Media information intelligent delivery method and system based on user portrait

By constructing a homomorphic association graph through anonymization and secret sharing protocols, and combining differential privacy protection and zero-knowledge proofs, the privacy and data authenticity issues in intelligent media information delivery are solved, enabling efficient, secure analysis and precise delivery of cross-domain user behavior data.

CN122241761APending Publication Date: 2026-06-19WOW BANG MOBILE MEDIA CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
WOW BANG MOBILE MEDIA CO LTD
Filing Date
2026-03-25
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing technologies for intelligent media information delivery suffer from insufficient privacy and security protection and inadequate usability of data analysis results. In particular, the lack of effective privacy protection and data authenticity verification mechanisms in multi-party collaborative environments leads to biases and fraud risks in user profile databases.

Method used

Anonymization and diversity are jointly generalized by mapping direct identifiers to anonymous anchors using irreversible hash functions; the feature set is split into encrypted fragments using a secret sharing protocol and local embedding transformation is performed in the encrypted state to construct a homomorphic association graph; differential privacy-preserving profile clustering is implemented, and the authenticity of aggregated statistical features is verified through a zero-knowledge proof protocol to generate a de-identified user profile library that supports encrypted queries.

Benefits of technology

It achieves efficient and secure fusion of cross-domain, multi-source user behavior data while strictly protecting user privacy. It constructs an anonymous anchor set and a generalized feature set that cannot be directly linked to specific individuals, ensuring privacy and security during data transmission and storage. It also implements differential privacy protection on the graph and outputs a set of profile clusters that reflect the patterns of real user groups.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122241761A_ABST
    Figure CN122241761A_ABST
Patent Text Reader

Abstract

This invention provides a method and system for intelligent media information delivery based on user profiles, relating to the field of user profile technology. The method involves obtaining anonymous anchors and generalized features from user behavior data through irreversible hashing and generalization processing. A homomorphic association graph is constructed on encrypted shards using secret sharing and secure inner product protocols, and profile clustering is performed based on differential privacy. Aggregated features are verified through zero-knowledge proofs, and ciphertext queries are supported by homomorphic encryption to generate a de-identified user profile library. This method achieves secure fusion of cross-domain user features and accurate profile construction under privacy protection, providing a highly secure data foundation for intelligent media information delivery.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to user profiling technology, and more particularly to a method and system for intelligent delivery of media information based on user profiles. Background Technology

[0002] In existing technologies, intelligent media delivery based on user profiles typically relies on the collection and analysis of multi-source user behavior data. The conventional approach involves data platforms acquiring user behavior data from various channels and attempting to integrate this data to construct a unified user profile. To address data privacy and compliance issues, existing technologies usually perform simple anonymization of user identification information, such as removing direct identifiers or generalizing certain fields. Subsequently, this pre-processed data is centralized or distributed to computing nodes for feature extraction, similarity calculation, and user segmentation, ultimately forming a user profile model for targeted delivery. The entire process aims to achieve the correlation and utilization of cross-domain user characteristics to improve the accuracy of media delivery.

[0003] However, the aforementioned conventional practices have significant drawbacks. On the one hand, the anonymization and data processing methods they employ are often rather crude, making it difficult to provide sufficient privacy and security guarantees in complex data fusion and computation scenarios. Simple identifier removal or generalization processing is vulnerable to re-identification attacks, while centralized or poorly encrypted distribution computing models pose a risk of leakage of raw user data or intermediate computation results during transmission and processing, failing to meet increasingly stringent data protection regulations. On the other hand, existing methods are insufficient in ensuring the usability and authenticity of data analysis results. In collaborative environments with multiple participants and mutual distrust, there is a lack of effective mechanisms to verify the authenticity of the data or computation results provided by each party. Furthermore, it is impossible to effectively verify the semantic consistency and conditional retrieval of the generated aggregated profiles while protecting data privacy. This may lead to biases or fraud in the final user profile database, thereby affecting the effectiveness and credibility of media information delivery. Summary of the Invention

[0004] This invention provides a method and system for intelligent media information delivery based on user profiles, which can solve the problems in the prior art.

[0005] A first aspect of this invention provides a method for intelligent media information delivery based on user profiles, comprising:

[0006] Acquire user behavior data distributed across multiple data sources, map direct identifiers in the user behavior data to anonymous anchors using an irreversible hash function, and generalize the quasi-identifiers using joint constraints of anonymization and diversity to obtain a set of anonymous anchors and a set of generalized features.

[0007] The generalized feature set is split into encrypted fragments and distributed to mutually untrusted computing nodes through a secret sharing protocol. Each node performs a local embedding transformation on the encrypted fragment to obtain a local profile embedding. The cross-domain feature similarity is calculated without exposing the plaintext of the local embeddings of each party using a secure inner product protocol. A homomorphic association graph is constructed based on the cross-domain feature similarity.

[0008] Based on the homomorphic association graph, differential privacy-preserving image clustering is performed by injecting noise that satisfies differential privacy constraints into the graph edge weights to obtain a set of image clusters.

[0009] The authenticity of the aggregated statistical features in the portrait cluster set is verified by using a zero-knowledge proof protocol. Semantic consistency constraints are introduced to ensure that the statistical distribution of the reconstructed portrait is equivalent to that of the original portrait. The authorized party can perform conditional retrieval of portrait attributes in the ciphertext domain through a secure query interface supported by homomorphic encryption, thereby generating a de-identified user portrait library that supports ciphertext queries.

[0010] The updated information of the de-identified user profile library and the homomorphic association graph is fed back and fused to adaptively optimize the local embedding transformation parameters.

[0011] The direct identifiers in the user behavior data are mapped to anonymous anchors using an irreversible hash function. The quasi-identifiers are then generalized using a joint constraint of anonymization and diversity, resulting in a set of anonymous anchors and a set of generalized features, including:

[0012] Semantic parsing is performed on the direct identifiers in the user behavior data to identify the unique identity identifier field. Anonymous anchors are generated by one-way mapping of the unique identity identifier field by introducing an irreversible hash function with random salt value.

[0013] Based on the anonymous anchors, a temporal association chain for user behavior sessions is constructed. Quasi-identifiers in the user behavior data are grouped according to the temporal association chain, and information entropy and re-identification risk metric are calculated for each quasi-identifier in each group.

[0014] A multidimensional generalization space for quasi-identifiers is established based on the re-identification risk metric. An equivalence class partitioning criterion and a sensitive attribute distribution criterion are established in the multidimensional generalization space. The generalization granularity of each quasi-identifier dimension is dynamically determined by iteratively optimizing the joint constraint objective of the equivalence class partitioning criterion and the sensitive attribute distribution criterion.

[0015] The generalization granularity is applied to each dimension of the quasi-identifier, and a hierarchical generalization transformation is performed to generate a set of generalized quasi-identifiers. The anonymous anchor is used as an index key to perform a structured mapping between the anonymous anchor and the set of generalized quasi-identifiers, forming a set of anonymous anchors and a set of generalized features.

[0016] Semantic parsing is performed on the direct identifiers in the user behavior data to identify a unique identity field. Anonymous anchors are generated by performing a one-way mapping on this unique identity field using an irreversible hash function with a random salt value, including:

[0017] Field type identification is performed on the direct identifiers in the user behavior data, and the identifier fields with unique identity determination are extracted as unique identity identifier fields. A combined index of data source identifier and time window identifier is established for the unique identity identifier fields.

[0018] Based on the combined index, a random salt value is generated through key derivation operation. The random salt value makes the same unique identity identifier field produce deterministic differences under different data sources or different time windows. The random salt value is concatenated with the unique identity identifier field to form a salted identifier string.

