An AI-based intelligent risk control and dynamic scheduling method for an internet of things card

By performing graph structure and time series collaborative feature extraction and causal analysis on multi-source heterogeneous data from IoT cards, an atomic network action set is generated, which solves the problem of the separation between risk control and resource scheduling in IoT card management and achieves a balance between security and efficiency in dynamic network environments.

CN122160189APending Publication Date: 2026-06-05HANGZHOU MUCHEN TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HANGZHOU MUCHEN TECHNOLOGY CO LTD
Filing Date
2026-05-08
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In existing IoT SIM card management, risk control and network resource scheduling are disconnected and difficult to coordinate. Risk perception is limited in dimensions, diagnosis is inaccurate, response is delayed, and handling strategies are static and rigid, making it unable to adapt to dynamic and complex network environments and security threats.

Method used

By extracting collaborative features based on graph structure and time series from multi-source heterogeneous data in the IoT card network domain, associated terminal device domain, and upper-layer business domain, interpretable causal discovery and quantitative analysis are performed. This generates an atomic set of network actions bound to risk causal logic and business context, and solves collaborative strategies to output dynamic network resource scheduling strategies.

Benefits of technology

It enables the identification, root cause location, and transmission path quantification of potential risks in IoT SIM card networks, and generates control actions closely bound to the causal logic of risks and business context, ensuring that network resources are intelligently and efficiently scheduled in complex and dynamic environments, and guaranteeing system security, business continuity, and service quality.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160189A_ABST
    Figure CN122160189A_ABST
Patent Text Reader

Abstract

The application discloses an AI-based Internet of Things card intelligent risk control and dynamic scheduling method, and belongs to the technical field of communication. Through deep fusion of collaborative feature extraction of multi-source heterogeneous data, interpretable causal discovery and quantitative analysis, decoupling and mapping of resource control intention, and collaborative strategy solving, the problems of risk control and resource scheduling fragmentation, limited risk perception dimension, inaccurate diagnosis, response lag, and static and rigid treatment strategy in the management of Internet of Things cards are effectively solved. Thus, the identification, root location and conduction path quantification of potential risks in the Internet of Things card network are realized, and atomized control actions closely bound with risk causal logic and business context can be generated. Through collaborative strategy solving with the balanced target of inhibiting risk diffusion and guaranteeing the quality of key business services, it is ensured that network resources can be intelligently and efficiently scheduled in a complex and dynamic Internet of Things environment.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of communication technology, and in particular to an AI-based intelligent risk control and dynamic scheduling method for IoT cards. Background Technology

[0002] The Internet of Things (IoT) technology is driving the development of key areas such as connected vehicles and the industrial internet, and IoT SIM cards, as core connectivity carriers, are becoming increasingly important and widespread. However, the management of IoT SIM cards currently faces serious security risks and resource efficiency challenges. Malicious attacks and device malfunctions can lead to service interruptions and wasted network resources.

[0003] Existing solutions generally suffer from the following problems: risk control and network resource scheduling are disconnected and difficult to coordinate; the perception of risks is limited, resulting in inaccurate diagnosis and delayed response; and the handling strategies are often static and rigid, unable to adapt to the dynamic and complex network environment and the continuously evolving security threats.

[0004] Therefore, the industry urgently needs a technical solution that can achieve a balance between security and efficiency in complex and dynamic IoT environments. Summary of the Invention

[0005] This application provides an AI-based intelligent risk control and dynamic scheduling method for IoT cards, the technical solution of which is as follows: On the one hand, an AI-based intelligent risk control and dynamic scheduling method for IoT cards is provided, the method comprising: For multi-source heterogeneous data from IoT card network domain, associated terminal device domain and upper-layer service domain, collaborative feature extraction based on graph structure and time series is performed to obtain topological feature vector and behavioral feature vector. The topological feature vector represents the spatial association between entities, and the behavioral feature vector is used to describe the temporal evolution of entity states. Based on the topological feature vector and the behavioral feature vector, interpretable causal discovery and quantitative analysis are performed to obtain a set of causal nodes and a set of weighted causal edges. The set of causal nodes is used to identify the root causes of risks, and the set of weighted causal edges is used to characterize the risk transmission path and intensity. The resource regulation intent is decoupled and mapped from the causal node set, the weighted causal edge set, and the key business identifiers extracted from the business domain data of the multi-source heterogeneous data, generating an atomic network action set bound to risk causal logic and business context. Based on the weighted causal edge set, the atomic network action set, and the real-time network resource status, a collaborative strategy is solved with the balanced objective of suppressing the spread of risk along the causal edges and ensuring the quality of critical business services. The network resource scheduling strategy is then output and executed.

[0006] On the one hand, an AI-based IoT card intelligent risk control and dynamic scheduling device is provided, the device comprising: The feature extraction module is used to perform collaborative feature extraction based on graph structure and time series on multi-source heterogeneous data from IoT card network domain, associated terminal device domain and upper layer business domain to obtain topological feature vector and behavioral feature vector. The topological feature vector represents the spatial relationship between entities, and the behavioral feature vector is used to describe the temporal evolution of entity state. The analysis module is used to perform interpretable causal discovery and quantitative analysis based on the topological feature vector and the behavioral feature vector, to obtain a set of causal nodes and a set of weighted causal edges. The set of causal nodes is used to identify the root causes of risks, and the set of weighted causal edges is used to characterize the risk transmission path and intensity. The extraction module is used to decouple and map the resource regulation intentions of the causal node set, the weighted causal edge set, and the key business identifiers extracted from the business domain data of the multi-source heterogeneous data, and generate an atomic network action set bound to the risk causal logic and business context. The solution module is used to solve a collaborative strategy based on the weighted causal edge set, the atomic network action set, and the real-time network resource status, with the balance goal of suppressing the spread of risk along the causal edges and ensuring the quality of critical business services, and outputs and executes the network resource scheduling strategy.

[0007] On one hand, a computer device is provided, the computer device including one or more processors and one or more memories, the one or more memories storing at least one computer program, the computer program being loaded and executed by the one or more processors to implement the AI-based IoT card intelligent risk control and dynamic scheduling method.

[0008] On the one hand, a computer-readable storage medium is provided, wherein at least one computer program is stored in the computer-readable storage medium, the computer program being loaded and executed by a processor to implement the AI-based IoT card intelligent risk control and dynamic scheduling method.

[0009] On the one hand, a computer program product or computer program is provided, which includes program code stored in a computer-readable storage medium. The processor of a computer device reads the program code from the computer-readable storage medium and executes the program code, causing the computer device to execute the aforementioned AI-based IoT card intelligent risk control and dynamic scheduling method. Attached Figure Description

[0010] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0011] Figure 1 This is a schematic diagram of the implementation environment of an AI-based IoT card intelligent risk control and dynamic scheduling method provided in an embodiment of this application; Figure 2 This is a flowchart of an AI-based IoT card intelligent risk control and dynamic scheduling method provided in an embodiment of this application; Figure 3 This is a flowchart of another AI-based IoT card intelligent risk control and dynamic scheduling method provided in the embodiments of this application; Figure 4 This is a flowchart of another AI-based IoT card intelligent risk control and dynamic scheduling method provided in the embodiments of this application; Figure 5 This is a flowchart of another AI-based IoT card intelligent risk control and dynamic scheduling method provided in the embodiments of this application; Figure 6 This is a flowchart of another AI-based IoT card intelligent risk control and dynamic scheduling method provided in the embodiments of this application; Figure 7 This is a schematic diagram of the structure of an AI-based IoT card intelligent risk control and dynamic scheduling device provided in an embodiment of this application; Figure 8 This is a schematic diagram of the structure of a server provided in an embodiment of this application. Detailed Implementation

[0012] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings.

[0013] In this application, the terms "first," "second," etc., are used to distinguish identical or similar items with essentially the same function. It should be understood that there is no logical or temporal dependency between "first," "second," and "nth," nor are there any restrictions on quantity or execution order.

[0014] Artificial intelligence (AI) is the theory, methods, technology, and application systems that use digital computers or machines controlled by digital computers to simulate, extend, and expand human intelligence, perceive the environment, acquire knowledge, and use that knowledge to achieve better results. In other words, AI is a comprehensive technology within computer science that attempts to understand the essence of intelligence and produce a new kind of intelligent machine that can react in a way similar to human intelligence. AI studies the design principles and implementation methods of various intelligent machines, enabling them to possess the functions of perception, reasoning, and decision-making.

[0015] Artificial intelligence (AI) is a comprehensive discipline encompassing a wide range of fields, including both hardware and software technologies. Fundamental AI technologies generally include sensors, dedicated AI chips, cloud computing, distributed storage, big data processing, operating / interactive systems, and mechatronics. AI software technologies primarily include computer vision, speech processing, natural language processing, and machine learning / deep learning.

[0016] Machine learning (ML) is a multidisciplinary field involving probability theory, statistics, approximation theory, convex analysis, and algorithm complexity theory, among others. It specifically studies how computers can simulate or implement human learning behavior to acquire new knowledge or skills, and reorganize existing knowledge sub-models to continuously improve their performance. Machine learning is the core of artificial intelligence and the fundamental way to endow computers with intelligence; its applications span all areas of artificial intelligence. Machine learning and deep learning typically include techniques such as artificial neural networks, belief networks, reinforcement learning, transfer learning, inductive learning, and instruction-based learning.

[0017] IoT SIM card network domain: refers to the communication network environment in which the IoT SIM card is located, including infrastructure such as base stations, core network elements, and transmission links. Its data usually includes traffic, connection status, signaling information, etc.

[0018] Associated terminal device domain: refers to various terminal devices that connect to the IoT card and interact with it for data, such as sensors, smart terminals, and industrial control equipment. Their data usually includes device operating status, sensor readings, log information, etc.

[0019] Upper-layer business domain: refers to various application services carried by IoT cards and terminal devices, such as vehicle networking applications, industrial control applications, smart home applications, etc. Its data usually includes business type, priority, service quality indicators, etc.

[0020] Multi-source heterogeneous data: refers to a collection of data from different systems, formats, and semantics. In this method, it specifically refers to data from the IoT card network domain, associated terminal device domain, and upper-layer business domain.

[0021] Graph structure: refers to a data organization form that uses nodes and edges to represent entities and their relationships, effectively capturing the spatial relationships between entities.

[0022] Time series: refers to a set of data points arranged in chronological order, which can reflect the dynamic evolution of an entity's state over time.

[0023] Topological feature vector: refers to the numerical representation obtained through feature extraction that characterizes the spatial relationships and structural properties between entities.

[0024] Behavioral feature vector: refers to the numerical representation obtained through feature extraction that describes the temporal evolution pattern and dynamic behavioral characteristics of an entity's state.

[0025] Causal node set: refers to the set of entities or events that are the root causes of risk, identified through causal discovery and quantitative analysis.

[0026] Weighted causal edge set: refers to the set of directed edges obtained through causal discovery and quantitative analysis, which characterizes the transmission path and intensity of risk between entities, with each edge having a weight value.

[0027] Key business identifiers: These are tags extracted from business domain data to identify specific businesses that have high requirements for business continuity or service quality.

[0028] Atomized network action set: refers to the smallest granular set of network control operation instructions that are generated after decoupling and mapping, are closely bound to the risk causal logic and business context, and can be directly executed.

[0029] Real-time network resource status: refers to dynamic information such as the availability, utilization rate, and load of various resources in the current network.

[0030] Collaborative strategy solution: refers to the process of finding the optimal or near-optimal decision solution that can simultaneously satisfy multiple objectives (such as risk mitigation and business protection) under multi-objective constraints through optimization algorithms.

[0031] Network resource scheduling strategy: refers to the specific scheme or instruction sequence generated based on the solution results of the cooperative strategy, which is used to guide the allocation, configuration and adjustment of network resources.

[0032] It should be noted that the information (including but not limited to user device information, user personal information, etc.), data (including but not limited to data used for analysis, data stored, data displayed, etc.) and signals involved in this application are all authorized by the user or fully authorized by all parties, and the collection, use and processing of related data must comply with the relevant laws, regulations and standards of the relevant countries and regions.

[0033] Figure 1 This is a schematic diagram illustrating the implementation environment of an AI-based IoT card intelligent risk control and dynamic scheduling method provided in this application embodiment. See also... Figure 1 This implementation environment may include node 110 and server 140.

[0034] Node 110 connects to server 140 via a wireless or wired network. Optionally, node 110 can be a smartphone, tablet, laptop, desktop computer, etc., but is not limited to these. Node 110 has an application installed and running that supports AI-based IoT card intelligent risk control and dynamic scheduling.

[0035] Server 140 is a standalone physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, Content Delivery Network (CDN), and big data and artificial intelligence platforms. Server 140 can provide background services for applications running on node 110.

[0036] Traditional IoT SIM card management suffers from a disconnect between risk control and network resource scheduling, hindering their coordination. Limited risk perception dimensions lead to inaccurate diagnosis and delayed responses. Furthermore, response strategies are often static and rigid, failing to adapt to dynamic and complex network environments and continuously evolving security threats. These issues collectively impede achieving a balance between security and efficiency in complex and dynamic IoT environments.

[0037] To address this, this application proposes an AI-based intelligent risk control and dynamic scheduling method for IoT SIM cards. This method comprehensively perceives the spatial relationships between entities and the temporal evolution of entity states by extracting collaborative features from multi-source heterogeneous data from the IoT SIM card network domain, associated terminal device domain, and upper-layer business domain based on graph structure and time series. Based on the extracted topological feature vectors and behavioral feature vectors, interpretable causal discovery and quantitative analysis are performed to identify the root causes of risks and quantify the risk transmission paths and intensity. Furthermore, the resource regulation intentions of the causal node set, weighted causal edge set, and key business identifiers are decoupled and mapped to generate an atomic set of network actions bound to the risk causal logic and business context. Based on the weighted causal edge set, atomic network action set, and real-time network resource status, a collaborative strategy is solved with the balanced objective of suppressing risk propagation along causal edges and ensuring the quality of key business services. The resulting dynamic network resource scheduling strategy is then output and executed.

[0038] See Figure 2 This includes the following steps.

[0039] 201. For multi-source heterogeneous data from the IoT SIM card network domain, associated terminal device domain, and upper-layer service domain, perform collaborative feature extraction based on graph structure and time series to obtain topological feature vectors and behavioral feature vectors. The topological feature vectors represent the spatial relationships between entities, while the behavioral feature vectors describe the temporal evolution of entity states.

[0040] In one implementation, data can be collected independently from the IoT SIM card network domain, associated terminal device domain, and upper-layer service domain. For example, the network domain can collect traffic and connection logs; the device domain can collect sensor data and device alarms; and the service domain can collect service requests and quality of service reports. These independently collected data undergo preliminary processing. For instance, simple connectivity analysis is performed on network connection data to form a preliminary topology, and statistical calculations are performed on device sensor data within a time window to form preliminary time-series features. These preliminary topological and time-series features can be easily concatenated or combined to form topological feature vectors and behavioral feature vectors, respectively. In another implementation, a set of rules can be predefined. Based on these rules, fields related to the network topology are filtered from multi-source heterogeneous data and converted into a graph structure representation. For example, the connection relationship between the IoT SIM card and the base station is directly mapped to edges in the graph. Simultaneously, numerical sequences related to changes in entity state are extracted from the data, such as changes in IoT SIM card traffic and changes in device CPU utilization, and these are used as time-series features. After standardization, these features constitute topological feature vectors and behavioral feature vectors, respectively.

[0041] 202. Based on the topological feature vector and behavioral feature vector, interpretable causal discovery and quantitative analysis are performed to obtain the causal node set and the weighted causal edge set. The causal node set is used to identify the root causes of risk, and the weighted causal edge set is used to characterize the risk transmission path and intensity.

[0042] In one implementation, the statistical correlation between topological feature vectors and behavioral feature vectors can be calculated, for example, using a simplified form of mutual information or Granger causality test to identify potential associations. Entities or events with high correlation are initially identified as candidate causal nodes, and candidate causal edges are assigned an initial weight based on the correlation strength. These candidate causal relationships are then screened and adjusted through manual review or based on preset rules to improve their interpretability. In another implementation, a causal rule base based on expert knowledge can be constructed, for example, "If the CPU utilization of device A increases abnormally, it may lead to abnormal traffic of its connected IoT card B." When the topological feature vector and behavioral feature vector satisfy the rule conditions, the corresponding entity is identified as a causal node, and weighted causal edges are generated according to the preset strength values ​​of the rules.

[0043] 203. Decouple and map the resource regulation intent of the causal node set, the weighted causal edge set, and the key business identifiers extracted from the business domain data of multi-source heterogeneous data, and generate an atomic network action set bound to the risk causal logic and business context.

[0044] In one implementation, an action library can be predefined, containing a series of standardized network control actions, such as "rate limiting," "blocking," and "routing switching," each with a default parameter range. When a set of causal nodes and a set of weighted causal edges are identified, one or more matching action templates are selected from the action library based on the risk type (indicated by the set of causal nodes) and the risk propagation strength (indicated by the set of weighted causal edges). A critical business identifier can be used to simply filter out actions that may affect critical business operations, or to assign a fixed high priority to actions related to critical business operations. In another implementation, a simple mapping table can be constructed to directly map specific risk scenarios (described by the set of causal nodes and the set of weighted causal edges) to a predefined sequence of control actions. The critical business identifier serves as additional input, used to coarsely adjust the granularity or intensity of the actions during the mapping process; for example, for critical business operations, a milder control action can be selected to avoid over-intervention.

[0045] 204. Based on the weighted causal edge set, the atomic network action set, and the real-time network resource status, solve the collaborative strategy with the balance goal of suppressing the spread of risk along the causal edge and ensuring the quality of critical business services, and output and execute the network resource scheduling strategy.

[0046] In one implementation, a rule-based decision-making system can be employed. This system pre-defines a series of priority rules, such as "prioritizing the suppression of risk propagation on high-weight causal edges" or "prioritizing the minimum service quality of critical services." When faced with risk, an action is selected from the set of atomic network actions according to these rules, and a simple resource availability check is performed in conjunction with real-time network resource status. For example, if an action requires significant bandwidth, but real-time network resources indicate insufficient bandwidth, the action may be downgraded or replaced. The decision-making process can be a simple sequential execution process until a pre-defined single objective is met. In another implementation, a heuristic algorithm can be used. In each iteration, this algorithm evaluates the potential impact of each atomic network action on risk suppression and service assurance, and selects the currently optimal action. For example, fixed weights can be assigned to risk suppression and service assurance, and then a weighted score can be calculated for each action, selecting the action with the highest score. Real-time network resource status is used to assess the feasibility of the action, for example, checking whether there are sufficient resources to execute a particular action.

[0047] The method proposed in this application effectively addresses the problems of fragmented risk control and resource scheduling, limited risk perception dimensions, inaccurate diagnosis, delayed response, and static and rigid handling strategies in IoT SIM card management by deeply integrating multi-source heterogeneous data for collaborative feature extraction, interpretable causal discovery and quantitative analysis, decoupling and mapping of resource regulation intentions, and collaborative strategy solving. This enables the identification, root cause localization, and quantification of transmission paths of potential risks in IoT SIM card networks, and generates atomic control actions closely bound to risk causal logic and business context. By solving collaborative strategies with the balanced goal of suppressing risk propagation and ensuring the quality of critical business services, the method ensures that network resources can be intelligently and efficiently scheduled in complex and dynamic IoT environments. This maintains business continuity and service quality while ensuring system security, achieving a dynamic balance between security and efficiency.

[0048] In some of the embodiments described above in this application, a collaborative feature extraction based on graph structure and time series is proposed to extract topological feature vectors and behavioral feature vectors. However, in its implementation, there is a lack of an efficient method to construct a graph structure that integrates multi-domain entities, process the dual-stream interaction of graph and time series, and generate feature vectors that enhance contextual information. This results in insufficient accuracy and completeness of feature extraction, affecting the accuracy of subsequent risk diagnosis and resource scheduling.

