IoT device anomaly identification and isolation method and apparatus, electronic device, and storage medium

By constructing a behavioral baseline map through edge computing and monitoring traffic characteristics in real time, and combining it with micro-segmentation technology to dynamically segment VLANs, the latency and security issues of abnormal identification and isolation of IoT devices are solved, achieving efficient and secure anomaly handling.

CN122160153APending Publication Date: 2026-06-05SHENZHEN SINOBRY ELECTRONICS LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHENZHEN SINOBRY ELECTRONICS LTD
Filing Date
2026-03-24
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In existing technologies, cloud-based detection of IoT devices suffers from high latency, making it impossible to locally cut off lateral intrusions and leading to easy leakage of privacy data. Local protection is difficult to implement due to computing power limitations, and rule-based firewalls have a high false alarm rate and cannot adapt dynamically, resulting in insufficient home network security.

Method used

By using edge computing to perform traffic fingerprint analysis when IoT devices access the gateway, a behavioral baseline map is constructed, traffic characteristics are monitored in real time, an alarm mechanism is triggered by setting an abnormal threshold, VLANs are dynamically segmented using micro-segmentation technology, and a visual management interface is provided for isolation and recovery.

Benefits of technology

It enables accurate identification and rapid isolation of IoT device anomalies, improves network security and stability, reduces response latency, protects user privacy, and reduces false alarm rates.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160153A_ABST
    Figure CN122160153A_ABST
Patent Text Reader

Abstract

The embodiment of the application discloses an IoT device anomaly identification and isolation method and device, electronic equipment and a storage medium, and relates to the technical field of network security and edge computing, wherein the method comprises: when an IoT device accesses a gateway and utilizes edge computing to perform traffic fingerprint analysis, recording communication characteristics and integrating them into a behavior benchmark atlas. In device use, current network traffic data is continuously captured, compared and analyzed with the behavior benchmark atlas in real time, and it is judged whether there is an anomaly. If the device is abnormal, an abnormal traffic threshold is set, an alarm mechanism is triggered, and an isolation instruction is generated and pushed to the underlying router. The router dynamically adjusts network configuration by using micro-isolation technology, and migrates the abnormal device to an isolated VLAN to limit network access. The isolated device information and reasons can be visually displayed through a development management interface. After the user confirms the safety of the device and performs a one-key recovery operation, the device is migrated back to the main network and the permission is restored. The application effectively solves the problem of IoT device anomaly processing in the prior art.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the fields of network security and edge computing technology, and in particular to a method, apparatus, electronic device and storage medium for identifying and isolating anomalies in IoT devices. Background Technology

[0002] With the rapid popularization of smart home and Internet of Things (IoT) devices, home network environments are becoming increasingly complex. Various IoT terminals, due to security vulnerabilities such as outdated firmware updates and weak passwords, frequently become entry points for hackers. Hackers often exploit these vulnerabilities to incorporate IoT devices into "botnets," launching distributed denial-of-service (DDoS) attacks, data theft, or lateral movement attacks, seriously threatening home network security and user privacy.

[0003] However, traditional security solutions mainly rely on cloud detection, which has significant drawbacks: cloud detection requires uploading home traffic data to a server for analysis, which not only has high latency (usually several seconds to minutes), causing delayed attack response, but also cannot directly cut off the lateral penetration path of infected devices locally (such as attacking core devices such as NAS and computers within the home).

[0004] Furthermore, cloud-based solutions rely on a centralized architecture, meaning that the home network will lose its protection if cloud services are interrupted or attacked. Additionally, user privacy data (such as device behavior logs and communication content) needs to be uploaded to third-party servers, posing a risk of leakage. Existing local protection technologies are difficult to implement due to computing power limitations. Home routers have limited computing power and cannot support complex deep learning models for real-time traffic analysis; while traditional rule-based firewalls require manual rule configuration and cannot dynamically adapt to the diverse behavior patterns of IoT devices, resulting in high false alarm rates and poor protection effectiveness.

[0005] Therefore, there is an urgent need for a method for identifying and isolating abnormal IoT device traffic at low cost and high efficiency, and to achieve real-time detection and isolation. Summary of the Invention

[0006] This invention provides a method for identifying and isolating anomalies in IoT devices, addressing the problems of high latency in cloud-based detection, inability to locally prevent lateral movement, easy leakage of privacy data, difficulty in implementing local protection due to computing power limitations, and high false alarm rates and inability to dynamically adapt to existing rule-based firewalls. The technical solution is as follows: According to one aspect of the present invention, a method for identifying and isolating anomalies in IoT devices is provided. The method includes: when an IoT device is connected to a gateway, performing traffic fingerprint analysis on the IoT device through edge computing to record communication characteristics and obtain a behavioral baseline map; the communication characteristics include domain name, server IP address, average peak traffic, and communication protocol type; during the use of the IoT device, performing traffic monitoring on the IoT device to obtain current network traffic data, and performing real-time comparison and traffic anomaly analysis with the communication characteristics in the behavioral baseline map to obtain a determination result of whether the IoT device is abnormal; if the IoT device is abnormal, triggering an alarm mechanism through a policy engine, using a router to dynamically split the IoT device into virtual island VLANs based on micro-segmentation technology, migrating the IoT device from the main network to an isolated VLAN; displaying a list of isolated IoT devices and the reasons for isolation through a visual management interface; if the user confirms the IoT device is safe through the management interface and performs a one-click recovery operation, adjusting the network configuration through the router to reconnect the IoT device to the main network and restore normal operation.

[0007] In one embodiment, a private key and software upgrade file are loaded. When an IoT device connects to the gateway, traffic fingerprint analysis is performed on the IoT device using edge computing to record communication characteristics and obtain a behavioral baseline map. This is achieved through the following steps: When the IoT device connects to the gateway for the first time, the edge computing capabilities of the gateway or router are used to perform a 24- to 72-hour traffic fingerprint analysis on the device locally and record communication characteristics; the collected communication characteristics are integrated into a behavioral baseline map corresponding to the IoT device; the behavioral baseline map is used as a reference standard for traffic monitoring.

