An internet of things device access authentication method and system for a smart campus
By constructing a fingerprint-driven graph and dynamic trust assessment, the system identifies the risk of identity drift in IoT devices in smart campuses, dynamically allocates authentication tasks, and monitors unauthorized access. This solves the problems of dynamic consistency and resource optimization in IoT device access authentication in smart campuses, and enables precise handling of abnormal terminals and business continuity.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- ZHANGJIAJIE INST OF AERONAUTICAL ENG
- Filing Date
- 2026-03-24
- Publication Date
- 2026-06-05
AI Technical Summary
The access authentication scheme for IoT devices in smart campuses lacks the ability to continuously assess the dynamic consistency of identity characteristics and communication behavior during terminal operation, making it difficult to detect illegal devices in a timely manner. Furthermore, the allocation of authentication resources is not differentiated enough, affecting the continuity of normal terminal services and the efficiency of abnormal handling and response.
By constructing a fingerprint-driven graph, the risk of terminal identity drift is identified, and identity recognition topology reorganization is implemented to generate a distribution map of high-risk terminals. Combined with token lifecycle analysis and trust decay processing, authentication tasks are dynamically allocated and decomposed into core sequences and auxiliary sequences. Unauthorized access anomalies are monitored and seamless takeover authentication is performed.
It achieves closed-loop management of the entire process of IoT terminal access authentication, improves the ability to detect counterfeiting and identity credential reuse, avoids the ineffective consumption of authentication resources, and ensures the continuity of normal business and accurate permission correction of abnormal terminals.
Smart Images

Figure CN122160151A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of network security and Internet of Things (IoT) technology, and in particular to an IoT device access authentication method and system for smart campuses. Background Technology
[0002] In smart campus scenarios, a large number of heterogeneous IoT terminals are deployed, covering various types of devices such as access control, environmental monitoring, and multimedia teaching. These terminals are continuously online and their access behaviors are complex. Traditional access authentication schemes rely on static identity credentials, performing only one-time identity verification when a terminal first connects. They lack the ability to continuously assess the dynamic consistency between identity characteristics and communication behavior during terminal operation. When a terminal is counterfeited or its credentials are illegally reused, existing schemes struggle to detect these deviations in a timely manner from the perspective of behavioral pattern deviations. This results in unauthorized devices remaining outside the scope of security control for extended periods after obtaining initial credentials.
[0003] At the level of authentication resource scheduling and anomaly response, existing solutions employ a uniform authentication strength strategy for all terminals, failing to differentiate authentication tasks based on the real-time trust status of each terminal. This results in the ineffective consumption of authentication resources on low-risk terminals. Furthermore, when terminals exhibit abnormal behavior such as unauthorized access, existing solutions lack a response mechanism that combines abnormal signals with dynamic switching of the authentication link. This makes it impossible to accurately correct permissions and take over authentication for abnormal terminals while ensuring the continuity of normal terminal services, leading to delayed anomaly handling responses and difficulty in effectively controlling the scope of impact. Summary of the Invention
[0004] This invention discloses an IoT device access authentication method and system for smart campuses. It aims to construct a dynamic graph by continuously collecting terminal identity features and communication behavior data, identifying identity drift risks and quantifying trust decay to define effective access coverage. Token lifecycle analysis is performed on terminals within the coverage area, and authentication tasks are allocated differentially based on confidence levels. The authentication task is broken down into core sequences and auxiliary sequences, with hot standby node configuration and unauthorized access anomaly monitoring implemented separately. Upon detecting distortion signals, the system dynamically determines to take over the authentication link and completes seamless authentication continuity, achieving closed-loop control over the entire IoT terminal access authentication process.
[0005] The first aspect of this invention proposes a method for authenticating IoT device access in smart campuses, comprising the following steps: Collect device fingerprint data and behavioral traffic signals from IoT terminals, construct a fingerprint driving map based on the device fingerprint data and the behavioral traffic signals, and generate a counterfeiting risk identifier from the fingerprint driving map by identifying fingerprint drift features. Based on the fingerprint-driven graph, an identity recognition topology reorganization is performed to generate a high-risk terminal distribution map. Based on the high-risk terminal distribution map and the spoofing risk identifier, a trust decay analysis is performed to construct an effective access coverage area. Token lifecycle analysis is performed on the effective access coverage area to extract authentication confidence identifiers and token time window constraints. Based on the authentication confidence identifiers and the effective access coverage area, permission interval mapping is performed to generate an authentication task allocation strategy. The authentication task allocation strategy is decomposed into a core authentication sequence and an auxiliary authentication sequence. Elastic access capacity analysis is performed on the auxiliary authentication sequence to form a hot standby authentication node cluster. Unauthorized access anomaly monitoring is performed on the core authentication sequence, and distortion signals are obtained by combining the token time window constraint. Based on the distorted signal, the permission correction parameters are extracted, and the permission correction parameters are matched with the hot standby authentication node cluster to determine the takeover authentication link. The takeover authentication link is then seamlessly connected with the core authentication sequence to output the access authentication command.
[0006] A second aspect of this invention proposes an IoT device access authentication system for smart campuses, comprising: The graph construction module is used to collect device fingerprint data and behavioral traffic signals of IoT terminals, construct a fingerprint-driven graph based on the device fingerprint data and behavioral traffic signals, and identify fingerprint drift features from the fingerprint-driven graph to generate a counterfeiting risk identifier. The coverage access module is used to perform identity recognition topology reorganization based on the fingerprint-driven map to generate a high-risk terminal distribution map, and to perform trust decay analysis based on the high-risk terminal distribution map and the spoofing risk identifier to construct an effective access coverage domain. The strategy generation module is used to perform token lifecycle analysis on the effective access coverage area to extract authentication confidence identifiers and token time window constraints, and generate authentication task allocation strategies based on the authentication confidence identifiers combined with the effective access coverage area by performing permission interval mapping. The node construction module is used to decompose the authentication task allocation strategy into a core authentication sequence and an auxiliary authentication sequence, perform elastic access capacity analysis on the auxiliary authentication sequence to form a hot standby authentication node cluster, and perform unauthorized access anomaly monitoring on the core authentication sequence in combination with the token time window constraint to obtain distortion signals. The instruction output module is used to extract permission correction parameters based on the distorted signal, perform deviation compensation matching between the permission correction parameters and the hot standby authentication node cluster to determine the takeover authentication link, and seamlessly connect the takeover authentication link with the core authentication sequence to output access authentication instructions.
[0007] The beneficial effects of this invention are reflected in the following points: First, by continuously collecting terminal identity features and communication behavior data to construct a dynamic correlation graph, the drift and changes of terminal identity features are identified from the graph, and a counterfeiting risk identifier is generated. Combined with physical area boundary division and inter-area risk propagation intensity analysis, differentiated trust attenuation is implemented for each terminal within the coverage area, dynamically determining the effective access coverage range. This realizes the transformation from single-point static identity verification to continuous dynamic trust assessment, improving the ability to detect attacks such as counterfeiting replacement and identity credential reuse. Second, the token request behavior of terminals within the effective access coverage area is analyzed for lifecycle and frequency characteristics. The remaining lifecycle of the token and the frequency fluctuation status are jointly evaluated to generate a confidence score. Based on the confidence score difference, authentication strength and token time window constraints that match the risk status of each terminal are assigned, avoiding the ineffective consumption of authentication resources by a unified authentication strategy, and keeping the authentication processing strength dynamically consistent with the actual risk level of the terminal. Finally, by breaking down the authentication task into a core sequence and an auxiliary sequence, hot standby authentication nodes are configured for the auxiliary sequence based on topological proximity and elastic capacity. For the core sequence, unauthorized access behavior is continuously monitored and source jump anomalies are extracted to generate distortion signals. After detecting the distortion signal, permission correction parameters are extracted and matched with the hot standby node for deviation compensation. The takeover authentication link is dynamically determined and the takeover link is seamlessly connected with the core authentication sequence to output authentication instructions. Under the premise of ensuring the continuity of normal terminal services, accurate permission correction and authentication takeover of abnormal terminals are achieved. Attached Figure Description
[0008] Figure 1 This is a flowchart illustrating an IoT device access authentication method for smart campuses according to the present invention.
[0009] Figure 2 This is a structural block diagram of an IoT device access authentication system for smart campuses according to the present invention. Detailed Implementation
[0010] In the following description, specific details such as particular system architectures and techniques are set forth for illustrative purposes and not for limitation, in order to provide a thorough understanding of the embodiments of this application. However, those skilled in the art will understand that this application may also be implemented in other embodiments without these specific details. In other instances, detailed descriptions of well-known systems, apparatuses, circuits, and methods have been omitted so as not to obscure the description of this application with unnecessary detail.
[0011] It should be understood that, when used in this application specification and the appended claims, the term "comprising" indicates the presence of the described features, integrals, steps, operations, elements and / or components, but does not exclude the presence or addition of one or more other features, integrals, steps, operations, elements, components and / or a collection thereof.
[0012] As used in this application specification and the appended claims, the term "if" may be interpreted, depending on the context, as "when," "once," "in response to determination," or "in response to detection." Similarly, the phrases "if determined" or "if detected [the described condition or event]" may be interpreted, depending on the context, as meaning "once determined," "in response to determination," "once detected [the described condition or event]," or "in response to detection [the described condition or event]."
[0013] Furthermore, in the description of this application and the appended claims, the terms "first," "second," "third," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.
[0014] References to "one embodiment" or "some embodiments" as described in this specification mean that one or more embodiments of this application include a specific feature, structure, or characteristic described in connection with that embodiment. Therefore, the phrases "in one embodiment," "in some embodiments," "in other embodiments," "in still other embodiments," etc., appearing in different parts of this specification do not necessarily refer to the same embodiment, but rather mean "one or more, but not all, embodiments," unless otherwise specifically emphasized. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless otherwise specifically emphasized.
[0015] The technical solutions of the embodiments of this application will be described below.
[0016] like Figure 1 As shown, this embodiment of the invention provides an IoT device access authentication method for smart campuses, including the following steps S110-S150: Step S110: Collect device fingerprint data and behavioral traffic signals of IoT terminals, construct a fingerprint driving map based on the device fingerprint data and behavioral traffic signals, and generate a counterfeit risk identifier by identifying fingerprint drift features from the fingerprint driving map.