[0049] To address this, this application further proposes a method for collaborative feature extraction based on graph structure and time series from multi-source heterogeneous data from the IoT SIM card network domain, associated terminal device domain, and upper-layer service domain, to obtain topological feature vectors and behavioral feature vectors. (See [link to relevant documentation]). Figure 3 The method includes: 301. Based on the communication connection and business affiliation between the IoT card and the access base station and associated business server, construct a multi-level heterogeneous graph that integrates network domain, device domain and business domain entities, and map the attributes in the multi-source heterogeneous data to the corresponding nodes and edges of the multi-level heterogeneous graph.

[0050] 302. For this multi-level heterogeneous graph, perform two-stream interactive processing of graph convolution and node temporal states to obtain the result of the interactive processing.

[0051] 303. Based on the interaction processing results, a topological feature vector and a behavioral feature vector are generated respectively. The topological feature vector integrates multi-level entity association and cross-domain interaction information, while the behavioral feature vector strengthens the temporal pattern based on the graph structure context.

[0052] Specifically, when constructing a multi-level heterogeneous graph that integrates entities from the network domain, device domain, and service domain, the multi-level heterogeneous graph is a complex data structure that can effectively integrate nodes and edges from different domains with different types. It abstracts entities such as IoT cards, base stations, and service servers as nodes in the graph, and abstracts the communication connections and service affiliations between them as edges, thus forming a unified, structured data representation. This graph structure can capture complex relationships between entities, such as the physical connection between IoT cards and base stations, and the logical affiliation between IoT cards and service servers. The multi-level characteristic allows for modeling entities and relationships at different granularities or abstraction levels; for example, it can include physical connection relationships or logical service dependencies. The construction of this multi-level heterogeneous graph can be stored and managed using graph databases (such as Neo4j and JanusGraph), where nodes and edges can have different labels and attributes. Alternatively, the graph structure can be represented using an in-memory adjacency matrix or adjacency list, and a dictionary or hash table can be used to store the attributes of different types of nodes and edges. Alternatively, graph data structures provided by graph neural network frameworks (such as PyTorchGeometric and DGL) can be used to construct them. These frameworks typically support the definition and manipulation of heterogeneous graphs.

[0053] Mapping attributes from multi-source heterogeneous data to corresponding nodes and edges in a multi-level heterogeneous graph is a crucial step in endowing the graph with semantic and quantitative information. These attributes can be static, such as device model and geographical location, or dynamic, such as real-time traffic, signal strength, service priority, and sensor readings. Through mapping, each node and edge in the graph carries rich contextual information, enabling the graph to represent not only relationships between entities but also the characteristics and states of the entities themselves. This mapping enhances the graph's expressive power and provides a more comprehensive data foundation for subsequent feature extraction and analysis. The mapping process can directly store the original data fields as attribute values ​​for nodes or edges. For example, traffic values ​​from network domain data can be used as weight attributes for communication connection edges, and priority values ​​from service domain data can be used as type attributes for service-assigned edges. Alternatively, the original data can be preprocessed or feature-engineered. For instance, statistical features (mean, variance, trend, etc.) can be extracted from sensor time-series data, and these statistical features can then be used as fusion state attributes for IoT card nodes. Alternatively, embedding techniques can be used to map high-dimensional raw attribute data into low-dimensional vector representations through a neural network, and then these vectors can be used as attributes of nodes or edges.

[0054] When performing two-stream interactive processing of graph convolution and node temporal states on this multi-level heterogeneous graph, the two-stream interactive processing aims to simultaneously capture the spatial dependencies in the graph structure and the temporal evolution patterns of node attributes, and generate more insightful feature representations through the interaction between the two. Graph convolution operations can aggregate information about node neighbors, thereby capturing spatial associations and structural dependencies between entities. For example, the risk state of an IoT SIM card may be related to the state of its connected base station or other IoT SIM cards under the same base station. Node temporal state processing focuses on the changes in individual node attributes over time, such as the temporal fluctuations in IoT SIM card traffic, signal quality, or service session state. Two-stream interaction means that these two information processing processes are not independent but mutually influential and reinforcing. For example, the result of graph convolution can guide the temporal processing to focus on specific neighbors, and the result of temporal processing can, in turn, affect how graph convolution aggregates neighbor information. This two-stream interactive processing can employ an attention-based fusion method, introducing attention weights for node temporal states or attention weights for graph structural context during graph convolution processing, to achieve dynamic weighted fusion of cross-modal information. Alternatively, two-stream interaction can be achieved through gating mechanisms (such as gating units in GRU or LSTM), where the output of one stream serves as a gating signal for the other, controlling the flow and fusion of information. Another approach is to design a multi-head self-attention network that simultaneously processes graph structure and temporal information, establishing connections and interactions between different modalities through self-attention mechanisms.

[0055] When generating topological and behavioral feature vectors based on the interaction processing results, decoupling and generating these vectors from the dual-stream interaction processing results is crucial for more clearly and specifically characterizing different aspects of the IoT SIM card system. Topological feature vectors primarily describe the spatial relationships and structural dependencies between entities. They integrate the positions, connections, and cross-domain interaction information of multi-level entities within the graph structure, reflecting the relatively stable or slowly changing parts of the system. Behavioral feature vectors, on the other hand, focus on describing the temporal evolution patterns of entity states. They reinforce the temporal patterns based on the graph structure context, capturing the patterns and abnormal behaviors of dynamic changes in entities. This separation allows subsequent risk diagnosis and scheduling decisions to utilize structural and dynamic information separately, improving the accuracy and interpretability of the analysis. This generation process can be achieved by designing two independent feature extraction heads (e.g., two different fully connected layers or convolutional layers) to extract topological and behavioral features from the interaction processing results, respectively. Alternatively, a feature decoupling network can be used, employing techniques such as orthogonality constraints or mutual information minimization to force the two generated feature vectors to be as independent as possible, representing topological and behavioral information respectively. Alternatively, the results of the interactive processing can be decomposed into dimensions (such as PCA or NMF), and then topological feature vectors and behavioral feature vectors can be constructed according to the degree of correlation between the decomposed components and topological or temporal information.

[0056] Through the above technical solutions, this application effectively solves the problems of inaccurate diagnosis and delayed response caused by the lack of efficient feature extraction methods in IoT card intelligent risk control and dynamic scheduling. By constructing a multi-level heterogeneous graph that integrates network domain, device domain, and service domain entities, and mapping the attributes in multi-source heterogeneous data to corresponding nodes and edges, this application can integrate originally scattered and heterogeneous data into a unified and structured representation, overcoming the challenge of difficult collaborative analysis of multi-source data, and laying the foundation for comprehensive perception of the IoT card system's state. Performing graph convolution and node temporal state dual-stream interactive processing on the multi-level heterogeneous graph enables the simultaneous capture of spatial relationships between entities and the temporal evolution of entity attributes. Through deep interaction between the two, the limitations of separating spatial and temporal feature processing in traditional methods are avoided, ensuring a comprehensive understanding of complex dynamic network environments. Based on the interactive processing results, topological feature vectors and behavioral feature vectors are generated respectively. The topological feature vectors integrate multi-level entity associations and cross-domain interaction information, while the behavioral feature vectors enhance the temporal patterns based on the graph structure context. This decoupled feature representation enables subsequent risk causal discovery and resource regulation to better identify the root causes and transmission paths of risks, and to perform refined scheduling based on the dynamic changes in entity behavior, thereby improving the accuracy of IoT card intelligent risk control and the adaptability of dynamic scheduling strategies.

[0057] In some of the embodiments described above in this application, a multi-level heterogeneous graph is proposed to support collaborative feature extraction. However, in its implementation, how to dynamically construct the graph structure to reflect network changes in real time and accurately map multi-source heterogeneous data to nodes and edges to ensure the accuracy and adaptability of feature extraction is a challenge.

[0058] To address this, this application further proposes a step-by-step approach: constructing a multi-level heterogeneous graph that integrates network domain, device domain, and service domain entities based on the communication connections and service affiliation relationships between IoT cards, access base stations, and associated service servers. This involves mapping attributes from multi-source heterogeneous data to corresponding nodes and edges in the multi-level heterogeneous graph. Specifically, this includes: creating a node set and an edge set for the multi-level heterogeneous graph. The node set includes IoT card nodes, base station nodes, and service server nodes; the edge set includes communication connection edges and service affiliation edges. Based on real-time network signaling and service logic configuration, specific nodes in the node set are instantiated, and the edges in the edge set are used to connect corresponding nodes according to actual physical connections and service affiliation relationships, thus completing the dynamic construction of the multi-level heterogeneous graph. Traffic characteristics and signal quality characteristics in the network domain data are mapped to the weight attributes of the communication connection edges; service priority characteristics in the service domain data are mapped to the type attributes of the service affiliation edges; and sensor timing characteristics in the device domain data and network session state characteristics of the IoT card node are jointly mapped to the fusion state attributes of the IoT card node. Based on the completed multi-level heterogeneous graph, the fusion state attributes of the IoT card node are subjected to graph-structure-based neighborhood feature aggregation to generate enhanced node attributes containing network topology context information.

[0059] The process involves creating a multi-level heterogeneous graph, including a node set, a base station node set, and a service server node set. The edge set includes communication connection edges and service affiliation edges. This step lays the foundation for constructing the multi-level heterogeneous graph by clarifying the types of entities included in the graph and their relationships. The node set defines the various entities to be represented in the graph, such as IoT card nodes, base station nodes, and service server nodes, which respectively represent the core connection devices, network access points, and backend systems providing services in the IoT system. The edge set defines the possible connection types between these entities, such as communication connection edges and service affiliation edges, representing physical or logical data transmission paths and service-related subordinate or service relationships, respectively. One implementation approach is to define the types of nodes and edges during system initialization using a pre-defined metadata model or configuration file, assigning a unique identifier and attribute template to each type. Another implementation approach is for the system to dynamically identify and register new node and edge types based on the IoT platform's registration information, network topology discovery protocols (such as LLDP / CDP), and data from the service orchestration system, thereby flexibly expanding the graph's structural definition.

[0060] Based on real-time network signaling and business logic configuration, specific nodes in the node set are instantiated, and the corresponding nodes are connected using the edges in the edge set according to the actual physical connection and service affiliation, thus completing the dynamic construction of this multi-level heterogeneous graph. This step is crucial for the graph structure to reflect network changes in real time. Through real-time network signaling (such as RRC connection establishment / release, attach / detach process, data session activation, etc.) and business logic configuration (such as the binding relationship between IoT cards and specific service servers, QoS policy configuration, etc.), specific IoT card nodes, base station nodes, and service server nodes can be dynamically instantiated, and communication connection edges and service affiliation edges can be established and updated according to the actual physical connection (such as which base station the IoT card accesses through) and service affiliation (such as which service platform the IoT card belongs to). This dynamic construction mechanism ensures that the graph structure can accurately capture the rapidly changing IoT environment. One implementation method is to deploy a real-time signaling parsing module and a service configuration synchronization module. The signaling parsing module continuously listens to control plane messages in the network and extracts connection events between IoT cards and base stations. The service configuration synchronization module periodically obtains the binding information between IoT cards and service servers from the service management platform. This information is sent to the graph database management system, which is responsible for creating, deleting, and establishing and updating edges. Another implementation method is to adopt an event-driven architecture. When critical events occur in the network (such as IoT card launch, base station failure, service migration) or service configuration changes, the corresponding event handlers trigger the graph update service. This service incrementally modifies the multi-level heterogeneous graph according to the event content and preset rules to maintain the real-time performance of the graph.

[0061] This step maps traffic and signal quality features from the network domain data to weight attributes of the communication connection edges, service priority features from the service domain data to type attributes of the service-assigned edges, and sensor timing features from the device domain data and network session state features of the IoT SIM card node to a fused state attribute of the IoT SIM card node. This process effectively integrates heterogeneous data from different data sources into a multi-level heterogeneous graph, providing rich and meaningful input for subsequent feature extraction. By mapping traffic features (such as uplink / downlink bandwidth and packet loss rate) and signal quality features (such as RSRP and SINR) from the network domain data to weight attributes of the communication connection edges, the quality and load of the connection can be quantified. Mapping service priority features (such as emergency services and normal services) from the service domain data to type attributes of the service-assigned edges distinguishes the importance of different services. Mapping sensor timing features (such as temperature, humidity, and location information) from the device domain data and network session state features (such as connection status, IP address, and session duration) of the IoT SIM card node to a fused state attribute comprehensively describes the IoT SIM card's operational status and network behavior. This refined attribute mapping enables nodes and edges in the graph to possess not only structural information but also rich semantic and state information. One implementation approach is to define a unified data model and mapping rules. When raw data is received from the network domain, business domain, or device domain, the data preprocessing module converts the raw data fields into key-value pairs of graph attributes according to these rules and associates them with the corresponding nodes or edges. For example, traffic characteristics can be obtained by calculating the number of bytes or data packets per unit time and used as floating-point weights for communication connection edges. Another implementation approach is to utilize machine learning models for attribute mapping. For example, for complex sensor time-series features, a feature encoder can be trained to compress them into low-dimensional vectors and use them as part of the fused state attributes of IoT card nodes. For business priorities, they can be encoded as enumerated types or one-hot encodings as type attributes of business-assigned edges.

[0062] Based on the constructed multi-level heterogeneous graph, a graph-based neighborhood feature aggregation is performed on the fused state attributes of the IoT SIM card node to generate enhanced node attributes containing network topology context information. This step is crucial for enhancing node attributes using graph structure context information. After the multi-level heterogeneous graph is constructed, performing graph-based neighborhood feature aggregation on the fused state attributes of the IoT SIM card node means that each IoT SIM card node not only considers its own attributes but also incorporates the attribute information of its direct or indirect neighbors. This aggregation operation can capture the interaction between a node and its surrounding environment; for example, the abnormal behavior of an IoT SIM card node may be associated with the state of its connected base station or its associated service server. Through aggregation, enhanced node attributes containing network topology context information can be generated. These attributes more comprehensively reflect the role and state of the IoT SIM card in the entire network, providing richer feature representations for subsequent risk perception and analysis. One implementation approach is to use aggregation functions in graph neural networks (GNNs), such as average aggregation, maximum aggregation, or attention aggregation. For example, for an IoT SIM card node, its own fusion state attribute can be weighted and averaged with the fusion state attributes of all its direct neighbors (such as connected base stations, affiliated service servers, and other IoT SIM cards under the same base station). The weights can be based on the edge type or weight attribute. Another approach is to use random walk or graph diffusion algorithms to capture a wider range of neighborhood information. By simulating the information propagation process in the graph, a context vector containing information about its multi-hop neighbors can be generated for each IoT SIM card node. This context vector can then be concatenated or fused with the IoT SIM card's own fusion state attribute to obtain enhanced node attributes.

[0063] Through the above technical solution, this application effectively addresses the challenge of dynamically constructing a graph structure to reflect network changes in real time and accurately mapping multi-source heterogeneous data to nodes and edges during the construction of a multi-level heterogeneous graph to support collaborative feature extraction, thereby ensuring the accuracy and adaptability of feature extraction. Specifically, by creating a set of nodes including IoT card nodes, base station nodes, and service server nodes, as well as a set of edges including communication connection edges and service affiliation edges, this application provides a clear and structured basic framework for the construction of multi-level heterogeneous graphs. This allows subsequent graph construction and attribute mapping to be performed within a well-defined semantic space, avoiding feature extraction deviations caused by ambiguous graph structure definitions. Based on this, nodes are dynamically instantiated and connected according to real-time network signaling and business logic configuration, completing the dynamic construction of the multi-level heterogeneous graph. This mechanism enables the graph structure to respond in real time to changes in physical connections and adjustments in service affiliation in the IoT environment, ensuring that the graph model remains synchronized with the actual network state. Compared to static graph models, this dynamic construction capability improves the real-time performance of feature extraction and its adaptability to network changes, providing the latest and most accurate topology information for subsequent risk perception. Simultaneously, this application maps traffic characteristics and signal quality characteristics in network domain data to weight attributes of communication connection edges, maps service priority characteristics in service domain data to type attributes of service-assigned edges, and maps sensor time-series characteristics and network session state characteristics of IoT card nodes in device domain data to fused state attributes of IoT card nodes. This refined, multi-dimensional attribute mapping strategy effectively integrates heterogeneous data from different sources, transforming originally scattered and isolated data into semantically rich attributes on nodes and edges in the graph. This not only solves the problem of the difficulty in uniformly representing multi-source heterogeneous data, but also enriches the expressive power of the graph model, enabling each node and edge to carry more comprehensive operational state and business context information, providing high-quality input for subsequent causal discovery and risk analysis. Based on the constructed multi-level heterogeneous graph, a graph-structure-based neighborhood feature aggregation is performed on the fused state attributes of IoT card nodes to generate enhanced node attributes containing network topology context information. This aggregation process ensures that the features of each IoT card node not only contain its own information, but also incorporate the state and behavioral information of its neighboring nodes (such as connected base stations and affiliated service servers), thereby capturing the interdependence and influence between entities. This context-aware feature enhancement enables the generated feature vectors to more comprehensively and deeply reflect the potential risks and abnormal behaviors of IoT cards throughout the network, improving the depth and relevance of feature extraction and providing a more reliable and insightful foundation for subsequent risk diagnosis and scheduling decisions.In summary, this application constructs a multi-level heterogeneous graph that can be dynamically updated in real time and effectively integrate multi-source heterogeneous data through the above technical solutions. On this basis, it generates enhanced node attributes containing rich network topology context information, thereby laying a solid foundation for subsequent collaborative feature extraction, interpretable causal discovery and quantitative analysis, and improving the accuracy and real-time performance of IoT card intelligent risk control and dynamic scheduling.

[0064] In some of the above-mentioned schemes in this application, a two-stream interactive processing of execution graph convolution and node temporal state is proposed to extract spatial and temporal features. However, in this process, spatial structure dependency features and temporal evolution features may be processed independently, lacking an effective fusion mechanism, resulting in insufficient feature interaction and failure to capture complex dependencies between nodes, thereby affecting the accuracy of risk diagnosis and response efficiency.

[0065] To address this, this application further proposes a two-stream interactive processing method for the multi-level heterogeneous graph, involving graph convolution and node temporal states. The method includes: extracting spatial structural dependency features between nodes in the multi-level heterogeneous graph through graph convolution; extracting temporal evolution features of the attributes attached to each node in the multi-level heterogeneous graph through temporal convolution; and applying cross-modal attention weighting to the spatial structural dependency features and the temporal evolution features during the interaction process to obtain the final interactive processing result.

[0066] Specifically, graph convolution is used to extract spatial structural dependency features between nodes in a multi-level heterogeneous graph, aiming to capture the connection patterns and structural relationships of entities such as IoT cards, base stations, and service servers in the network topology. This graph convolution can be implemented in various ways. For example, a standard Graph Convolutional Network (GCN) layer can be used, updating the node representation by aggregating features of each node itself and its neighbors, thereby encoding local graph structure information. Another implementation is a Graph Attention Network (GAT), which assigns different weights to different neighboring nodes through an attention mechanism, enabling more flexible capture of spatial dependencies between different types of entities in heterogeneous graphs. Furthermore, a Heterogeneous Graph Neural Network (HGNN) can be used, specifically designed to handle graphs with multiple node and edge types, extracting richer spatial structural dependency features through type-specific message passing and aggregation mechanisms.

[0067] Temporal convolution extracts the temporal evolution features of the attributes attached to a node on a multi-level heterogeneous graph, aiming to capture the dynamic patterns of attribute changes over time for each IoT card node, base station node, or service server node. This temporal convolution can be implemented in various ways. For example, a one-dimensional convolutional neural network (1D CNN) can be used, operating on the time series of node attributes by sliding convolution kernels to identify short-term temporal patterns, trends, or anomalous fluctuations. Another implementation is to use recurrent neural networks (RNNs) or their variants, such as long short-term memory networks (LSTM) or gated recurrent units (GRUs), which can effectively capture long-term dependencies and complex temporal evolution patterns in the time series. Furthermore, temporal convolutional networks (TCNs) can be used, which utilize dilated convolution to expand the receptive field, thereby capturing longer temporal dependencies while maintaining computational efficiency.