[0008] In one embodiment, the process of monitoring the network traffic of the IoT device during its use, obtaining current network traffic data, and comparing it in real time with the communication characteristics in the behavioral benchmark graph, and performing traffic anomaly analysis, is achieved through the following steps: During normal use of the IoT device, the IoT device's traffic is monitored, and the current network traffic data of the IoT device is continuously captured; the traffic data includes real-time domain name, target IP, traffic volume, and protocol type; the traffic data is compared in real time with the communication characteristics in the behavioral benchmark graph, and traffic anomaly analysis is performed to analyze whether there are any deviations; the anomalies include abnormal IP connections, sudden large traffic uploads, and scanning of other ports on the local area network.

[0009] In one embodiment, if the IoT device malfunctions, an alarm mechanism is triggered through the policy engine by the following steps: setting an abnormal traffic threshold; when the current network traffic data monitoring index of the IoT device exceeds the threshold, it is marked as abnormal and an abnormality determination result is obtained; the policy engine triggers an alarm mechanism based on the abnormality determination result, generates an isolation command, and pushes it to the router's underlying layer.

[0010] In one embodiment, the IoT device is dynamically segmented into virtual island VLANs using micro-segmentation technology by the router. The migration of the IoT device from the main network to the isolated VLAN is achieved through the following steps: by using micro-segmentation technology at the router's underlying layer and dynamically adjusting the network configuration, the IoT device is migrated from the main network to the isolated VLAN; the device under the isolated VLAN only retains the necessary communication with the router's management plane and cannot access the Internet or other terminals within the local area network.

[0011] In one embodiment, displaying the list of isolated IoT devices and the reasons for isolation through a visual management interface is achieved through the following steps: An App or Web management interface is developed to display the isolation information and reasons for isolation of the isolated IoT devices in a visual list format; the isolation information includes device name, MAC address, timestamp of abnormal behavior, trigger rules, and historical records; the reasons for isolation include abnormal IP connection and excessive traffic.

[0012] In one embodiment, if the user confirms the IoT device is secure through the management interface and performs a one-click recovery operation, the IoT device can be reconnected to the main network and restored to normal operation by adjusting the network configuration through the router. This is achieved through the following steps: After the user confirms the IoT device is secure through the management interface and clicks the one-click recovery button, the router sends a network configuration adjustment command. According to the network configuration adjustment command, the IoT device is migrated from the isolated VLAN back to the main network, and normal network access permissions are restored.

[0013] According to one aspect of the present invention, an IoT device anomaly identification and isolation device is provided, the device comprising: a graph construction and feature recording module, configured to perform traffic fingerprint analysis on the IoT device through edge computing and record communication features when the IoT device is connected to a gateway, thereby obtaining a behavioral baseline graph; the communication features include domain name, server IP address, average peak traffic, and communication protocol type; and a traffic monitoring and anomaly determination module, configured to perform traffic monitoring on the IoT device during its use to obtain current network traffic data, and perform real-time comparison and traffic anomaly analysis with the communication features in the behavioral baseline graph to obtain the IoT device anomaly identification and isolation device. The system includes: a device malfunction determination result; a dynamic isolation and VLAN segmentation module, used to trigger an alarm mechanism through a policy engine if the IoT device malfunctions, and to use the router to dynamically segment the IoT device into a virtual island VLAN based on micro-segmentation technology, migrating the IoT device from the main network to an isolated VLAN; and a user interface and one-click recovery module, used to display a list of isolated IoT devices and the reasons for isolation through a visual management interface. If the user confirms the IoT device is safe through the management interface and performs a one-click recovery operation, the network configuration can be adjusted through the router to reconnect the IoT device to the main network and restore normal operation.

[0014] According to one aspect of the present invention, an electronic device includes at least one processor and at least one memory, wherein computer-readable instructions are stored on the memory; the computer-readable instructions are executed by one or more of the processors to cause the electronic device to implement the IoT device anomaly identification and isolation method as described above.

[0015] According to one aspect of the present invention, a storage medium has computer-readable instructions stored thereon, which are executed by one or more processors to implement the IoT device anomaly identification and isolation method as described above.

[0016] The beneficial effects of the technical solution provided by this invention are: In the above technical solution, this invention utilizes edge computing to perform 24-72 hour traffic fingerprint analysis when IoT devices connect to the gateway, recording communication characteristics and integrating them into a behavioral baseline map as a traffic monitoring reference standard. During device use, current network traffic data is continuously captured and compared in real-time with the behavioral baseline map to determine if there are abnormal IP connections, sudden large traffic uploads, or other anomalies. If a device is found to be abnormal, an abnormal traffic threshold is set, triggering an alarm mechanism and generating an isolation command that is pushed to the router's underlying layer. The router employs micro-segmentation technology to dynamically adjust network configuration, migrating abnormal devices to isolated VLANs and restricting their network access. An App or Web management interface is developed to visually display the information of the isolated devices and the reasons for their isolation. Once the user confirms the device's safety and performs a one-click recovery operation, the router sends a network configuration adjustment command to migrate the device back to the main network and restore its permissions. This method achieves accurate identification and effective isolation of IoT device anomalies, enhancing network security and stability, and effectively addressing the shortcomings of existing technologies in handling IoT device anomalies. Attached Figure Description

[0017] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments of the present invention will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings based on these drawings without creative effort.

[0018] Figure 1 This is a flowchart illustrating an IoT device anomaly identification and isolation method according to an exemplary embodiment; Figure 2 This is a schematic diagram of the architecture of an IoT device anomaly identification and isolation method in an application scenario; Figure 3 yes Figure 2 A flowchart illustrating the process of determining anomalies in IoT devices in corresponding application scenarios; Figure 4 This is a block diagram illustrating an IoT device anomaly identification and isolation device according to an exemplary embodiment; Figure 5 This is a hardware structure diagram of an electronic device according to an exemplary embodiment; Figure 6 This is a block diagram illustrating an electronic device according to an exemplary embodiment. Detailed Implementation

[0019] Embodiments of the present invention are described in detail below. Examples of these embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain the present invention, and should not be construed as limiting the present invention.

