A multi-dimensional content security method and system for an intranet of an enterprise

By constructing a multi-dimensional protection system in the intranet environment of small and medium-sized enterprises (SMEs) that includes semantic obfuscation, text masquerading, national cryptographic encryption, and integrity verification, the problem of poor adaptability of content confidentiality technology in SME intranets is solved. This achieves high concealment and low cost in the entire process of confidentiality protection, adapting to the transmission, storage, and sharing needs of various types of content.

CN122394845APending Publication Date: 2026-07-14朱江

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
朱江
Filing Date
2026-04-02
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In the intranet environment of small and medium-sized enterprises, existing content security technologies have poor adaptability, high cost, insufficient camouflage capabilities, and limited functionality. They cannot achieve full-process, multi-dimensional local protection, and there are risks of data leakage and tampering. Furthermore, there is no sound integrity verification mechanism.

Method used

It adopts a multi-dimensional protection system of semantic obfuscation, text masquerading, national cryptographic encryption and integrity verification. Through semantic obfuscation module, text masquerading module, national cryptographic encryption encapsulation module and decryption verification module, it completes data processing in a closed loop on the enterprise intranet, builds a full-process confidentiality protection system, and is adapted to the technical capabilities and cost requirements of small and medium-sized enterprises.

Benefits of technology

It achieves high-level covert protection of core content within the intranet of small and medium-sized enterprises, reduces the risk of data leakage and tampering, is compatible with existing office systems, requires no professional technical maintenance, has low cost and high compatibility, and adapts to the full-process confidentiality needs of various types of content.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394845A_ABST
    Figure CN122394845A_ABST
Patent Text Reader

Abstract

The application discloses a multi-dimensional content security method and system for an enterprise intranet, belongs to the technical field of information security, and is suitable for a small and medium-sized enterprise closed intranet, low investment, and a non-professional operation scene, and is free of intelligent reasoning and analysis modules. The application builds a local protection system of "confusion - camouflage - encryption - check - adaptation", contains six linkage modules, the modules rely on intranet local channel data transmission, all operations are locally closed loop, and no external network interaction is generated. The scheme firstly confuses core sensitive information to reduce readability, then is disguised as an intranet ordinary document to evade DLP detection, and after SM4 national encryption, realizes intranet offline storage, transmission and sharing. Before decryption, key and integrity double check are performed, if the check is not passed, decryption is refused, and an abnormal prompt is output. The system does not need an independent server, can be integrated with an existing office terminal for lightweight deployment, is suitable for commercial documents, source codes, financial data and other types of confidential content, has good concealment and compatibility, is low in cost, is simple in operation, does not need professional maintenance, can effectively prevent core data leakage and tampering, and has obvious advantages in industrialization and landing.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of information security technology, specifically to a low-cost, easy-to-deploy, and highly camouflage-resistant multi-dimensional content confidentiality method and system adapted to the closed environment of enterprise intranets and geared towards small and medium-sized enterprises. It is applicable to the protection of core assets in all scenarios, such as document transmission within enterprise intranets, core data protection, and confidentiality of source code and commercial documents, without setting up any intelligent reasoning, intelligent analysis, or intelligent auxiliary processing related functional modules.

[0002] (a) Definition of Terms

[0003] The enterprise intranet described in this invention specifically refers to a closed computer network built within an enterprise, accessible only to authorized enterprise terminals, with no external network access, and dedicated to internal office work, data storage, and business processes.

[0004] The semantic obfuscation described in this invention refers to technical means of replacing core sensitive information, inserting meaningless characters, or fragmenting core logic in content through custom rules, thereby compromising the comprehensibility of the content. It is used only for information confidentiality and does not change the original core purpose of the content.

[0005] The text masquerading described in this invention refers to a technical processing method that converts confidential content into a document format commonly used in daily office work on an enterprise intranet and without confidentiality features, thereby circumventing the identification of intranet DLP (Data Loss Prevention) systems and security audit systems.

[0006] The lightweight deployment described in this invention refers to a deployment method that does not require building a separate server or high-configuration hardware, but can be directly integrated into the enterprise's existing office terminals, and can achieve system operation through simple operation.

[0007] The integrity verification mechanism described in this invention refers to a technical mechanism that uses a preset verification algorithm to extract and compare the feature values ​​of confidential content to verify whether the content has been illegally tampered with during transmission, storage, and sharing.

[0008] The national cryptographic encryption encapsulation described in this invention refers to an encryption processing method that uses the SM4 symmetric encryption algorithm recognized by the State Cryptography Administration to encrypt content that has undergone semantic obfuscation and text spoofing, and encapsulates it into a standard format commonly used in enterprise intranets. Background Technology

[0009] Small and medium-sized enterprises (SMEs) generally suffer from low IT investment, lack of professional IT operations and maintenance teams, and weak internal network security capabilities. Their core assets, such as core documents, source code, customer data, operational plans, and financial data, are at high risk of leakage and tampering within the enterprise's internal network environment. Existing enterprise internal network content confidentiality technologies are poorly suited for SMEs and have significant shortcomings.

[0010] 1. Traditional encryption tools only encrypt the entire file, making the encrypted file easily identifiable and intercepted by internal network DLP systems and security audit systems, resulting in poor confidentiality and concealment;

[0011] 2. Code obfuscation and document encryption tools have limited functionality, only covering the confidentiality needs of a single type of content. They have poor adaptability and cannot simultaneously meet the confidentiality requirements of multiple types of content such as text, source code, office documents, and data reports.

[0012] 3. The deployment process of commercial-grade enterprise security systems is complex, and the hardware and annual maintenance costs are high, far exceeding the cost affordability of small and medium-sized enterprises, and the technology implementation threshold is high;

[0013] 4. It lacks an integrated security solution that takes into account intranet transmission adaptation, text spoofing, and semantic obfuscation. Its protection dimensions are limited, and it can only achieve basic encryption, which cannot avoid detection at the source.

[0014] 5. Existing technologies rely heavily on external network resources or cloud computing power, lacking local processing capabilities. Core data is at risk of being leaked during external network transmission, and these technologies cannot meet the needs of small and medium-sized enterprises working on purely internal networks.