[0017] Specifically, the system collects device fingerprint data and behavioral traffic signals from IoT terminals. The passive acquisition module extracts device fingerprint data from the protocol interactions during network access, including five static attributes: MAC address, operating system type, open port combination, protocol stack response characteristics, and hardware signature. The operating system type is inferred from the TTL value and window size of the TCP / IP protocol stack. Smart cameras typically open port 554 (RTSP streaming media) and port 80 (Web management interface), and the port combination constitutes a typical fingerprint of this type of terminal. Industrial gateways typically open port 502 (Modbus) and port 102 (S7 communication protocol), and the port combinations differ significantly between different types of terminals. Behavioral traffic signals are collected via bypass mirroring with a sampling interval of 1 second. Each sampling extracts three statistics within that interval: the number of data packets, the total number of bytes, and the protocol distribution, covering both uplink and downlink bidirectional traffic of the terminal. The protocol distribution records the proportion of each protocol layer. For example, the MQTT protocol typically accounts for over 90% of the uplink traffic of a temperature and humidity sensor; deviations from this proportion indicate an abnormal communication mode. Both device fingerprint data and behavioral traffic signals are timestamped with a 1ms accuracy. The two data streams are synchronized after being aligned using a unified timestamp, and resampling is triggered when the alignment error exceeds 5ms. If a terminal goes offline during behavioral traffic signal acquisition, resulting in no data for three consecutive sampling intervals, the corresponding time period is marked as traffic missing. Missing segments are not included in subsequent map construction. The corresponding device fingerprint data records are retained but marked with a missing label. Records with missing labels are not included in the fingerprint baseline statistics for the same type of device when filling map node attributes, to avoid data contamination of baseline calculation results during traffic missing periods.
[0018] A fingerprint-driven graph is constructed based on device fingerprint data and behavioral traffic signals. The graph uses terminal devices as nodes, with node attributes filled by five static attributes from the device fingerprint data. Each node corresponds to a unique terminal identifier, generated by concatenating the physical access point identifier and the first access timestamp to ensure global uniqueness. The physical access point identifier is jointly determined by the switch port number and VLAN identifier. The MAC address is written as a variable attribute of the node into the persistent attribute layer to support subsequent hop detection. Hardware signatures and protocol stack response features from the device fingerprint data are synchronously written into the node's persistent attribute layer. Directed edges between nodes are determined by the communication relationships detected in the behavioral traffic signals. A directed edge is established when two terminals directly exchange data packets within the sampling window. The edge weight is obtained by normalizing the product of communication frequency and byte size. The normalization denominator is the maximum value of the product of all edges in the current graph. A larger weight indicates denser communication between the two terminals. The edge weight between the smart gateway and multiple sensor nodes is usually much higher than the edge weight between sensor nodes themselves, reflecting the gateway's converged communication characteristics. The number of nodes in the fingerprint-driven graph dynamically expands with the number of connected terminals. The edge set is updated in real time with behavioral traffic signals, with the update cycle consistent with the sampling interval of 1 second. Edges with no communication for extended periods undergo exponential decay, with a decay coefficient set to 0.95 per minute. When the weight decays to below 0.01, the corresponding edge is removed from the graph. Isolated nodes in the graph represent terminals with only static fingerprint records but no communication behavior, such as temperature and humidity sensors that have just connected to the network but have not initiated any requests. The fingerprint-driven graph includes a global version timestamp. Historical snapshots are stored in a sliding window, retaining records from the most recent 24 hours at a 5-minute interval. Snapshots exceeding the window are archived and compressed for storage. The compression format retains full information on node attributes and edge weights to support backtracking analysis.
[0019] In some embodiments, the step of generating a counterfeit risk identifier by identifying fingerprint drift features from the fingerprint driving map includes: extracting fingerprint baseline feature sets for each type of device by grouping the fingerprint driving map according to device type; generating a fingerprint change rate distribution by performing temporal difference processing on the fingerprint baseline feature sets; identifying abrupt transition segments based on the fingerprint change rate distribution to generate an abrupt transition candidate set; and extracting counterfeit features based on the abrupt transition candidate set to generate a counterfeit risk identifier.
[0020] The fingerprint-driven graph is grouped by device type, and fingerprint baseline feature sets for each device type are extracted. The device type label for each node in the fingerprint-driven graph is jointly inferred from the operating system type and open ports of the device fingerprint data. The inference rules are derived from a pre-built device type feature library, which covers common IoT terminal types such as smart cameras, temperature and humidity sensors, industrial gateways, and smart locks. The feature library can be manually expanded to adapt to the access scenarios of new terminal devices. Nodes of the same type in the fingerprint-driven graph are grouped together. Within each group, the mode, mean, and standard deviation of the fingerprint-driven graph node attributes are extracted as the fingerprint baseline feature set for that type. The mode reflects the most frequent attribute value, and the standard deviation reflects the attribute dispersion. Attribute fields with a standard deviation close to zero are considered strongly constrained attributes; any deviation from a strongly constrained attribute triggers a high-confidence anomaly alarm. The fingerprint baseline feature set is stored indexed by device type. For example, a certain model of temperature and humidity sensor has a stable TTL value of 64 and a fixed window size of 1024 bytes. The corresponding fingerprint baseline feature set has a TTL mode of 64 and a standard deviation close to 0, and a window size mode of 1024 and a standard deviation less than 5 bytes. The fingerprint baseline feature set is fully recalculated every 24 hours and incrementally updated every 5 minutes with the map snapshot to track short-term changes. When the number of terminals in a group is less than 3, the corresponding fingerprint baseline feature set is marked as insufficient sample and will not participate in subsequent differential processing. Groups with insufficient samples are replaced by a globally universal baseline to ensure the integrity of the process. Terminals whose device type cannot be identified are classified into the unknown type group. The fingerprint baseline feature set of the unknown type is obtained by jointly statistically analyzing the fingerprint attributes of all terminals in the same group. The baseline confidence of the unknown type group is lower than that of the known type group. The corresponding anomaly judgment deviation threshold in the mutation and jump detection is relaxed by 20% to accommodate the unstable statistical regularity of fingerprint attributes of such terminals.
[0021] A fingerprint change rate distribution is generated by temporal differential processing of the fingerprint baseline feature set. The differential processing takes historical snapshot sequences of fingerprint attributes from each terminal node in the fingerprint driving map as input. These snapshots are synchronized with the fingerprint driving map snapshots, with a 5-minute acquisition interval. The fingerprint attribute records from two adjacent time points of the same terminal are used to calculate the attribute difference. This difference is divided by the time interval to obtain the change rate of each attribute field for that terminal. The change rate is then compared with the corresponding fingerprint baseline feature set to determine anomalies. The change rate sequences of each attribute field for each terminal are arranged on the time axis to form a rate time series. The rate time series of multiple attribute fields together constitute the fingerprint change rate distribution, organized in matrix form. Rows correspond to time nodes, and columns correspond to attribute fields. The dimension of each element in the matrix is determined by the data type of the corresponding attribute field. The change rate of the operating system type field is always zero under normal circumstances; non-zero values directly trigger high-priority anomaly marking. The MAC address change rate is always zero; a non-zero rate is considered a high-confidence anomaly. This non-zero value appears as a significant deviation point in the fingerprint change rate distribution and is preferentially marked as a high-risk mutation event during the mutation jump identification in sub-step 3. When the number of historical snapshots of the fingerprint baseline feature set is less than 3, the fingerprint change rate distribution of the corresponding attribute field is marked as insufficient data and will not enter the abrupt change recognition. It will be automatically supplemented after more than 3 snapshots are accumulated.
[0022] A mutation / jump candidate set is generated based on the fingerprint change rate distribution to identify abrupt change segments. The detection method employs a sliding window mean deviation method, using the rate sequence of each attribute field in the fingerprint change rate distribution as the detection object. The window length is set to 5 time nodes, and the step size is 1 time node. When the deviation between the mean rate within the window and the global mean exceeds three times the global standard deviation, the window is determined to be a mutation segment. The start time, end time, and peak rate of the mutation segment are recorded as a mutation event, with the peak rate being the maximum absolute value of the rate sequence within the mutation segment. When multiple attribute fields simultaneously trigger mutation detection within a single detection period, it is marked as a joint mutation event. For example, if the MAC address and TTL value of a terminal simultaneously change, it indicates that the device has been completely replaced. Joint mutations are more severe than single-field mutations, and the more attribute fields involved in a joint mutation, the greater the risk weight. All mutation events are arranged in ascending order of time and accompanied by a corresponding terminal identifier, forming a mutation jump candidate set. Adjacent mutation events in the mutation jump candidate set with a time interval of less than two snapshot intervals (i.e., 10 minutes) are merged into the same jump segment. The peak rate after merging is the maximum value of each event, and the duration is the full span from the start to the end of the merged segment. When the mutation jump candidate set is empty, it indicates that the device fingerprint is generally stable during the current time period, the spoofing risk level of all monitored terminals is set to no risk, and no spoofing risk identifier is generated.
[0023] Counterfeiting risk identifiers are generated by extracting counterfeiting features from a mutation jump candidate set. The peak rate, duration, and number of joint mutation attributes for each jump segment in the mutation jump candidate set are extracted as jump feature triples. Counterfeiting features are jointly determined by the jump feature triples corresponding to each jump segment in the mutation jump candidate set and the corresponding terminal's historical fingerprint compliance records. When an attribute value that has never appeared in the compliance records suddenly appears within a jump segment, it is considered a counterfeiting feature. The tolerance range is defined as the mean of historical attribute values ± 3 standard deviations. The severity of counterfeiting features is scored in three levels: a jump duration exceeding 60 seconds and having more than 3 joint mutation attributes is considered high counterfeiting risk; a duration exceeding 20 seconds or having 2 or more joint mutation attributes is considered medium counterfeiting risk; and all other cases are considered low counterfeiting risk. The counterfeiting risk identifier consists of three parts: terminal identifier, counterfeiting risk level, and a list of attribute fields that triggered the jump. When the mutation jump candidate set is empty, the counterfeiting risk level of all monitored terminals is set to no risk, and no counterfeiting risk identifier is generated. The counterfeit risk marker is accompanied by a generation timestamp. If the marker is not updated every 20 minutes after its generation, the risk level will be downgraded by one level until it becomes risk-free. The downgrade time is aligned with the map snapshot refresh cycle, and the downgrade record is written to the audit log for verification.
[0024] Step S120: Based on the fingerprint-driven graph, perform identity recognition topology reorganization to generate a high-risk terminal distribution map. Based on the high-risk terminal distribution map and the impersonation risk identifier, perform trust decay analysis to construct an effective access coverage area.