[0019] An anonymous anchor of fixed length is generated by performing a one-way mapping operation on the salted identifier string using an irreversible hash function.

[0020] The generalized feature set is split into encrypted fragments using a secret sharing protocol and distributed to mutually untrusted computing nodes. Each node performs a local embedding transformation on the encrypted fragment to obtain a local profile embedding, including:

[0021] A multinomial secret sharing scheme is constructed for each generalized feature in the set of generalized features according to the secret sharing protocol. Each generalized feature is split into multiple encrypted fragments through the multinomial secret sharing scheme. The encrypted fragments satisfy the threshold recovery property, so that a single encrypted fragment does not reveal any information of the original generalized feature.

[0022] A sharding distribution strategy is determined based on the trust domain division of the computing nodes. The sharding distribution strategy stipulates that if the number of encrypted shards received by each computing node is lower than the threshold value of the threshold recovery feature, the encrypted shards are distributed to untrusted computing nodes according to the sharding distribution strategy.

[0023] Each computing node performs a local embedding transformation on the received encrypted fragment. The local embedding transformation projects the encrypted fragment to the embedding space through an encrypted domain mapping operation to generate a local image embedding.

[0024] Calculating cross-domain feature similarity using the secure inner product protocol without exposing the plaintext of local embeddings of each party, and constructing a homomorphic association graph based on the cross-domain feature similarity includes:

[0025] A secure inner product calculation framework is established for the local image embedding generated by each computing node. The secure inner product calculation framework enables each computing node to perform vector inner product calculation on the local image embedding in an encrypted state through homomorphic encryption operation, thereby generating an encrypted local inner product result.

[0026] Each computing node transmits the local inner product result of the encrypted state to the coordination node. The coordination node uses the additive homomorphic property of the homomorphic encryption operation to perform homomorphic addition aggregation on the local inner product result of the encrypted state to obtain the cross-domain inner product sum of the encrypted state. Then, it performs decryption operation on the cross-domain inner product sum of the encrypted state to recover the cross-domain feature similarity. Based on the cross-domain feature similarity, a homomorphic association graph is constructed.

[0027] Based on the homomorphic association graph, differential privacy-preserving image clustering is performed by injecting noise that satisfies differential privacy constraints into the graph edge weights, resulting in a set of image clusters including:

[0028] Sensitivity analysis is performed on the edge weights in the homomorphic association graph to calculate the maximum impact of a single user data change on the edge weights, thereby obtaining a global sensitivity quantification value. A noise generation mechanism is then constructed based on the global sensitivity quantification value and a preset privacy budget parameter.

[0029] The noise generation mechanism generates perturbation noise for each edge weight in the homomorphic correlation graph, and the perturbation noise is superimposed on the corresponding edge weight to obtain the perturbation homomorphic correlation graph.

[0030] Graph clustering is performed based on the perturbed homomorphic association graph. The graph clustering operation calculates the connection density between nodes according to the perturbed edge weights, and divides nodes with connection density exceeding a preset clustering threshold into the same portrait cluster to generate a portrait cluster set.

[0031] The authenticity of aggregated statistical features in the portrait cluster set is verified using a zero-knowledge proof protocol. Semantic consistency constraints are introduced to ensure that the statistical distribution of the reconstructed portrait is equivalent to that of the original portrait. A secure query interface supported by homomorphic encryption enables authorized parties to perform conditional retrieval of portrait attributes in the ciphertext domain, generating a de-identified user portrait library that supports ciphertext queries, including:

[0032] Aggregated statistical features are extracted from each image cluster in the image cluster set. A statistical feature authenticity proof is constructed through a zero-knowledge proof protocol. The statistical feature authenticity proof enables the verifier to verify the correctness of the calculation of the aggregated statistical features without obtaining the original image data, and generates an aggregated statistical feature set with authenticity labels.

[0033] A semantic consistency constraint function is established based on the aggregated statistical feature set. The semantic consistency constraint function calculates the statistical distance between the feature distribution of the reconstructed image and the feature distribution of the original image. The semantic consistency constraint function is iteratively optimized to make the statistical distance converge to a preset equivalence threshold, thereby obtaining a set of reconstructed images that satisfies the statistical distribution equivalence.

[0034] An attribute index structure is constructed for the image attributes in the reconstructed image set according to the attribute type. Each attribute value in the attribute index structure is encrypted by homomorphic encryption operation to generate a ciphertext attribute index. A secure query interface is constructed based on the ciphertext attribute index. A ciphertext domain condition retrieval is performed on the ciphertext attribute index by homomorphic comparison operation to generate a query result set.

[0035] The aggregated statistical feature set, the reconstructed profile set, and the attribute index of the encrypted state are integrated to form a de-identified user profile library that supports encrypted queries.

[0036] A second aspect of the present invention provides a media information intelligent delivery system based on user profiles, comprising:

[0037] The data anonymization unit is used to acquire user behavior data distributed across multiple data sources. Direct identifiers in the user behavior data are mapped to anonymous anchors using an irreversible hash function. The quasi-identifiers are generalized using a combination of anonymization and diversity constraints to obtain a set of anonymous anchors and a set of generalized features.

[0038] The feature encryption unit is used to split the generalized feature set into encrypted fragments and distribute them to mutually untrusted computing nodes through a secret sharing protocol. Each node performs a local embedding transformation on the encrypted fragment to obtain a local profile embedding. The cross-domain feature similarity is calculated without exposing the plaintext of the local embeddings of each party using a secure inner product protocol. Based on the cross-domain feature similarity, a homomorphic association graph is constructed.

[0039] A privacy clustering unit is used to perform differential privacy-preserving portrait clustering based on the homomorphic association graph. Noise that satisfies differential privacy constraints is injected into the graph edge weights to obtain a set of portrait clusters.

[0040] The portrait verification unit is used to verify the authenticity of the aggregated statistical features in the portrait cluster set using a zero-knowledge proof protocol, introduce semantic consistency constraints to ensure that the statistical distribution of the reconstructed portrait is equivalent to that of the original portrait, and enable the authorized party to perform conditional retrieval of portrait attributes in the ciphertext domain through a secure query interface supported by homomorphic encryption, thereby generating a de-identified user portrait library that supports ciphertext queries.

[0041] The feedback optimization unit is used to feed back and fuse the update information of the de-identified user profile library and the homomorphic association graph to adaptively optimize the local embedding transformation parameters.

[0042] A third aspect of the present invention provides an electronic device, comprising:

[0043] processor;

[0044] Memory used to store processor-executable instructions;

[0045] The processor is configured to invoke instructions stored in the memory to execute the aforementioned method.

[0046] A fourth aspect of the present invention provides a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, implement the aforementioned method.

[0047] The beneficial effects of this application are as follows:

[0048] This method enables efficient and secure fusion and intelligent analysis of cross-domain, multi-source user behavior data while strictly protecting user privacy. By irreversibly hashing direct identifiers into anonymous anchors and jointly anonymizing and generalizing oriented identifiers, user identity information is effectively stripped away from the source. This constructs a set of anonymous anchors and a set of generalized features that cannot be directly linked to specific individuals, laying the data foundation for subsequent privacy-preserving computations.

[0049] By leveraging a secret sharing protocol, the generalized feature set is split into encrypted fragments and distributed to mutually untrusted computing nodes, ensuring that the original data is never fully exposed to a single node during storage and transmission. Each node independently performs local embedding transformations on its local encrypted fragments, generating local profile embeddings, and collaboratively calculates cross-domain feature similarity through a secure inner product protocol. This process successfully constructs a homomorphic association graph without exchanging or exposing any plaintext local embeddings, achieving "data usable but invisible" cross-domain collaborative modeling and breaking down data silos.