[0015] 6. The confidentiality rules are fixed and require manual maintenance by professional technicians. They cannot adapt to the dynamic changes in enterprise intranet office scenarios and security detection systems, and small and medium-sized enterprises are unable to adjust the rules.

[0016] 7. Without a robust integrity verification mechanism, core content is easily tampered with during transmission, storage, and sharing, and the tampered content cannot be quickly and effectively identified, resulting in data distortion.

[0017] 8. After deployment, it requires significant adjustments to the company's existing intranet architecture and office processes, and has poor compatibility with the company's existing OA system, file manager, and storage devices, making it difficult for small and medium-sized enterprises to implement.

[0018] To address the aforementioned shortcomings, this invention proposes a multi-dimensional content confidentiality method and system specifically adapted to the intranet environment of small and medium-sized enterprises (SMEs). Through an integrated design of semantic obfuscation, text masquerading, national cryptographic encryption, integrity verification, and lightweight intranet deployment, it constructs a full-process, multi-dimensional, purely local confidentiality protection system. This achieves localization of core content within the enterprise intranet, eliminates external network dependence, and provides highly concealed protection. At the same time, it is fully adaptable to the technical capabilities and cost control needs of SMEs, fundamentally solving the problems of poor adaptability, complex deployment, high cost, insufficient masquerading, and limited functionality of existing technologies. Summary of the Invention

[0019] (a) Purpose of the invention

[0020] The purpose of this invention is to overcome the shortcomings of existing enterprise intranet security technologies in adapting to small and medium-sized enterprises (SMEs), and to provide a multi-dimensional content security method and system for enterprise intranets. This system achieves integrated protection of core content in the enterprise intranet environment through semantic obfuscation, text masquerading, encryption, and integrity verification, reducing the risk of leakage and tampering of core content within the enterprise intranet. Simultaneously, it achieves lightweight deployment, no external network dependency, high masquerading capability, and high compatibility, requiring no professional technical personnel for maintenance. It perfectly adapts to the usage needs of SME intranets, balancing system compliance, ease of use, and feasibility, providing a low-cost, full-process security protection solution for the core assets of SME intranets.

[0021] (II) Invention Scheme

[0022] This invention proposes a multi-dimensional content confidentiality method and system for enterprise intranets based on a closed-loop technology process of "obfuscation-masking-encryption-verification-adaptation". The core includes six interconnected modules: content acquisition and preprocessing module, semantic obfuscation module, text masking module, national cryptographic encryption and encapsulation module, intranet adaptation and deployment module, and decryption and verification module. These modules form a complete confidentiality protection system of "content acquisition-standardized processing-semantic obfuscation-text masking-national cryptographic encryption-intranet deployment-decryption and verification". All data processing and encryption operations are completed locally on the enterprise intranet in a closed loop, without any external network data interaction. Furthermore, the system does not have intelligent reasoning, intelligent analysis, or intelligent auxiliary processing related functional modules.

[0023] The most fundamental difference between this invention and existing enterprise intranet security technologies is that:

[0024] Existing technologies mostly involve single-file-level encryption or simple format modification, offering limited protection dimensions. Encrypted files have easily identifiable characteristics and poor adaptability and implementation for small and medium-sized enterprises (SMEs). In contrast, this invention constructs a multi-layered protection system from four dimensions: semantics, format, encryption, and deployment. First, it disrupts the understandability of the core content through semantic obfuscation. Then, it transforms confidential content into a harmless format commonly used within the intranet through text masquerading, thus circumventing identification by intranet security detection systems at the source. Finally, it employs the national cryptographic algorithm SM4 for high-strength encryption and encapsulation. Furthermore, it is specifically designed to adapt to the characteristics of SMEs' closed intranets, lack of professional maintenance, and low costs, supporting pure offline deployment and offline transmission, and is compatible with existing enterprise office systems and equipment, achieving a dual improvement in protection security and implementation for SMEs.

[0025] The decryption verification module, serving as the system's security hub, is responsible for maintaining the system's security baseline. It incorporates an integrity verification algorithm and an enterprise-level proprietary authorization system, providing decryption and restoration services only to authorized enterprise terminals. Before decryption, it performs dual verification of the authorization key and content integrity. If verification fails, decryption is directly rejected, and a clear tampering anomaly message is output, ensuring that core content is not accessed or illegally modified without authorization. The semantic obfuscation module, based on a preset sensitive word library and custom mapping rules, accurately obfuscates core sensitive information without altering the original core purpose of the content. The text disguise module is tailored to the intranet office scenarios of small and medium-sized enterprises (SMEs), converting the obfuscated content into a common office format without any classified information. The national cryptographic encryption encapsulation module uses compliant national cryptographic algorithms to meet enterprise data security encryption compliance requirements. The intranet adaptation and deployment module enables lightweight integration of the system into existing enterprise office terminals, requiring no additional hardware or servers. All modules seamlessly connect and coordinate through the enterprise's local intranet data channel, with no external network interaction between modules, constructing a highly concealed, low-cost, and external network-dependent content security system for SMEs.

[0026] This system has no special hardware requirements and can be directly integrated into existing computers, office terminals, and other conventional equipment in enterprises. All operations are adapted to the existing office processes of SMEs' intranets, without the need to adjust the enterprise's existing network architecture and work mode. One-click deployment and simple operation significantly reduce the threshold for use and maintenance costs for enterprises. At the same time, it covers a variety of core content of SMEs' intranets, such as text, source code, office documents, data reports, and financial ledgers, and adapts to the confidentiality requirements of the entire process of transmission, storage, and sharing. It has a strong industrialization capability and scenario adaptability.

[0027] (III) System Structure and Technical Solution

[0028] A multi-dimensional content confidentiality method for enterprise intranets includes the following steps:

[0029] 1. Upon system startup, the decryption and verification module completes initialization, loads the preset integrity verification algorithm and the enterprise's exclusive authorization key, and enters a resident running state without any external network data interaction;

[0030] 2. The content acquisition and preprocessing module is activated to acquire the core content to be protected on the enterprise intranet, complete the format standardization process, and accurately extract the core semantic units and sensitive information identifiers, with no omissions or misjudgments of sensitive information;

[0031] 3. The semantic obfuscation module, based on a preset sensitive word library and custom mapping rules, replaces and obfuscates the extracted core semantic units and sensitive information, inserts meaningless characters, or fragments the core logic, thereby compromising the comprehensibility of the content while preserving the original core purpose of the content.