[0025] Specifically, a high-risk terminal distribution map is generated by performing identity recognition topology reorganization based on the fingerprint-driven graph. The identity recognition topology reorganization uses the current snapshot of the fingerprint-driven graph as input, matching and verifying the fingerprint attributes of each node in the graph with historical compliance records. The matching deviation is measured by the standardized distance between the measured value of each attribute field and the mean of the compliance baseline. Nodes with a distance exceeding 5 times the standard deviation are identified as high-risk nodes and prioritized for reorganization. Nodes with a distance between 3 and 5 times the standard deviation are identified as medium-to-low-risk suspected nodes, their records are retained but not included in the heatmap statistics. High-risk nodes are extracted from the fingerprint-driven graph and reorganized into subgraphs according to their risk level. During the reorganization process, the original communication edges of the fingerprint-driven graph are retained in the subgraphs. Edges from high-risk nodes to low-risk nodes are marked as potential infection paths, and edges from low-risk nodes to high-risk nodes are marked as risk exposure paths. These two types of paths are distinguished by different identifiers in the high-risk terminal distribution map. The high-risk terminal distribution map is generated by overlaying the identity-questionable sub-map with the corresponding physical network location information, and output in the form of a heatmap. The heatmap value is obtained by normalizing the product of the risk level of the high-risk node and the density of the high-risk node, and the denominator of the normalization is the maximum value of this product for all regions in the current high-risk terminal distribution map. The high-risk terminal distribution map is refreshed every 5 minutes synchronously with the fingerprint-driven map snapshot update. Regions with heatmap values higher than the threshold of 0.6 are automatically marked as key monitoring areas. Regions with heatmap values that continue to rise for two consecutive update cycles will trigger an additional upgraded alarm.
[0026] In some embodiments, the step of constructing an effective access coverage area based on the trust decay analysis of the high-risk terminal distribution map and the spoofing risk identifier includes: dividing the high-risk terminal distribution map according to physical area boundaries to generate regional risk sub-maps; performing inter-regional risk propagation intensity analysis based on the regional risk sub-maps and the spoofing risk identifier to generate a risk propagation constraint matrix; performing differentiated trust decay processing on the risk propagation constraint matrix to generate a dynamic trust scoring sequence; and setting an access trust threshold based on the dynamic trust scoring sequence to construct an effective access coverage area.
[0027] The distribution map of high-risk terminals is divided into regional risk sub-maps based on physical region boundaries. Physical region boundaries are determined jointly by the subnetting in the network topology and the actual deployed physical isolation boundaries. Terminals within the same subnet and physically adjacent to each other are assigned to the same region; terminals crossing subnets or physical isolation boundaries are assigned to different regions. Region boundary information is pre-entered into the topology configuration library. Adding a new isolation boundary triggers an update to the configuration library and simultaneously refreshes the region division results. In the high-risk terminal distribution map, nodes are grouped according to their respective regions, with each region corresponding to a sub-map. The edge set within each sub-map consists of directed communication edges within the region. Cross-regional communication edges are included in the inter-regional edge set and recorded separately. The size of the inter-regional edge set reflects the degree of interconnectivity between regions. The percentage of high-risk nodes within each sub-map is extracted as a regional-level indicator. When the percentage of high-risk nodes exceeds 30%, the overall risk level of the region is determined to be high-risk; when the percentage exceeds 50%, a severe risk label is added to the corresponding sub-map. All regional subgraphs and their regional indicators are aggregated to form a regional risk subgraph set. The number of regions expands dynamically with the network size. Adding a new region triggers an incremental update of the regional risk subgraph set. When a region is deleted, the corresponding subgraph is removed from the set and historical data is archived.
[0028] A risk propagation constraint matrix is generated based on the analysis of inter-regional risk propagation intensity using regional risk sub-maps combined with counterfeit risk identifiers. The inter-regional risk propagation intensity is jointly determined by the number of cross-regional directed communication edges between two regions and the number of cross-regional terminals carrying high-risk counterfeit risk identifiers. The number of cross-regional directed communication edges reflects the physical connectivity between the two regions, while the number of cross-regional terminals carrying high-risk counterfeit risk identifiers reflects the potential scale of the carriers for the cross-regional spread of counterfeit risks. Propagation intensity is limited only when connectivity is high but there are no terminals with high-risk counterfeit risk identifiers, and propagation paths are blocked only when there are many terminals with high-risk counterfeit risk identifiers but sparse inter-regional communication. Cross-regional terminals participating in the propagation intensity statistics are located based on the terminal identifier in the counterfeit risk identifier. Terminals with a high counterfeit risk level are included in the N_ij statistics. Terminals whose attribute fields trigger a jump and simultaneously change are given higher weight in the N_ij statistics. The propagation intensity W_ij between two regions i and j is determined by the formula W_ij = α × E_ij / E_max + β × N_ij / N_max, where E_ij is the number of directed cross-regional communication edges from region i to region j, E_max is the maximum number of directed cross-regional edges in all region pairs and not less than the lower limit of 5, N_ij is the number of high-risk cross-regional terminals that meet the above conditions, and N_max is the maximum number of such terminals in all region pairs and not less than the lower limit of 3. α and β are taken as 0.4 and 0.6, respectively. Both E_ij and N_ij are statistically analyzed using directionality to ensure that W_ij and W_ij can reflect the differences between the two propagation directions. The propagation intensity W_ij of all region pairs is filled into a square matrix to form a risk propagation constraint matrix, with diagonal elements set to 0. Region pairs with values exceeding 0.7 in the risk propagation constraint matrix are marked as high-risk propagation channels.
[0029] A dynamic trust score sequence is generated by performing differentiated trust decay processing on the risk propagation constraint matrix. Differentiated trust decay starts from the initial trust score of each terminal. Newly connected terminals are assigned a default initial trust score of full marks. For terminals with historical records, the initial trust score is taken from the trust score at the end of the previous evaluation period. The decay magnitude is determined based on the propagation intensity distribution of the region where the terminal is located in the corresponding row of the risk propagation constraint matrix. The higher the outward propagation intensity of the region, the greater the decay of the terminal's trust score in that region. The concentration of the propagation intensity distribution is measured by the coefficient of variation of the non-zero elements in the corresponding row. When the coefficient of variation is less than 0.5, it is judged as a uniform distribution, and the equal-weighted average of each direction is used as the decay benchmark. When the coefficient of variation reaches 0.5 or above, it is judged as a concentrated distribution, and the maximum propagation intensity in the corresponding row is used as the decay benchmark to conservatively estimate the risk. Trust decay employs a hop-by-hop propagation model. The number of hops is the shortest path length between the target area and high-risk areas. The first hop decay is equal to the maximum outward propagation intensity of that area multiplied by a decay coefficient of 0.3. The second hop decay coefficient is halved to 0.15. When a terminal is affected by multiple high-risk areas, the maximum decay value of each path is used. Propagation paths exceeding two hops do not continue to decay. Terminals completely isolated from high-risk areas retain their initial trust scores unaffected by decay. The trust scores of each terminal after completing the risk propagation constraint matrix decay process are arranged chronologically to form a trust scoring time series. The set of trust scoring time series for all terminals constitutes a dynamic trust scoring sequence. Terminals in the dynamic trust scoring sequence that experience a continuous decline of more than three time points are marked as terminals with continuously deteriorating trust. The list of continuously deteriorating terminals is appended to the dynamic trust scoring sequence as a high-priority review list.
[0030] An effective access coverage area is constructed by setting an access trust threshold based on a dynamic trust scoring sequence. The latest trust score of each terminal in the dynamic trust scoring sequence is extracted to form a current trust score snapshot. The access trust threshold is determined by taking the larger value of the mean trust score of all terminals in the snapshot minus 0.5 times the standard deviation, and the smaller value of the other two values (0.3 and 0.8). This setting ensures that terminals with trust scores higher than the effective threshold are included in the effective access coverage area, while retaining access rights for terminals with slightly lower than the mean but not significantly deviating from it, thus avoiding the mistaken exclusion of terminals due to short-term fluctuations in trust scores. Terminals with trust scores higher than the actual effective threshold are included in the effective access coverage area. Terminals with trust scores lower than the actual effective threshold are marked as restricted terminals and handled according to risk levels. Terminals with trust scores below 0.3 are directly blocked from access and trigger manual verification. Terminals with trust scores between 0.3 and the actual effective threshold are downgraded to read-only permissions, allowing data reporting but prohibiting command issuance. Terminals in the high-priority review list in the dynamic trust scoring sequence are simultaneously triggered for manual review regardless of whether their trust scores are higher than the actual effective threshold. The traffic of read-only terminals is continuously monitored, and full access permissions are automatically restored when the trust score recovers to above the actual effective threshold. The effective access coverage area is refreshed every 5 minutes with the dynamic trust scoring sequence. Terminals whose trust scores cross the threshold boundary trigger access status change notifications, and the change records are written to the audit log to support post-event traceability.
[0031] Step S130: Perform token lifecycle analysis on the effective access coverage area to extract authentication confidence identifier and token time window constraint, and generate authentication task allocation strategy by mapping permission interval based on authentication confidence identifier and effective access coverage area.
[0032] In some embodiments, the step of performing token lifecycle analysis to extract authentication confidence identifiers and token time window constraints on the effective access coverage area includes: extracting token request records for each terminal within the effective access coverage area; performing lifecycle parsing and frequency feature extraction on the token request records to generate token remaining lifecycle and frequency fluctuation indicators; jointly evaluating the frequency fluctuation indicators and the token remaining lifecycle to generate a confidence score matrix; and extracting low-confidence terminal markers based on the confidence score matrix to generate authentication confidence identifiers and token time window constraints.
[0033] Extract token request records from each terminal within the valid access coverage area. The interaction messages between each terminal and the authentication server within the valid access coverage area are filtered and parsed from network traffic mirroring by the message acquisition module, extracting four fields: the sending timestamp of the token request, the request source identifier, the token type, and the request result. These four fields together reconstruct the complete behavioral outline of a single token request. Token request records are grouped by terminal identifier, with one time-series record corresponding to each terminal. The time span of the time-series records is aligned with the statistical period of the valid access coverage area, defaulting to covering all request behaviors within the most recent 24 hours. The statistical period can be adjusted to 6 hours or 48 hours depending on network scale and analysis needs. The token request result field distinguishes between three states: authorization success, authorization failure, and token renewal. Terminals with authorization failure frequencies exceeding 20% of the total number of requests are marked as high-failure-rate terminals, and their token request records are prioritized for analysis in subsequent frequency feature extraction. Terminals with missing token request records within the effective access coverage area for more than 6 consecutive hours are marked as having incomplete records. In subsequent confidence assessments, the corresponding node scores of terminals with incomplete records will be marked with gap correction labels to avoid misjudging normal terminals due to low confidence assessment caused by data collection interruptions.
