Data security management method, device, equipment, medium and program product

By leveraging blockchain technology for dynamic security assessment and intelligent data anonymization, the problem of sensitivity changes during data transfer is solved. This enables automatic adjustment of data security levels and real-time risk monitoring, ensuring data availability and security while meeting privacy compliance requirements.

CN122394830APending Publication Date: 2026-07-14INDUSTRIAL AND COMMERCIAL BANK OF CHINA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
INDUSTRIAL AND COMMERCIAL BANK OF CHINA
Filing Date
2026-03-03
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing data security management technologies are unable to adapt to the changes in sensitivity during data flow. Their desensitization methods are rigid, access control is lagging, audit logs are easily tampered with, and they lack dynamic risk perception capabilities, making it difficult to balance data security and availability.

Method used

By adopting a blockchain-based dynamic security assessment strategy, dynamic grading, intelligent de-identification, access control, and real-time risk monitoring are implemented, combined with end-to-end log analysis, to achieve dynamic adjustment of data security management and real-time risk handling.

Benefits of technology

It enables automatic adaptive adjustment of data security levels, flexible de-identification processing, rapid permission granting, reduces the risk of data leakage, meets privacy compliance requirements, and improves data availability and security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394830A_ABST
    Figure CN122394830A_ABST
Patent Text Reader

Abstract

The application provides a blockchain-based data security management method, device, equipment, storage medium and program product, which can be applied to the field of artificial intelligence technology. The method comprises: performing dynamic security evaluation on to-be-processed data based on a dynamic security evaluation strategy to determine a security level; performing desensitization processing on the to-be-processed data while associating security identification information based on the security level and a data use scenario to generate desensitized data; setting an N-level access control strategy based on the security identification information, wherein N is an integer greater than 1; in response to performing data access based on the access control strategy, monitoring operation behaviors performed on the desensitized data, and performing risk evaluation on the operation behaviors; in response to the risk evaluation result meeting a risk condition, performing a risk disposal operation; and storing full-link logs by using a blockchain, and adjusting the dynamic security evaluation strategy by analyzing the full-link logs.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of blockchain technology, and more specifically to a blockchain-based data security management method, apparatus, device, medium, and program product. Background Technology

[0002] Current data security practices primarily employ static data grading (e.g., manually marking sensitive fields), role-based access control, and fixed data masking rules (e.g., full-field masking), combined with virtualization network acceleration technology and centralized audit logs. Regarding sensitive data management, traditional solutions typically rely on predefined classification strategies (e.g., identifying specific data types such as ID card numbers and mobile phone numbers) and rule engines to perform data masking operations. Permission allocation is based on preset role templates, and policy adjustments require manual approval processes. Furthermore, data lineage tracing often uses centralized databases to record data derivation relationships, but overall lacks dynamic risk perception capabilities. Summary of the Invention

[0003] In view of the above problems, embodiments of this application provide a data security management method, apparatus, device, medium and program product based on blockchain.

[0004] According to a first aspect of this application, a blockchain-based data security management method is provided, comprising: performing a dynamic security assessment on data to be processed based on a dynamic security assessment strategy to determine a security level; performing de-identification processing on the data to be processed and associating it with security identification information based on the security level and the data usage scenario to generate de-identified data; setting an N-level access control policy based on the security identification information, wherein N is an integer greater than 1; monitoring the operation behavior performed on the de-identified data in response to data access based on the access control policy, and performing a risk assessment on the operation behavior; performing risk disposal operation in response to the risk assessment result meeting the risk conditions; and using blockchain to store end-to-end logs, and adjusting the dynamic security assessment strategy by analyzing the end-to-end logs.

[0005] According to an embodiment of this application, the dynamic security assessment of the data to be processed based on the dynamic security assessment strategy to determine the security level includes: identifying the state changes of the data to be processed; and dynamically adjusting the security level based on the identification results.

[0006] According to embodiments of this application, the state change includes at least one of combining operations, processing operations, and derived operations on the data to be processed.

[0007] According to an embodiment of this application, the step of de-identifying the data to be processed based on the security level and the data usage scenario, and simultaneously associating it with security identification information to generate de-identified data, includes: selecting a de-identification rule based on the security level and the data usage scenario; and applying the de-identification rule to de-identify the data to be processed, while simultaneously generating and associating it with security identification information.

[0008] According to an embodiment of this application, the step of de-identifying the data to be processed based on the security level and data usage scenario, and simultaneously associating it with security identification information to generate de-identified data, further includes: intercepting data access requests to the data to be processed; and rewriting the data access requests as access requests to the de-identified data.

[0009] According to an embodiment of this application, the security identification information includes the security level and event identification information, and the step of setting an N-level access control policy based on the security identification information includes setting the N-level access control policy based on the security level, the requester's identity, and the business context information.

[0010] According to an embodiment of this application, the step of responding to data access based on the access control policy, monitoring the operation behavior performed on the de-identified data, and assessing the risk of the operation behavior includes: parsing the operation behavior to obtain semantic features; and matching the semantic features with preset risk rules or behavior patterns to generate a risk score.

[0011] According to an embodiment of this application, the step of adjusting the dynamic security assessment strategy by analyzing the full-link logs includes: locating the leakage path through the event identification information, generating an audit report based on the leakage path and cross-system logs; and adjusting the dynamic security assessment strategy by analyzing the audit report.

[0012] According to a second aspect of this application, a blockchain-based data security management device is provided, comprising: a dynamic hierarchical module, used to perform dynamic security assessment on data to be processed based on a dynamic security assessment strategy to determine a security level; an intelligent de-identification module, used to de-identify the data to be processed based on the security level and data usage scenario, and simultaneously associate security identification information to generate de-identified data; an access control module, used to set an N-level access control strategy based on the security identification information, where N is an integer greater than 1; a risk assessment module, used to monitor the operation behavior performed on the de-identified data in response to data access based on the access control strategy, and to perform a risk assessment on the operation behavior; the risk assessment module is also used to perform risk disposal operation in response to the risk assessment result meeting risk conditions; and an audit optimization module, used to use blockchain to store end-to-end logs, and to adjust the dynamic security assessment strategy by analyzing the end-to-end logs.

[0013] According to a third aspect of this application, an electronic device is provided, comprising: one or more processors; and a memory for storing one or more computer programs, wherein the one or more processors execute the one or more computer programs to implement the steps of the method described above.