[0020] Those skilled in the art will understand that, unless specifically stated otherwise, the singular forms “a,” “an,” “the,” and “the” used herein may also include the plural forms. It should be further understood that the term “comprising” as used in this disclosure means the presence of the stated features, integers, steps, operations, elements, and / or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and / or groups thereof. It should be understood that when we say an element is “connected” or “coupled” to another element, it can be directly connected or coupled to the other element, or there may be intermediate elements. Furthermore, “connected” or “coupled” as used herein can include wireless connections or wireless coupling. The term “and / or” as used herein includes all or any units and all combinations of one or more associated listed items.

[0021] This invention provides a method for identifying and isolating anomalies in IoT devices. By constructing a behavioral baseline graph, performing real-time traffic comparison and analysis, triggering alarms to isolate abnormal devices, and providing visualization and one-click recovery mechanisms, it achieves accurate identification and rapid isolation of IoT device anomalies. This effectively solves the problems of low efficiency and insufficient security in existing IoT device security management technologies. This method is applicable to IoT device anomaly identification and isolation devices, which can be electronic devices. The IoT device anomaly identification and isolation method in this invention can be applied to various scenarios, such as IoT device anomaly identification and isolation.

[0022] Please see Figure 1 This invention provides a method for identifying and isolating anomalies in IoT devices, applicable to electronic devices.

[0023] In the following method embodiments, for ease of description, the execution subject of each step of the method is an electronic device, but this does not constitute a specific limitation.

[0024] like Figure 1 As shown, the method may include the following steps: Step 110: When an IoT device connects to the gateway, traffic fingerprint analysis is performed on the IoT device through edge computing to record communication characteristics and obtain a behavioral baseline map.

[0025] In one possible implementation, when an IoT device first connects to the gateway, the edge computing capabilities of the gateway or router are used to perform a 24- to 72-hour traffic fingerprint analysis on the device locally and record communication characteristics; the collected communication characteristics are then integrated into a behavioral baseline map corresponding to the IoT device.

[0026] Among them, the behavioral baseline map is used as a reference standard for traffic monitoring; communication characteristics include domain name, server IP address, average peak traffic, communication protocol type, etc., which are not specified here.

[0027] Specifically, when an IoT device first connects to the gateway, the edge computing capabilities of the gateway or router are used to perform a 24-72 hour traffic fingerprint analysis on the device locally. During this period, detailed communication characteristics of the device are recorded, covering key information such as commonly used domain names (DNS), the IP address of the fixed connection server, average peak traffic, and communication protocol types (e.g., MQTT, HTTP). These collected communication characteristics are integrated to form a behavioral baseline map corresponding to the IoT device. This map will serve as an important reference standard for subsequent traffic monitoring to determine whether the device's traffic is normal.

[0028] The 24-72 hour analysis period is designed to comprehensively and accurately capture the network traffic characteristics of devices under normal conditions. Different types and usage scenarios of IoT devices exhibit varying traffic patterns; a longer analysis period can cover traffic activity across different time periods and under different operations, thus constructing a more realistic baseline profile. Recording multiple communication characteristics is crucial because these characteristics reflect the device's network behavior from multiple dimensions, and a comprehensive consideration allows for a more accurate assessment of the device's status.

[0029] In the above process, the embodiments of the present invention utilize edge computing to perform long-term traffic fingerprint analysis and construct behavioral benchmark maps locally, thereby enabling a comprehensive and accurate grasp of the normal traffic characteristics of IoT devices, providing a reliable traffic monitoring reference standard, and laying the foundation for accurate identification of abnormal traffic in the future.

[0030] Step 120: During the use of the IoT device, traffic monitoring is performed to obtain the current network traffic data, and the data is compared in real time with the communication characteristics in the behavioral benchmark graph and traffic anomaly analysis is performed to obtain the judgment result of whether the IoT device is abnormal.

[0031] In one possible implementation, during normal use of IoT devices, traffic monitoring is performed on the IoT devices, continuously capturing the current network traffic data of the IoT devices, and comparing the traffic data with the communication characteristics in the behavioral benchmark map in real time and performing traffic anomaly analysis to analyze whether there are any deviations.

[0032] Traffic data includes real-time domain names, target IPs, traffic volume, protocol types, etc.; anomalies include abnormal IP connections, sudden large traffic uploads, scanning of other ports on the local area network, etc., none of which are specified here.

[0033] Specifically, during normal use of IoT devices, continuous traffic monitoring is performed to capture real-time network traffic data, including real-time domain names, target IPs, traffic volume, and protocol types. The captured traffic data is then compared in real-time with the communication characteristics in the behavioral baseline graph constructed in step one, and traffic anomaly analysis is performed. Careful analysis is conducted to identify any discrepancies, with a focus on abnormal IP connections (such as attempts to connect to unauthorized overseas IPs), sudden large upload volumes, and scanning of other ports on the local area network.

[0034] Continuous real-time monitoring is crucial for promptly detecting even the slightest changes in device traffic and addressing any potential anomalies. Comparing real-time data with a baseline graph is essential because the baseline graph represents the traffic pattern under normal device conditions; this comparison allows for quick assessment of whether current traffic deviates from the normal range. Paying attention to specific anomalies is also vital because these often indicate attacks or malfunctions, and timely detection effectively prevents the escalation of security issues.

[0035] In the above process, the embodiments of the present invention continuously monitor traffic in real time and compare and analyze it with a benchmark graph, which enables timely detection of abnormal changes in the traffic of IoT devices, provides a timely and effective means of anomaly detection, and realizes rapid detection of abnormal behavior of IoT devices.

[0036] Step 130: If the IoT device is abnormal, the alarm mechanism is triggered through the policy engine. The router uses micro-segmentation technology to dynamically split the IoT device into virtual island VLANs and migrate the IoT device from the main network to the isolated VLAN.

[0037] In one possible implementation, an abnormal traffic threshold is set. When the current network traffic data monitoring index of the IoT device exceeds the threshold, it is marked as abnormal and an abnormality judgment result is obtained. The policy engine triggers an alarm mechanism based on the abnormality judgment result, generates an isolation command, and pushes it to the router's underlying layer.

[0038] One possible implementation involves using micro-segmentation technology at the router level to dynamically adjust network configurations and migrate IoT devices from the main network to isolated VLANs.

[0039] Devices in isolated VLANs only retain necessary communication with the router's management plane and cannot access the Internet or other terminals within the local area network.