[0034] Token request records are analyzed for lifecycle and frequency features to generate remaining lifecycle and frequency fluctuation indicators. Lifecycle analysis extracts the token issuance timestamp and validity period fields from the token request records. The remaining lifecycle is determined by subtracting the current time from the token's expiration time; a negative difference indicates the token has expired but is still in use. Expired tokens are assigned negative remaining lifecycle values to distinguish them from normal tokens. The larger the absolute value of the negative value, the longer the token has been in use beyond its expiration period. Expiration indicates a malfunction in the terminal's token refresh mechanism or that it has been bypassed. The reasonable range for the remaining lifecycle is determined by both the device type and the business scenario. For resource-constrained terminals, the token validity period is typically 1 to 4 hours, while for managed terminals, it is typically 8 to 24 hours. Measured values deviating from the reasonable range by more than 50% are marked as abnormal lifecycles. Frequency feature extraction counts the number of requests per unit time from the timestamp sequence of token request records. The request frequency within each window is calculated using a 15-minute statistical window. The frequency value sequence of all windows forms a frequency time series. The mean and variance of the frequency time series together constitute the frequency fluctuation index. The mean reflects the overall authentication activity of the terminal, and the variance reflects the stability of the authentication frequency. The two components of the frequency fluctuation index serve as the basis for confidence judgment in different dimensions in the subsequent joint evaluation.
[0035] For example, the step of jointly evaluating the frequency fluctuation index and the remaining lifetime of the token to generate a confidence score matrix includes: performing time-series difference processing on the frequency fluctuation index to generate a frequency change rate sequence; identifying frequency surge segments from the frequency change rate sequence to generate a surge trigger set; performing confidence prediction correction on the surge trigger set in conjunction with the frequency fluctuation index to generate a prediction correction confidence group; and performing time-varying mapping on the remaining lifetime of the token based on the prediction correction confidence group to generate a confidence score matrix.
[0036] A frequency change rate sequence is generated by performing time-series differencing on the frequency fluctuation index. This differencing is applied to the frequency time series within the frequency fluctuation index. The difference between the frequency values of two adjacent statistical windows, divided by the window interval, yields the frequency change rate at that time point. A positive rate of change indicates an increase in the request frequency, while a negative rate indicates a decrease. Larger absolute values indicate more drastic frequency changes. Alternating large positive and negative values indicate that the terminal authentication frequency is in a state of repeated oscillation. The frequency change rate sequence is one element shorter than the frequency time series. Elements in the frequency change rate sequence whose absolute value exceeds 1.3 times the mean absolute value of all elements in the sequence are considered significant change points. The distribution density of significant change points on the time axis reflects the stability of the terminal authentication behavior; a sparse distribution indicates occasional frequency changes, while a dense distribution indicates that the frequency is in a state of long-term, drastic fluctuation. Terminals with extremely low variance in the frequency fluctuation index generally have smaller frequency change rate sequence values, resulting in a correspondingly higher sensitivity for sudden increase detection. This increased sensitivity is achieved by tightening the significant change threshold to 1.0 times the mean absolute value of all elements in the frequency change rate sequence. The continuous appearance of positive and significant change points in the frequency change rate sequence indicates that the frequency is in a continuous rising phase. This phase is the main detection target for subsequent sudden increase segment identification. When the frequency change rate sequence is a sequence of all zeros, it means that the terminal's authentication frequency is completely constant within the statistical period and will not enter the subsequent sudden increase segment identification process.
[0037] Frequency surge segments are identified from the frequency change rate sequence to generate surge trigger sets. The identification of frequency surge segments employs a continuous positive threshold judgment method. A surge segment is defined as three or more consecutive elements in the frequency change rate sequence whose rate values exceed the surge threshold. The surge threshold is set to 1.4 times the average absolute value of each element in the frequency change rate sequence. This threshold filters out normal business fluctuations while retaining the ability to detect moderate-intensity surges. The start element index, end element index, and maximum rate value within the surge segment are extracted to form a surge segment description triplet. A larger difference between the start and end indices indicates a longer surge duration, and a higher maximum rate indicates a stronger surge. If a terminal's rate continuously exceeds the threshold for multiple consecutive windows in the frequency change rate sequence, and the maximum rate is significantly higher, it indicates that the terminal is experiencing a prolonged period of abnormally high authentication frequency increases. The burst trigger set is composed of the sum of all burst segment description triplets. Two adjacent burst segments with a starting index difference of less than 2 are merged into one segment to handle artificial breaks in burst segments caused by missing data in a single statistical window. The maximum rate of the merged segment is the larger of the two values, and the duration of the merged segment is the full span. A larger number of elements in the burst trigger set indicates more frequent frequency bursts for that terminal within the statistical period. If there are no consecutive elements exceeding the threshold in the frequency change rate sequence, the burst trigger set is empty, and subsequent confidence correction steps are not performed.
[0038] For surge trigger sets, a confidence prediction correction is performed using frequency fluctuation indicators to generate a predicted correction confidence level group. The peak rate of each surge segment in the surge trigger set and the average frequency of the corresponding time window in the frequency fluctuation indicator together constitute a trigger feature pair. The peak rate reflects the severity of the frequency increase, and the average frequency of the frequency fluctuation indicator reflects the actual level of the request frequency after the surge. Together, they determine the overall risk intensity of the surge event. A strong surge event is defined as a peak rate exceeding 80% of the average frequency fluctuation indicator and the corresponding average frequency exceeding 60% of the historical maximum value, with a corresponding confidence prediction correction magnitude of -0.25. A moderate surge corresponds to a correction magnitude of -0.15, and a weak surge corresponds to a correction magnitude of -0.05. The correction magnitude is added to the initial confidence score of the corresponding terminal to form the predicted correction confidence level. The initial confidence score is assigned a default full score to newly connected terminals, while for terminals with existing historical records, the latest column value of the confidence score matrix from the previous evaluation period is used. When the pre-corrected confidence level is below 0, it is truncated to 0; when it is above the initial value, it is reset to the initial value, ensuring that the confidence score always remains within the range of 0 to 1. The set of pre-corrected confidence levels for all terminals constitutes the pre-judgmented confidence level group. For terminals with an empty trigger set due to sudden increases, the pre-corrected confidence level equals the initial confidence level. Terminals with extremely low variance in frequency fluctuation indicators show a synchronous narrowing of score fluctuations in the pre-judgmented confidence level group, reflecting that the confidence level correction range for terminals with long-term stable authentication behavior is naturally limited.
[0039] Based on the predicted and revised confidence level group, a time-varying mapping is applied to the remaining lifespan of the token to generate a confidence score matrix. The time-varying mapping establishes a dynamic correspondence between the predicted and revised confidence level of each terminal in the predicted and revised confidence level group and the corresponding time position of the remaining lifespan of the token. The mapping weight of the confidence level varies depending on the stage of the remaining lifespan of the token. When the remaining time exceeds 60% of the validity period, the weight is set to 1.0; when the remaining time is less than 20% of the validity period, the weight is reduced to 0.6 to suppress the confidence score at the critical state and reflect the expiration risk. The weight of the transition interval is determined by linear interpolation. The predicted and revised confidence level of each terminal in the predicted and revised confidence level group is multiplied by the corresponding weight of the remaining lifespan stage of the token to obtain a weighted confidence level. When the weighted result exceeds the range of 0 to 1, it is truncated to the boundary value. The weighted confidence level of each terminal at each evaluation time node is filled into the matrix to form a confidence score matrix, with the matrix rows corresponding to terminals and the columns corresponding to evaluation time nodes. The introduction of time-varying weights results in lower mapping scores for the same pre-corrected confidence level during the token critical phase, reflecting the risk amplification effect during the expiration phase. Terminals at different remaining lifecycle stages in the confidence score matrix exhibit dynamic score differences linked to the token expiration time. The time-series trend of the matrix column mean reflects the evolution of the overall authentication security level. A global confidence warning is triggered when the column mean decreases for three consecutive nodes, indicating an increase in the overall authentication risk of the current network.
[0040] The authentication confidence identifier and token time window constraint are generated by extracting low-confidence terminal markers from the confidence score matrix. The average score of each terminal in the confidence score matrix over the three most recent evaluation time points is used as the current confidence representative value. The average of three points is used instead of a single point value to resist the interference of instantaneous fluctuations on the judgment result. When calculating the confidence representative value of terminals with incomplete records, the node corresponding to the gap is skipped, and the average of the remaining valid nodes is used. Terminals with a current confidence representative value below the threshold of 0.5 are extracted as low-confidence terminals. The identifier of the low-confidence terminal and its corresponding confidence representative value together constitute the authentication confidence identifier. The authentication confidence identifiers are arranged in ascending order of confidence representative value, with terminals with lower confidence ranking higher. The lowest-confidence terminals are given priority in being assigned strong authentication tasks to achieve effective concentration of authentication resources. The token time window constraint is determined segmented based on the confidence representative value of each terminal in the authentication confidence identifier. Terminals with a confidence representative value below 0.3 have a token time window constraint of 15 minutes, terminals with a confidence representative value between 0.3 and 0.5 have a constraint of 30 minutes, and normal terminals with a confidence representative value above 0.5 maintain the standard validity period. Shorter time windows require terminals to re-authenticate more frequently to continuously verify identity legitimacy. After the token time window constraint takes effect, the authentication server forcibly rejects token requests exceeding the time window and requires a complete re-authentication. Terminals that fail to re-authenticate will have their latest evaluation node score in the confidence score matrix reduced by 0.1 for each failure. After three cumulative failures, the corresponding node score is forcibly reset to zero, triggering a recalculation of the confidence representative value. If the recalculated result is below 0.3, the terminal is removed from the effective access coverage area.
[0041] An authentication task allocation strategy is generated by mapping permission intervals based on authentication confidence identifiers and effective access coverage domains. Permission interval mapping combines the confidence representative value of each terminal in the authentication confidence identifier with the corresponding trust score in the effective access coverage domain, using two dimensions to determine the applicable permission interval for that terminal. Terminals with high confidence representative values and high trust scores are mapped to a wide permission interval; terminals with both values are mapped to the narrowest permission interval and are subject to mandatory multi-factor authentication; and terminals with low values in any single aspect are mapped to an intermediate permission interval with additional enhanced verification requirements in the corresponding direction. A wide permission interval allows terminals to access all authorized resources without additional verification for token renewal. A narrow permission interval restricts terminals to accessing only core business resources, and each token renewal requires device fingerprint verification. The narrowest permission interval further requires terminals to include real-time behavioral traffic characteristics with each access, which are then compared by the server with the behavioral baseline of the corresponding node in the fingerprint-driven graph. The authentication task allocation strategy consists of the target permission range and corresponding authentication strength requirements for each terminal. The authentication strength requirements in the authentication task allocation strategy include two parameters: token renewal frequency and abnormal response action. The token renewal frequency is consistent with the token time window constraint. The abnormal response action specifies the handling method when a terminal authentication request triggers a real-time abnormality. The options include three levels: alarm notification, temporary demotion, and immediate disconnection. The lower the authentication confidence level, the stricter the corresponding abnormal response action. When a new terminal is added to the effective access coverage area, it is automatically added to the authentication task allocation strategy after the permission range is mapped according to its confidence level representative value and trust score. When a terminal is moved out of the coverage area, the corresponding entry is marked as invalid.