[0050] This paper proposes a portrait clustering method that implements differential privacy protection on homomorphic association graphs. By injecting noise that meets the strict definition of differential privacy into the graph edge weights, it effectively resists various inference attacks targeting the graph structure. This method achieves a good balance between the amount of perturbation noise and the clustering utility, so that the output portrait cluster set can reflect the real user group patterns while providing quantifiable privacy protection for each individual. Attached Figure Description

[0051] Figure 1 This is a flowchart illustrating the intelligent media information delivery method based on user profiles, as described in an embodiment of the present invention.

[0052] Figure 2 This is a flowchart illustrating the intelligent media information delivery decision-making process based on user profiles, as described in an embodiment of the present invention. Detailed Implementation

[0053] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0054] The technical solution of the present invention will be described in detail below with reference to specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments.

[0055] Figure 1 This is a flowchart illustrating the intelligent media information delivery method based on user profiles according to an embodiment of the present invention. Figure 1 As shown, the method includes:

[0056] Acquire user behavior data distributed across multiple data sources, map direct identifiers in the user behavior data to anonymous anchors using an irreversible hash function, and generalize the quasi-identifiers using joint constraints of anonymization and diversity to obtain a set of anonymous anchors and a set of generalized features.

[0057] The generalized feature set is split into encrypted fragments and distributed to mutually untrusted computing nodes through a secret sharing protocol. Each node performs a local embedding transformation on the encrypted fragment to obtain a local profile embedding. The cross-domain feature similarity is calculated without exposing the plaintext of the local embeddings of each party using a secure inner product protocol. A homomorphic association graph is constructed based on the cross-domain feature similarity.

[0058] Based on the homomorphic association graph, differential privacy-preserving image clustering is performed by injecting noise that satisfies differential privacy constraints into the graph edge weights to obtain a set of image clusters.

[0059] The authenticity of the aggregated statistical features in the portrait cluster set is verified by using a zero-knowledge proof protocol. Semantic consistency constraints are introduced to ensure that the statistical distribution of the reconstructed portrait is equivalent to that of the original portrait. The authorized party can perform conditional retrieval of portrait attributes in the ciphertext domain through a secure query interface supported by homomorphic encryption, thereby generating a de-identified user portrait library that supports ciphertext queries.

[0060] The updated information of the de-identified user profile library and the homomorphic association graph is fed back and fused to adaptively optimize the local embedding transformation parameters.

[0061] In one optional implementation, the direct identifiers in the user behavior data are mapped to anonymous anchors using an irreversible hash function, and the quasi-identifiers are generalized using a joint constraint of anonymization and diversity to obtain a set of anonymous anchors and a set of generalized features, including:

[0062] Semantic parsing is performed on the direct identifiers in the user behavior data to identify the unique identity identifier field. Anonymous anchors are generated by one-way mapping of the unique identity identifier field by introducing an irreversible hash function with random salt value.

[0063] Based on the anonymous anchors, a temporal association chain for user behavior sessions is constructed. Quasi-identifiers in the user behavior data are grouped according to the temporal association chain, and information entropy and re-identification risk metric are calculated for each quasi-identifier in each group.

[0064] A multidimensional generalization space for quasi-identifiers is established based on the re-identification risk metric. An equivalence class partitioning criterion and a sensitive attribute distribution criterion are established in the multidimensional generalization space. The generalization granularity of each quasi-identifier dimension is dynamically determined by iteratively optimizing the joint constraint objective of the equivalence class partitioning criterion and the sensitive attribute distribution criterion.

[0065] The generalization granularity is applied to each dimension of the quasi-identifier, and a hierarchical generalization transformation is performed to generate a set of generalized quasi-identifiers. The anonymous anchor is used as an index key to perform a structured mapping between the anonymous anchor and the set of generalized quasi-identifiers, forming a set of anonymous anchors and a set of generalized features.

[0066] When performing semantic parsing on direct identifiers in user behavior data, an identifier type recognition model is established. This model scans the naming patterns and content features of data fields to identify identifier fields with unique identity characteristics. Unique identity identifier fields include user identifier fields, device identifier fields, and account identifier fields. The identification criteria are that the uniqueness ratio of the field value in the dataset exceeds 95%, and the field length and encoding format conform to identifier characteristics. Semantic parsing calculates the percentage of unique values ​​for each field and confirms its identity identification attribute through semantic matching of field names. The matching rules are executed based on a predefined identifier keyword table, and fields with a matching score higher than a set value are identified as unique identity identifier fields.

[0067] An irreversible hash function with a random salt value is used to perform a one-way mapping on the identity uniqueness identifier field. This hash function concatenates a randomly generated salt value string to each identifier field value and then performs a hash operation. The salt value is set to a fixed length of bytes and is generated using a pseudo-random number generator. The generator's seed value is calculated based on a combination of the system timestamp and the data batch identifier. The output length of the hash function is fixed, and the output result serves as an anonymous anchor, with the data type being a fixed-length string. The one-way mapping process does not retain any reversible information about the original identifier and salt value; all salt values ​​are immediately cleared after the mapping is complete. The generated anonymous anchors are stored in an anonymous anchor set, with each anonymous anchor associated with an internal index value.

[0068] A temporal association chain for user behavior sessions is constructed based on anonymous anchors, linking multiple behavior records of the same user in chronological order. During the construction of the temporal association chain, user behavior data is grouped by anonymous anchors, and behavior records within each group are arranged in ascending order by the timestamp of the behavior occurrence, forming a temporally ordered behavior sequence. The time interval between adjacent behavior records in the behavior sequence is calculated; if the time interval exceeds a set threshold, they are considered to belong to different sessions. This threshold is determined based on the average session duration in the business scenario. Quasi-identifiers in the user behavior data are grouped according to the temporal association chain. Quasi-identifiers include age group, geographic location, and occupation category fields. The grouping operation groups quasi-identifiers belonging to the same session into the same group.

[0069] For each group of quasi-identifiers, information entropy and a re-identification risk metric are calculated. Information entropy is calculated based on the value distribution of a single quasi-identifier field within the group, obtained by statistically analyzing the frequency of each value, multiplying the frequencies by their logarithms, summing the results, and taking the negative value. The re-identification risk metric considers both the uniqueness of the quasi-identifier combination and its matchability with external knowledge context. Uniqueness is assessed by calculating the frequency of the quasi-identifier combination within the group in the global dataset; lower frequencies indicate a higher re-identification risk. Matchability is assessed based on the semantic association strength between the quasi-identifier field and fields from the public data source, obtained through a predefined field mapping table. The re-identification risk metric is obtained by a weighted sum of the uniqueness score and the matchability score.

[0070] A multidimensional generalization space for quasi-identifiers is established based on the re-identification risk metric. This space uses the field dimensions of the quasi-identifiers as coordinate axes, with each axis corresponding to a generalization hierarchy. The generalization hierarchy defines a multi-level abstraction path from specific values ​​to general values. The generalization hierarchy for numeric fields is achieved through interval merging, while the generalization hierarchy for categorical fields is achieved through a category hierarchy tree. An equivalence class partitioning criterion is established within the multidimensional generalization space, requiring data records to be grouped according to the generalized quasi-identifiers, with each group containing at least a predetermined number of records to meet anonymity requirements. The sensitive attribute distribution criterion requires sufficient diversity of sensitive attribute values ​​within each equivalence class, measured by calculating the number of different categories of sensitive attribute values ​​and the uniformity of category distribution.