[0068] The key innovation of this application is to achieve cross-modal attention weighting of the spatial structure-dependent features and the temporal evolution features during the interaction process to obtain the interaction processing result. This cross-modal attention weighting mechanism aims to dynamically evaluate and fuse feature information from different modalities (spatial and temporal) to generate a more comprehensive and discriminative interaction processing result. This cross-modal attention weighting can be implemented in various ways. For example, an additive attention mechanism can be used, where spatial and temporal features are linearly transformed and then added together, and attention weights are generated through an activation function. These weights are then applied to the original features and fused. Another implementation is a multiplicative attention mechanism, such as dot product attention, where features from one modality are used as the query and features from the other modality are used as the key. Attention weights are generated by calculating their similarity, thereby achieving weighted feature fusion. Furthermore, a gating mechanism, similar to the gating unit in a recurrent neural network, can be used to control the degree of fusion between spatial and temporal features through learned gating weights, thereby adaptively adjusting the contributions of the two modalities.

[0069] Through the aforementioned technical solution, this application extracts spatial structure dependency features and node temporal evolution features from multi-level heterogeneous graphs using graph convolution and temporal convolution, respectively. Furthermore, it introduces a cross-modal attention weighting mechanism, enabling dynamic and adaptive fusion of these two different modalities during interaction. This fusion method avoids the limitations of simple splicing or independent processing, and can better capture the complex dependencies and dynamic changes between entities in IoT SIM card networks. Specifically, the cross-modal attention weighting mechanism allows for intelligent adjustment of the relative importance of spatial and temporal information based on the current risk scenario or business context. For example, spatial features are emphasized when detecting network topology anomalies, while temporal features are emphasized when identifying device behavior anomalies. This improves the comprehensiveness and accuracy of feature representation, providing more reliable input for subsequent interpretable causal discovery and quantitative analysis, thereby effectively solving the problem of insufficient feature interaction and improving the accuracy of risk diagnosis and the response efficiency of network resource scheduling.

[0070] In some of the embodiments described above in this application, a method is proposed to generate topological feature vectors and behavioral feature vectors based on the interactive processing results to extract features from multi-source heterogeneous data. However, in the implementation process, feature extraction may not fully consider the sensitivity of risk propagation and the influence of graph neighbor context, resulting in the generated feature vectors being inaccurate and unable to effectively support subsequent risk root cause identification and resource scheduling decisions.

[0071] To address this, this application further proposes generating topological feature vectors and behavioral feature vectors based on the interactive processing results. This includes: decoupling the features of the interactive processing results to separate structural components highly correlated with the graph structure and temporal components highly correlated with the temporal evolution of nodes; based on key business identifiers extracted from the business domain data of this multi-source heterogeneous data, performing feature selection and enhancement on the structural component based on risk propagation sensitivity to generate the topological feature vector; and based on the topological structure of this multi-level heterogeneous graph, refining and normalizing the temporal pattern of the temporal component based on the graph neighbor context to obtain the behavioral feature vector.

[0072] Specifically, decoupling the features of the interactive processing result to separate the structural components highly correlated with the graph structure and the temporal components highly correlated with the temporal evolution of nodes means decomposing the mixed feature information into multiple independent or weakly correlated components based on their inherent attributes or sources. The aim here is to separate the static information related to the graph structure and the dynamic information related to the temporal evolution of nodes in the interactive processing result. This separation helps in subsequent targeted processing and optimization of different types of features, avoiding inaccurate analysis caused by information mixing. For example, a deep learning-based decoupling method can be used, employing variants of variational autoencoders (VAEs) or generative adversarial networks (GANs), designing specific loss functions to force the encoder to map the input features to two independent latent spaces, representing the structural and temporal components respectively. Alternatively, matrix factorization techniques, such as nonnegative matrix factorization (NMF) or independent component analysis (ICA), can be used to decompose the feature matrix of the interactive processing result into two or more matrices, where the basis vectors of one matrix primarily capture structural information, and the other primarily captures temporal information.

[0073] Based on key business identifiers extracted from the business domain data of this multi-source heterogeneous data, feature selection and enhancement based on risk propagation sensitivity are performed on the structural component to generate the topological feature vector. Here, key business identifiers are labels or attributes extracted from the business domain data that reflect the importance, priority, or specific attributes of the business. Feature selection and enhancement based on risk propagation sensitivity refers to selectively highlighting or suppressing feature dimensions in the structural component according to the importance of different nodes or entities in the risk propagation path and their impact on key businesses. The aim is to enable the generated topological feature vector to more accurately reflect the spatial relationships between entities and the potential propagation capability of risks along these relationships, with particular attention to the impact on key businesses. For example, a risk propagation sensitivity score can be assigned to each node by calculating the centrality index of nodes in the graph structure (such as degree centrality, betweenness centrality, eigenvector centrality, etc.) and combining it with the key business identifier. Then, the feature dimensions of the corresponding nodes in the structural component are weighted according to this score, with high-sensitivity feature dimensions receiving higher weights and low-sensitivity feature dimensions receiving lower weights, thereby achieving feature enhancement and selection. For example, an attention-based module can be built. This module takes key business identifiers and structural components as input and learns an attention weight matrix. This matrix can dynamically allocate attention to different feature dimensions in the structural components, so that feature dimensions with high sensitivity to risk propagation receive more attention. As a result, these key features are effectively enhanced when generating topological feature vectors.

[0074] Based on the topology of this multi-level heterogeneous graph, the temporal component is refined and normalized using graph neighbor context to obtain the behavioral feature vector. Here, graph neighbor context refers to the information carried by a node's direct or indirect neighboring nodes in the multi-level heterogeneous graph. Temporal pattern refinement and normalization based on graph neighbor context means, based on the analysis of the node's own temporal components, combining the temporal information of its neighboring nodes to more comprehensively and accurately capture the temporal evolution pattern of node behavior and eliminate noise or inconsistencies. The aim is to ensure that the behavioral feature vector not only reflects the node's own dynamic changes but also its interaction with the surrounding environment, thereby more effectively describing the temporal evolution of entity states. For example, temporal extension models in graph neural networks (GNNs), such as graph recurrent networks (GRNs) or spatiotemporal graph convolutional networks (STGCNs), can be used to aggregate the temporal components of a node with those of its neighboring nodes. During the aggregation process, an attention mechanism can be introduced to dynamically adjust the contribution of neighbor information to the extraction of the current node's temporal pattern based on the strength or importance of the relationship between neighboring nodes and the current node, thereby regularizing a more representative temporal pattern. For example, the temporal components of each node can be independently decomposed (e.g., into trend, periodic, and residual components), and then these decomposed pattern components can be propagated and aggregated on the graph structure using graph diffusion or message passing mechanisms. By comparing and fusing the node's own pattern components with the aggregated neighbor pattern components, a more stable and representative temporal pattern within the graph structure context can be extracted and regularized to eliminate abnormal fluctuations.

[0075] Through the above technical solution, this application effectively separates structural information from temporal information by decoupling the interactive processing results, laying the foundation for subsequent refined processing. Based on this, key business identifiers are used to guide the feature selection and enhancement of structural components, enabling the topological feature vectors to capture key information related to the risk propagation path and intensity, avoiding interference from irrelevant features, thereby improving the accuracy of risk root cause identification. Simultaneously, combined with the topological structure of a multi-level heterogeneous graph, temporal components are refined and regularized based on graph neighbor context, ensuring that the behavioral feature vectors not only reflect the dynamic changes of the IoT card itself but also incorporate the contextual information of its network environment, enhancing the ability to perceive abnormal behavior and potential risks. This refined, context-aware feature extraction method improves the accuracy and representativeness of feature vectors, providing high-quality input for subsequent interpretable causal discovery and quantitative analysis, thereby supporting more accurate risk diagnosis and more effective network resource scheduling decisions, achieving overall performance optimization of IoT card intelligent risk control and dynamic scheduling.

[0076] In some of the embodiments described above in this application, a feature selection and enhancement based on risk propagation sensitivity of structural components is proposed to generate topological feature vectors based on key business identifiers. However, in this process, there is a lack of a mechanism to accurately quantify the sensitivity of each node in risk propagation, resulting in insufficient feature selection and an inability to effectively distinguish the impact of security business-related nodes and risk monitoring focus nodes.

[0077] To address this, this application further proposes a method for generating a topological feature vector by performing feature selection and enhancement based on risk propagation sensitivity on structural components using key business identifiers extracted from business domain data of multi-source heterogeneous data. This method includes: dividing nodes in the multi-level heterogeneous graph into security business-related nodes and risk monitoring focus nodes based on the key business identifiers; constructing a risk propagation subgraph centered on risk monitoring focus nodes and a security business subgraph centered on security business-related nodes based on the node division results; determining a first centrality metric and a second centrality metric for each node in the risk propagation subgraph and the security business subgraph, respectively, and calculating the difference between the first and second centrality metrics to obtain a risk propagation sensitivity score for each node; and selectively enhancing and suppressing the feature dimensions of the corresponding nodes in the structural component based on the risk propagation sensitivity score to generate the topological feature vector.

[0078] Specifically, when dividing nodes in this multi-level heterogeneous graph into security-related business nodes and risk monitoring focus nodes, the aim is to clarify the role of each node in the overall business process and potential risk scenarios, providing a refined foundation for subsequent risk analysis. One approach is to use predefined business rules and configuration lists to mark nodes closely related to core business processes, high-value data transmission, and critical service provision as security-related business nodes. Simultaneously, nodes that have historically exhibited abnormal behavior, are associated with high-risk areas, or have been identified as potential attack targets are marked as risk monitoring focus nodes. Another approach is to utilize machine learning classifiers, using key business identifiers as input features, to train a model that automatically identifies the business attributes and potential risk attributes of nodes, thereby performing dynamic and intelligent node division. For example, based on historical traffic patterns, connection durations, and business types of IoT cards, clustering or classification algorithms can be used for segmentation.

[0079] When constructing risk propagation subgraphs centered on risk monitoring nodes and security business subgraphs centered on security business-related nodes based on node partitioning results, the purpose is to decompose complex heterogeneous graphs into more targeted analysis units. This isolates risk propagation paths and business assurance paths, allowing feature analysis to focus more on their respective domains and reducing unnecessary cross-interference. One implementation approach is to use all risk monitoring nodes as starting points for the risk propagation subgraph, traversing multi-level heterogeneous graphs using breadth-first search (BFS) or depth-first search (DFS) algorithms. Within a limited number of hops or path weight thresholds, nodes directly or indirectly related to these core nodes and their edges are included in the subgraph. Similarly, the security business subgraph is constructed with security business-related nodes as the core. Another approach is to use graph pruning or graph slicing techniques to extract subgraphs containing only specific types of nodes and their related edges from the original multi-level heterogeneous graph based on the node partitioning results. For example, the risk propagation subgraph can only include IoT card nodes, base station nodes, and the communication connection edges between them, while the security business subgraph can focus more on the business ownership edges between IoT card nodes and business server nodes.

[0080] When determining the first centrality metric and the second centrality metric of each node in the risk propagation subgraph and the security business subgraph of the multi-level heterogeneous graph, and calculating the difference between the first and second centrality metrics to obtain the risk propagation sensitivity score for each node, the aim is to quantify the importance of the node in different business contexts and highlight its sensitivity in risk propagation. One implementation is to use degree centrality (the number of connections a node has in the risk propagation subgraph), betweenness centrality (the frequency with which a node acts as a mediator in the shortest path), or eigenvector centrality (the degree to which a node is connected to nodes with high centrality) for the first centrality metric. The second centrality metric can also use the above methods, but is calculated in the security business subgraph. The difference calculation can be a simple subtraction (first centrality minus second centrality), or a normalized ratio, logarithmic ratio, etc., to amplify the difference. Another approach is to use the PageRank algorithm for the first centrality metric to assess the importance or influence of a node in the risk propagation subgraph. For the second centrality metric, Katz centrality can be used to measure the extent to which a node is connected to other nodes in the security business subgraph through all paths (including long paths). Differences can be calculated using weighted differences; for example, assigning higher weights to centrality in the risk propagation subgraph to emphasize risk sensitivity.

[0081] When generating the topological feature vector by selectively enhancing and suppressing the feature dimensions of corresponding nodes in a structural component based on the risk propagation sensitivity score, the aim is to dynamically adjust the feature representation of the nodes according to their risk sensitivity, making the risk features of high-sensitivity nodes more prominent and the features of low-sensitivity nodes smoother. One implementation is to multiplicatively enhance the risk-related feature dimensions (e.g., abnormal connection count, abnormal traffic patterns) of nodes in their structural component for nodes with high risk propagation sensitivity scores, by multiplying them by a weight factor greater than 1. For nodes with low risk propagation sensitivity scores, multiplicatively suppress their feature dimensions by multiplying them by a weight factor less than 1, or by performing feature dimensionality reduction. Another implementation is to use an attention mechanism, dynamically allocating the risk propagation sensitivity score as attention weight to different feature dimensions in the structural component. Nodes with high sensitivity scores will receive higher attention weights for their risk-related feature dimensions, thus being enhanced in the topological feature vector. Conversely, the feature weights of nodes with low sensitivity scores will be suppressed.

[0082] Through the above technical solution, this application addresses the problem of insufficient feature selection by employing a sensitivity quantification mechanism based on centrality differences, ensuring that the topological feature vector can more accurately reflect the impact of risk propagation. Specifically, nodes are divided into security business-related nodes and risk monitoring focus nodes based on key business identifiers. Identifiers in the business domain data ensure that the division is closely related to the business context, allowing for targeted processing of different node types in subsequent analysis and avoiding interference from irrelevant nodes in risk feature extraction. A risk propagation subgraph and a security business subgraph are constructed based on the node division results. By constructing subgraphs centered on risk monitoring focus nodes and security business-related nodes respectively, risk propagation paths and business assurance paths are isolated, making feature analysis more focused on their respective domains and reducing cross-interference. The first and second centrality measures of each node are determined, and the difference is calculated to obtain a sensitivity score. By quantifying the difference between the centrality of a node in the risk propagation subgraph and its centrality in the security business subgraph, the sensitivity difference of nodes in risk propagation is highlighted; a larger difference indicates higher sensitivity, providing an objective quantitative basis for feature selection. Based on sensitivity scores, feature dimensions are selectively enhanced and suppressed. High-risk sensitive nodes are enhanced to amplify risk signals, while features of low-sensitivity nodes are suppressed to reduce noise, thereby generating more accurate topological feature vectors and effectively improving the targeting of risk identification. This allows the structural components decoupled from the interactive processing results to be utilized more effectively. The generated topological feature vectors can more accurately integrate multi-level entity relationships and cross-domain interaction information, especially in terms of risk propagation, providing high-quality input for subsequent causal discovery and quantitative analysis, thus improving the accuracy and efficiency of IoT card-based intelligent risk control.

[0083] In some of the embodiments described above in this application, temporal pattern extraction and normalization based on graph neighbor context is proposed to generate behavioral feature vectors. However, in its implementation, due to the lack of an effective decomposition mechanism for temporal components and a neighbor context propagation aggregation method, the behavioral feature vectors cannot fully capture the complex temporal pattern dependencies between nodes, affecting the accuracy of risk analysis and the efficiency of subsequent resource scheduling.

[0084] To address this, this application further proposes a topological structure based on this multi-level heterogeneous graph, and performs temporal pattern extraction and regularization of the temporal component based on graph neighbor context to obtain the behavioral feature vector, specifically including the following steps: The time series component is decomposed into multiple pattern components representing periodicity, trend, and suddenness. This step aims to break down the original, complex time series component into more fundamental and easily analyzable parts. Through this decomposition, recurring periodic patterns, long-term trends, and sudden short-term changes can be clearly identified, providing refined input for subsequent pattern analysis. For example, the Seasonal-Trend decomposition using Loess (STL) method can be used to decompose the time series component into trend components, seasonal components, and residual components. The seasonal components represent periodicity, the trend components represent trends, and outliers in the residual components can be further identified as sudden events. Alternatively, wavelet decomposition can be used to decompose the time series component into components at different frequency scales. High-frequency components can capture sudden changes, while low-frequency components can capture trends and periodic changes.

[0085] Based on the edge connections of this multi-level heterogeneous graph, a graph diffusion algorithm is used to propagate and aggregate the pattern component of each node to its neighboring nodes, obtaining a neighboring context pattern representation for each node. This step aims to leverage the topological structure of the multi-level heterogeneous graph to fuse the temporal pattern information of a node with that of its neighboring nodes, thereby obtaining a more global perspective on contextual information. The graph diffusion algorithm can simulate the propagation process of information in a graph structure, ensuring that each node not only contains its own pattern information but also incorporates the pattern features of its neighboring nodes (including direct and indirect neighbors), thus reflecting the mutual influence and association between nodes. For example, a Personalized PageRank (PPR) algorithm can be used, starting from each node, performing a random walk on the graph, and weighting and aggregating the pattern components of neighboring nodes encountered during the walk according to their access frequency, thereby obtaining a neighboring context pattern representation for that node. Alternatively, the Heat Kernel Diffusion algorithm can be used to simulate the diffusion process of heat on the graph. The pattern components of a node are used as the initial heat, and the heat is transferred to neighboring nodes and aggregated through the diffusion process to capture the temporal pattern information of the neighborhood.

[0086] Next, the pattern components of each node are aligned and fused with the corresponding neighbor context pattern representations to obtain refined temporal pattern features for each node. This step aims to organically combine the node's inherent temporal behavior with the external influences from its network neighbors, forming a more comprehensive and accurate refined temporal pattern feature. Pattern alignment ensures the consistency of pattern information from different sources in the temporal dimension, while fusion integrates this information into a unified representation. For example, the node's own pattern components and neighbor context pattern representations can be concatenated into feature vectors, and then input into a Multi-Layer Perceptron (MLP) for learning and fusion to obtain refined temporal pattern features. Alternatively, an attention mechanism can be used to dynamically learn the importance weights between the node's own pattern components and neighbor context pattern representations, and perform weighted summation or more complex fusion operations based on these weights.

[0087] The refined temporal pattern features of all nodes are standardized and vectorized to form the behavioral feature vector. This step aims to standardize the previously obtained refined temporal pattern features, making them conform to the requirements of machine learning models for input data, and converting them into a unified vector form for easier subsequent calculation and analysis. Standardization can eliminate the differences in dimensions between different features, avoiding excessive influence of certain features on model training. Vectorization encodes complex pattern information into numerical vectors, making them directly processable by the algorithm. For example, the Z-score standardization method can be used to convert the refined temporal pattern features into a distribution with a mean of 0 and a variance of 1 to eliminate the influence of dimensions. At the same time, vectorization can be completed by arranging the standardized features of each node into a vector of fixed length. Alternatively, the min-max normalization method can be used to scale the features to a specific range (such as [0,1]) and then vectorize them.

[0088] Through the above technical solution, this application effectively solves the problem that behavioral feature vectors cannot fully capture the complex temporal pattern dependencies between nodes. Specifically, by decomposing the temporal components into multiple pattern components such as periodicity, trend, and burstiness, the dynamic behavior of IoT cards and their associated entities can be more finely characterized, avoiding the limitations of a single temporal feature representation. Based on this, a graph diffusion algorithm is used to propagate and aggregate the pattern components to neighboring nodes, ensuring that each node's behavioral features not only contain its own information but also incorporate the contextual influence of its network neighbors, enhancing the relevance and richness of the features. Furthermore, through pattern alignment and fusion, the node's own pattern is organically combined with the neighbor's contextual pattern, generating more detailed and comprehensive refined temporal pattern features, thereby more accurately reflecting the real behavioral patterns of IoT cards in complex network environments. Standardization and vectorization ensure the standardization and usability of the behavioral feature vectors. In view of this, the generated behavioral feature vectors can more accurately describe the temporal evolution of entity states, providing high-quality input for subsequent interpretable causal discovery and quantitative analysis, thereby improving the accuracy of risk analysis and providing a more reliable decision-making basis for IoT card intelligent risk control and dynamic scheduling, thus ensuring the service quality of key businesses and the efficient utilization of network resources.