[0040] Specifically, an abnormal traffic threshold is set. When the current network traffic data monitoring indicators of IoT devices exceed this threshold, they are marked as abnormal, and an anomaly determination result is obtained. The policy engine triggers an alarm mechanism based on the anomaly determination result, generates an isolation command, and pushes it to the router's underlying layer. The router's underlying layer employs micro-segmentation technology, dynamically adjusting network configurations to migrate IoT devices from the main network to isolated VLANs. Under the isolated VLAN, devices only retain necessary communication with the router's management plane and cannot access the internet or other terminals within the local area network.

[0041] Setting abnormal traffic thresholds clarifies the criteria for determining whether a device is abnormal, avoiding false positives and false negatives. Triggering alarm mechanisms and generating isolation commands through a policy engine enables automated response processes, improving efficiency. Employing micro-segmentation technology and dynamically adjusting network configurations to migrate abnormal devices to isolated VLANs effectively blocks communication between abnormal devices and other devices, preventing attack spread, while preserving necessary communication between the device and the router management plane for convenient subsequent management and recovery.

[0042] In the above process, the embodiments of the present invention, by setting thresholds, automatically triggering alarms and isolation commands, and adopting micro-segmentation technology, enable the rapid and accurate isolation of abnormal IoT devices, providing efficient security protection measures and preventing abnormal devices from causing further harm to the home network.

[0043] Step 140: The list of isolated IoT devices and the reasons for isolation are displayed through a visual management interface. If the user confirms the safety of the IoT devices through the management interface and performs a one-click recovery operation, the IoT devices can be reconnected to the main network and resume normal operation by adjusting the network configuration through the router.

[0044] One possible implementation involves developing an app or web management interface to display the isolation information and reasons for the isolation of the isolated IoT devices in a visual list format.

[0045] The isolation information includes device name, MAC address, timestamp of abnormal behavior, trigger rules and history, etc.; the reasons for isolation include abnormal IP connection, traffic exceeding limit, etc., none of which are specified here.

[0046] In one possible implementation, after the user confirms the IoT device is secure in the management interface and clicks the one-click restore button, a network configuration adjustment command is sent through the router. Based on the network configuration adjustment command, the IoT device is migrated from the isolated VLAN back to the main network, and normal network access is restored.

[0047] Specifically, an app or web management interface is developed to display the isolation information and reasons for the isolated IoT devices in a visual list format. Isolation information includes device name, MAC address, timestamps of abnormal behavior, trigger rules, and historical records; isolation reasons include abnormal IP connections and excessive traffic. Once the user confirms the IoT device's security in the management interface and clicks the one-click restore button, a network configuration adjustment command is sent through the router. Based on this command, the IoT device is migrated from the isolated VLAN back to the main network, and normal network access is restored.

[0048] The system features a visual management interface, allowing users to intuitively understand the status of isolated devices, including basic device information and details of abnormal behavior, which helps users make accurate judgments. A one-click recovery function simplifies the user operation process and improves the user experience. Users can perform the recovery operation after confirming the device's safety, ensuring that only confirmed devices can reconnect to the main network, thus guaranteeing network security.

[0049] In the above process, the embodiments of the present invention enable users to easily manage isolated IoT devices through visual management and one-click recovery functions, providing a user-friendly interactive experience and realizing the flexible restoration of normal network access of devices while ensuring network security.

[0050] Through the above process, this invention establishes a complete IoT device security protection system by constructing a behavioral baseline map, real-time traffic monitoring and anomaly analysis, isolation and handling of abnormal devices, and visualized management and recovery of isolated devices. This solution achieves the identification and automated isolation of abnormal traffic from IoT devices at the home gateway (router) level, effectively solving the problems of high latency in traditional cloud-based security detection and the inability to directly cut off lateral movement of infected devices locally. It features rapid response, privacy protection, and prevention of lateral movement, enabling timely detection and isolation of abnormal IoT devices and ensuring the safe and stable operation of the home network.

[0051] In one application scenario, the IoT device anomaly identification and isolation method of the present invention is used to identify and isolate IoT devices anomalies.

[0052] like Figure 2 The diagram illustrates the architecture for identifying and isolating IoT devices using the IoT device anomaly identification and isolation method of the present invention. The architecture mainly includes the external Internet, user terminals, home LAN assets, and home smart gateways / edge terminals.

[0053] External Internet: This includes legitimate cloud servers from the original manufacturer and unknown overseas IP addresses / attack control terminals. Legitimate cloud servers from the original manufacturer are used for normal data interaction and service support with home IoT devices; unknown overseas IP addresses / attack control terminals may launch malicious attacks, threatening home network security.

[0054] Home Smart Gateway / Edge Terminal: This is the core processing component of the entire architecture. The traffic interception module is responsible for capturing traffic entering and leaving the home network; the edge judgment engine identifies and judges traffic based on the behavioral benchmark graph database; the main network VLAN 10 is used for communication by normal devices; the isolation network Sandbox VLAN 20 is used to isolate abnormal devices; the behavioral benchmark graph database stores the normal behavioral characteristics of devices; and the VLAN dynamic switcher is responsible for switching network configurations.

[0055] Home LAN assets include smart speakers, NAS / private cloud devices, controlled / abnormal IoT devices, etc., which are various terminal devices in the home network.

[0056] User terminal: The mobile app alarm push module is used to send device abnormality alarm information to users and receive one-click recovery commands from users.

[0057] Specifically, the original manufacturer's legitimate cloud server and the overseas unfamiliar IP / attacker's control terminal are connected to the traffic interception module of the home smart gateway / edge terminal via the Internet; the home LAN assets are connected to the traffic interception module; the traffic interception module transmits traffic to the edge judgment engine; the edge judgment engine is connected to the main network VLAN 10, the isolated network Sandbox VLAN 20, the behavior baseline graph database, and the VLAN dynamic switch; the user terminal has a connection relationship with the devices in the home LAN assets and the VLAN dynamic switch (through command interaction).

[0058] Specifically, using the above architecture for IoT device anomaly identification and isolation may include the following steps: Step S1: Traffic capture and preliminary analysis.