[0032] 4. The text masquerading module converts the semantically obfuscated content into a harmless document format commonly used within the enterprise intranet, thus avoiding identification by security detection systems such as the intranet DLP system and security audit system;

[0033] 5. The national cryptographic encryption and encapsulation module uses the SM4 national cryptographic algorithm to perform symmetric encryption on the disguised content and encapsulates it into an encrypted encapsulation file in a standard format commonly used in enterprise intranets. The encapsulated file has no special encryption identifier.

[0034] 6. The intranet adaptation and deployment module enables encrypted and packaged files to be transmitted offline within the enterprise intranet, stored locally, and shared with authorized terminals. It is compatible with the enterprise's existing office systems and storage devices, and there is no external network transmission link.

[0035] 7. When an authorized terminal initiates a decryption request, the decryption verification module first verifies the validity of the terminal's exclusive authorization key. After the key verification is successful, an integrity verification is performed. If the verification is successful, the decryption is completed and the original core content is restored. If the verification fails, the decryption is rejected directly and a tampering error message is output.

[0036] 8. All operational data and abnormal information of confidential operations are synchronously stored on the enterprise's intranet local storage device, providing data support for subsequent optimization of system confidentiality protection and forming a purely local closed-loop confidentiality protection system.

[0037] The system of this invention includes:

[0038] 1. Content Acquisition and Preprocessing Module: Connected to the semantic obfuscation module via the enterprise intranet local data channel, it is used to acquire the core content to be protected, complete the format standardization process, and accurately extract the core semantic units and sensitive information identifiers, supporting unified access of multiple types of content;

[0039] 2. Semantic Obfuscation Module: Connected to the content acquisition and preprocessing module and the text disguise module through the local data channel of the enterprise intranet, it obfuscates core sensitive information based on preset rules, destroying the comprehensibility of the content while retaining the original core purpose of the content;

[0040] 3. Text camouflage module: Connects with the semantic obfuscation module and the national cryptographic encryption encapsulation module through the local data channel of the enterprise intranet, converting the obfuscated content into a harmless document format commonly used on the enterprise intranet, thus avoiding identification by the intranet security detection system;

[0041] 4. National Cryptographic Encryption and Packaging Module: Connects with the text masquerading module and intranet adaptation and deployment module through the local data channel of the enterprise intranet. It uses the SM4 national cryptographic algorithm to symmetrically encrypt the masqueraded content and encapsulate it into a standard format file without any special encryption identifier.

[0042] 5. Intranet Adaptation and Deployment Module: Connects with the national cryptographic encryption and encapsulation module and decryption and verification module through the enterprise intranet local data channel to achieve lightweight system deployment and intranet offline transmission, local storage and authorized sharing of encrypted files, compatible with existing office systems;

[0043] 6. Decryption Verification Module: As the system's security hub, it connects to the intranet adaptation and deployment module through the enterprise intranet local data channel to realize authorization key verification, integrity verification, decryption restoration, and anomaly prompts. It only provides decryption services for enterprise authorized terminals.

[0044] (iv) Beneficial effects of the invention

[0045] 1. Designed specifically for the closed intranet environment of small and medium-sized enterprises, it supports pure offline deployment, offline operation, and offline transmission, without any external network dependence. All data processing is completed locally in a closed loop, completely avoiding the risk of leakage during public network transmission, and is fully adapted to the pure intranet office scenarios of small and medium-sized enterprises.

[0046] 2. It constructs multi-layered protection from four dimensions: semantics, format, encryption, and deployment. The text disguise makes the confidential content have no confidentiality features, making it difficult for the internal network DLP system and security audit system to identify and intercept it. It has excellent disguise and concealment, and avoids internal network detection from the root.

[0047] 3. It adopts the SM4 national cryptographic symmetric encryption algorithm recognized by the State Cryptography Administration, which meets the enterprise's data security and encryption compliance requirements, protects the security of core content from the encryption level, and complies with relevant national information security standards;

[0048] 4. No need to set up a separate server or have high-configuration hardware requirements. It can be directly integrated into the existing office terminals of enterprises, with lightweight deployment, one-click operation, and no need for professional technicians to maintain it, which greatly reduces the usage threshold for small and medium-sized enterprises.

[0049] 5. It covers a wide range of core content for SMEs, including text, source code, office documents, data reports, financial ledgers, and human resources information, and adapts to the confidentiality requirements of the entire process of transmission, storage, and sharing, solving the problems of limited functionality and poor adaptability of existing technologies;

[0050] 6. No additional procurement costs such as hardware, servers, annual subscriptions, etc. It can directly reuse the company's existing office equipment and systems. The lightweight design greatly reduces the company's procurement costs and subsequent operation and maintenance costs, and is fully adapted to the low-cost investment needs of small and medium-sized enterprises.

[0051] 7. Built-in integrity verification mechanism and enterprise-level exclusive authorization system provide dual protection against unauthorized access and illegal tampering of core content. Dual verification is performed before decryption to effectively verify the authenticity and integrity of the content. Tampering can be identified and alerted in real time.

[0052] 8. Fully compatible with existing enterprise intranet office systems, storage devices and network architecture, without the need to adjust existing enterprise office processes and network settings, can be quickly put into use after deployment, has strong implementation capabilities, and is suitable for the characteristics of small and medium-sized enterprises without professional IT teams;

[0053] 9. Semantic obfuscation processing preserves the original core purpose of the content throughout the entire process. After decryption, the original content can be completely restored without information loss or distortion. It balances confidentiality and content usability and does not affect the company's daily office use.

[0054] 10. Supports enterprises to customize sensitive word databases, mapping rules and disguise formats according to their own industry and business needs, adapt to the personalized confidentiality needs of different industries and departments, with strong flexibility and adaptability, and simple rule adjustment operation without professional technical capabilities.

[0055] 11. All modules are seamlessly connected through the enterprise intranet local data channel. There is no intermediate caching or risk of data leakage during the data flow process, ensuring data security throughout the entire process. The system is stable, consumes few resources, and does not affect the normal use of the enterprise's existing terminal devices. Attached Figure Description

[0056] Figure 1 This is a schematic diagram of the system structure modules of the present invention.