[0014] According to a fourth aspect of this application, a computer-readable storage medium is also provided, on which a computer program or instructions are stored, wherein the computer program or instructions, when executed by a processor, implement the steps of the above-described method.

[0015] According to a fifth aspect of this application, a computer program product is also provided, including a computer program or instructions that, when executed by a processor, implement the steps of the above-described method. Attached Figure Description

[0016] The above-mentioned contents, other objects, features and advantages of this application will become clearer from the following description of embodiments with reference to the accompanying drawings, in which:

[0017] Figure 1 The illustrations depict application scenarios of blockchain-based data security management methods, apparatuses, devices, media, and program products according to embodiments of this application.

[0018] Figure 2 A flowchart illustrating a blockchain-based data security management method according to an embodiment of this application is shown schematically.

[0019] Figure 3 A flowchart illustrating the closed-loop feedback of a blockchain-based data security management method according to an embodiment of this application is shown in the illustration.

[0020] Figure 4This schematic diagram illustrates a structural block diagram of a blockchain-based data security management device according to an embodiment of this application;

[0021] Figure 5 A block diagram schematically illustrates an electronic device suitable for implementing a blockchain-based data security management method according to an embodiment of this application. Detailed Implementation

[0022] The embodiments of this application will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of this application. In the following detailed description, numerous specific details are set forth to provide a thorough understanding of the embodiments of this application for ease of explanation. However, it will be apparent that one or more embodiments may be implemented without these specific details. Furthermore, descriptions of well-known structures and technologies are omitted in the following description to avoid unnecessarily obscuring the concepts of this application.

[0023] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of this application. The terms “comprising,” “including,” etc., as used herein indicate the presence of the stated features, steps, operations, and / or components, but do not exclude the presence or addition of one or more other features, steps, operations, or components.

[0024] All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted in a manner consistent with the context of this specification, and not in an idealized or overly rigid way.

[0025] When using expressions such as "at least one of A, B and C", they should generally be interpreted in accordance with the meaning that is commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" should include, but is not limited to, a system having A alone, a system having B alone, a system having C alone, a system having A and B, a system having A and C, a system having B and C, and / or a system having A, B and C, etc.).

[0026] Traditional static data grading cannot adapt to changes in sensitivity during data flow: For example, after raw data is processed to generate derived reports, its risk level may increase, but the system cannot automatically identify this change, resulting in newly generated data not receiving the corresponding level of protection. Fixed anonymization rules affect data availability or security: For example, in customer service scenarios requiring user identity verification, full-field masking may hinder business operations; insufficient anonymization may lead to leakage risks during data sharing. Access control lags behind changes in business scenarios: For example, temporary job transfers during promotional periods require manual approval, with response delays often exceeding 24 hours, failing to meet real-time business needs. Derived data deviates from the original control strategy: For example, sensitive fields in analysis reports or AI models generated from protected raw data do not inherit the corresponding anonymization rules, posing a secondary leakage risk. Centralized audit logs are susceptible to tampering: While virtualization network acceleration solutions improve transmission efficiency, they are not linked to data security policies and cannot identify and intercept abnormal access behavior in real time, such as frequent queries to sensitive databases outside of working hours.

[0027] This application provides a blockchain-based data security management method, comprising: performing a dynamic security assessment on the data to be processed based on a dynamic security assessment strategy to determine a security level; performing de-identification processing on the data to be processed and associating it with security identification information based on the security level and the data usage scenario to generate de-identified data; setting an N-level access control policy based on the security identification information, where N is an integer greater than 1; monitoring the operation behavior performed on the de-identified data in response to data access based on the access control policy, and performing a risk assessment on the operation behavior; performing risk disposal operations in response to the risk assessment result meeting the risk conditions; and using blockchain to store end-to-end logs, and adjusting the dynamic security assessment strategy by analyzing the end-to-end logs.

[0028] The blockchain-based data security management method provided in this application can automatically detect changes in data sensitivity and dynamically adjust the protection strength; flexibly implement differentiated desensitization according to usage scenarios and user roles; connect with business systems to automatically and quickly grant temporary permissions and freeze abnormal accounts in real time; and utilize anti-tampering logs and network monitoring technology to ensure the authenticity and traceability of operation records. Ultimately, in sensitive data application scenarios such as finance and healthcare, it achieves a balance between data availability and security, significantly reduces the risk of leakage, and meets the compliance requirements of relevant privacy regulations.

[0029] In the technical solution of this application, the user information (including but not limited to user personal information, user image information, user device information, such as location information) and data (including but not limited to data used for analysis, stored data, and displayed data) involved are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, storage, use, processing, transmission, provision, disclosure, and application of related data all comply with relevant laws, regulations, and standards, take necessary confidentiality measures, do not violate public order and good morals, and provide corresponding operation entry points for users to choose to authorize or refuse.

[0030] In scenarios where personal information is used for automated decision-making, the methods, devices, and systems provided in this application all provide users with corresponding operation entry points for users to choose to agree to or reject the automated decision results; if the user chooses to reject, the process enters the expert decision-making process.

[0031] As used in this paper, the term "model" refers to a model that learns the relationship between inputs and outputs from training data, enabling it to generate corresponding outputs for a given input after training. Model generation can be based on machine learning techniques. Deep learning is a machine learning algorithm that processes inputs and provides corresponding outputs using multiple layers of processing units. A neural network model is an example of a deep learning-based model. In this paper, "model" may also be referred to as a "machine learning model," "learning model," "machine learning network," or "learning network," and these terms are used interchangeably.

[0032] It's important to note that the term "neural network" can refer to a machine learning network based on deep learning. A neural network processes input and provides corresponding output, typically consisting of an input layer, an output layer, and one or more hidden layers between them. Neural networks used in deep learning applications often include many hidden layers, increasing the network's depth. The layers of a neural network are connected sequentially, so that the output of the previous layer serves as the input to the next layer. The input layer receives the input to the neural network, while the output layer's output becomes the final output. Each layer of a neural network includes one or more nodes (also called processing nodes or neurons), each processing the input from the layer above.

[0033] It should be understood that machine learning generally includes three phases: training, testing, and application (also known as inference). In the training phase, a given model is trained using a large amount of training data, iteratively updating parameter values ​​until the model can consistently generate inferences that meet the expected goals from the training data. Through training, the model can be considered to have learned the relationship between inputs and outputs (also known as the input-output mapping) from the training data. The parameter values ​​of the trained model are determined. In the testing phase, test inputs are applied to the trained model to test whether it can provide the correct output, thus determining the model's performance. In the application phase, the model can be used to process actual inputs based on the trained parameter values ​​to determine the corresponding output.