[0042] Step S140: Decompose the authentication task allocation strategy into core authentication sequence and auxiliary authentication sequence. Perform elastic access capacity analysis on the auxiliary authentication sequence to form a hot standby authentication node cluster. Perform unauthorized access anomaly monitoring on the core authentication sequence and obtain distortion signals by combining token time window constraints.
[0043] Specifically, the authentication task allocation strategy is broken down into core authentication sequences and auxiliary authentication sequences. The strategy groups and decomposes tasks based on the authentication strength requirements and permission range identifiers of each terminal. Terminals with two-factor authentication requirements or the narrowest permission range are forcibly assigned to the core authentication sequence. These terminals have the lowest confidence and highest risk, and the consequences of authentication failure are the most severe; downgrading or delayed processing is not allowed. Auxiliary authentication sequences handle the remaining terminal tasks. The strategy ensures complete coverage of all terminals according to this rule, with no terminal simultaneously assigned to two sequences or not assigned to any sequence. The core authentication sequence typically accounts for 20% to 40% of the total authentication task allocation strategy, but its overall risk weight accounts for over 60% of all terminals. Prioritizing the execution of the core authentication sequence maximizes authentication protection benefits. Auxiliary authentication sequences typically account for 60% to 80% of the total authentication task allocation strategy. These terminals have a relatively high tolerance for authentication task processing latency, allowing for appropriate delays in execution when the authentication node load is too high. After the core authentication sequence and the auxiliary authentication sequence are decomposed, they are each assigned a priority weight. The priority weight of the core authentication sequence is fixed at 1.0, while the priority weight of the auxiliary authentication sequence is linearly mapped from the confidence level of the corresponding terminal to the range of 0.3 to 0.7. The lower the confidence level, the higher the weight, to ensure that terminals with relatively high risk in auxiliary tasks can also be given priority scheduling when resources are sufficient.
[0044] In some embodiments, the step of performing elastic access capacity analysis on the auxiliary authentication sequence to form a hot standby authentication node cluster includes: dividing the auxiliary authentication sequence into a same-domain authentication node group and a cross-domain authentication node group according to network topology location; calculating the topological proximity of the same-domain authentication node group and the cross-domain authentication node group to generate a proximity distribution matrix; performing elastic access capacity aggregation analysis on the proximity distribution matrix to generate a capacity-proximity joint scoring sequence; and selecting high-priority nodes to form a hot standby authentication node cluster based on the capacity-proximity joint scoring sequence.
[0045] The auxiliary authentication sequence is divided into intra-domain authentication node groups and cross-domain authentication node groups based on network topology location. The network topology location of each authentication node in the auxiliary authentication sequence is determined by its subnet identifier and physical access layer. Nodes with the same subnet identifier and access layer at the same aggregation layer are assigned to the intra-domain authentication node group, while nodes with different subnet identifiers or those crossing aggregation layer boundaries are assigned to the cross-domain authentication node group. Within the intra-domain authentication node group, the communication paths between nodes are short and the latency is low, making it suitable for latency-sensitive authentication tasks. The average round-trip latency between nodes is typically in the range of 1 to 5 ms; if it exceeds this range, the intra-domain partition boundary is re-examined for rationality. Authentication tasks for the same terminal in the auxiliary authentication sequence are preferentially assigned to the intra-domain authentication node group. Only when no intra-domain node is available will the task fall back to the cross-domain authentication node group. The fallback trigger threshold is when the average current load of all nodes in the intra-domain authentication node group exceeds 85%. Within the cross-domain authentication node group, nodes cross network boundaries, resulting in longer communication paths that may be subject to routing policy restrictions. The average round-trip latency between cross-domain nodes is typically in the range of 10 to 50 ms. When the number of nodes in the same domain authentication node group is 1, it is marked as a single point of risk group. In the subsequent calculation of the proximity distribution matrix, the cross-domain proximity weight of the corresponding row of the single point of risk group is increased, and the node with the highest proximity in the cross-domain authentication node group is introduced first as a backup to eliminate the potential single point of failure.
[0046] A proximity distribution matrix is generated based on topological proximity calculations performed on intra-domain and cross-domain authentication node groups. Topological proximity reflects the closeness between two authentication nodes in the network topology. Higher proximity indicates lower communication costs and smaller state synchronization delays when the nodes are backups of each other. The proximity between any two nodes within an intra-domain authentication node group is determined by the number of hops and the link bandwidth. The proximity P_intra is obtained by normalizing the formula P_intra=B / (H×D_avg), where B is the minimum uplink link bandwidth of the shortest path between the two nodes, H is the number of hops, and D_avg is the average delay of each hop on the path. P_intra is normalized to the range of 0 to 1 with the maximum value of B / (H×D_avg) among all intra-domain node pairs. A larger P_intra value indicates a higher degree of proximity within the same domain. The cross-domain proximity between cross-domain authentication node groups and intra-domain authentication node groups introduces a cross-domain penalty coefficient λ on top of P_intra. λ ranges from 0.3 to 0.7, with the penalty coefficient decreasing as more network boundaries are crossed. The cross-domain proximity P_cross = λ × P_intra reflects the additional overhead of cross-domain communication compared to intra-domain communication. The P_cross values of each node in the cross-domain authentication node group are synchronously included in the normalization calculation to ensure consistency in the proximity metric. The proximity values between all authentication node pairs are filled into a square matrix to form a proximity distribution matrix. When calculating the proximity of node X to node Y in the matrix, B takes the uplink bandwidth of the path from X to Y, and when calculating the proximity of node Y to node X, B takes the uplink bandwidth of the path from Y to X. The difference between uplink and downlink bandwidths leads to different proximity values in the two directions, resulting in an asymmetry in the matrix. Node pairs with values below 0.1 in the proximity distribution matrix are marked as low proximity channels. Node pairs with low proximity channels are not suitable for mutual backup relationships. The proximity distribution matrix is updated in real time with changes in network topology, and the corresponding row and column values are reset to 0 when a link fails or a node goes offline.
[0047] Elastic access capacity aggregation analysis is performed on the proximity distribution matrix to generate a capacity-proximity joint scoring sequence. Elastic access capacity reflects the additional number of authentication requests an authentication node can handle beyond its current load. The elastic access capacity C_i of each authentication node is determined by the difference between its current maximum concurrent authentication capacity and the measured load: C_i = C_max - C_current. Here, C_max is pre-defined by the node's hardware specifications and authentication protocol overhead, and C_current is the average concurrent number of authentication requests in the last 5 minutes. A negative C_i indicates that the node is overloaded, and overloaded nodes do not participate in subsequent aggregation scoring. When a node has sufficient capacity but surrounding nodes are generally fully loaded, hot standby switching cannot leverage neighboring nodes to share the overflow requests, thus limiting the value of hot standby. Elastic access capacity aggregation jointly evaluates the C_i of each node and the proximity distribution of the corresponding row in the proximity distribution matrix. The aggregation method is to weighted sum the proximity P_ij of each node j relative to the target node i, with the weight being the elastic access capacity C_j of the corresponding node j. The aggregation result S_i = C_i + Σ(P_ij × C_j) reflects the total remaining capacity of node i and the surrounding available backup resources. For example, if a node's S_i is low, and after investigation it is found that the load of all its neighboring nodes exceeds 80%, it indicates that the overall authentication resources in the area are becoming strained and need to be expanded in advance. The capacity-proximity joint scoring sequence is composed of the S_i values of all certified nodes arranged in descending order. Nodes with high S_i have sufficient capacity and abundant surrounding backup resources, making them suitable as hot standby priority nodes. The capacity-proximity joint scoring sequence is refreshed every minute according to the load of certified nodes, and when the sorting changes, it triggers a re-selection of the hot standby node cluster.
[0048] High-priority nodes are selected based on the capacity-proximity joint scoring sequence to form a hot standby authentication node cluster. The top N nodes with the highest S_i ranking in the capacity-proximity joint scoring sequence are determined as hot standby candidate nodes. N is determined by the ratio of the total number of tasks in the current auxiliary authentication sequence to the C_max of a single node, with a minimum value of 3 to ensure the minimum redundancy of the hot standby node cluster. Candidate nodes must also pass a health check, which verifies three indicators: network connectivity, authentication service process status, and the time of the most recent heartbeat. Nodes with abnormal indicators are removed from the candidate list and replaced by the next-ranked node in the capacity-proximity joint scoring sequence. The set of candidate nodes that pass the health check constitutes the hot standby authentication node cluster. Each node in the hot standby authentication node cluster is assigned a takeover priority according to its S_i score, with the node with the highest S_i taking over first to ensure optimal authentication performance after takeover. After the hot standby authentication node cluster is established, it continuously synchronizes its session state with the primary authentication node in the background. The synchronized content includes the current active token list and authentication event records from the last 10 minutes. The synchronization interval is 30 seconds. A synchronization failure alarm is triggered if the synchronization delay exceeds 5 seconds. Session state synchronization ensures that the hot standby authentication node cluster can seamlessly take over without losing the session continuity of authenticated terminals after the primary node fails. The active token list and authentication event records serve as the complete state basis for session migration during the takeover of the authentication link. When the number of nodes in the hot standby authentication node cluster falls below the minimum redundancy of 3, an alarm is triggered to notify the administrator to replenish node resources. The composition of the hot standby authentication node cluster is dynamically adjusted as needed after the capacity-neighborhood joint scoring sequence is refreshed.
[0049] In some embodiments, the step of performing unauthorized access anomaly monitoring on the core authentication sequence and obtaining distortion signals in conjunction with the token time window constraint includes: extracting unauthorized access behavior from the core authentication sequence to generate an unauthorized access event sequence; aligning the unauthorized access event sequence with the token time window constraint to generate a request density distribution within the time window; extracting request source jump frequencies from the request density distribution within the time window to generate a source jump distribution sequence; and identifying abnormal source jump segments based on the source jump distribution sequence to generate distortion signals.