[0071] The generalization granularity of each quasi-identifier dimension is dynamically determined by iteratively optimizing the joint constraint objective of the equivalence class partitioning criterion and the sensitive attribute distribution criterion. The joint constraint objective is defined as a comprehensive evaluation function of anonymity satisfaction rate, diversity satisfaction rate, and information loss, calculated through weighted summation. Iterative optimization starts with an initial generalization granularity configuration, setting the generalization granularity of all quasi-identifier dimensions to the lowest level, and gradually increasing the generalization granularity of each dimension until the joint constraint objective reaches an acceptable level. In each iteration, the dimension that contributes the most to the improvement of the joint constraint objective is selected to increase the generalization granularity. The iteration terminates when both anonymity and diversity satisfaction rates exceed a set threshold and the improvement of the objective function in several consecutive iterations is lower than the convergence criterion.

[0072] The defined generalization granularity is applied to each dimension of the quasi-identifiers, performing a hierarchical generalization transformation. This transformation maps the original field values ​​to generalized values ​​at the corresponding level, based on the generalization hierarchy and granularity level of each quasi-identifier field. For numeric fields, generalization is achieved through interval mapping, where the original value is replaced with its corresponding interval after finding its appropriate generalization interval. For categorical fields, generalization is achieved by traversing the category hierarchy tree upwards, moving from the specific category value of a leaf node to the ancestor node of the specified generalization level, and replacing the original value with the category label of the ancestor node. For date / time fields, generalization is achieved through time granularity coarsening, generalizing from a precise point in time to a time period. The resulting set of generalized quasi-identifiers maintains the same number of records and field structure as the original data; only the field values ​​are replaced with generalized values.

[0073] Using anonymous anchors as index keys, a structured mapping is performed between anonymous anchors and the set of generalized quasi-identifiers. This structured mapping establishes a one-to-many relationship between anonymous anchors and generalized quasi-identifier records. Each anonymous anchor is associated with all its corresponding generalized quasi-identifier records. This association is stored using a key-value pair data structure, where the key is the anonymous anchor and the values ​​are a list of generalized quasi-identifier records. During the mapping process, for each piece of original user behavior data, the values ​​of its anonymous anchor and generalized quasi-identifier fields are extracted. The quasi-identifier field values ​​are then used to construct a structured record, which is appended to the record list corresponding to the anonymous anchor. The resulting set of anonymous anchors contains all unique anonymous anchors and their internal indices, while the set of generalized features contains all generalized quasi-identifier records and their mapping relationships with the anonymous anchors.

[0074] In one optional implementation, semantic parsing is performed on the direct identifiers in the user behavior data to identify a unique identity identifier field. Anonymous anchors are generated by performing a one-way mapping on the unique identity identifier field using an irreversible hash function with a random salt value, including:

[0075] Field type identification is performed on the direct identifiers in the user behavior data, and the identifier fields with unique identity determination are extracted as unique identity identifier fields. A combined index of data source identifier and time window identifier is established for the unique identity identifier fields.

[0076] Based on the combined index, a random salt value is generated through key derivation operation. The random salt value makes the same unique identity identifier field produce deterministic differences under different data sources or different time windows. The random salt value is concatenated with the unique identity identifier field to form a salted identifier string.

[0077] An anonymous anchor of fixed length is generated by performing a one-way mapping operation on the salted identifier string using an irreversible hash function.

[0078] When anonymizing user behavior data, identifiers in the original data are categorized and identified. User behavior data typically contains various types of fields, including user ID, phone number, email address, device MAC address, browsing history, and transaction amount. Through semantic analysis of these fields, fields that uniquely identify a user are extracted and used as unique identifiers. For example, user ID, the last four digits of a phone number, and a complete email address all fall into this category. These fields are characterized by their ability to uniquely correspond to a specific individual within the dataset, and therefore require special protection.

[0079] A composite index mechanism is established for the identified unique identifier field. This composite index consists of two parts: a data source identifier and a time window identifier. The data source identifier is used to distinguish different data collection channels; for example, an e-commerce platform is marked as "EC01," and a social media platform is marked as "SM02." The time window identifier is divided according to a preset time granularity, which can be encoded by hour, day, or week. For example, "2024-01-15" can be encoded as "20240115." Through this composite index, even the same identifier field of the same user will be assigned different index values ​​in different sources or time periods.

[0080] Random salt values ​​are generated based on a composite index using the key derivation function PBKDF2 or HKDF. The composite index is used as input, combined with a pre-configured master key, and a random salt value is derived through multiple rounds of iterative computation. Specifically, the data source identifier and the time window identifier are concatenated to form a derived input string, such as "EC01||20240115", and then the key derivation operation is performed. The number of iterations in the derivation process is set to more than 10,000 to ensure sufficient computational complexity to resist brute-force attacks. The generated random salt value is 128 bits long and represented as a hexadecimal string.

[0081] After obtaining the random salt value, it is concatenated with the unique identifier field. For example, if a user ID is "USER123456" and the corresponding random salt value is "a7f3e9d2c1b4f8e6", the concatenation result is "USER123456||a7f3e9d2c1b4f8e6". This concatenation method ensures that even if the original identifier fields are the same, the resulting anonymous anchors will be completely different due to the difference in salt values. Double vertical lines are used as delimiters during concatenation to avoid confusion with characters contained in the identifier field itself.

[0082] An irreversible hash operation is performed on the salted identifier string using a cryptographically secure hash function such as SHA-256 or SHA-3. The salted identifier string is used as input to calculate a 256-bit hash digest. This hash digest serves as the anonymous anchor, stored as a 64-bit hexadecimal string. Due to the one-way nature of hash functions, it is impossible to deduce the original unique identifier field from the anonymous anchor. Furthermore, even if an attacker obtains some of the original data, the introduction of the salt value prevents a batch reconstruction attack using a pre-computed rainbow table. The generated anonymous anchor serves as a unified identifier for users in subsequent processing, used for cross-data source behavioral correlation analysis, while ensuring user privacy is not compromised.

[0083] In one optional implementation, the generalized feature set is split into encrypted fragments and distributed to mutually untrusted computing nodes via a secret sharing protocol. Each node performs a local embedding transformation on the encrypted fragments to obtain a local profile embedding, including:

[0084] A multinomial secret sharing scheme is constructed for each generalized feature in the set of generalized features according to the secret sharing protocol. Each generalized feature is split into multiple encrypted fragments through the multinomial secret sharing scheme. The encrypted fragments satisfy the threshold recovery property, so that a single encrypted fragment does not reveal any information of the original generalized feature.

[0085] A sharding distribution strategy is determined based on the trust domain division of the computing nodes. The sharding distribution strategy stipulates that if the number of encrypted shards received by each computing node is lower than the threshold value of the threshold recovery feature, the encrypted shards are distributed to untrusted computing nodes according to the sharding distribution strategy.

[0086] Each computing node performs a local embedding transformation on the received encrypted fragment. The local embedding transformation projects the encrypted fragment to the embedding space through an encrypted domain mapping operation to generate a local image embedding.

[0087] In practice, a Shamir secret sharing scheme with a threshold of (t, n) is constructed for each generalized feature f_i in the generalized feature set. Specifically, a polynomial of degree t-1 is constructed for feature f_i over the finite field GF(p). The coefficients a_1, a_2, ..., a_t-1 are generated using a cryptographically secure random number generator. n distinct evaluation points x_1, x_2, ..., x_n are selected, and the function values ​​(x_j, P(x_j)) of the polynomial are calculated at these points, resulting in n encrypted fragments. This scheme satisfies the threshold recovery property, meaning that holding any t fragments allows recovery of the original feature f_i through Lagrange interpolation, while holding fewer than t fragments provides no information about f_i in an information-theoretical sense.