[0034] It should be noted that the blockchain-based data security management method provided in this application can be used in the field of blockchain technology, involving the application of blockchain in data security, and can also be used in any field other than blockchain technology, such as the field of financial technology. Here, the application field of this application is not limited.

[0035] Figure 1 This is a schematic diagram of a blockchain-related network environment according to an exemplary embodiment of this application. Figure 1 The network environment 100 shown may include a client-side computing device 101, a server-side device 102, and at least one blockchain system, such as blockchain system 103, blockchain system 104, and blockchain system 105.

[0036] For example, client-side computing device 101 may include various types of client-side computing devices, such as personal computer computing devices, mobile computing devices, Internet of Things (IoT) devices, and other forms of intelligent devices with certain computing capabilities. It should be noted that client-side computing device 101 does not mean that all client-side computing devices are in the same communication network, but is merely a collective term for these client-side computing devices. Some computing devices in client-side computing device 101 can be coupled to server-side 102 through various communication networks. For example, device 3 is coupled to server-side 102. Some computing devices in client-side computing device 101 may also not be coupled to server-side 102, but directly coupled to the blockchain system; for example, device 4 can be directly coupled to blockchain system 103. Client-side computing device 101 may also include one or more user-side servers, such as devices 5 and 6. Some computing devices in client-side computing device 101 can be coupled to these user-side servers; for example, device 1 is coupled to device 5, and device 2 is coupled to device 6. The user-side server can be further directly coupled to the blockchain system, or it can be further coupled to the server 102 through various communication networks. For example, device 5 can be further directly coupled to the blockchain system, and device 6 can be further coupled to the server 102.

[0037] It should be noted that the user-side server can be implemented by a service entity that has established a user account system. This service entity can include the operating entity of the service carrier that provides various online and / or offline services to users. Correspondingly, the operating entity can include the operator of the aforementioned service carrier; for example, the operating entity can include individuals, organizations, companies, and enterprises that operate and manage the aforementioned service carrier.

[0038] Server 102 can be coupled to one or more blockchain systems through various communication networks. For example, server 102 can be coupled to blockchain system 103, blockchain system 104 and blockchain system 105 respectively.

[0039] The communication network may include wired and / or wireless communication networks, such as local area networks, wide area networks, the Internet, or combinations thereof, which are based on wired or wireless access networks provided by operators.

[0040] Each blockchain system can maintain one or more blockchains, such as public blockchains, private blockchains, consortium blockchains, etc., and includes multiple blockchain nodes to host the aforementioned one or more blockchains; for example, Figure 1The nodes shown, such as Node 1, Node 2, Node 3, Node 4, and Node i, can collectively support one or more blockchains. Cross-chain data access is also possible between the blockchains contained within each blockchain system, as well as between different blockchain systems themselves.

[0041] Nodes in a blockchain system can be physical devices or virtual devices implemented within servers or server clusters. For example, a node in a blockchain system can be a physical host in a server cluster, or a virtual machine created by virtualizing the hardware resources of a server or server cluster using virtualization technology. Each node can be coupled together to form a network through various types of communication methods to support one or more blockchains.

[0042] Server-side 102 may include a blockchain service platform, such as a platform for providing blockchain services. This platform can provide blockchain services to client-side computing devices coupled to the platform by providing pre-written software for activities occurring on the blockchain (e.g., subscriptions and notifications, user authentication, database management, remote updates, etc.).

[0043] In practical applications, blockchain services can be deployed on the blockchain in the form of smart contracts. When an application running on a client-side computing device uses a blockchain service, it can send a request to the blockchain system to invoke the corresponding smart contract deployed on the blockchain.

[0044] Figure 2 A flowchart illustrating a blockchain-based data security management method according to an embodiment of this application is shown. Figure 2 As shown, the blockchain-based data security management method 200 according to an embodiment of this application may include steps S210 to S260.

[0045] It should be noted that, although the steps of the method are described in a specific order in the embodiments of this application, it should be understood that the execution order of these steps is not fixed and can be adjusted according to actual needs. Specifically, some steps can be executed in reverse order, or they can be executed in parallel to improve efficiency without affecting the overall method effect. In addition, some steps may be optional and can be selectively executed according to specific application scenarios or requirements.

[0046] In step S210, a dynamic security assessment is performed on the data to be processed based on the dynamic security assessment strategy to determine the security level.

[0047] In embodiments of this application, user consent or authorization can be obtained before acquiring user information. For example, a request to acquire user information can be sent to the user before step S210. If the user consents or authorizes the acquisition of user information, step S210 is executed.

[0048] In step S220, based on the security level and data usage scenario, the data to be processed is de-identified and associated with security identification information to generate de-identified data.

[0049] In step S230, an N-level access control policy is set based on the security identification information, where N is an integer greater than 1.

[0050] In step S240, in response to data access based on access control policies, the operation behavior performed on the de-identified data is monitored, and the operation behavior is risk-assessed.

[0051] In embodiments of this application, a corresponding operation entry point can be provided to the user, allowing the user to choose to agree to or reject the automated decision result. That is, before conducting a risk assessment on the operation, the user can provide an instruction to agree to or reject the risk assessment through the corresponding operation entry point. If the user agrees to conduct the risk assessment, the operation is assessed for risk, i.e., step S240 is executed. If the user refuses to conduct the risk assessment, the expert decision-making process is initiated.

[0052] In step S250, in response to the risk assessment result meeting the risk conditions, a risk disposal operation is performed.

[0053] In step S260, blockchain is used to store the full-link logs, and the dynamic security assessment strategy is adjusted by analyzing the full-link logs.

[0054] This application aims to address the systemic deficiencies in existing data security management technologies, specifically including: the inability of the system to automatically identify and adjust the protection level when data importance dynamically changes with processing flow; rigid de-identification methods that make it difficult to strike a balance between protecting data privacy and ensuring business availability; cumbersome and slow temporary permission granting processes that cannot adapt to the needs of rapidly changing business; the failure of derived data to automatically inherit the protection strategy of the original data, making newly generated data prone to "getting out of control"; and the risk of audit logs being tampered with, lacking the ability to monitor and intercept abnormal operations in real time.