[0057] Figure 2 This is a schematic diagram of the method flow of the present invention. Detailed Implementation

[0058] (a) Implementation method

[0059] The present invention will be further described in detail below with reference to specific embodiments. A multi-dimensional content confidentiality method and system for enterprise intranets includes:

[0060] 1. Content Acquisition and Preprocessing Module: Connects with the semantic obfuscation module through the local data channel of the enterprise intranet to acquire the core content to be protected on the enterprise intranet, completes the format standardization process and accurately extracts the core semantic units and sensitive information identifiers. It supports unified access of multiple types of content such as text, source code, office documents, and data reports, with no omission or misjudgment of sensitive information.

[0061] 2. Semantic Obfuscation Module: Connected to the content acquisition and preprocessing module and the text disguise module through the local data channel of the enterprise intranet, based on the preset sensitive word library and custom mapping rules, it replaces and obfuscates core sensitive information, inserts meaningless characters or fragments core logic, thereby destroying the comprehensibility of the content while retaining the original core purpose of the content.

[0062] 3. Text Disguise Module: Connects with the semantic obfuscation module and the national cryptographic encryption encapsulation module through the local data channel of the enterprise intranet, converts the obfuscated content into a harmless document format commonly used on the enterprise intranet, adjusts the layout and presentation, and avoids identification by security detection systems such as intranet DLP system and security audit system;

[0063] 4. National Cryptographic Encryption and Packaging Module: Connected to the text camouflage module and intranet adaptation and deployment module through the local data channel of the enterprise intranet, it uses the SM4 national cryptographic symmetric encryption algorithm to perform high-strength encryption on the camouflaged content and encapsulates it into a standard format file for the enterprise intranet. The encapsulated file has no special encryption identifier.

[0064] 5. Intranet Adaptation and Deployment Module: Connects with the national cryptographic encryption and encapsulation module and decryption verification module through the enterprise intranet local data channel to achieve lightweight integration of the system on the enterprise's existing office terminals, complete the intranet offline transmission, local storage and sharing of encrypted files with authorized terminals, and be compatible with the enterprise's existing office systems and storage devices;

[0065] 6. Decryption Verification Module: As the system's security hub, it connects to the intranet adaptation and deployment module through the enterprise's local data channel. It loads a preset integrity verification algorithm and the enterprise's exclusive authorization key, runs resident, and only provides decryption and restoration services for authorized enterprise terminals. It completes dual verification of authorization key and integrity. If the verification fails, it directly refuses decryption and outputs an error message.

[0066] Its workflow is as follows:

[0067] After system startup, the decryption and verification module completes initialization and loads preset rules, entering a resident running state without any external network data interaction. The content acquisition and preprocessing module acquires the core content to be protected within the enterprise intranet, performs format standardization processing on the content, accurately extracts the core semantic units and sensitive information identifiers, and transmits the processed data to the semantic obfuscation module through a local data channel. The semantic obfuscation module, based on a preset sensitive word library and custom mapping rules, replaces and obfuscates the core sensitive information. It can insert meaningless characters or fragment the core logic according to enterprise needs, compromising the comprehensibility of the content. After processing, the content is transmitted to the text disguise module through a local data channel. The text disguise module converts the obfuscated content into a harmless document format commonly used in daily office work within the enterprise intranet, adjusts the layout and presentation to evade identification by the intranet security detection system, and then transmits the content to the national cryptographic encryption and encapsulation module through a local data channel. The national cryptographic encryption and encapsulation module uses the SM4 national cryptographic symmetric encryption algorithm to perform high-strength encryption processing on the disguised content and encapsulates it into a standard format encrypted encapsulation file commonly used within the enterprise intranet. After encapsulation, the content is transmitted through the local data channel. The channel transmits files to the intranet adaptation and deployment module; the intranet adaptation and deployment module enables offline transmission, local storage, and sharing of the encrypted packaged file with authorized terminals within the enterprise intranet, compatible with existing office systems and storage devices, without classified information, and circumvents intranet security system interception; when an authorized terminal needs to use the content, it initiates a decryption request to the decryption verification module. The decryption verification module first verifies the validity of the terminal's exclusive authorization key. After the key verification is successful, it performs integrity verification on the encrypted packaged file using a preset integrity verification algorithm, extracting file feature values ​​and comparing them precisely with preset feature values. If the comparison matches, it confirms that the file has not been illegally tampered with, completes file decryption, and restores the original core content; if the comparison does not match, it confirms that the file has been illegally tampered with, directly rejects the decryption operation, and outputs an abnormal message "The file has been tampered with and cannot be decrypted" to the authorized terminal; unauthorized terminals cannot initiate decryption requests, nor can they identify the true content of the encrypted packaged file. All confidential operation data is synchronously stored on the enterprise intranet local device, forming a complete, purely local closed-loop technical protection system of "acquisition-obfuscation-disguise-encryption-adaptation-decryption-verification".

[0068] The system in this invention processes and verifies confidential content based on four quantifiable and achievable objective standards to ensure protection effectiveness and content usability. All standards are implemented using conventional technical means in the field of information security, making them suitable for the technical implementation capabilities of small and medium-sized enterprises.

[0069] 1. Accuracy of sensitive information identification: It accurately extracts core semantic units and sensitive information identifiers, and has a high accuracy rate in identifying different types of core assets of SMEs, with no omissions or misjudgments of sensitive information;

[0070] 2. Obfuscation of validity: By replacing, inserting, or fragmenting the content in a single or combined manner, the comprehensibility of the core content is effectively destroyed, making it impossible for unauthorized personnel to interpret the core information, without changing the original core purpose of the content;

[0071] 3. Disguise Adaptability: The disguised document format is highly consistent with the daily office documents on the enterprise intranet, with no confidentiality features, which can effectively avoid detection by the intranet DLP system and security audit system, and has a high success rate in avoiding intranet security detection systems;

[0072] 4. Integrity and Consistency: The decrypted data has high integrity, with no information loss, distortion, or tampering.