[0059] Specifically, the traffic interception module in the home smart gateway / edge device remains constantly operational, comprehensively and continuously capturing traffic from the external internet and home LAN assets. Regarding the external internet, it receives legitimate data related to home IoT devices from the manufacturer's legitimate cloud servers, such as device firmware update information and user remote control commands. It also handles malicious traffic potentially initiated by unknown overseas IPs or attacker control terminals, such as DDoS attack traffic and malicious scanning traffic. Similarly, the traffic interception module accurately captures various communication traffic generated during the operation of smart speakers, NAS / private clouds, and controlled / abnormal IoT devices within the home LAN assets.

[0060] Furthermore, the traffic interception module transmits the captured massive traffic data to the edge judgment engine stably and efficiently according to certain data formats and transmission rules, making full preparations for subsequent traffic analysis and anomaly detection.

[0061] In the above process, the embodiments of the present invention comprehensively and meticulously acquire network traffic through the traffic interception module. Regardless of whether the traffic source is a legitimate external service, a potential malicious attack, or normal or abnormal communication of home devices, it can be effectively captured, providing comprehensive and detailed data support for subsequent accurate anomaly judgment, and ensuring that no traffic information that may affect network security is missed.

[0062] Step S2: Traffic determination and device isolation.

[0063] Specifically, after receiving traffic data from the traffic interception module, the edge detection engine immediately initiates the detection process. It retrieves historical normal behavior data of relevant devices from the behavior baseline graph database. This data covers the communication characteristics of devices in different time periods and operating states, such as normal domain name access records, target IP distribution range, traffic volume variation patterns, and commonly used communication protocol types.

[0064] Next, the edge detection engine performs a detailed comparison and analysis of the captured real-time traffic data with normal behavioral characteristics in the behavioral baseline graph database. If the real-time traffic data highly matches the normal behavioral characteristics and is determined to be normal traffic, then the traffic is allowed to enter the main network VLAN 10 to ensure normal communication and data interaction between devices. If the real-time traffic data deviates significantly from the normal behavioral characteristics, such as abnormal IP connections (e.g., connections to known malicious IP addresses), sudden large traffic uploads (far exceeding the normal traffic range of the device), or frequent scanning of other ports on the local area network, then it is determined to be abnormal traffic.

[0065] Once abnormal traffic is identified, the edge detection engine quickly invokes the VLAN dynamic switcher to dynamically adjust network configuration, migrating the IoT device generating abnormal traffic from the main network VLAN 10 to the isolated Sandbox VLAN 20. In the isolated network, the device retains only necessary communication with the router's management plane for subsequent management and monitoring, while its communication links with the internet and other normal terminal devices within the local area network are severed to prevent further spread of abnormal behavior and disruption to the secure operation of other devices.

[0066] In the above process, the embodiments of the present invention, through the precise traffic determination of the edge judgment engine and the rapid isolation measures of the VLAN dynamic switch, can detect and handle abnormal devices in the first instance, effectively prevent abnormal devices from further damaging the home network, and ensure the stable operation of other normal devices in the main network and the overall network security.

[0067] like Figure 3 As shown, anomaly detection may specifically include the following steps: Step S201: Intercept communication messages and extract features.

[0068] Specifically, after starting to monitor IoT devices, the system first activates a message interception mechanism to accurately capture the headers of IoT device communication messages. This process needs to ensure the timeliness and completeness of the interception to avoid missing key information. Next, key features are meticulously extracted from the captured message headers, covering information such as the five-tuple (source IP address, destination IP address, source port number, destination port number, and transport layer protocol, which can identify the two communicating parties and the type of protocol used), traffic rate (reflecting the amount of data transmitted by the device per unit time, an important indicator for judging the device's communication activity), and geographical location (obtained through IP address resolution, etc., which helps identify whether there are abnormal remote connections).

[0069] Furthermore, these extracted features will serve as core data for subsequent comparison with the behavioral baseline map, and their accuracy and completeness directly affect the results of subsequent anomaly detection. By accurately intercepting messages and comprehensively extracting key features, a solid data foundation is built for accurately determining whether device behavior is normal, ensuring that in-depth analysis of device communication can be conducted from multiple key dimensions.

[0070] Step S202: Retrieve the baseline spectrum and compare and score it.

[0071] Specifically, based on the IoT device's unique identifier or type, the system retrieves the corresponding local behavioral benchmark map from a local behavioral benchmark map library. This map is pre-established through long-term monitoring and analysis of the device's normal communication behavior and includes the device's communication characteristics under various normal states. The features extracted in step S201 are compared one by one with the features in the retrieved behavioral benchmark map, and a score is awarded according to preset detailed scoring rules. The scoring rules comprehensively consider the matching degree of each feature, such as the matching of the five-tuple, the deviation range of the traffic rate, and the rationality of the geographical location.

[0072] Furthermore, this detailed comparison and scoring allows for a direct and quantitative understanding of the degree of deviation between the current device's communication characteristics and normal behavior patterns, providing a clear basis for subsequent risk level assessment. By retrieving targeted behavioral benchmark maps and conducting comprehensive and detailed comparison and scoring, it is possible to accurately measure whether abnormal device behavior has occurred, effectively avoiding misjudgments and omissions.

[0073] Step S203: Determine the risk level.

[0074] Specifically, based on the comparison and scoring results in step S202, the system determines whether there is an abnormal offset. If the comparison and scoring shows that the feature deviates from the normal range and an abnormal offset occurs, the risk level is further determined by combining information such as geographical location as high risk / overseas anomaly. This situation often means that the device may have suffered a malicious attack from overseas or has serious abnormal behavior. If there is no abnormal offset or the degree of offset is within the normal fluctuation range, it is determined to be low risk / occasional. This situation may be some accidental fluctuations in the device during normal communication.

[0075] Furthermore, for low-risk / occasional situations, the system records detailed log information, including device identification, time, comparison score, etc., and continuously observes the device's subsequent behavior in order to promptly detect potential abnormal trends; for high-risk / overseas abnormal situations, it immediately executes automated isolation commands, dynamically switches the device's MAC address to the Sandbox VLAN, and pushes security alarm notifications to the user.