[0050] Unauthorized access behavior is extracted from the core authentication sequence to generate an unauthorized access event sequence. Access behavior logs for each terminal corresponding to each authentication task in the core authentication sequence are collected in real-time from the access control module of the authentication server. The logs record four fields for each access request: the initiating terminal identifier, the target resource identifier, the request timestamp, and the access result. These four fields together reconstruct the complete behavioral outline of a single access request. Unauthorized access behavior is defined as an access request initiated by a terminal whose target resource identifier exceeds the permission range allocated to that terminal in the authentication task allocation strategy. Unauthorized access is determined by performing a set difference operation between the target resource identifier and the list of authorized resources within the permission range; if the difference is not empty, it is considered unauthorized access. Unauthorized access types are distinguished into horizontal and vertical unauthorized access. Horizontal unauthorized access refers to accessing authorized resources of other terminals at the same permission level, while vertical unauthorized access refers to accessing resources at a higher permission level. Vertical unauthorized access has a higher risk level than horizontal unauthorized access. If a terminal repeatedly triggers vertical unauthorized access prompts in the core authentication sequence, indicating an intent to escalate privileges, the unauthorized access type field of that terminal is separately marked in the unauthorized access event sequence to support risk classification during subsequent distortion signal generation. The unauthorized access event sequence consists of unauthorized access behaviors generated by all terminals in the core authentication sequence, arranged in ascending order of timestamps. When the unauthorized access event sequence is an empty set, it means that there is currently no unauthorized behavior in the core authentication sequence, and subsequent timing alignment steps will not be executed.
[0051] The unauthorized access event sequence is time-aligned with the token time window constraint to generate a request density distribution within the time window. Time alignment maps the timestamps of each unauthorized access event in the sequence to the time segment defined by the corresponding terminal token time window constraint. The token time window constraint divides the terminal's authentication validity period into several consecutive time windows, each with a length equal to the terminal's token time window constraint value. Unauthorized events fall into the corresponding time window number based on their timestamps, thus converting the absolute time dimension into a relative time dimension within the token's lifecycle. The significance of time alignment lies in revealing the distribution pattern of unauthorized behavior within the token's lifecycle. Unauthorized behavior occurring when the token is newly issued prompts the terminal to immediately attempt access beyond the authorized scope after obtaining a new token. Unauthorized behavior occurring when the token is nearing expiration prompts the terminal to conduct centralized permission probing before the session ends. A terminal's unauthorized events are highly concentrated in the last 10% of the time window's duration; this distribution pattern strongly suggests concentrated permission abuse before the token expires. The number of unauthorized access events within each time window is counted as the request density for that time window. The request densities of all time windows are arranged in order of their time window numbers to form the request density distribution within each time window. A uniform density distribution indicates that unauthorized access behavior is randomly distributed, while a highly concentrated density indicates that unauthorized access behavior has a clear temporal regularity. When an unauthorized access event sequence contains unauthorized access events from multiple terminals, the request density distribution within each terminal's time window is counted independently. When the density distribution patterns of multiple terminals are highly consistent, a collaborative anomaly marker is added. This collaborative anomaly marker is used in conjunction with the anomaly strength index of the corresponding terminal to determine collaborative attack behavior when identifying abnormal segments in the source jump distribution sequence.
[0052] The request source jump frequency is extracted from the request density distribution within a time window to generate a source jump distribution sequence. A request source jump refers to a change in the network source address of an unauthorized request between two adjacent requests. The source address includes both IP address and MAC address; a change in either is considered a source jump. Unauthorized events within each time window are sorted by timestamp in the request density distribution. The source address fields of adjacent events are compared; if they do not match, it is recorded as a source jump. The timestamp of the source jump and the address pairs before and after the jump are recorded completely. The number of source jumps within each time window is divided by the number of valid comparisons within that time window to obtain the source jump frequency for that time window. The number of valid comparisons is the total number of unauthorized events in that time window minus 1. For time windows with fewer than 2 unauthorized events, the source jump frequency is assigned a value of -1 to mark a state where comparison is not possible. This distinguishes it from the normal state where the frequency is 0 when there are multiple events but no jumps. A high source jump frequency indicates that the source address of the unauthorized request is frequently changing, suggesting that attackers may initiate unauthorized requests through proxy pools or jump servers to circumvent access control policies based on source addresses. Within a time window, the source jump frequencies of different terminals in the request density distribution are calculated independently. The differences in jump patterns among terminals within a time window can be used to distinguish between single-terminal continuous attacks and multi-terminal coordinated attacks. The source jump frequencies of all time windows are arranged in order of time window number to form a source jump distribution sequence. The time window with zero overweight density in the request density distribution corresponds to the negative value position of the source jump distribution sequence. The negative value position divides the sequence into several effective detection intervals, and each effective detection interval is independently used for abnormal segment identification.
[0053] Distortion signals are generated based on the identification of abnormal source jump segments in the source jump distribution sequence. The identification of abnormal source jump segments in the source jump distribution sequence employs the baseline deviation method. The baseline is determined by the mean of the source jump distribution sequence within the historical normal operation cycle of the core authentication sequence. Under normal business scenarios, the baseline source jump frequency is typically below 0.1. Time windows deviating from the baseline by more than three standard deviations are marked as abnormal time windows. Three or more consecutive abnormal time windows constitute an abnormal source jump segment. The mean source jump frequency of each time window within the segment serves as the abnormality intensity index for that segment. Higher abnormality intensity indicates more frequent unauthorized request source address switching within the segment. The distortion signal consists of descriptive information for all abnormal source jump segments. The description of each segment includes four fields: the corresponding terminal identifier, the segment start time window number, the segment end time window number, and the segment abnormality intensity. These four fields jointly locate the subject, time range, and severity of the distortion behavior. When multiple terminals simultaneously exhibit abnormal source jump segments in the distorted signal, a collaborative anomaly marker is added. The threshold for determining collaborative anomalies is when the number of abnormal terminals within the same time range exceeds 20% of the total number of terminals in the core authentication sequence. This is combined with the collaborative anomaly markers added during the request density distribution phase within the time window for joint confirmation. Collaborative anomalies indicate unauthorized attack behavior carried out collaboratively by multiple terminals. When there are no consecutive threshold-exceeding segments in the source jump distribution sequence, the distorted signal is an empty set. An empty set indicates that the source address of unauthorized requests within the current core authentication sequence is generally stable.
[0054] Step S150: Extract permission correction parameters based on the distorted signal, perform deviation compensation matching between the permission correction parameters and the hot standby authentication node cluster to determine the takeover authentication link, and seamlessly connect the takeover authentication link with the core authentication sequence to output access authentication instructions.
[0055] Specifically, permission correction parameters are extracted based on the distorted signal. The terminal identifier described by each abnormal transition segment in the distorted signal is used to trace back the original permission range assigned to the terminal in the authentication task allocation strategy. The difference between the original permission range and the target resource permission level involved when the terminal actually initiates unauthorized access is calculated. A positive difference indicates that the terminal is attempting to access resources above the current authorization level, i.e., vertical unauthorized access; a difference of zero indicates that the terminal is accessing other unauthorized resources at the same level, i.e., horizontal unauthorized access. Both situations constitute permission boundary breaches. The permission deviation for vertical unauthorized access is taken as the absolute value of the difference, while the permission deviation for horizontal unauthorized access is fixed at 1 to ensure that it has a basic weight in the correction strength calculation. Both must be included in the permission correction parameter calculation. Terminals with high segment abnormality intensity in the distorted signal usually have larger permission deviations. The positive correlation between the two reflects that the more frequent the unauthorized behavior, the deeper the permission boundary breach of the terminal. The correction strength of the permission correction parameter is obtained by multiplying the normalized value of the permission deviation by 0.4, the normalized value of the segment anomaly strength by 0.4, and the unauthorized access type coefficient by 0.2. The unauthorized access type coefficient is 1.0 for vertical unauthorized access and 0.5 for horizontal unauthorized access. The correction strength ranges from 0 to 1. Terminals with a correction strength exceeding the threshold of 0.6 in the permission correction parameter are marked as high correction priority. High correction priority terminals are processed first in subsequent deviation compensation matching to ensure that the most dangerous terminal completes the takeover link switch first. When the distortion signal is an empty set, the permission correction parameter is an empty set, the corresponding process is not triggered, and the core authentication sequence maintains the current authentication link unchanged.
[0056] In some embodiments, the step of performing deviation compensation matching between the permission correction parameters and the hot standby authentication node cluster to determine the takeover authentication link includes: decomposing the permission correction parameters into short-range permission deviation components and permission drift components; performing permission similarity screening in the hot standby authentication node cluster based on the short-range permission deviation components to form a candidate takeover node set; extracting session context state parameters from the candidate takeover node set to generate a session continuity sequence; and performing a comprehensive adaptation evaluation combining the permission drift components and the session continuity sequence to determine the takeover authentication link.
[0057] The permission correction parameters are decomposed into short-range permission deviation components and permission drift components. The permission deviation is calculated independently within each time window of the distorted signal and arranged chronologically to form a deviation time series. The permission deviation for each time window is determined by averaging the difference between the permission level of the unauthorized access target and the terminal's original authorized permission level within that time window. The portion of the deviation time series where the absolute value of the difference between adjacent time windows is small and the overall value is concentrated near the mean is extracted as the short-range permission deviation component. This component reflects the local unauthorized access magnitude of the terminal within a short period; a stable magnitude indicates that the terminal has a fixed unauthorized target rather than random probing. The portion of the deviation time series exhibiting a monotonically increasing or continuously accumulating trend is extracted as the permission drift component. The permission drift component reflects the trend of the unauthorized access magnitude continuously expanding over time. The short-range permission deviation component typically has a concentrated numerical range and small variance, while the permission drift component has a wide numerical range and obvious monotonicity. The ratio between these two components reflects the type of unauthorized behavior. When the short-range permission deviation component dominates, it tends to indicate a fixed-target unauthorized behavior; when the permission drift component dominates, it tends to indicate a progressively expanding unauthorized behavior. When the permission correction parameter cannot separate a significant permission drift component, the permission drift component is assigned a zero vector. The zero vector corresponds to a stable amplitude of the unauthorized behavior throughout the entire distorted signal segment without showing an increasing trend.
[0058] In the hot standby authentication node cluster, a candidate takeover node set is formed by filtering based on the short-range permission deviation component for permission similarity. The permission range distribution corresponding to the authentication tasks currently carried by each node in the hot standby authentication node cluster is extracted from the node's running status. The permission range distribution reflects the permission handling experience of each hot standby node. Nodes that have long handled high-privilege authentication tasks have lower context switching costs when taking over high-privilege terminals involved in unauthorized behavior. Permission similarity is defined as the degree of overlap between the current permission range distribution of the hot standby node and the target permission range pointed to by the short-range permission deviation component. The degree of overlap is measured by the Jaccard coefficient of the permission level sets of the two. The Jaccard coefficient is equal to the intersection size divided by the union size. The higher the coefficient, the better the hot standby node is at handling the permission range involved by the current unauthorized terminal. If a hot standby node has long carried management-level authentication tasks and the unauthorized targets pointed to by the short-range permission deviation component are also concentrated in management-level resources, a Jaccard coefficient close to 0.9 indicates a high degree of permission matching. Nodes in the hot standby certified node cluster with a Jaccard coefficient higher than the screening threshold of 0.5 are included in the candidate takeover node set, while nodes with a coefficient lower than 0.5 are excluded. When the hot standby certified node cluster is small, the screening threshold is appropriately lowered to 0.3 to ensure that the candidate takeover node set contains at least two nodes. Each node in the candidate takeover node set is accompanied by a corresponding Jaccard coefficient, which serves as the initial weight input for the comprehensive adaptation evaluation. If the candidate takeover node set is empty, the screening threshold is lowered to 0.2 for re-screening. If the second screening is still empty, the node with the highest S_i score is directly selected from the hot standby certified node cluster and forcibly included.
