of intra-domain semantic ontology heterogeneity resolution and cross-domain encrypted semantic alignment to efficiently solve the semantic conflict problem of multi-source heterogeneous data integration; it integrates hierarchical desensitization, homomorphic encryption, and TEE encrypted computation to achieve encrypted processing of data throughout the entire process, eliminating privacy leaks at the source; and through real-time verification of digital twins and tamper-proof blockchain evidence storage, it achieves controllable and traceable integration process with rollback capability for anomalies, significantly improving the compliance and reliability of integration operations. Attached Figure Description

[0034] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0035] Figure 1 This is a flowchart illustrating a method for heterogeneous information security integration in distributed projects. Detailed Implementation

[0036] To better understand the above-mentioned objectives, features, and advantages of the present invention, the present invention will be further described below in conjunction with the accompanying drawings and embodiments. It should be noted that, unless otherwise specified, the embodiments and features described in these embodiments can be combined with each other.

[0037] Numerous specific details are set forth in the following description in order to provide a full understanding of the invention. However, the invention may also be practiced in other ways than those described herein, and therefore the invention is not limited to the specific embodiments disclosed in the following specification.

[0038] like Figure 1 As shown, a method for heterogeneous information security integration in distributed projects includes the following steps:

[0039] S1. Construct a federated three-tier trusted architecture for the integration of heterogeneous information in distributed projects. The three-tier trusted architecture includes a federated master scheduling node cluster, multi-domain edge agent nodes divided according to the business domains of distributed projects, and trusted execution environment (TEE) computing power nodes that are bound to each business domain. Complete the initial configuration of the three-tier trusted architecture and build a zero-trust system covering the entire link.

[0040] S2. For multiple heterogeneous data sources within each business domain, the edge proxy node of the corresponding business domain completes the access authentication and full-dimensional metadata collection of the heterogeneous data sources. Based on the collected metadata, a unified semantic ontology model of heterogeneous data sources within the domain is constructed. The first layer of heterogeneity resolution within the domain is completed through the semantic ontology model, and a standardized semantic dataset within the domain is generated.

[0041] S3, the edge agent node, based on the data security classification rules of the distributed project, performs data security classification and corresponding level de-identification processing on the standardized semantic dataset, and uses homomorphic encryption algorithm to encrypt the de-identified dataset to generate the encrypted dataset of the corresponding security level; at the same time, it generates the integrated permission declaration and unique digital digest corresponding to the encrypted dataset, and synchronizes the encrypted dataset, integrated permission declaration, and digital digest to the isolated storage area of ​​the TEE computing power node of the corresponding business domain.

[0042] S4. The edge agent node initiates a cross-domain heterogeneous information integration request to the federated master scheduling node cluster. The federated master scheduling node cluster performs zero-trust identity secondary verification on the edge agent node that initiated the request. After the verification is passed, it parses the business rules and data boundaries corresponding to the integration request, generates a cross-domain integration scheduling scheme based on the business rules, and sends the scheduling instructions and cross-domain semantic alignment rules to the TEE computing power nodes of the corresponding business domain.

[0043] S5. After receiving the scheduling instruction, each TEE computing node first completes the trusted state verification of its own TEE isolation environment. After the verification is passed, it completes the encrypted semantic alignment and integration calculation of the multi-domain encrypted dataset within the TEE isolation environment based on the cross-domain semantic alignment rules, and generates the initial multi-source integrated dataset. At the same time, based on the pre-trained digital twin verification model, it performs real-time simulation verification of the entire integration calculation process, identifies abnormal integration points, performs reversible rollback operations on abnormal points, and generates a full-process integration operation storage certificate for the verified initial multi-source integrated dataset.

[0044] S6 and TEE computing power nodes synchronize the verified multi-source integrated dataset and integrated operation evidence storage certificate to the federated master scheduling node cluster. The federated master scheduling node cluster performs full consistency verification and digital digest verification on the multi-source integrated dataset. After the verification is passed, the final compliant integrated dataset is generated, and the integrated operation evidence storage certificate is uploaded to the consortium blockchain for tamper-proof storage. At the same time, a traceable unique data identifier is generated for the final compliant integrated dataset.