[0089] In some of the embodiments described above in this application, causal discovery and quantitative analysis based on topological feature vectors and behavioral feature vectors are proposed. However, when faced with multi-source heterogeneous data from the Internet of Things, existing causal analysis methods often suffer from inconsistent feature representations, inaccurate causal structure learning, and lack of quantitative evaluation, resulting in inaccurate identification of risk causes, ambiguity of transmission path strength, and difficulty in supporting resource regulation.

[0090] To this end, this application further proposes an interpretable causal discovery and quantitative analysis based on the topological feature vector and the behavioral feature vector, obtaining a set of causal nodes and a weighted set of causal edges. See [link to relevant documentation]. Figure 4 The method includes: 401. Perform feature alignment and fusion on the topological feature vector and the behavioral feature vector to generate a unified feature representation for causal discovery.

[0091] 402. Based on this unified feature representation, an interpretable causal discovery algorithm is used to learn the potential causal structure between nodes in the multi-level heterogeneous graph to obtain an initial causal graph, which contains candidate causal nodes and candidate causal edges.

[0092] 403. Quantitatively evaluate the causal effect strength and statistical significance of each candidate causal edge in the initial causal graph, obtain the quantitative evaluation result, and convert the quantitative evaluation result into the weight of the candidate causal edge.

[0093] 404. Based on the quantitative evaluation results, select the set of causal nodes from the candidate causal nodes, and select the set of weighted causal edges from the candidate causal edges.

[0094] Specifically, in the step of feature alignment and fusion of the topological feature vector and the behavioral feature vector to generate a unified feature representation for causal discovery, this step aims to integrate topological and behavioral feature vectors from different dimensions and semantics into a unified and comparable data space, thereby providing consistent and comprehensive input for subsequent causal discovery algorithms. This unified representation can eliminate differences between heterogeneous data, avoid analytical biases caused by feature mismatches or scale discrepancies, and ensure the accuracy and reliability of causal analysis. One implementation is to standardize the topological and behavioral feature vectors to make them have similar numerical ranges or distributions, and then merge them into a longer vector through feature concatenation. Based on this, dimensionality reduction techniques such as Principal Component Analysis (PCA) or autoencoders can be further employed to extract key information after fusion, while reducing the dimensionality of the feature space, reducing computational complexity, and suppressing noise. Another implementation is to use a fusion network based on an attention mechanism. For example, a multimodal attention module can be designed to allow topological feature vectors and behavioral feature vectors to "attention" to each other during the fusion process, dynamically learning the importance weights between them. In this way, the model can adaptively enhance or suppress the influence of certain features according to the needs of the current analysis task, thereby generating a more expressive and robust unified feature representation.

[0095] Based on this unified feature representation, an interpretable causal discovery algorithm is used to learn the potential causal structure between nodes in the multi-level heterogeneous graph, resulting in an initial causal graph. This step aims to mine potential causal relationships between entities such as IoT cards, base stations, and service servers from the unified feature representation and present them initially in the form of a graph. The choice of an "interpretable" algorithm ensures that the discovered causal structure is not only valid but also understandable and verifiable by humans, thus providing a transparent logical basis for identifying risk root causes and analyzing transmission paths. One implementation approach is to use constraint-based causal discovery algorithms, such as the PC algorithm or FCI algorithm. These algorithms identify conditional independence relationships between variables through a series of conditional independence tests and progressively construct or prune the edges of the causal graph accordingly. For example, if variables A and B are independent given variable C, it can be inferred that there is no direct causal relationship between A and B, or that their causal relationship is mediated by C. By iteratively performing these tests, an initial causal graph representing the causal dependencies between nodes can be obtained. Another implementation approach is to use a scoring-based causal discovery algorithm, such as the GES (Greedy Equivalence Search) algorithm. These algorithms measure the goodness of fit of different causal graph structures to a given dataset by defining a scoring function (such as the Bayesian Information Criterion (BIC) or the Akaike Information Criterion (AIC). The algorithm starts with an empty or fully connected graph and iteratively searches by adding, deleting, or reversing edges, selecting the graph structure that maximizes the score in each operation until a local optimum is reached, thus obtaining the initial causal graph.

[0096] Furthermore, the causal effect strength and statistical significance of each candidate causal edge in the initial causal graph are quantitatively evaluated, and the quantitative evaluation results are converted into weights for the candidate causal edges. This step aims to refine the initially discovered causal relationships, not only confirming their existence but also quantifying their strength and reliability. By evaluating the causal effect strength, we can understand the magnitude of an causal variable's influence on the outcome variable. By evaluating statistical significance, we can determine whether this influence is accidental, thus providing a solid quantitative basis for subsequent screening. One approach is to construct a regression model for each candidate causal edge in the initial causal graph (e.g., from node X to node Y). For example, a linear regression or generalized linear regression model can be used, with the characteristics of node Y as the dependent variable, the characteristics of node X as the independent variable, and possibly other potential confounding variables as control variables. The regression coefficient of the characteristics of node X in the model can serve as a measure of the causal effect strength, while the p-value of this coefficient can serve as a measure of statistical significance. Another approach is to employ an intervention-based causal effect estimation method. For example, structural causal models (SCM) or methods such as propensity score matching can be used to simulate an intervention in the causal node X (e.g., changing its state), and then the characteristic changes in the target node Y can be observed. The amount of change in Y resulting from this simulated intervention can serve as an estimate of the strength of the causal effect. Statistical significance can be calculated using resampling methods such as bootstrap or permutation tests.

[0097] Based on the quantitative evaluation results, a set of causal nodes is selected from the candidate causal nodes, and a set of weighted causal edges is selected from the candidate causal edges. This step is a refinement of the causal discovery process, aiming to identify those truly high-intensity and high-reliability risk roots (causal nodes) and their transmission paths (weighted causal edges) from a large number of candidate causal relationships. Through rigorous screening, it ensures that the output causal information is meaningful and operationally instructive, avoiding the inclusion of weak or spurious causal relationships in subsequent resource regulation decisions. One implementation method is to set predefined thresholds. For example, a causal effect strength threshold and a statistical significance p-value threshold can be set. Only when the causal effect strength of a candidate causal edge is higher than the strength threshold and its p-value is lower than the significance threshold is the edge retained. For candidate causal nodes, their out-degree (i.e., the number of edges acting as causal nodes) or the sum of the weights of all their out-degree edges can be calculated, and a node causal influence threshold can be set. Only nodes with influence exceeding this threshold are included in the causal node set. Another implementation method is to combine network centrality analysis. On the initial causal graph after quantitative evaluation, various centrality metrics, such as degree centrality, betweenness centrality, or eigenvector centrality, are calculated for each candidate node. These centrality metrics reflect the importance or influence of a node in the causal network. By setting a centrality threshold, the nodes with the greatest influence are selected as the causal node set. Simultaneously, only causal edges connecting these causal nodes with weights satisfying certain conditions are retained, forming a weighted causal edge set.

[0098] Through the above technical solutions, this application effectively addresses the problems of inaccurate risk causes and ambiguous transmission path strength caused by inconsistent feature representations, imprecise causal structure learning, and lack of quantitative assessment in existing causal analysis methods when dealing with multi-source heterogeneous data from the Internet of Things. Specifically, by aligning and fusing topological feature vectors and behavioral feature vectors, a unified feature representation is generated, overcoming the data consistency problem in causal analysis of multi-source heterogeneous data and providing high-quality input for subsequent analysis. An interpretable causal discovery algorithm is used to learn the potential causal structure and obtain an initial causal graph, which clearly structures the complex inter-entity relationships into causal hypotheses, enhancing the transparency and credibility of risk diagnosis. Furthermore, the quantification of the causal effect strength and statistical significance of each candidate causal edge is performed and converted into weights, achieving an objective and refined measurement of causal relationships, enabling precise characterization of the risk transmission path and strength. Based on rigorous quantitative evaluation results, a set of causal nodes and a set of weighted causal edges were selected, ensuring that the identified risk sources and transmission paths were verified and highly reliable. This provided a solid and reliable basis for subsequent resource regulation based on precise causal logic, and improved the accuracy and effectiveness of IoT card-based intelligent risk control and dynamic scheduling.

[0099] In some of the above-mentioned schemes in this application, an interpretable causal discovery based on unified feature representation is proposed to obtain an initial causal graph. However, in its implementation, due to the lack of effective utilization of temporal evolution information and network structure constraints, the identified causal relationships may be inaccurate, spurious relationships may exist, and the causal direction may be unclear, affecting the reliability of the causal graph and the accuracy of subsequent quantitative analysis.

[0100] To address this, this application further proposes a method based on this unified feature representation, using an interpretable causal discovery algorithm to learn the potential causal structure between nodes in the multi-level heterogeneous graph, thus obtaining the initial causal graph. The method includes: based on the temporal evolution information of nodes in the unified feature representation, identifying candidate node pairs and causal directions with causal relationships through time-lag correlation analysis; constructing network structure constraints for causal discovery based on existing communication connection edges and service attribution edges in the multi-level heterogeneous graph; performing conditional independence tests on the candidate node pairs under these constraints to eliminate spurious correlations and obtain a reliable set of causal edges; combining this reliable set of causal edges with the initially identified causal directions to construct the initial causal graph, and assigning an initial causal strength estimate to each causal edge in the initial causal graph.

[0101] Specifically, in the step of identifying candidate node pairs and causal directions with causal relationships based on the temporal evolution information of nodes in this unified feature representation through time-lag correlation analysis, this step aims to infer the chronological relationship of events by utilizing the temporal order of data, thereby initially identifying potential causal relationships and their directions. By analyzing the time-lag correlation of different node feature sequences, misjudgments caused by relying solely on static correlations can be effectively avoided, improving the accuracy of causal direction determination. For example, the Granger Causality Test can be used to establish a Vector Autoregression (VAR) model to determine whether one time series can predict another, thereby identifying causal directions and relationships. Alternatively, information theory methods such as Mutual Information or Transfer Entropy can be used, combined with sliding time windows and lag analysis, to quantify the degree to which information is transmitted from one node to another, thereby inferring causal relationships and directions.

[0102] In the step of constructing network structure constraints for causal discovery based on existing communication connection edges and service affiliation edges in the multi-level heterogeneous graph, this step aims to use the actual physical connections and business logic relationships of the IoT card network domain, associated terminal device domain, and upper-layer business domain as prior knowledge for causal discovery. This ensures that the discovered causal relationships conform to the real network topology and business logic, avoiding the generation of unreasonable or false causal paths. For example, the existing communication connection edges and service affiliation edges in the multi-level heterogeneous graph can be directly used as the potential edge set of the causal graph, restricting the causal discovery algorithm to search only on these predefined connections. Alternatively, these existing edges can be introduced as regularization terms into the objective function of the causal discovery algorithm, encouraging the algorithm to discover causal relationships consistent with the existing network structure, thereby enhancing the real-world relevance of the causal graph.

[0103] Under the constraints of this network structure, the step of performing conditional independence tests on candidate node pairs to eliminate spurious correlations and obtain a reliable set of causal edges aims to verify the independence between candidate node pairs using rigorous statistical methods, while considering the network structure constraints. This distinguishes between genuine causal relationships and mere statistical correlations (i.e., spurious correlations), thereby improving the reliability and robustness of causal relationships. For example, causal discovery algorithms based on conditional independence tests, such as the Peter-Clark algorithm (PC) or the Fast Causal Inference algorithm (FCI), can be used. These algorithms construct causal graphs by iteratively testing the conditional independence between variables. Alternatively, information theory-based methods, such as Conditional Mutual Information (CMI), can be used to assess whether two variables remain interdependent given other variables, thus eliminating spurious correlations.

[0104] In the step of combining the reliable set of causal edges with the initially identified causal directions to construct the initial causal graph, and assigning an initial causal strength estimate to each causal edge in the initial causal graph, the aim is to integrate the validated reliable causal edges and their directions to form a preliminary causal graph with strength estimates. This provides a solid foundation for subsequent quantification analysis of causal effects and identification of risk transmission paths. For example, reliable causal edges obtained through conditional independence tests can be used as the edge set of the graph, directions obtained from time-lag correlation analysis can be used as the edge directions, and the F-statistic or mutual information value from the Granger causality test can be used as the initial causal strength. Alternatively, methods such as structural equation modeling (SEM) or Bayesian networks can be used to estimate the strength parameters of causal paths while constructing the causal graph, thereby assigning an initial causal strength estimate to each causal edge.

[0105] Through the above technical solutions, this application effectively solves the problems of inaccurate causal discovery, the existence of spurious correlations, and unclear causal directions. Based on the temporal evolution information of nodes in the unified feature representation, time-lag correlation analysis can be used to preliminarily determine causal relationships and directions using the order of events, avoiding misjudgments caused by relying solely on static features and improving the accuracy of causal directions. The network structure constraints for causal discovery are constructed based on the existing communication connection edges and service affiliation edges in the multi-level heterogeneous graph, using actual physical and business relationships as prior knowledge to ensure that the causal graph conforms to the real network topology, preventing the generation of unreasonable causal paths and enhancing the real-world relevance of the causal graph. Next, under these network structure constraints, conditional independence tests are performed on the candidate node pairs, effectively eliminating spurious correlations and retaining only edges with genuine causal relationships, improving the robustness and reliability of the causal graph and reducing noise interference. This reliable set of causal edges is combined with the preliminarily identified causal directions to construct the initial causal graph, and each causal edge in the initial causal graph is assigned an initial causal strength estimate, providing an accurate and reliable foundation for subsequent risk transmission analysis and quantitative assessment. Overall, these technical features work together to make the causal discovery process more interpretable, providing a solid data foundation for IoT card-based intelligent risk control and dynamic scheduling. This enables more accurate identification of risk sources and transmission paths, supports subsequent decoupling of resource control intentions and solution of collaborative strategies, and achieves more efficient and reliable risk suppression and business assurance.

[0106] In some of the solutions described above in this application, a quantitative evaluation of each candidate causal edge in the initial causal graph is proposed to determine the weight of the causal edge. However, in its implementation, the quantitative evaluation may lack specific methods to ensure the accurate calculation of the strength and statistical significance of the causal effect, resulting in inaccurate weights and affecting the reliability of risk diagnosis.

[0107] To address this, this application further proposes a quantitative evaluation of the causal effect strength and statistical significance of each candidate causal edge in the initial causal graph. The quantitative evaluation results are then converted into weights for the candidate causal edges. Specifically, this involves: for each candidate causal edge, extracting the feature sequences of the source and target nodes within multiple time windows based on a unified feature representation, and calculating the causal effect strength index of the feature sequences and the corresponding statistical significance p-value. The causal effect strength index of each candidate causal edge is normalized into a directional strength score, and the statistical significance p-value of each candidate causal edge is converted into a reliability confidence score. Based on the weighted product of the directional strength score and the reliability confidence score, the quantitative evaluation result of each candidate causal edge is determined, and this result is directly used as the weight of the candidate causal edge.

[0108] Specifically, when extracting the feature sequences of the source and target nodes of candidate causal edges across multiple time windows, the unified feature representation is a comprehensive feature that integrates topological feature vectors and behavioral feature vectors. It contains spatial relationships between entities, temporal evolution information, and all the information required for causal discovery. Extracting feature sequences aims to capture the temporal dynamics of causal relationships, as these relationships are often not instantaneous but emerge over time. For example, a sliding time window approach can be used to extract feature values ​​of the source and target nodes at multiple consecutive time steps from the unified feature representation, forming their respective feature sequences. Alternatively, an event-driven approach can be adopted, where feature data within a certain time range before and after a specific event related to a candidate causal edge is detected, constructing a feature sequence.

[0109] When calculating the causal effect strength index and its corresponding statistical significance p-value for a feature sequence, the causal effect strength index quantifies the magnitude of the influence of one event on another, while the statistical significance p-value assesses whether this influence is accidental, i.e., its statistical reliability. Combining these two ensures that the identified causal relationship is both practically significant and statistically reliable. For example, the Granger causality test can be used to calculate the causal effect strength index (such as the F-statistic) and the corresponding p-value. Alternatively, information theory-based methods, such as transfer entropy or mutual information, can be used to quantify the strength of information flow from the source node feature sequence to the target node feature sequence, and combined with non-parametric methods such as the permutation test to calculate the statistical significance p-value.

[0110] When normalizing the causal effect strength index of each candidate causal edge into a directional strength score, the purpose of normalization is to eliminate differences in the dimensions and numerical ranges of different causal effect strength indices, making them comparable, and converting them into a score within a specific range (such as 0 to 1) to uniformly measure the direction and strength of causal influence. For example, the Min-Max normalization method can be used to linearly scale all causal effect strength indices to the [0,1] interval. Alternatively, the Z-score normalization method can be used to convert the strength index into a distribution with a mean of 0 and a standard deviation of 1, and then map it to the [0,1] or [-1,1] interval using the Sigmoid or Tanh function to obtain the directional strength score.

[0111] When converting the statistical significance p-value of each candidate causal edge into a reliability confidence score, a smaller p-value indicates that the observed causal effect is less likely to be caused by random factors, i.e., higher statistical reliability. Converting it to a confidence score can intuitively represent the credibility of the causal relationship, facilitating subsequent weighting and decision-making. For example, (1-p-value) can be directly used as the reliability confidence score, or the p-value can be logarithmically transformed and then normalized. Alternatively, a significance level threshold (such as 0.05) can be set; if the p-value is less than this threshold, the confidence score is higher, otherwise the confidence score is lower, or a smoother function can be used to map the p-value to a confidence score in the range [0,1].

[0112] When determining the quantitative evaluation result of each candidate causal edge based on the weighted product of the directional strength score and the reliability confidence score, a weighted product of the actual strength of the causal effect (directional strength score) and the statistical confidence score (reliability confidence score) can comprehensively consider these two key dimensions, thus obtaining a more comprehensive and accurate quantitative evaluation result. This avoids the bias that may arise from judging solely based on strength or significance. For example, the directional strength score can be directly multiplied by the reliability confidence score. Alternatively, weighting factors can be introduced, such as evaluation result = w1 × directional strength score × w2 × reliability confidence score, where w1 and w2 are adjustable weights used to balance the relative importance of strength and confidence.

[0113] Using the quantitative assessment result directly as the weight of the candidate causal edge simplifies the subsequent processing and ensures that the weight can directly reflect the strength and reliability of the causal relationship, providing accurate input for the quantitative analysis of risk transmission paths.

[0114] Through the above technical solution, this application provides a specific quantitative assessment method that solves the problem of inaccurate causal edge weights in risk diagnosis. Based on a unified feature representation, feature sequences of source and target nodes are extracted within multiple time windows. This ensures that the assessment is based on dynamic time-series data, capturing the temporal evolution characteristics of causal relationships and avoiding the limitations of static assessment. Calculating the causal effect strength index and corresponding statistical significance p-value of the feature sequences provides an objective quantitative measure, enhancing the scientific rigor and interpretability of the assessment. Normalizing the causal effect strength index into a directional strength score makes the strength values ​​of different causal edges comparable, facilitating subsequent processing. Simultaneously, converting the statistical significance p-value into a reliability confidence score improves the reliability and operability of the assessment results. The quantitative assessment result is determined based on the weighted product of the directional strength score and the reliability confidence score, and directly used as the weight of candidate causal edges. This integrates causal strength and statistical reliability, avoiding the bias of a single indicator, ensuring the accuracy and direct applicability of the weights, thereby improving the accuracy of risk diagnosis and making subsequent risk transmission path analysis and network resource scheduling strategy formulation more reliable and effective.