[0088] For a distributed environment containing $k$ computing nodes, set a threshold value. The algorithm generates n = k + m fragments (with m redundant fragments for fault tolerance). A random disjoint allocation scheme is used for fragment distribution, ensuring that the number of fragments s received by each computing node satisfies s < t. A hash ring consensus algorithm is used to map fragment identifiers to the node space, and secondary filtering is performed based on the node's trust domain label to avoid allocating fragments with a recoverable threshold number to a combination of nodes within the same trust domain. During distribution, a message authentication code is attached to each fragment, and the receiving node verifies the fragment integrity by verifying the message authentication code.

[0089] After each computing node receives $s$ encrypted fragments locally, it constructs a local feature vector. , where x_{j_1}, ..., x_{j_s} are the evaluation points corresponding to the node. The local embedding transformation is implemented through a cryptographically compatible neural network layer, using a modified ReLU activation function. To maintain operational closure, the matrix operation W·v_local of the embedding transformation is performed on a finite field using modular multiplication and addition. The parameters of the transformation matrix W are collaboratively trained across nodes using a federated learning approach. The dimension of the transformed local profile embedding e_local is set to 1 / t of the original feature dimension, and the compressed representation reduces the communication overhead of subsequent secure computations.

[0090] To ensure semantic consistency in the embedding space, an alignment loss function is introduced to constrain the semantic comparability of local embeddings generated by different nodes. A secure aggregation protocol based on Paillier homomorphic encryption is adopted, in which each node uploads its homomorphically encrypted version of its local embedding to the coordinator. The coordinator calculates global statistics in the ciphertext domain to guide the update of embedding parameters. Throughout the process, the original fragments and local embeddings of each node do not leave the local computing environment.

[0091] In one optional implementation, cross-domain feature similarity is calculated using a secure inner product protocol without exposing the plaintext of local embeddings of each party. The construction of a homomorphic association graph based on the cross-domain feature similarity includes:

[0092] A secure inner product calculation framework is established for the local image embedding generated by each computing node. The secure inner product calculation framework enables each computing node to perform vector inner product calculation on the local image embedding in an encrypted state through homomorphic encryption operation, thereby generating an encrypted local inner product result.

[0093] Each computing node transmits the local inner product result of the encrypted state to the coordination node. The coordination node uses the additive homomorphic property of the homomorphic encryption operation to perform homomorphic addition aggregation on the local inner product result of the encrypted state to obtain the cross-domain inner product sum of the encrypted state. Then, it performs decryption operation on the cross-domain inner product sum of the encrypted state to recover the cross-domain feature similarity. Based on the cross-domain feature similarity, a homomorphic association graph is constructed.

[0094] In a distributed, multi-party collaborative environment, each computing node holds encrypted fragmented data processed by a secret sharing protocol. Each node independently performs a local embedding transformation, mapping its generalized features to a high-dimensional vector space, forming a local profile embedding vector of dimension $d$. The local embedding held by node A is represented as follows: The local embedding held by node B is represented as .

[0095] To calculate similarity without revealing the plaintext of each party's local embeddings, a secure inner product protocol based on Paillier homomorphic encryption is adopted. Node A first generates a public-private key pair (pk, sk) and sends the public key pk to node B. Node A performs homomorphic encryption on each component of its local embedding vector, generating an encrypted vector E_pk(v_A) = (E_pk(v_A, 1), E_pk(v_A, 2), ..., E_pk(v_A, d)), where E_pk(.) represents the encryption function using the public key pk.

[0096] After receiving the encrypted vector E_pk(v_A), node B utilizes the additive homomorphism and scalar multiplication properties of the Paillier encryption scheme to perform inner product calculation in the ciphertext domain. Specifically, it performs scalar multiplication on the i-th component E_pk(v_A, i) of the encrypted vector. This operation is equivalent to the plaintext field. Node B performs homomorphic addition on the ciphertext product across all dimensions, calculating... The local inner product of the encrypted state is obtained.

[0097] When three or more computing nodes are involved, the coordinating node collects the local inner product results of the encrypted states uploaded by each node. Utilizing the additive homomorphism of homomorphic encryption, the coordinating node performs homomorphic addition aggregation on multiple ciphertexts, summing the encrypted inner products from different nodes into a cross-domain inner product sum of the encrypted states. The coordinating node holds the private key $sk$ and performs decryption operations on the aggregated ciphertext to recover the plaintext value of the cross-domain feature similarity.

[0098] A homomorphic association graph is constructed based on the calculated cross-domain feature similarity. This graph uses anonymous anchors as nodes and cross-domain feature similarity as edge weights. When the similarity exceeds a preset threshold, an edge connection is established, forming an encrypted graph structure that characterizes the cross-domain user association patterns. The edge weights in the graph remain homomorphically encrypted, supporting subsequent graph algorithm operations in the ciphertext domain and ensuring the confidentiality of association relationships during transmission and storage. Throughout the computation process, nodes only exchange ciphertext data; no single party can infer the local embedding content of other parties from the ciphertext, thus meeting the privacy protection requirements of secure multi-party computation.

[0099] In one optional implementation, differential privacy-preserving image clustering is performed based on the homomorphic association graph. Noise satisfying differential privacy constraints is injected into the graph edge weights to obtain a set of image clusters including:

[0100] Sensitivity analysis is performed on the edge weights in the homomorphic association graph to calculate the maximum impact of a single user data change on the edge weights, thereby obtaining a global sensitivity quantification value. A noise generation mechanism is then constructed based on the global sensitivity quantification value and a preset privacy budget parameter.

[0101] The noise generation mechanism generates perturbation noise for each edge weight in the homomorphic correlation graph, and the perturbation noise is superimposed on the corresponding edge weight to obtain the perturbation homomorphic correlation graph.

[0102] Graph clustering is performed based on the perturbed homomorphic association graph. The graph clustering operation calculates the connection density between nodes according to the perturbed edge weights, and divides nodes with connection density exceeding a preset clustering threshold into the same portrait cluster to generate a portrait cluster set.

[0103] After obtaining the homomorphic association graph, it needs to be subjected to privacy-preserving clustering. Before performing clustering, a sensitivity analysis is performed on the weights of all edges in the graph. Edge weights reflect the association strength between nodes in different user profiles. When a user's data changes, the edge weights associated with that user will be affected. The global sensitivity quantifier is defined as the maximum change in edge weights that can be caused by a change in a single user's data. Specifically, in the calculation, all edges in the graph are traversed. Assuming a single user node is removed or added, the maximum absolute value of the edge weight change caused by this operation is calculated, and the maximum value among all possible changes is taken as the global sensitivity quantifier. .

[0104] After obtaining the global sensitivity quantification value, a noise generation mechanism is constructed by combining it with a preset privacy budget parameter ε. The privacy budget parameter controls the strength of privacy protection; the smaller the ε value, the higher the degree of privacy protection but the lower the data availability. The noise generation mechanism adopts the Laplace mechanism, and the scale parameter of the noise amplitude is set as follows. For each edge in the graph, starting from the edge with a mean of zero and a scale parameter of... The corresponding perturbation noise is generated independently by sampling from the Laplace distribution. The generated perturbation noise is directly added to the original edge weights to complete the perturbation processing of the edge weights. When the graph is large, the edge weights can be divided into blocks, and each block can be independently allocated a privacy budget and injected with noise to ensure that the overall differential privacy constraint is met.

[0105] After injecting noise into all edge weights, a perturbed homomorphic association graph is obtained. Graph clustering is then performed based on this perturbed graph, employing a connectivity-based clustering strategy. The graph nodes are traversed, and for any two nodes, their connection density is calculated. Connection density considers both direct edge weights and indirect path weights, and can be measured by calculating the weighted sum of all paths between the two nodes or by using the probability of a random walk. When the connection density between two nodes exceeds a preset clustering threshold, these two nodes are grouped into the same profile cluster. A disjoint-set data structure is used to maintain the cluster affiliation of nodes. Initially, each node forms its own cluster, which is gradually merged to form the final profile cluster as the connection density is determined. The clustering threshold is set according to business needs; a higher threshold results in more profile clusters with stronger internal homogeneity, while a lower threshold reduces the number of profile clusters but provides broader coverage. After clustering, a set of profile clusters is output, where each profile cluster contains a group of user profile node identifiers with similar behavioral characteristics. Because differential privacy noise has been injected into the edge weights, the clustering results can reflect the distribution of group characteristics without revealing individual information.