[0073] Existing intranet security technologies focus only on encryption results, neglecting disguise and localization, making them easily identifiable and posing a risk of data leakage. Furthermore, they are poorly suited for small and medium-sized enterprises (SMEs). This invention, however, constructs a fully localized protection system from semantic obfuscation and text disguise to national cryptographic encryption and local deployment. It does not rely on external network resources, fundamentally reducing the risk of content being identified, stolen, or tampered with. Simultaneously, it balances compliance, low cost, and ease of operation, perfectly meeting the core security needs of SMEs' intranets.

[0074] Each functional module described in this invention can be implemented using computer software programming, hardware circuits, or a combination of software and hardware. The related data processing, semantic obfuscation, encryption operations, and integrity verification processes all conform to conventional technical means in the field of computer information security. Those skilled in the art can implement them according to the description in this specification without the need for excessive experimentation.

[0075] The system's lightweight deployment, local closed-loop processing, and national cryptographic encryption mechanism are all achievable with existing conventional technologies, requiring no special hardware. It possesses strong industrialization capabilities and scenario adaptability, and can be quickly promoted and applied in various small and medium-sized enterprise intranet environments.

[0076] The semantic obfuscation and text spoofing rule configuration described in this invention is implemented using mature lexicon matching, format conversion and rule constraint technologies in the field. It does not rely on complex algorithms or special hardware and belongs to conventional technical means in the field of computer information security. It has the characteristics of simple implementation, stable operation and low resource consumption. Small and medium-sized enterprises can complete the rule adjustment themselves without the support of professional technical personnel.

[0077] (II) Example 1: Enterprise Intranet Business Document Confidentiality Example

[0078] This embodiment uses business documents from the administrative / marketing departments of small and medium-sized enterprises (SMEs) as the confidentiality target. It describes the multi-dimensional content confidentiality process within the enterprise's closed intranet environment. This embodiment uses MD5 as the integrity verification algorithm, adapting to the terminal operation capabilities of SMEs.

[0079] 1. System Initialization: The system starts up and integrates the system of this invention into the ordinary office terminal of the enterprise's administrative department. The decryption and verification module loads the MD5 integrity verification algorithm and the administrative department's exclusive authorization key, completes the initialization and enters the resident running state. There is no external network data interaction. The semantic obfuscation module loads the sensitive word library in the business field and the core information custom mapping rules (including cooperation amount, customer information, service terms, etc.).

[0080] 2. Receiving external instructions / acquiring content: The content acquisition and preprocessing module acquires core business documents such as confidential cooperation plans, customer quotations, and internal operation reports from the enterprise intranet;

[0081] 3. Content preprocessing and sensitive information extraction: The acquired commercial documents are standardized and converted into editable text format. Core semantic units and sensitive information identifiers such as "cooperation amount", "service terms", "customer core information" and "operational data indicators" are accurately extracted, with no sensitive information omitted.

[0082] 4. Semantic Obfuscation: The semantic obfuscation module, based on a preset sensitive word library for the business domain and custom mapping rules, replaces the extracted core sensitive keywords with non-sensitive general terms. At the same time, it randomly inserts meaningless auxiliary characters into the document, fragmenting the description of the core business logic, destroying the comprehensibility of the document, and retaining the original office purpose of the document.

[0083] 5. Text camouflage processing: The text camouflage module converts the semantically obfuscated document into the enterprise's "daily work record" format, and adjusts the layout, font and paragraph format according to the enterprise's intranet office note specifications to avoid identification by the intranet DLP system and security audit system;

[0084] 6. National Cryptographic Encryption and Packaging: The national cryptographic encryption and packaging module uses the SM4 national cryptographic algorithm to perform symmetric encryption on the disguised daily work records and package them into a PDF format encrypted package file that is universally used on the enterprise intranet. After packaging, the file has no special encryption identifier and is consistent with ordinary office PDF files.

[0085] 7. Intranet Transmission and Storage: The intranet adaptation deployment module transmits encrypted PDF files to the enterprise intranet file server for local storage via the enterprise intranet local area network. The files can be shared among authorized terminals in the enterprise's administrative departments, avoiding interception by the intranet DLP system and security audit system.

[0086] 8. Decryption Request and Key Verification: When an authorized office terminal of the enterprise's administrative department initiates a decryption request, the decryption verification module first verifies the validity of the terminal's exclusive authorization key. Only terminals that pass the key verification can proceed to the next step of verification.

[0087] 9. Integrity Verification and Decryption Restoration: The decryption verification module uses the MD5 algorithm to verify the integrity of the encrypted file. It extracts the file's feature value and compares it precisely with the preset feature value. If the comparison matches, it confirms that the file has not been tampered with, completes the decryption, and restores the original business document. If the comparison does not match, it immediately outputs an error message "The file has been tampered with and cannot be decrypted," and refuses to decrypt.

[0088] 10. Model / Data Update: Synchronize and store the operational data, sensitive information identification results, and operation logs related to the confidentiality of this business document to the local storage device on the enterprise intranet, providing data support for the subsequent optimization of confidentiality rules in the business field and completing pure local closed-loop protection.

[0089] (III) Example 2: Enterprise Intranet Source Code Confidentiality Example

[0090] This embodiment uses the source code of a small or medium-sized enterprise's R&D department as the object of confidentiality. Within the enterprise's closed intranet environment, it illustrates the multi-dimensional content confidentiality process of the system. This embodiment employs SHA256 as the integrity verification algorithm to enhance the confidentiality and security of the source code.

[0091] 1. System initialization: The system starts up and integrates the system of this invention into the ordinary R&D terminal of the enterprise R&D department. The decryption and verification module loads the SHA256 integrity verification algorithm and the R&D department's exclusive authorization key, completes the initialization and enters the resident running state. There is no external network data interaction. The semantic obfuscation module loads the code domain sensitive information identification rules and the function name / variable name custom mapping rules.

[0092] 2. Receiving external instructions / acquiring content: The content acquisition and preprocessing module acquires confidential program files such as self-developed algorithm code, business scripts, and core function source code through the enterprise intranet;

[0093] 3. Content preprocessing and sensitive information extraction: The obtained source code files are standardized in terms of format, code indentation and comment format are unified, and core semantic units and sensitive information identifiers such as core function names, variable names, core logic comments, and key algorithm parameters are accurately extracted, with no sensitive information omitted;

[0094] 4. Semantic Obfuscation: The semantic obfuscation module, based on preset code domain sensitive information identification rules and custom mapping rules, replaces core function names and variable names with meaningless combinations of Chinese characters, deletes redundant comments in the source code and randomly inserts meaningless comment characters, fragments and reassembles the code segments of the core algorithm logic, destroys the readability and compileability of the source code, and retains the original running logic of the source code.