[0115] In some of the embodiments described above in this application, a causal effect strength index and a statistical significance p-value are proposed to quantify the causal effect strength and statistical significance of candidate causal edges. However, in the implementation process, the calculation method may not be accurate or reliable enough, resulting in insufficient accuracy of risk transmission analysis.

[0116] To address this, this application further proposes the following steps for calculating the causal effect strength index of the feature sequence and the corresponding statistical significance p-value: Based on the feature sequence, a vector autoregression model for Granger causality testing is constructed. Using this vector autoregression model, a hypothesis test is performed on the Granger causal relationship between the source node and the target node to obtain the F-statistic characterizing the causal effect strength as the causal effect strength index. A resampling method is used to calculate the distribution of the F-statistic under the null hypothesis, and the corresponding statistical significance p-value is determined based on this distribution.

[0117] Specifically, the phrase "constructing a vector autoregressive model for Granger causality testing based on this feature sequence" refers to the fact that the feature sequence is an ordered set of data extracted and processed from multi-source heterogeneous data during the causal discovery and quantitative analysis process, used to describe the changes in the state of entities such as IoT cards, base stations, and business servers over time. Constructing a vector autoregressive (VAR) model aims to capture the dynamic relationships between these multivariate time series data, particularly their mutual influence over time. The VAR model models each variable as a linear function of its own lagged value and the lagged values ​​of all other variables, thus providing a structured mathematical framework for subsequent Granger causality testing. In practice, the least squares (OLS) method can be used to estimate the coefficients in the VAR model. That is, for each variable, it is treated as the dependent variable, and all other variables and their lagged terms are treated as independent variables. The model parameters are solved by minimizing the sum of squared residuals. Alternatively, a Bayesian method can be used to estimate the VAR model. By introducing a prior distribution and combining it with observed data, the posterior distribution of the model parameters can be obtained, which provides a more robust estimate when the amount of data is limited or uncertain.

[0118] The statement "Using the vector autoregressive model to perform hypothesis testing on the Granger causal relationship between the source node and the target node, and obtaining the F-statistic as an indicator of the strength of the causal effect" refers to the Granger causality test, a statistical method used to determine whether one time series can predict another. Here, it is used to assess whether the temporal changes of the source node (potential cause) can predict the temporal changes of the target node (potential effect). Hypothesis testing quantifies this predictive ability, and the F-statistic represents the strength of the causal effect. A larger F-statistic generally indicates a stronger predictive ability of the source node for the target node, i.e., a stronger causal effect. Based on the constructed VAR model, an F-test can be performed. Specifically, an "unconstrained" model containing all lags of both the source and target nodes is built, followed by a "constrained" model without lags from the source node. The F-statistic is calculated by comparing the sum of squared residuals of the two models to test whether the lags of the source node contribute to the prediction of the target node. Alternatively, stepwise regression or information criteria (such as AIC, BIC) can be used to select the optimal lag order for the VAR model, ensuring that the model can fully capture the dynamic characteristics of the time series, and then Granger causality test can be performed to improve the accuracy of the F statistic.

[0119] The phrase "using resampling methods to calculate the distribution of the F-statistic under the null hypothesis, and determining the statistical significance p-value corresponding to the F-statistic based on this distribution" refers to the fact that the statistical significance p-value is an indicator of the degree of inconsistency between observed data and the null hypothesis (i.e., the absence of a causal relationship). Traditional p-value calculations often rely on theoretical distribution assumptions, but in practical applications, data may not perfectly conform to these assumptions. Resampling methods (such as Bootstrap or Permutation Test) construct an empirical distribution of the F-statistic under the null hypothesis by repeatedly sampling from the original data, thereby estimating the p-value more accurately and robustly, avoiding strict dependence on theoretical distributions, and improving the reliability of statistical inference. For example, samples can be drawn with replacement from the original feature sequence, and a VAR model can be reconstructed and the F-statistic calculated for each resampled sample. This process can be repeated many times (e.g., 1000 times) to obtain an empirical distribution of the F-statistic. Then, the p-value is determined by comparing the actually observed F-statistic with this empirical distribution. Alternatively, under the null hypothesis, the order of the source node feature sequences can be randomly shuffled while keeping the target node feature sequences unchanged, or the pairing relationship between the two sequences can be randomly shuffled. The F-statistic is recalculated for each shuffled data, and this process is repeated multiple times to construct the null hypothesis distribution of the F-statistic, and then the p-value is calculated.

[0120] Through the above technical solutions, this application provides a systematic method for accurately calculating the causal effect strength index and the statistical significance p-value, thereby solving the problems of inaccurate and unreliable calculations and improving the accuracy of risk transmission analysis. Specifically, a vector autoregression model for Granger causality testing is constructed based on the feature sequence. This fully utilizes the time series characteristics of the feature sequence, establishing a solid mathematical foundation for causality testing, ensuring that the model accurately captures the dynamic relationships of the data, and effectively avoiding bias caused by model mismatch. On this basis, the vector autoregression model is used to perform hypothesis testing on the Granger causal relationship between the source node and the target node, obtaining the F-statistic as the causal effect strength index. This directly quantifies the strength of the causal effect and enhances the objectivity and repeatability of the measurement through a rigorous hypothesis testing framework, effectively solving the uncertainty of subjective assessment. Furthermore, a resampling method is used to calculate the distribution of the F-statistic under the null hypothesis, and the statistical significance p-value is determined based on this distribution. This ensures the reliability and robustness of the p-value by simulating the statistical distribution, overcoming the instability of traditional methods when the sample is limited. This improves the overall accuracy of risk transmission analysis and the credibility of decision-making, providing a more solid data foundation for the subsequent generation of atomic network action sets bound to risk causal logic and business context.

[0121] In some of the solutions mentioned above in this application, an initial causal graph is obtained by learning the potential causal structure based on a unified feature representation and an interpretable causal discovery algorithm to identify the root causes and transmission paths of risks. However, in this process, the initial causal graph may contain candidate nodes and edges with low weight or weak influence, which may lead to inaccurate risk diagnosis, low resource scheduling efficiency, and may introduce redundant paths to interfere with subsequent decisions.

[0122] To address this, this application further proposes a method for selecting a set of causal nodes from candidate causal nodes and a set of weighted causal edges from candidate causal edges based on quantitative evaluation results. This method includes: setting a causal edge weight threshold and a node causal influence threshold; filtering out edges with weights lower than the causal edge weight threshold from the candidate causal edges to obtain a primary causal edge set; calculating the causal influence score of each candidate causal node based on the primary causal edge set, and filtering out nodes with causal influence scores lower than the node causal influence threshold to obtain a set of causal nodes; and retaining edges in the primary causal edge set whose two endpoints both belong to the causal node set to form a weighted causal edge set.

[0123] Setting thresholds for causal edge weights and node causal influence is a key parameter for quantitative screening, defining the minimum importance of causal edges and nodes in the risk transmission network. Specifically, an empirically fixed threshold can be determined through statistical analysis of historical risk event data, or it can be manually configured by the system administrator based on the risk tolerance of the current network environment. Alternatively, a dynamic adjustment mechanism can be used, such as adaptive optimization based on real-time network conditions, the severity of risk events, or through machine learning models (e.g., reinforcement learning), to ensure the thresholds flexibly adapt to the constantly changing operating environment. Another approach is to use a percentile method based on statistical distribution, for example, setting a threshold to retain the top X% of edges or nodes by weight or influence, thereby achieving relative screening.

[0124] Edges with weights below a preset threshold are filtered out from the candidate causal edges to obtain a preliminary set of causal edges. This step aims to remove edges in the initial causal graph where the causal relationship is not present or may be caused by noise, thereby focusing on more reliable and influential causal paths. In practice, the system can iterate through all candidate causal edges, comparing their quantified weights with a preset threshold, and removing any edge with a weight below that threshold from the candidate set. Alternatively, all candidate causal edges can be sorted in descending order of their weights, and then truncated according to a threshold or a preset upper limit on the number of edges, retaining only the edges with the highest weights to form the preliminary set of causal edges.

[0125] Based on the initial set of causal edges, a causal influence score is calculated for each candidate causal node. This calculation aims to assess the importance of each node in the preliminarily selected causal network or its risk propagation capability to identify potential risk sources. Specifically, various centrality measures from graph theory can be employed. For example, the out-degree or in-degree of a node can be used to measure its direct influence range, or betweenness centrality can be used to assess its role as an intermediary in risk propagation paths. Furthermore, variations of algorithms such as PageRank or HITS can be used, considering the weights and directions of causal edges, to iteratively calculate the causal influence score of nodes, thus more comprehensively reflecting their influence in the network. Another approach is to simulate the propagation process of risk in the initial set of causal edges, statistically analyzing the range or intensity of influence each node can exert as a source, thereby quantifying its causal influence score.

[0126] Nodes with causal influence scores below a certain threshold are filtered out, resulting in a set of causal nodes. This step further refines the identification of risk root causes, ensuring that the set of causal nodes only includes key nodes that have a substantial impact on risk propagation. Specifically, the system compares the causal influence score of each candidate causal node with a preset threshold; any node with a score below this threshold is removed from the candidate causal node set. Alternatively, all candidate causal nodes can be sorted in descending order of their causal influence scores, and then truncated according to a threshold or a preset maximum number of nodes, retaining only the nodes with the highest influence, thus obtaining the set of causal nodes.

[0127] Edges in the primary causal edge set whose two endpoints both belong to the causal node set are retained to form a weighted causal edge set. This operation aims to ensure that the weighted causal edge set only connects nodes that have been identified as key risk sources, thereby constructing a highly focused and effective risk transmission network. Specifically, the system can traverse each edge in the primary causal edge set and check whether its source node and target node both exist in the obtained causal node set. If both endpoints belong to the causal node set, the edge is retained and added to the weighted causal edge set. Alternatively, the causal node set can be used as a new node set, and all edges connecting these nodes can be selected from the primary causal edge set to construct a new subgraph, whose edges constitute the weighted causal edge set.

[0128] Through the above technical solution, this application effectively solves the problem that the initial causal graph may contain candidate nodes and edges with low weight or weak influence, leading to inaccurate risk diagnosis, low resource scheduling efficiency, and the potential introduction of redundant paths that interfere with subsequent decision-making. Specifically, by setting thresholds for causal edge weights and node causal influence, an objective and unified quantitative benchmark is provided for the entire screening process, avoiding subjective arbitrariness. Filtering out edges with weights below the thresholds in the candidate causal edges can directly eliminate low-significance paths, reduce noise interference, and make risk transmission analysis more accurate. On this basis, the causal influence score of each candidate causal node is calculated, and nodes with low influence are filtered out to ensure that only key risk sources that play a core role in risk propagation are retained, avoiding irrelevant nodes from diluting the diagnostic effect. By retaining edges in the initial causal edge set whose two endpoints both belong to the causal node set, a pure and focused weighted causal edge set is constructed, ensuring that all edges connect to key nodes, thereby providing a more reliable basis for subsequent network resource scheduling and improving the accuracy of risk diagnosis and the efficiency of resource scheduling.

[0129] In some of the embodiments described above in this application, a method for decoupling and mapping the resource regulation intentions of the causal node set, the weighted causal edge set, and the key business identifier is proposed to generate an atomic network action set bound to the risk causal logic and business context, so as to realize the expression of the resource regulation intentions. However, in this process, the granularity, intensity, and priority of the regulation actions may not fully consider the business assurance requirements, making it difficult for the action set to effectively balance risk suppression and business continuity in subsequent strategy solving.

[0130] To address this, this application further proposes decoupling and mapping the resource control intent of the causal node set, the weighted causal edge set, and the key business identifiers extracted from the business domain data of the multi-source heterogeneous data, generating an atomic network action set bound to the risk causal logic and business context. (See [link to relevant documentation]). Figure 5 The process includes: 501. Based on the risk type corresponding to the set of causal nodes and the weight distribution of the set of weighted causal edges, determine the orientation of the basic network regulation strategy.

[0131] 502. Based on the risk propagation topology represented by the weighted causal edge set, determine the network entities affected by risk transmission.

[0132] 503. For each determined network entity, map the aggregated weight values ​​of the weighted causal edge set pointing to that network entity to the preliminary control parameters of that network entity.

[0133] 504. Using this key business identifier, apply business assurance constraints to the preliminary control parameters of each network entity, calibrate the granularity, intensity, and priority of the control actions, and generate the atomic network action set.

[0134] Specifically, in determining the direction of the basic network control strategy, this step aims to provide a macro-level, directional guiding principle for subsequent resource control. The causal node set identifies the root cause of the risk, and its corresponding risk type (e.g., DDoS attack, abnormal traffic, equipment failure, etc.) determines the nature of the risk response. The weight distribution of the weighted causal edge set reflects the intensity and scope of the risk propagation in the network. Combining these two aspects, a preliminary, global control strategy direction can be formed, such as prioritizing the isolation of risk sources, limiting traffic in affected areas, or prioritizing the continuity of critical services. This direction can be determined through a pre-defined risk type-strategy direction mapping table. For example, when the risk type is "DDoS attack" and the weight distribution is concentrated, the direction might be "isolation priority." When the risk type is "equipment failure" and the weight distribution is dispersed, the direction might be "security priority." Alternatively, learning can be performed using machine learning models (such as decision trees or neural networks). The model takes the risk type encoding of the causal node set and the statistical characteristics of the weighted causal edge set (e.g., average weight, variance, maximum weight, etc.) as input and outputs a category or vector representing the strategy direction. Furthermore, a risk severity score can be obtained by quantifying the severity level of risk types, and a risk propagation concentration score can be obtained by performing a concentration analysis on the weight distribution of the weighted causal edge set. Based on these two scores, a target strategy mode can be determined by matching multiple strategy modes (such as isolation priority, flow restriction priority, and protection priority), thereby determining the orientation of the basic network control strategy.

[0135] When identifying network entities affected by risk propagation and mapping the aggregated weights of the weighted causal edge set pointing to those entities to their initial control parameters, this step aims to transform abstract risk causal relationships into actionable parameters for specific network entities. The weighted causal edge set not only reveals the propagation path of the risk, but its weights also quantify the propagation intensity. By analyzing these causal edges, it's possible to identify which network devices, services, or connections are direct or indirect victims of risk propagation—the "network entities affected by risk propagation." Aggregating the weights of the causal edges pointing to these entities—for example, by summing, averaging, or taking the maximum value—directly reflects the degree to which the entity is affected by the risk, and then mapping this value to the entity's "initial control parameters," serving as the starting point for subsequent refined control. This process can be achieved by traversing the weighted causal edge set, identifying all network entities as target nodes, and summing the weights of all causal edges pointing to the same target entity as the aggregated value. For example, if a base station node is pointed to by multiple high-weight causal edges, its aggregated value will be high, and the initial control parameters may indicate the need for stricter traffic restrictions. Alternatively, graph algorithms (such as variations of PageRank or Betweenness Centrality) can be used to assess the importance or impact of each network entity in the risk propagation topology, and these metrics can be aggregated as weights. Initial control parameters could include traffic limiting ratios, connection disconnection commands, priority adjustments, etc.

[0136] This step is crucial for achieving a balance between risk mitigation and service assurance when applying service assurance constraints to the initial control parameters of various network entities using this critical service identifier, calibrating the granularity, intensity, and priority of control actions, and generating the atomic network action set. Critical service identifiers (e.g., high-priority services, key users, core services, etc.) provide contextual information at the service level. After the initial control parameters are determined, these service identifiers need to be used to fine-tune the control parameters to ensure that risk mitigation measures do not excessively affect the normal operation of critical services, while allowing for more aggressive control over non-critical services. Calibration includes the "granularity" of the control actions (whether it's for a single connection, a port, or the entire device), "intensity" (e.g., percentage of rate limiting, duration of disconnection), and "priority" (which actions need to be executed immediately, and which can be postponed). These calibrated parameters are then transformed into a specific, executable "atomic network action set." This calibration process can be implemented using a pre-defined service assurance policy rule base. For example, if a network entity carries traffic with a "critical service identifier" of "VIP user communication," its initial control parameters (such as a 50% rate limit) might be calibrated to a lower rate limit (such as a 10% rate limit) or a higher priority. Alternatively, a policy engine-based or reinforcement learning-based approach can be used. The policy engine dynamically calculates and adjusts the granularity, strength, and priority based on the critical service identifier, initial control parameters, and predefined Service Level Agreement (SLA) rules. The reinforcement learning model, through interaction with the environment, learns how to optimally calibrate these parameters under different business scenarios. Furthermore, based on the critical service identifier, network entities can be divided into critical service entities requiring protection and controllable ordinary service entities. High service continuity constraints are configured for critical service entities, and resource efficiency optimization constraints are configured for ordinary service entities. Based on these rules, the initial control parameters for critical and ordinary service entities are differentially calibrated, generating a set of atomic network actions.

[0137] Through the above technical solution, this application solves the problem of improper setting of action granularity, intensity, and priority in the decoupling and mapping of resource control intentions by deeply integrating business assurance constraints into the control action generation process. This improves the accuracy and adaptability of the atomic network action set, ensuring that it effectively balances risk suppression and business continuity in subsequent strategy solving. Specifically, the guidance of the basic network control strategy is determined based on the risk type corresponding to the causal node set and the weight distribution of the weighted causal edge set. This step provides global directional guidance for control through comprehensive analysis of risk type and weight distribution, avoiding the strategy from deviating from the root cause and transmission intensity characteristics of the risk, and ensuring the initial alignment of the action set with the risk logic. The network entities affected by risk transmission are determined based on the risk propagation topology represented by the weighted causal edge set, and for each entity, the weight aggregation value of the weighted causal edge set pointing to that entity is mapped to preliminary control parameters. This process uses the path structure of the propagation topology to identify affected entities and transforms the causal edge weight aggregation into specific control parameters, enabling actions to be dynamically generated for the risk transmission path, enhancing the targeting and response efficiency of the actions. By applying business assurance constraints to the initial control parameters of each network entity using key business identifiers, and calibrating the granularity, intensity, and priority of control actions, this crucial step introduces contextual constraints through business identifiers, directly calibrating control parameters. This refines the granularity of actions, rationalizes their intensity, and optimizes their priority, thereby deeply binding risk causality with business needs. This generates a highly adaptable set of atomic actions, laying the foundation for solving equilibrium strategies. Therefore, the atomic network action set generated in this application can more accurately reflect the causal logic of risks and the business context, providing high-quality input for subsequent collaborative strategy solutions. This allows the output network resource scheduling strategy to achieve a better balance between suppressing the spread of risks along causal edges and ensuring the quality of critical business services, improving the overall efficiency of IoT SIM card intelligent risk control and dynamic scheduling.

[0138] In some of the solutions mentioned above in this application, a guiding principle for determining the basic network control strategy is proposed to guide the decoupling and mapping of resource control intentions. However, in this process, due to the lack of quantitative analysis of the severity of risks and the concentration of propagation, the strategy guidance may be based on experience or fixed rules, which cannot dynamically adapt to different risk scenarios, resulting in inaccurate strategy selection, delayed response, and difficulty in achieving a balance between security and efficiency in complex IoT environments.

[0139] To address this, this application further proposes a method for determining the direction of basic network control strategies based on the risk types corresponding to the causal node set and the weight distribution of the weighted causal edge set. This process includes: quantifying the severity level of the risk types corresponding to the causal node set to obtain a risk severity score; and performing a concentration analysis on the weight distribution of the weighted causal edge set to obtain a risk propagation concentration score. Based on the risk severity score and the risk propagation concentration score, a target strategy mode is determined by matching multiple strategy modes, including isolation priority, rate limiting priority, and protection priority. This target strategy mode is then transformed into a priority configuration for network resource scheduling in terms of security and service continuity to determine the direction of the basic network control strategy.