[0055] According to embodiments of this application, a blockchain-based data security management method is adopted, which integrates dynamic hierarchical classification, intelligent de-identification, automatic access control, risk detection, and audit trail. This method performs dynamic security assessments on the data to be processed, automatically adapting to data changes and business needs, defining data security levels, and reducing the risk of data leakage. Intelligent de-identification ensures data security while meeting diverse usage needs and increasing flexibility. Setting access control policies ensures data availability within a controllable range, speeds up authorization, and improves user experience. Risk assessments of operational behaviors reduce the risk of data tampering and comply with privacy compliance requirements. Dynamically adjusting security assessment strategies forms a complete security closed loop that can be continuously optimized.

[0056] Traditional static data grading cannot adapt to changes in sensitivity during data processing. For example, a report might become more important when ordinary addresses and consumption records are combined, but the system might not recognize this, and the new report might not be protected. To address this, embodiments of this application propose dynamic security assessment of the data to be processed to determine its security level and automatically adjust the data's importance.

[0057] According to embodiments of this application, a dynamic security assessment is performed on the data to be processed based on a dynamic security assessment strategy to determine the security level, including: identifying changes in the state of the data to be processed; and dynamically adjusting the security level based on the identification results.

[0058] For example, a dynamic security assessment strategy can include multiple data security levels, such as Level 1, Level 2, ..., Level K; or Internal, Intermediate, ..., Confidential; or Low, Medium, ..., High, etc. If the data changes, the security level corresponding to the changed data is determined from the dynamic security assessment strategy. For example, after adding a transaction field to the data, its security level can change from Level 1 to Level 2; after performing cross-database aggregation to generate a risk control report, its security level can change from Internal to Confidential.

[0059] In some embodiments, the security level of data is adjusted through real-time data grading and event triggering mechanisms. Combining a sensitive feature library with a lightweight artificial intelligence model can automatically label initial sensitive data. Low-load incremental scanning technology can capture data changes in real time. For example, an artificial intelligence model with a classification accuracy of ≥85% can be selected, combined with a pre-built sensitive feature library supporting over 20 categories of custom regularization rules, to automatically label initial sensitive data (e.g., internal level). Low-load incremental scanning technology with low resource consumption can be selected to capture data changes in real time.

[0060] When a data combination is detected to trigger an escalation of risk, the data security management method of the embodiment can quickly (e.g., within 10 seconds) dynamically upgrade the data classification, generate a classification event with a digital signature and push it to the de-identification processing step. For example, when scattered addresses and consumption records are aggregated into a report, the data classification (security level) is adjusted from the internal level to the confidential level, a classification event containing a data identifier, a new level and a timestamp is generated and pushed to the de-identification processing step in real time.

[0061] According to the embodiments of this application, the security level of the data is dynamically adjusted according to the changes in the state of the data to be processed, which solves the problem that traditional static classification cannot adapt to changes in sensitivity during data processing and flow, ensuring that the data can be protected in accordance with the current risks and increasing data security.

[0062] The dynamic security assessment strategy provided in the embodiments provides a dynamic security basis for subsequent processing procedures.

[0063] According to embodiments of this application, state changes include at least one of combining operations, processing operations, and derived operations on the data to be processed.

[0064] Combining operations can include aggregating multiple types of data together. These multiple types of data may come from a single database or belong to different databases. For example, aggregated address information and consumption records can be used to generate a report.

[0065] Processing operations may include reprocessing the original data, such as adding, deleting, or modifying fields based on the original data. It should be noted that adding, deleting, or modifying fields based on the original data are merely examples and not limitations of the embodiments of this application. For example, processing operations may also include encrypting the original data.

[0066] Derivative operations can include regeneration and re-creation based on the original data, or data that evolves or changes from the original data. For example, in traditional data security management methods, the original data has protection rules, but analysis reports or AI models derived from the original data are prone to secondary leakage because they do not automatically inherit the security level of the original data. The blockchain-based security management method provided in this embodiment can identify data changes caused by derivative operations and redetermine the data security level, thereby solving the data leakage problem existing in traditional methods.

[0067] It should be noted that the state change, including at least one of the combination operation, processing operation, and derivative operation on the data to be processed, is merely an example and not a limitation on the embodiments of this application. Any data change can be captured by the method of the embodiments of this application and trigger a corresponding change in data security level. There are no clear boundaries between the combination operation, processing operation, and derivative operation. In some cases, a derivative operation can be a combination operation, a processing operation can be a derivative operation, and a combination operation can also be a processing operation. Different operations can be converted into each other.

[0068] The blockchain-based data security management method provided in the embodiments of this application can identify the sensitivity leap of data caused by combination, processing and derivation, ensure the comprehensiveness and accuracy of security level classification, and avoid data leakage caused by inaccurate level classification.

[0069] In some embodiments, by combining a pre-built sensitive feature library (covering more than 20 standard data types and supporting custom rules via regular expressions), initial sensitive labels can be automatically assigned to data. Through bypass incremental scanning technology, database logs can be monitored to capture data changes in real time. When data combinations lead to an increased risk level, the database logs are compared with the sensitive feature library for identification, and the data classification is dynamically upgraded quickly (e.g., within 10 seconds), for example, from public to confidential. A digitally signed classification event is generated and pushed to the de-identification process, providing real-time updated data security attribute data for subsequent processing.

[0070] Traditional data security management methods, when anonymizing data, either completely hide information, making it impossible for users to verify their identity, or hide too little information, making it easy for data to be leaked when shared externally. To address this, the method provided in this application, after obtaining the security level of the data to be processed, intelligently anonymizes the data, flexibly switching the anonymization method (e.g., partial hiding / blurring) according to the user and scenario, thus avoiding the problem of overly rigid data anonymization methods.

[0071] According to embodiments of this application, the process of de-identifying data and associating it with security identification information based on security level and data usage scenario includes: selecting de-identification rules based on security level and data usage scenario; and applying the de-identification rules to de-identify the data while generating and associating it with security identification information.

[0072] In some embodiments, de-identification rules may include masking partial fields, full masking, and sensitive information transformation. Sensitive information transformation may include transforming the data to be processed, such as adjusting the position or content of the data to be processed based on preset rules, or encrypting the data to be processed. It should be noted that the de-identification rules can be any existing de-identification method for data de-identification, which will not be listed here.