[0076] In the above process, the embodiments of the present invention, through clear risk level judgment criteria and corresponding differentiated handling measures, can take the most appropriate response strategy according to the severity of the device anomaly, which not only ensures the security and stability of the home network, but also avoids affecting the use of normal devices due to excessive intervention.

[0077] In the above process, this embodiment of the invention first accurately intercepts the header of communication messages and extracts key features such as the five-tuple during the anomaly detection of IoT devices, laying a solid data foundation for analysis. Next, it retrieves the corresponding behavioral benchmark graph, meticulously compares and scores the data, and clarifies the degree of feature deviation. Then, based on the score, it determines the risk level; low-risk devices are logged for continuous observation, while high-risk devices are immediately isolated and the user is alerted. By establishing clear standards and differentiated measures, it can both promptly respond to serious anomalies to ensure network security and avoid excessive intervention in normal devices, achieving efficient and accurate detection and handling of IoT device anomalies.

[0078] Step S3, Alarm and Recovery.

[0079] Specifically, when an IoT device is identified as abnormal and migrated to the isolated Sandbox VLAN 20 network, the mobile app alarm push module will be activated immediately. It will send detailed abnormal alarm information to the corresponding app on the user's mobile phone through a pre-set communication protocol and push mechanism. The alarm information will not only clearly indicate the name and MAC address of the isolated device, but also detail the time of the abnormal behavior, the specific rules that triggered it, and related historical records, allowing the user to clearly understand the abnormal situation of the device.

[0080] After receiving an alarm message and carefully verifying that the device is safe, the user can initiate a recovery operation via the one-click recovery button on the mobile app. The mobile app will transmit the user's recovery command over the network to the home smart gateway / edge device. Upon receiving the command, the VLAN dynamic switch will dynamically adjust the network configuration again, migrating the device from the isolated Sandbox VLAN 20 network back to the main network VLAN 10 and restoring its normal network access permissions, enabling the device to resume normal communication and data interaction with other devices.

[0081] In the above process, the embodiments of the present invention promptly provide users with device anomaly information through the mobile app alarm push module, allowing users to keep abreast of network dynamics. At the same time, it provides a convenient one-click recovery operation, enabling users to quickly restore the normal operation of the device after confirming that the device is safe. Under the premise of ensuring network security, it greatly improves user experience and network availability.

[0082] Through the above process, this invention is applied to IoT device anomaly identification and isolation scenarios, with an architecture covering the external internet, user terminals, home LAN assets, and home smart gateways / edge devices. First, the traffic interception module comprehensively captures traffic, providing data for anomaly detection. Next, the edge detection engine performs traffic analysis, accurately identifying anomalies by combining behavioral benchmark maps, and isolating abnormal devices through a VLAN dynamic switch. In the anomaly detection stage, intercepted packets are first used to extract features, retrieve benchmark maps for comparison and scoring, and then the risk level is determined based on the results, with different measures taken accordingly. Finally, the mobile app alarm push module alerts the user, who can restore the device to the main network with a one-click operation. This invention achieves fully automated processing from traffic capture, anomaly detection, device isolation to user notification and recovery, effectively ensuring home network security and stability and improving user experience.

[0083] The following are embodiments of the apparatus of the present invention, which can be used to execute the IoT device anomaly identification and isolation method involved in the present invention. For details not disclosed in the apparatus embodiments of the present invention, please refer to the method embodiments of the IoT device anomaly identification and isolation method involved in the present invention.

[0084] Please see Figure 4 This invention provides an IoT device anomaly identification and isolation device 800.

[0085] The IoT device anomaly identification and isolation device 800 includes, but is not limited to: a map construction and feature recording module 810, a traffic monitoring and anomaly judgment module 830, a dynamic isolation and VLAN segmentation module 850, and an interface interaction and one-click recovery module 870.

[0086] Among them, the graph construction and feature recording module 810 is used to perform traffic fingerprint analysis on IoT devices and record communication characteristics through edge computing when IoT devices are connected to the gateway, so as to obtain a behavioral baseline graph; the communication characteristics include domain name, server IP location, average traffic peak, and communication protocol type.

[0087] The traffic monitoring and anomaly determination module 830 is used to monitor the traffic of IoT devices during their use to obtain current network traffic data, and to compare it in real time with the communication characteristics in the behavioral baseline graph and perform traffic anomaly analysis to obtain a determination result of whether the IoT device is abnormal.

[0088] The Dynamic Isolation and VLAN Segmentation Module 850 is used to trigger an alarm mechanism through the policy engine if an IoT device malfunctions. It uses the router to dynamically segment the IoT device into virtual island VLANs based on micro-segmentation technology, migrating the IoT device from the main network to the isolated VLAN.

[0089] The interface interaction and one-click recovery module 870 is used to display a list of isolated IoT devices and the reasons for isolation through a visual management interface. If the user confirms the safety of the IoT devices through the management interface and performs a one-click recovery operation, the IoT devices can be reconnected to the main network and resume normal operation by adjusting the network configuration through the router.

[0090] It should be noted that the IoT device anomaly identification and isolation provided in the above embodiments are only illustrated by the division of the above functional modules. In actual applications, the above functions can be assigned to different functional modules as needed. That is, the internal structure of the IoT device anomaly identification and isolation device will be divided into different functional modules to complete all or part of the functions described above.

[0091] Furthermore, the embodiments of the IoT device anomaly identification and isolation device and the IoT device anomaly identification and isolation method provided in the above embodiments belong to the same concept, and the specific way in which each module performs its operation has been described in detail in the method embodiments, and will not be repeated here.

[0092] Figure 5A schematic diagram of the structure of an electronic device according to an exemplary embodiment is shown.

[0093] It should be noted that this electronic device is merely an example adapted to the present invention and should not be construed as providing any limitation on the scope of use of the present invention. Furthermore, this electronic device should not be interpreted as requiring or depending on having... Figure 5 One or more components of the exemplary electronic device 2000 shown.

[0094] The hardware structure of electronic devices 2000 can vary significantly due to differences in configuration or performance, such as... Figure 5 As shown, the electronic device 2000 includes: a power supply 210, an interface 230, at least one memory 250, and at least one central processing unit (CPU) 270.