[0106] In one optional implementation, a zero-knowledge proof protocol is used to verify the authenticity of aggregated statistical features in the portrait cluster set. Semantic consistency constraints are introduced to ensure that the statistical distribution of the reconstructed portrait is equivalent to that of the original portrait. A secure query interface supported by homomorphic encryption enables the authorized party to perform conditional retrieval of portrait attributes in the ciphertext domain, generating a de-identified user portrait library that supports ciphertext queries, including:

[0107] Aggregated statistical features are extracted from each image cluster in the image cluster set. A statistical feature authenticity proof is constructed through a zero-knowledge proof protocol. The statistical feature authenticity proof enables the verifier to verify the correctness of the calculation of the aggregated statistical features without obtaining the original image data, and generates an aggregated statistical feature set with authenticity labels.

[0108] A semantic consistency constraint function is established based on the aggregated statistical feature set. The semantic consistency constraint function calculates the statistical distance between the feature distribution of the reconstructed image and the feature distribution of the original image. The semantic consistency constraint function is iteratively optimized to make the statistical distance converge to a preset equivalence threshold, thereby obtaining a set of reconstructed images that satisfies the statistical distribution equivalence.

[0109] An attribute index structure is constructed for the image attributes in the reconstructed image set according to the attribute type. Each attribute value in the attribute index structure is encrypted by homomorphic encryption operation to generate a ciphertext attribute index. A secure query interface is constructed based on the ciphertext attribute index. A ciphertext domain condition retrieval is performed on the ciphertext attribute index by homomorphic comparison operation to generate a query result set.

[0110] The aggregated statistical feature set, the reconstructed profile set, and the attribute index of the encrypted state are integrated to form a de-identified user profile library that supports encrypted queries.

[0111] like Figure 2 As shown, the method includes:

[0112] When extracting aggregated statistical features from each image cluster in the image cluster set, statistical measures are calculated for the image attribute fields within each image cluster. These statistical measures include the mean, median, standard deviation, quantiles, frequency distribution, and entropy value of the attribute fields. For numerical attribute fields, the mean is obtained by summing the values ​​of this field for all images within the cluster and dividing by the number of images. The median is obtained by taking the middle value after sorting the values ​​of this field for all images within the cluster in ascending order. The standard deviation is obtained by taking the square root of the sum of the squared differences between each value and the mean, divided by the number of images. For categorical attribute fields, the frequency distribution is obtained by counting the number of occurrences of each category value within the cluster. The entropy value is obtained by calculating the negative of the sum of the logarithms of the frequencies of each category value and the products of those frequencies. Aggregated statistical features are organized as key-value pairs, with the image cluster identifier as the key and the statistical measure as the value.

[0113] When constructing a statistical feature authenticity proof using a zero-knowledge proof protocol, a zero-knowledge proof construction based on a commitment scheme and challenge-response interaction is adopted. The commitment scheme generates a cryptographic commitment value for the original portrait data in the portrait cluster. This commitment value is calculated using a hash function that combines the original data with a random blinding factor; the hash function output length is fixed at 32 bytes. The proving party publicly discloses the commitment value and aggregated statistical features, while hiding the original portrait data and the blinding factor. During the challenge-response interaction, the verifying party sends a random challenge value to the proving party. The challenge value is a fixed-length random bit string, 16 bytes in length.

[0114] The prover constructs a response based on the challenge value. The response includes the computational path and intermediate states of the aggregated statistical features. The computational path describes the transformation steps from the original data to the statistical features, and the intermediate states include the grouped summation results, the sorted position indices, and the cumulative frequency values. The portion of the response involving the original data is processed using a blinding factor mask. The masking process involves performing a modulo addition operation between the original data values ​​and the mask values ​​derived from the challenge value.

[0115] After receiving the response, the verifier performs consistency verification based on the committed value, aggregated statistical features, challenge value, and response. Verification includes checking the consistency between the masked intermediate state and the calculation logic of the aggregated statistical features. This is achieved by recalculating the aggregated statistical features according to the calculation path for the intermediate state in the response and comparing the recalculated result with the publicly disclosed aggregated statistical features. If the consistency verification passes, the verifier accepts the authenticity of the aggregated statistical features and assigns an authenticity marker to them. This marker is a Boolean field with a value of true. The generated set of aggregated statistical features with authenticity markers is organized as key-value pairs, with the profile cluster identifier as the key and a composite structure containing the aggregated statistical features and the authenticity marker as the value.

[0116] When establishing a semantic consistency constraint function based on an aggregated statistical feature set, the constraint function is defined as a statistical distance metric between the feature distribution of the reconstructed image and the feature distribution of the original image. The statistical distance metric employs a weighted combination of multi-dimensional distance indicators, including distribution similarity, moment similarity, and entropy similarity. Distribution similarity is calculated for categorical attribute fields. By comparing the frequency distributions of the reconstructed and original images in each category value of that field, the cosine similarity of the two frequency distribution vectors is calculated. The cosine similarity is the inner product of the two vectors divided by the product of their magnitudes, and its value ranges from 0 to 1.

[0117] Moment similarity is calculated for numerical attribute fields. It compares the mean and standard deviation of the reconstructed image and the original image in that field, calculating the absolute value of the difference between the means and the absolute value of the difference between the standard deviations. The semantic consistency constraint function weights and sums the distance metrics across all dimensions according to preset weight coefficients, where the sum of the weight coefficients equals 1. The weight coefficients are determined based on the business importance and sensitivity of the attribute field. The goal of the constraint function is to minimize the statistical distance metric, converging it below a preset equivalence threshold. This equivalence threshold is determined based on the business requirements for image fidelity, typically set to 0.05.

[0118] When iteratively optimizing the semantic consistency constraint function, the gradient descent optimization algorithm is used to adjust the attribute values ​​of the reconstructed portrait. The initial reconstructed portrait is generated by random sampling from the original portrait set, with a sampling ratio of 80%. The gradient descent optimization algorithm calculates the partial derivatives of the constraint function with respect to the attribute values ​​of the reconstructed portrait. The partial derivatives are approximated by numerical differentiation. A small perturbation is applied to each attribute value, with the perturbation amplitude being 0.001 times the attribute value range. The difference between the constraint function values ​​before and after the perturbation is divided by the perturbation amplitude to obtain an approximate value of the partial derivative.

[0119] The optimization algorithm adjusts the reconstructed profile attribute values ​​based on the direction of partial derivatives and the step size. The initial step size is set to 0.1, and it is dynamically adjusted after each iteration based on the decrease in the constraint function value. When the decrease is greater than 10%, the step size increases by 20%, and when the decrease is less than 1%, the step size decreases by 50%. Attribute value adjustments must satisfy the attribute's value range and type constraints. For numerical attributes, the adjusted values ​​are truncated to ensure they are between the minimum and maximum values. For categorical attributes, the category value is reselected through probability sampling. The iteration terminates when the constraint function value falls below the equivalent threshold or when the decrease in the constraint function value is less than 0.001 for 10 consecutive iterations.