[0095] 5. Text camouflage processing: The text camouflage module converts the semantically obfuscated source code content into the enterprise's "Computer Technology Learning Notes" format and saves it as a TXT text file that is universally used on the enterprise intranet, thus avoiding the intranet DLP system's feature recognition of the code file;

[0096] 6. National Cryptographic Encryption and Packaging: The national cryptographic encryption and packaging module uses the SM4 national cryptographic algorithm to perform symmetric encryption on the disguised technical learning notes and package them into a TXT format encrypted package file that is commonly used on the enterprise intranet. After packaging, the file has no special encryption identifier and is consistent with ordinary learning note TXT files.

[0097] 7. Intranet Storage and Sharing: The intranet adaptation and deployment module stores the encrypted TXT files on a dedicated intranet server in the enterprise's R&D department. Only authorized R&D terminals in the enterprise's R&D department can access this server. Files can be shared among authorized terminals in the R&D department through the enterprise intranet. Unauthorized terminals cannot access the files and cannot recognize their contents.

[0098] 8. Decryption Request and Key Verification: The enterprise's R&D department authorizes the R&D terminal to initiate a decryption request. The decryption verification module first verifies the validity of the terminal's exclusive authorization key. Only terminals that pass the key verification can proceed to the next step of verification.

[0099] 9. Integrity Verification and Decryption Restoration: The decryption verification module uses the SHA256 algorithm to perform integrity verification on the encrypted file. It extracts the file's feature value and compares it precisely with the preset feature value. If the comparison matches, it confirms that the file has not been tampered with, completes decryption, and restores the original source code file. If the comparison does not match, it immediately outputs an error message "The file has been tampered with and cannot be decrypted," and refuses to decrypt.

[0100] 10. Model / Data Update: Synchronize and store the confidential running data, sensitive information identification results, and operation logs of this source code to the enterprise's local storage device, providing data support for subsequent optimization of code domain confidentiality rules and completing pure local closed-loop protection.

[0101] (iv) Example 3: Example of Confidential Financial Data on Enterprise Intranet

[0102] This embodiment focuses on the core financial data of small and medium-sized enterprises (SMEs) and describes the multi-dimensional content confidentiality process within the enterprise's closed intranet environment. This embodiment uses MD5 as the integrity verification algorithm, adapted to the operational capabilities of SME financial terminals.

[0103] 1. System Initialization: The system starts up and integrates the system of this invention into the ordinary office terminal of the enterprise's finance department. The decryption and verification module loads the MD5 integrity verification algorithm and the finance department's exclusive authorization key, completes the initialization and enters the resident running state. There is no external network data interaction. The semantic obfuscation module loads the sensitive word library in the financial field and the core information custom mapping rules (including fund amount, customers, tax data, etc.).

[0104] 2. Receiving external instructions / acquiring content: The content acquisition and preprocessing module acquires core financial data that the company needs to keep confidential, such as financial statements, cash flow statements, cost accounting statements, and tax returns, through the company's intranet;

[0105] 3. Content preprocessing and sensitive information extraction: The acquired financial data is standardized and converted into an editable table format. Core semantic units and sensitive information identifiers such as "fund amount", "customer name", "tax declaration data" and "cost accounting indicators" are accurately extracted, with no sensitive information omitted.

[0106] 4. Semantic Obfuscation Processing: The semantic obfuscation module, based on a preset financial domain sensitive word library and custom mapping rules, replaces the extracted core sensitive values ​​with fuzzy identifiers and core customer names with general codes. At the same time, it randomly inserts meaningless auxiliary rows into the table to fragment the description of the core financial logic, thereby destroying the understandability of the financial data while retaining the original statistical purpose of the financial data.

[0107] 5. Text camouflage processing: The text camouflage module converts the semantically obfuscated financial data into the enterprise's "expense reimbursement record ledger" format, and adjusts the table layout and project names according to the enterprise's intranet financial office specifications to avoid identification by the intranet DLP system and security audit system;

[0108] 6. National Cryptographic Encryption and Packaging: The national cryptographic encryption and packaging module uses the SM4 national cryptographic algorithm to perform symmetric encryption on the disguised expense reimbursement record ledger and encapsulate it into an encrypted packaged file in Excel format commonly used on the enterprise intranet. The packaged file has no special encryption identifier and is consistent with ordinary financial ledger Excel files.

[0109] 7. Intranet Transmission and Storage: The intranet adaptation deployment module transmits the encrypted Excel file to the enterprise's dedicated intranet server for local storage via the enterprise's intranet local area network. The file can be shared among authorized terminals in the enterprise's finance department, avoiding interception by the intranet DLP system and security audit system.

[0110] 8. Decryption Request and Key Verification: When an authorized office terminal of the enterprise's finance department initiates a decryption request, the decryption verification module first verifies the validity of the terminal's exclusive authorization key. Only terminals that pass the key verification can proceed to the next step of verification.

[0111] 9. Integrity Verification and Decryption Restoration: The decryption verification module uses the MD5 algorithm to verify the integrity of the encrypted file. It extracts the file's feature value and compares it precisely with the preset feature value. If the comparison matches, it confirms that the file has not been tampered with, completes the decryption, and restores the original financial data. If the comparison does not match, it immediately outputs an abnormal message "The file has been tampered with and cannot be decrypted," and refuses to decrypt.

[0112] 10. Model / Data Update: Synchronize and store the operational data, sensitive information identification results, and operation logs related to the confidentiality of this financial data to the local storage device on the enterprise intranet. This will provide data support for the subsequent optimization of confidentiality rules in the financial field and complete the pure local closed-loop protection.