[0045] It should be further explained that, in the specific implementation process, the construction, initialization configuration, and zero-trust system setup of the federated three-tier trusted architecture in step S1 include:

[0046] First, a federated master scheduling node cluster is constructed, consisting of no fewer than three physically isolated trusted scheduling nodes. A distributed consensus database is configured for the cluster, including allocating the total running memory of the database cluster, data synchronization bandwidth between nodes, firewall access control policies, and a whitelist of cluster administrator permissions. A unified scheduling communication protocol and cross-domain data interaction interface are configured for the federated master scheduling node cluster. At the same time, cluster performance testing is completed, including concurrent scheduling stress testing, cluster disaster recovery switching testing, and security attack and defense testing. After all performance tests are passed, the initial configuration of the federated master scheduling node cluster is completed.

[0047] Secondly, according to the business domain division rules of the distributed project, an edge proxy node is configured for each independent business domain, and the data source access permissions of the corresponding business domain are bound to each edge proxy node. The metadata collection module, semantic processing module, data desensitization and encryption module, and communication module of the edge proxy node are configured. A unique device identity and public-private key pair are assigned to each edge proxy node to complete the environment initialization and security hardening of the edge proxy node.

[0048] Furthermore, a Trusted Execution Environment (TEE) computing power node is bound to each edge agent node of each business domain. The TEE computing power node adopts a hardware-level trusted execution environment. Each TEE computing power node is divided into an independent isolated storage area and a secure computing area. The isolated storage area is physically isolated from the external network environment, and only the secure computing area inside the TEE is allowed to read and write data. The remote proof service configuration of the TEE computing power node is completed to realize the remote verification of the trusted status of the TEE environment.

[0049] Finally, a zero-trust system covering the entire link is built based on a three-layer trusted architecture. The configuration of the zero-trust system includes: full-node identity authentication mechanism, continuous environment trusted verification mechanism, least privilege access control mechanism, and full-process operation audit mechanism; a unified identity trust root is configured for the zero-trust system to realize full-link identity verification of all nodes and operating entities.

[0050] It should be further explained that, in the specific implementation process, the process of resolving intra-domain heterogeneity and generating standardized semantic datasets in step S2 specifically includes:

[0051] First, the heterogeneous data sources within the target business domain are numbered, denoted as k. The edge proxy node corresponding to this business domain initiates an access request to the heterogeneous data source numbered k and completes access authentication. The access authentication includes verification of the data source's identity and legality, access permissions, and the security status of the data source environment. If the authentication fails, access to the data source is rejected. If the authentication succeeds, a trusted communication link is established between the edge proxy node and the heterogeneous data source.

[0052] Secondly, through the metadata collection module of the edge proxy node, the full-dimensional metadata collection of all accessed heterogeneous data sources is completed. The collected metadata includes: data source structure metadata, semantic metadata, constraint metadata, data type metadata and business attribute metadata; the collected metadata corresponding to the heterogeneous data source numbered k is denoted as Meta[k].

[0053] Then, based on the collected full metadata, a unified semantic ontology model for heterogeneous data sources within the domain is constructed. The specific process is as follows: Based on the collected metadata Meta[k], the core concepts, concept attributes, inter-concept relationships, and data constraint rules of each heterogeneous data source are extracted to construct a basic semantic ontology within the domain; the metadata Meta[k] of each heterogeneous data source is mapped to the basic semantic ontology within the domain to complete ontology concept alignment, attribute mapping, semantic conflict resolution, and data type standardization. Semantic conflict resolution includes the resolution of homonymous conflicts, homonymous conflicts, and data granularity conflicts; based on the completed semantic ontology, the original heterogeneous data of each heterogeneous data source is converted into a standardized semantic dataset that conforms to the unified semantic specification. At the same time, a semantic mapping log corresponding to the dataset is generated. The semantic mapping log records the mapping relationship between the original data and the standardized data, the conversion rules, and the conflict resolution records.