[0120] When constructing the attribute index structure for the portrait attributes in the reconstructed portrait set according to attribute type, different index structures are used for numeric attributes and categorical attributes. Numeric attributes use a range tree index structure. Each node of the range tree stores the range of attribute values ​​and a list of portrait identifiers within that range. The range division is determined using an equal-frequency binning method, and the number of sub-ranges is set to the square root of the size of the reconstructed portrait set. The range tree is constructed by building a balanced binary tree in ascending order of the midpoint values ​​of the ranges. Each node of the tree stores the start and end values ​​of the range and a list of portrait identifiers. Categorical attributes use a hash table index structure. The key of the hash table is the attribute's category value, and the value is a list of portrait identifiers with that category value. The hash function uses modulo operation, and the hash table size is set to twice the number of different category values ​​for that attribute in the reconstructed portrait set.

[0121] When encrypting attribute values ​​in the attribute index structure using homomorphic encryption, an additive homomorphic encryption scheme is employed. The encryption scheme generates a public key and a private key; the public key is used for encryption, and the private key is used for decryption. The key length is 2048 bits. For the start and end values ​​of intervals in the interval tree index structure, the public key is used to encrypt them separately. The encrypted start and end values ​​replace the original plaintext values ​​and are stored in the interval tree nodes. For the category values ​​in the hash table index structure, the public key is used to encrypt them, and the encrypted category values ​​serve as the new keys for the hash table. The image identifier list is not encrypted and is stored in plaintext. The generated ciphertext attribute index maintains the same data structure type as the original index structure.

[0122] When constructing a secure query interface based on encrypted attribute indexes, the interface receives encrypted query conditions and query type parameters. Query type parameters include equality queries, range queries, and combined queries. Equality queries are suitable for categorical attributes; the query condition is an encrypted category value. The interface calculates the hash value of the query condition and looks up the corresponding profile identifier list in the hash table of the encrypted state. Range queries are suitable for numeric attributes; the query condition is the start and end values ​​of an encrypted range. The interface uses homomorphic comparison operations to find range nodes in the range tree of the encrypted state that intersect with the query conditions.

[0123] Homomorphic comparison operations leverage the homomorphic property of addition, comparing the size of two ciphertexts by calculating the difference and determining the sign of the difference. A sign-based protocol for the ciphertext field is employed, which uses multi-party secure computation to compare ciphertext sizes without decryption. Combined queries support logical AND, OR, and NOT operations on multiple attribute conditions. The interface performs set intersection, union, and complement operations on the list of profile identifiers for each single attribute query result to obtain the final query result set.

[0124] When integrating the aggregated statistical feature set, the reconstructed profile set, and the encrypted attribute index, a unified data storage and access layer is established. The data storage layer adopts a key-value storage model, storing three types of data objects: mappings from profile cluster identifiers to aggregated statistical features and authenticity identifiers; mappings from profile identifiers to the reconstructed profile attribute field set; and mappings from attribute field names to the encrypted attribute index. The access layer provides a unified query interface, which routes queries to the corresponding data objects based on the target type of the query request. The access layer implements access control, verifying the authorization status of query requests through access tokens, which include the authorizing party identifier, authorization scope, and validity period. The access layer records audit logs for all query operations, including query time, authorizing party identifier, query type, query conditions, number of query results, and execution time.

[0125] A second aspect of the present invention provides a media information intelligent delivery system based on user profiles, comprising:

[0126] The data anonymization unit is used to acquire user behavior data distributed across multiple data sources. Direct identifiers in the user behavior data are mapped to anonymous anchors using an irreversible hash function. The quasi-identifiers are generalized using a combination of anonymization and diversity constraints to obtain a set of anonymous anchors and a set of generalized features.

[0127] The feature encryption unit is used to split the generalized feature set into encrypted fragments and distribute them to mutually untrusted computing nodes through a secret sharing protocol. Each node performs a local embedding transformation on the encrypted fragment to obtain a local profile embedding. The cross-domain feature similarity is calculated without exposing the plaintext of the local embeddings of each party using a secure inner product protocol. Based on the cross-domain feature similarity, a homomorphic association graph is constructed.

[0128] A privacy clustering unit is used to perform differential privacy-preserving portrait clustering based on the homomorphic association graph. Noise that satisfies differential privacy constraints is injected into the graph edge weights to obtain a set of portrait clusters.

[0129] The portrait verification unit is used to verify the authenticity of the aggregated statistical features in the portrait cluster set using a zero-knowledge proof protocol, introduce semantic consistency constraints to ensure that the statistical distribution of the reconstructed portrait is equivalent to that of the original portrait, and enable the authorized party to perform conditional retrieval of portrait attributes in the ciphertext domain through a secure query interface supported by homomorphic encryption, thereby generating a de-identified user portrait library that supports ciphertext queries.

[0130] The feedback optimization unit is used to feed back and fuse the update information of the de-identified user profile library and the homomorphic association graph to adaptively optimize the local embedding transformation parameters.

[0131] A third aspect of the present invention provides an electronic device, comprising:

[0132] processor;

[0133] Memory used to store processor-executable instructions;

[0134] The processor is configured to invoke instructions stored in the memory to execute the aforementioned method.

[0135] A fourth aspect of the present invention provides a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, implement the aforementioned method.

[0136] This invention can be a method, apparatus, system, and / or computer program product. The computer program product may include a computer-readable storage medium having computer-readable program instructions loaded thereon for performing various aspects of the invention.

[0137] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for intelligent media information delivery based on user profiles, characterized in that, include: Acquire user behavior data distributed across multiple data sources, map direct identifiers in the user behavior data to anonymous anchors using an irreversible hash function, and generalize the quasi-identifiers using joint constraints of anonymization and diversity to obtain a set of anonymous anchors and a set of generalized features. The generalized feature set is split into encrypted fragments and distributed to mutually untrusted computing nodes through a secret sharing protocol. Each node performs a local embedding transformation on the encrypted fragment to obtain a local profile embedding. The cross-domain feature similarity is calculated without exposing the plaintext of the local embeddings of each party using a secure inner product protocol. A homomorphic association graph is constructed based on the cross-domain feature similarity. Based on the homomorphic association graph, differential privacy-preserving image clustering is performed by injecting noise that satisfies differential privacy constraints into the graph edge weights to obtain a set of image clusters. The authenticity of the aggregated statistical features in the portrait cluster set is verified by using a zero-knowledge proof protocol. Semantic consistency constraints are introduced to ensure that the statistical distribution of the reconstructed portrait is equivalent to that of the original portrait. The authorized party can perform conditional retrieval of portrait attributes in the ciphertext domain through a secure query interface supported by homomorphic encryption, thereby generating a de-identified user portrait library that supports ciphertext queries. The updated information of the de-identified user profile library and the homomorphic association graph is fed back and fused to adaptively optimize the local embedding transformation parameters.

2. The method according to claim 1, characterized in that, The direct identifiers in the user behavior data are mapped to anonymous anchors using an irreversible hash function. The quasi-identifiers are then generalized using a joint constraint of anonymization and diversity, resulting in a set of anonymous anchors and a set of generalized features, including: Semantic parsing is performed on the direct identifiers in the user behavior data to identify the unique identity identifier field. Anonymous anchors are generated by one-way mapping of the unique identity identifier field by introducing an irreversible hash function with random salt value. Based on the anonymous anchors, a temporal association chain for user behavior sessions is constructed. Quasi-identifiers in the user behavior data are grouped according to the temporal association chain, and information entropy and re-identification risk metric are calculated for each quasi-identifier in each group. A multidimensional generalization space for quasi-identifiers is established based on the re-identification risk metric. An equivalence class partitioning criterion and a sensitive attribute distribution criterion are established in the multidimensional generalization space. The generalization granularity of each quasi-identifier dimension is dynamically determined by iteratively optimizing the joint constraint objective of the equivalence class partitioning criterion and the sensitive attribute distribution criterion. The generalization granularity is applied to each dimension of the quasi-identifier, and a hierarchical generalization transformation is performed to generate a set of generalized quasi-identifiers. The anonymous anchor is used as an index key to perform a structured mapping between the anonymous anchor and the set of generalized quasi-identifiers, forming a set of anonymous anchors and a set of generalized features.