[0073] For example, security identification information may include security level and event identification information, and may be watermark information, which may include various information including the security level. For instance, while de-identifying the data to be processed, an invisible watermark containing a hierarchical event identifier and an operator identity hash is embedded. The hierarchical event identifier can be used to determine the data security level, and the operator identity hash can be used for subsequent compliance retrospectives, responsibility delineation, and other steps. The method in this embodiment generates and associates corresponding security identification information while performing de-identification processing on the data to be processed, and the generated de-identified data carries this security identification information.

[0074] In some embodiments, a scenario-based dynamic de-identification mechanism is used to perform de-identification processing on the data to be processed. After receiving a graded event, a differentiated de-identification strategy is invoked according to the security level of the data and the usage scenario. The selected de-identification strategy (i.e., de-identification rules) is used to de-identify the data to be processed. For example, if the data label of the data to be processed indicates that it is a confidential report, and the usage scenario requires customer service verification that requires partial plaintext, then the report is de-identified by partially obscuring it and associated with security identification information.

[0075] For example, for low-sensitivity data (e.g., mobile phone number), the middle field (e.g., "123****1234") is masked, and for high-sensitivity data (e.g., ID card number), a virtual number that conforms to the real distribution is generated.

[0076] According to the embodiments of this application, based on the security level and data usage scenario, de-identification rules are selected and the data to be processed is de-identified, which increases the flexibility of the de-identification method, adapts to various data security needs, and avoids data leakage caused by retaining too much information while meeting data availability requirements; the added security identification information can be used for access control and audit traceability to ensure the interpretability and compliance of data operations.

[0077] According to embodiments of this application, based on security level and data usage scenario, the process of de-identifying the data to be processed and associating it with security identification information to generate de-identified data further includes: intercepting data access requests for the data to be processed; and rewriting the data access requests into access requests for the de-identified data.

[0078] In some embodiments, database queries are intercepted in real time to ensure zero contact with the original data. For example, structured query language is intercepted in real time at the database protocol layer, and the query for the data to be processed is rewritten as a query for the de-identified fields. The processed de-identified data stream (response latency less than 50ms) is passed to the dynamic access control step to perform access control. The security identification information embedded in the de-identified data can provide a basis for subsequent traceability.

[0079] For example, the desensitization process receives events pushed by dynamic data classification processing. Based on the data's dynamic label as "confidential" and the specific use case, it executes differentiated desensitization strategies: full-field simulation replacement is enabled for highly sensitive data, and watermark tags containing classification event identifiers and operator identity hashes are embedded; the original data is ensured to remain untouched by intercepting and rewriting the structured query language in real time at the database protocol layer; the processed desensitized data stream is then passed to the access control process.

[0080] According to an embodiment of this application, by rewriting the data access request, zero contact with the original data is achieved, thus avoiding leakage of the original data.

[0081] According to embodiments of this application, incremental scanning technology is used to reduce system resource occupancy, and structured query language rewriting technology avoids data duplication, saving storage costs and significantly optimizing resource efficiency. Artificial intelligence classification models and sensitive feature libraries can automatically complete most data classification tasks, and temporary permission mechanisms can seamlessly support high-concurrency business scenarios (e.g., data processing volume increases exponentially during e-commerce promotions). While ensuring business continuity, millisecond-level response is achieved, effectively solving the pain points of lagging security protection and high resource consumption in traditional solutions, reducing the number of security incidents, and improving overall operational efficiency.

[0082] To address the issue of slow temporary permission granting in existing technologies—for example, when promotional activities urgently need to access data, approval often exceeds 24 hours, causing delays—this embodiment's blockchain-based data security management method introduces a permission self-control step, dynamically authorizing access to the data to be accessed.

[0083] According to an embodiment of this application, the security identification information includes security level and event identification information. Setting an N-level access control policy based on the security identification information includes setting an N-level access control policy based on the security level, the requester's identity, and business context information.

[0084] For example, security identification information may include hierarchical event identifiers and event identifier information. Hierarchical event identifiers may include security levels, as well as data identifiers and timestamps. Event identifier information may include operator identification. Data identifiers, timestamps, and operator identification can all be used for audit traceability. The process of audit traceability will be described below and will not be elaborated on here.

[0085] For example, dynamic authorization is achieved through dynamic access control, and data access is executed based on authorized permissions. Specifically, multi-level access control policies are set based on the security level of the data to be accessed, the identity of the requester, and business context information. All permission changes can generate audit logs, forming a policy closed loop. The higher the security level, the stricter the access conditions, setting higher-level and more stringent authorization permissions. For example, internal-level data can be used by business personnel and managers, while confidential data can only be used by managers. Lower-level requesters are granted lower-level authorization permissions. For example, business personnel can only view data at levels 1 to 3, while managers can view and modify data at levels 1 to 6. Important and core business operations are granted higher-level authorization permissions. For example, core business operations can only be viewed by management, and ordinary business personnel cannot view them.

[0086] The method in the embodiment can set up a multi-level access control policy based on at least one of security level, requester identity and business context information. For example, it can perform three-level dynamic authorization based on watermark label (including security level), user identity information and business scenario, covering regular scenario, temporary scenario and risk scenario.

[0087] In standard scenarios, permissions are assigned based on preset roles; for example, customer service personnel can only access anonymized data views. In temporary scenarios, time-sensitive permissions are automatically granted based on business event flows; for example, during promotional activities, marketing personnel can temporarily access complete user profiles for 2 hours. In high-risk scenarios, behavioral monitoring data is received in real time; for example, if a single user queries more than 10 times per second, the account is frozen within 0.5 seconds. All permission changes (including operator, validity period, and event identifier) ​​generate audit logs and are synchronized to the risk monitoring and auditing steps, forming a closed-loop strategy execution chain of "hierarchy → anonymization → permissions" to ensure dynamic matching of permissions and data risks.

[0088] According to the embodiments of this application, multi-level access control policies are set based on security level, requester identity and business context information, which realizes dynamic and fine-grained binding of permissions and data risks, refines access permissions for different levels of data, and improves access efficiency while ensuring data security.

[0089] For example, in step S240, data access is performed based on the access control policy, the operation behavior performed on the de-identified data is monitored, and a risk assessment is performed on the operation behavior. That is, when data access is performed in accordance with the determined access control policy, the method of the embodiment further monitors the operation behavior performed on the de-identified data, and performs risk disposal operations if the risk assessment result meets the risk conditions; if data access is not performed in accordance with the determined access control policy, it can be directly determined that the data access is risky, and risk disposal operations can be performed, such as terminating the access.