[0054] It should be further explained that, in the specific implementation process, the data hierarchical desensitization and encryption process in step S3 specifically includes:

[0055] First, based on the industry compliance requirements and data sensitivity of distributed projects, pre-defined data security classification rules are established to divide data into four security levels: public, internal, sensitive, and core. For datasets of different security levels, corresponding de-identification algorithms and rules are pre-configured. Public data is de-identified with format preservation, internal data is de-identified with masking, and sensitive and core data are de-identified with irreversible de-identification and differential privacy protection.

[0056] Secondly, the edge proxy node divides the generated standardized semantic dataset into security levels field by field based on the preset data security classification rules, marks each field with a corresponding security level identifier, and calls the corresponding de-identification algorithm according to the security level identifier of the field to complete the de-identification processing of the entire dataset and generate the de-identified dataset.

[0057] Then, an encryption algorithm that supports homomorphic operations is used to encrypt the anonymized dataset field by field to generate an encrypted dataset. The homomorphic encryption algorithm supports semantic alignment, comparison and integration calculation of data in ciphertext state without decryption, ensuring privacy and security throughout the data process.

[0058] Furthermore, a unique digital digest is generated based on the hash value of the encrypted dataset. Specifically, the SHA-256 hash algorithm is used to perform a full hash calculation on the encrypted dataset, and the calculated hash value is used as the unique digital digest of the encrypted dataset, denoted as Hash[Data]. An integrated permission declaration is generated based on the data security level and business rules. The integrated permission declaration includes the data availability scope, executable operations, usage time limit and access subject restrictions. A unique permission identifier is configured for the integrated permission declaration, denoted as PermissionID.

[0059] Finally, the generated encrypted dataset, integrated permission declaration, and digital digest Hash[Data] are synchronized to the isolated storage area of ​​the TEE computing power node in the corresponding business domain through a trusted encrypted link. After synchronization is completed, a synchronization completion certificate is generated, and the synchronization time, data volume, and synchronization node information are recorded and stored in the local audit log of the edge agent node.

[0060] It should be further explained that, in the specific implementation process, the process of generating the zero-trust identity secondary verification and cross-domain integrated scheduling scheme in step S4 specifically includes:

[0061] First, the edge proxy node initiates a cross-domain heterogeneous information integration request to the federated master scheduling node cluster. This request carries the initiating node's identity identifier, public / private key signature, integration task requirements, business rule descriptions, and data boundary information. Upon receiving the integration request, the federated master scheduling node cluster performs a zero-trust secondary identity verification on the initiating edge proxy node based on a zero-trust system. This secondary verification includes: verifying the edge proxy node's device identity legitimacy, verifying the identity and permissions of the operating entity, verifying the trusted state of the node environment, and verifying the timeliness and scope of permissions of the integration request. If any verification fails, the integration request is directly rejected, a rejection reason is generated, and recorded in the full-process audit log. If all verification items pass, the secondary verification is completed, and the integration request is parsed.

[0062] Then, based on the parsed integration request, the core parameters of the integration task are extracted, including the data source scope, data calculation rules, integration timeliness requirements, security compliance requirements, and business collaboration rules. Based on the extracted core parameters, the cross-domain semantic ontology is aligned twice to generate cross-domain semantic alignment rules, which include cross-domain concept mapping rules, attribute alignment rules, semantic conflict resolution rules, and data format unification rules.

[0063] Furthermore, based on the computing power requirements and timing requirements of the integration task, as well as the real-time load status and trust level of each TEE computing power node, corresponding computing power resources, execution nodes and timing execution rules are allocated to the integration task to generate a cross-domain integration scheduling scheme; the scheduling scheme includes data alignment rules, dense computing logic, execution timing, node division of labor, exception handling rules and compliance verification standards.

[0064] Finally, the federated master scheduling node cluster will send the generated scheduling instructions and cross-domain semantic alignment rules to the TEE computing power nodes corresponding to each business domain involved in the integration task through a trusted encrypted link. At the same time, the core information of the scheduling scheme will be recorded in the audit log and synchronized to the consortium blockchain for pre-deposit.