[0113] (V) Application Scenarios Examples

[0114] This system, relying on its core characteristics of lightweight deployment, no external network dependency, high camouflage, multi-dimensional protection, and low cost, can be widely applied to various core content confidentiality scenarios within the intranets of small and medium-sized enterprises in various industries. It is adaptable to the confidentiality needs of different departments and different types of content, requires no professional IT team, and can be quickly implemented. The following are typical application scenarios:

[0115] 1. Business document confidentiality scenarios for enterprise administration / marketing departments: Applicable to the confidentiality protection of business documents such as cooperation plans, customer quotations, operational reports, market research data, and core customer information for SMEs. The system disguises business documents as common formats such as daily work records and office ledgers, hides core business data through semantic obfuscation, and stores and shares them on the intranet after encryption with national cryptographic standards. Only authorized terminals can decrypt and restore them, effectively preventing the leakage of trade secrets and meeting the core data confidentiality needs of SMEs in the process of market expansion;

[0116] 2. Confidentiality of Source Code / Technical Documentation in Enterprise R&D Departments: Suitable for protecting the confidentiality of technical assets such as self-developed algorithm code, core function scripts, technical solutions, patent documents, and R&D data of SMEs. The system disguises the source code as technical learning notes, equipment operation and maintenance logs, etc., and fragments the core code logic to prevent the source code from being illegally stolen and compiled, thus safeguarding the core technological competitiveness of SMEs and meeting the confidentiality needs of technology-based SMEs.

[0117] 3. Financial Data Confidentiality Scenarios for Enterprise Finance Departments: Applicable to the confidentiality protection of core financial data such as financial statements, cash flow records, tax data, cost accounting, and customer ledgers for SMEs. The system disguises financial data documents as expense reimbursement records, financial work ledgers, etc., using semantic obfuscation to hide core financial indicators and fund information. After encryption with national cryptographic standards, it is stored on a dedicated server on the intranet, accessible and decrypted only by authorized financial terminals, ensuring the security of financial data for SMEs and mitigating the risk of financial information leakage.

[0118] 4. Core Information Confidentiality Scenarios for Enterprise Human Resources Departments: Applicable to the confidentiality protection of core human resources information such as employee files, salary systems, performance appraisals, talent planning, and employee contact information in small and medium-sized enterprises. The system disguises relevant documents as daily human resources work records, employee training notes, etc., using semantic obfuscation to hide core sensitive information, achieving local confidential storage on the intranet, preventing the leakage of human resources information, and adapting to the personnel management data confidentiality needs of small and medium-sized enterprises;

[0119] 5. Production Data Confidentiality Scenario for Enterprise Production Departments: Applicable to the confidentiality protection of core production data such as production processes, capacity data, quality inspection reports, production plans, and material procurement ledgers for SMEs. The system disguises production data documents as production operation and maintenance logs, equipment inspection records, and other formats, adapting to the intranet office scenario of the production department, achieving offline confidentiality protection of production data within the intranet, ensuring the security of production and operation data for SMEs, and meeting the production data confidentiality needs of manufacturing SMEs.

[0120] The above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention in any way. Any modifications, equivalent substitutions, improvements, etc., made within the principles and logic of the present invention, regardless of the file format or storage form used, shall fall within the protection scope of the present invention as long as they do not depart from the core technical solution of the present invention.

Claims

1. A multi-dimensional content security system for enterprise intranets, characterized in that, It includes a content acquisition and preprocessing module, a semantic obfuscation module, a text masquerading module, a national cryptographic encryption and encapsulation module, an intranet adaptation and deployment module, and a decryption and verification module; the content acquisition and preprocessing module is used to acquire the core content to be protected and accurately extract the core semantic units and sensitive information identifiers; The semantic obfuscation module is used to replace and obfuscate core sensitive information, insert meaningless characters, or fragment core logic based on preset rules, thereby compromising the comprehensibility of the content while retaining its original core purpose. The text camouflage module is used to convert the obfuscated content into a harmless document format commonly used within the enterprise intranet, avoiding identification by the intranet DLP system and security audit system. The national cryptographic encryption and encapsulation module is used to encrypt the camouflaged content using the SM4 national cryptographic symmetric encryption algorithm and encapsulate it into a standard format file without special encryption identifiers. The intranet adaptation and deployment module is used to achieve lightweight system deployment and intranet offline transmission, local storage, and authorized sharing of encrypted files. The decryption and verification module is used to complete authorized key verification, integrity verification, decryption restoration, and anomaly alerts, and only provides decryption services for enterprise authorized terminals. Each module is seamlessly connected and operates collaboratively through the enterprise intranet local data channel, forming a full-process, purely local closed-loop enterprise intranet content confidentiality system of "content acquisition - semantic obfuscation - text masquerading - national cryptographic encryption - intranet adaptation - decryption - integrity verification". The system adopts a lightweight deployment mechanism and can be directly integrated into the enterprise's existing office terminals without any external network dependence. All data processing and encryption operations are completed locally in a closed loop within the enterprise intranet, and the system does not have intelligent reasoning, intelligent analysis, or intelligent auxiliary processing related function modules.

2. The system according to claim 1, characterized in that, The decryption verification module is the security hub of the system. It loads a preset integrity verification algorithm and an enterprise-specific authorization key, runs resident, and realizes status assessment and overall scheduling of decryption permissions. If the key verification fails, the decryption request is directly rejected. If the integrity verification fails, a tampering exception message is output, thus restricting unauthorized access and illegal tampering behavior from a mechanism perspective.

3. The system according to claim 1, characterized in that, The content acquisition and preprocessing module supports the acquisition of various types of core content from SME intranets, such as text, source code, office documents, data reports, financial ledgers, and human resources information. It completes format standardization processing, accurately extracts core semantic units and sensitive information identifiers, provides precise targeting for semantic obfuscation, and ensures no sensitive information is missed or misjudged.

4. The system according to claim 1, characterized in that, The semantic obfuscation module has a built-in preset sensitive word library and custom mapping rules, which allows enterprises to configure and update rules independently according to industry and business needs. The obfuscation process retains the original core purpose of the content throughout the process, and the original content can be completely restored after decryption without information loss or distortion.

5. The system according to claim 4, characterized in that, After the semantic obfuscation module completes the obfuscation process, the processed content is automatically transmitted to the text disguise module through the local data channel of the enterprise intranet, achieving a seamless connection between obfuscation and disguise. The data flow has no intermediate cache, ensuring that the core content is always in a protected state and avoiding leakage in the intermediate links.

