Industrial adaptive security protection system and method based on terminal load perception
The industrial adaptive security protection system based on terminal load perception solves the problem of time resource competition between protection and control tasks in industrial control systems, realizes the coordinated execution of real-time security protection and control, and improves the stability and determinism of the system.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications(China)
- Current Assignee / Owner: XIAMEN KUAIKUAI NETWORK TECH CO LTD
- Filing Date: 2026-05-18
- Publication Date: 2026-06-19
AI Technical Summary
Existing technologies struggle to balance the real-time performance and security protection of industrial control systems, leading to issues such as control task jitter, deadline breaches, and message timeouts.
The industrial adaptive security protection system based on terminal load perception acquires joint state data, performs time axis alignment and amplitude normalization processing, evaluates the time and resource requirements of protection tasks, splits protection tasks into task units and assigns scheduling priorities, constructs a task performance dataset, and performs feedback analysis and self-learning optimization.
It effectively reduces the real-time interference of protection tasks on control tasks, improves the operational determinism and stability of industrial control systems, avoids control task jitter and message timeouts, and achieves closed-loop feedback optimization of protection execution effect and control real-time performance.
Figure CN122240331A_ABST
Description
Technical Field
[0001] This invention relates to the field of security protection technology, specifically to an industrial adaptive security protection system and method based on terminal load perception.
Background Technology
[0002] With the development of the Industrial Internet, intelligent manufacturing, and the real-time and networked nature of industrial control systems, industrial terminals, while undertaking tasks such as logical operations, status acquisition, message interaction, and control command issuance, also need to perform security protection tasks such as vulnerability scanning, industrial protocol detection, log auditing, and malicious code interception in parallel. Existing technologies are unable to balance control real-time performance with security protection strength.
[0003] For example, invention patent CN105989270B discloses a database security protection method based on cloud computing on the Android platform. This method includes: a security mechanism for database protection implemented in the cloud using cloud computing technology; an authentication method based on user biometric recognition; an SQL injection prevention method; and a hybrid encryption algorithm, achieving three layers of database protection. This invention addresses the shortcomings of existing Android platform database protection technologies, such as the lack of SQL injection detection mechanisms and the difficulty in guaranteeing performance and efficiency. By relying on cloud-based security protection, it effectively reduces the load on local mobile terminals, ensures device performance, and makes database security protection on the Android platform more comprehensive and reliable, while also guaranteeing high efficiency and stability.
[0004] For example, invention patent CN117056085B discloses a load balancing method, apparatus, and security protection system, including: determining a target file to be detected; obtaining the current predicted idle state release time and current number of idle threads from each idle electronic device; obtaining a list of predicted idle durations ΔT based on the current time and each predicted idle state release time; iterating through ΔT, and if ΔTi > YT, determining the idle electronic device corresponding to ΔTi as a key electronic device to obtain several key electronic devices; determining the key electronic device with the largest current number of idle threads among the several key electronic devices as the target electronic device; and sending the target file to be detected to the target electronic device so that the target electronic device can perform security detection on the target file. This application can reduce the load on the detection server and achieve higher detection efficiency when performing security detection on the target file.
[0005] In existing technologies, the computational load of control cycle tasks in current systems exhibits periodic pulses and is sensitive to deadlines; while protection tasks may generate continuous occupancy or sudden peaks upon triggering. When the two overlap in the critical computation phase of the same control cycle, it causes control tasks to be preempted, execution windows to be squeezed, resulting in cycle jitter and deadline violations. In severe cases, it can lead to control message sending / receiving timeouts or queue overflows, creating a contradiction between real-time performance and security.
[0006] Therefore, in order to address the above issues, there is an urgent need for an industrial adaptive security protection system and method based on terminal load perception.
Summary of the Invention
[0007] Technical problems to be solved: To address the shortcomings of existing technologies, this invention provides an industrial adaptive security protection system and method based on terminal load perception, which solves the problem of resource competition between security protection tasks and control cycle tasks on the time scale, leading to increased control task jitter, deadline violations, message timeouts, and even instruction loss.
[0008] Technical solution: To achieve the above objectives, the present invention provides the following technical solution: an industrial adaptive security protection system and method based on terminal load perception, comprising: S1, acquiring joint state data and performing time axis alignment, feature extraction, and amplitude normalization on the joint state data; S2, evaluating the time and resource requirements of the protection task based on the joint state data, assessing the schedulability of the protection task, and outputting a protection scheduling dataset; S3, dividing the protection task into task units, assigning scheduling priorities, performing adaptation evaluation on the execution of each task unit, and constructing a task performance dataset; S4, extracting and constructing feedback analysis data, evaluating the degree of deviation between the current protection and the actual operating state, and outputting a self-learning result dataset.
[0009] Furthermore, the specific process of acquiring joint state data and performing time axis alignment, feature extraction, and amplitude normalization on the joint state data is as follows: Real-time acquisition of CPU utilization, memory usage, network bandwidth utilization, disk utilization, task queue length, and production task priority during the operation of the industrial terminal; monitoring and controlling the time distribution of task cycle duration, cycle start time, end time, key calculation segments, communication interaction segments, and available idle segments within a single cycle to acquire joint state data. The joint state data includes basic load level, production task priority labels, idle time window list, and number of idle time slices. Time axis alignment and feature extraction are performed on the joint state data based on control cycle synchronization. Each control cycle is divided into three time intervals: critical calculation segment, communication interaction segment, and concedable idle segment. Each concedable idle segment constitutes an idle time window, which is further divided into time slices. Each time slice is labeled with a time location tag, a duration tag, and a preemptibility level tag. The preemptibility level tag is mapped based on the interval type to which the time slice belongs and the current production task priority. Abnormal data caused by transient disturbances is filtered out using an outlier removal method. An adaptive adjustment strategy based on terminal type is used to reduce the acquisition frequency of PLC hard real-time terminals and DCS hard real-time terminals during priority task execution, thereby reducing the interference of acquisition behavior on control tasks. The amplitude of the joint state data is normalized.
[0010] Furthermore, based on joint state data, the specific process for assessing the time and resource requirements of protection tasks is as follows: Based on joint state data, according to the basic load level and production task priority, and in accordance with the hierarchical mapping criteria, preliminary protection tasks and lists are determined; time and resource assessments are performed on the preliminary protection tasks: the total estimated execution time of the preliminary protection tasks is calculated using a task complexity model, and the total available idle time in the next N periods is estimated through time series analysis using the number of idle time slices and the list of idle time windows; the terminal type is obtained from the terminal configuration information, the basic resource occupancy threshold is obtained according to the corresponding hierarchical mapping criteria, and the resource occupancy data of the protection tasks on the target terminals is collected, with the statistical peak value used as the estimated resource occupancy rate.
[0011] Furthermore, the specific process for evaluating the schedulability of protection tasks is as follows: Divide the total idle time selected based on the idle time window list and preemptible level labels by the total estimated execution time to obtain the time resource matching item; Subtract the basic resource occupancy threshold from the resource occupancy rate and compare it with zero to obtain the larger value, which is the resource occupancy over-limit; Divide the resource occupancy over-limit by the basic resource occupancy threshold to obtain the normalized resource over-limit item; Multiply the normalized resource over-limit item by the penalty factor dynamically associated with the current control cycle segment type to obtain the resource occupancy penalty item; Subtract the resource occupancy penalty item from the time resource matching item to obtain the protection schedulable value.
[0012] Furthermore, the specific process of outputting the protection scheduling dataset is as follows: compare the protection schedulable value with the scheduling threshold in real time, and dynamically adjust the protection task in combination with the protection exemption rules: when the protection schedulable value is lower than the scheduling threshold, the protection task is split into task units and allocated to the periodic idle time slice for serial execution in an interruptible and recoverable manner; when the protection schedulable value is not lower than the scheduling threshold, the original protection task is maintained, the available resources are dynamically calculated according to the terminal type, and task slices and allocation time windows are generated, and the protection scheduling dataset is output.
[0013] Furthermore, the specific process of breaking down the protection task into task units and assigning scheduling priorities is as follows: A protection scheduling dataset is received, including a task splitting scheme, a time slice allocation table, and personalized resource occupancy thresholds. The protection task is decomposed into independently executable task units with savable states at the atomic operation granularity. Each task unit is associated with an execution context snapshot structure. Idle time windows are registered as a dynamic time slice resource pool. The task unit is assigned a scheduling priority lower than that of the control task and is awakened for execution within the specified idle time slice according to the time slice allocation table. When the control task enters a critical computation segment, communication interaction segment, or a sudden priority production task occurs, the task unit immediately saves the current execution context snapshot and interrupts after detecting the start timestamp of the critical computation segment, resuming execution from the breakpoint in the next idle time slice. Resource occupancy of each task unit is monitored in real time during execution.
[0014] Furthermore, the specific process of adapting and evaluating the execution of each task unit and constructing a task performance dataset is as follows: The actual execution time of each task unit is recorded through real-time monitoring; the allocated time slice length is obtained through the time window allocated by the task scheduler; historical interruption counts are statistically analyzed through interrupt service routines; the total historical execution count is accumulated through task execution counts; and peak resource usage during execution is collected in real-time through the resource monitoring interface. The above information is integrated to generate a task execution log. Based on the task execution log, a recursive sliding window algorithm is used to calculate the execution adaptation value of each task unit in real-time: the execution adaptation value of the previous moment is multiplied by a forgetting factor to obtain the initial term; the actual execution time is divided by the time slice length to obtain the time term; the historical interruption count is divided by the total historical execution count to obtain the interruption frequency term; the interruption frequency term is then multiplied by an interrupt sensitivity coefficient to obtain the interruption penalty term; and it is determined whether the peak resource usage exceeds the basic resource usage threshold. If the value is greater than the threshold, the indicator function is set to 1; otherwise, it is set to 0. The value of the indicator function is multiplied by the over-threshold penalty coefficient to obtain the over-limit penalty term. The interruption penalty term and the over-threshold penalty term are subtracted from the time term, and the difference is multiplied by the result of 1 minus the forgetting factor to obtain the deviation term. The initial term and the deviation term are added to obtain the execution adaptation value at the current moment. 
The execution adaptation value is compared with the performance threshold range in real time. The performance threshold range includes the lower threshold and the upper threshold: when the execution adaptation value is lower than the lower threshold, the task scheduler is triggered to perform finer-grained splitting of the task unit and the task is marked as a performance decay task, generating a performance decay alarm signal; when the execution adaptation value is higher than the upper threshold, it is determined that there is a resource contention anomaly, and the system is triggered to roll back to the previous version of the protection rule or switch to the backup rule version; when the execution adaptation value is within the threshold range, the current splitting scheme and rule version are maintained, and the task is marked as a normal performance task, constructing a task performance dataset containing the adaptation value and adjustment records.
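The recursion and threshold handling described in [0014], written out as an added example (not code from the patent). The record field names, the coefficient values, the threshold range and the initial adaptation value are all assumptions chosen for illustration, and the log entries are constructed.

```python
"""Recursive execution adaptation value for one protection task unit."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecutionRecord:
    """One task execution log entry (field names are assumptions)."""
    actual_us: float       # measured execution time of the task unit
    slice_us: float        # length of the idle time slice it was allocated
    interrupted: bool      # unit saved its context snapshot and yielded
    peak_occupancy: float  # peak resource usage while running, 0..1


class AdaptationTracker:
    """Holds the running counts and the previous adaptation value."""

    def __init__(self, forgetting=0.8, interrupt_sensitivity=0.5,
                 over_threshold_penalty=0.3, base_threshold=0.6,
                 lower=0.4, upper=1.0, initial_value=0.7):
        # Every default above is an assumed, illustrative constant.
        if not 0.0 <= forgetting < 1.0:
            raise ValueError("forgetting factor must be in [0, 1)")
        if lower >= upper:
            raise ValueError("lower threshold must be below upper threshold")
        self.forgetting = forgetting
        self.interrupt_sensitivity = interrupt_sensitivity
        self.over_threshold_penalty = over_threshold_penalty
        self.base_threshold = base_threshold
        self.lower, self.upper = lower, upper
        self.value = initial_value
        self.executions = 0     # total historical execution count
        self.interruptions = 0  # historical interruption count

    def update(self, rec):
        """Fold one log entry into the adaptation value; return (value, action)."""
        if rec.slice_us <= 0:
            raise ValueError("time slice length must be positive")
        self.executions += 1
        self.interruptions += int(rec.interrupted)

        initial_term = self.forgetting * self.value
        time_term = rec.actual_us / rec.slice_us
        interrupt_freq = self.interruptions / self.executions
        interrupt_penalty = self.interrupt_sensitivity * interrupt_freq
        indicator = 1 if rec.peak_occupancy > self.base_threshold else 0
        over_penalty = self.over_threshold_penalty * indicator
        deviation_term = (1.0 - self.forgetting) * (
            time_term - interrupt_penalty - over_penalty)

        self.value = initial_term + deviation_term
        return self.value, self.classify()

    def classify(self):
        """Map the current value onto the three outcomes in the description."""
        if self.value < self.lower:
            return "split_finer"      # performance decay task, raise alarm
        if self.value > self.upper:
            return "rollback_rules"   # resource contention anomaly
        return "keep"                 # normal performance task


def replay(records, **params):
    """Run a whole execution log through a fresh tracker."""
    tracker = AdaptationTracker(**params)
    return [tracker.update(r) for r in records]


# Constructed log: a clean run followed by two interrupted, over-threshold runs.
SAMPLE_LOG = [
    ExecutionRecord(80, 100, False, 0.5),
    ExecutionRecord(30, 100, True, 0.7),
    ExecutionRecord(20, 100, True, 0.7),
]

if __name__ == "__main__":
    for value, action in replay(SAMPLE_LOG):
        print(f"{value:.4f} {action}")
```

With these constants a unit that is repeatedly cut short drifts below the lower threshold within three executions, while a single run that overshoots its slice by 2.5x pushes a fresh tracker above the upper threshold.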
[0015] Further, the specific process of extracting and constructing feedback analysis data to assess the deviation between the current protection and the actual operating state is as follows: The fluctuation of the time deviation in each control cycle is statistically analyzed, and the variance of the cycle time deviation is normalized to obtain the control cycle jitter rate; the sending time of each control message is recorded, and the proportion of messages exceeding the message time limit to the total number of messages is statistically analyzed to obtain the message timeout rate; the number of triggers where the CPU utilization, memory utilization, cache utilization, or bus bandwidth utilization exceeds the basic resource utilization threshold during the execution of the task unit is statistically analyzed, and the number of triggers is divided by the total number of execution cycles to obtain the resource over-threshold trigger frequency; the number of performance degradation tasks is statistically analyzed, and the proportion of performance degradation tasks is obtained by dividing by the total number of task units; the execution results of each task unit belonging to the same original protection task are summarized, and the proportion of completed task units to the total number of task units is statistically analyzed to obtain the protection completion rate; the allocated idle time is statistically analyzed. The total time actually effectively occupied by task units within a time slice is divided by the total duration of allocated idle time slices to obtain the idle time slice utilization rate, which constitutes the feedback analysis data. 
The control cycle jitter rate is multiplied by the jitter coefficient to obtain the jitter item; the message timeout rate is multiplied by the timeout coefficient to obtain the timeout item; the resource over-threshold trigger frequency and the proportion of performance degradation tasks are added together and then multiplied by the execution risk coefficient to obtain the execution risk item; the jitter item, timeout item, and execution risk item are all added together to obtain the rule mismatch amount; the protection completion rate is multiplied by the completion rate support coefficient to obtain the completion rate support item; the idle time slice utilization rate is multiplied by the time slice coefficient to obtain the time slice support item; the completion rate support item, time slice support item, and bias item are added together to obtain the rule support amount; the rule mismatch amount is divided by the rule support amount to obtain the rule correction strength value; when the rule support amount is lower than the support threshold, it is determined to be a high correction strength; the deviation between the current protection and the actual operating state is assessed.
[0016] Furthermore, the specific process of outputting the self-learning result dataset is as follows: The rule correction intensity value is compared with the correction threshold in real time. When the rule correction intensity value is higher than the correction threshold, it indicates that the current protection strategy is not adequately adapted, triggering the rule optimization process. Within M consecutive control cycles, if the number of resource exceedances after optimization increases compared to the same length window before optimization, the optimization effect is deemed to have deteriorated, and the system is rolled back to the previous stable rule version that meets the upper limits of jitter rate and timeout rate within the same window. When the rule correction intensity value is not higher than the correction threshold, the current terminal type, basic load level, and corresponding rule version number are recorded, and the self-learning result dataset is output.
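The feedback loop of [0015] and [0016] as an added example (not code from the patent): it derives two of the rates from constructed raw samples, computes the rule correction strength, and picks a rollback target. All coefficients, thresholds, field names and rule version labels are assumptions, and the jitter normalisation (variance over squared tolerance, clipped to 1) is one possible choice, since the description does not fix it.

```python
"""Rule correction strength and rollback decision from feedback data."""
from dataclasses import dataclass
from statistics import pvariance


@dataclass(frozen=True)
class Coefficients:
    """Weighting coefficients; every value is assumed for illustration."""
    jitter: float = 0.4
    timeout: float = 0.4
    exec_risk: float = 0.2
    completion: float = 0.6
    time_slice: float = 0.3
    bias: float = 0.1


@dataclass(frozen=True)
class Feedback:
    jitter_rate: float          # control cycle jitter rate
    timeout_rate: float         # message timeout rate
    over_threshold_freq: float  # resource over-threshold trigger frequency
    decay_ratio: float          # proportion of performance decay tasks
    completion_rate: float      # protection completion rate
    slice_utilization: float    # idle time slice utilization rate


@dataclass(frozen=True)
class RuleVersion:
    version: str
    jitter_rate: float
    timeout_rate: float


def jitter_rate(cycle_deviations_us, tolerance_us):
    """Assumed normalisation: variance / tolerance^2, clipped to [0, 1]."""
    return min(pvariance(cycle_deviations_us) / tolerance_us ** 2, 1.0)


def timeout_rate(latencies_us, limit_us):
    """Share of control messages that exceeded the message time limit."""
    late = sum(1 for latency in latencies_us if latency > limit_us)
    return late / len(latencies_us)


def correction_strength(fb, k=Coefficients(), support_threshold=0.5):
    """Return (strength, forced_high) following the steps in [0015]."""
    mismatch = (k.jitter * fb.jitter_rate
                + k.timeout * fb.timeout_rate
                + k.exec_risk * (fb.over_threshold_freq + fb.decay_ratio))
    support = (k.completion * fb.completion_rate
               + k.time_slice * fb.slice_utilization
               + k.bias)
    if support <= 0:
        raise ValueError("rule support amount must be positive")
    # Low support is treated as high correction strength regardless of ratio.
    return mismatch / support, support < support_threshold


def next_step(strength, forced_high, correction_threshold=0.3):
    """Trigger rule optimization or record the current rule version."""
    if forced_high or strength > correction_threshold:
        return "optimize"
    return "record"


def review_optimization(over_before, over_after, history,
                        jitter_cap=0.05, timeout_cap=0.02):
    """Compare over-limit counts across equal M-cycle windows.

    If the count rose after optimization, roll back to the most recent
    version in `history` (oldest first) that met both caps.
    """
    if over_after <= over_before:
        return "keep", None
    for candidate in reversed(history):
        if (candidate.jitter_rate <= jitter_cap
                and candidate.timeout_rate <= timeout_cap):
            return "rollback", candidate.version
    raise LookupError("no stable rule version satisfies the caps")


# Constructed measurements for one evaluation window.
SAMPLE_FEEDBACK = Feedback(
    jitter_rate=jitter_rate([-10, 10, -10, 10], tolerance_us=20),
    timeout_rate=timeout_rate([100, 200, 900, 1200], limit_us=800),
    over_threshold_freq=0.1, decay_ratio=0.2,
    completion_rate=0.9, slice_utilization=0.5)

# Constructed rule history, oldest first.
SAMPLE_HISTORY = [RuleVersion("r1", 0.02, 0.00),
                  RuleVersion("r2", 0.03, 0.01),
                  RuleVersion("r3", 0.20, 0.05)]

if __name__ == "__main__":
    s, high = correction_strength(SAMPLE_FEEDBACK)
    print(round(s, 4), high, next_step(s, high))
    print(review_optimization(3, 5, SAMPLE_HISTORY))
```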
[0017] Furthermore, a second aspect of the present invention provides an industrial adaptive security protection system based on terminal load perception, applied to an industrial adaptive security protection method based on terminal load perception, comprising: a load perception and time slice monitoring module, used to acquire joint state data and perform time axis alignment, feature extraction, and amplitude normalization processing on the joint state data; a strategy decision and resource coordination module, used to evaluate the time and resource requirements of protection tasks based on the joint state data, evaluate the schedulability of protection tasks, and output a protection scheduling dataset; an isolation protection execution module, used to split protection tasks into task units, assign scheduling priorities, perform adaptation evaluation on the execution of each task unit, and construct a task performance dataset; and a feedback optimization and rule self-learning module, used to extract and construct feedback analysis data, evaluate the degree of deviation between the current protection and the actual operating state, and output a self-learning result dataset.
[0018] Beneficial effects: The present invention has the following beneficial effects: (1) This invention introduces a time-slice collaborative protection mechanism under control cycle perception, which performs fine-grained matching between the protection task execution process and the key calculation segment, communication interaction segment and transferable idle segment in the industrial terminal control cycle, so that the security protection behavior changes from preemptive execution to intermittent execution, effectively reducing the real-time interference of the protection task on the control task and improving the determinism and stability of the industrial control system operation.
[0019] (2) This invention establishes a protection schedulable value calculation mechanism, which comprehensively considers the total idle time, total estimated execution time, resource occupancy rate and basic resource occupancy threshold, and jointly evaluates the time resource matching degree and resource over-limit risk of protection tasks. It can determine the schedulability of protection tasks in advance before they are executed, thereby avoiding blindly executing protection tasks under conditions of resource shortage or insufficient time slices, and reducing control task jitter, deadline default and message timeout problems.
[0020] (3) In this invention, by constructing a dynamic time slice resource pool and assigning task units a scheduling priority lower than that of control tasks, each task unit is awakened and executed only within a specified idle time slice; at the same time, when the control task is detected to enter a critical computing segment, communication interaction segment or a sudden high-priority production task, the execution context can be saved immediately and the task unit can be interrupted, and execution can be resumed after the idle time slice arrives, thereby effectively preventing the protection task from encroaching on the control critical resources.
[0021] (4) This invention introduces an execution adaptation value to recursively quantify the execution efficiency, execution stability, and resource overrun of task units within idle time slices. Based on the rule correction intensity value, it comprehensively controls the cycle jitter rate, message timeout rate, resource overrun trigger frequency, efficiency decay task ratio, protection completion rate, and idle time slice utilization rate, and performs dynamic correction to achieve closed-loop feedback optimization between protection execution effect and control real-time performance.
[0022] Of course, any product implementing this invention does not necessarily need to achieve all of the advantages described above at the same time.
Attached Figure Description
[0023] Figure 1 is a flowchart of the industrial adaptive security protection method based on terminal load perception of the present invention; Figure 2 is an architecture diagram of the industrial adaptive security protection system based on terminal load perception of the present invention; Figure 3 is a graph showing the changes in the execution adaptation value of task units in the present invention; Figure 4 is a dynamic change diagram of the rule correction intensity value in the present invention; Figure 5 is a statistical chart showing the distribution of the rule correction intensity value in the present invention.
Detailed Implementation
[0024] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0025] Referring to Figures 1-5, this invention provides a technical solution: an industrial adaptive security protection method based on terminal load perception, comprising: S1, acquiring joint state data and performing time axis alignment, feature extraction, and amplitude normalization on the joint state data; S2, evaluating the time and resource requirements of the protection task based on the joint state data, assessing the schedulability of the protection task, and outputting a protection scheduling dataset; S3, dividing the protection task into task units, assigning scheduling priorities, performing adaptation evaluation on the execution of each task unit, and constructing a task performance dataset; S4, extracting and constructing feedback analysis data, evaluating the degree of deviation between the current protection and the actual operating state, and outputting a self-learning result dataset.
[0026] Specifically, the process of acquiring joint state data and performing time-axis alignment, feature extraction, and amplitude normalization on the joint state data is as follows: Real-time acquisition of CPU utilization, memory usage, network bandwidth utilization, disk utilization, task queue length, and production task priority during industrial terminal operation; the acquisition interface is implemented based on operating system performance counters and terminal data agents, reading data at fixed sampling periods; monitoring and controlling the time distribution of task cycle duration, cycle start time, end time, key calculation segments, communication interaction segments, and available idle segments within a single cycle to acquire joint state data, which includes basic load levels, production task priority labels, idle time window lists, and the number of idle time slices; and dividing the data into k levels from L1 to Lk based on a weighted score of CPU utilization, memory usage, network bandwidth utilization, disk utilization, and task queue length.
[0027] Based on the time attribute analysis of control cycle synchronization and control task cycle duration, start time, and end time, a cycle start time alignment and linear interpolation method is used to align the joint state data on the time axis and extract features. Each control cycle is divided into three time intervals: critical calculation segment, communication interaction segment, and concedable idle segment. Each concedable idle segment constitutes an idle time window, which is further divided into time slices. Each time slice is labeled with a time position label, a duration label, and a preemptibility level label. The preemptibility level label is mapped according to the interval type to which the time slice belongs and the current production task priority. An outlier removal method is used, employing a sliding window mean filter to remove abnormal data caused by transient disturbances. An adaptive adjustment strategy based on terminal type is used to reduce the acquisition frequency of PLC hard real-time terminals and DCS hard real-time terminals during priority task execution, reducing the interference of acquisition behavior on control tasks. The joint state data is subjected to amplitude normalization. Min-max normalization or Z-score normalization methods are used to normalize the amplitude, mapping each indicator to the range [0,1].
[0028] This implementation scheme improves the accuracy of identifying the execution rhythm of control tasks and available time resources. At the same time, through outlier cleaning, adaptive adjustment of acquisition frequency, and amplitude normalization, it enhances the stability, consistency, and comparability of joint state data, reduces the interference of transient disturbances and acquisition behavior itself on the real-time control process of the terminal, and thus provides accurate, stable, and industrial-scenario-adaptive basic data support for the assessment of the schedulability of protection tasks, time-slice collaborative scheduling, and rule self-optimization.
[0029] Specifically, the process of assessing the time and resource requirements of protection tasks based on joint state data is as follows: Based on the joint state data, and according to the basic load level and production task priority, a preliminary list of protection tasks is determined according to the hierarchical mapping criteria. The hierarchical mapping criteria divide the protection tasks into three levels: basic protection, standard protection, and deep protection, based on the combination of basic load level and production task priority. Each level is associated with a list of protection tasks. The specific mapping relationship is as follows: when the basic load level is low and the production task priority is low, it is mapped to the deep protection level; when the basic load level is medium and the production task priority is medium, it is mapped to the standard protection level; when the basic load level is high and the production task priority is high, it is mapped to the basic protection level.
[0030] Time and resource assessment of the initial protection tasks: The total estimated execution time of the initial protection tasks is calculated using a task complexity model. The total available idle time in the next N periods is estimated through time series analysis using the number of idle time slices and the list of idle time windows. The terminal type is obtained from the terminal configuration information. The basic resource occupancy threshold is obtained according to the corresponding hierarchical mapping criteria. Resource occupancy data of the protection tasks on the target terminals is collected. The statistical peak value is used as the estimated resource occupancy rate for comparison with the basic resource occupancy threshold.
[0031] This implementation plan avoids the interference of blindly executing high-intensity protection tasks on the control process, and also avoids security gaps caused by insufficient protection strength in low-load scenarios. It improves the rationality and foresight of protection strategy selection, enhances the matching degree between protection tasks and available computing resources and time slice resources on the terminal, and provides a reliable basis for protection schedulability assessment and time slice collaborative execution.
[0032] Specifically, the process for evaluating the schedulability of protection tasks is as follows: Divide the total idle time (screened based on the idle time window list and preemptible level labels) by the total estimated execution time to obtain a time-resource matching item. Subtract the basic resource occupancy threshold from the resource occupancy rate and compare it with zero, taking the larger value to obtain the resource occupancy over-limit. Divide the resource occupancy over-limit by the basic resource occupancy threshold to obtain a normalized resource over-limit item. Multiply the normalized resource over-limit item by a penalty factor dynamically associated with the current control cycle segment type to obtain a resource occupancy penalty item. The penalty factor is set to a larger value in critical calculation segments to suppress scheduling and a smaller value in yieldable idle segments to allow scheduling. This ensures that the construction of the protection schedulable value can adapt to the real-time requirements of the control tasks, prioritizing the scheduling of protection tasks during periods with sufficient idle resources and low interference risk, thereby reducing control jitter and timeout risks. Subtract the resource occupancy penalty item from the time-resource matching item to obtain the protection schedulable value.
[0033] The specific formula for calculating the schedulable protection value is as follows: ; In the formula, This indicates the schedulable protection value, used to determine whether a protection task can be directly scheduled; This represents the total idle time, the total amount of time and resources used to perform protection tasks. This indicates the total estimated execution time, used to determine whether time resources are sufficient; The penalty factor is obtained by statistically analyzing the relationship between the control task jitter rate, deadline default rate, message timeout rate and protection completion rate under different resource occupancy levels, and then performing normalization fitting through joint calibration. The value range is [0,1], and it is used to adjust the penalty intensity of resource occupancy exceeding the limit on scheduling decisions. This represents the resource utilization rate, used to assess the intensity of the protection task's consumption of terminal computing resources; This represents the basic resource usage threshold, determined by conducting multiple rounds of stress tests under unprotected tasks and different protection intensities, and statistically analyzing the control cycle jitter rate, message timeout rate, and task success rate. It is a real number ranging from 0% to 100% and serves as a baseline for resource usage.
[0034] This implementation plan enhances the adaptability of protection task scheduling decisions to the real-time requirements of industrial control, enabling protection tasks to be executed preferentially during periods with sufficient idle resources and low interference risks. This reduces the risks of control cycle jitter, deadline defaults, and message timeouts caused by resource competition, and improves the coordination and scheduling accuracy between protection and control tasks.
[0035] Specifically, the process of outputting the protection scheduling dataset is as follows: Real-time comparison of the schedulable protection value with the scheduling threshold, combined with protection exemption rules to dynamically adjust protection tasks: Protection exemption rules are set based on production task priority labels, terminal types, and control cycle stages, specifically including: when the production task priority label is urgent or high priority, all non-core protection tasks are exempted from execution; when the terminal type is a PLC or DCS hard real-time terminal and is in a critical computing or communication interaction segment, all protection tasks in the current cycle are exempted from execution; when the production task priority label is medium and is in a transferable idle segment, only the full data detection item in the deep protection task is exempted; when the production task priority label is low and the accumulated idle time slices are sufficient, exemption rules are not enabled, and all protection tasks are executed according to the original strategy.
[0036] When the schedulable protection value is lower than the scheduling threshold, the protection task is split into task units, which are allocated to the periodic idle time slices that match the preemptible level label. Each task unit is associated with the execution context snapshot structure and executed serially in an interruptible and recoverable manner. When the schedulable protection value is not lower than the scheduling threshold, the original protection task is maintained, the available resources are dynamically calculated according to the terminal type, task slices and allocation time windows are generated, and the protection scheduling dataset is output.
[0037] In this implementation plan, by comparing the schedulable protection value with the scheduling threshold in real time, and constructing differentiated protection exemption rules in combination with production task priority, terminal type and control cycle stage, dynamic screening and adaptive scheduling of protection tasks under different industrial operation scenarios are realized; protection tasks are prevented from encroaching on critical control resources; when the terminal is in a transferable idle period and the idle time slice is sufficient, a more complete protection task execution can be retained or restored, thereby ensuring the real-time and continuous control while taking into account the integrity of security protection.
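The schedulability evaluation of [0032] and the exemption and split decisions of [0035]-[0036], as an added example that is not code from the patent. The segment names, penalty factor values, task names, terminal label "HMI" and the scheduling threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Penalty factor per control-cycle segment type. The page fixes only the range
# [0, 1] and the ordering (larger in critical segments); these values are assumed.
PENALTY_BY_SEGMENT = {
    "critical_compute": 1.0,
    "comm_interaction": 0.8,
    "yieldable_idle": 0.2,
}
HARD_REALTIME_TERMINALS = {"PLC", "DCS"}


@dataclass
class ProtectionTask:
    name: str
    core: bool               # core tasks survive the urgent/high exemption
    est_exec_ms: float       # total estimated execution time
    peak_occupancy: float    # statistical peak resource occupancy, 0..1
    items: list = field(default_factory=list)  # detection items of the task


@dataclass
class TerminalState:
    terminal_type: str       # "PLC", "DCS", or another terminal label
    segment: str             # key of PENALTY_BY_SEGMENT
    priority: str            # "urgent" | "high" | "medium" | "low"
    idle_windows: list       # (length_ms, preemptible) per idle window
    base_threshold: float    # basic resource occupancy threshold, 0..1


def total_idle_ms(state):
    """Total idle time, screened by the preemptible label of each window."""
    return sum(length for length, preemptible in state.idle_windows if preemptible)


def schedulable_value(task, state):
    """Time-resource matching item minus the resource occupancy penalty item."""
    if task.est_exec_ms <= 0 or not 0 < state.base_threshold <= 1:
        raise ValueError("execution time must be > 0 and threshold in (0, 1]")
    matching = total_idle_ms(state) / task.est_exec_ms
    over_limit = max(task.peak_occupancy - state.base_threshold, 0.0)
    normalized_over = over_limit / state.base_threshold
    return matching - PENALTY_BY_SEGMENT[state.segment] * normalized_over


def apply_exemptions(tasks, state):
    """Return the tasks that remain after the exemption rules of [0035]."""
    critical = state.segment in ("critical_compute", "comm_interaction")
    if state.terminal_type in HARD_REALTIME_TERMINALS and critical:
        return []                                  # whole cycle is exempt
    if state.priority in ("urgent", "high"):
        return [t for t in tasks if t.core]        # non-core tasks are exempt
    if state.priority == "medium" and state.segment == "yieldable_idle":
        # Only the full data detection item of a deep task is exempt.
        return [
            ProtectionTask(t.name, t.core, t.est_exec_ms, t.peak_occupancy,
                           [i for i in t.items if i != "full_data_detection"])
            for t in tasks
        ]
    # Low priority, and combinations the page does not list (assumption):
    # tasks run according to the original strategy.
    return list(tasks)


def plan(tasks, state, scheduling_threshold):
    """Map each surviving task to ('split' | 'keep', value) as in [0036]."""
    decisions = {}
    for task in apply_exemptions(tasks, state):
        value = schedulable_value(task, state)
        action = "split" if value < scheduling_threshold else "keep"
        decisions[task.name] = (action, round(value, 4))
    return decisions


# Constructed sample input.
TASKS = [
    ProtectionTask("protocol_check", True, 10.0, 0.60, ["rule_match"]),
    ProtectionTask("deep_audit", False, 20.0, 0.45, ["rule_match", "full_data_detection"]),
]
IDLE = [(4.0, True), (3.0, True), (5.0, False)]   # 7 ms usable, 5 ms not preemptible

if __name__ == "__main__":
    for segment in ("yieldable_idle", "critical_compute"):
        state = TerminalState("HMI", segment, "low", IDLE, 0.5)
        print(segment, plan(TASKS, state, scheduling_threshold=0.6))
```

The same task moves from "keep" to "split" when the segment changes from yieldable idle to critical computation, because only the penalty factor differs between the two evaluations.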
[0038] Specifically, the process of breaking down protection tasks into task units and assigning scheduling priorities is as follows: The protection scheduling dataset is received, which includes a task splitting scheme, a time slice allocation table, and personalized resource usage thresholds dynamically adjusted based on the current terminal load level and production task priority, on top of the basic resource usage thresholds. The protection tasks are then decomposed into independently executable task units with savable states at the atomic operation granularity. The atomic operation granularity is the smallest indivisible execution unit that can maintain a consistent state, such as a single system call, a fixed-length data processing step, or a single rule check. Each task unit is associated with an execution context snapshot. The execution context snapshot structure includes a program counter, register status, processed data offset and timestamp, task status, and resource usage counter. Idle time windows are registered as dynamic time slice resource pools. Task units are assigned a scheduling priority lower than that of the control task and are awakened for execution within the specified idle time slice according to the time slice allocation table. When the control task enters a critical computation segment, communication interaction segment, or a sudden priority production task occurs, the task unit immediately saves the current execution context snapshot and interrupts after detecting the start timestamp of the critical computation segment, and resumes execution from the breakpoint in the next idle time slice. During execution, the resource usage of each task unit is monitored in real time.
[0039] Two levels of suppression logic are set up: The first level is triggered when resource consumption exceeds 80% of the personalized resource consumption threshold, reducing the task priority and releasing non-critical caches; the second level is triggered when resource consumption exceeds the personalized resource consumption threshold, immediately freezing the current task and calling the elastic degradation routine to split the task into finer-grained subtasks or replace it with an equivalent algorithm with low resource consumption.
[0040] In this implementation plan, by refining the protection task into independently executable and state-preservable task units, and configuring an execution context snapshot structure for each task unit, the protection task is able to execute in segments within fragmented idle time slices, interrupt on demand, and resume from breakpoints, which significantly enhances the adaptability of the protection task to the industrial control cycle environment; thereby improving the flexibility, stability, and resource constraint adaptability of industrial terminal security protection execution.
[0041] Specifically, the process of adapting and evaluating the execution of each task unit and constructing a task performance dataset is as follows: The actual execution time of each task unit is recorded through real-time monitoring; the allocated time slice length is obtained through the time window allocated by the task scheduler; historical interruption counts are calculated through interrupt service routines; the total historical execution count is accumulated through task execution counts; and peak resource usage during execution is collected in real time through the resource monitoring interface. All of the above information is integrated to generate a task execution log. Based on the task execution log, a recursive sliding window algorithm is used to calculate the execution adaptation value of each task unit in real time: multiplying the execution adaptation value of the previous moment by the forgetting factor yields the initial term; dividing the actual execution time by the time slice length yields the time term; dividing the historical interruption count by the total historical execution count yields the interruption frequency term; multiplying the interruption frequency term by the interruption sensitivity coefficient yields the interruption penalty term; the indicator function is set to 1 if the peak resource usage exceeds the basic resource usage threshold and to 0 otherwise; multiplying the indicator function value by the over-threshold penalty coefficient yields the over-limit penalty term; subtracting the interruption penalty term and the over-limit penalty term from the time term, and multiplying the difference by 1 minus the forgetting factor, yields the deviation term; adding the initial term and the deviation term yields the execution adaptation value at the current moment. 
The time term reflects the degree of matching of the task unit to the allocated time window, guiding the refinement of the segmentation granularity to avoid encroaching on the control cycle; the interruption penalty term measures the frequency of preemption by controlled tasks, suppressing scheduling during interference-sensitive periods; the over-limit penalty term quantifies the resource competition risk, driving tasks to migrate to resource-rich periods; the forgetting factor and the recursive sliding window ensure the weighted fusion of historical and current characteristics, enabling the adaptation value to quickly respond to load fluctuations while maintaining decision stability. By quantifying in multiple dimensions, the tolerance of control tasks to idle resources and the interference risk of protection tasks can be unified into scheduling criteria, thereby eliminating timeout causes at the micro level and suppressing jitter accumulation at the macro level.
[0042] The specific formula for calculating the adaptation value is as follows: ; In the formula, This represents the execution adaptation value at the current moment, used to quantify the execution efficiency and stability of the task within the idle time slice; This represents the execution adaptation value from the previous moment, which serves as the basis for information recursion. The forgetting factor is obtained by performing a Bayesian optimization algorithm on the execution fit value. Its value range is (0,1), and it is used to control the rate of information decay. Indicates the actual execution time, used to measure the actual time consumed by the task; Indicates the length of the time slice, used as a benchmark for time utilization; This represents the interruption sensitivity coefficient. It is obtained by simulating the completion rate decay curve of various tasks under different interruption frequencies through offline stress testing, fitting the mapping relationship between interruption frequency and performance decline, and normalizing it. The value range is [0,1], which is used to adjust the penalty intensity of the number of interruptions on performance. This indicates the number of historical interruptions, used to reflect the stability of task execution; This represents the total number of executions in history, used as the denominator for the number of interrupts, to normalize the interrupt frequency; The threshold penalty coefficient is obtained by statistical analysis of the relationship between the decrease in task completion rate, control cycle jitter increment, and message timeout increment when the peak resource usage exceeds the basic resource usage threshold. The value range is [0,1], and it is used to apply additional penalties. This indicates an indicator function that takes the value 1 if the condition inside the parentheses is true, and 0 otherwise. 
This indicates the peak resource usage, used to determine if the limit has been exceeded. This represents the basic resource usage threshold, determined by conducting multiple rounds of stress tests under unprotected tasks and different protection intensities, and statistically analyzing the control cycle jitter rate, message timeout rate, and task success rate. It is a real number ranging from 0% to 100% and serves as a baseline for resource usage.
[0043] The system performs real-time comparisons between the execution adaptation value and the performance threshold range, which includes a lower threshold and an upper threshold. When the execution adaptation value is below the lower threshold, the task scheduler is triggered to perform finer-grained segmentation of the task unit, further decomposing it into smaller execution units at the atomic operation granularity. The task is then marked as a performance decay task, generating a performance decay alarm signal. When the execution adaptation value is above the upper threshold, an anomaly in resource contention is identified, triggering the system to roll back to the previous version of the protection rules or switch to a backup rule version. When the execution adaptation value is within the threshold range, the current splitting scheme and rule version are maintained, and the task is marked as a normal performance task. A task performance dataset containing adaptation values and adjustment records is constructed. The dataset includes task unit identifiers, historical sequences of adaptation values, number of splits, and rule version change records.
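The recursion of [0041] and the threshold reactions of [0043], replayed over a short execution log, as an added example that is not code from the patent. All coefficient values, the thresholds, the seed adaptation value and the rule version label are assumptions; the log entries are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class UnitRun:
    actual_ms: float     # actual execution time of this run
    slice_ms: float      # length of the allocated idle time slice
    interrupted: bool    # preempted by the control task during this run
    peak_usage: float    # peak resource usage during the run, 0..1


@dataclass
class Params:  # illustrative values inside the ranges the page states
    forgetting: float = 0.5             # forgetting factor, in (0, 1)
    interrupt_sensitivity: float = 0.5  # in [0, 1]
    over_penalty: float = 0.5           # over-threshold penalty coefficient, in [0, 1]
    base_threshold: float = 0.7         # basic resource usage threshold
    lower: float = 0.3                  # lower performance threshold
    upper: float = 0.9                  # upper performance threshold


@dataclass
class TaskUnitRecord:
    """One entry of the task performance dataset described in [0043]."""
    unit_id: str
    value: float                                     # seed adaptation value (assumed)
    history: list = field(default_factory=list)      # adaptation value sequence
    splits: int = 0                                  # finer-grained splits requested
    rule_changes: list = field(default_factory=list)
    interrupts: int = 0
    runs: int = 0


def update(rec, run, p):
    """One recursive step: initial term plus deviation term."""
    if run.slice_ms <= 0 or not 0 < p.forgetting < 1:
        raise ValueError("slice length must be > 0 and forgetting factor in (0, 1)")
    rec.runs += 1
    rec.interrupts += int(run.interrupted)
    initial_term = p.forgetting * rec.value
    time_term = run.actual_ms / run.slice_ms
    interrupt_penalty = p.interrupt_sensitivity * rec.interrupts / rec.runs
    indicator = 1 if run.peak_usage > p.base_threshold else 0
    over_limit_penalty = p.over_penalty * indicator
    deviation = (1 - p.forgetting) * (time_term - interrupt_penalty - over_limit_penalty)
    rec.value = initial_term + deviation
    rec.history.append(rec.value)
    return rec.value


def react(rec, p, rule_version):
    """Apply the three-way comparison against the performance threshold range."""
    if rec.value < p.lower:
        rec.splits += 1                      # request finer-grained segmentation
        return "performance_decay"
    if rec.value > p.upper:
        rec.rule_changes.append("rollback from " + rule_version)
        return "resource_contention"
    return "normal"


def replay(unit_id, runs, p, seed, rule_version="rules-v2"):
    """Feed an execution log through update() and react(); return record and labels."""
    rec = TaskUnitRecord(unit_id, seed)
    labels = []
    for run in runs:
        update(rec, run, p)
        labels.append(react(rec, p, rule_version))
    return rec, labels


# Constructed execution log: a clean run, then two preempted runs over the threshold.
RUNS = [
    UnitRun(8.0, 10.0, False, 0.5),
    UnitRun(6.0, 10.0, True, 0.8),
    UnitRun(5.0, 10.0, True, 0.9),
]

if __name__ == "__main__":
    record, labels = replay("unit-1", RUNS, Params(), seed=0.8)
    for value, label in zip(record.history, labels):
        print(f"{value:+.4f} {label}")
```

With a forgetting factor of 0.5 the value needs two degraded runs before it crosses the lower threshold, which is the smoothing effect the forgetting factor is meant to provide.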
[0044] As shown in Figure 3, the graph shows the changes in execution adaptation values for task units. The horizontal axis represents time, and the vertical axis represents the execution adaptation value. The blue line represents the trend of execution adaptation values at different times, the red dashed line represents the preset performance threshold, and the red cross indicates a task point identified as experiencing performance degradation. As can be seen from the graph, the execution adaptation value is generally at a high level in the initial stage of operation, indicating that the task units execute relatively stably within idle time slices, with good time slice matching and resource utilization. As the operation progresses, the execution adaptation value shows a downward fluctuating trend, and repeatedly falls below the performance threshold, indicating that the task is gradually affected by factors such as increased interruption frequency, increased time slice fragmentation, or increased fluctuations in resource usage during subsequent execution, leading to a decrease in task execution efficiency and stability. This graph can intuitively reflect the changes in the execution quality of protection tasks within different time periods, providing a basis for identifying periods of performance degradation, locating scheduling mismatch problems, and adjusting task splitting granularity, time slice allocation strategies, and resource constraint parameters.
[0045] This implementation scheme enables continuous perception of the collaborative status between protection and control tasks at a micro-timescale, enhancing the stability and continuity of scheduling decisions. It effectively improves the matching degree of protection tasks within idle time slices, reduces control cycle jitter and message timeout risks, and provides quantitative basis for task performance evaluation, rule self-optimization, and abnormal period location.
[0046] Specifically, the process of extracting and constructing feedback analysis data to assess the deviation between the current protection and the actual operating state is as follows: The fluctuation of the time deviation in each control cycle is statistically analyzed. The variance of the cycle time deviation is normalized by dividing it by the 95th percentile of the maximum permissible jitter variance to obtain the control cycle jitter rate. The sending time of each control message is recorded, and the proportion of messages exceeding the message timeout limit to the total number of messages is statistically analyzed to obtain the message timeout rate. The number of triggers where the CPU utilization, memory utilization, cache utilization, or bus bandwidth utilization exceeds the basic resource utilization threshold during the execution of the task unit is statistically analyzed, and the number of triggers is divided by the total number of execution cycles to obtain the resource over-threshold trigger frequency; count the number of performance degradation tasks, divide by the total number of task units to obtain the percentage of performance degradation tasks; summarize the execution results of each task unit belonging to the same original protection task, and count the proportion of completed task units to the total number of task units to obtain the protection completion rate; count the total time actually effectively occupied by task units in the allocated idle time slices, divide by the total duration of the allocated idle time slices to obtain the idle time slice utilization rate, which constitutes the feedback analysis data; aggregate data belonging to the same terminal type, the same protection task type, the same basic load level range, the same production task priority range, and the same control cycle characteristic range to generate a feedback analysis subset.
[0047] All the above indicators have been normalized, with values ranging from [0,1]. The jitter rate normalization benchmark is the maximum allowable jitter variance, the timeout rate normalization benchmark is the message timeout, and the resource over-threshold trigger frequency normalization benchmark is the maximum allowable trigger frequency. The percentage of performance degradation tasks, protection completion rate, and idle time slice utilization rate are already ratio values and do not require additional normalization.
[0048] Multiply the control cycle jitter rate by the jitter coefficient to obtain the jitter item; multiply the message timeout rate by the timeout coefficient to obtain the timeout item; add the resource over-threshold trigger frequency and the proportion of performance degradation tasks, and then multiply by the execution risk coefficient to obtain the execution risk item; add the jitter item, timeout item, and execution risk item together to obtain the rule mismatch amount; multiply the protection completion rate by the completion rate support coefficient to obtain the completion rate support item; multiply the idle time slice utilization rate by the time slice coefficient to obtain the time slice support item; add the completion rate support item, time slice support item, and bias item together to obtain the rule support amount; divide the rule mismatch amount by the rule support amount to obtain the rule correction strength value; when the rule support amount is lower than the support threshold, it is judged as high correction strength; assess the degree of deviation between the current protection and the actual operating state.
[0049] The specific formula for calculating the rule correction strength value is as follows: ; In the formula, This represents the rule correction strength value, used to quantify the degree of deviation between the current protection strategy, resource constraint parameters, and time slice scheduling rules and the actual operating state of the industrial terminal; The jitter coefficient is obtained by statistical analysis of the correlation between the control cycle jitter rate and the instability event of the control task. The value range is [0,1], and it is used to adjust the contribution of the control cycle jitter rate to the rule correction intensity value. The timeout coefficient is obtained by statistical analysis of the correspondence between message timeout rate and communication real-time anomaly events. The value range is [0,1], and it is used to adjust the contribution of message timeout rate to the rule correction strength value. The execution risk coefficient is obtained by statistical analysis of the coupling relationship between the frequency of resource over-threshold triggering and the proportion of performance decay tasks, combined with the offline replay verification results and a normalized joint calibration method. The value range is [0,1], which is used to adjust the contribution of the frequency of resource over-threshold triggering and the proportion of performance decay tasks to the rule correction intensity value. The completion rate support coefficient is obtained through statistical analysis of the correspondence between the protection completion rate and the stability of the protection strategy. Its value range is [0,1], and it is used to adjust the support effect of the protection completion rate on the rule correction strength value. The time slice coefficient is obtained by statistical analysis of the relationship between idle time slice utilization and the sufficiency of scheduling resource utilization. 
Its value range is [0,1], and it is used to adjust the supporting role of idle time slice utilization on the rule correction strength value. This represents the control cycle jitter rate, used to reflect the temporal stability of the control task execution. This indicates the message timeout rate, which reflects the degree of impairment to real-time performance during communication interactions. This indicates the frequency of resource over-threshold triggering, reflecting how frequently resource consumption exceeds the personalized resource consumption threshold during task execution; This indicates the percentage of tasks with reduced performance, reflecting the proportion of tasks whose performance adaptation value is lower than the performance threshold. This indicates the protection completion rate, used to reflect the overall completion status of the current protection tasks; This indicates the utilization rate of idle time slices, reflecting the actual degree of utilization of allocated time slices; The bias term is obtained through statistical analysis of the minimum effective range of the rule support quantity. The range of values is a constant greater than 0, which is used to avoid the denominator being zero and to suppress the abnormal amplification of the rule correction strength value when the rule support quantity is too small.
[0050] Table 1, showing the endpoint protection performance evaluation data, is used to assess the operational status, protection performance, and rule correction strength of different endpoint types under various protection tasks.
[0051] Table 1. Terminal Protection Effectiveness Evaluation Data Table

| Terminal type | Protection task type | Message timeout rate | Resource threshold trigger frequency | Performance degradation task proportion | Protection completion rate | Rule correction strength |
|---|---|---|---|---|---|---|
| heavy | basic vulnerability scanning | 0.14 | 0.17 | 0.22 | 0.88 | 0.71 |
| heavy | network traffic analysis | 0.23 | 0.05 | 0.19 | 0.94 | 0.43 |
| light | malware detection | 0.18 | 0.22 | 0.21 | 0.64 | 1.18 |
| light | system update | 0.10 | 0.13 | 0.30 | 0.97 | 0.86 |
| medium | security configuration check | 0.24 | 0.03 | 0.16 | 0.60 | 1.08 |
| medium | deep security audit | 0.21 | 0.10 | 0.18 | 0.70 | 1.02 |
[0052] As shown in Figure 4, the graph shows the dynamic changes in rule correction intensity values. The horizontal axis represents time, and the vertical axis represents the rule correction intensity value. The blue line represents the rule correction intensity value calculated at each time point, and the red dashed line represents the preset correction threshold. As can be seen from the graph, the rule correction intensity value exhibits significant fluctuations over different time periods. At some times, it exceeds the correction threshold, indicating a significant deviation between the current protection strategy, resource constraint parameters, or time-slice scheduling rules and the actual operating state of the industrial terminal, requiring the triggering of the rule optimization process. When the rule correction intensity value is below the correction threshold, it indicates that the current rule system is well adapted to the terminal load state, control cycle characteristics, and protection task execution, and the existing parameter configuration can be maintained. This graph visually demonstrates the system's perception of rule mismatch during operation, providing a basis for determining when to initiate rule self-optimization, analyzing the frequency of strategy adjustments, and evaluating the effectiveness of the closed-loop self-optimization mechanism.
[0053] As shown in Figure 5, the graph shows the distribution of rule correction intensity values. The horizontal axis represents the rule correction intensity value, and the vertical axis represents the sample frequency within the corresponding value range. The red dashed line represents the preset correction threshold. As can be seen from the graph, the rule correction intensity values are generally distributed within a certain range, with most samples concentrated near or below the correction threshold. This indicates that the system maintains good policy adaptability for most runtime periods, and the rule optimization requirements are within a controllable range. However, some samples are still distributed to the right of the correction threshold, indicating that during certain periods, due to control cycle jitter, message timeouts, resource over-threshold triggering, or increased performance degradation, the rule correction intensity value increases and exceeds the correction threshold, requiring adjustment of rule base parameters and optimization of scheduling strategies. This graph reflects the overall dispersion, central tendency, and frequency of exceeding the threshold of rule correction intensity values, providing a basis for verifying the rationality of the correction threshold setting and analyzing the long-term stability of the closed-loop self-optimization mechanism.
[0054] In this implementation plan, feedback analysis data that can simultaneously characterize control real-time performance, security protection effectiveness, resource constraint pressure, and task execution status is constructed. It enables an intuitive assessment of the deviation between the current protection strategy, resource constraint parameters, and time slice scheduling rules and the actual operating status of the industrial terminal, allowing the system to promptly identify strategy mismatch risks, determine rule optimization needs, and locate the main factors affecting collaborative efficiency.
[0055] Specifically, the process of outputting the self-learning result dataset is as follows: The rule correction intensity value is compared with the correction threshold in real time. When the rule correction intensity value is higher than the correction threshold, it indicates that the current protection strategy is not adequately adapted, triggering a rule optimization process. This process includes adjusting the penalty factor and interruption sensitivity coefficient, switching to a candidate rule version, or generating a new rule version based on the current state. Within M consecutive control cycles, if the number of resource exceedances after optimization increases compared to the same length window before optimization, the optimization effect is deemed to have deteriorated, triggering a rollback mechanism to roll back to the previous stable rule version that meets the upper limits of jitter rate and timeout rate within the same window. The upper limits of jitter rate and timeout rate are dynamically determined based on the terminal type, basic load level, and production task priority. When the rule correction intensity value is not higher than the correction threshold, the current terminal type, basic load level, and corresponding rule version number are recorded, and the self-learning result dataset is output.
[0056] In this implementation plan, by comparing the rule correction intensity value with the correction threshold in real time, the system can promptly determine whether the existing protection strategy is inadequate based on the current operating status of the industrial terminal and the protection execution feedback results. When the rule mismatch increases, it automatically triggers parameter adjustment, rule switching, or new rule generation, which enhances the system's adaptive response capability to complex operating condition changes and fluctuations in protection requirements. It also ensures the pertinence, traceability, and security of the rule optimization process, and provides a stable data foundation and version management support for rule iteration, terminal differentiation adaptation, and closed-loop self-learning evolution.
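The feedback indicators of [0046], the rule correction strength of [0048] and the optimize and rollback decisions of [0055], as an added example that is not code from the patent. Every coefficient, both thresholds, the jitter variance limit and the sample records are constructed assumptions; clamping ratios to [0, 1] is also an assumption of this sketch.

```python
from dataclasses import dataclass
from statistics import pvariance


@dataclass
class Coefficients:  # illustrative values; the page gives only the ranges
    jitter: float = 0.8
    timeout: float = 0.7
    exec_risk: float = 0.5
    completion: float = 0.9
    time_slice: float = 0.6
    bias: float = 0.05      # constant > 0, keeps the denominator away from zero


def clamp01(x):
    return max(0.0, min(1.0, x))


def feedback_metrics(cycle_dev_ms, latencies_ms, timeout_ms, over_cycles,
                     total_cycles, units, used_ms, allocated_ms, jitter_var_limit):
    """Build the six indicators from raw records.

    units holds one (completed, decayed) pair of booleans per task unit;
    jitter_var_limit stands for the 95th percentile of the maximum
    permissible jitter variance.
    """
    return {
        "jitter": clamp01(pvariance(cycle_dev_ms) / jitter_var_limit),
        "timeout": sum(l > timeout_ms for l in latencies_ms) / len(latencies_ms),
        "over_freq": clamp01(over_cycles / total_cycles),
        "decay": sum(d for _, d in units) / len(units),
        "completion": sum(c for c, _ in units) / len(units),
        "slice_util": clamp01(used_ms / allocated_ms),
    }


def correction_strength(m, k):
    """Return (rule mismatch amount / rule support amount, rule support amount)."""
    mismatch = (k.jitter * m["jitter"] + k.timeout * m["timeout"]
                + k.exec_risk * (m["over_freq"] + m["decay"]))
    support = k.completion * m["completion"] + k.time_slice * m["slice_util"] + k.bias
    return mismatch / support, support


def decide(m, k, correction_threshold, support_threshold):
    """'optimize' triggers rule optimization; 'record' keeps the rule version."""
    strength, support = correction_strength(m, k)
    if support < support_threshold:          # judged as high correction strength
        return "optimize"
    return "optimize" if strength > correction_threshold else "record"


def should_roll_back(exceed_before, exceed_after):
    """Compare resource exceedance counts over two windows of M control cycles."""
    if len(exceed_before) != len(exceed_after):
        raise ValueError("windows must cover the same number of control cycles")
    return sum(exceed_after) > sum(exceed_before)


# Constructed sample records for one feedback analysis subset.
SAMPLE = feedback_metrics(
    cycle_dev_ms=[0.0, 0.2, -0.2, 0.4, -0.4],
    latencies_ms=[2, 3, 9, 4, 12, 3, 2, 5, 3, 4], timeout_ms=8,
    over_cycles=1, total_cycles=10,
    units=[(True, False)] * 7 + [(True, True), (False, True), (False, False)],
    used_ms=30.0, allocated_ms=50.0, jitter_var_limit=0.4,
)

if __name__ == "__main__":
    print(SAMPLE)
    print(correction_strength(SAMPLE, Coefficients()))
    print(decide(SAMPLE, Coefficients(), correction_threshold=0.5, support_threshold=0.3))
    print(should_roll_back([1, 0, 2], [2, 1, 1]))
```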
[0057] Specifically, the second aspect of this invention provides an industrial adaptive security protection system based on terminal load perception, which applies the industrial adaptive security protection method based on terminal load perception and comprises four modules. The load perception and time slice monitoring module collects CPU utilization, memory usage, and control task cycle parameters in real time through operating system performance counters and terminal agent interfaces; performs time axis alignment on the joint state data using cycle start time alignment and linear interpolation; removes abnormal data caused by transient disturbances using sliding window mean filtering or the 3σ criterion; and maps the indicators to the [0,1] interval using minimum-maximum normalization, thereby obtaining joint state data and performing time axis alignment, feature extraction, and amplitude normalization on it. The strategy decision and resource coordination module, based on the joint state data and on the combination of basic load level and production task priority, initially selects a list of protection tasks from the protection task library according to a hierarchical mapping criterion; it then assesses the time and resource requirements of the protection tasks, evaluates their schedulability, and outputs a protection scheduling dataset. The isolation protection execution module breaks down protection tasks into task units, assigns scheduling priorities, and performs adaptation evaluation on the execution of each task unit. It records actual execution time, allocated time slice length, historical interruption counts, and peak resource usage in real time, and uses a recursive sliding window algorithm to calculate execution adaptation values that include time, interruption, and over-limit penalty terms, constructing a task performance dataset.
The feedback optimization and rule self-learning module extracts control cycle jitter rate, packet timeout rate, resource over-threshold trigger frequency, performance decay task proportion, protection completion rate, and idle time slice utilization rate to construct feedback analysis data, and aggregates it by terminal type, load level, task priority, and other dimensions to generate analysis subsets. Finally, it assesses the deviation between the current protection and the actual operating status and outputs a self-learning result dataset.
[0058] In this implementation plan, the four functional modules (load perception and time slice monitoring, strategy decision-making and resource coordination, isolation and protection execution, and feedback optimization and rule self-learning) are systematically integrated to realize a complete industrial adaptive security protection chain, from joint state data acquisition through task schedulability assessment and task unit execution to closed-loop rule optimization.
[0059] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.
[0060] The preferred embodiments of the present invention disclosed above are merely illustrative of the invention. These preferred embodiments do not exhaustively describe all details, nor do they limit the invention to the specific implementations described. Clearly, many modifications and variations can be made based on the content of this specification. This specification selects and specifically describes these embodiments to better explain the principles and practical applications of the invention, thereby enabling those skilled in the art to better understand and utilize the invention. The invention is limited only by the claims and their full scope and equivalents.
Claims
1. A method for industrial adaptive security protection based on terminal load awareness, characterized in that it includes the following steps: S1, acquiring joint state data, and performing time axis alignment, feature extraction and amplitude normalization on the joint state data; S2, based on the joint state data, assessing the time and resource requirements of protection tasks, evaluating the schedulability of the protection tasks, and outputting a protection scheduling dataset; S3, breaking down the protection task into task units, assigning scheduling priorities, performing adaptation evaluation on the execution of each task unit, and building a task performance dataset; S4, extracting and constructing feedback analysis data, assessing the degree of deviation between the current protection and the actual operating status, and outputting the self-learning result dataset.
2. The industrial adaptive security protection method based on terminal load awareness according to claim 1, characterized in that: The specific process of acquiring joint state data and performing time axis alignment, feature extraction, and amplitude normalization on the joint state data is as follows: CPU utilization, memory usage, network bandwidth utilization, disk utilization, task queue length, and production task priority are collected in real time during industrial terminal operation; the control task cycle duration, cycle start time, end time, critical calculation segments, communication interaction segments, and available idle segments within a single cycle are monitored; and joint state data is acquired, including basic load level, production task priority label, idle time window list, and number of idle time slices. Based on control cycle synchronization, time axis alignment and feature extraction are performed on the joint state data. Each control cycle is divided into three time intervals: critical calculation segment, communication interaction segment, and concedable idle segment. Each concedable idle segment constitutes an idle time window, which is further divided into time slices. Each time slice is labeled with a time location tag, a duration tag, and a preemptibility level tag. The preemptibility level tag is mapped based on the interval type to which the time slice belongs and the current production task priority. Anomalies caused by transient disturbances are filtered out using an outlier removal method. A terminal-type-based adaptive adjustment strategy for acquisition frequency is implemented, which reduces the acquisition frequency of PLC hard real-time terminals and DCS hard real-time terminals during priority task execution to reduce the interference of acquisition behavior on control tasks. The joint state data is then normalized in amplitude.
3. The industrial adaptive security protection method based on terminal load awareness according to claim 1, characterized in that: The specific process for assessing the time and resource requirements of the protection task based on joint state data is as follows: Based on the joint state data, the initial list of protection tasks is determined according to the basic load level and production task priority, in accordance with the hierarchical mapping criteria; the time and resources of the initial protection tasks are evaluated: the total estimated execution time of the initial protection tasks is calculated using a task complexity model, and the total available idle time in the next N periods is estimated through time series analysis using the number of idle time slices and the list of idle time windows. The terminal type is obtained from the terminal configuration information. Based on the corresponding hierarchical mapping criteria, the basic resource usage threshold is obtained. Resource usage data of the protection task on the target terminal is collected, and the statistical peak value is used as the estimated resource usage rate.
4. The industrial adaptive security protection method based on terminal load awareness according to claim 3, characterized in that: The specific process for assessing the schedulability of protection tasks is as follows: Divide the total idle time (filtered from the idle time window list and preemptible level labels) by the total estimated execution time to obtain the time resource matching item; subtract the basic resource occupancy threshold from the resource occupancy rate and compare it with zero to obtain the larger value, which is the resource occupancy over-limit; then divide the resource occupancy over-limit by the basic resource occupancy threshold to obtain the normalized resource over-limit item; multiply the normalized resource over-limit item by the penalty factor dynamically associated with the current control cycle segment type to obtain the resource occupancy penalty item; subtract the resource occupancy penalty item from the time resource matching item to obtain the protection schedulable value.
5. The industrial adaptive security protection method based on terminal load awareness according to claim 1, characterized in that: The specific process of outputting the protection scheduling dataset is as follows: The protection schedulable value is compared with the scheduling threshold in real time and, combined with the protection exemption rules, the protection task is dynamically adjusted: when the protection schedulable value is lower than the scheduling threshold, the protection task is split into task units and allocated to the periodic idle time slices for serial execution in an interruptible and recoverable manner. When the protection schedulable value is not lower than the scheduling threshold, the original protection task is maintained, available resources are dynamically calculated according to the terminal type, task slices and allocation time windows are generated, and the protection scheduling dataset is output.
6. The industrial adaptive security protection method based on terminal load awareness according to claim 1, characterized in that: The specific process of breaking down the protection task into task units and assigning scheduling priorities is as follows: The system receives a protection scheduling dataset, which includes a task splitting scheme, a time slice allocation table, and personalized resource occupancy thresholds. Protection tasks are decomposed into independently executable, state-preservable task units at the atomic operation granularity. Each task unit is associated with an execution context snapshot structure. Idle time windows are registered as dynamic time slice resource pools. Task units are assigned a scheduling priority lower than that of control tasks and are awakened for execution within a specified idle time slice according to the time slice allocation table. When a control task enters a critical computation segment or communication interaction segment, or a sudden priority production task occurs, the task unit immediately saves its current execution context snapshot and interrupts execution upon detecting the start timestamp of the critical computation segment, resuming execution from the breakpoint in the next idle time slice. During execution, the resource usage of each task unit is monitored in real time.
7. The industrial adaptive security protection method based on terminal load awareness according to claim 3, characterized in that: The specific process of adapting and evaluating the execution of each task unit and constructing a task performance dataset is as follows: The actual execution time of each task unit is recorded by real-time monitoring, the time window allocated by the task scheduler is recorded to obtain the allocated time slice length, the number of historical interruptions is counted by interrupt service routines, the total number of historical executions is accumulated by task execution count, and the peak resource usage during the execution process is collected in real time through the resource monitoring interface. The above information is integrated to generate a task execution log. Based on the task execution log, the recursive sliding window algorithm is used to calculate the execution adaptation value of each task unit in real time: the execution adaptation value of the previous moment is multiplied by the forgetting factor to obtain the initial term; divide the actual execution time by the time slice length to obtain the time term; divide the number of historical interruptions by the total number of historical executions to obtain the interruption frequency term; multiply the interruption frequency term by the interruption sensitivity coefficient to obtain the interruption penalty term; determine whether the peak resource usage exceeds the basic resource usage threshold, if it does, set the indicator function to 1, otherwise set it to 0; multiply the value of the indicator function by the over-threshold penalty coefficient to obtain the over-limit penalty term; subtract the interruption penalty term and the over-limit penalty term from the time term, multiply the difference by 1 minus the forgetting factor to obtain the deviation term; add the initial term and the deviation term to obtain the execution adaptation value at the current moment.
The system performs real-time comparisons between the execution adaptation value and the performance threshold range, which includes a lower threshold and an upper threshold. When the execution adaptation value is below the lower threshold, the task scheduler is triggered to perform finer-grained segmentation of the task unit and marks the task as a performance decay task, generating a performance decay alarm signal. When the execution adaptation value is above the upper threshold, an anomaly in resource contention is determined, triggering the system to roll back to the previous version of the protection rules or switch to a backup rule version. When the execution adaptation value is within the threshold range, the current splitting scheme and rule version are maintained, and the task is marked as a normal performance task, constructing a task performance dataset containing the adaptation value and adjustment records.
8. The industrial adaptive security protection method based on terminal load awareness according to claim 3, characterized in that: The specific process of extracting and constructing feedback analysis data to assess the deviation between the current protection and the actual operating status is as follows: The fluctuation of time deviation in each control cycle is statistically analyzed, and the variance of the cycle time deviation is normalized to obtain the control cycle jitter rate. The sending time of each control message is recorded, and the proportion of messages exceeding the message time limit to the total number of messages is calculated to obtain the message timeout rate. The number of triggers where the CPU utilization, memory utilization, cache utilization, or bus bandwidth utilization exceeds the basic resource utilization threshold during the execution of the task unit is calculated, and the number of triggers is divided by the total number of execution cycles to obtain the resource over-threshold trigger frequency. The number of performance degradation tasks is calculated and divided by the total number of task units to obtain the performance degradation task ratio. The execution results of each task unit belonging to the same original protection task are summarized, and the proportion of completed task units to the total number of task units is calculated to obtain the protection completion rate. The total amount of time actually effectively occupied by task units in the allocated idle time slices is calculated and divided by the total duration of the allocated idle time slices to obtain the idle time slice utilization rate, which constitutes the feedback analysis data. 
Multiply the control cycle jitter rate by the jitter coefficient to obtain the jitter term; multiply the message timeout rate by the timeout coefficient to obtain the timeout term; add the resource over-threshold trigger frequency and the proportion of performance degradation tasks, and then multiply by the execution risk coefficient to obtain the execution risk term; add the jitter term, timeout term, and execution risk term together to obtain the rule mismatch amount; multiply the protection completion rate by the completion rate support coefficient to obtain the completion rate support term; multiply the idle time slice utilization rate by the time slice coefficient to obtain the time slice support term. The rule support quantity is obtained by adding the completion rate support term, the time slice support term, and the bias term; the rule correction intensity value is obtained by dividing the rule mismatch amount by the rule support quantity; when the rule support quantity is lower than the support threshold, it is judged as high correction intensity; the degree of deviation between the current protection and the actual operating state is evaluated.
9. The industrial adaptive security protection method based on terminal load awareness according to claim 1, characterized in that: The specific process for outputting the self-learning result dataset is as follows: The rule correction intensity value is compared with the correction threshold in real time. When the rule correction intensity value is higher than the correction threshold, it indicates that the current protection strategy is not adapted enough. Then the rule optimization process is triggered. Within M consecutive control cycles, when the number of resource exceedances after optimization increases compared with the same length window before optimization, it is determined that the optimization effect has deteriorated. The system rolls back to the previous stable rule version that meets the upper limit requirements of jitter rate and timeout rate within the same window. When the rule correction intensity value is not higher than the correction threshold, the current terminal type, basic load level and corresponding rule version number are recorded, and the self-learning result dataset is output.
10. An industrial adaptive security protection system based on terminal load perception, employing the industrial adaptive security protection method based on terminal load perception as described in any one of claims 1-9, characterized in that it includes: a load perception and time slice monitoring module, used to acquire joint state data and perform time axis alignment, feature extraction and amplitude normalization on the joint state data; a strategy decision-making and resource coordination module, used to assess the time and resource requirements of protection tasks based on the joint state data, evaluate the schedulability of the protection tasks, and output a protection scheduling dataset; an isolation and protection execution module, used to break down protection tasks into task units, assign scheduling priorities, perform adaptation evaluation on the execution of each task unit, and build a task performance dataset; and a feedback optimization and rule self-learning module, used to extract and construct feedback analysis data, assess the degree of deviation between the current protection and the actual operating status, and output the self-learning result dataset.
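The schedulability calculation of claim 4 and the split-or-keep decision of claim 5, written out as an added example that is not part of the patent text. The penalty factor values, the boolean reading of the preemptibility level tag, the first-fit serial allocation and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed values: the claims say only that the penalty factor depends on the
# current control cycle segment type.
PENALTY_FACTOR = {"critical": 4.0, "communication": 2.0, "idle": 0.5}


@dataclass
class Slice:
    duration_ms: float
    usable: bool  # assumed reading of the preemptibility level tag


def schedulable_value(slices, est_exec_ms, usage, base_threshold, segment):
    """Claim 4: time resource matching term minus resource occupancy penalty."""
    if est_exec_ms <= 0 or base_threshold <= 0:
        raise ValueError("execution estimate and threshold must be positive")
    idle_ms = sum(s.duration_ms for s in slices if s.usable)
    matching = idle_ms / est_exec_ms
    over_limit = max(usage - base_threshold, 0.0)
    penalty = (over_limit / base_threshold) * PENALTY_FACTOR[segment]
    return matching - penalty


def plan(slices, unit_costs_ms, usage, base_threshold, segment, sched_threshold):
    """Claim 5: keep the task whole, or split and fill idle slices serially."""
    value = schedulable_value(slices, sum(unit_costs_ms), usage,
                              base_threshold, segment)
    if value >= sched_threshold:
        return value, "keep_original", []
    usable = [(i, s.duration_ms) for i, s in enumerate(slices) if s.usable]
    table, pos = [], 0
    left = usable[0][1] if usable else 0.0
    for unit, cost in enumerate(unit_costs_ms):
        # Serial execution: never go back to an earlier slice.
        while pos < len(usable) and left < cost:
            pos += 1
            left = usable[pos][1] if pos < len(usable) else 0.0
        if pos == len(usable):
            table.append((unit, None))  # deferred to a later control cycle
        else:
            table.append((unit, usable[pos][0]))
            left -= cost
    return value, "split", table


# Constructed sample: one control cycle with two usable idle slices.
CYCLE = [Slice(4.0, True), Slice(5.0, False), Slice(3.0, True)]

if __name__ == "__main__":
    print(plan(CYCLE, [2.0, 2.0, 2.0, 3.0], 0.9, 0.5, "critical", 0.5))
    print(plan(CYCLE, [2.0, 2.0], 0.4, 0.5, "idle", 0.5))
```

A unit that fits no remaining slice is marked `None`, which models resumption in a later cycle rather than overrunning into a control segment.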
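The recursive execution adaptation value of claim 7 (also named in paragraph [0057]), replayed over a short task execution log, as an added example that is not part of the patent text. The forgetting factor, penalty coefficients, thresholds and log entries are constructed values, and the function names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class LogEntry:
    exec_ms: float      # actual execution time of the task unit
    slice_ms: float     # allocated time slice length
    interrupts: int     # historical interruption count
    executions: int     # total historical executions
    peak_usage: float   # peak resource usage during this run


def update(prev, e, base_threshold, forget, k_int, k_over):
    """One step of the recursion in claim 7."""
    if e.slice_ms <= 0:
        raise ValueError("allocated time slice length must be positive")
    time_term = e.exec_ms / e.slice_ms
    # A unit that has never run has no interruption history yet.
    freq = e.interrupts / e.executions if e.executions else 0.0
    interrupt_penalty = k_int * freq
    over_penalty = k_over * (1.0 if e.peak_usage > base_threshold else 0.0)
    deviation = (1.0 - forget) * (time_term - interrupt_penalty - over_penalty)
    return forget * prev + deviation


def classify(value, lower, upper):
    if value < lower:
        return "performance_decay"      # split finer, raise decay alarm
    if value > upper:
        return "resource_contention"    # roll back or switch rule version
    return "normal"


def replay(log, start, base_threshold, lower, upper,
           forget=0.5, k_int=0.5, k_over=0.25):
    value, out = start, []
    for e in log:
        value = update(value, e, base_threshold, forget, k_int, k_over)
        out.append((value, classify(value, lower, upper)))
    return out


# Constructed task execution log for one task unit.
LOG = [
    LogEntry(3.0, 4.0, 0, 1, 0.4),
    LogEntry(1.0, 4.0, 2, 2, 0.7),
    LogEntry(9.0, 4.0, 2, 4, 0.4),
]

if __name__ == "__main__":
    for value, label in replay(LOG, 0.5, 0.6, 0.3, 0.9):
        print(f"{value:.5f} {label}")
```

With a forgetting factor of 0.5 a single overrunning slice is enough to move the value across the upper threshold; a factor closer to 1 would smooth the same log and delay both alarms.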
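The rule correction intensity of claim 8 and the trigger and rollback checks of claim 9 (the comparison paragraph [0056] refers to), as an added example that is not part of the patent text. The coefficient values, thresholds, rule history and all names are assumptions; the history is taken to hold the versions that preceded the optimized one, oldest first.

```python
from dataclasses import dataclass

# Assumed coefficients; the claims name them but give no values.
COEF = {"jitter": 2.0, "timeout": 2.0, "risk": 1.0,
        "completion": 1.0, "slice": 0.5, "bias": 0.1}


@dataclass
class Feedback:
    jitter_rate: float
    timeout_rate: float
    over_threshold_freq: float
    decay_ratio: float
    completion_rate: float
    idle_slice_util: float


def correction_intensity(fb, support_threshold, c=COEF):
    """Claim 8: rule mismatch amount divided by rule support quantity."""
    mismatch = (c["jitter"] * fb.jitter_rate + c["timeout"] * fb.timeout_rate
                + c["risk"] * (fb.over_threshold_freq + fb.decay_ratio))
    support = (c["completion"] * fb.completion_rate
               + c["slice"] * fb.idle_slice_util + c["bias"])
    # Weak support is judged high intensity outright; this also keeps a
    # near-zero divisor from producing a misleading ratio.
    high = support < support_threshold
    value = mismatch / support if support > 0 else float("inf")
    return value, high


def needs_optimization(fb, correction_threshold, support_threshold):
    value, high = correction_intensity(fb, support_threshold)
    return high or value > correction_threshold


def rollback_target(exceed_before, exceed_after, versions, jitter_max, timeout_max):
    """Claim 9: compare equal-length windows of M control cycles."""
    if len(exceed_before) != len(exceed_after):
        raise ValueError("windows must cover the same number of cycles")
    if sum(exceed_after) <= sum(exceed_before):
        return None  # optimization did not deteriorate; keep the new rules
    for version, jitter, timeout in reversed(versions):
        if jitter <= jitter_max and timeout <= timeout_max:
            return version
    raise LookupError("no stable rule version meets the limits")


# Constructed rule history: (version, jitter rate, timeout rate) per window.
HISTORY = [("r1", 0.02, 0.01), ("r2", 0.03, 0.02), ("r3", 0.09, 0.02)]

if __name__ == "__main__":
    fb = Feedback(0.05, 0.03, 0.1, 0.1, 0.8, 0.6)
    print(correction_intensity(fb, 0.3), needs_optimization(fb, 0.25, 0.3))
    print(rollback_target([0, 1, 0], [1, 2, 1], HISTORY, 0.05, 0.05))
```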