An abnormal event multi-source coupling security hidden danger prediction method
By constructing a time-space causal graph of multi-source data of abnormal events, the problem of existing monitoring systems relying on manual rules and causal directions to identify coupled security risks of multi-source abnormal events is solved. This enables real-time and interpretable early warning and operation and maintenance suggestions for system-level security risks, thereby improving the security and efficiency of the monitoring system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HOHAI UNIV
- Filing Date
- 2026-05-13
- Publication Date
- 2026-06-16
Figure CN122222397A_ABST (abstract drawing)
Description
Technical Field
[0001] This invention belongs to the field of intelligent security and safety hazard prediction technology and specifically concerns a method for predicting safety hazards caused by the multi-source coupling of abnormal events. In particular, it relates to such a method for monitoring scenarios, based on causal inference on a cloud platform. It is applicable to safety management systems deployed in closed or semi-closed places (such as production sites, water pumping stations, hydropower stations, comprehensive management areas of small and medium-sized river basins, large construction sites, parks, campuses, etc.) that have video, environmental and equipment-status perception capabilities.
Background Technology
[0002] With the deepening of smart security construction, current mainstream monitoring systems generally adopt a "cloud-edge-device" collaborative architecture: edge devices (such as smart cameras, environmental sensors, and access control controllers) are responsible for real-time data collection and preliminary analysis, while the cloud platform aggregates multi-source data and provides a global view. However, major security risks in actual operation often do not stem from a single device failure, but rather from multiple seemingly isolated abnormal events coupled, interacting, or even amplified under specific conditions, resulting in coupled security risks.
[0003] (1) Explanation of hidden dangers / risks
In the field of safety engineering, the relevant concepts of hidden dangers / risks have been clearly defined:
Coupled security risks: the interaction between two or more independent anomalous data items in a specific time and space, resulting in an overall security threat that is significantly higher than the sum of the individual effects of each event;
Chain reaction risk: an initial anomaly triggers a chain of secondary events, resulting in cascading failures;
Systemic risk: the threat to overall operational stability posed by the spread of a local disturbance through internal system interactions.
[0004] (2) Manifestations of coupled safety hazards in typical engineering scenarios
Various monitoring scenarios generally share the common characteristic of "frequent single-item anomalies and rare combined anomalies".
[0005] (3) Limitations of existing monitoring systems in identifying coupled security risks
Although the industry has recognized the limitations of a single alert and has attempted to identify correlations between anomalous data through various methods, existing methods still have significant shortcomings in terms of dynamism, generalization, and deployability. The first drawback of existing technology is its reliance on manually defined rules, which makes it difficult to cover dynamic scenarios. Methods based on rules or expert knowledge (such as event association engines and pre-defined knowledge graphs) rely on manually defining causal or logical relationships between events. However, in complex engineering scenarios, abnormal combination patterns are highly dynamic and difficult to enumerate exhaustively. New coupling risks often exceed the coverage of pre-defined rules, resulting in high false negative rates and high maintenance costs.
[0006] Second deficiency of existing technology: It only captures correlation and cannot distinguish the direction of causation. Multi-alarm fusion methods based on statistics or machine learning employ clustering, association rule mining, or simple weighted scoring to determine the "quantity superposition" or "co-occurrence frequency" of multi-source alarms. However, these methods only capture correlations, cannot distinguish causal directions, and are even less capable of modeling "nonlinear amplification effects."
[0007] The third drawback of existing technology is its reliance on a large number of accident samples, making real-time deployment difficult. Deep learning-based risk propagation models use graph neural networks or time series models to simulate the spread of safety hazards, but they usually require a large number of labeled "abnormal-consequence" samples for training. However, serious accidents rarely occur in real-world scenarios, and positive samples are extremely scarce. At the same time, such models have high computational complexity, making it difficult to achieve low-latency, high-concurrency real-time simulations on cloud platforms.
[0008] The fourth defect of the existing technology is that the output is uninterpretable and cannot be integrated into the operation and maintenance closed loop. Even if some systems can output "high security risk coupling", the results are mostly black-box scores or uninterpretable vectors, which cannot generate structured and actionable early warning suggestions and are difficult to integrate into existing operation and maintenance processes.
[0009] It should be noted that existing technologies generally treat abnormal data as independent inputs and lack explicit modeling of the "integrity of the security protection logic chain," which is the core difference between this invention and all known solutions.
[0010] In summary, current technology has not yet formed a coupled security hazard prediction mechanism that does not require manual rules, does not rely on accident labeling, supports causal inference, and can explicitly detect the failure of the protective layer.
Summary of the Invention
[0011] Purpose of the Invention: Addressing the four main shortcomings of the existing technologies, the purpose of this invention is to provide a method for predicting security risks arising from multi-source coupling of abnormal events in monitoring scenarios based on cloud platform causal inference, specifically solving the following problems:
To address defect 1 (reliance on manual rules): the invention addresses the missed detection of hidden system-level risks caused by "multiple low-risk abnormal data occurring simultaneously but security protection not starting as expected." It automatically discovers the coupling relationships of abnormal data by constructing an unsupervised cause-effect graph, without the need for manually preset rules.
To address defect 2 (capturing only correlation): the invention addresses the prediction challenge of "multiple anomalous events interacting in causal loops, triggering systemic risk resonance far exceeding linear superposition," by distinguishing causal directions and quantifying nonlinear amplification effects through causal direction deduction and risk resonance detection.
To address defect 3 (dependence on incident samples): real-time inference is achieved without a large number of labeled samples through the event cause-effect graph, supporting low-latency and high-concurrency deployment on cloud platforms.
To address defect 4 (uninterpretable output): the invention generates structured early warning information containing high-risk areas, dominant event chains, expected impact range, and operation and maintenance recommendations, and integrates it directly into existing operation and maintenance processes.
[0012] The present invention aims to achieve accurate identification and early warning of system-level security risks caused by multi-source coupling of events, and to achieve a substantial leap from "passive response" to "proactive prediction".
[0013] Technical Solution: A method for predicting security risks caused by multi-source coupling of abnormal events in monitoring scenarios based on cloud platform causal inference, including the following: An event causal graph is constructed to represent the temporal-spatial causal relationships of multi-source data on abnormal events. The correlations between the multi-source data of abnormal events are calculated to obtain the temporal-spatial causal relationships. Multi-source data of abnormal event entities are used as nodes in the event causal graph, and the temporal-spatial causal relationships of the multi-source data are used as the link strength between nodes. The event causal graph is trained and optimized using historical multi-source data of abnormal events to provide a model for predicting coupled security risks of abnormal events. The cloud platform receives multi-source data of abnormal events reported by multiple edge devices within the monitoring scenario. This data is used as input to the event causal graph. A causal path breakage detection mechanism and a causal loop risk resonance detection mechanism are introduced to calculate the coupled security risk value. When the coupled security risk value exceeds an adaptive dynamic threshold, structured early warning information is generated.
[0014] The term "coupled security risks" specifically refers to system-level security threats arising from the synchronous activation of two or more originally isolated multi-source data points in a monitoring scenario due to potential causal relationships or spatiotemporal correlations, under external disturbances or implicit system dependencies, and through nonlinear interaction effects. The severity of these threats is significantly higher than the simple superposition of individual multi-source data points. This invention focuses on the early identification and prediction of such coupled security risks. Its core lies in automatically discovering non-obvious collaborative patterns from multi-source heterogeneous alarms, even if these data points appear to have no direct correlation.
[0015] The method for predicting safety hazards includes the following: I. Constructing an event cause-effect graph to describe the temporal-spatial causal relationships of multi-source data on anomalous events. Construct an event cause-effect graph describing the time-space causal relationships of multi-source data on abnormal events based on the abnormal event entities in the monitoring scene data:
[0016] Here, the inputs are the abnormal event entity at time t and the multi-source data vector of abnormal events from time t - w to time t, where w denotes the granularity of the time slice.
[0017] A linear transformation is applied to the abnormal event entity at time t:
[0018] This yields the feature encoding of the abnormal event entity at time t, where Linear() is the linear transformation function.
[0019] To extract the temporal causal coupling of the multi-source data of abnormal event entities, the multi-head attention mechanism of the Transformer architecture is used to compute the correlation between the multi-source data vectors of abnormal events from time t - w to time t. The weight matrices are those learned by the Transformer model, and the Query, Key, and Value are computed from them, respectively.
[0020] Therefore, the weights of temporal causal correlation among multi-source data vectors of abnormal events can be calculated as follows:
[0021] Here the result measures the temporal causal correlation between the multi-source data vectors of abnormal events, d is the embedding feature dimension, and the pooling operator is the max pooling function.
[0022] The feature encoding of the abnormal event entity after coupling with the time causal relationship is calculated as follows:
[0023] In the context of causal coupling across multi-source data of anomalous events, the Transformer model input is the feature encoding of the anomalous event entities after temporal causal coupling. First, calculate the autocorrelation among the multi-source data of the anomalous event:
[0024] In addition to the autocorrelation among the multi-source data, this invention also considers the external correlation constrained by prior experience, that is, prior knowledge describing the correlation among the multi-source data of anomalous events.
[0025] In applications, if prior knowledge exists, both the autocorrelation among the multi-source data of anomalous events and the prior-knowledge correlation are considered; if it does not exist, only the autocorrelation among the multi-source data of anomalous events is considered.
[0026] The multi-head attention mechanism in the Transformer architecture is used to calculate the correlation between the multi-source data of anomalous event entities.
[0027] Here the weight matrices are those learned by the Transformer model. Subsequently, the spatial causal correlation weights of the multi-source data of anomalous events are calculated as follows:
[0028] Here the dimension is the embedding feature dimension.
[0029] Finally, the time-space causal relationship of the multi-source data of the anomalous event is calculated as follows:
[0030] Here the coefficients are the adjustment weights for the temporal and spatial causal relationships.
[0031] Taking the abnormal event entities as the nodes of the event cause-effect graph and the time-space causal relationships as the link strength between nodes, an event causal graph reflecting the temporal and spatial causal relationships of the multi-source data is trained and optimized using multi-source data of historical anomalous events, providing a model for predicting coupled security risks from anomalous events.
[0032] The cloud platform receives multi-source data of abnormal events reported by multiple edge devices in the monitoring scene. The multi-source data includes fields such as event type, timestamp, spatial location, device ID, and anomaly confidence level. These fields provide necessary input data for coupling causal inference of security risks and early warning output.
[0033] Multi-source data of abnormal events are input into an event causal graph representing the temporal-spatial causal relationship of multi-source data, and data is transmitted through the event causal graph network. A causal path breakage detection mechanism and a causal loop risk resonance detection mechanism are introduced: In the event causal graph, abnormal events in the monitoring scenario correspond to nodes in the event causal graph—abnormal event entities. When a node is activated, but its expected subsequent multi-source abnormal event data is not reported, the causal path is determined to be broken, indicating a failure of security protection, and is treated as a high-risk signal. Furthermore, closed feedback loops formed on the causal graph by multi-source data nodes corresponding to multiple abnormal events are identified, and the risk resonance intensity caused by the closed feedback loop is calculated. A coupled security risk value is calculated based on both path breakage and closed feedback loop scenarios. The coupled security risk value comprehensively reflects the activation intensity of the causal chain, the number of path breaks, the resonance intensity of the loop, the criticality of the event, and the vulnerability of the system, and is not a linear superposition of the security risks of each event.
[0034] When the value of the coupled security risk exceeds the adaptive dynamic threshold, a structured early warning message (i.e. a standardized early warning message containing predefined fields) is generated and pushed to the monitoring and management terminal.
[0035] Furthermore, the structured early warning information includes the following fields: (1) High-risk area: determined by the spatial location of the abnormal event corresponding to the currently active node; (2) Dominant event chain: It consists of the node with the highest activation value in the event causal graph and its predecessor node, in the form of “Event A → Event B → Event C”; (3) Expected impact range: Based on the spatial location of the terminal abnormal event in the dominant event chain and the historical impact range of the terminal abnormal event (area and range of high-risk areas); (4) Operation and maintenance suggestions: Based on the type of the dominant event chain and the path break detection results, match the corresponding handling measures from the preset suggestion library.
[0036] Furthermore, the event causal graph that is trained and optimized on the temporal-spatial causal relationships of the multi-source data takes the anomalous event entities as its nodes and the temporal-spatial causal relationships of the multi-source data on abnormal events as the link strength between nodes. This forms the initial model framework of the event causality graph. In practical applications, the event causality graph model needs to be retrained on historical multi-source data of abnormal events under actual working conditions. The loss function during training is calculated as follows: here the loss is a binary cross-entropy function used to adjust the parameters, the predicted value is the type of abnormal event predicted for time t, and the actual value is the abnormal event that actually occurred at time t.
[0037] Furthermore, the causal deduction of coupled security risks involves taking the abnormal event entities as graph nodes, inputting the data into the dynamic event causality graph, and transmitting it through the event causality graph network. The data transmission rule, i.e., the update formula for node activation values, is as follows:
[0038] Here the terms are: the activation value of a node after the current round of propagation; the activation value of a node after the previous round of propagation; the set of predecessor nodes pointing to a node; the link strength weight of the edge between two nodes in the event cause-effect graph; the path breakage penalty coefficient; and the causal path integrity indicator, which is defined as follows:
[0039] In the event cause-effect graph the nodes represent anomalous event entities, that is, the events themselves are the nodes. The physical meaning of this formula is: if a causal edge exists and its predecessor node (the cause event) is activated, but the resulting event is not reported (i.e., its initial activation value is 0), then the causal path along that edge is determined to be broken.
[0040] This is precisely the core of the "causal path breakage detection mechanism" of this invention: according to the security logic, the system anticipates the event that should be triggered after a cause event occurs (for example, "pressure increase" should trigger "safety valve opening"); if the expected event is missing, it indicates that the security protection has failed and should be treated as a high-risk signal.
[0041] The meanings of the symbols in the formulas are shown in Table 1.
[0042] Table 1. Symbol Meaning Comparison Table
[0043] It is worth noting that, although the path breakage penalty coefficient acts as a suppressor in message passing, its core value lies in triggering the accumulation of the break count, which amplifies the risk score significantly and enables the system to transform "silent failures" (such as a safety valve not opening) into quantifiable high-risk signals. The break count represents the number of causal path breaks currently detected.
[0044] The coupled security risk value is calculated using the following formula:
[0045] Here the first symbol represents the coupled security risk value in the current monitoring scenario. It is a non-negative real number used to quantify the degree of system-level security threat formed by the combined effects of the causal interaction and system state of multi-source abnormal events.
[0046] The next term represents the maximum activation value over all nodes after two rounds of data transmission, reflecting the activation strength of the strongest causal chain; in other words, it is the activation value of the node that is most strongly activated after two rounds of data transmission.
[0047] Each node in the event cause-effect graph corresponds to a predefined abnormal event (such as "video interruption", "temperature and humidity exceeding limits", etc.).
[0048] The activation value of a node after two rounds of message passing is calculated using the data passing rules of the event causal graph and reflects the combined intensity with which the event and its upstream causal chain are triggered by the current combination of anomalies.
[0049] The path breakage sensitivity gain coefficient is a preset positive real constant used to adjust the amplification effect of causal path breakage on the overall coupled safety hazard value.
[0050] The break count represents the number of causal path breaks detected so far; specifically, if a strong causal edge exists (i.e., a directed edge whose weight exceeds a threshold in the dynamic event causal graph), its predecessor event has been activated (i.e., its initial confidence is above the threshold), but the subsequent event is not reported (i.e., its initial activation value is zero), then that causal path (causal edge) is determined to be broken and is included in the count.
[0051] The preset event criticality benchmark weight is a pre-defined positive real constant that reflects the inherent importance of typical abnormal events in the security system. This value can be configured for the specific application scenario (for example, "main transformer high temperature" in a power scenario can be set to 1.5, while "video lag" in an ordinary park can be set to 1.0); the default value is used when no special configuration is required.
[0052] The next coefficient represents the risk resonance amplification factor.
[0053] The loop set represents the set of all closed loops (causal loops) formed by the activated nodes in the current event causal graph.
[0054] The loop weights represent the dynamic weights within a loop.
[0055] The system vulnerability coefficient characterizes the overall vulnerability of the current monitoring system due to the increased proportion of abnormal devices and the enhanced persistence of anomalies.
[0056] The physical meaning of the above formula is that the first term captures the intensity of the abnormal evolution that has already appeared, the second term specifically amplifies the risk of "protection failure", and the third term specifically captures and exponentially amplifies the "risk resonance intensity" caused by the causal loop. These three terms are completely missing in traditional linear superposition or pure correlation models.
[0057] The physical meaning of the formula consists of three parts: ① Causal chain activation term : Capture the strongest event chain formed after the anomalies that have occurred spread through the event causality graph, reflecting the risk of "chain evolution"; ② Path breakage penalty item It specifically identifies protection failure behaviors that should have been triggered but were not (such as "pressure rises but ventilation does not start") and amplifies them based on the importance of the event and the current load status of the system.
[0058] ③ Loop resonance amplification term It specifically identifies closed causal loops formed by multiple anomalous events and amplifies them nonlinearly based on the internal coupling strength and system vulnerability of the loop, reflecting the systemic threat of "risk resonance intensity".
[0059] The combination of these three elements enables the present invention not only to detect already apparent high-risk combinations, but also to provide early warning of hidden protective layer failures and potential systemic risk resonance, thereby achieving comprehensive coverage and forward-looking prediction of coupled security risks.
[0060] Furthermore, the system vulnerability coefficient is calculated as follows:
[0061] The system vulnerability coefficient characterizes the overall vulnerability of the current monitoring system due to the increased proportion of abnormal devices and the enhanced persistence of anomalies. Its terms are: the number of edge devices in an active abnormal state within the current time window; the total number of edge devices deployed within the monitored scenario; the duration of the current anomaly since its initial report; the preset time observation window (typically 300 seconds); and an indicator function that takes the value 1 if the same device repeatedly reports the same type of abnormal event within the window, and 0 otherwise. The system vulnerability adjustment coefficients are preset positive real numbers.
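The following is an added illustrative example, not the patent's own code or formulas: the risk formula, update rule and vulnerability formula are absent from this page, so every functional form here (two propagation rounds, penalty-weighted integrity, an additive break term scaled by criticality and vulnerability, an exponential loop-resonance term, and a linear vulnerability form) is an assumption. It shows how the mechanism described in [0033] to [0061] fits together on a constructed pumping-station graph and constructed Table 2 style reports: path-break detection, two-round propagation, loop enumeration, the vulnerability coefficient, the coupled risk value and the dominant event chain.

```python
import math
from typing import Dict, List, Tuple

Edge = Tuple[str, str]

# Constructed toy causal graph; link strengths are made up, not learned.
EDGES: Dict[Edge, float] = {
    ("pressure_rise", "safety_valve_open"): 0.9,  # protection that should follow
    ("pressure_rise", "vibration_high"): 0.7,
    ("vibration_high", "bearing_temp_high"): 0.8,
    ("bearing_temp_high", "pressure_rise"): 0.6,  # closes a causal loop
    ("video_lag", "video_interrupt"): 0.5,
}
# Preset event criticality benchmark weights (assumed values, cf. [0051]).
CRITICALITY = {"pressure_rise": 1.5, "safety_valve_open": 1.5, "vibration_high": 1.2,
               "bearing_temp_high": 1.2, "video_lag": 1.0, "video_interrupt": 1.0}
# Constructed reports carrying the Table 2 style fields named in [0032].
REPORTS = [
    {"event_type": "video_lag", "timestamp": 820, "location": "gate-1", "device_id": "C1", "confidence": 0.6},
    {"event_type": "pressure_rise", "timestamp": 880, "location": "pump-2", "device_id": "P1", "confidence": 0.9},
    {"event_type": "vibration_high", "timestamp": 900, "location": "pump-2", "device_id": "V1", "confidence": 0.7},
    {"event_type": "bearing_temp_high", "timestamp": 940, "location": "pump-2", "device_id": "T1", "confidence": 0.5},
    {"event_type": "video_lag", "timestamp": 950, "location": "gate-1", "device_id": "C1", "confidence": 0.6},
]


def initial_activation(edges, reports) -> Dict[str, float]:
    """Seed each node with the highest reported confidence; unreported nodes stay 0."""
    act = {n: 0.0 for e in edges for n in e}
    for r in reports:
        if r["event_type"] in act:
            act[r["event_type"]] = max(act[r["event_type"]], r["confidence"])
    return act


def detect_breaks(edges, act0, edge_thr=0.6, conf_thr=0.5) -> List[Edge]:
    """Causal path breakage: strong edge u->v, cause u activated, effect v never reported."""
    return [(u, v) for (u, v), w in edges.items()
            if w >= edge_thr and act0[u] >= conf_thr and act0[v] == 0.0]


def propagate(edges, act0, broken, rounds=2, penalty=0.5) -> Dict[str, float]:
    """Assumed update rule: incoming messages are link strength * predecessor activation,
    scaled by the penalty on broken edges; a node keeps at least its own seed value."""
    act = dict(act0)
    for _ in range(rounds):
        nxt = {}
        for v in act:
            msg = sum(w * act[u] * (penalty if (u, v) in broken else 1.0)
                      for (u, tgt), w in edges.items() if tgt == v)
            nxt[v] = min(1.0, max(act0[v], msg))
        act = nxt
    return act


def active_loops(edges, act, thr=0.5) -> List[List[str]]:
    """Simple directed cycles among active nodes, each listed once from its smallest node."""
    active = {n for n, a in act.items() if a >= thr}
    loops: List[List[str]] = []

    def walk(start, node, path):
        for (u, v), _ in edges.items():
            if u != node or v not in active:
                continue
            if v == start and len(path) > 1:
                loops.append(list(path))
            elif v > start and v not in path:
                walk(start, v, path + [v])

    for s in sorted(active):
        walk(s, s, [s])
    return loops


def vulnerability(reports, n_total, now, window=300, beta=(0.5, 0.5, 0.5)) -> float:
    """Assumed form: 1 + b1*abnormal device share + b2*persistence + b3*repeat indicator."""
    devices = {r["device_id"] for r in reports}
    persistence = min((now - min(r["timestamp"] for r in reports)) / window, 1.0)
    seen, repeat = set(), 0
    for r in reports:
        key = (r["device_id"], r["event_type"])  # same device, same event type
        repeat |= int(key in seen)
        seen.add(key)
    return 1.0 + beta[0] * len(devices) / n_total + beta[1] * persistence + beta[2] * repeat


def coupled_risk(edges, act, broken, loops, vuln, alpha=1.0, rho=1.0) -> float:
    """Assumed three-term form: strongest chain + break penalty + exponential loop resonance."""
    chain_term = max(act.values())
    crit = max((CRITICALITY.get(v, 1.0) for _, v in broken), default=0.0)
    break_term = alpha * len(broken) * crit * vuln
    resonance = sum(math.prod(edges[(p[i], p[(i + 1) % len(p)])] for i in range(len(p)))
                    for p in loops)
    return chain_term + break_term + rho * (math.exp(vuln * resonance) - 1.0)


def dominant_chain(edges, act, max_len=3, thr=0.5) -> List[str]:
    """Highest-activation node plus its strongest active predecessors, cause first."""
    chain = [max(act, key=act.get)]
    while len(chain) < max_len:
        preds = [(w * act[u], u) for (u, v), w in edges.items()
                 if v == chain[0] and act[u] >= thr and u not in chain]
        if not preds:
            break
        chain.insert(0, max(preds)[1])
    return chain


def analyse(edges, reports, n_total, now) -> dict:
    act0 = initial_activation(edges, reports)
    broken = detect_breaks(edges, act0)
    act = propagate(edges, act0, broken)
    loops = active_loops(edges, act)
    vuln = vulnerability(reports, n_total, now)
    return {"risk": round(coupled_risk(edges, act, broken, loops, vuln), 3),
            "breaks": broken, "loops": loops, "vulnerability": vuln,
            "dominant_chain": " → ".join(dominant_chain(edges, act)),
            "linear_sum": round(sum(act0.values()), 3)}


if __name__ == "__main__":
    print(analyse(EDGES, REPORTS, n_total=10, now=1000))
```

On the constructed input the one missing "safety_valve_open" report is flagged as a break, the pressure/vibration/bearing loop is found, and the coupled value (about 4.86) exceeds the plain sum of the seed confidences (2.7), which is the non-linear superposition the text describes.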
[0062] A computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the steps of the security hazard prediction method for multi-source coupling of abnormal events as described above.
[0063] Beneficial effects: Compared with the prior art, the present invention has the following beneficial effects: (1) Automatically discover implicit coupling relationships and get rid of manual rule dependence: Through the construction of unsupervised dynamic event causal graph, the causal dependence between events is automatically learned without the need for preset rules; when new combinations such as "pressure rises but ventilation is not started" occur, the protective layer failure can be automatically identified, avoiding the problem of missed reports in traditional rule engines.
[0064] (2) Distinguish between causal direction and nonlinear amplification, and break through the limitations of correlation analysis: By explicitly modeling the causal flow through a directed weighted dynamic event causal graph, and combining path breakage and loop resonance detection, it is possible to identify the nonlinear amplification effect of "high systemic risk after coupling of three low-risk anomalies", which solves the defect of traditional statistical methods that only capture co-occurrence frequency and cannot distinguish causal direction.
[0065] (3) Real-time simulation without accident samples overcomes the deployment obstacles of deep learning: The parameter-free lightweight graph neural network (i.e., event causal graph) is adopted, the model size is less than 50KB, and no large number of accident samples are required for training; it supports elastic scaling triggered by events, realizes low latency and high concurrency real-time simulation, and overcomes the problems of scarce samples and high computational complexity in traditional deep learning.
[0066] (4) Generate structured and interpretable early warnings and directly integrate them into the operation and maintenance closed loop: output structured information including high-risk areas, dominant event chains, expected impact range and operation and maintenance suggestions, so that operation and maintenance personnel can directly understand "why it is high-risk", "where it is affected" and "how to deal with it", which solves the pain points of traditional methods outputting uninterpretable information and being difficult to integrate into the operation and maintenance process.
Attached Figure Description
[0067] Figure 1 is a flowchart of a specific embodiment.
Detailed Implementation
[0068] The present invention will be further illustrated below with reference to specific embodiments. It should be understood that these embodiments are for illustrative purposes only and are not intended to limit the scope of the invention. After reading the present invention, any modifications of the present invention in various equivalent forms by those skilled in the art will fall within the scope defined by the appended claims.
[0069] As shown in Figure 1, the method for predicting security risks caused by multi-source coupling of abnormal events includes the following: An event causal graph is constructed to represent the temporal-spatial causal relationships of multi-source data on abnormal events. This involves acquiring multi-source data on abnormal event entities, calculating the correlations and autocorrelations between these data sources, determining the spatial causal correlation weights, and calculating the temporal-spatial causal relationships. The multi-source data of abnormal event entities serves as nodes in the event causal graph, and the temporal-spatial causal relationships represent the link strength between these nodes. The event causal graph is trained and optimized using historical multi-source data on abnormal events, providing a model for predicting coupled security risks from abnormal events. A cloud platform receives multi-source data on abnormal events reported by multiple edge devices within the monitoring scenario. This data is used as input to the event causal graph. A causal path breakage detection mechanism and a causal loop risk resonance detection mechanism are introduced to calculate coupled security risk values. When these values exceed an adaptive dynamic threshold, structured early warning information is generated.
[0070] In the current smart security industry ecosystem, a typical system integration model is being widely adopted: cloud service providers (CPs), such as Alibaba Cloud, Huawei Cloud, and Tencent Cloud, provide underlying IaaS / PaaS capabilities, while independent software vendors (ISVs) develop vertical-domain intelligent analysis engines based on the cloud platform and deliver them to end users in the form of SaaS. This model fully leverages the infrastructure advantages of cloud vendors in elastic computing, high-availability storage, and security compliance, while relying on the algorithm accumulation and business understanding of ISVs in specific scenarios (such as campus security and industrial monitoring) to achieve efficient collaboration between "infrastructure + intelligent applications".
[0071] The "CP + ISV" cooperation model has become the mainstream architecture for the construction of smart security systems in parks, campuses, and other similar institutions, and has been widely validated at the policy, technology, and commercial levels.
[0072] In this embodiment, the multi-source anomaly event coupling security risk prediction method in a monitoring scenario based on cloud platform causal inference belongs to this type of intelligent engine for coupling security risk prediction developed by ISVs and deployed on cloud platforms. It does not rely on specific hardware and can be seamlessly integrated into existing monitoring systems. It receives multi-source anomaly event streams through standardized interfaces and completes causal inference and early warning output of coupling security risks on the cloud side. The specific implementation of the present invention will be described in detail below with reference to a specific deployment environment.
[0073] (I) Method Deployment
The multi-source anomaly event coupling security risk prediction method in the monitoring scenario of this embodiment adopts a "cloud-edge collaborative architecture". The edge side is responsible for raw data collection and lightweight anomaly detection, while the cloud platform side is responsible for constructing the event causal graph of the time-space causal relationships of multi-source anomaly data and generating structured early warning information. This architecture both protects the privacy of local data in the park and realizes global intelligent analysis by utilizing the elastic computing power of the cloud.
[0074] "Cloud platform" refers to a cloud computing environment that provides computing, storage, networking and platform services, and its specific form can be flexibly selected according to the user's security strategy and business needs.
[0075] A standardized structure is used to encapsulate multi-source data on abnormal events, with specific field definitions shown in Table 2. This design ensures that data reported by edge devices from different vendors and of different types has unified semantics, supporting cross-modal event correlation analysis on cloud platforms.
[0076] Table 2. Definition of Fields for Multi-Source Data on Abnormal Events
[0077] Note: All of the above fields are required to ensure that the cloud platform can accurately identify the source, spatiotemporal attributes, and reliability of abnormal events, providing basic input for subsequent cause-effect graph construction.
[0078] (1) Deployment environment On the cloud platform side: The core engine of this embodiment (including constructing an event causal graph of multi-source data time-space causal relationships for abnormal events and generating structured early warning information, etc.) is deployed on a cloud platform, specifically a public cloud platform (such as Alibaba Cloud ECS instances, Huawei Cloud CCE container clusters, Tencent Cloud CVM, etc.), a private cloud platform (such as a customer-owned data center cloud environment built on OpenStack, VMware, or Alibaba Cloud Apsara Stack), or a hybrid cloud architecture. The cloud platform provides highly available computing resources, distributed storage, and API gateway services, supporting on-demand scaling to cope with sudden peaks in the event flow within the campus.
[0079] Edge devices deployed at various physical locations within the park include, but are not limited to: intelligent video devices (such as intelligent NVRs or AI cameras from Hikvision and Dahua Technology, with built-in video quality diagnostic capabilities), environmental sensors (such as PM2.5/CO2 concentration detectors, temperature and humidity transmitters and smoke alarms, connected to the edge gateway via LoRa, Zigbee or RS485), and security and IT devices (such as access control controllers, UPS power monitoring modules and network switch SNMP agents, which can report device offline, heartbeat packet loss, storage anomalies and other status events). Edge devices never upload raw video, images or audio; they only perform preliminary analysis locally and generate structured multi-source data on abnormal events.
[0080] (2) Data reporting mechanism. Edge devices report the multi-source data of abnormal events to the cloud platform in real time over a secure communication protocol. The process is as follows. Event trigger: when an edge device detects an anomaly (for example, no frames in the video stream for 3 consecutive seconds, or PM2.5 > 150 μg/m³), it generates a structured anomaly event record. Data encapsulation: the multi-source data of the anomaly event is encapsulated in the standardized data format of Table 2. This complete anomaly event record is later used on the cloud platform to construct the event cause-effect graph of the time-space causal relationships of the multi-source anomaly data and to generate structured early warning information. The encapsulation does not depend on the original video, image or audio content; only lightweight, anonymized structured information is transmitted, which preserves data privacy and significantly reduces network bandwidth consumption.
[0081] Secure transmission: reporting via a RESTful API over HTTPS (TLS 1.2 or later) is preferred and suits high-bandwidth, low-latency networks; in weak-network or low-power scenarios, MQTT over TLS can be used to achieve reliable asynchronous transmission through message queues. All communication requires mutual authentication: each edge device holds a device certificate, and the cloud platform verifies it before accepting any data.
[0082] Data retention strategy: original sensitive data such as video, images and audio always remains on the edge devices or local NVRs and is never uploaded to the cloud platform; the cloud platform stores only anonymized abnormal event records, which are retained for 7 days by default and deleted automatically when that period expires, in compliance with the Personal Information Protection Law and the Classified Protection of Cybersecurity 2.0 (MLPS 2.0) requirements.
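The following Python sketch is an added example, not code from the patent or its assignee, showing the cloud-side checks that paragraphs [0080] to [0082] imply: validating an incoming structured event record against the required fields named in claim 5 (event type, timestamp, spatial location, device ID, anomaly confidence), rejecting records that carry raw media, configuring the device-facing TLS endpoint so that TLS 1.2+ and a valid device certificate are mandatory, and expiring stored records after 7 days. The JSON field names, the list of media keys, the sample records and the `ca_path` parameter are assumptions; Table 2 itself is not reproduced on this page.

```python
"""Added example, not the patent's own code: ingestion-side checks for the
reporting mechanism described above. Field names, the media-key list and the
sample records are assumptions; the page's Table 2 is not reproduced."""
from datetime import datetime, timedelta
import ssl

REQUIRED_FIELDS = ("event_type", "timestamp", "location", "device_id", "confidence")
# Keys that would carry raw media, which must stay on the edge device / NVR.
FORBIDDEN_MEDIA_FIELDS = ("video", "image", "audio", "frame", "snapshot")
RETENTION = timedelta(days=7)  # cloud-side retention period stated on the page

# Constructed sample input, not real device output.
SAMPLE_EVENTS = [
    {"event_type": "video_interruption", "timestamp": "2026-05-13T08:00:00+08:00",
     "location": "building-3/floor-2/cam-17", "device_id": "nvr-03", "confidence": 0.97},
    {"event_type": "pm25_exceeded", "timestamp": "2026-05-13T08:00:05+08:00",
     "location": "outdoor-station-12", "device_id": "env-12", "confidence": 0.88,
     "image": "<base64 jpeg>"},                      # raw media: must be rejected
    {"event_type": "heartbeat_loss", "timestamp": "2026-05-13T08:00:07",
     "location": "gate-b", "device_id": "acc-21"},   # no tz offset, no confidence
]


def validate_event(record):
    """Return a list of problems; an empty list means the record is accepted."""
    problems = []
    for f in REQUIRED_FIELDS:
        if f not in record or record[f] in (None, ""):
            problems.append(f"missing required field: {f}")
    for f in FORBIDDEN_MEDIA_FIELDS:
        if f in record:
            problems.append(f"raw media not permitted on the cloud side: {f}")
    ts = record.get("timestamp")
    if isinstance(ts, str):
        try:
            if datetime.fromisoformat(ts).tzinfo is None:
                problems.append("timestamp must carry a timezone offset")
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    conf = record.get("confidence")
    if conf is not None and not (isinstance(conf, (int, float)) and 0.0 <= conf <= 1.0):
        problems.append("confidence must be a number in [0, 1]")
    return problems


def device_auth_context(ca_path=None):
    """Cloud-side TLS context for the device-facing endpoint: TLS 1.2 minimum and
    CERT_REQUIRED, so a device must present a certificate chaining to the device
    CA before any event data is accepted. ca_path is a hypothetical CA bundle."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_path:
        ctx.load_verify_locations(cafile=ca_path)
    return ctx


def device_auth_summary():
    """Plain-string view of the enforced TLS settings, for checks and logging."""
    ctx = device_auth_context()
    return {"verify_mode": ctx.verify_mode.name, "minimum_version": ctx.minimum_version.name}


def purge_expired(records, now_iso):
    """Drop records older than RETENTION relative to now_iso (tz-aware ISO 8601).
    Only records that passed validate_event are expected here."""
    now = datetime.fromisoformat(now_iso)
    return [r for r in records if now - datetime.fromisoformat(r["timestamp"]) < RETENTION]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["device_id"], validate_event(ev) or "accepted")
    print(device_auth_summary())
    print(len(purge_expired([SAMPLE_EVENTS[0]], "2026-05-21T00:00:00+00:00")), "records kept")
```

The validator runs before anything is written to storage, so a device that mistakenly includes a frame or snapshot is refused rather than silently stored in the cloud; the retention purge is keyed on the event's own timezone-aware timestamp, which is why the validator insists on an offset.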
[0083] (3) Typical deployment example (taking a university campus as an example). A university deployed the method of this embodiment as follows:
• 200 Hikvision AI cameras were installed in 10 buildings, and video quality diagnostic rules were configured on each NVR;
• 30 environmental monitoring stations were set up outdoors to collect PM2.5, noise, temperature and humidity data;
• the access control system connected 50 controllers, which report their online status;
• all devices were connected to the campus private cloud platform (based on Apsara Stack) over the campus network;
• when a sandstorm caused multiple video feeds to lag and PM2.5 levels to spike, the cloud platform automatically constructed a cause-and-effect graph, predicted that "access control may fail within the next 30 minutes due to power fluctuations", and pushed an early warning to the security department's large screen.
[0084] This deployment mode requires no modification to the existing monitoring infrastructure; it only requires edge devices to support structured event output (which is supported by most mainstream vendors) for rapid deployment.
[0085] (II) Definition of abnormal events. Event types include, but are not limited to: video-related: screen occlusion, video interruption, a sharp drop in target detection confidence; environmental: particulate matter concentration exceeding the standard, temperature or humidity exceeding limits; device-related: heartbeat packet loss, storage error, access control system offline.
[0086] (III) Construction of the event cause-and-effect graph. Collect the abnormal events of the past 7 days during which no major incident occurred. To extract the temporal causal coupling of the multi-source data of abnormal event entities, the multi-head attention mechanism of the Transformer architecture is used to calculate the correlation between the multi-source data vectors of abnormal events from time t−w to time t, using the query, key and value obtained from the weights computed by the Transformer model. The abnormal event entity at time t is represented by the multi-source data vectors of abnormal events at each time instant from t−w to t, where w is the granularity of the time slice. The temporal causal correlation between multi-source data vectors of abnormal events is calculated as follows:
[0087] where the result measures the temporal causal correlation between the multi-source data vectors of abnormal events, d is the dimension of the embedded features, and the max pooling function is applied. The feature encoding of the abnormal event entity after coupling with the temporal causal relationship is then calculated as follows:
[0088] First, calculate the autocorrelation among the multi-source data of the abnormal event:
[0089] At the same time, prior knowledge describing the correlation between the multi-source data of abnormal events is considered. In application, if prior knowledge exists, the autocorrelation among the multi-source data of abnormal events is computed with it; otherwise the autocorrelation is computed without it. The multi-head attention mechanism of the Transformer architecture is then used to calculate the correlation between the multiple data sources of the abnormal event entity, where the query, key and value are computed from the weights of the Transformer model.
[0090] Subsequently, the spatial causal correlation weights of the multi-source data of abnormal events are calculated as follows:
[0091] where the embedding feature dimension and the max pooling function are as above. Finally, the time-space causal relationship of the multi-source data of the abnormal event is calculated as follows:
[0092] where the adjustment weights balance the temporal and spatial causal relationships. The abnormal event entities at time t are taken as the nodes of the event cause-effect graph and the time-space causal relationship as the link strength between nodes; by training and optimizing this event causal graph on historical multi-source data of abnormal events, a model for predicting coupled safety hazards of abnormal events is obtained.
[0093] (IV) Generation of structured early warning information. After the event cause-and-effect graph has been constructed, lightweight graph reasoning is performed on the graph structure to generate structured early warning information for the current abnormal events.
[0094] Here "lightweight graph neural network" refers specifically to a deterministic inference mechanism that requires no parameter learning, has a fixed topology and a limited propagation depth, and directly reuses the causal graph weights.
[0095] Each abnormal event node carries an activation value after each round of propagation. The initial state is set from the confidence of the currently reported abnormal events (a node whose event has not been reported starts at 0). Two rounds of message passing are then executed (starting from the initially activated nodes and propagating twice along the event causal graph, simulating the secondary diffusion of the causal chain). In each round a node's activation is updated from: its activation value after the previous round (reflecting the degree to which the node's abnormal event is triggered by the causal chain); the set of its predecessor nodes, i.e. the event nodes with edges pointing to it in the event causal graph, any of which may trigger it; the link strength between each predecessor and the node; and the preset path breakage penalty coefficient, set to 0.8. The causal path integrity indicator is defined as follows:
[0096] where the threshold used is the abnormal activation threshold.
[0097] After completing the two rounds of message passing, the global coupled security risk value is calculated. Its expression is:
[0098] where the activation term is the activation value of a node after the two rounds of propagation are completed,
[0099] the break count is the number of currently detected causal path breaks, the preset criticality benchmark weight has a typical value of 1.2, and the system vulnerability coefficient is formed from the duration of the abnormality relative to a preset time window (e.g., 300 seconds), a flag equal to 1 if the same type of abnormal event is repeatedly reported by the same device and 0 otherwise, and an adjustment parameter.
[0100] This design automatically identifies coupled safety hazards such as "protective layer failure" when an expected causal event is missing (e.g., "pressure rises" but "ventilation is not started") and raises their score significantly, so that high-risk anomaly combinations are captured accurately.
[0101] Each round's update rule describes a causal inference mechanism with fault detection capability: while simulating how abnormal events propagate along the causal chain, it actively identifies broken paths where "the cause is present but the result is absent" and penalizes them through a penalty term, so that these abnormal patterns are explicitly encoded. The underlying principle is to diagnose whether the system responds as expected while deducing the causal evolution; a failure to respond is treated as a high-risk signal.
[0102] Although the node's activation value is suppressed, the break is recorded separately: the number of such breaks is counted, and an additional weighted penalty is applied in the final coupled security risk value (see the formula for that value).
[0103] The core purpose of this mechanism is therefore not to suppress propagation but to accurately capture "defense failure" coupled security risks, which traditional correlation analysis or ordinary graph neural networks (GNNs) cannot do.
[0104] For example (chemical industry scenario): assume the causal graph has the edge "pressure increases" → "safety valve opens" with a given weight. The currently reported event is "pressure increases", but "safety valve opens" is not reported. Then, for the event node "safety valve opens", the path integrity indicator marks the edge as broken (a strong antecedent is activated but the node itself is not); even though it receives input along the edge, its updated value is suppressed by the penalty coefficient. At the same time the system records one path break, and the final coupled security risk value rises significantly, triggering the warning: "Abnormal pressure detected but the safety valve is not responding, indicating a serious safety hazard."
[0105] Note that the causal path breakage detection mechanism proposed in this invention differs fundamentally from traditional fault diagnosis or anomaly detection: the former asks "whether the system responds according to safety logic", the latter only "whether a certain component is abnormal". In the chemical scenario above, "pressure increases" is itself an anomaly, but "the safety valve fails to open" constitutes a protection failure. This invention explicitly counts such cases and assigns them a high weight in the coupled security risk value, so that they are captured with priority. This mechanism has not been disclosed in publicly available patent literature.
[0106] (V) Early warning output. An adaptive dynamic threshold decides whether a coupled security hazard warning is triggered. The dynamic threshold is the 95th percentile of the historical sequence of coupled security hazard values: within a historical observation period (e.g., the past 7 days), the hazard value lies below this threshold at 95% of the time points and exceeds it in only 5% of cases. This suppresses false alarms caused by occasional fluctuations while ensuring that high-risk events are not missed, balancing early warning sensitivity and stability.
[0107] When the currently calculated coupled security risk value reaches or exceeds the 95th percentile of the historical sequence, a structured alert is generated. A structured alert is a standardized message containing predefined fields, for example: "
High Risk
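As an added example (not the patent's own code), the following Python block implements sections (IV) and (V) end to end on the chemical-plant case of paragraph [0104]: two rounds of activation propagation with causal path breakage detection, a coupled security risk value, the 95th-percentile adaptive threshold, and a structured alert with the fields of claim 7. The page does not reproduce the update formula or the risk formula, so the arithmetic here is an assumption assembled from the stated ingredients: activation spreads along weighted edges, a broken edge (cause reported above threshold, effect never reported) is scaled by the 0.8 penalty and counted, two rounds are run, and the risk value multiplies the 1.2 criticality weight by the peak activation plus the break count and by a vulnerability coefficient. The activation threshold (0.5), the break gain (1.0), the form of the vulnerability coefficient, the node names, the suggestion library and the alert layout are all assumed; loop resonance from claim 6 is not modelled.

```python
"""Added example, not the patent's own code: two-round causal propagation with
path breakage detection, coupled risk value, 95th-percentile threshold and a
structured alert. Formulas and constants marked 'assumed' are not from the page."""
from collections import defaultdict
import math

BREAK_PENALTY = 0.8         # preset path breakage penalty coefficient (page)
ACTIVATION_THRESHOLD = 0.5  # abnormal activation threshold (assumed value)
CRITICALITY_WEIGHT = 1.2    # preset criticality benchmark weight (page: 1.2)
BREAK_GAIN = 1.0            # path breakage sensitivity gain (assumed value)
ROUNDS = 2                  # two rounds of message passing (page)


def propagate(edges, reported, rounds=ROUNDS, threshold=ACTIVATION_THRESHOLD):
    """edges: {(cause, effect): link strength}; reported: {node: confidence} for
    the events currently reported (nodes not reported start at 0).
    Returns (activation after `rounds` rounds, list of broken edges)."""
    nodes = set(reported) | {n for e in edges for n in e}
    act = {n: float(reported.get(n, 0.0)) for n in nodes}
    preds = defaultdict(list)
    for (u, v), w in edges.items():
        preds[v].append((u, w))
    # Causal path integrity: cause activated above threshold, effect never reported.
    broken = [(u, v) for (u, v) in edges if act[u] >= threshold and act[v] == 0.0]
    broken_set = set(broken)
    for _ in range(rounds):
        nxt = {}
        for v in nodes:
            incoming = 0.0
            for u, w in preds[v]:
                contrib = w * act[u]
                if (u, v) in broken_set:
                    contrib *= BREAK_PENALTY  # suppressed here, but counted in `broken`
                incoming += contrib
            nxt[v] = min(1.0, max(act[v], incoming))  # own evidence or causal input
        act = nxt
    return act, broken


def vulnerability(abnormal_ratio, duration_s, repeated, window_s=300.0, lam=0.5):
    """System vulnerability coefficient (assumed form): rises with the share of
    abnormal devices, with persistence measured against the 300 s window named
    on the page, and with the 0/1 repeated-report flag."""
    persistence = min(1.0, duration_s / window_s)
    return 1.0 + lam * (abnormal_ratio + persistence + repeated)


def coupled_risk(act, broken, vuln):
    """Assumed risk formula: criticality * (peak activation + gain * breaks) * vuln."""
    peak = max(act.values()) if act else 0.0
    return CRITICALITY_WEIGHT * (peak + BREAK_GAIN * len(broken)) * vuln


def adaptive_threshold(history, q=0.95):
    """Nearest-rank q-quantile of the historical risk values (95th percentile)."""
    if not history:
        return math.inf
    s = sorted(history)
    return s[max(0, math.ceil(q * len(s)) - 1)]


def build_alert(edges, act, broken, risk, threshold, locations, suggestions):
    """Structured early warning with the fields of claim 7 (layout assumed).
    Returns None when the risk value stays below the adaptive threshold."""
    if risk < threshold:
        return None
    top = max(act, key=act.get)
    chain = [u for (u, v) in edges if v == top] + [top]  # predecessors + peak node
    return {
        "risk_level": "High Risk", "risk_value": round(risk, 3),
        "high_risk_area": locations.get(top, "unknown"),
        "dominant_event_chain": chain, "path_breaks": broken,
        "operation_suggestions": [suggestions[e] for e in broken if e in suggestions],
    }


def chemical_example(valve_reported=False):
    """Paragraph [0104]: pressure rises; the safety valve does or does not report opening."""
    edges = {("pressure_up", "safety_valve_open"): 0.9}
    reported = {"pressure_up": 0.95}
    if valve_reported:
        reported["safety_valve_open"] = 0.9
    act, broken = propagate(edges, reported)
    vuln = vulnerability(abnormal_ratio=0.1, duration_s=120, repeated=1)
    return act, broken, coupled_risk(act, broken, vuln)


if __name__ == "__main__":
    act, broken, risk = chemical_example()
    thr = adaptive_threshold([0.5 + 0.02 * i for i in range(100)])  # constructed history
    print(f"risk={risk:.3f} threshold={thr:.3f}")
    print(build_alert({("pressure_up", "safety_valve_open"): 0.9}, act, broken, risk, thr,
                      {"pressure_up": "reactor hall A"},
                      {("pressure_up", "safety_valve_open"): "inspect the safety valve actuator"}))
```

With these assumed constants the unreported valve yields a risk of about 4.1 against about 2.0 when the valve does report, which is the "defense failure scores higher than the same anomaly with its protection working" behaviour the section describes. Because the threshold is a percentile of the history, it is only meaningful if that history comes from a period without known incidents, as the graph construction step already requires for its 7-day window.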
[0108] This invention acquires multi-source data on abnormal events from the monitoring scenario and composes it into multi-source data vectors of abnormal events, which form the nodes of a causal graph model. The multi-source data vectors are coupled temporally and then spatially; the combined temporal-spatial coupling relationship of the abnormal events serves as the link weight between nodes of the causal graph model. The abnormal event causal graph model is trained on historical data for optimization. The cloud platform receives the current multi-source data, feeds it into the abnormal event causal graph, performs coupled security risk deduction, and outputs structured early warning information. Obviously, those skilled in the art will understand that the steps of the multi-source coupling security hazard prediction method for abnormal events described in the above embodiments can be implemented on general-purpose computing devices, either centralized on a single computing device or distributed across a network of multiple computing devices. Optionally, they can be implemented as device-executable program code stored in a storage device for execution by the computing device. Furthermore, in some cases the steps shown or described can be performed in a different order than presented here, or fabricated as separate integrated circuit modules, or multiple modules or steps can be fabricated as a single integrated circuit module. Thus, the embodiments of the present invention are not limited to any specific combination of hardware and software.
Claims
1. A method for predicting security risks caused by multi-source coupling of abnormal events, characterized in that it comprises the following: an event causal graph is constructed to represent the temporal-spatial causal relationships of the multi-source data of abnormal events; the correlations between the multi-source data of abnormal events are calculated to obtain the temporal-spatial causal relationships; the multi-source data of abnormal event entities are used as nodes of the event causal graph, and the temporal-spatial causal relationships of the multi-source data as the link strength between nodes; the event causal graph is trained and optimized using historical multi-source data of abnormal events to provide a model for predicting the coupled security risks of abnormal events; the cloud platform receives the multi-source data of abnormal events reported by multiple edge devices within the monitoring scenario and uses it as input to the event causal graph; a causal path breakage detection mechanism and a causal loop risk resonance detection mechanism are introduced to calculate the coupled security risk value; and when the coupled security risk value exceeds an adaptive dynamic threshold, structured early warning information is generated.
2. The method for predicting security risks caused by multi-source coupling of abnormal events according to claim 1, characterized in that, in extracting the temporal causal coupling of the multi-source data of abnormal event entities, the multi-head attention mechanism of the Transformer architecture is used to calculate the correlation between the multi-source data vectors of abnormal events from time t−w to time t, using the query, key and value obtained from the weights computed by the Transformer model, where the abnormal event entity at time t is represented by the multi-source data vectors of abnormal events at each time instant from t−w to t, and w is the granularity of the time slice.
3. The method for predicting security risks caused by multi-source coupling of abnormal events according to claim 2, characterized in that the temporal causal correlation between the multi-source data vectors of abnormal events is calculated such that the result measures the temporal causal correlation between them, d is the dimension of the embedded features and the max pooling function is applied; the feature encoding of the abnormal event entity after coupling with the temporal causal relationship is then calculated from this correlation.
4. The method for predicting security risks caused by multi-source coupling of abnormal events according to claim 2, characterized in that, in the spatial causal coupling of the multi-source data of abnormal events, the feature encoding of the abnormal event entities obtained from the temporal causal coupling is used: first, the autocorrelation among the multi-source data of the abnormal event is calculated; prior knowledge describing the correlation between the multi-source data of abnormal events is also considered, and in application the autocorrelation is computed with the prior knowledge if it exists and without it otherwise; the multi-head attention mechanism of the Transformer architecture is then used to calculate the correlation between the multiple data sources of the abnormal event entity, where the query, key and value are computed from the weights of the Transformer model;
subsequently, the spatial causal correlation weights of the multi-source data of abnormal events are calculated using the embedding feature dimension and the max pooling function; finally, the time-space causal relationship of the multi-source data of the abnormal event is calculated with adjustment weights for the temporal and spatial causal relationships; the abnormal event entities at time t are taken as the nodes of the event cause-effect graph and the time-space causal relationship as the link strength between nodes, and by training and optimizing the event causal graph on historical multi-source data of abnormal events, a model for predicting coupled safety hazards of abnormal events is provided.
5. The method for predicting security risks caused by multi-source coupling of abnormal events according to claim 1, characterized in that the cloud platform receives the multi-source data of abnormal events reported by multiple edge devices in the monitoring scene, and the multi-source data includes the fields event type, timestamp, spatial location, device ID and anomaly confidence.
6. The method for predicting security risks caused by multi-source coupling of abnormal events according to claim 1, characterized in that the causal path breakage detection mechanism and the causal loop risk resonance detection mechanism are as follows: in the event causal graph, the abnormal events of the monitoring scenario correspond to nodes of the graph, the abnormal event entities; when an abnormal event entity has been activated but the multi-source data of its expected subsequent abnormal event entities has not been reported, the causal path is determined to be broken and treated as a high-risk signal; in addition, closed feedback loops formed by the nodes of multiple abnormal events on the event causal graph are identified, and the risk resonance intensity caused by these closed feedback loops is calculated.
7. The method for predicting security risks caused by multi-source coupling of abnormal events according to claim 1, characterized in that, The structured early warning information includes the following fields: (1) High-risk area: determined by the spatial location of the currently activated anomalous event; (2) Dominant event chain: It consists of the node with the highest activation value in the event causal graph and its predecessor node; (3) Expected impact range: Based on the spatial location of the terminal abnormal event in the dominant event chain and the historical impact range of the terminal abnormal event; (4) Operation and maintenance suggestions: Based on the type of the dominant event chain and the path break detection results, match the corresponding handling measures from the preset suggestion library.
8. The method for predicting safety hazards caused by multi-source coupling of abnormal events according to claim 7, characterized in that the abnormal event entities are input to the event causal graph as graph nodes and propagated through the event causal graph network. The propagation rule, i.e. the update formula for node activation values, involves: the activation value of a node after the current round of propagation; the activation value of each node after the previous round; the set of predecessor nodes pointing to the node; the link strength between nodes of the event causal graph; and the path breakage penalty coefficient. The causal path integrity indicator is defined on the set of edges of the causal graph, whose nodes represent abnormal event entities: if a causal edge exists from a cause event node to a result event node, the cause node is activated (its initial activation value exceeds the abnormal activation threshold) and the result event has not been reported (its initial activation value is 0), then the causal path along that edge is determined to be broken.
9. The method for predicting security risks caused by multi-source coupling of abnormal events according to claim 1, characterized in that the coupled security risk value is calculated, and when it exceeds the adaptive dynamic threshold, structured early warning information is generated. The coupled security risk value of the current monitoring scenario is calculated from: the maximum activation value over all nodes after the two rounds of propagation, each node of the event cause-effect graph corresponding to a predefined abnormal event and carrying its activation value after the two rounds; the path breakage sensitivity gain coefficient multiplied by the number of currently detected causal path breaks; the preset event criticality benchmark weight; the risk resonance amplification factor, computed over the set of all closed loops formed by activated nodes in the current event causal graph, each loop carrying a dynamic weight; and the system vulnerability coefficient, which characterizes the overall vulnerability of the current monitoring system due to the increased proportion of abnormal devices and the persistence of anomalies.
10. A computer device, characterized in that: The computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the steps of the security hazard prediction method for multi-source coupling of abnormal events as described in any one of claims 1-9.