[0140] Specifically, the severity level of the risk type corresponding to the set of causal nodes is quantified to obtain a risk severity score. This technical feature aims to transform the abstract risk type corresponding to the set of causal nodes into a comparable and quantifiable value, so as to identify and prioritize high-risk events. In practice, a set of mapping rules between risk types and severity levels can be preset, and a weighted average or statistical analysis can be performed based on the actual impact of historical risk events (such as business interruption duration, economic losses, number of user complaints, etc.) to assign an initial severity score to each risk type. Alternatively, an evaluation model can be constructed that comprehensively considers multiple dimensions such as the scope, degree, and recovery cost of the potential business impact of a risk event, and calculates the comprehensive severity score of the risk through methods such as multi-indicator weighted summation or analytic hierarchy process. In addition, a machine learning classifier can be trained, taking risk type-related features (such as the number of affected devices, business priority, potential attack type, etc.) as input, and outputting the severity level or continuous severity score of the risk.

[0141] Simultaneously, a concentration analysis is performed on the weight distribution of the weighted causal edge set to obtain a risk propagation concentration score. This technical feature is used to assess the degree of concentration of risk propagation in the network represented by the weighted causal edge set, identify key paths or hotspots in risk propagation, and thus guide strategy formulation to focus on the most critical transmission links. Specifically, the Gini coefficient or information entropy of the weights in the weighted causal edge set can be calculated to measure the unevenness of the weight distribution; a higher Gini coefficient or lower information entropy indicates a more concentrated weight distribution. Alternatively, the weighted causal edge set can be treated as a weighted graph, and various centrality measures of the nodes in the graph (such as eigenvector centrality, betweenness centrality, and compactness centrality) can be calculated. These centrality measures can then be aggregated or statistically analyzed to reflect the degree of concentration in risk propagation.

[0142] Based on this, a target strategy pattern is determined by matching the risk severity score and the risk propagation concentration score from multiple strategy patterns. This technical feature aims to dynamically select the most suitable macroeconomic control strategy based on the quantified risk severity and risk propagation concentration to adapt to different risk scenarios. In specific implementation, a two-dimensional decision matrix or lookup table can be predefined, with its rows and columns corresponding to different intervals of the risk severity score and the risk propagation concentration score, respectively. The matrix cells store the corresponding target strategy patterns, and the matching strategy pattern is directly searched based on the calculated two score values. Alternatively, a rule-based expert system can be established to determine the target strategy pattern through a rule-based reasoning mechanism.

[0143] These multiple strategy modes include isolation priority, rate limiting priority, and assurance priority. These modes represent different focuses and priorities in risk response and resource allocation, providing the system with flexible macro-control directions. Specifically, the isolation priority mode focuses on quickly severing the connection between the risk source or infected entity and other parts of the network to prevent further risk spread. The rate limiting priority mode focuses on restricting resource usage in affected areas or entities to mitigate the impact of risk while maintaining minimum service availability as much as possible. The assurance priority mode focuses on ensuring the continuous operation of critical businesses or core services, prioritizing resource allocation even in risky environments. In addition to the above modes, other options may include, for example, a recovery priority mode, which prioritizes resource allocation for fault recovery and service reconstruction after a risk occurs; or a monitoring priority mode, which prioritizes strengthening monitoring and data collection in relevant areas in the early stages of a risk.

[0144] Furthermore, the target policy pattern is transformed into a priority configuration for network resource scheduling based on security and service continuity. This technical feature concretizes the abstract policy pattern into operable resource scheduling instructions, providing clear priority guidance for subsequent atomic network action generation and collaborative policy solution. In practical implementation, a detailed priority configuration template can be preset for each policy pattern. For example, in the "isolation priority" mode, security priority is set to the highest, and service continuity priority is set to medium. Alternatively, a parameter mapping table can be established to map the policy pattern to a series of specific parameter values, which define the relative priority and weight of different types of network resources in dimensions such as security, service continuity, and performance.

[0145] This determines the direction of the basic network control strategy. This technical feature is the output of the entire process, providing high-level guidelines and goal setting for subsequent decoupling and mapping of resource control intentions and solving collaborative strategies. The direction of this basic network control strategy can be expressed as a set of explicit weight values, indicating the relative importance of different objectives such as security, business continuity, and resource efficiency in resource scheduling decisions. Alternatively, it can be expressed as a series of hard constraints that must be met. Or it can be one or more mathematical expressions that define the objectives that need to be maximized or minimized during resource scheduling.

[0146] Through the above technical solution, this application achieves intelligent and adaptive selection of risk response strategies. By quantifying the severity level of the risk type corresponding to the causal node set and performing concentration analysis on the weight distribution of the weighted causal edge set, risk severity scores and risk propagation concentration scores can be obtained, thus providing a quantitative basis for subsequent strategy selection. Based on these two scores, the target strategy mode most suitable for the current risk situation can be dynamically matched and determined from multiple preset strategy modes. This dynamic matching mechanism overcomes the limitations of traditional static and rigid strategies, enabling network control strategies to adapt to different risk scenarios. Furthermore, the determined target strategy mode is transformed into a priority configuration for network resource scheduling in terms of security and business continuity, providing a clear guide for the decoupling and mapping of subsequent resource control intentions. This ensures that in a complex and ever-changing IoT environment, network security and business continuity can be flexibly balanced according to the actual severity and propagation characteristics of the risk, avoiding response delays or resource waste caused by inappropriate strategy selection, and improving the accuracy and effectiveness of IoT card intelligent risk control and dynamic scheduling.

[0147] In some of the solutions described above in this application, service assurance constraints are imposed using critical service identifiers to calibrate the granularity, intensity, and priority of control actions. However, if network entities are not divided into critical service entities requiring assurance and controllable ordinary service entities based on critical service identifiers, and if differentiated constraint rules are not applied, it may lead to insufficient assurance of critical service continuity or inadequate optimization of resource efficiency. To address this, this application further proposes using critical service identifiers to impose service assurance constraints on the preliminary control parameters of each network entity, calibrating the granularity, intensity, and priority of control actions, and generating an atomic set of network actions. This method includes the following steps.

[0148] Based on critical service identifiers, network entities are divided into critical service entities requiring protection and controllable general service entities. Critical service identifiers are key information used to identify the importance, priority, or service level agreement (SLA) of a service. For example, critical service identifiers can be identified based on a pre-configured service priority list or service whitelist, marking IoT cards or service servers related to high-priority applications such as emergency communications, industrial control, and healthcare as critical service entities. Alternatively, critical service identifiers can be dynamically assessed and identified based on real-time service data analysis, such as service traffic, revenue contribution, number of users, or SLA requirements, thereby classifying the corresponding network entities as critical service entities. This classification ensures that different strategies are adopted for services of different importance during resource allocation, providing a basis for subsequent differentiated constraints.

[0149] Configure high business continuity constraints for critical business entities and resource efficiency optimization constraints for general business entities. High business continuity constraints aim to ensure the stable operation of critical businesses under risks or resource constraints, minimizing interruptions. Examples include guaranteeing minimum bandwidth, prioritizing scheduling queues, configuring redundant paths, implementing rapid failover mechanisms, ensuring Quality of Service (QoS) levels, and prioritizing resource allocation during resource contention. Resource efficiency optimization constraints allow for flexible adjustments to resource usage for general business entities without affecting core functions, improving overall resource utilization. Examples include allowing service degradation, flexible resource allocation ranges, low-priority scheduling, reclaiming idle resources, and performing traffic shaping or rate limiting during resource constraints. By applying specific rules to different entity types, high business continuity constraints strengthen the stability of critical businesses, while resource efficiency optimization constraints allow for flexible resource adjustments for general business entities.

[0150] Based on high business continuity constraints and resource efficiency optimization constraints, the initial control parameters of critical business entities and ordinary business entities are calibrated differently. These initial control parameters are network control parameters initially generated based on risk causal logic and business context. Differentiated calibration refers to fine-tuning these initial parameters according to the aforementioned configured constraint rules to better meet the assurance requirements of critical business operations and the efficiency optimization goals of ordinary business operations. For example, for critical business entities, if the initial control parameters involve bandwidth limitations, high business continuity constraints may require calibrating the limitation to no less than a preset minimum guaranteed bandwidth value. If latency is involved, it is calibrated to no more than a maximum allowable latency value. For ordinary business entities, resource efficiency optimization constraints may allow bandwidth limitations to be calibrated to a lower elasticity range or allow higher latency. The calibration process can be performed using a rule engine-based approach, making conditional judgments and numerical corrections to the initial control parameters based on predefined business strategies and constraints. Alternatively, calibration can be performed using optimization algorithms, using high business continuity constraints and resource efficiency optimization constraints as optimization targets or constraints to iteratively adjust the initial control parameters. This calibration process incorporates business context, making control parameters more granular and robust to actual needs, thus avoiding insufficient assurance or waste of resources caused by uniform processing.

[0151] Based on the calibrated control parameters, an atomic network action set is generated. This set includes specific operation objects, action types, and parameter values. The atomic network action set is the smallest granular set of operation instructions that can be directly issued to network devices or executed by management. For example, the operation object can be a specific IoT card ID, base station ID, service server IP address, or port. The action type can be "set bandwidth limit," "modify route priority," "enable / disable service," "adjust QoS level," etc. The parameter values ​​are specific numerical values, such as "bandwidth: 10Mbps," "priority: high," "QoS level: EF," etc. This atomic network action set can be represented in JSON, XML, or other structured data formats for easy parsing and execution by automated systems, or encapsulated into scripts or API calls to directly interface with network controllers, SDN (Software-Defined Networking) controllers, or cloud platforms for automated deployment and execution. This ensures that the actions have clear executability, facilitating the implementation of control strategies.

[0152] Through the aforementioned technical solution, this application introduces critical business identifiers to divide network entities into critical business entities requiring protection and controllable ordinary business entities. It then configures targeted high business continuity constraint rules and resource efficiency optimization constraint rules, thereby differentially calibrating initial control parameters. This series of operations ensures that critical businesses receive priority protection during risk control, avoiding business interruptions or service quality degradation caused by uniform policies. Simultaneously, ordinary businesses can be flexibly optimized for resource efficiency, avoiding unnecessary resource waste. The generated atomic network action set has clearly defined operation objects, action types, and parameter values, enabling the control strategy to be implemented efficiently. Through this business identifier-driven differential processing, this application effectively solves the problems of insufficient critical business continuity protection and inadequate resource efficiency optimization in complex IoT environments, achieving a balance between security and efficiency.

[0153] In some of the solutions mentioned above in this application, a collaborative strategy solution based on weighted causal edge set, atomic network action set and real-time network resource status is proposed to suppress risk diffusion and ensure service quality. However, in this process, the inefficiency of integrating multi-source information to construct the decision space leads to response delay, the difficulty in efficiently solving multi-objective optimization conflicts leads to policy imbalance, and the lack of dynamic matching between policy selection and current network preferences results in insufficient adaptability.

[0154] To address this, this application further proposes a method for solving a collaborative strategy based on the weighted causal edge set, the atomic network action set, and the real-time network resource state. This strategy aims to balance the spread of risk along causal edges with ensuring the quality of critical business services, and then outputs and executes a network resource scheduling strategy. (See [link to relevant documentation]). Figure 6 The method includes: 601. Integrate the weighted causal edge set, the atomic network action set, and the real-time network resource state to construct a multi-dimensional decision state space for policy solving.

[0155] 602. Within this multidimensional decision state space, the suppression of risk diffusion along the weighted causal edge set and the assurance of key business service quality are modeled as multi-objective optimization functions.

[0156] 603. The multi-agent collaborative decision-making algorithm is used to iteratively solve the multi-objective optimization function to obtain the Pareto optimal solution set.

[0157] 604. Select the optimal solution that matches the current network optimization preference from the Pareto optimal solution set, decode the optimal solution into a network resource scheduling strategy and execute it.

[0158] Specifically, by integrating the weighted causal edge set, the atomic network action set, and the real-time network resource state, a multi-dimensional decision state space is constructed for policy solving. This aims to unify dispersed risk, control, and resource information, providing a comprehensive context for subsequent decision-making. The weighted causal edge set, obtained through causal discovery and quantitative analysis in previous steps, clearly characterizes the transmission path and intensity of risk in the IoT SIM card network, serving as the core basis for risk perception and prediction. The atomic network action set is generated by decoupling and mapping resource control intentions; it contains refined control operations for different network entities and risk types, serving as the execution means to achieve risk mitigation and business assurance. The real-time network resource state refers to the dynamic information such as the actual usage, load, available bandwidth, and latency of various resources in the current network, reflecting the immediate constraints and capabilities of the network environment. Constructing a multidimensional decision state space can be achieved by fusing features of these heterogeneous information sources. For example, the weighted causal edge set can be transformed into a risk adjacency matrix, the atomized network action set can be encoded into an action feature vector, and the real-time network resource state can be used as an additional feature dimension to form a high-dimensional tensor or vector representation. This allows for a comprehensive characterization of the current network's risk situation, available control measures, and the carrying capacity of network resources.

[0159] Within this multidimensional decision-making state space, modeling the suppression of risk propagation along the weighted causal edge set and the assurance of critical business service quality as a multi-objective optimization function aims to find the optimal balance between risk control and business continuity. The objective of suppressing risk propagation along the weighted causal edge set can be quantified as minimizing the cumulative weight along the risk propagation path or maximizing the isolation effect of the risk source nodes. The objective of ensuring critical business service quality can be quantified as minimizing the latency and packet loss rate of critical services or maximizing their throughput. Constructing these two objectives as a multi-objective optimization function means simultaneously considering and optimizing these two potentially conflicting metrics. For example, mathematical methods such as weighted summation, ε-constraints, or goal programming can be used to model these metrics and seek a solution that achieves the optimal trade-off between them.

[0160] A multi-agent cooperative decision-making algorithm is employed to iteratively solve the multi-objective optimization function, obtaining a Pareto optimal solution set. This approach aims to efficiently explore complex decision spaces and acquire a series of non-dominated solutions. Multi-agent cooperative decision-making algorithms, such as reinforcement learning-based multi-agent systems or distributed optimization algorithms, can decompose complex global optimization problems into multiple sub-problems, which are then processed in parallel by different agents. Each agent is responsible for optimization within its local decision space, and through communication and cooperation among agents, they gradually converge to the global Pareto optimal solution set. The iterative solution process allows the algorithm to gradually approach the optimal policy through continuous trial and error and learning, thus overcoming the limitations of traditional optimization methods in handling high-dimensional, nonlinear, and dynamic problems. The Pareto optimal solution set contains all policies that are superior to other solutions on at least one objective and not inferior to other solutions on all objectives, providing a rich set of policy selection options.

[0161] Selecting the optimal solution from the Pareto optimal solution set that matches the current network optimization preferences, and then decoding and executing this optimal solution into a network resource scheduling strategy, is a key step in achieving dynamic adaptive decision-making. The current network optimization preferences refer to the priority or weighting of risk mitigation and business assurance objectives at a specific point in time or under specific business scenarios. For example, during extreme risk events, there might be a preference for isolation, while in daily operations, there might be a preference for business continuity. By introducing a utility function or decision rule, combined with the current optimization preferences, a single optimal solution that best meets the current needs can be selected from the Pareto optimal solution set. This abstract optimal solution is decoded into a specific sequence of network resource configuration instructions, such as adjusting bandwidth, modifying routes, isolating specific devices, or limiting traffic, forming an executable network resource scheduling strategy. These instructions are then issued to network devices and executed, thereby achieving intelligent control of IoT SIM card network resources.

[0162] Through the above technical solutions, this application can systematically integrate risk, control actions, and real-time resource information to construct a unified decision-making space, effectively solving the problem of low integration efficiency caused by the dispersion of multi-source information. Simultaneously, risk suppression and business assurance are modeled as multi-objective optimization functions, clarifying the mathematical expression of conflict objectives. Efficient iterative solutions are obtained through a multi-agent collaborative decision-making algorithm, overcoming the limitations of traditional methods in handling objective conflicts and complex dynamic environments, and quickly obtaining a series of non-dominated strategy options. Furthermore, by dynamically matching the current network optimization preferences to select the optimal solution from the Pareto optimal solution set, the adaptability and flexibility of the executed strategy are ensured, avoiding the failure of static strategies in dynamic network environments. Decoding and executing the optimal solution realizes closed-loop control from risk perception to strategy execution, improving the response efficiency and decision quality of IoT card intelligent risk control and dynamic scheduling, and effectively balancing network security and business continuity.

[0163] In some of the solutions mentioned above in this application, a multi-dimensional decision state space is proposed to integrate risk propagation information, available control actions, and real-time network states for policy solving. However, in this process, due to the diverse data sources, heterogeneous formats, and inconsistent dimensions, the state space construction may be inefficient and data fusion may be difficult, affecting the accuracy and real-time performance of policy solving.

[0164] To address this, this application further proposes a method for integrating the weighted causal edge set, the atomic network action set, and the real-time network resource state to construct a multidimensional decision state space for policy solving. This method includes: converting the weighted causal edge set into a risk adjacency matrix representing the risk propagation topology; organizing the atomic network action set into an action feature matrix representing available control actions and their parameters; performing spatiotemporal alignment and feature normalization on the risk adjacency matrix, the action feature matrix, and the real-time network resource state to form a standardized joint feature matrix; and constructing a unified multi-channel feature tensor based on this joint feature matrix, which constitutes the multidimensional decision state space for policy solving.

[0165] Specifically, this weighted set of causal edges is transformed into a risk adjacency matrix representing the risk propagation topology. The aim is to convert complex risk causal relationships—the transmission paths and strengths of risks among IoT entities—into a standardized mathematical representation. This matrix form facilitates efficient computer processing and subsequent policy-solving algorithms. For example, a sparse matrix can be used, where the rows and columns correspond to nodes in a multi-level heterogeneous graph, and the values ​​of the matrix elements represent the weights of the corresponding causal edges; if no causal edge exists between nodes, the element's value is zero. Alternatively, a fully connected matrix can be used, where the weights of non-causally related edges are set to a minimum or negative infinity to clearly distinguish causally related edges.

[0166] Simultaneously, the set of atomic network actions is organized into an action feature matrix representing available control actions and their parameters. The set of atomic network actions consists of specific network control instructions generated based on risk causal logic and business context. Organizing it into an action feature matrix aims to unify and vectorize these discrete, structured action instructions and their parameters, making them usable as input for policy-solving algorithms for processing and optimization. For example, action types (such as isolation, rate limiting, and priority adjustment) can be one-hot encoded, and parameter values ​​(such as bandwidth limits and priority values) can be numericalized. These encodings and values ​​are then combined into action vectors, thus forming the action feature matrix. Alternatively, embedding techniques can be used to map each atomic action to a low-dimensional continuous vector space, ensuring that semantically similar actions are close in distance within the vector space, thereby forming the action feature matrix.

[0167] Based on this, the risk adjacency matrix, action feature matrix, and real-time network resource state are spatiotemporally aligned and feature normalized to form a standardized joint feature matrix. Since the risk adjacency matrix, action feature matrix, and real-time network resource state may come from different data sources with different timestamps, sampling frequencies, and numerical ranges, spatiotemporal alignment aims to eliminate these heterogeneities, ensuring that all data are synchronized in the time dimension and correspond to the same entity or context in the spatial dimension. For example, time window aggregation or interpolation methods can be used to unify data with different sampling frequencies to the smallest common time granularity. Spatial alignment can be achieved through entity ID mapping, ensuring that the rows / columns of the matrix correspond one-to-one with the actual entities in the network. Feature normalization unifies features with different dimensions to a similar numerical range, preventing certain features from dominating model training due to excessively large values, thereby improving the stability and convergence of policy solutions. For example, Min-Max normalization can be used to scale features to the [0,1] interval, or Z-score normalization can be used to convert features into a distribution with a mean of 0 and a standard deviation of 1.