[0059] Session context state parameters are extracted from the candidate takeover node set to generate a session continuity sequence. These parameters are extracted from the active session records currently maintained by each node in the candidate takeover node set. Each active session record contains four fields: session identifier, session establishment time, most recent interaction timestamp, and session protocol type. These four fields together describe the current session activity status and protocol characteristics of the node. The number of active sessions on each node in the candidate takeover node set reflects the current load. When the number of active sessions approaches the node's maximum concurrency limit, the takeover capability is limited. If a node's current active session count has reached 90% of its maximum concurrency, the remaining capacity after takeover can only accommodate a small number of new sessions, making it unsuitable as the primary takeover node. The session protocol type field statistically analyzes the proportion of each protocol in the current active sessions of each node. The degree of matching between the protocol distribution and the authentication protocol used by the terminal to be taken over determines the protocol switching cost after takeover. Nodes with highly consistent protocol distributions do not require protocol renegotiation during takeover, resulting in low takeover latency. The session context state parameters of each candidate node are arranged on the timeline according to the five most recent sampling points to form a state sequence. The stability of the state sequence reflects the degree of fluctuation in the node's session load. Nodes with drastic fluctuations have poor takeover stability. If the number of active sessions of a node fluctuates from 50 to 90 and then drops to 40 within five sampling points, this drastic fluctuation indicates that the node is in an unstable state and should not be the first choice for takeover. The state sequences of all candidate nodes are arranged by node identifier to form a session continuity sequence. Nodes with high stability and good protocol matching in the session continuity sequence receive higher adaptation scores in the comprehensive adaptation evaluation.
[0060] For example, the step of combining the permission drift component and the session continuity sequence to perform a comprehensive adaptation evaluation to determine the takeover authentication link includes: quantifying the error between the permission drift component and the session continuity sequence to generate an error coverage score sequence; extracting protocol adaptation features from the session continuity sequence to generate a protocol switching cost sequence; adaptively fusing the error coverage score sequence and the protocol switching cost sequence to generate a dynamic adaptation score matrix; and determining the takeover authentication link based on the score ranking of each node in the dynamic adaptation score matrix.
[0061] Error coverage scoring sequences are generated by performing error quantization on the permission drift component and the session continuity sequence. Error quantization projects the expansion trend of the unauthorized access range described by the permission drift component onto the upper limit of the permission processing capacity of each candidate node in the session continuity sequence. The upper limit of the permission processing capacity is determined by the highest permission level task historically undertaken by the node. The projection difference reflects whether the node can completely cover the unauthorized access range described by the permission drift component after taking over. A negative projection difference indicates a coverage gap. For example, if a node's historical highest processing permission is level 3, but the unauthorized access target at the end of the permission drift component has expanded to level 5, a projection difference of -2 indicates that two levels of unauthorized access cannot be included in the control after the node takes over. Attackers can continue to perform unauthorized access within the gap without triggering the interception mechanism of the taking over node. The error coverage Cov_i is defined as the ratio of the node's upper limit of permission processing capacity to the highest unauthorized permission level at the end of the permission drift component. When the ratio is greater than 1, it is truncated to 1, indicating that the node can completely cover the unauthorized access range. The upper limit of the permission processing capacity of each candidate node in the session continuity sequence is extracted from the historical records of the corresponding state sequence. The more state sequence coverage sampling points, the more accurate the estimation of the upper limit of permission processing capacity. The error coverage score sequence is composed of the Cov_i of each candidate node in the order of node identifier. The node with the higher Cov_i value in the error coverage score sequence has a strong over-authority coverage capability after taking over. When the authority drift component is a zero vector, the Cov_i of all nodes in the error coverage score sequence is uniformly assigned a value of 1, indicating that there is no coverage gap in the no-drift scenario.
[0062] Protocol adaptation features are extracted from the session continuity sequence to generate a protocol switching cost sequence. Protocol adaptation features are extracted from the protocol distribution field of each candidate node in the session continuity sequence. The protocol distribution field records the percentage of sessions using each authentication protocol in the node's currently active sessions. The protocol with the highest percentage is defined as the node's dominant authentication protocol, reflecting the type of authentication interaction the node is currently best at handling. The dominant authentication protocol of each candidate node in the session continuity sequence is compared with the authentication protocol currently used by the terminal to be taken over. When the two protocols are the same, the protocol switching cost T_i is 0, indicating that no protocol renegotiation is needed after takeover, and the current session can continue directly. When the protocols are different, T_i is determined by the degree of protocol difference. The switching cost between protocols of the same family is assigned a value of 0.3, and the switching cost between protocols of different families is assigned a value of 0.8. Switching from a certificate-based authentication protocol to a pre-shared key-based authentication protocol requires re-establishing a trust chain, which is a typical high-switching-cost scenario. A lower T_i indicates better protocol compatibility after the candidate node takes over, and less impact on the service interruption of certified terminals during the takeover transition period. Zero-interruption takeover can be achieved when the dominant protocol of a candidate node is completely consistent with the protocol of the terminal to be taken over, resulting in optimal service continuity. The T_i values of all candidate nodes are arranged in order of node identifier to form a protocol switching cost sequence. Nodes with lower T_i values in the protocol switching cost sequence receive a higher adaptation advantage in the fusion score. Candidate nodes with missing dominant protocol fields in the session continuity sequence are assigned a T_i value of 0.5 as a neutral estimate.
[0063] The error coverage score sequence and the protocol switching cost sequence are adaptively fused to generate a dynamic adaptation score matrix. The adaptive fusion uses both the error coverage score sequence and the protocol switching cost sequence as dual inputs. The fusion weight is adaptively determined by the absolute magnitude of the permission drift component and the overall stability of the session continuity sequence. When the absolute magnitude of the permission drift component is large, permission coverage capability is more critical, and the fusion weight of the error coverage score is correspondingly increased. The overall stability of the session continuity sequence is measured by the mean variance of the number of active sessions on each candidate node within five sampling points. When the mean variance exceeds 30% of the mean of the sampling points, it is considered to have large overall fluctuations, and protocol adaptation stability is more critical, thus the fusion weight of the protocol switching cost is correspondingly increased. The fusion formula is Score_i = w_e × Cov_i + w_p × (1-T_i), where Cov_i is the error coverage of candidate node i, T_i is the corresponding protocol switching cost, w_e and w_p are adaptive fusion weights and w_e + w_p = 1. When the absolute magnitude of the permission drift component exceeds 3 permission levels, w_e is 0.7, and when it is less than 1 permission level, w_e is 0.4. Linear interpolation is used in the intermediate range. (1-T_i) converts the cost into a benefit so that the higher the fusion score, the better the adaptation effect. The Score_i of each candidate node is updated in the time dimension as the sampling points of the session continuity sequence roll. Each sampling point corresponds to a column of scores. The score columns of all sampling points are arranged side by side to form a dynamic adaptation score matrix. The rows of the matrix correspond to candidate nodes, and the columns correspond to time sampling points. If the value of a certain row in the matrix is consistently low, it means that the adaptation capability of the candidate node is always insufficient throughout the entire evaluation period and should not be the first choice for takeover. The maximum value of each column in the dynamic adaptation score matrix corresponds to the candidate node with the highest adaptation score at the sampling point. The fluctuation of the column maximum value over time reflects the dynamic switching of the optimal candidate node.
[0064] The takeover authentication link is determined based on the ranking of nodes in the dynamic adaptation scoring matrix. The row mean of each candidate node across all time sampling points in the dynamic adaptation scoring matrix is used as the comprehensive adaptation score of that node. The row mean reflects the stable adaptation capability of a node throughout the entire evaluation period better than the score of a single sampling point. If a node has a low score in the early sampling points but continuously improves in the later stages, the row mean can smooth out the impact of the low score in the early stages and comprehensively reflect its adaptation potential. The candidate node with the highest comprehensive adaptation score is determined as the primary takeover node, and the candidate node with the second highest comprehensive adaptation score is determined as the backup takeover node. The primary and backup nodes together constitute the takeover authentication link. The dual-node design ensures that if the primary takeover node fails during the switchover process, the backup node can immediately take over, avoiding the interruption of the core authentication sequence due to the failure of a single node takeover. Once the takeover authentication link is determined, a takeover command is issued to the primary takeover node. This command carries a list of terminal identifiers to be taken over and corresponding permission correction parameters. The primary takeover node tightens the permission range of the terminals to be taken over based on these parameters. After tightening, the permission range does not exceed the original authorized range. Terminals originally authorized to access resources at levels 1 to 3 are taken over due to unauthorized behavior; after takeover, their permissions are tightened to only allow access to resources at levels 1 to 2 until manual verification is completed. When the overall adaptation score of all candidate nodes in the dynamic adaptation scoring matrix is below 0.3, the takeover authentication link is marked as a low-quality takeover and an alarm is triggered to expand the hot standby authentication node cluster, indicating that the current hot standby resources are insufficient to support a high-quality takeover switch.
[0065] The takeover authentication link is seamlessly connected to the core authentication sequence, outputting access authentication commands. The core objective of seamless connection is to ensure that the services of normally authenticated terminals in the core authentication sequence are not affected by the takeover switch. Only unauthorized terminals are subject to permission correction and node switching, while non-unauthorized terminals continue to process on the original authentication nodes in the core authentication sequence. A session state mirroring channel is established between the main takeover node and the original authentication node in the core authentication sequence in the takeover authentication link. The token status, permission records, and authentication event history of the currently active sessions of unauthorized terminals are completely migrated to the main takeover node through the mirroring channel. After the migration is confirmed, the original authentication node in the core authentication sequence redirects subsequent requests from unauthorized terminals to the main takeover node. The redirection switching time window is set to the next token refresh time to minimize the impact on terminal services. Access authentication commands are generated by the main takeover node for each unauthorized terminal. The command content includes the tightened permission range definition, new token issuance parameters, and abnormal response action upgrade requirements. The new token issuance parameters compress the token validity period to 50% of the token time window constraint to strengthen the authentication frequency during the takeover period. The compressed validity period is no less than 5 minutes to ensure the normal completion of terminal-side authentication interactions. After the access authentication command is issued to the unauthorized terminal, the terminal will re-authenticate with the new parameters when the current token expires. If the re-authentication is successful, the takeover switch is complete; if the re-authentication fails, an immediate disconnection is triggered, and the terminal is removed from the valid access coverage area. In the takeover authentication link, the backup takeover node is downgraded to a monitoring role after the primary takeover node successfully completes the takeover. It continuously monitors the health status of the primary takeover node. If the primary takeover node fails, the backup takeover node immediately becomes the primary and re-executes the access authentication command issuance process, ensuring that the tightened permissions of the unauthorized terminal are not interrupted due to node failure during the takeover period.