[0095] Specifically, power supply 210 is used to provide operating voltage for various hardware devices on electronic device 2000.

[0096] Interface 230 includes at least one wired or wireless network interface 231 for interacting with external devices. Of course, in other examples adapted to this invention, interface 230 may further include at least one serial-to-parallel conversion interface 233, at least one input / output interface 235, and at least one USB interface 237, etc. Figure 5 As shown, this does not constitute a specific limitation.

[0097] The memory 250 serves as a carrier for resource storage and can be a read-only memory, random access memory, disk, or optical disk, etc. The resources stored on it include the operating system 251, application programs 253, and data 255, etc., and the storage method can be temporary storage or permanent storage.

[0098] The operating system 251 is used to manage and control the various hardware devices and application programs 253 on the electronic device 2000, so as to enable the central processing unit 270 to perform calculations and processing on the massive data 255 in the memory 250. It can be Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.

[0099] Application 253 is a computer-readable instruction based on operating system 251 that performs at least one specific task, and may include at least one module ( Figure 5 (Not shown), each module may contain computer-readable instructions for the electronic device 2000. For example, the IoT device anomaly identification and isolation device can be considered as application 253 deployed on the electronic device 2000.

[0100] Data 255 may be signal information, etc., and is stored in memory 250.

[0101] The central processing unit 270 may include one or more processors and is configured to communicate with the memory 250 via at least one communication bus to read computer-readable instructions stored in the memory 250, thereby enabling the computation and processing of massive amounts of data 255 in the memory 250. For example, an IoT device anomaly identification and isolation method can be implemented by the central processing unit 270 reading a series of computer-readable instructions stored in the memory 250.

[0102] Furthermore, the present invention can also be implemented through hardware circuits or a combination of hardware circuits and software. Therefore, the implementation of the present invention is not limited to any specific hardware circuit, software, or combination thereof.

[0103] Please see Figure 6 This invention provides an electronic device 4000, which may include: a desktop computer, a laptop computer, a server, etc., with sensor recognition capabilities.

[0104] exist Figure 6 In this context, the electronic device 4000 includes at least one processor 4001 and at least one memory 4003.

[0105] The data interaction between the processor 4001 and the memory 4003 can be achieved through at least one communication bus 4002. This communication bus 4002 may include a path for transmitting data between the processor 4001 and the memory 4003. The communication bus 4002 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, etc. The communication bus 4002 can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, Figure 6 The bus is represented by a single thick line, but this does not mean that there is only one bus or one type of bus.

[0106] Optionally, the electronic device 4000 may further include a transceiver 4004, which can be used for data interaction between the electronic device and other electronic devices, such as sending and / or receiving data. It should be noted that in practical applications, the transceiver 4004 is not limited to one type, and the structure of the electronic device 4000 does not constitute a limitation on the embodiments of the present invention.

[0107] Processor 4001 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It can implement or execute the various exemplary logic blocks, modules, and circuits described in conjunction with the disclosure of this invention. Processor 4001 may also be a combination that implements computing functions, such as including one or more microprocessor combinations, a combination of a DSP and a microprocessor, etc.

[0108] The memory 4003 may be a ROM (Read Only Memory) or other type of static storage device capable of storing static information and instructions, RAM (Random Access Memory) or other type of dynamic storage device capable of storing information and instructions, or an EEPROM (Electrically Erasable Programmable Read Only Memory), CD-ROM (Compact Disc Read Only Memory) or other optical disc storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital universal optical discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium capable of carrying or storing desired program instructions or code in the form of instructions or data structures and accessible by the electronic device 4000, but not limited thereto.

[0109] The memory 4003 stores computer-readable instructions, and the processor 4001 can read the computer-readable instructions stored in the memory 4003 through the communication bus 4002.

[0110] The computer-readable instructions are executed by one or more processors 4001 to implement the IoT device anomaly identification and isolation methods in the above embodiments.

[0111] Furthermore, this embodiment of the invention provides a storage medium storing computer-readable instructions, which are executed by one or more processors to implement the IoT device anomaly identification and isolation method described above.

[0112] This invention provides a computer program product, which includes computer-readable instructions stored in a storage medium. One or more processors of an electronic device read the computer-readable instructions from the storage medium, load and execute the computer-readable instructions, thereby enabling the electronic device to implement the IoT device anomaly identification and isolation method as described above.

[0113] Compared with related technologies, the beneficial effects of the present invention are: 1. This invention can accurately identify abnormal behavior of IoT devices; by intercepting device communication messages and extracting key features such as the five-tuple, flow rate, and geographical location, it performs detailed comparison and scoring with a pre-established behavioral benchmark map, and accurately determines whether the device has abnormal deviations based on the scoring results, thereby accurately identifying abnormal behavior and effectively avoiding misjudgment and omission.

[0114] 2. This invention has the ability to quickly isolate abnormal devices; after determining that a device is abnormal through the edge judgment engine, it quickly calls the VLAN dynamic switcher to dynamically adjust the network configuration, migrates the abnormal device to the isolated network, cuts off its communication links with the Internet and other normal devices in the local area network, prevents the spread of abnormal behavior, and ensures the stable operation of other devices in the main network and the overall network security.

[0115] 3. This invention can promptly provide users with feedback on abnormal information; through the mobile app alarm push module, after the device is determined to be abnormal and isolated, detailed abnormal alarm information is immediately sent to the user, including basic device information, abnormal behavior time, trigger rules and historical records, so that the user can keep abreast of the abnormal situation of the device.

[0116] 4. This invention features a convenient device recovery mechanism; by having the user perform a one-click recovery operation on a mobile app, the recovery command is transmitted to the home smart gateway / edge terminal, and the VLAN dynamic switch dynamically adjusts the network configuration again, migrating the device back to the main network and restoring its normal network access permissions. This allows the user to quickly restore the device to normal operation after confirming its security, improving user experience and network availability.

[0117] 5. This invention can build a comprehensive data foundation; through the traffic interception module, it can comprehensively and meticulously capture traffic from external Internet and home LAN assets, regardless of whether the traffic source is legal or not, or whether the device communication is normal or not, and can effectively obtain it, providing comprehensive and detailed data support for subsequent operations such as anomaly judgment, isolation, alarm and recovery.