[0168] Based on this joint feature matrix, a unified multi-channel feature tensor is constructed, which constitutes the multi-dimensional decision state space for policy solving. The joint feature matrix already contains aligned and normalized risk, action, and resource information. Constructing the multi-channel feature tensor integrates these different types of standardized information in a higher dimension, forming a unified and rich state representation. This tensor structure can better capture the complex relationships between different feature dimensions, providing more comprehensive input for policy solving algorithms such as deep learning or reinforcement learning, thereby more accurately describing the current network state. For example, different parts of the joint feature matrix (such as risk information, action information, and resource information) can be regarded as different "channels" of the tensor, similar to RGB channels in image processing, and stacked together to form a three-dimensional tensor.

[0169] Through the above technical solution, this application systematically integrates and standardizes heterogeneous risk propagation information, executable control actions, and real-time network resource states. This effectively solves the problems of data fusion difficulties, low efficiency in state space construction, and impacts on the accuracy and real-time performance of strategy solutions caused by diverse data sources, heterogeneous formats, and inconsistent dimensions when constructing a multi-dimensional decision state space. Specifically, the weighted causal edge set is transformed into a risk adjacency matrix, realizing a quantitative representation of the risk propagation topology, enabling complex causal relationships to be efficiently processed by the algorithm in a structured matrix form. Simultaneously, the atomic network action set is organized into an action feature matrix, standardizing the description of control actions, making them parameterized and easy to integrate into the decision model. By strictly aligning and normalizing these matrices and real-time network resource states in time and space, and eliminating data inconsistencies and dimensional differences, all input data are compared and analyzed on a uniform scale. Based on the standardized joint feature matrix, a unified multi-channel feature tensor is constructed, which provides an efficient, consistent and information-rich state representation foundation for subsequent multi-agent collaborative decision-making algorithms. This greatly improves the accuracy, real-time performance and robustness of policy solving, thereby enabling more effective suppression of risk diffusion and ensuring the quality of critical business services.

[0170] In some of the solutions mentioned above in this application, a multi-agent collaborative decision-making algorithm is proposed to iteratively solve multi-objective optimization functions in order to efficiently find the Pareto optimal solution set. However, in this process, due to the complexity and large size of the multi-dimensional decision state space, the lack of effective space partitioning and agent collaboration mechanism may lead to inefficient solution process, waste of computing resources, low policy quality, and inability to quickly converge to a high-quality solution set, thereby affecting the response capability of real-time risk suppression and business assurance.

[0171] To address this, this application further proposes an iterative solution using a multi-agent collaborative decision-making algorithm to obtain a Pareto optimal solution set. This involves: dividing the multidimensional decision state space into multiple subspaces and assigning an agent to each subspace. Each agent, based on the information of its assigned subspace, searches and generates candidate local scheduling strategies in parallel. The agents exchange local scheduling strategies and their value assessments via a communication network, and collaboratively optimize the local scheduling strategies based on the exchange results. Finally, a multi-objective evaluation is performed on the locally optimized strategies to select a Pareto optimal solution set that is non-inferior in both risk mitigation and business assurance objectives.

[0172] Specifically, the multidimensional decision state space is divided into multiple subspaces, and an agent is assigned to each subspace. The multidimensional decision state space refers to a complex set of states used for policy solving, composed of information such as risk adjacency matrices, action feature matrices, and real-time network resource states. Dividing it into multiple subspaces aims to decompose a large and complex global decision problem into several smaller, more manageable local decision problems. For example, these subspaces can be divided according to the physical regions of the network topology, logical functional partitions (such as core network, access network), or service types (such as high-priority services, ordinary services). Each subspace is assigned an independent agent, which is responsible for decision-making and optimization within that subspace. The assignment of agents can adopt a preset static mapping method, where each subspace is fixed to one agent. Alternatively, a dynamic allocation method can be used, dynamically creating or scheduling agents based on the load or importance of the subspace. This partitioning and allocation mechanism effectively reduces the complexity of processing by a single agent and lays the foundation for subsequent parallel processing.

[0173] Each agent, based on its assigned subspace information, searches and generates candidate local scheduling policies in parallel. After obtaining its own subspace information, each agent independently and simultaneously explores possible combinations of scheduling actions within its assigned local area, forming a preliminary local scheduling policy. For example, agents can use reinforcement learning algorithms (such as Q-learning, Deep Q-Network (DQN), or Actor-Critic) to conduct exploratory learning within their subspace, discovering policies that can optimize local objectives through interaction with the environment. Alternatively, agents can employ heuristic search algorithms (such as genetic algorithms, particle swarm optimization, etc.) combined with specific constraints of the subspace to quickly generate a series of candidate policies that meet local requirements. This parallel search mechanism improves the efficiency of policy generation and avoids the computational bottleneck that centralized decision-making may cause.

[0174] Each agent exchanges its local scheduling policy and its value assessment through a communication network, and collaboratively optimizes the local scheduling policy based on the exchange results. To avoid agents getting trapped in local optima and to ensure the coordination and global optimality of the overall policy, agents need to interact with each other. The communication network can be a shared memory-based communication mechanism or an asynchronous communication mechanism based on message queues or distributed agent communication protocols. Agents not only exchange their generated local scheduling policies but also the value assessment results of these policies within their respective subspaces, such as the policy's contribution to risk mitigation and its impact on business assurance. Based on this exchanged information, agents can adjust their policy generation logic, for example, through collaborative mechanisms in multi-agent reinforcement learning (such as Multi-Agent Deep Deterministic Policy Gradient (MADDPG)) or through negotiation, voting, and bidding mechanisms, to iteratively optimize local policies in order to achieve a coordinated effect at the global level.

[0175] A multi-objective evaluation is performed on the locally scheduled strategies after agent-based collaborative optimization to select the Pareto optimal solution set that is non-inferior in both risk mitigation and business assurance objectives. After agent-based collaborative optimization, a comprehensive multi-objective evaluation of the integrated locally scheduled strategies is required. The evaluation process considers both risk mitigation objectives (e.g., risk spread range, risk level decline rate) and business assurance objectives (e.g., service quality degradation of critical services, business availability). The strategy set is non-inferiorly ranked using a multi-objective evaluation function, such as the evaluation method commonly used in multi-objective optimization algorithms like NSGA-II (Non-dominated Sorting Genetic Algorithm II). The selected Pareto optimal solution set is one in which no single strategy can improve all objectives without sacrificing another. This means that the strategies in this solution set achieve the best balance between risk mitigation and business assurance, providing a high-quality decision-making basis for subsequent selections.

[0176] Through the above technical solution, this application effectively decomposes the complex and massive multi-dimensional decision-making state space using a multi-agent collaborative decision-making mechanism, enabling each agent to search for local scheduling strategies in parallel and efficiently. The strategy and value evaluation exchange mechanism among agents promotes collaborative optimization of local strategies, effectively avoids local optima, and enhances the consistency of global strategies. The Pareto optimal solution set selected through multi-objective evaluation ensures strategy quality that is non-inferior in both risk mitigation and business assurance objectives. This method improves the efficiency and accuracy of obtaining high-quality scheduling strategies in complex dynamic network environments, effectively solving the problems of inefficient solution processes, wasted computational resources, and low strategy quality. It significantly enhances the responsiveness and robustness of IoT card intelligent risk control and dynamic scheduling systems in real-time risk mitigation and critical business assurance.

[0177] In some of the solutions mentioned above in this application, the optimal solution is selected from the Pareto optimal solution set to implement the resource scheduling strategy. However, in this process, due to the lack of a mechanism for dynamically obtaining preference parameters and a specific method for calculating fitness scores based on these parameters, the selected optimal solution may not accurately match the real-time network optimization preferences, affecting the balance between risk suppression and business assurance objectives, and reducing the adaptability and execution efficiency of resource scheduling.

[0178] To address this, this application further proposes a method for selecting the optimal solution matching the current network optimization preference from the Pareto optimal solution set, decoding the optimal solution into a network resource scheduling strategy, and executing the strategy. This method includes: obtaining current network optimization preference parameters, which characterize the weighting ratio between risk mitigation and service assurance objectives; calculating the comprehensive fitness score of each solution in the Pareto optimal solution set based on the network optimization preference parameters; selecting the solution with the highest comprehensive fitness score as the optimal solution; mapping the optimal solution into a network resource configuration instruction sequence, which constitutes the network resource scheduling strategy; and issuing and executing the network resource scheduling strategy.

[0179] Specifically, this involves acquiring current network optimization preference parameters. These parameters characterize the weighting ratio between risk mitigation and business assurance objectives, essentially providing an indicator to quantify the relative importance of these two goals. Their purpose is to dynamically capture real-time network environment demands, avoiding rigid policy selection and thus providing an accurate benchmark for subsequent policy evaluation. Specifically, these parameters can be loaded using preset policy templates or configuration files. These templates can predefine weighting ratios based on different business scenarios (e.g., prioritizing business continuity during peak periods and prioritizing risk suppression when high-risk threats are detected). Alternatively, these parameters can be dynamically generated using a machine learning model trained on historical network operation data, risk event frequency, Quality of Service (QoS) metrics, and administrator feedback, outputting in real-time the weighting ratio that best matches the current network state and operational objectives.

[0180] Based on this, the comprehensive fitness score of each solution in the Pareto optimal solution set is calculated based on the network optimization preference parameters. This refers to a quantitative indicator that measures the overall performance of each candidate strategy in the Pareto optimal solution set under the current network optimization preference. Its purpose is to achieve an objective evaluation of the solutions by quantifying the performance of each solution under the current preference weights, thereby enhancing the scientific nature and matching degree of the selection. Specifically, a weighted sum method can be used, multiplying the performance of each solution in the Pareto optimal solution set on risk mitigation objectives (e.g., degree of risk reduction) and service assurance objectives (e.g., degree of QoS improvement) by their corresponding preference weights, and then summing them to obtain the comprehensive fitness score. For example, the comprehensive fitness score can be expressed as: Score = W_risk × Risk_Reduction + W_biz × Biz_QoS_Improvement, where W_risk and W_biz are the preference weights for risk mitigation and service assurance, respectively. Alternatively, multi-attribute decision methods, such as TOPSIS or AHP, can be used, with preference parameters as weights in the decision matrix, to rank and score the various schemes in the Pareto solution set.

[0181] Selecting the solution with the highest overall fitness score as the optimal solution means choosing the strategy with the highest overall fitness score calculated based on the current network optimization preference parameters within the Pareto optimal solution set. Its purpose is to simplify the strategy selection process by directly basing decisions on quantified scores and ensuring that the selected strategy achieves an optimal balance between risk mitigation and business assurance objectives. Specifically, this can be achieved by traversing the Pareto optimal solution set, comparing the calculated overall fitness scores of each solution, and directly selecting the solution with the highest score. Alternatively, a priority queue or sorting algorithm can be used to sort all solutions, and then the solution at the top of the list can be retrieved.

[0182] Furthermore, the optimal solution is mapped to a sequence of network resource configuration instructions. This sequence constitutes the network resource scheduling policy, which is a set of concrete, executable network operation instructions that transform the abstract optimal solution. Its purpose is to convert abstract optimization results into concrete, executable instructions, facilitating rapid deployment and implementation of the policy. Specifically, predefined mapping rules or templates can be used to convert abstract control parameters (e.g., bandwidth adjustment ratio, traffic forwarding path, security policy enabling status, etc.) contained in the optimal solution into command-line interface (CLI) instructions, API calls, or SDN controller configurations that can be recognized and executed by specific network devices (e.g., routers, switches, firewalls, base station controllers). Alternatively, a configuration management system or automated operation and maintenance platform can be used to convert the optimal solution into structured configuration data (e.g., JSON, YAML format), which is then parsed and distributed to the corresponding network devices or virtualization resource managers.

[0183] The issuance and execution of the network resource scheduling policy refers to the process of deploying the generated network resource scheduling policy to the actual network environment and making it effective. Its purpose is to complete the closed-loop operation of the policy, ensuring that resource scheduling can take effect promptly and respond to network changes. Specifically, the generated network resource configuration command sequence can be sent to the target network device or virtualization platform through network management protocols (e.g., SNMP, Netconf, RESTful API) or SDN controller interfaces, and the execution status and results of the commands can be monitored in real time. Furthermore, it can be integrated into an existing automated operation and maintenance platform, which can then be responsible for batch issuance of commands, real-time feedback of execution status, and anomaly handling mechanisms.

[0184] Through the above technical solution, this application effectively addresses the mismatch between strategy selection and actual network preferences in multi-objective optimization. By dynamically acquiring network optimization preference parameters and calculating the comprehensive fitness score of each solution in the Pareto optimal solution set based on these parameters, it ensures that the selected strategy accurately matches the real-time requirements of the current network environment for risk mitigation and service assurance. This quantitative evaluation mechanism based on preference parameters enables the scientific and objective selection of the strategy that best meets the current network optimization objectives from the Pareto optimal solution set generated by the multi-agent collaborative decision-making algorithm. Transforming the abstract optimal solution into a concrete, executable sequence of network resource configuration instructions and issuing it for execution achieves seamless integration from intelligent decision-making to actual network operation, improving the adaptability, accuracy, and execution efficiency of network resource scheduling, thereby better balancing security and efficiency in complex and dynamic IoT environments.

[0185] In some of the solutions mentioned above in this application, steps such as collaborative feature extraction, causal discovery and quantitative analysis, decoupling and mapping of resource regulation intentions, and collaborative strategy solving are proposed to realize intelligent risk control and dynamic scheduling of IoT cards. However, in this process, due to the lack of a feedback mechanism after executing network resource scheduling strategies, the system cannot dynamically adjust according to the actual risk suppression effect and business service quality indicators. As a result, it is not adaptable enough and has low optimization efficiency when facing complex and ever-changing network environments and continuously evolving security threats, making it difficult to continuously improve the accuracy of risk control and the efficiency of resource scheduling.

[0186] In response, this application further proposes that the method also includes: after each execution of the network resource scheduling strategy, collecting risk suppression effect and service quality indicators as multi-dimensional feedback data. This multi-dimensional feedback data is then correlated with the multi-source heterogeneous data that triggered the current scheduling, forming a closed-loop experience sample. Using this closed-loop experience sample, at least one step in achieving the collaborative feature extraction, causal discovery and quantitative analysis, decoupling and mapping of resource regulation intentions, and solving the collaborative strategy is adaptively optimized.

[0187] Specifically, after each execution of a network resource scheduling strategy, the system collects risk mitigation effectiveness and service quality indicators as multi-dimensional feedback data. Risk mitigation effectiveness refers to the degree to which the network resource scheduling strategy curbs potential or existing risk events. This can be quantified as a decrease in abnormal traffic, a reduction in the number of malicious connections blocked, a decrease in the number of affected devices, or a shortening of the duration of risk events. It can also be reflected by monitoring the changing trends of risk indicators (such as abnormal behavior scores and attack success rates). Service quality indicators refer to the performance of critical services after the network resource scheduling strategy is executed. These can include network latency, throughput, packet loss rate, jitter, and service availability, or specific service key performance indicators (KPIs), such as video smoothness and industrial control command response time. This multi-dimensional feedback data is a comprehensive reflection of risk mitigation effectiveness and service quality indicators, and can be collected through various means, including network performance monitoring systems, application performance management (APM) tools, log analysis platforms, and operational status data reported by IoT devices themselves.

[0188] The multi-dimensional feedback data is correlated with the multi-source heterogeneous data that triggered the current scheduling, forming a closed-loop experience sample. This correlation operation aims to establish a logical connection between the feedback data and the original input data that led to the current scheduling decision. This can be achieved through timestamp matching, session ID association, device identifier binding (such as IoT card ID, terminal device MAC address), and policy execution ID tracking. For example, the system can record the execution time of each scheduling policy, the IoT cards involved, and the associated risk event ID, and then match the feedback data within the same time period or under the same event ID with this information. This closed-loop experience sample is a complete data record that includes the original multi-source heterogeneous data (input) that led to the scheduling decision, the executed network resource scheduling policy (action), and the risk mitigation effect and service quality indicators (results) produced after the policy execution. This sample structure enables the learning of the causal relationship of "what result will be produced by performing a specific action under a specific input".

[0189] Based on this, using the closed-loop experience samples, adaptive optimization is performed on at least one step in achieving the collaborative feature extraction, causal discovery and quantitative analysis, decoupling and mapping of resource regulation intentions, and solving the collaborative strategy. This adaptive optimization refers to dynamically adjusting its internal models, parameters, or rules based on historical experience samples to adapt to constantly changing network environments and risk patterns. For example, for the collaborative feature extraction step, the weights of features can be adjusted by analyzing the correlation between features and effects in the samples, or new effective features can be introduced, or even redundant features can be eliminated, to improve the accuracy and robustness of feature representation. For the causal discovery and quantitative analysis step, the causal model can be retrained or fine-tuned using sample data to improve the accuracy of causal relationship discovery and quantification. For example, the causal graph structure or causal strength assessment method can be corrected by analyzing the difference between the actual risk propagation path and the model's predicted path. For the decoupling and mapping of resource regulation intentions, the generation rules of atomic network actions can be optimized based on the matching degree between strategy execution and business assurance effects in the samples. For example, the granularity, intensity, or priority mapping relationship of actions can be adjusted to better meet actual business needs and risk mitigation objectives. For the collaborative strategy solving stage, sample data can be used to train the strategy solving algorithm (such as a reinforcement learning model) so that it can learn better scheduling strategies under different states. For example, a reward mechanism can be used to encourage strategies that can effectively suppress risks and ensure business quality, and to punish strategies that are ineffective.

[0190] By introducing closed-loop feedback and adaptive optimization mechanisms, this application effectively solves the core problem of the lack of dynamic adaptability in existing solutions, enabling continuous self-optimization of key links based on actual execution results, thereby improving the robustness and efficiency of overall risk control and scheduling performance. Specifically, after each execution of a network resource scheduling strategy, risk suppression effects and business service quality indicators can be collected in real time as multi-dimensional feedback data, providing a basis for objectively evaluating the effectiveness of the strategy. By associating this feedback data with the multi-source heterogeneous data that triggered the scheduling, a complete closed-loop experience sample can be formed, thereby establishing a causal relationship between the strategy execution result and the input data, avoiding experience fragmentation, and providing a data foundation for in-depth analysis of the reasons for the success or failure of the strategy. On this basis, using these closed-loop experience samples, at least one link in collaborative feature extraction, causal discovery and quantitative analysis, decoupling and mapping of resource control intentions, and collaborative strategy solution can be adaptively optimized. For example, through continuous learning, the system can improve the accuracy of feature extraction, enhance the reliability of causal discovery, optimize the generation logic of atomic network actions, or adjust the priority and objective function of strategy solution. This continuous adaptive optimization enables better adaptation to complex and ever-changing network environments and evolving security threats, improving the accuracy, response speed, and resource scheduling efficiency of IoT card intelligent risk control, and demonstrating stronger robustness and higher performance in ensuring the security and continuity of IoT services.

[0191] The following example will provide a more detailed explanation of the above technical solution: In a large-scale Industrial Internet of Things (IIoT) scenario, numerous IoT cards connect various sensors, actuators, and robotic devices on the production line. Data from these devices is transmitted to the business server via access base stations, supporting critical manufacturing operations. Currently, this IIoT faces risks such as equipment malfunctions and cyberattacks, potentially leading to production disruptions and resource waste. Traditional risk control and network scheduling systems operate independently, making effective collaboration difficult. Their limited risk perception dimensions result in inaccurate diagnosis, delayed responses, and rigid handling strategies that fail to adapt to dynamic and complex production environments.

[0192] This method aims to solve the above problems and realize intelligent risk control of IoT card security risks and dynamic scheduling of network resources.