[0065] It should be further explained that, in the specific implementation process, the TEE-internal encrypted integration computation and real-time verification process in step S5 specifically includes: First, after each TEE computing power node receives the scheduling instructions and cross-domain semantic alignment rules issued by the federated master scheduling node cluster, it completes the trusted state verification of its own TEE isolation environment through the remote proof service; the trusted state verification includes the integrity verification of the TEE environment, firmware version legality verification, isolation area access permission verification, and runtime environment security status verification; if the verification fails, it reports the abnormal information to the federated master scheduling node cluster and terminates the current integration task; if the verification passes, it retrieves the encrypted dataset, integration permission declaration, and digital digest corresponding to the integration task from its own isolated storage area.

[0066] Secondly, within the encrypted computing area of ​​the TEE isolated environment, based on the issued cross-domain semantic alignment rules, the encrypted semantic alignment and primary key mapping of the multi-domain encrypted dataset are completed. Based on the encrypted computing logic in the scheduling scheme, homomorphic encrypted integration computing is performed to generate the initial multi-source integrated dataset. The entire integration computing process is completed within the TEE isolated environment, and the data remains encrypted throughout, with no risk of plaintext data leakage.

[0067] Then, the pre-trained digital twin verification model is invoked, and the entire process of integrated computation, data flow, computational logic, and intermediate computation results are input into the digital twin verification model in real time. Real-time simulation and comparison are performed through the digital twin verification model to identify abnormal integration points in the integration process. These abnormal integration points include data missing points, data duplication points, semantic conflict points, computational logic anomalies, and permission violation points. For each identified abnormal integration point, a reversible rollback operation is performed based on pre-recorded integration operation logs, rolling back the data and computation process to a trusted state before the abnormal point. The integration computation at the corresponding point is then re-executed until the point passes the verification by the digital twin verification model. If the verification fails after three consecutive re-executions, the current task is terminated, and the abnormal information is reported to the federated master scheduling node cluster, and an anomaly log is recorded.

[0068] Finally, for the initial multi-source integrated dataset that has passed the full verification, a full-process integrated operation evidence certificate is generated. The evidence certificate includes operation subject information, operation time sequence record, calculation logic details, full-link data flow record, full-node verification results, exception handling record and digital digest information, and a unique evidence identifier EvidenceID is generated for the evidence certificate.

[0069] It should be further explained that, in the specific implementation process, the consistency verification and blockchain notarization process in step S6 includes the following: First, each TEE computing power node synchronizes the verified multi-source integrated dataset and integration operation notarization certificate to the federated master scheduling node cluster via a trusted encrypted link; after receiving the data, the federated master scheduling node cluster performs a full consistency hash verification on the multi-source integrated dataset based on the original digital digest uploaded by each business domain, and simultaneously verifies the integration permission declaration, business compliance, and legality of the entire process operation of the dataset. If the consistency verification or compliance verification fails, the dataset is returned to the corresponding TEE computing power node, requiring the integration calculation process to be re-executed, and an anomaly audit log is recorded; if all verification items pass, the final compliant integrated dataset is generated.

[0070] Then, a traceable and unique data identifier, denoted as DataID, is generated for the final compliant integrated dataset. The unique data identifier DataID is associated with the original business domain information, semantic mapping log, full-process integration operation evidence, digital digest and blockchain evidence address of the dataset, so as to realize traceable query and verification of the dataset throughout its entire life cycle.

[0071] Furthermore, the integrated operation evidence certificate, digital digest of the dataset, unique data identifier DataID, access permission information, and full-process audit log are packaged into an on-chain block. The on-chain evidence of the block is completed through the PBFT practical Byzantine fault-tolerant consensus mechanism of the consortium blockchain, ensuring the immutability of the on-chain data and the synchronization of multi-node consensus. At the same time, an on-chain index is built for the traceability query of the dataset, and the corresponding on-chain evidence information can be quickly queried through the unique data identifier DataID.

[0072] Finally, the unique data identifier (DataID), on-chain storage address, and data access permission information of the final compliant integrated dataset are synchronized to the edge agent node that initiated the integration task. At the same time, the completion status of the integration task and the full-process audit results are recorded in the local database, thus completing the entire process of this heterogeneous information security integration.

[0073] The above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention in any other way. Any person skilled in the art may make changes or modifications to the above-disclosed technical content to create equivalent embodiments for application in other fields. However, any simple modifications, equivalent changes, and modifications made to the above embodiments based on the technical essence of the present invention without departing from the scope of the present invention shall still fall within the protection scope of the present invention.