[0118] It should be understood that although the steps in the flowcharts of the accompanying figures are shown sequentially as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the accompanying figures may include multiple sub-steps or multiple stages. These sub-steps or stages are not necessarily completed at the same time, but can be executed at different times, and their execution order is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the sub-steps or stages of other steps.

[0119] The above description is only a partial embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principle of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.

Claims

1. A method for anomaly identification and isolation of IoT devices, characterized in that, The method includes: When an IoT device is connected to the gateway, edge computing is used to perform traffic fingerprint analysis on the IoT device to record communication characteristics and obtain a behavioral baseline map. The communication characteristics include domain name, server IP address, average peak traffic, and communication protocol type. During the use of the IoT device, traffic monitoring is performed on the IoT device to obtain the current network traffic data, and the data is compared in real time with the communication characteristics in the behavioral benchmark map and traffic anomaly analysis is performed to obtain the determination result of whether the IoT device is abnormal; If the IoT device malfunctions, an alarm mechanism is triggered through the policy engine, and the router dynamically splits the IoT device into virtual island VLANs based on micro-segmentation technology, migrating the IoT device from the main network to the isolated VLAN. The management interface displays a list of isolated IoT devices and the reasons for isolation. If the user confirms the IoT device is safe through the management interface and performs a one-click recovery operation, the network configuration can be adjusted through the router to reconnect the IoT device to the main network and restore normal operation.

2. The IoT device anomaly identification and isolation method as described in claim 1, characterized in that, When an IoT device connects to the gateway, edge computing is used to perform traffic fingerprint analysis on the IoT device to record communication characteristics and obtain a behavioral baseline map, including: When an IoT device first connects to the gateway, the edge computing capabilities of the gateway or router are used to perform a 24- to 72-hour traffic fingerprint analysis on the device locally and record its communication characteristics. The collected communication features are integrated into a behavioral baseline map corresponding to the IoT device; the behavioral baseline map is used as a reference standard for traffic monitoring.

3. The IoT device anomaly identification and isolation method as described in claim 1, characterized in that, The step of monitoring the network traffic of the IoT device during its use to obtain current network traffic data, and comparing it in real time with the communication characteristics in the behavioral benchmark map and performing traffic anomaly analysis, includes: During normal use of the IoT device, traffic monitoring is performed on the IoT device to continuously capture the current network traffic data of the IoT device; the traffic data includes real-time domain name, target IP, traffic volume, and protocol type; The traffic data is compared with the communication features in the behavioral baseline map in real time, and traffic anomaly analysis is performed to analyze whether there are any deviations; the anomalies include abnormal IP connections, sudden large traffic uploads, and scanning of other ports on the local area network.

4. The IoT device anomaly identification and isolation method as described in claim 3, characterized in that, If the IoT device malfunctions, an alarm mechanism is triggered through the policy engine, including: An abnormal traffic threshold is set. When the current network traffic data monitoring index of the IoT device exceeds the threshold, it is marked as abnormal and an abnormal judgment result is obtained. The policy engine triggers an alarm mechanism based on the abnormal judgment result, generates an isolation command, and pushes it to the router's underlying layer.

5. The IoT device anomaly identification and isolation method as described in claim 1, characterized in that, The step of using a router to dynamically segment the IoT devices into virtual island VLANs based on micro-segmentation technology, migrating the IoT devices from the main network to isolated VLANs, includes: By employing micro-segmentation technology at the router's underlying layer and dynamically adjusting network configuration, the IoT devices are migrated from the main network to an isolated VLAN. Devices in the isolated VLAN only retain necessary communication with the router's management plane and cannot access the Internet or other terminals within the local area network.

6. The IoT device anomaly identification and isolation method as described in claim 1, characterized in that, The list of isolated IoT devices and the reasons for isolation are displayed through a visual management interface, including: The isolation information and reasons for the isolated IoT devices are displayed in a visual list format through an app or web management interface. The isolation information includes the device name, MAC address, timestamp of abnormal behavior, trigger rules, and historical records. The reasons for isolation include abnormal IP connection and excessive traffic.

7. The IoT device anomaly identification and isolation method as described in claim 1, characterized in that, If the user confirms the IoT device is secure through the management interface and performs a one-click recovery operation, the IoT device is reconnected to the main network and restored to normal operation by adjusting the network configuration through the router, including: After the user confirms the IoT device is secure in the management interface and clicks the one-click restore button, a network configuration adjustment command is sent through the router. According to the network configuration adjustment command, the IoT device is migrated from the isolated VLAN back to the main network and normal network access is restored.

8. An IoT device anomaly identification and isolation device, characterized in that, The device includes: The graph construction and feature recording module is used to perform traffic fingerprint analysis on IoT devices and record communication characteristics through edge computing when IoT devices are connected to the gateway, thereby obtaining a behavioral baseline graph. The communication characteristics include domain name, server IP address, average traffic peak, and communication protocol type. The traffic monitoring and anomaly determination module is used to monitor the traffic of the IoT device during its use to obtain the current network traffic data, and to compare it in real time with the communication characteristics in the behavior benchmark map and perform traffic anomaly analysis to obtain a determination result of whether the IoT device is abnormal. The dynamic isolation and VLAN segmentation module is used to trigger an alarm mechanism through the policy engine if the IoT device is abnormal. The router uses micro-segmentation technology to dynamically segment the IoT device into virtual island VLANs and migrate the IoT device from the main network to the isolated VLAN. The interface interaction and one-click recovery module is used to display the list of isolated IoT devices and the reasons for isolation through a visual management interface. If the user confirms that the IoT device is safe through the management interface and performs a one-click recovery operation, the network configuration can be adjusted through the router to reconnect the IoT device to the main network and restore normal operation.

9. An electronic device, characterized in that, include: At least one processor and at least one memory, wherein, The memory stores computer-readable instructions; The computer-readable instructions are executed by one or more of the processors, causing the electronic device to implement the IoT device anomaly identification and isolation method as described in any one of claims 1 to 7.

10. A storage medium having computer-readable instructions stored thereon, characterized in that, The computer-readable instructions are executed by one or more processors to implement the IoT device anomaly identification and isolation method as described in any one of claims 1 to 7.