[0066] To implement the IoT device access authentication method for smart campuses corresponding to the above method embodiments, and to achieve the corresponding functions and technical effects, see [link to documentation]. Figure 2 , Figure 2 This diagram illustrates a structural block diagram of an IoT device access authentication system 200 for a smart campus, as provided in an embodiment of this application. For ease of explanation, only the parts relevant to this embodiment are shown. The IoT device access authentication system 200 for a smart campus, as provided in this embodiment, includes: The graph construction module 201 is used to collect device fingerprint data and behavioral traffic signals of IoT terminals, construct a fingerprint-driven graph based on the device fingerprint data and the behavioral traffic signals, and identify fingerprint drift features from the fingerprint-driven graph to generate a counterfeiting risk identifier. The coverage access module 202 is used to perform identity recognition topology reorganization based on the fingerprint-driven map to generate a high-risk terminal distribution map, and to perform trust decay analysis based on the high-risk terminal distribution map and the spoofing risk identifier to construct an effective access coverage area. The strategy generation module 203 is used to perform token lifecycle analysis on the effective access coverage area to extract authentication confidence identifiers and token time window constraints, and generate authentication task allocation strategies based on the authentication confidence identifiers combined with the effective access coverage area by performing permission interval mapping. Node building module 204 is used to decompose the authentication task allocation strategy into a core authentication sequence and an auxiliary authentication sequence, perform elastic access capacity analysis on the auxiliary authentication sequence to form a hot standby authentication node cluster, and perform unauthorized access anomaly monitoring on the core authentication sequence in combination with the token time window constraint to obtain distortion signals. The instruction output module 205 is used to extract permission correction parameters based on the distorted signal, perform deviation compensation matching between the permission correction parameters and the hot standby authentication node cluster to determine the takeover authentication link, and seamlessly connect the takeover authentication link with the core authentication sequence to output access authentication instructions.
[0067] The aforementioned IoT device access authentication system 200 for smart campuses can implement the IoT device access authentication method for smart campuses described in the above method embodiments. The options in the above method embodiments are also applicable to this embodiment and will not be detailed here. The remaining content of this application embodiment can be referred to the content of the above method embodiments, and will not be repeated in this embodiment.
[0068] The purpose of the above embodiments is to reproduce and derive the technical solution of the present invention by way of example, and to fully describe the technical solution, purpose and effect of the present invention. The purpose is to enable the public to have a more thorough and comprehensive understanding of the disclosure of the present invention, and not to limit the scope of protection of the present invention.
[0069] The above embodiments are not an exhaustive list based on the present invention, and there may be many other embodiments not listed. Any substitutions and improvements made without departing from the concept of the present invention are within the protection scope of the present invention.
Claims
1. A method for authenticating IoT device access in smart campuses, characterized in that, include: Collect device fingerprint data and behavioral traffic signals from IoT terminals, construct a fingerprint driving map based on the device fingerprint data and the behavioral traffic signals, and generate a counterfeiting risk identifier from the fingerprint driving map by identifying fingerprint drift features. Based on the fingerprint-driven graph, an identity recognition topology reorganization is performed to generate a high-risk terminal distribution map. Based on the high-risk terminal distribution map and the spoofing risk identifier, a trust decay analysis is performed to construct an effective access coverage area. Token lifecycle analysis is performed on the effective access coverage area to extract authentication confidence identifiers and token time window constraints. Based on the authentication confidence identifiers and the effective access coverage area, permission interval mapping is performed to generate an authentication task allocation strategy. The authentication task allocation strategy is decomposed into a core authentication sequence and an auxiliary authentication sequence. Elastic access capacity analysis is performed on the auxiliary authentication sequence to form a hot standby authentication node cluster. Unauthorized access anomaly monitoring is performed on the core authentication sequence, and distortion signals are obtained by combining the token time window constraint. Based on the distorted signal, the permission correction parameters are extracted, and the permission correction parameters are matched with the hot standby authentication node cluster to determine the takeover authentication link. The takeover authentication link is then seamlessly connected with the core authentication sequence to output the access authentication command.
2. The method according to claim 1, characterized in that, The step of generating a counterfeit risk identifier by identifying fingerprint drift features from the fingerprint driving map includes: The fingerprint driving map is grouped by device type, and the fingerprint baseline feature set of each type of device is extracted; The fingerprint baseline feature set is subjected to temporal difference processing to generate a fingerprint change rate distribution; Based on the fingerprint change rate distribution, abrupt change segments are identified to generate a candidate set of abrupt changes. Based on the mutation jump candidate set, counterfeit features are extracted to generate counterfeit risk identifiers.
3. The method according to claim 1, characterized in that, The construction of an effective access coverage domain based on trust decay analysis using the high-risk terminal distribution map and the spoofing risk identifier includes: The high-risk terminal distribution map is divided into regional risk sub-maps according to physical region boundaries; Based on the regional risk sub-atlas and the counterfeit risk identifier, an analysis of the risk propagation intensity between regions is performed to generate a risk propagation constraint matrix. A dynamic trust score sequence is generated by performing differentiated trust decay processing on the risk propagation constraint matrix. An effective access coverage area is constructed by setting an access trust threshold based on the dynamic trust scoring sequence.
4. The method according to claim 1, characterized in that, The step of performing token lifecycle analysis on the effective access coverage area to extract authentication confidence identifiers and token time window constraints includes: Extract the token request records of each terminal within the valid access coverage area; The token request records are parsed for lifecycle and frequency features are extracted to generate token remaining lifecycle and frequency fluctuation indicators; The frequency fluctuation index and the remaining lifespan of the token are jointly evaluated to generate a confidence score matrix; Based on the confidence score matrix, low-confidence terminal markers are extracted to generate authentication confidence identifiers and token time window constraints.
5. The method according to claim 1, characterized in that, The process of performing elastic access capacity analysis on the auxiliary authentication sequence to form a hot standby authentication node cluster includes: The auxiliary authentication sequence is divided into intra-domain authentication node groups and cross-domain authentication node groups according to the network topology location; A proximity distribution matrix is generated by performing topological proximity calculations on the same-domain authentication node group and the cross-domain authentication node group. Perform resilient access capacity aggregation analysis on the proximity distribution matrix to generate a capacity-proximity joint scoring sequence; Based on the capacity-neighbor joint scoring sequence, high-priority nodes are selected to form a hot standby authentication node cluster.
6. The method according to claim 1, characterized in that, The step of performing unauthorized access anomaly monitoring on the core authentication sequence, combined with obtaining distortion signals by the token time window constraint, includes: Unauthorized access behavior is extracted from the core authentication sequence to generate an unauthorized access event sequence; The sequence of unauthorized access events is time-aligned with the token time window constraint to generate a request density distribution within the time window; Extract the request source jump frequency from the request density distribution within the time window to generate a source jump distribution sequence; Based on the source jump distribution sequence, abnormal source jump segments are identified to generate distorted signals.
7. The method according to claim 1, characterized in that, The step of performing deviation compensation matching between the permission correction parameters and the hot standby authentication node cluster to determine the takeover authentication link includes: The permission correction parameter is decomposed into a short-range permission deviation component and a permission drift component; In the hot standby authentication node cluster, a candidate takeover node set is formed by filtering based on the short-range permission deviation component according to permission similarity. Extract session context state parameters from the candidate takeover node set to generate a session continuity sequence; The takeover authentication link is determined by combining the permission drift component with the session continuity sequence for comprehensive adaptation evaluation.
8. The method according to claim 4, characterized in that, The step of jointly evaluating the frequency fluctuation index and the remaining lifetime of the token to generate a confidence score matrix includes: The frequency fluctuation index is subjected to time-series differential processing to generate a frequency change rate sequence; From the frequency change rate sequence, identify frequency surge segments and generate surge trigger sets; For the sudden increase trigger set, the confidence prediction correction is performed in conjunction with the frequency fluctuation index to generate a prediction correction confidence group; Based on the predicted and corrected confidence group, a time-varying mapping is performed on the remaining lifetime of the token to generate a confidence score matrix.
9. The method according to claim 7, characterized in that, The step of combining the permission drift component with the session continuity sequence to perform a comprehensive adaptation evaluation to determine the takeover authentication link includes: The permission drift component and the session continuity sequence are subjected to error quantization to generate an error coverage score sequence; Extract protocol adaptation features from the session continuity sequence to generate a protocol handover cost sequence; The error coverage score sequence and the protocol switching cost sequence are adaptively fused to generate a dynamic adaptation score matrix. The takeover authentication link is determined based on the score ranking of each node in the dynamic adaptation scoring matrix.
10. An IoT device access authentication system for smart campuses, characterized in that, include: The graph construction module is used to collect device fingerprint data and behavioral traffic signals of IoT terminals, construct a fingerprint-driven graph based on the device fingerprint data and behavioral traffic signals, and identify fingerprint drift features from the fingerprint-driven graph to generate a counterfeiting risk identifier. The coverage access module is used to perform identity recognition topology reorganization based on the fingerprint-driven map to generate a high-risk terminal distribution map, and to perform trust decay analysis based on the high-risk terminal distribution map and the spoofing risk identifier to construct an effective access coverage area. The strategy generation module is used to perform token lifecycle analysis on the effective access coverage area to extract authentication confidence identifiers and token time window constraints, and generate authentication task allocation strategies based on the authentication confidence identifiers combined with the effective access coverage area by performing permission interval mapping. The node construction module is used to decompose the authentication task allocation strategy into a core authentication sequence and an auxiliary authentication sequence, perform elastic access capacity analysis on the auxiliary authentication sequence to form a hot standby authentication node cluster, and perform unauthorized access anomaly monitoring on the core authentication sequence in combination with the token time window constraint to obtain distortion signals. The instruction output module is used to extract permission correction parameters based on the distorted signal, perform deviation compensation matching between the permission correction parameters and the hot standby authentication node cluster to determine the takeover authentication link, and seamlessly connect the takeover authentication link with the core authentication sequence to output access authentication instructions.