[0090] In existing scenarios, administrators may delete abnormal logs and cannot intercept dangerous operations such as frequent data queries in the middle of the night. The blockchain-based data security management method in this embodiment introduces a real-time risk interception mechanism to detect risky behaviors in a timely manner by monitoring operational behavior.

[0091] According to embodiments of this application, in response to data access based on access control policies, monitoring the operational behavior performed on de-identified data and conducting risk assessment of the operational behavior includes: parsing the operational behavior to obtain semantic features; and matching the semantic features with preset risk rules or behavioral patterns to generate a risk score.

[0092] During the permission execution process, parsing the operation behavior and obtaining semantic features can include: performing semantic analysis on the operation behavior to obtain semantic features. This semantic analysis parses the structured query language type, execution time, data volume, and data objects to identify the data export statements. The structured query language type can include, for example, query, update, and delete; the execution time can include, for example, whether it occurred during peak business hours or off-peak hours such as early morning; the data volume can include, for example, whether it involved batch data downloads; and the data objects can include, for example, whether they are target sensitive fields (e.g., ID card numbers).

[0093] For example, matching semantic features with preset risk rules may include comparing the semantic features with an integrated threat signature database model. Matching semantic features with behavioral patterns may include comparing the semantic features using a lightweight artificial intelligence model or statistical model, for example, comparing the semantic features with the historical normal behavior baseline of the user / role. The method of the embodiment completes real-time evaluation based on the matching results, for example, generating a risk score.

[0094] The threat signature database integrates various high-risk database operation patterns, such as modifying the permissions and passwords of high-privilege database users, and deleting databases. It also integrates various low-risk database operation patterns, such as customer service representatives performing normal CRUD operations on ordinary users within the database. If a low-threat signature is matched (e.g., a low-privilege user attempting to access highly sensitive fields) or abnormal behavior is detected through the anomaly prediction layer (e.g., batch downloads during the early morning hours), and the risk value exceeds a preset threshold, the current session is immediately blocked. If a high-threat signature is matched (e.g., remotely performing administrator permission changes via a high-risk port, reading sensitive files in the database root directory), and the risk value exceeds a preset threshold, the current session is immediately blocked.

[0095] For example, new attack patterns (e.g., bypassing anonymized Structured Query Language injection) automatically generate rules, which are then fed back to the dynamic access control steps to adjust the strategy. All risk events (including interception actions, risk scores, and associated session identifiers) are written into the audit chain for feedback optimization, achieving a real-time closed-loop defense of "monitoring → interception → strategy optimization".

[0096] According to embodiments of this application, by analyzing operational semantics in real time and conducting risk assessments, high-risk operations are intercepted immediately. New attack patterns are transformed into rules and fed back to the access control steps. Risk events are written into the audit chain, enabling early detection and real-time blocking of internal threats and potential attacks, fundamentally reducing the risk of leakage. Through semantic and behavioral intelligent analysis, the accuracy of threat detection is significantly improved, overcoming the problems of high false positive rates and insensitivity to new or variant attacks associated with traditional fixed rules. Through feedback and adjustment mechanisms, dynamic adaptation is achieved, forming a continuously self-learning intelligent closed loop.

[0097] For example, in response to the risk assessment result meeting the risk conditions, a risk handling operation is performed, such as blocking the session when the risk score is greater than a preset value. Here, the risk conditions can be flexibly set according to the specific use case. For example, for scenarios with high data security requirements, a lower preset score can be set to avoid overlooking any potential risks.

[0098] The embodiments of this application employ blockchain to store end-to-end logs, and adjust dynamic security assessment strategies by analyzing these logs. The end-to-end logs aggregate operational information from various steps, including dynamic hierarchical classification, intelligent de-identification, access control, and risk monitoring, and may include hierarchical event identifiers, de-identified watermarks, access records, and risk interception records. It should be noted that using blockchain to store end-to-end logs is merely an example and not a limitation of the embodiments of this application. In other embodiments, blockchain storage combined with SM3 (Chinese national cryptographic standard) signatures can be used to solidify evidence.

[0099] According to embodiments of this application, adjusting the dynamic security assessment strategy by analyzing the end-to-end logs includes: locating the leakage path through event identification information, generating an audit report based on the leakage path and cross-system logs; and adjusting the dynamic security assessment strategy by analyzing the audit report.

[0100] For example, locating leakage paths through event identification information can include using watermarking tracing technology to pinpoint potential data leakage paths, such as the source of the spread of un-anonymized reports. By correlating watermarking tracing with cross-system logs, an immutable audit report can be generated. Cross-system log correlation can include matching database access records with business system operators.

[0101] The audit report can support three major application scenarios: compliance retrospection, tracing the entire lifecycle of sensitive data; responsibility identification, locating the unauthorized export behavior of relevant personnel; and strategy optimization, analyzing high-frequency false blocking events and feeding them back to the hierarchical steps to optimize the rules.

[0102] According to embodiments of this application, the analysis results of the audit report are fed back to the dynamic grading step, driving continuous optimization of the security strategy and forming a complete security closed loop of "grading → de-identification → access control → monitoring → auditing → grading". By analyzing the full-link logs, potential data leakage paths can be accurately located and attack patterns analyzed. The feedback adjustment mechanism enables the entire security system to learn and optimize in practice, solving the pain points of rigid rules and inability to cope with new threats in traditional solutions.

[0103] According to embodiments of this application, a lightweight artificial intelligence model enables second-level sensitive data identification and dynamic classification, linked with an intelligent desensitization mechanism to quickly complete scenario-based desensitization processing. Simultaneously, embedded watermark tags enable dynamic access control, improving security efficiency. The risk monitoring step can intercept abnormal access behavior in seconds, and combined with a blockchain-based immutable audit chain, it achieves accurate tracing of leakage paths, significantly reducing security risks and meeting compliance requirements.

[0104] Figure 3 A flowchart illustrating the closed-loop feedback of a blockchain-based data security management method according to an embodiment of this application is shown.