[0193] Collaborative feature extraction is performed on multi-source heterogeneous data from the IoT SIM card network domain, associated terminal device domain, and upper-layer service domain. For example, data such as communication traffic and signal quality between the IoT SIM card and the access base station are collected from the network domain. Time-series data and device status from sensors (such as temperature, pressure, and vibration) are collected from the device domain. Information such as the business priority and key business identifiers of production line A are collected from the service domain. Based on this data, the system constructs a multi-level heterogeneous graph that integrates entities from the network, device, and service domains. The node set of this graph includes IoT SIM card nodes, base station nodes, and service server nodes, and the edge set includes communication connection edges and service affiliation edges. For example, IoT SIM card nodes are connected to access base station nodes via communication connection edges, and access base station nodes are also connected to service server nodes via communication connection edges. Additionally, there may be service affiliation edges between IoT SIM card nodes and service server nodes. Real-time network signaling and service logic configuration are used to instantiate these nodes and edges, completing the dynamic construction of the multi-level heterogeneous graph. Traffic and signal quality features in network domain data are mapped to weight attributes of communication connection edges; service priority features in service domain data are mapped to type attributes of service-assigned edges; and sensor timing features and network session state features of IoT SIM card nodes in device domain data are jointly mapped to fused state attributes of IoT SIM card nodes. Graph-based neighborhood feature aggregation is performed on the fused state attributes of IoT SIM card nodes to generate enhanced node attributes containing network topology context information.

[0194] Next, a two-stream interactive processing of graph convolution and node temporal states is performed on the multi-level heterogeneous graph. Graph convolution extracts spatial structural dependency features between nodes, for example, identifying the connection patterns between a given IoT SIM card node and its neighboring base station nodes, as well as other IoT SIM card nodes. Simultaneously, temporal convolution extracts the temporal evolution features of the node's own attachment attributes, such as the traffic fluctuation patterns or sensor reading trends of a given IoT SIM card node over a past period. During the interaction, spatial structural dependency features and temporal evolution features are weighted with cross-modal attention to obtain the interaction processing result. Feature decoupling is performed on the interaction processing result, separating structural components highly correlated with the graph structure and temporal components highly correlated with the node's temporal evolution. Based on key business identifiers extracted from business domain data (e.g., identifying "Production Line A" as a key business), feature selection and enhancement based on risk propagation sensitivity are performed on the structural components to generate a topological feature vector. Specifically, the nodes in the graph are divided into security-related nodes (such as IoT cards related to "Production Line A") and risk-monitoring-focused nodes (such as IoT cards with abnormal traffic). The difference in centrality metric between the risk propagation subgraph and the security-related subgraph for each node is calculated to obtain a risk propagation sensitivity score. Based on this score, the feature dimensions of corresponding nodes in the structural components are selectively enhanced or suppressed. Simultaneously, based on the topological structure of the multi-level heterogeneous graph, the temporal components undergo temporal pattern extraction and regularization based on graph neighbor context to obtain behavioral feature vectors. For example, the temporal components are decomposed into periodic, trend, and burst pattern components. A graph diffusion algorithm is used to propagate and aggregate the pattern components of each node to its neighboring nodes, and then align and fuse them with its own pattern components to form refined temporal pattern features, constituting behavioral feature vectors. These topological feature vectors characterize the spatial relationships between entities, and the behavioral feature vectors describe the temporal evolution of entity states.

[0195] After obtaining the topological feature vector and behavioral feature vector, the system performs interpretable causal discovery and quantitative analysis. Feature alignment and fusion are performed on the topological and behavioral feature vectors to generate a unified feature representation for causal discovery. Based on this unified feature representation, an interpretable causal discovery algorithm is used to learn the potential causal structure between nodes in a multi-level heterogeneous graph, resulting in an initial causal graph. For example, time-lag correlation analysis is used to identify the causal association direction between nodes, and existing communication connection edges and service affiliation edges in the multi-level heterogeneous graph are used as network structure constraints to perform conditional independence tests, eliminate spurious correlations, and obtain a reliable set of causal edges to construct the initial causal graph. The causal effect strength and statistical significance of each candidate causal edge in the initial causal graph are quantitatively evaluated. For example, for the candidate causal edge between the traffic anomaly of IoT card A and the response delay of business server B, their feature sequences within multiple time windows are extracted, a vector autoregression model of Granger causality test is constructed, the F-statistic is calculated as an indicator of causal effect strength, and the corresponding statistical significance p-value is calculated using a resampling method. The causal effect strength index is normalized into a directional strength score, and the p-value is converted into a reliability confidence score. The weighted product of the two is used to determine the weight of the candidate causal edge. Based on the quantitative evaluation results, a causal edge weight threshold and a node causal influence threshold are set. A set of causal nodes is selected from the candidate causal nodes (e.g., identifying an IoT SIM card node whose abnormal behavior is the root cause of network congestion). A set of weighted causal edges is selected from the candidate causal edges (e.g., determining the risk transmission path and its strength from the abnormal IoT SIM card node to its access base station node and then to the service server node). Unlike traditional methods that only identify correlations, this method clarifies the root cause and transmission path of risk through causal discovery, improving the accuracy of diagnosis.

[0196] Next, the resource control intent is decoupled and mapped from the causal node set, the weighted causal edge set, and the key business identifiers, generating a set of atomic network actions bound to the risk causal logic and business context. For example, if the causal node set indicates a risk type of "DDoS attack" and the weighted causal edge set shows a high concentration of risk propagation, the system will determine that the basic network control strategy is "isolation priority". Based on the risk propagation topology represented by the weighted causal edge set, the network entities affected by the risk propagation (such as attacked IoT cards, related base stations, and service servers) are identified, and the weighted aggregation values ​​of the weighted causal edge sets pointing to these entities are mapped to preliminary control parameters. For example, the preliminary control parameter for an attacked IoT card might be "rate limit 50%". Business assurance constraints are applied to the preliminary control parameters of each network entity using key business identifiers (such as the key business attributes of "production line A"). For example, network entities are divided into key business entities that need to be protected and ordinary business entities that can be controlled. For IoT cards related to "production line A", even if they are slightly affected, high business continuity constraint rules are configured to ensure that their service is not interrupted. For IoT cards used in non-critical business applications, resource efficiency optimization constraints are configured to allow for more aggressive resource control. Based on these rules, preliminary control parameters are differentially calibrated to generate a set of atomic network actions, including the specific operation object (e.g., IoT card ID), action type (e.g., rate limiting, blocking, route adjustment), and parameter value (e.g., rate limiting bandwidth). This overcomes the limitations of traditional static strategies, enabling more refined and business-sensitive control actions.

[0197] Based on a weighted causal edge set, an atomic network action set, and real-time network resource status, a collaborative strategy is solved to balance the objectives of suppressing risk propagation along causal edges and ensuring the quality of service for critical businesses. The system outputs and executes a network resource scheduling strategy. The system integrates the weighted causal edge set (converted into a risk adjacency matrix), the atomic network action set (organized as an action feature matrix), and real-time network resource status (such as base station load and link bandwidth) to construct a multi-dimensional decision state space for strategy solving. Within this space, suppressing risk propagation along the weighted causal edge set and ensuring the quality of service for critical businesses are modeled as multi-objective optimization functions. For example, one objective is to minimize the risk propagation intensity, and another is to maximize the throughput of critical businesses. A multi-agent collaborative decision-making algorithm is used to iteratively solve the multi-objective optimization function to obtain a Pareto optimal solution set. For example, the multi-dimensional decision state space is divided into multiple subspaces, with each agent responsible for searching local scheduling strategies and collaboratively optimizing through communication network strategy exchange and value evaluation. The optimal solution that matches the current network optimization preferences (such as the weighting ratio between risk mitigation and service assurance objectives) is selected from the Pareto optimal solution set. This solution is then decoded into a sequence of network resource configuration instructions to form a network resource scheduling strategy, which is then issued and executed. For example, in response to DDoS attacks, the strategy might include rate limiting for specific IoT cards, adjusting the routing of relevant base stations, and increasing bandwidth guarantees for critical service servers. This collaborative strategy solution method achieves a deep integration of risk control and resource scheduling, enabling dynamic adaptation to complex network environments and ensuring the continuity of critical services.

[0198] After each execution of a network resource scheduling strategy, the system collects risk mitigation effectiveness (such as the decrease in attack traffic) and service quality indicators (such as critical service latency and packet loss rate) as multi-dimensional feedback data. This feedback data is correlated with the multi-source heterogeneous data that triggered the scheduling, forming closed-loop experience samples. Using these closed-loop experience samples, at least one step in collaborative feature extraction, causal discovery and quantitative analysis, decoupling and mapping of resource control intentions, and collaborative strategy solution is adaptively optimized to achieve continuous learning and performance improvement, further enhancing the system's ability to cope with continuously evolving security threats.

[0199] All of the above-mentioned optional technical solutions can be combined in any way to form the optional embodiments of this application, and will not be described in detail here.

[0200] Figure 7 This is a schematic diagram of the structure of an AI-based IoT card intelligent risk control and dynamic scheduling device provided in an embodiment of this application. See also... Figure 7 The device includes: The feature extraction module 701 is used to perform collaborative feature extraction based on graph structure and time series on multi-source heterogeneous data from IoT card network domain, associated terminal device domain and upper layer business domain to obtain topological feature vector and behavioral feature vector. The topological feature vector represents the spatial relationship between entities, and the behavioral feature vector is used to describe the temporal evolution of entity state. Analysis module 702 is used to perform interpretable causal discovery and quantitative analysis based on the topological feature vector and the behavioral feature vector to obtain a set of causal nodes and a set of weighted causal edges. The set of causal nodes is used to identify the root causes of risks, and the set of weighted causal edges is used to characterize the risk transmission path and intensity. Extraction module 703 is used to decouple and map the resource regulation intention of the causal node set, the weighted causal edge set, and the key business identifiers extracted from the business domain data of the multi-source heterogeneous data, and generate an atomic network action set bound to risk causal logic and business context. The solution module 704 is used to solve a collaborative strategy based on the weighted causal edge set, the atomic network action set, and the real-time network resource status, with the balance goal of suppressing the spread of risk along the causal edge and ensuring the quality of critical business services, and outputs and executes the network resource scheduling strategy.

[0201] It should be noted that the AI-based IoT card intelligent risk control and dynamic scheduling device provided in the above embodiments is only illustrated by the division of the above functional modules during dynamic scheduling. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the computer device can be divided into different functional modules to complete all or part of the functions described above. Furthermore, the AI-based IoT card intelligent risk control and dynamic scheduling device provided in the above embodiments and the AI-based IoT card intelligent risk control and dynamic scheduling method embodiments belong to the same concept, and their specific implementation process is detailed in the method embodiments, which will not be repeated here.

[0202] Figure 8This is a schematic diagram of a server structure provided in an embodiment of this application. The server 800 can vary significantly due to different configurations or performance. It may include one or more Central Processing Units (CPUs) 801 and one or more memories 802. The one or more memories 802 store at least one computer program, which is loaded and executed by the one or more processors 801 to implement the methods provided in the various method embodiments described above. Of course, the server 800 may also have wired or wireless network interfaces, a keyboard, and input / output interfaces for input and output. The server 800 may also include other components for implementing device functions, which will not be elaborated upon here.

[0203] In an exemplary embodiment, a computer-readable storage medium is also provided, such as a memory including a computer program that can be executed by a processor to perform the AI-based IoT card intelligent risk control and dynamic scheduling method in the above embodiments. For example, the computer-readable storage medium may be a read-only memory (ROM), a random access memory (RAM), a compact disc read-only memory (CD-ROM), magnetic tape, floppy disk, or optical data storage device, etc.

[0204] In an exemplary embodiment, a computer program product or computer program is also provided, which includes program code stored in a computer-readable storage medium. The processor of a computer device reads the program code from the computer-readable storage medium and executes the program code, causing the computer device to perform the above-described AI-based IoT card intelligent risk control and dynamic scheduling method.

[0205] In some embodiments, the computer program involved in the present application embodiments may be deployed and executed on a computer device, or executed on multiple computer devices located in one location, or executed on multiple computer devices distributed in multiple locations and interconnected through a communication network. Multiple computer devices distributed in multiple locations and interconnected through a communication network may constitute a blockchain system.

[0206] Those skilled in the art will understand that all or part of the steps of the above embodiments can be implemented by hardware or by a program instructing related hardware. The program can be stored in a computer-readable storage medium, such as a read-only memory, a disk, or an optical disk.

[0207] The above are merely optional embodiments of this application and are not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.

Claims

1. An AI-based intelligent risk control and dynamic scheduling method for IoT cards, characterized in that, The method includes: For multi-source heterogeneous data from IoT card network domain, associated terminal device domain and upper-layer service domain, collaborative feature extraction based on graph structure and time series is performed to obtain topological feature vector and behavioral feature vector. The topological feature vector represents the spatial association between entities, and the behavioral feature vector is used to describe the temporal evolution of entity states. Based on the topological feature vector and the behavioral feature vector, interpretable causal discovery and quantitative analysis are performed to obtain a set of causal nodes and a set of weighted causal edges. The set of causal nodes is used to identify the root causes of risks, and the set of weighted causal edges is used to characterize the risk transmission path and intensity. The resource regulation intent is decoupled and mapped from the causal node set, the weighted causal edge set, and the key business identifiers extracted from the business domain data of the multi-source heterogeneous data, generating an atomic network action set bound to risk causal logic and business context. Based on the weighted causal edge set, the atomic network action set, and the real-time network resource status, a collaborative strategy is solved with the balanced objective of suppressing the spread of risk along the causal edges and ensuring the quality of critical business services. The network resource scheduling strategy is then output and executed.

2. The method according to claim 1, characterized in that, The process involves extracting topological and behavioral feature vectors from multi-source heterogeneous data from the IoT card network domain, associated terminal device domain, and upper-layer service domain, based on graph structure and time series analysis. Based on the communication connection and service affiliation between the IoT card and the access base station and associated service server, a multi-level heterogeneous graph that integrates network domain, device domain and service domain entities is constructed, and the attributes in the multi-source heterogeneous data are mapped to the corresponding nodes and edges of the multi-level heterogeneous graph. For the multi-level heterogeneous graph, perform two-stream interactive processing of graph convolution and node temporal states to obtain the interactive processing result; Based on the interaction processing results, topological feature vectors and behavioral feature vectors are generated respectively. The topological feature vectors integrate multi-level entity associations and cross-domain interaction information, while the behavioral feature vectors enhance the temporal patterns based on the graph structure context.

3. The method according to claim 2, characterized in that, Based on the interaction processing results, the generation of topological feature vectors and behavioral feature vectors includes: The interaction processing results are decoupled by feature separation to separate the structural components that are highly correlated with the graph structure and the temporal components that are highly correlated with the temporal evolution of nodes. Based on the key business identifiers extracted from the business domain data of the multi-source heterogeneous data, feature selection and enhancement based on risk propagation sensitivity are performed on the structural components to generate the topological feature vector. Based on the topological structure of the multi-level heterogeneous graph, the temporal components are refined and normalized according to the temporal pattern based on the graph neighbor context to obtain the behavioral feature vector.

4. The method according to claim 1, characterized in that, Based on the topological feature vector and the behavioral feature vector, interpretable causal discovery and quantitative analysis are performed to obtain a set of causal nodes and a set of weighted causal edges, including: The topological feature vector and the behavioral feature vector are aligned and fused to generate a unified feature representation for causal discovery; Based on the unified feature representation, an interpretable causal discovery algorithm is used to learn the potential causal structure between nodes in the multi-level heterogeneous graph to obtain an initial causal graph, which includes candidate causal nodes and candidate causal edges. The causal effect strength and statistical significance of each candidate causal edge in the initial causal graph are quantitatively evaluated to obtain the quantitative evaluation results, and the quantitative evaluation results are converted into the weights of the candidate causal edges. Based on the quantitative evaluation results, the set of causal nodes is selected from the candidate causal nodes, and the set of weighted causal edges is selected from the candidate causal edges.

5. The method according to claim 4, characterized in that, The step of quantitatively evaluating the causal effect strength and statistical significance of each candidate causal edge in the initial causal graph, obtaining the quantitative evaluation result, and converting the quantitative evaluation result into the weight of the candidate causal edge includes: For each candidate causal edge, the feature sequence of the source node and target node of the candidate causal edge within multiple time windows is extracted based on the unified feature representation, and the causal effect intensity index of the feature sequence and the statistical significance p-value corresponding to the causal effect intensity index are calculated. The causal effect strength index of each candidate causal edge is normalized into a directional strength score, and the statistical significance p-value of each candidate causal edge is converted into a reliability confidence score. The quantitative evaluation result of each candidate causal edge is determined based on the weighted product of the directional strength score and the reliability confidence score, and the quantitative evaluation result is directly used as the weight of the candidate causal edge.

6. The method according to claim 1, characterized in that, The process of decoupling and mapping resource control intentions for the causal node set, the weighted causal edge set, and the key business identifiers extracted from the business domain data of the multi-source heterogeneous data, and generating an atomic network action set bound to risk causal logic and business context, includes: Based on the risk type corresponding to the set of causal nodes and the weight distribution of the set of weighted causal edges, the orientation of the basic network regulation strategy is determined. Based on the risk propagation topology represented by the weighted causal edge set, network entities affected by risk transmission are identified; for each identified network entity, the weight aggregation value of the weighted causal edge set pointing to the network entity is mapped to the preliminary control parameters of the network entity. The key business identifier is used to apply business assurance constraints to the preliminary control parameters of each network entity, calibrate the granularity, intensity and priority of the control actions, and generate the atomic network action set.

7. The method according to claim 6, characterized in that, The process of determining the direction of the basic network regulation strategy based on the risk type corresponding to the set of causal nodes and the weight distribution of the set of weighted causal edges includes: The severity level of the risk type corresponding to the set of causal nodes is quantified to obtain a risk severity score, and the concentration analysis of the weight distribution of the weighted causal edge set is performed to obtain a risk propagation concentration score. Based on the risk severity score and the risk propagation concentration score, a target strategy mode is determined by matching multiple strategy modes, including isolation priority, flow restriction priority and protection priority. The target policy pattern is transformed into a priority configuration for network resource scheduling in terms of security and service continuity, so as to determine the direction of the basic network control policy.

8. The method according to claim 1, characterized in that, The process involves solving a collaborative strategy based on the weighted causal edge set, the atomic network action set, and the real-time network resource status. The goal is to balance suppressing the spread of risk along causal edges with ensuring the quality of critical business services. The resulting network resource scheduling strategy is then output and executed. By integrating the weighted causal edge set, the atomic network action set, and the real-time network resource state, a multi-dimensional decision state space for policy solving is constructed. Within the multidimensional decision state space, suppressing the spread of risk along the weighted causal edge set and ensuring the quality of key business services are modeled as multi-objective optimization functions; A multi-agent collaborative decision-making algorithm is used to iteratively solve the multi-objective optimization function to obtain the Pareto optimal solution set; Select the optimal solution that matches the current network optimization preference from the Pareto optimal solution set, decode the optimal solution into a network resource scheduling strategy and execute it.

9. The method according to claim 8, characterized in that, The multi-agent cooperative decision-making algorithm is used to iteratively solve the multi-objective optimization function to obtain a Pareto optimal solution set, including: The multidimensional decision state space is divided into multiple subspaces, and an agent is assigned to each subspace; Each agent searches for and generates candidate local scheduling policies in parallel based on the subspace information it is assigned; Each intelligent agent exchanges the local scheduling strategy and the value assessment of the strategy through a communication network, and collaboratively optimizes the local scheduling strategy based on the exchange results; A multi-objective evaluation is performed on the local scheduling strategy after the intelligent agents' collaborative optimization, and the Pareto optimal solution set that is non-inferior in both risk suppression and business assurance objectives is selected.

10. The method according to claim 8, characterized in that, The step of selecting the optimal solution that matches the current network optimization preference from the Pareto optimal solution set, decoding the optimal solution into a network resource scheduling policy, and executing it includes: Obtain the current network optimization preference parameters, which are used to characterize the weight ratio between risk suppression and business assurance objectives; Based on the network optimization preference parameters, the comprehensive fitness score of each solution is calculated in the Pareto optimal solution set; The solution with the highest overall fitness score is selected as the optimal solution. The optimal solution is mapped to a sequence of network resource configuration instructions, and the sequence of network resource configuration instructions constitutes the network resource scheduling strategy. Issue and execute the network resource scheduling policy.