6. The system according to claim 1, characterized in that, The text camouflage module is used to convert obfuscated content into harmless document formats commonly used on the enterprise intranet, such as daily work notes, industry-standard reports, equipment maintenance logs, office records, and expense reimbursement ledgers. The layout and presentation are adjusted according to intranet office standards, with no confidentiality features, effectively avoiding identification and interception by intranet DLP systems and security audit systems.

7. The system according to claim 1, characterized in that, The text camouflage module provides an open interface for custom camouflage formats, allowing enterprises to choose their own camouflage format based on their internal network office scenarios and industry characteristics. This adapts to the personalized confidentiality needs of different departments and scenarios, and the camouflage adaptability can be adjusted to suit different internal network security detection environments. Furthermore, the format adjustment operation does not require the support of professional technicians.

8. The system according to claim 1, characterized in that, The national cryptographic encryption and encapsulation module adopts the SM4 national cryptographic symmetric encryption algorithm recognized by the State Cryptography Administration as the sole algorithm channel for encrypting core content. The entire encryption process is completed locally on the enterprise intranet. The disguised content is not directly transmitted to the intranet. It must be encrypted with national cryptographic encryption and encapsulated in a standard format before it can be transmitted to the intranet adaptation and deployment module through the local data channel.

9. The system according to claim 8, characterized in that, The national cryptographic encryption and encapsulation module encapsulates the encrypted content into standard enterprise intranet formats such as PDF, TXT, and Excel. The encapsulated files have no special encryption identifiers and are highly consistent with ordinary office documents on the intranet, further enhancing confidentiality and concealment.

10. The system according to claim 1, characterized in that, The system supports lightweight cold start and rapid deployment. It does not require a separate server or high-configuration hardware. It can be directly integrated into existing enterprise computers, office terminals and other conventional equipment. The system can be initialized and run with one click and requires no professional technicians for maintenance.

11. The system according to claim 1, characterized in that, All semantic obfuscation, text spoofing, encryption encapsulation, decryption and verification operations are completed locally within the enterprise intranet in a closed loop, without relying on external network resources, cloud computing power or interfaces. The entire data flow is based on the local data channel of the enterprise intranet, avoiding the risk of leakage of core content during transmission over the public network.

12. The system according to claim 1, characterized in that, The system can be deployed on various office terminals and dedicated servers within an enterprise intranet, and can be implemented based on the existing computer information security technology architecture. The intranet adaptation and deployment module is compatible with mainstream operating systems such as Windows and Linux, and can seamlessly connect with the enterprise's existing OA system, file manager, and intranet sharing system without adjusting the enterprise's existing intranet architecture and office processes.

13. A multi-dimensional content confidentiality method for enterprise intranets, characterized in that, Includes the following steps: Upon system startup, the decryption and verification module preloads a preset integrity verification algorithm and the enterprise's exclusive authorization key, completes initialization, and enters a resident running state without external network data interaction. The content acquisition and preprocessing module acquires the core content to be protected within the enterprise's intranet, completes format standardization processing, and accurately extracts core semantic units and sensitive information identifiers. The semantic obfuscation module, based on a preset sensitive word library and custom mapping rules, replaces and obfuscates core sensitive information, inserts meaningless characters, or fragments core logic, thereby compromising the comprehensibility of the content while retaining its original core purpose. The text disguise module converts the obfuscated content into a harmless document format commonly used within the enterprise's intranet, circumventing identification by the intranet's DLP system and security audit system. The national cryptographic encryption and encapsulation module uses the SM4 national cryptographic symmetric encryption algorithm to encrypt the disguised content and encapsulates it into an encrypted encapsulation file in a standard format commonly used within the enterprise's intranet without any special encryption identifiers. The intranet adaptation and deployment module enables encrypted and packaged files to be transmitted offline, stored locally, and shared with authorized users within the enterprise intranet. After an authorized terminal initiates a decryption request, the decryption verification module first verifies the validity of the exclusive authorization key. If the key verification is successful, an integrity verification is performed. If the verification is successful, the original core content is decrypted and restored. If the verification fails, decryption is rejected and a tampering error message is output. All confidential operation data is synchronously stored on the local device within the enterprise intranet, and the returned content retrieval steps form a local closed-loop iteration. This method adopts a lightweight deployment mechanism with no external network dependency. All operations are completed locally within the enterprise intranet, without intelligent reasoning, intelligent analysis, or intelligent auxiliary processing steps, and is compatible with the enterprise's existing office systems and processes.

14. The method according to claim 13, characterized in that, The content acquisition and preprocessing module achieves accurate extraction of core semantic units and sensitive information identifiers through standardized recognition rules. At the same time, it monitors the compatibility of content formats, automatically completes format standardization processing, avoids processing deviations caused by different formats, and ensures the effectiveness of subsequent obfuscation and disguise operations, with no omissions or misjudgments in sensitive information identification.

15. The method according to claim 13, characterized in that, The semantic obfuscation module achieves obfuscation of core sensitive information through single or combined methods such as replacement obfuscation, insertion of meaningless characters, and fragmentation of core logic, effectively disrupting the comprehensibility of the content. At the same time, it optimizes the obfuscation rule matching logic to ensure that the original core purpose of the content is not changed, and the original content can be completely restored after decryption.

16. The method according to claim 13, characterized in that, The decryption verification adopts a dual verification rule of authorized key verification + integrity verification. If the key verification fails, the decryption request will be rejected directly. If the integrity verification fails, the decryption will be forcibly terminated and a clear tampering error message will be output. Decryption and restoration can only be completed after both verifications are successful. The verification process simultaneously verifies the authenticity and integrity of the content, and refuses to decrypt content that has been illegally tampered with, so as to ensure the security of core content.

17. The method according to claim 13, characterized in that, The integrity verification algorithm can be a conventional verification algorithm such as MD5 or SHA256, which is compatible with the operating capabilities of the enterprise's existing office terminals. It can be selected independently according to the enterprise's confidentiality needs. The algorithm loading and switching operations are simple and do not require the support of professional technicians.

18. The method according to claim 13, characterized in that, All data transfers between modules are completed through the enterprise's local intranet data channel, without intermediate caching. Data transmission is real-time and lossless, ensuring data security throughout the entire process and without affecting the normal operation of the enterprise's existing terminal equipment.