[0105] like Figure 3As shown, this closed-loop feedback mechanism can include a dynamic hierarchical engine, an intelligent de-identification engine, an access control engine, a risk monitoring engine, and an audit traceability engine. The dynamic hierarchical engine obtains data to be processed from the data source, classifies the data into security levels, generates hierarchical events, and provides these events to the intelligent de-identification engine. The intelligent de-identification engine de-identifies the data and provides the de-identified data with associated watermark information to the access control engine. The access control engine performs dynamic access control, generates access logs, and synchronizes them to the risk monitoring engine. The risk monitoring engine performs real-time risk interception and policy optimization, provides risk events to the audit traceability engine, and feeds back policy optimization information to the access control engine, which dynamically adjusts permissions based on this information. The audit traceability engine performs end-to-end auditing and feeds back to the policy, optimizing hierarchical rules and feeding them back to the dynamic hierarchical engine to update the dynamic security assessment policy. This forms a complete closed-loop feedback loop.

[0106] Based on the aforementioned blockchain-based data security management method, embodiments of this application also provide a blockchain-based data security management device. The following will be combined with... Figure 4 The device is described in detail.

[0107] Figure 4 A schematic block diagram of a blockchain-based data security management device according to an embodiment of this application is shown.

[0108] like Figure 4 As shown, the blockchain-based data security management device 400 in this embodiment includes a dynamic hierarchical module 410, an intelligent desensitization module 420, an access control module 430, a risk assessment module 440, and an audit optimization module 450.

[0109] The dynamic grading module 410 is used to perform dynamic security assessment on the data to be processed based on a dynamic security assessment strategy to determine the security level. In one embodiment, the dynamic grading module 410 can be used to execute step S210 described above, which will not be repeated here.

[0110] The intelligent desensitization module 420 is used to desensitize the data to be processed based on the security level and data usage scenario, while associating it with security identification information to generate desensitized data. In one embodiment, the intelligent desensitization module 420 can be used to execute step S220 described above, which will not be repeated here.

[0111] The access control module 430 is used to set an N-level access control policy based on security identification information, where N is an integer greater than 1. In one embodiment, the access control module 430 can be used to execute step S230 described above, which will not be repeated here.

[0112] The risk assessment module 440 is used to monitor the operation behavior performed on the de-identified data in response to data access based on access control policies, perform risk assessment on the operation behavior, and perform risk disposal operation in response to the risk assessment result meeting the risk conditions. In one embodiment, the risk assessment module 440 can be used to perform steps S240 and S250 described above, which will not be repeated here.

[0113] The audit optimization module 450 is used to store end-to-end logs using blockchain and adjusts dynamic security assessment strategies by analyzing the end-to-end logs. In one embodiment, the audit optimization module 450 can be used to execute step S260 described above, which will not be repeated here.

[0114] According to an embodiment of this application, the dynamic grading module 410 is further configured to: identify changes in the state of the data to be processed; and dynamically adjust the security level based on the identification results.

[0115] According to embodiments of this application, state changes include at least one of combining operations, processing operations, and derived operations on the data to be processed.

[0116] According to an embodiment of this application, the intelligent desensitization module 420 is further configured to: select desensitization rules based on security level and data usage scenario; and apply the desensitization rules to desensitize the data to be processed, while generating and associating security identification information.

[0117] According to an embodiment of this application, the intelligent desensitization module 420 is further configured to: intercept data access requests for data to be processed; and rewrite the data access requests as access requests for desensitized data.

[0118] According to an embodiment of this application, the security identification information includes security level and event identification information, and the access control module 430 is further used to: set an N-level access control policy based on the security level, the requester's identity, and the business context information.

[0119] According to an embodiment of this application, the risk assessment module 440 is further configured to: parse the operational behavior to obtain semantic features; and match the semantic features with preset risk rules or behavioral patterns to generate a risk score.

[0120] According to an embodiment of this application, the audit optimization module 450 is further configured to: locate the leakage path through event identification information, generate an audit report based on the leakage path and cross-system logs; and adjust the dynamic security assessment strategy by analyzing the audit report.

[0121] According to embodiments of this application, any multiple modules among the dynamic hierarchical module 410, intelligent desensitization module 420, access control module 430, risk assessment module 440, and audit optimization module 450 can be merged into one module, or any one of these modules can be split into multiple modules. Alternatively, at least some of the functions of one or more of these modules can be combined with at least some of the functions of other modules and implemented in one module. According to embodiments of this application, at least one of the dynamic hierarchical module 410, intelligent desensitization module 420, access control module 430, risk assessment module 440, and audit optimization module 450 can be at least partially implemented as hardware circuits, such as field-programmable gate arrays, programmable logic arrays, systems-on-a-chip, systems-on-a-substrate, systems-on-package, application-specific integrated circuits, or any other reasonable means of integrating or packaging circuits, or implemented in software, hardware, or firmware, or in any one of the three implementation methods, or in a suitable combination of any of them. Alternatively, at least one of the dynamic hierarchical module 410, intelligent desensitization module 420, access control module 430, risk assessment module 440, and audit optimization module 450 can be at least partially implemented as a computer program module, which can perform corresponding functions when the computer program module is run.

[0122] Figure 5 A block diagram schematically illustrates an electronic device suitable for implementing a blockchain-based data security management method according to an embodiment of this application.

[0123] like Figure 5 As shown, an electronic device 1200 according to an embodiment of this application includes a processor 1201, which can perform various appropriate actions and processes according to a program stored in a read-only memory 1202 or a program loaded from a storage portion 1208 into a random access memory 1203. The processor 1201 may include, for example, a general-purpose microprocessor, an instruction set processor and / or an associated chipset and / or a dedicated microprocessor. The processor 1201 may also include onboard memory for caching purposes. The processor 1201 may include a single processing unit or multiple processing units for executing different steps of the method flow according to an embodiment of this application.

[0124] Random access memory 1203 stores various programs and data required for the operation of electronic device 1200. Processor 1201, read-only memory 1202, and random access memory 1203 are interconnected via bus 1204. Processor 1201 executes various steps of the method flow according to embodiments of this application by executing programs in read-only memory 1202 and / or random access memory 1203. It should be noted that the programs may also be stored in one or more memories other than read-only memory 1202 and random access memory 1203. Processor 1201 may also execute various steps of the method flow according to embodiments of this application by executing programs stored in said one or more memories.