3. The method according to claim 2, characterized in that, Semantic parsing is performed on the direct identifiers in the user behavior data to identify a unique identity field. Anonymous anchors are generated by performing a one-way mapping on this unique identity field using an irreversible hash function with a random salt value, including: Field type identification is performed on the direct identifiers in the user behavior data, and the identifier fields with unique identity determination are extracted as unique identity identifier fields. A combined index of data source identifier and time window identifier is established for the unique identity identifier fields. Based on the combined index, a random salt value is generated through key derivation operation. The random salt value makes the same unique identity identifier field produce deterministic differences under different data sources or different time windows. The random salt value is concatenated with the unique identity identifier field to form a salted identifier string. An anonymous anchor of fixed length is generated by performing a one-way mapping operation on the salted identifier string using an irreversible hash function.

4. The method according to claim 1, characterized in that, The generalized feature set is split into encrypted fragments using a secret sharing protocol and distributed to mutually untrusted computing nodes. Each node performs a local embedding transformation on the encrypted fragment to obtain a local profile embedding, including: A multinomial secret sharing scheme is constructed for each generalized feature in the set of generalized features according to the secret sharing protocol. Each generalized feature is split into multiple encrypted fragments through the multinomial secret sharing scheme. The encrypted fragments satisfy the threshold recovery property, so that a single encrypted fragment does not reveal any information of the original generalized feature. A sharding distribution strategy is determined based on the trust domain division of the computing nodes. The sharding distribution strategy stipulates that if the number of encrypted shards received by each computing node is lower than the threshold value of the threshold recovery feature, the encrypted shards are distributed to untrusted computing nodes according to the sharding distribution strategy. Each computing node performs a local embedding transformation on the received encrypted fragment. The local embedding transformation projects the encrypted fragment to the embedding space through an encrypted domain mapping operation to generate a local image embedding.

5. The method according to claim 1, characterized in that, Calculating cross-domain feature similarity using the secure inner product protocol without exposing the plaintext of local embeddings of each party, and constructing a homomorphic association graph based on the cross-domain feature similarity includes: A secure inner product calculation framework is established for the local image embedding generated by each computing node. The secure inner product calculation framework enables each computing node to perform vector inner product calculation on the local image embedding in an encrypted state through homomorphic encryption operation, thereby generating an encrypted local inner product result. Each computing node transmits the local inner product result of the encrypted state to the coordination node. The coordination node uses the additive homomorphic property of the homomorphic encryption operation to perform homomorphic addition aggregation on the local inner product result of the encrypted state to obtain the cross-domain inner product sum of the encrypted state. Then, it performs decryption operation on the cross-domain inner product sum of the encrypted state to recover the cross-domain feature similarity. Based on the cross-domain feature similarity, a homomorphic association graph is constructed.

6. The method according to claim 1, characterized in that, Based on the homomorphic association graph, differential privacy-preserving image clustering is performed by injecting noise that satisfies differential privacy constraints into the graph edge weights, resulting in a set of image clusters including: Sensitivity analysis is performed on the edge weights in the homomorphic association graph to calculate the maximum impact of a single user data change on the edge weights, thereby obtaining a global sensitivity quantification value. A noise generation mechanism is then constructed based on the global sensitivity quantification value and a preset privacy budget parameter. The noise generation mechanism generates perturbation noise for each edge weight in the homomorphic correlation graph, and the perturbation noise is superimposed on the corresponding edge weight to obtain the perturbation homomorphic correlation graph. Graph clustering is performed based on the perturbed homomorphic association graph. The graph clustering operation calculates the connection density between nodes according to the perturbed edge weights, and divides nodes with connection density exceeding a preset clustering threshold into the same portrait cluster to generate a portrait cluster set.

7. The method according to claim 1, characterized in that, The authenticity of aggregated statistical features in the portrait cluster set is verified using a zero-knowledge proof protocol. Semantic consistency constraints are introduced to ensure that the statistical distribution of the reconstructed portrait is equivalent to that of the original portrait. A secure query interface supported by homomorphic encryption enables authorized parties to perform conditional retrieval of portrait attributes in the ciphertext domain, generating a de-identified user portrait library that supports ciphertext queries, including: Aggregated statistical features are extracted from each image cluster in the image cluster set. A statistical feature authenticity proof is constructed through a zero-knowledge proof protocol. The statistical feature authenticity proof enables the verifier to verify the correctness of the calculation of the aggregated statistical features without obtaining the original image data, and generates an aggregated statistical feature set with authenticity labels. A semantic consistency constraint function is established based on the aggregated statistical feature set. The semantic consistency constraint function calculates the statistical distance between the feature distribution of the reconstructed image and the feature distribution of the original image. The semantic consistency constraint function is iteratively optimized to make the statistical distance converge to a preset equivalence threshold, thereby obtaining a set of reconstructed images that satisfies the statistical distribution equivalence. An attribute index structure is constructed for the image attributes in the reconstructed image set according to the attribute type. Each attribute value in the attribute index structure is encrypted by homomorphic encryption operation to generate a ciphertext attribute index. A secure query interface is constructed based on the ciphertext attribute index. A ciphertext domain condition retrieval is performed on the ciphertext attribute index by homomorphic comparison operation to generate a query result set. The aggregated statistical feature set, the reconstructed profile set, and the attribute index of the encrypted state are integrated to form a de-identified user profile library that supports encrypted queries.

8. A media information intelligent delivery system based on user profiles, used to implement the method of any one of claims 1-7, characterized in that, include: The data anonymization unit is used to acquire user behavior data distributed across multiple data sources. Direct identifiers in the user behavior data are mapped to anonymous anchors using an irreversible hash function. The quasi-identifiers are generalized using a combination of anonymization and diversity constraints to obtain a set of anonymous anchors and a set of generalized features. The feature encryption unit is used to split the generalized feature set into encrypted fragments and distribute them to mutually untrusted computing nodes through a secret sharing protocol. Each node performs a local embedding transformation on the encrypted fragment to obtain a local profile embedding. The cross-domain feature similarity is calculated without exposing the plaintext of the local embeddings of each party using a secure inner product protocol. Based on the cross-domain feature similarity, a homomorphic association graph is constructed. A privacy clustering unit is used to perform differential privacy-preserving portrait clustering based on the homomorphic association graph. Noise that satisfies differential privacy constraints is injected into the graph edge weights to obtain a set of portrait clusters. The portrait verification unit is used to verify the authenticity of the aggregated statistical features in the portrait cluster set using a zero-knowledge proof protocol, introduce semantic consistency constraints to ensure that the statistical distribution of the reconstructed portrait is equivalent to that of the original portrait, and enable the authorized party to perform conditional retrieval of portrait attributes in the ciphertext domain through a secure query interface supported by homomorphic encryption, thereby generating a de-identified user portrait library that supports ciphertext queries. The feedback optimization unit is used to feed back and fuse the update information of the de-identified user profile library and the homomorphic association graph to adaptively optimize the local embedding transformation parameters.

9. An electronic device, characterized in that, include: processor; Memory used to store processor-executable instructions; The processor is configured to invoke instructions stored in the memory to execute the method according to any one of claims 1 to 7.

10. A computer-readable storage medium having computer program instructions stored thereon, characterized in that, When the computer program instructions are executed by the processor, they implement the method described in any one of claims 1 to 7.