Claims

1. A method for heterogeneous information security integration in distributed projects, characterized in that, Includes the following steps: S1. Construct a federated three-layer trusted architecture for the integration of heterogeneous information in distributed projects. The three-layer trusted architecture includes a federated master scheduling node cluster, multi-domain edge agent nodes divided according to the business domains of distributed projects, and trusted execution environment (TEE) computing power nodes that are bound to each business domain. Complete the initial configuration of the three-tier trusted architecture and build a zero-trust system covering the entire link; S2. For multiple heterogeneous data sources within each business domain, the edge proxy node of the corresponding business domain completes the access authentication and full-dimensional metadata collection of the heterogeneous data sources. Based on the collected metadata, a unified semantic ontology model of heterogeneous data sources within the domain is constructed. The first layer of heterogeneity resolution within the domain is completed through the semantic ontology model, and a standardized semantic dataset within the domain is generated. S3, the edge agent node, based on the data security classification rules of the distributed project, performs data security classification and corresponding level de-identification processing on the standardized semantic dataset, and uses homomorphic encryption algorithm to encrypt the de-identified dataset to generate the encrypted dataset of the corresponding security level; at the same time, it generates the integrated permission declaration and unique digital digest corresponding to the encrypted dataset, and synchronizes the encrypted dataset, integrated permission declaration, and digital digest to the isolated storage area of ​​the TEE computing power node of the corresponding business domain. S4. The edge agent node initiates a cross-domain heterogeneous information integration request to the federated master scheduling node cluster. The federated master scheduling node cluster performs zero-trust identity secondary verification on the edge agent node that initiated the request. After the verification is passed, it parses the business rules and data boundaries corresponding to the integration request, generates a cross-domain integration scheduling scheme based on the business rules, and sends the scheduling instructions and cross-domain semantic alignment rules to the TEE computing power nodes of the corresponding business domain. S5. After receiving the scheduling instruction, each TEE computing node first completes the trusted state verification of its own TEE isolation environment. After the verification is passed, it completes the encrypted semantic alignment and integration calculation of the multi-domain encrypted dataset within the TEE isolation environment based on the cross-domain semantic alignment rules, and generates the initial multi-source integrated dataset. At the same time, based on the pre-trained digital twin verification model, it performs real-time simulation verification of the entire integration calculation process, identifies abnormal integration points, performs reversible rollback operations on abnormal points, and generates a full-process integration operation storage certificate for the verified initial multi-source integrated dataset. S6 and TEE computing power nodes synchronize the verified multi-source integrated dataset and integrated operation evidence storage certificate to the federated master scheduling node cluster. The federated master scheduling node cluster performs full consistency verification and digital digest verification on the multi-source integrated dataset. After the verification is passed, the final compliant integrated dataset is generated, and the integrated operation evidence storage certificate is uploaded to the consortium blockchain for tamper-proof storage. At the same time, a traceable unique data identifier is generated for the final compliant integrated dataset.

2. The heterogeneous information security integration method for distributed projects according to claim 1, characterized in that, In step S2, the process of constructing a unified semantic ontology model of heterogeneous data sources within the domain based on the collected metadata, and generating a standardized semantic dataset within the domain by completing the first layer of heterogeneity resolution through the semantic ontology model, specifically includes: Based on the collected metadata, the core concepts, concept attributes, inter-concept relationships and data constraint rules of each heterogeneous data source are extracted to construct a basic semantic ontology within the domain; The metadata of each heterogeneous data source is mapped to the basic semantic ontology within the domain, completing ontology concept alignment, attribute mapping, semantic conflict resolution and data type standardization. Semantic conflict resolution includes same-name conflict resolution, synonym conflict resolution and data granularity conflict resolution. Based on the mapped semantic ontology, the original heterogeneous data from various heterogeneous data sources are transformed into standardized semantic datasets that conform to a unified semantic specification, and semantic mapping logs corresponding to the datasets are generated.