[0125] According to embodiments of this application, the electronic device 1200 may further include an input / output interface 1205, which is also connected to the bus 1204. The electronic device 1200 may also include one or more of the following components connected to the input / output interface 1205: an input section 1206 including a keyboard, mouse, etc.; an output section 1207 including a cathode ray tube, liquid crystal display, etc., and a speaker, etc.; a storage section 1208 including a hard disk, etc.; and a communication section 1209 including a network interface card, such as a local area network card, modem, etc. The communication section 1209 performs communication processing via a network such as the Internet. A drive 1210 is also connected to the input / output interface 1205 as needed. A removable medium 1211, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 1210 as needed so that computer programs read from it can be installed into the storage section 1208 as needed.

[0126] Embodiments of this application also provide a computer-readable storage medium, which may be included in the device / apparatus / system described in the above embodiments; or it may exist independently and not assembled into the device / apparatus / system. The computer-readable storage medium carries one or more programs, which, when executed, implement the method according to the embodiments of this application.

[0127] According to embodiments of this application, the computer-readable storage medium can be a non-volatile computer-readable storage medium, such as including but not limited to: portable computer disks, hard disks, random access memory, read-only memory, erasable programmable read-only memory, portable compact disk read-only memory, optical storage devices, magnetic storage devices, or any suitable combination thereof. In embodiments of this application, the computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. For example, according to embodiments of this application, the computer-readable storage medium may include the read-only memory 1202, and / or random access memory 1203, and / or one or more memories other than read-only memory 1202 and random access memory 1203 described above.

[0128] Embodiments of this application also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowchart. When the computer program product is run on a computer system, the program code is used to cause the computer system to implement the methods provided in the embodiments of this application.

[0129] In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of signals over a network medium, and may be downloaded and installed via the communication section 1209, and / or installed from the removable medium 1211. The program code contained in the computer program can be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.

[0130] In embodiments of this application, the computer program can be downloaded and installed from a network via communication section 1209, and / or installed from removable medium 1211. When the computer program is executed by processor 1201, it performs the functions defined in the system of this application embodiment. According to embodiments of this application, the systems, devices, apparatuses, modules, units, etc., described above can be implemented by computer program modules.

[0131] According to embodiments of this application, program code for executing the computer programs provided in the embodiments of this application can be written in any combination of one or more programming languages. Specifically, these computational programs can be implemented using high-level procedural and / or object-oriented programming languages, and / or assembly / machine languages. The program code can be executed entirely on the user's computing device, partially on the user's device, partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0132] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0133] Those skilled in the art will understand that the features described in the various embodiments of this application can be combined and / or combined in various ways, even if such combinations or combinations are not explicitly described in this application. In particular, the features described in the various embodiments of this application can be combined and / or combined in various ways without departing from the spirit and teachings of this application. All such combinations and / or combinations fall within the scope of this application.

Claims

1. A data security management method based on blockchain, characterized in that, The method includes: The dynamic security assessment strategy is used to dynamically assess the security of the data to be processed and determine its security level. Based on the security level and data usage scenario, the data to be processed is de-identified and associated with security identification information to generate de-identified data. Based on the security identification information, an N-level access control policy is set, where N is an integer greater than 1; In response to data access performed based on the access control policy, the system monitors the operations performed on the de-identified data and conducts a risk assessment of the operations. In response to the risk assessment results meeting the risk conditions, risk management actions are performed; and The system uses blockchain to store end-to-end logs, and adjusts the dynamic security assessment strategy by analyzing these logs.

2. The method according to claim 1, characterized in that, The dynamic security assessment strategy performs dynamic security assessments on the data to be processed to determine the security level, including: Identify the state changes of the data to be processed; and The security level is dynamically adjusted based on the identification results.

3. The method according to claim 2, characterized in that, The state change includes at least one of the following: combining operations, processing operations, and derivative operations on the data to be processed.

4. The method according to claim 1, characterized in that, The process of de-identifying the data to be processed based on the security level and data usage scenario, while simultaneously associating it with security identification information, to generate de-identified data includes: Based on the security level and the data usage scenario, select the de-identification rules; and The data to be processed is desensitized using the aforementioned desensitization rules, and the security identification information is generated and associated with it.

5. The method according to claim 4, characterized in that, The process of de-identifying the data to be processed based on the security level and data usage scenario, while associating it with security identification information, and generating de-identified data further includes: Intercepting data access requests to the data to be processed; and The data access request is rewritten as an access request for the de-identified data.

6. The method according to claim 1, characterized in that, The security identification information includes the security level and event identification information, and the step of setting an N-level access control policy based on the security identification information includes: The N-level access control policy is set based on the security level, the requester's identity, and the business context information.

7. The method according to claim 1, characterized in that, The step of responding to data access based on the access control policy, monitoring the operations performed on the de-identified data, and conducting a risk assessment of the operations includes: The operation behavior is parsed to obtain semantic features; and The semantic features are matched with preset risk rules or behavioral patterns to generate a risk score.

8. The method according to claim 6, characterized in that, The step of adjusting the dynamic security assessment strategy by analyzing the full-link logs includes: The leak path is located using the event identification information, and an audit report is generated based on the leak path and cross-system logs; and The dynamic security assessment strategy is adjusted by analyzing the audit report.

9. A data security management device based on blockchain, characterized in that, The device includes: The dynamic grading module is used to perform dynamic security assessments on the data to be processed based on dynamic security assessment strategies and determine the security level. The intelligent desensitization module is used to desensitize the data to be processed based on the security level and data usage scenario, and at the same time associate security identification information to generate desensitized data; The access control module is used to set an N-level access control policy based on the security identification information, where N is an integer greater than 1; The risk assessment module is used to monitor the operation behavior performed on the de-identified data in response to data access based on the access control policy, and to conduct a risk assessment on the operation behavior; The risk assessment module is also configured to perform risk management operations in response to the risk assessment result meeting risk conditions; and The audit optimization module is used to store end-to-end logs using blockchain and to adjust the dynamic security assessment strategy by analyzing the end-to-end logs.

10. An electronic device, comprising: One or more processors; Memory, used to store one or more computer programs. The characteristic feature is that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1 to 8.

11. A computer-readable storage medium having a computer program or instructions stored thereon, characterized in that, When the computer program or instructions are executed by a processor, they implement the steps of the method according to any one of claims 1 to 8.

12. A computer program product, comprising a computer program or instructions, characterized in that, When the computer program or instructions are executed by a processor, they implement the steps of the method according to any one of claims 1 to 8.