3. The heterogeneous information security integration method for distributed projects according to claim 1, characterized in that, In step S3, the data hierarchical desensitization and encryption process specifically includes: Based on the industry compliance requirements and data sensitivity of distributed projects, a data security classification rule is preset to divide the data into four security levels: public, internal, sensitive and core. For datasets with different security levels, corresponding de-identification algorithms are configured. Public-level data is de-identified with format preservation, internal-level data is de-identified with masking, and sensitive and core-level data are de-identified with irreversible de-identification and differential privacy protection. An encryption algorithm that supports homomorphic operations is used to encrypt the anonymized dataset field by field to generate an encrypted dataset; A unique digital digest is generated based on the hash value of the encrypted dataset, and an integrated permission statement is generated based on the data security level and business rules. The integrated permission statement includes the scope of data availability, executable operations, usage time limit, and access subject restrictions.

4. The heterogeneous information security integration method for distributed projects according to claim 1, characterized in that, The process of generating the zero-trust identity secondary verification and cross-domain integrated scheduling scheme in step S4 specifically includes: After receiving the integration request from the edge agent node, the federated master scheduling node cluster performs a second verification on the device identity, operating entity identity, and node environment trust status of the edge agent node based on the zero trust system. At the same time, it verifies the timeliness and permissions of the integration request. If the verification fails, the integration request is directly rejected and the audit log is recorded. If the verification passes, the integration request is parsed. Based on the parsed business rules, the data source scope, data calculation rules, integration timeliness requirements and security compliance requirements of the integration task are extracted, and the second alignment of the cross-domain semantic ontology is completed to generate cross-domain semantic alignment rules. Based on the computing power requirements of the integrated task and the load status of each TEE computing power node, computing power resources and timing execution rules are allocated to the integrated task to generate a cross-domain integrated scheduling scheme. The scheduling scheme includes data alignment rules, dense computing logic, execution timing, node division of labor and exception handling rules.

5. The heterogeneous information security integration method for distributed projects according to claim 1, characterized in that, In step S5, the process of TEE internal dense-state integration calculation and real-time verification specifically includes: After receiving the scheduling instruction, the TEE computing power node completes the trusted status verification of its own TEE isolation environment through the remote proof service. If the verification fails, it reports the exception to the federated main scheduling node cluster and terminates the task. If the verification passes, it retrieves the corresponding encrypted dataset from the isolation storage area. Within the TEE isolated environment, based on cross-domain semantic alignment rules, the encrypted semantic alignment and primary key mapping of the multi-domain encrypted dataset are completed. Based on the encrypted computation logic in the scheduling scheme, homomorphic encrypted integration computation is performed to generate the initial multi-source integrated dataset. By calling a pre-trained digital twin verification model, the entire process of integrated computing and data flow is input into the digital twin verification model for real-time simulation and comparison to identify abnormal integration points such as missing data, duplicate data, semantic conflicts, and abnormal computing logic. For any identified abnormal integration points, a reversible rollback operation is performed based on the integration operation log to re-execute the integration calculation for the corresponding points until the verification is passed. For the initial multi-source integration dataset that has passed the full verification, a full-process integration operation certificate containing the operation subject, operation sequence, calculation logic, data flow, and verification results is generated.

6. The heterogeneous information security integration method for distributed projects according to claim 1, characterized in that, In step S6, the consistency verification and blockchain evidence storage process specifically includes: After receiving the multi-source integrated dataset and the integration operation certificate, the federated master scheduling node cluster performs a full consistency hash verification on the multi-source integrated dataset based on the digital digest uploaded by each domain. At the same time, it verifies the integration permission declaration and compliance of the dataset. If the verification fails, it returns to the corresponding TEE computing power node to re-execute the integration calculation. If the verification passes, it generates the final compliant integrated dataset. To generate a traceable and unique data identifier for the final compliant integrated dataset, the data identifier is associated with the dataset's data, semantic mapping logs, integration operation evidence storage certificate, and blockchain evidence storage address; The integrated operation evidence certificate, digital digest of the dataset, unique data identifier, and access permission information are packaged into an on-chain block, and the on-chain evidence is completed through the consensus mechanism of the consortium blockchain. At the same time, an on-chain index is built for the traceability query of the dataset.