IoT card abnormal scene real-time early warning and automatic disposal system and method

By combining the improved Isolation Forest algorithm with the periodic patterns of IoT card services, and dynamically optimizing the handling instructions, the problems of insufficient accuracy in IoT card anomaly identification and lack of flexibility in handling strategies are solved, achieving accurate identification and efficient handling.

CN122248031A · Pending · Publication Date: 2026-06-19 · 湖北思极科技有限公司

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: 湖北思极科技有限公司
Filing Date: 2026-05-09
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

In existing technologies, IoT card anomaly identification relies on conventional Isolation Forest algorithms, resulting in insufficient identification accuracy, serious false alarms and missed alarms, and a lack of flexibility in handling strategies, making it unable to adapt to anomaly scenarios of different severity and impact range.

Method used

Collect multi-dimensional behavioral data from IoT cards, perform deep anomaly identification by combining the improved Isolation Forest algorithm with the inherent periodic patterns of IoT card business behavior, generate anomaly event alarms, and dynamically optimize handling operation instructions based on confidence scores and impact range assessments.

Benefits of technology

It improves the accuracy of anomaly identification, reduces false alarms and missed alarms, and enables targeted and flexible anomaly handling, adapting to different types and levels of anomaly scenarios, thus enhancing the rationality and efficiency of anomaly handling.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention relates to the field of IoT card management technology, specifically to a real-time early warning and automated handling system and method for IoT card anomaly scenarios. The system includes: collecting a multi-dimensional behavioral data set during IoT card operation, such as communication traffic time-series data, network access behavior logs, tariff consumption rates, and terminal device status information; performing initial screening for anomalies to extract suspected abnormal behavior features; invoking an improved Isolation Forest algorithm that combines IoT card service periodicity patterns with optimized random segmentation strategies to conduct deep anomaly identification, generating alarms containing anomaly type labels, confidence scores, and impact range assessments; matching handling strategies and retrieving corresponding instruction sets; dynamically optimizing instruction parameters based on confidence scores and impact range assessments; and generating final execution control instructions. This invention can reduce false alarms and missed alarms in anomaly identification, adapt to various anomaly scenarios, and achieve accurate early warning and efficient handling of IoT card anomalies.

Description

Technical Field

[0001] This invention relates to the field of IoT card management technology, and in particular to a real-time early warning and automated handling system and method for abnormal IoT card scenarios.

Background Technology

[0002] IoT SIM cards are widely used in various IoT terminal devices, and their operational stability directly affects the overall operational efficiency of the IoT system. During operation, IoT SIM cards are prone to various problems such as communication anomalies and billing anomalies. Therefore, appropriate technologies are needed to achieve real-time early warning and automated handling of abnormal scenarios. In existing technologies, anomaly identification often relies on conventional Isolation Forest algorithms, which collect basic operational data from the IoT SIM card for identification. Anomaly handling employs a preset fixed strategy, directly executing fixed operation commands upon anomaly detection, thus completing the entire process of anomaly early warning and handling.

[0003] Conventional Isolation Forest algorithms employ a general random segmentation strategy, failing to consider the inherent periodic patterns of IoT SIM card business behavior. This leads to biases in the deep identification of suspected abnormal behavior characteristics, making it difficult to accurately distinguish between normal business fluctuations and abnormal behavior, resulting in false positives and false negatives. Furthermore, existing handling strategies lack flexibility, directly executing fixed command parameters after matching the anomaly type without tailoring adjustments based on the anomaly's confidence score and impact range. This fails to adapt to anomaly scenarios with varying severity and impact, leading to ineffective anomaly handling. Therefore, it is necessary to address the issues of insufficient identification accuracy and lack of flexibility in handling strategies in conventional algorithms to achieve accurate identification and efficient handling of IoT SIM card anomalies.

Summary of the Invention

[0004] The purpose of this invention is to address the shortcomings of existing technologies by proposing a real-time early warning and automated handling system and method for abnormal scenarios of Internet of Things cards.

[0005] To achieve the above objectives, the present invention adopts the following technical solution: a method for real-time early warning and automated handling of abnormal scenarios of Internet of Things (IoT) cards, comprising:

[0006] Collect a multi-dimensional behavioral data set generated by the IoT card during operation. The multi-dimensional behavioral data set includes communication traffic time-series data, network access behavior logs, tariff consumption rate and terminal device status information.

[0007] The multi-dimensional behavioral data set is subjected to anomaly feature screening to extract suspected abnormal behavioral features;

[0008] The improved Isolation Forest algorithm is invoked to perform deep anomaly identification on the suspected abnormal behavior features. The improved Isolation Forest algorithm optimizes the random segmentation strategy based on the inherent periodicity pattern of IoT card service behavior.

[0009] Based on the results of deep anomaly identification, an IoT card anomaly event alarm is generated. The anomaly event alarm includes an anomaly type label, an anomaly confidence score, and an impact range assessment.

[0010] The abnormal event alarm is matched with the handling strategy, and the handling operation instruction set corresponding to the abnormal type label is retrieved from the predefined automated handling strategy library;

[0011] Based on the anomaly confidence score and the impact range assessment, the instruction parameters in the disposal operation instruction set are dynamically optimized to generate the final execution control instructions.

[0012] As a further aspect of the present invention, the multi-dimensional behavioral data set is subjected to anomaly feature screening to extract suspected abnormal behavioral features, including:

[0013] The suspected abnormal behavior characteristics include traffic mutation patterns, unauthorized access attempts, abnormal resource consumption, and abnormal device status.

[0014] The communication traffic time series data is periodically decomposed to separate the traffic sequence of long-term trend component, periodic component and residual component;

[0015] Based on the periodic components, the inherent periodicity pattern of the IoT card service behavior is constructed, and the inherent periodicity pattern includes the traffic peak and valley time regularity and the baseline of traffic fluctuation amplitude.

[0016] The residual component of the current period is compared with the residual component of the same period in history. If the deviation exceeds a preset threshold, it is marked as the traffic mutation pattern.

[0017] The network access behavior logs are analyzed to identify combinations of abnormal access time, sudden changes in access geographical location, and frequent switching of access base stations. Behaviors that do not conform to the normal roaming or dwell patterns are marked as illegal access attempts.

[0018] The data consumption rate is calculated in real time and compared with the data consumption rate range predicted based on historical usage habits. Cases that continuously exceed the upper limit of the data consumption rate range are marked as abnormal resource consumption.

[0019] Monitor the status information of the terminal device and mark situations such as abnormal device restart, sudden high traffic after long-term offline, or frequent changes in the International Mobile Equipment Identity (IMEI) as abnormal device status.

[0020] As a further aspect of the present invention, the improved Isolation Forest algorithm optimizes the random segmentation strategy based on the inherent periodicity pattern of IoT card service behavior, and its working principle includes:

[0021] Construct an Isolation Forest model containing multiple isolation trees, each of which is built based on the suspected abnormal behavior features;

[0022] When constructing a single isolation tree, feature selection is guided by the inherent periodicity pattern. Specifically, from the suspected abnormal behavior features, features with high sensitivity to periodic changes in the inherent periodicity pattern are preferentially selected as the features to be segmented.

[0023] On the selected feature dimension to be segmented, the range of segmentation points is determined based on the statistical distribution pattern of historical normal behavior data on the feature dimension to be segmented. The range of segmentation points excludes the normal value interval within the periodic pattern.

[0024] Randomly select a value within the range of the specified split points as the split point for the current node;

[0025] Based on the split point, the sample data input to the current node is divided into two child nodes, and the feature selection and splitting process is recursively executed until the preset tree depth limit is reached or the number of samples in the node meets the preset condition, thus completing the construction of the isolation tree.

[0026] Traverse all isolation trees in the Isolation Forest model, calculate the path length of each suspected abnormal behavior feature in each isolation tree, calculate the corresponding anomaly score based on the average path length, and complete deep anomaly identification based on the anomaly score.

[0027] As a further aspect of the present invention, the abnormal event alarm is subjected to handling strategy matching, and the handling operation instruction set corresponding to the abnormality type label is retrieved from a predefined automated handling strategy library, including:

[0028] The abnormal event alarm is analyzed to identify the abnormal type label, which includes traffic theft, malicious registration, botnet control, and billing fraud.

[0029] Based on the anomaly type label, a multi-level index query is performed in the automated handling strategy library. First, the first-level strategy category is matched, and then the second-level strategy subclass is matched according to the anomaly confidence score.

[0030] From the matched strategy subclasses, extract the basic handling operation instruction set, which includes the instruction operation object, instruction triggering condition, and instruction execution action;

[0031] Based on the number of IoT cards, geographical distribution, and customer level involved in the impact scope assessment, the triggering conditions of the instructions in the basic handling operation instruction set are modified with range constraints.

[0032] Based on the current system load and the availability of processing resources, the execution priority of the instruction execution actions in the basic processing operation instruction set is sorted to form a preliminary processing operation instruction set.

[0033] As a further aspect of the present invention, a handling intensity adjustment coefficient positively correlated with the anomaly confidence score is set. This handling intensity adjustment coefficient is used to linearly scale the numerical parameters in the instructions that involve traffic rate limiting thresholds, connection frequency limits, or temporary shutdown durations, including:

[0034] Obtain the anomaly confidence score from the anomaly event alarm;

[0035] The anomaly confidence score is input into a preset linear mapping function, which defines the correspondence between the confidence score interval and the handling intensity adjustment coefficient interval.

[0036] The handling intensity adjustment coefficient corresponding to the current alarm is calculated using the linear mapping function.

[0037] Extract the numerical instruction parameters that need to be dynamically adjusted from the preliminary handling operation instruction set. The numerical instruction parameters include the traffic rate limit threshold, the connection frequency limit value, and the temporary shutdown duration.

[0038] Multiply the handling intensity adjustment coefficient by the original value of the corresponding numerical instruction parameter to obtain the dynamic parameter value scaled by the handling intensity adjustment coefficient.

[0039] Replace the original numerical instruction parameters in the preliminary handling operation instruction set with the dynamic parameter values.

[0040] As a further aspect of the present invention, based on the anomaly confidence score and the impact range assessment, the instruction parameters in the handling operation instruction set are dynamically optimized, including:

[0041] Set a handling intensity adjustment coefficient that is positively correlated with the anomaly confidence score. The handling intensity adjustment coefficient is used to linearly scale the numerical parameters in the instructions that involve traffic rate limiting thresholds, connection frequency limits, or temporary shutdown durations.

[0042] Based on the geographical distribution involved in the impact range assessment, the corresponding regional strategy template is called from the geofencing strategy library to limit the execution scope of the disposal action to the high-risk area identified by the geographical distribution.

[0043] Based on the anomaly confidence score, the execution mode of the handling action is dynamically selected. For high-confidence anomalies, the immediate execution mode is selected, and for medium- and low-confidence anomalies, the observation-after-execution or phased gray-scale execution mode is selected.

[0044] The aforementioned handling intensity adjustment coefficient, the regional strategy template, and the selected execution mode are applied to the preliminary handling operation instruction set. The numerical parameters, scope of action, and execution sequence of all instructions are uniformly adjusted to generate the final execution control instruction adapted to the current alarm.
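
The handling chain of [0027] to [0044], as an added Python example that is not the patent's own code: two-level strategy lookup, linear scaling of numeric parameters by the handling intensity adjustment coefficient, geofenced scope, and execution-mode selection. The strategy library, region names, confidence bands, and mapping intervals are constructed assumptions.

```python
import copy

# Constructed strategy library: anomaly type label -> confidence band -> base
# instruction set. Every name and number here is an assumption.
STRATEGY_LIBRARY = {
    "traffic theft": {
        "high": {"action": "temporary_shutdown", "suspend_minutes": 60},
        "low": {"action": "rate_limit", "rate_limit_kbps": 64,
                "max_connections_per_min": 30},
    },
    "botnet control": {
        "high": {"action": "temporary_shutdown", "suspend_minutes": 240},
        "low": {"action": "low_speed_list", "rate_limit_kbps": 16,
                "max_connections_per_min": 10},
    },
}
GEOFENCE_LIBRARY = {            # constructed regional strategy templates
    "region-a": {"region": "region-a", "gateway": "gw-a"},
    "region-b": {"region": "region-b", "gateway": "gw-b"},
}
SCALED_PARAMS = ("rate_limit_kbps", "max_connections_per_min", "suspend_minutes")
CONF_INTERVAL = (0.0, 1.0)      # assumed confidence score interval
COEFF_INTERVAL = (0.5, 1.5)     # assumed coefficient interval
HIGH_BAND, MEDIUM_BAND = 0.8, 0.5   # assumed confidence band edges


def intensity_coefficient(confidence):
    """Linear map from the confidence interval onto the coefficient interval."""
    c_lo, c_hi = CONF_INTERVAL
    k_lo, k_hi = COEFF_INTERVAL
    clamped = min(max(confidence, c_lo), c_hi)   # out-of-range scores are clamped
    return k_lo + (clamped - c_lo) / (c_hi - c_lo) * (k_hi - k_lo)


def execution_mode(confidence):
    """High confidence executes at once; the medium/low split is an assumption."""
    if confidence >= HIGH_BAND:
        return "immediate"
    if confidence >= MEDIUM_BAND:
        return "observation-after-execution"
    return "phased gray-scale"


def build_control_instruction(alarm):
    """Turn one alarm into a final execution control instruction."""
    category = STRATEGY_LIBRARY.get(alarm["type_label"])          # first level
    if category is None:
        raise KeyError("no strategy category for " + repr(alarm["type_label"]))
    band = "high" if alarm["confidence"] >= HIGH_BAND else "low"  # second level
    instruction = copy.deepcopy(category[band])   # never mutate the library
    k = intensity_coefficient(alarm["confidence"])
    # The page multiplies each listed parameter by the coefficient. That makes
    # a shutdown longer but a rate cap higher, so base values have to be
    # written with the multiplication in mind (assumption of this example).
    for name in SCALED_PARAMS:
        if name in instruction:
            instruction[name] = round(instruction[name] * k, 2)
    # Unknown regions are dropped rather than widening the scope.
    instruction["scope"] = [GEOFENCE_LIBRARY[r] for r in alarm["impact"]["regions"]
                            if r in GEOFENCE_LIBRARY]
    instruction["mode"] = execution_mode(alarm["confidence"])
    instruction["coefficient"] = round(k, 3)
    return instruction


SAMPLE_ALARM = {                # constructed alarm
    "type_label": "traffic theft",
    "confidence": 0.95,
    "impact": {"card_count": 1200, "regions": ["region-a"],
               "customer_level": "enterprise"},
}

if __name__ == "__main__":
    print(build_control_instruction(SAMPLE_ALARM))
```
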

[0045] As a further aspect of the present invention, the method further includes:

[0046] The execution control command is sent to the corresponding IoT card management gateway to trigger an automated handling action on the target IoT card and simultaneously initiate the handling effect tracking process;

[0047] The execution control command is sent to the corresponding IoT card management gateway to trigger automated processing actions on the target IoT card, including:

[0048] The final execution control instructions are encapsulated into standardized network management protocol instruction messages;

[0049] Based on the operator network and region to which the target IoT card belongs, the instruction message is routed to the corresponding IoT card management gateway;

[0050] The IoT card management gateway receives and parses the instruction message, and locates the specific target IoT card based on the instruction operation object identifier therein;

[0051] The IoT card management gateway executes actions according to instructions to exert control on the target IoT card. The control includes: adjusting the access point name configuration of the target IoT card, setting a temporary traffic limit, adding it to the low-speed access list, or initiating a temporary shutdown command.

[0052] After executing the control, the IoT card management gateway generates an instruction execution receipt, which includes the execution result status code, the effective time of the action, and a real-time status snapshot of the target card.

[0053] As a further aspect of the present invention, the synchronous initiation of the treatment effect tracking process includes:

[0054] After triggering the automated handling action, an enhanced monitoring task is started for the target IoT card. The enhanced monitoring task collects behavioral feedback data of the target IoT card at a higher frequency than regular monitoring.

[0055] The collected behavioral feedback data is analyzed to calculate the abnormal behavior fading index, which is used to quantify the overlap between the behavioral characteristics of the target IoT card and its historical normal behavior patterns.

[0056] The abnormal behavior fading index is compared with a preset successful handling threshold. If the abnormal behavior fading index continues to be better than the successful handling threshold within a preset tracking time window, the automated handling is determined to be successful.

[0057] If the abnormal behavior fading index does not reach the successful handling threshold by the end of the tracking time window, an alarm for poor handling effect is generated, and this alarm, together with the behavior feedback data, is used as feedback information.

[0058] As a further aspect of the present invention, before performing initial screening of abnormal features on the multi-dimensional behavioral data set, a data fusion and context enhancement step is also included:

[0059] Obtain the static attribute information of the IoT card from the IoT card management platform. The static attribute information includes the package type, the enterprise to which the card belongs, and the business scenario identifier.

[0060] Subscribe to the latest IoT security threat signature information from external threat intelligence sources;

[0061] The static attribute information is associated with the multi-dimensional behavioral data set to tag the behavioral data with business scenario labels;

[0062] The security threat feature information is matched in real time with the network access behavior log and the terminal device status information to identify behavioral fragments with known threat patterns;

[0063] Behavioral data with business scenario tags and identified behavioral fragments with known threat patterns are used together as context-enhanced data and input into the subsequent anomaly feature initial screening process.

[0064] As a further aspect of the present invention, the present invention also includes a real-time early warning and automated handling system for abnormal IoT card scenarios. The system includes a memory, a processor, and a computer program stored in the memory and running on the processor. When the processor executes the computer program, it implements the steps of the above-described real-time early warning and automated handling method for abnormal IoT card scenarios.

[0065] Compared with the prior art, the advantages and positive effects of the present invention are as follows:

[0066] By optimizing the random segmentation strategy of the Isolation Forest algorithm based on the inherent periodic patterns of IoT SIM card business behavior, the improved algorithm can fully adapt to the periodic changes in multi-dimensional behavioral data such as IoT SIM card communication traffic time-series data, network access behavior logs, tariff consumption rates, and terminal device status information. It avoids the anomaly identification bias caused by the conventional Isolation Forest algorithm, which uses a general random segmentation strategy and lacks business specificity. It can accurately capture abnormal behaviors that do not conform to the characteristics of the business cycle, reduce false alarms and missed alarms in the anomaly identification process, and make the deep anomaly identification process more in line with the actual IoT SIM card operation scenario. This improves the accuracy and reliability of anomaly identification and makes the anomaly identification results more in line with the actual needs of IoT SIM card business operation.

[0067] After matching the set of handling operation instructions corresponding to the anomaly type label, the instruction parameters are dynamically optimized based on the anomaly confidence score and impact range assessment. This breaks the limitation of fixed instruction parameters in conventional handling strategies. Differentiated execution control instructions can be generated according to the confidence level and impact range of the anomaly itself, avoiding the problem of normal communication interruption of IoT cards caused by over-handling, and also avoiding the problem of anomaly spread caused by under-handling. This makes the handling operation more targeted and flexible, and can adapt to different types and levels of IoT card anomaly scenarios. It makes the anomaly handling process more in line with the actual situation of the anomaly, improves the rationality and efficiency of anomaly handling, and achieves precise adaptation between anomaly handling and anomaly scenarios.

Attached Figure Description

[0068] Figure 1 is a flowchart of the IoT card abnormal scenario real-time early warning and automated handling method described in this invention;

[0069] Figure 2 is a flowchart of the working principle of the improved Isolation Forest algorithm;

[0070] Figure 3 is a flowchart for matching disposal strategies and retrieving disposal operation instruction sets.

Detailed Implementation

[0071] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention.

[0072] In the description of this invention, it should be understood that the terms "length," "width," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," and "outer," etc., indicating orientation or positional relationships, are based on the orientation or positional relationships shown in the accompanying drawings and are only for the convenience of describing the invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation, and therefore should not be construed as a limitation of the invention. Furthermore, in the description of this invention, "a plurality of" means two or more, unless otherwise explicitly specified.

[0073] Referring to Figure 1, this invention provides a method for real-time early warning and automated handling of abnormal scenarios of IoT cards, and its overall implementation scheme is as follows:

[0074] A multi-dimensional behavioral data set generated by the IoT SIM card during operation is collected. This set includes communication traffic time-series data, network access behavior logs, data consumption rates, and terminal device status information. An initial screening process is performed on this multi-dimensional behavioral data set to extract suspected abnormal behavioral features. An improved Isolation Forest algorithm is then applied to perform deep anomaly identification on these suspected abnormal behavioral features. This improved Isolation Forest algorithm optimizes the random segmentation strategy based on the inherent periodic patterns of IoT SIM card service behavior. Based on the results of the deep anomaly identification, IoT SIM card abnormal event alarms are generated. These alarms include anomaly type labels, anomaly confidence scores, and impact scope assessments. Handling strategies are matched to these alarms, retrieving the corresponding handling operation instruction sets from a predefined automated handling strategy library. Based on the anomaly confidence scores and impact scope assessments, the instruction parameters in the handling operation instruction sets are dynamically optimized to generate the final execution control instructions.

[0075] In one embodiment of the present invention, during implementation, static attribute information of the IoT card is obtained from the IoT card management platform. This static attribute information includes the package type, affiliated enterprise, and business scenario identifier. The latest IoT security threat characteristic information is subscribed from external threat intelligence sources. The static attribute information is correlated with a multi-dimensional behavioral data set to tag the behavioral data with business scenario labels. The security threat characteristic information is matched in real-time with network access behavior logs and terminal device status information to identify behavioral fragments with known threat patterns. The behavioral data tagged with business scenario labels and the identified behavioral fragments with known threat patterns are combined as context-enhanced data and input into the subsequent anomaly feature initial screening process.

[0076] In the initial screening of abnormal features, the extracted suspected abnormal behavior features include traffic mutation patterns, unauthorized access attempts, abnormal resource consumption, and abnormal device status. Communication traffic time-series data is periodically decomposed to separate long-term trend components, periodic components, and residual components. Based on the periodic components, an inherent periodic pattern of IoT card service behavior is constructed, including traffic peak-valley time regularity and a baseline for traffic fluctuation amplitude. The residual component of the current period is compared with the residual component of the same historical period; if the deviation exceeds a preset threshold, it is marked as a traffic mutation pattern. Network access behavior logs are analyzed to identify combinations of abnormal access time, sudden changes in access geographical location, and frequent switching of access base stations; behaviors that do not conform to normal roaming or dwell patterns are marked as unauthorized access attempts. Real-time calculation of tariff consumption rate is performed and compared with a tariff consumption rate range predicted based on historical usage habits; situations that consistently exceed the upper limit of the tariff consumption rate range are marked as abnormal resource consumption. Terminal device status information is monitored; abnormal device restarts, sudden high traffic after prolonged offline periods, or frequent changes in International Mobile Equipment Identity (IMEI) are marked as abnormal device status.

[0077] In practical implementation, an IoT card for a shared bicycle business scenario has static attribute information indicating "low-data package for shared devices" as its package type, "A Mobility Technology Co., Ltd." as the enterprise it belongs to, and "shared bicycle" as its business scenario identifier. A recent piece of threat signature information regarding "Scanning and attack characteristics of the Mirai variant botnet targeting IoT devices" is subscribed from an external threat intelligence source. This signature information describes a specific access port sequence and abnormal heartbeat packet payload. In the data fusion step, the static attribute information provided by the IoT card management platform is correlated with the real-time multi-dimensional behavioral data set of the IoT card, tagging the communication traffic time-series data, network access behavior logs, data consumption rates, and terminal device status information with the "shared bicycle" business scenario label. Simultaneously, each connection record in the network access behavior log and the process list in the terminal device status information are matched in real time against the security threat signature information provided by the external threat intelligence source. When a connection attempt initiated from this IoT card matches the port sequence pattern described in the threat signature information, that segment of the network access behavior log is identified as a behavioral fragment with a known threat pattern. Behavioral data tagged with the "shared bicycle" business scenario, together with identified behavioral fragments with known threat patterns, constitute context-enhanced data, which is then input into the anomaly feature initial screening process.

[0078] In some embodiments, anomaly screening is performed on the time-series communication traffic data in the context-enhanced data. Using hourly uplink traffic data from the past 30 days of an IoT card in a "shared bicycle" scenario as input, a seasonal decomposition method is used to decompose the traffic sequence into a long-term trend component, a periodic component with a 24-hour cycle, and a residual component. Based on the periodic component, the inherent periodic pattern of the card is constructed. The pattern shows the following peak and trough time regularity: traffic peaks occur daily from 7:00 to 9:00 and 17:00 to 19:00, and traffic troughs occur from 1:00 to 5:00 at night. The baseline of traffic fluctuation is that the average traffic during the peak period does not exceed 150 KB/hour. At 8:00 in the current cycle (e.g., today), the residual component value at that moment is calculated to be +120 KB, while the standard deviation of the residual component in the same historical period (8:00 on the same working day in the past four weeks) is 15 KB. It can be understood that by comparing the current residual component with the historical residual component, the deviation ratio ρ = (current residual - mean of historical residual) / standard deviation of historical residual is calculated. When the absolute value of ρ exceeds the preset threshold of 4, it is marked as a traffic mutation pattern. In this example, if the historical average residual is -5 KB, then ρ = (120 - (-5)) / 15 ≈ 8.33, which exceeds the threshold of 4. Therefore, the behavior at this moment is marked as a traffic mutation pattern.
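
The screening rule in [0078], as an added Python example that is not part of the patent text: a classical additive decomposition with a 24-hour period, followed by the deviation ratio ρ against the same hour on the same weekday in the previous four weeks. The traffic series, the choice of decomposition method, and the `MIN_STD` floor are assumptions made for the illustration.

```python
from statistics import mean, pstdev

PERIOD = 24        # hourly samples, 24-hour cycle as in the text
THRESHOLD = 4.0    # preset |rho| threshold from the text
MIN_STD = 5.0      # assumption: noise floor in KB, so a nearly flat four-point
                   # history cannot inflate rho or divide by zero


def decompose(series, period=PERIOD):
    """Additive decomposition: series = trend + periodic + residual.

    The trend is a centred 2 x period moving average, so the first and last
    period/2 samples have no trend (None) and therefore no residual.
    """
    n, half = len(series), period // 2
    trend = [None] * n
    for i in range(half, n - half):
        window = series[i - half:i + half + 1]
        trend[i] = (sum(window) - 0.5 * (window[0] + window[-1])) / period
    # Periodic component: mean detrended value per phase, centred on zero.
    buckets = [[] for _ in range(period)]
    for i, t in enumerate(trend):
        if t is not None:
            buckets[i % period].append(series[i] - t)
    raw = [mean(b) for b in buckets]
    offset = mean(raw)
    periodic = [raw[i % period] - offset for i in range(n)]
    residual = [None if t is None else series[i] - t - periodic[i]
                for i, t in enumerate(trend)]
    return trend, periodic, residual


def deviation_ratio(current, history):
    """rho = (current residual - mean of history) / std of history."""
    sigma = max(pstdev(history), MIN_STD)
    return (current - mean(history)) / sigma


def is_traffic_mutation(series, index, weeks_back=4):
    """Flag `index` when |rho| against the same hour on the same weekday in
    the previous `weeks_back` weeks exceeds THRESHOLD. Returns (flag, rho)."""
    _, _, residual = decompose(series)
    if residual[index] is None:
        raise ValueError("index too close to the series edge for a trend estimate")
    week = 7 * PERIOD
    history = [residual[index - week * k] for k in range(1, weeks_back + 1)
               if index - week * k >= 0 and residual[index - week * k] is not None]
    if len(history) < 2:
        raise ValueError("not enough comparable history")
    rho = deviation_ratio(residual[index], history)
    return abs(rho) > THRESHOLD, rho


def constructed_series(days=30, spike_at=None, spike_kb=120.0):
    """Constructed hourly uplink KB: peaks 07-09 and 17-19, trough 01-05."""
    series = []
    for i in range(days * PERIOD):
        hour = i % PERIOD
        if 7 <= hour < 9 or 17 <= hour < 19:
            base = 140.0
        elif 1 <= hour < 5:
            base = 5.0
        else:
            base = 40.0
        jitter = ((i * 37) % 11) - 5   # bounded deterministic noise in [-5, 5]
        series.append(base + jitter)
    if spike_at is not None:
        series[spike_at] += spike_kb
    return series


if __name__ == "__main__":
    today_8am = 29 * PERIOD + 8
    print(is_traffic_mutation(constructed_series(spike_at=today_8am), today_8am))
    print(is_traffic_mutation(constructed_series(), today_8am))
```

With only four comparison points the standard deviation estimate is unstable, which is why the example applies a floor before dividing.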

[0079] In practice, access time, geographical location, and access base station information are analyzed. An IoT card identified as a "smart water and electricity meter" typically reports data within its home city at a fixed time each day, using a relatively fixed access base station. However, analysis revealed that between 2:00 AM and 4:00 AM on a given day, the card's network access logs showed its geographical location crossed three non-adjacent provinces within a short period, and there were over 20 access base station switches. This combination of behavior does not conform to normal roaming or dwell patterns, and therefore it was flagged as an unauthorized access attempt. Optionally, the initial screening of data consumption rate is based on predictions of historical usage habits. An IoT card with a 10 MB monthly data plan has a historical data consumption rate range of 0.2 MB to 0.5 MB per day. Real-time calculation of its data consumption rate for the most recent hour is performed. If the rate consistently reaches 2 MB/hour and this high-rate state persists for more than two hours, this situation, continuously exceeding the upper limit of the historical data consumption rate range, is flagged as abnormal resource consumption.

[0080] Terminal device status information is monitored continuously. For an IoT SIM card used in an in-vehicle infotainment system, the terminal device status information typically reports a stable online duration. In practice, this terminal device status information was detected to have reported three abnormal restart events within a short period. Furthermore, within five minutes of the most recent abnormal restart, the communication traffic surged to fifty times the normal level. This combination of "abnormal device restart and sudden high traffic after a long period of offline operation" was flagged as an abnormal device status. Alternatively, another IoT SIM card's terminal device status information reported that its International Mobile Equipment Identity (IMEI) changed three times within a day. Frequent IMEI changes were also flagged as an abnormal device status. All these flagged traffic mutation modes, unauthorized access attempts, abnormal resource consumption, and abnormal device statuses collectively constitute the set of suspected abnormal behavior features extracted from the multi-dimensional behavioral data set.

[0081] In one embodiment of the present invention, see Figure 2. An isolated forest model is constructed, comprising multiple isolated trees, each built based on suspected anomalous behavior features. When constructing a single isolated tree, feature selection is guided by the inherent periodic pattern. Specifically, features with high sensitivity to periodic changes within the inherent periodic pattern are prioritized from the suspected anomalous behavior features as the segmentation features. For the selected segmentation feature dimension, the range of segmentation points is determined based on the statistical distribution of historical normal behavior data within that dimension, excluding normal value intervals within the periodic pattern. A value is randomly selected within this range as the segmentation point for the current node. Based on this segmentation point, the sample data input to the current node is divided into two child nodes. The feature selection and segmentation process is recursively executed until a preset tree depth limit is reached or the number of samples in a node meets a preset condition, completing the construction of the isolated tree. All isolated trees in the isolated forest model are traversed, and the path length of each suspected anomalous behavior feature in each isolated tree is calculated. An anomaly score is calculated based on the average path length, and deep anomaly identification is performed based on this score.

[0082] In practical implementation, the algorithm processes a set of suspected abnormal behavior features extracted from a multi-dimensional behavioral data set and initially screened. These features may include numerical representations of traffic mutation pattern markers, frequency of illegal access attempts, resource consumption rate ratios, and device status anomaly markers. An isolated forest model containing multiple isolated trees is constructed, each built based on the aforementioned set of suspected abnormal behavior features to identify samples that deviate significantly from historical normal behavior patterns. The improvement in constructing a single isolated tree lies in the optimization of feature selection and segmentation point determination. When constructing a single isolated tree, feature selection is guided by the inherent periodicity pattern of IoT card service behavior. This inherent periodicity pattern is pre-extracted from periodic components and includes knowledge of traffic peak-valley time regularity and traffic fluctuation baseline. From the set of suspected abnormal behavior features to be processed at the current node, the algorithm prioritizes features with high sensitivity to periodic changes within the inherent periodicity pattern as the features to be segmented. For example, in the context of shared bicycle IoT cards, the "hourly traffic residual" and "number of access requests during a specific time period" are features with high sensitivity due to their inherent periodic patterns. These features have a higher probability of being selected when constructing split nodes in an isolated tree. Regarding the selected feature dimension to be segmented, such as the "traffic residual at 8 AM," the algorithm determines the segmentation point range based on the statistical distribution of historical normal behavior data within this dimension. Historical normal behavior data refers to sample data marked as normal behavior over a long historical window. The statistical distribution shows that the values of historical normal behavior data in this dimension are concentrated in the interval [-3σ, +3σ], where σ is the standard deviation of the historical residual. This interval is considered to be within the normal value range of the periodic pattern. It can be understood that the improved random segmentation strategy sets the segmentation point range to exclude the aforementioned normal value range. Within the determined segmentation point range, the algorithm randomly selects a value as the segmentation point for the current node.

[0083] In some embodiments, based on the aforementioned split point, the sample data input to the current node is divided into two child nodes. The sample data with feature values less than the split point is assigned to the left child node, and those greater than or equal to the split point are assigned to the right child node. The feature selection and splitting process is executed recursively. For each newly generated child node, the steps of "selecting features to be split based on inherent periodic patterns," "determining the range of split points based on historical normal data statistical distribution," and "randomly selecting split points within the range" are repeated until a preset tree depth limit is reached or the number of samples in the node decreases to 1. At this point, the isolated tree construction is complete. All pre-built isolated trees in the entire isolated forest model are traversed. For each input suspected anomalous behavior feature sample, its path length in each isolated tree is calculated. The path length refers to the number of edges traversed from the root node to the isolated leaf node of the sample. Then, the corresponding anomaly score is calculated based on the average path length of the sample in all isolated trees. A higher anomaly score indicates a greater likelihood that the sample is an anomalous point. The calculation formula for the anomaly score used by the improved isolated forest algorithm is:

[0084]

[0085] in: This represents a sample vector of suspected abnormal behavior features to be evaluated. This indicates the number of isolated trees in an isolated forest. It is a sample Path length in a single isolated tree It is a sample The expected (i.e. average) value of the path length across all isolated trees. It is an isolated tree containing The average path length for each sample is used for standardization. Deep anomaly identification is performed based on the calculated anomaly score. When the anomaly score exceeds a preset threshold, the corresponding IoT card behavior is determined to be a deep anomaly. Optionally, the output of deep anomaly identification can be used to generate subsequent anomaly event alarms.
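The tree construction in [0081] to [0083], as an added Python example that is not part of the patent text: split features are drawn with a probability weighted by periodic sensitivity, and split points are drawn only outside the normal band. The score uses the standard isolation forest normalisation 2^(-E[h]/c(n)) as an assumption, because the formula at [0084] did not survive on this page; the feature names, sensitivity weights and all samples are constructed, with the 120KB residual and σ = 15KB taken from [0078].

```python
import math
import random

EULER_GAMMA = 0.5772156649

# "center" and "sigma" describe historical normal data for the feature;
# "sensitivity" is a constructed weight for how strongly it follows the period.
FEATURES = {
    "residual_kb_0800": {"center": 0.0, "sigma": 15.0, "sensitivity": 3.0},
    "access_requests_peak": {"center": 40.0, "sigma": 5.0, "sensitivity": 1.0},
}


def c(n):
    """Average path length of an unsuccessful search among n samples."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def split_ranges(lo, hi, spec):
    """Parts of [lo, hi] lying outside the normal band center +/- 3*sigma."""
    band_lo = spec["center"] - 3 * spec["sigma"]
    band_hi = spec["center"] + 3 * spec["sigma"]
    parts = []
    if lo < band_lo:
        parts.append((lo, min(hi, band_lo)))
    if hi > band_hi:
        parts.append((max(lo, band_hi), hi))
    return [(a, b) for a, b in parts if b > a]


def build_tree(rows, rng, depth=0, max_depth=8):
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    candidates = []
    for name, spec in FEATURES.items():
        values = [row[name] for row in rows]
        parts = split_ranges(min(values), max(values), spec)
        if parts:
            candidates.append((name, parts))
    if not candidates:  # every sample is inside the normal band: stop splitting
        return {"size": len(rows)}
    # Period-sensitive features are more likely to be chosen for the split.
    weights = [FEATURES[name]["sensitivity"] for name, _ in candidates]
    name, parts = rng.choices(candidates, weights=weights, k=1)[0]
    a, b = rng.choices(parts, weights=[hi - lo for lo, hi in parts], k=1)[0]
    point = rng.uniform(a, b)
    left = [row for row in rows if row[name] < point]
    right = [row for row in rows if row[name] >= point]
    if not left or not right:
        return {"size": len(rows)}
    return {"feature": name, "point": point,
            "left": build_tree(left, rng, depth + 1, max_depth),
            "right": build_tree(right, rng, depth + 1, max_depth)}


def path_length(tree, row, depth=0):
    """Edges from the root to the sample's leaf, plus c(size) for unsplit leaves."""
    if "feature" not in tree:
        return depth + c(tree["size"])
    side = "left" if row[tree["feature"]] < tree["point"] else "right"
    return path_length(tree[side], row, depth + 1)


def build_forest(rows, n_trees=100, seed=7):
    rng = random.Random(seed)
    return [build_tree(rows, rng) for _ in range(n_trees)]


def score_all(rows, forest):
    """Anomaly score per sample id; values near 1 are anomalous."""
    norm = c(len(rows))
    scores = {}
    for row in rows:
        mean_path = sum(path_length(t, row) for t in forest) / len(forest)
        scores[row["id"]] = 2 ** (-mean_path / norm)
    return scores


def constructed_samples():
    """64 in-band samples plus two constructed outliers (not real card data)."""
    rows = [{"id": f"normal-{i}",
             "residual_kb_0800": -40.0 + (i * 7) % 81,
             "access_requests_peak": 30.0 + (i * 3) % 21} for i in range(64)]
    rows.append({"id": "card-A", "residual_kb_0800": 120.0, "access_requests_peak": 40.0})
    rows.append({"id": "card-B", "residual_kb_0800": 10.0, "access_requests_peak": 95.0})
    return rows


if __name__ == "__main__":
    samples = constructed_samples()
    result = score_all(samples, build_forest(samples))
    for card in ("card-A", "card-B", "normal-0"):
        print(card, round(result[card], 3))
```

Because split points are only drawn outside the normal band, a node whose samples all lie inside the band is never split, so behaviour that stays within ±3σ on every feature receives the same low score as normal traffic. Card A, which deviates on the period-sensitive residual, is isolated earlier on average than card B and scores higher.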

[0086] In one embodiment of the present invention, see Figure 3. The system analyzes the anomaly type tags in abnormal event alarms, which include traffic theft, malicious registration, botnet control, and billing fraud. Based on these tags, a multi-level index query is performed in the automated handling strategy library to match the first-level strategy category, and then the second-level strategy subclass is matched based on the anomaly confidence score. From the matched strategy subclasses, a basic handling operation instruction set is extracted, which includes the instruction operation object, instruction triggering conditions, and instruction execution actions. Based on the number of IoT cards, geographical distribution, and customer level involved in the impact scope assessment, the instruction triggering conditions in the basic handling operation instruction set are subject to scope constraint correction. Combining the current system load and the availability of handling resources, the execution priority of the instruction execution actions in the basic handling operation instruction set is sorted to form a preliminary handling operation instruction set.

[0087] The initial handling operation command set is dynamically adjusted based on the anomaly confidence score. The anomaly confidence score from the anomaly event alarm is obtained and input into a preset linear mapping function. This linear mapping function defines the correspondence between the confidence score interval and the handling intensity adjustment coefficient interval. The handling intensity adjustment coefficient corresponding to the current alarm is calculated using the linear mapping function. Numerical command parameters that need dynamic adjustment are extracted from the initial handling operation command set. These numerical command parameters include traffic rate limiting thresholds, connection frequency limits, and temporary shutdown durations. The handling intensity adjustment coefficient is multiplied by the original value of the corresponding numerical command parameter to obtain the dynamic parameter value scaled by the handling intensity adjustment coefficient. The original numerical command parameters in the initial handling operation command set are replaced with the dynamic parameter values.

[0088] In practice, an IoT SIM card anomaly alarm is generated. This alarm includes the anomaly type tag "traffic theft," an anomaly confidence score of 85, and impact assessment information: "Number of IoT SIM cards involved: 1, Customer level: Gold." After parsing the anomaly type tag "traffic theft" in the alarm, a multi-level index query is performed in a predefined automated handling strategy library, which is a structured strategy knowledge base. Based on the anomaly type tag "traffic theft," the primary strategy category "traffic control" is matched. Under the primary strategy category "traffic control," based on the anomaly confidence score of 85 falling within the range of "80-100," the secondary strategy subcategory "strict rate limiting" is matched. From the matched "strict rate limiting" strategy subcategory, a basic handling operation instruction set is extracted. The basic handling operation instruction set is represented by structured data, including the instruction operation object "target IoT SIM card identifier," the instruction trigger condition "immediate," and the instruction execution actions "set temporary traffic limit to 10MB / hour" and "add target card to low-speed access list."

[0089] In practical implementation, the number of IoT cards, their geographical distribution, and their respective customer levels are used to adjust the triggering conditions of the basic handling operation instruction set. Since the impact assessment shows that only one IoT card is involved and the customer level is "Gold," the scope constraint adjustment changes the triggering condition from "immediately" to "execute immediately, but automatically lift the rate limit if traffic returns to normal within one hour." This adjustment provides a more lenient recovery strategy for Gold customers. Combining the current system load and the availability of handling resources, the execution priority of the instructions in the basic handling operation instruction set is ranked. Given the low current system load and sufficient handling resources, the instruction "set temporary traffic limit to 10MB / hour" is given high priority, and the instruction "add target card to low-speed access list" is given medium priority, forming the initial handling operation instruction set.

[0090] In some embodiments, the initial handling operation instruction set is dynamically adjusted based on the anomaly confidence score. The anomaly confidence score from the anomaly event alarm is obtained, with a value of 85. The anomaly confidence score is input into a preset linear mapping function, which defines the correspondence between the confidence score interval [0, 100] and the handling intensity adjustment coefficient interval [0.5, 2.0]. The handling intensity adjustment coefficient corresponding to the current alarm is calculated using the linear mapping function, the formula of which is:

[0091]

[0092] in: The representative factor is the adjustment coefficient for the intensity of the response. This represents the anomaly confidence score. The anomaly confidence score will be... Substituting into the formula, the treatment intensity adjustment coefficient is calculated. Table 1 shows the fragments and matching process of the automated handling strategy library.

[0093] Table 1: Matching Table of Disposal Strategies

[0094]

| Anomaly type label (primary category) | Anomaly confidence score interval | Second-level strategy subclass | Basic handling operation instruction set |
| --- | --- | --- | --- |
| Data theft | [0,60) | Observe and alert | Log entries and increase monitoring frequency |
| Data theft | [60,80) | General traffic restriction | Set the temporary bandwidth limit to 20MB / hour. |
| Data theft | [80,100] | Strict traffic control | Set a temporary bandwidth limit of 10MB / hour and add it to the low-speed access list. |

[0095] Referring to Table 1, the numerical command parameters requiring dynamic adjustment are extracted from the matched preliminary handling operation command set, including the flow rate limit threshold "10MB / hour". The handling intensity adjustment coefficient is multiplied by the original value of the corresponding numerical command parameter to obtain the dynamic parameter value scaled by the handling intensity adjustment coefficient. The original value of the flow rate limit threshold is 10MB / hour, and the handling intensity adjustment coefficient is 1.775, resulting in a calculated dynamic parameter value of 10 * 1.775 = 17.75MB / hour. The original numerical command parameter "10MB / hour" in the preliminary handling operation command set is replaced with the dynamic parameter value "17.75MB / hour". Optionally, if the initial handling operation instruction set includes a connection frequency limit of "60 times per minute" and a temporary shutdown duration of "30 minutes," these are also linearly scaled using the handling intensity adjustment coefficient. The connection frequency limit is dynamically adjusted to 60 * 1.775 = 106.5 times / minute, and the temporary shutdown duration is dynamically adjusted to 30 * 1.775 = 53.25 minutes. The dynamic parameter values after scaling by the handling intensity adjustment coefficient, together with the instruction triggering conditions after range constraint correction and the instruction execution actions after priority sorting, constitute the dynamically optimized handling operation instruction set.

[0096] In one embodiment of the present invention, the command parameters in the handling operation command set are dynamically optimized based on the anomaly confidence score and the impact range assessment. A handling intensity adjustment coefficient positively correlated with the anomaly confidence score is set. This coefficient is used to linearly scale numerical parameters in the commands involving traffic rate limiting thresholds, connection frequency limits, or temporary shutdown durations. Based on the geographical distribution involved in the impact range assessment, corresponding regionalized strategy templates are retrieved from the geofencing strategy library to limit the execution scope of the handling action to the high-risk areas identified by the geographical distribution. Based on the anomaly confidence score, the execution mode of the handling action is dynamically selected: for high-confidence anomalies, an immediate execution mode is selected; for medium-to-low-confidence anomalies, an observation-based execution or phased gray-scale execution mode is selected. The handling intensity adjustment coefficient, the regionalized strategy template, and the selected execution mode are applied to the initial handling operation command set, uniformly adjusting the numerical parameters, scope of action, and execution sequence of all commands to generate the final execution control command adapted to the current alarm.

[0097] The final execution control command is encapsulated into a standardized network management protocol command message. Based on the operator network and geographical location of the target IoT SIM card, the command message is routed to the corresponding IoT SIM card management gateway. The IoT SIM card management gateway receives and parses the command message, locating the specific target IoT SIM card based on the command operation object identifier. The IoT SIM card management gateway executes the actions according to the command, applying control to the target IoT SIM card. Control operations include adjusting the target IoT SIM card's access point name configuration, setting temporary traffic limits, adding it to a low-speed access list, or initiating a temporary shutdown command. After executing the control, the IoT SIM card management gateway generates a command execution receipt, which includes the execution result status code, the effective time of the action, and a real-time status snapshot of the target card.

[0098] In practice, an IoT SIM card anomaly alert includes the anomaly type label "malicious registration," an anomaly confidence score of 72, and impact range assessment information: "Geographical location distribution: Base station cluster in Area B, City A, East China; Number of IoT SIM cards involved: 15." Based on the anomaly confidence score of 72, a handling intensity adjustment coefficient positively correlated with the anomaly confidence score is set. This coefficient is used to linearly scale the numerical parameters in the instructions that relate to traffic rate limiting thresholds, connection frequency limits, or temporary shutdown durations. Based on the geographic location distribution "Base station cluster in Area B, City A, East China" in the impact range assessment, the corresponding regionalized policy template is retrieved from the geofence policy library. This template defines that the handling action only applies to base stations located within the specified geofence polygon coordinate range, thus limiting the execution scope of the handling action to the high-risk area identified by the geographic location distribution. Based on the anomaly confidence score, the execution mode of the handling action is dynamically selected. An anomaly confidence score of 72 falls within the medium confidence range. For anomalies with medium to low confidence, either observation followed by execution or phased gray-scale execution is selected. In this example, the phased gray-scale execution mode is selected.

[0099] In implementation, the handling intensity adjustment coefficient, regional strategy template, and selected execution mode are applied to the initial handling operation instruction set. The initial handling operation instruction set includes a list of instruction operation objects, an instruction trigger condition (triggering upon meeting geographical location conditions), and instruction execution actions (setting the connection frequency limit to 5 times per minute) and (pausing the new service registration function). The handling intensity adjustment coefficient is calculated using a linear mapping function, with the following formula:

[0100]

[0101] in: The coefficient representing the adjustment of the handling intensity in the current scenario. This represents the anomaly confidence score. The anomaly confidence score will be... Substituting into the formula, the treatment intensity adjustment coefficient is calculated. The handling intensity adjustment coefficient of 1.42 was multiplied by the numerical parameter "5 times per minute" in the initial handling operation instruction set to obtain the dynamic parameter value "7.1 times per minute". The regional strategy template was integrated, and the instruction triggering condition was specified from "triggering when the geographical location condition is met" to "triggering when the target IoT card accesses the B area base station group". A phased gray-scale execution mode was applied to adjust the execution sequence of the instruction execution actions, forming the steps of "the first phase executes 'set the connection frequency limit to 7.1 times per minute' on 5 cards, and if the abnormality continues after 24 hours, the second phase executes 'suspend the new service registration function' on the remaining 10 cards". See Table 2 for a comparison table before and after the dynamic optimization of the handling parameters.

[0102] Table 2: Parameter Optimization Table for Disposal Commands

[0103]

| Parameters | Original value of the initial handling operation instruction set | Optimization basis and calculation | Final execution control command parameter values |
| --- | --- | --- | --- |
| Connection frequency limit | 5 times / minute | The adjustment coefficient for the treatment intensity is α = 1.42, and 5 * 1.42 = 7.1. | 7.1 times / minute |
| Scope of execution | All 15 cards | Regionalization Strategy Template (B Area Base Station Cluster) | Cards accessed by the B area base station group |
| Execution mode | Execute immediately | Medium confidence level selection for phased gray-scale execution | It will be divided into two phases, with a 24-hour interval. |

[0104] In some embodiments, after generating the final execution control command adapted to the current alarm, the command issuance and execution process begins. The final execution control command is encapsulated into a standardized network management protocol command message, such as one in the LwM2M protocol format. The message includes a list of operation object identifiers, the optimized parameter value of 7.1 times / minute, the geofence information, the phased execution schedule, and the specific operation code. Based on the operator network and region to which the target IoT card belongs (China Mobile East China Region), the command message is routed to the corresponding China Mobile IoT card management gateway. The IoT card management gateway receives and parses the LwM2M command message, and locates the specific 15 target IoT cards based on the operation object identifier in the message. The IoT card management gateway executes the action according to the command, applying control to the target IoT cards. In the first phase, it applies the control of "setting the connection frequency limit to 7.1 times per minute" to the 5 target IoT cards that first access the B area base station; in the second phase after 24 hours, it applies the control of "suspending the new service registration function" to the remaining 10 target IoT cards that still exhibit abnormal access behavior. After executing each stage of control, the IoT card management gateway generates an instruction execution receipt. The receipt is returned as a structured message, which includes the execution result status code "200 - Success", the effective time of the disposal "2025-07-15 10:30:00", and the target card real-time status snapshot "Current connection frequency: 3 times / minute, service registration status: disabled".

[0105] Optionally, another example involves a high-confidence anomaly with an anomaly confidence score of 92. For high-confidence anomalies, the system selects the immediate execution mode, and the handling intensity adjustment coefficient α is calculated as 0.7 + 0.01 * 92 = 1.62. If the initial handling instruction is "temporary shutdown for 24 hours," the dynamic parameter value becomes 24 * 1.62 = 38.88 hours after coefficient scaling. After the final execution control instruction is encapsulated and issued, the IoT card management gateway immediately initiates a temporary shutdown instruction to the target card, with a shutdown duration of approximately 38.9 hours, and returns a receipt containing the specific shutdown deadline after execution.
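The strategy matching and parameter scaling of [0086] to [0105], as an added Python example that is not part of the patent text. The coefficient interval [0.5, 2.0] is the one stated in [0090]; the interval [0.7, 1.7] is derived from the expression 0.7 + 0.01 * score in [0105]; the function names, dictionary keys, card identifiers and the cut-off of 80 for "high confidence" are assumptions.

```python
# Table 1 fragment: (low, high, second-level subclass, numeric parameters).
# Labels follow the wording of [0088].
STRATEGY_LIBRARY = {
    "traffic theft": [
        (0, 60, "observe and alert", {}),
        (60, 80, "general traffic restriction", {"traffic_limit_mb_per_hour": 20.0}),
        (80, 100, "strict rate limiting", {"traffic_limit_mb_per_hour": 10.0}),
    ],
}


def match_strategy(label, score):
    """Second-level lookup by confidence score within the first-level category."""
    tiers = STRATEGY_LIBRARY[label]
    for i, (low, high, subclass, params) in enumerate(tiers):
        closed = i == len(tiers) - 1  # only the top interval includes its upper bound
        if low <= score < high or (closed and score == high):
            return subclass, dict(params)
    raise ValueError(f"confidence score {score} is outside [0, 100]")


def intensity_coefficient(score, coeff_range, score_range=(0.0, 100.0)):
    """Linear map from the confidence interval onto the coefficient interval."""
    s_lo, s_hi = score_range
    c_lo, c_hi = coeff_range
    if not s_lo <= score <= s_hi:
        raise ValueError(f"confidence score {score} is outside {score_range}")
    return c_lo + (score - s_lo) / (s_hi - s_lo) * (c_hi - c_lo)


def scale_parameters(params, alpha):
    """Multiply every numeric instruction parameter by alpha, as the page does."""
    return {name: round(value * alpha, 4) for name, value in params.items()}


def execution_mode(score, high_confidence=80):
    """Immediate for high confidence, phased gray-scale otherwise.
    The cut-off is an assumption: the page only calls 72 medium and 92 high."""
    return "immediate" if score >= high_confidence else "phased gray-scale"


def phased_plan(cards, first_batch, first_action, second_action, wait_hours=24):
    """Two-phase schedule from [0101]: act on a first batch, then on the rest."""
    return [
        {"phase": 1, "cards": cards[:first_batch], "action": first_action,
         "start_after_hours": 0},
        {"phase": 2, "cards": cards[first_batch:], "action": second_action,
         "start_after_hours": wait_hours, "condition": "anomaly still present"},
    ]


def optimise(label, score, coeff_range, extra_params=None):
    """Match the strategy, compute alpha and scale the numeric parameters."""
    subclass, params = match_strategy(label, score)
    params.update(extra_params or {})
    alpha = intensity_coefficient(score, coeff_range)
    return {"subclass": subclass, "alpha": round(alpha, 4),
            "mode": execution_mode(score),
            "params": scale_parameters(params, alpha)}


if __name__ == "__main__":
    # Alarm from [0088]: traffic theft, confidence 85.
    print(optimise("traffic theft", 85, (0.5, 2.0),
                   {"connection_limit_per_minute": 60, "shutdown_minutes": 30}))
    # Alarm from [0098]: malicious registration, confidence 72, 15 cards.
    alpha = intensity_coefficient(72, (0.7, 1.7))
    limit = scale_parameters({"connection_limit_per_minute": 5}, alpha)
    cards = [f"card-{i:02d}" for i in range(15)]  # constructed identifiers
    print(execution_mode(72), phased_plan(cards, 5, limit, "suspend new service registration"))
```

With α above 1, the scaled cap of 17.75MB / hour is looser than Table 1's 10MB / hour, while the same multiplication lengthens a shutdown. An implementation has to decide per parameter whether a stronger response means multiplying or dividing by α.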

[0106] In one embodiment of the present invention, during implementation, after triggering the automated handling action, an enhanced monitoring task for the target IoT card is initiated. This enhanced monitoring task collects behavioral feedback data from the target IoT card at a higher frequency than regular monitoring. The collected behavioral feedback data is analyzed to calculate an abnormal behavior fading index, which quantifies the overlap between the target IoT card's behavioral characteristics and historical normal behavior patterns. The abnormal behavior fading index is compared with a preset handling success threshold. If, within a preset tracking time window, the abnormal behavior fading index remains above the handling success threshold, the automated handling is deemed successful. If, at the end of the tracking time window, the abnormal behavior fading index has not reached the handling success threshold, a poor handling effect alarm is generated, and this alarm, along with the behavioral feedback data, is used as feedback information.

[0107] In the specific implementation, the handling effect tracking process is initiated synchronously as follows. After triggering the automated handling action on the target IoT card, the system immediately starts the enhanced monitoring task for the target IoT card. For example, the IoT card with the identifier ICCID_12345 was subject to handling control with a temporary traffic limit of 10MB / hour due to abnormal traffic theft, and the enhanced monitoring task for this target IoT card is then started. The enhanced monitoring task collects behavioral feedback data of the target IoT card at a higher frequency than the regular monitoring. The regular monitoring frequency is to collect communication traffic time-series data and network access behavior logs every 5 minutes, while the enhanced monitoring task increases the collection frequency to once per minute, continuously collecting uplink traffic, downlink traffic, and access request count behavioral feedback data of the target IoT card after the handling takes effect.

[0108] In practice, the collected behavioral feedback data is analyzed, and an abnormal behavior fading index is calculated. This index quantifies the overlap between the behavioral characteristics of the target IoT card and its historical normal behavior patterns. The historical normal behavior patterns are statistically derived from the behavioral data of the IoT card ICCID_12345 during the same time period in the 7 days prior to the effective date of the action. For example, its historical average uplink traffic from 9:00 AM to 10:00 AM on weekdays is 1.2 MB, with a standard deviation of 0.3 MB. The actual uplink traffic value η collected per minute is compared with the historical average μ and standard deviation σ to calculate the overlap component for each monitoring point. The formula for calculating the abnormal behavior fading index δ is:

[0109]

[0110] in: This represents the indicator of the decline of abnormal behavior within the current monitoring window. This represents the number of behavioral data sample points collected within the monitoring window. Representing the The actual observed values of each sample point Representatives and sample points Historical average of normal behavior over the same period This represents the corresponding historical standard deviation of normal behavior. This is a coefficient used to control the tolerance range. The fractional part of the formula calculates the degree of deviation of a single-point observation from the historical normal range. The function ensures that when the deviation exceeds 100%, it is calculated as 100%. The average deviation is obtained by summing and averaging. The abnormal behavior fading index δ, which characterizes the degree of overlap, is obtained by subtracting the average deviation from 1. The closer the value of δ is to 1, the higher the degree of overlap between the behavior and the historical normal pattern.

[0111] The abnormal behavior fading index is compared with a preset successful handling threshold. The preset tracking time window is 24 hours after the handling takes effect, and the preset successful handling threshold is 0.85. Within the 24-hour tracking time window, the system calculates the abnormal behavior fading index δ for minute-level data from the past hour every hour. If the calculated δ value is consistently greater than 0.85, the automated handling is considered successful. For example, during the first to the 24th hour of tracking, the hourly calculated δ value sequence is [0.70, 0.80, 0.88, 0.90, 0.92, 0.93, 0.91, 0.94, 0.95, 0.95, 0.96, 0.96, 0.95, 0.97, 0.96, 0.98, 0.97, 0.99, 0.99, 0.97, 0.98, 0.99, 0.99]. Starting from the 3rd hour, the δ value is consistently above the successful handling threshold of 0.85, and the system determines that the automated handling was successful at the end of the 24-hour window.

[0112] In some embodiments, if the abnormal behavior fading index does not reach the successful handling threshold at the end of the tracking time window, a poor handling effect alarm is generated. For example, the IoT card with the identifier ICCID_67890 was subject to connection frequency restrictions due to malicious registration anomalies. Within the 24-hour tracking time window, the calculated hourly abnormal behavior fading index δ value sequence is [0.60, 0.65, 0.72, 0.68, 0.70, 0.71, 0.69, 0.73, 0.70, 0.68, 0.65, 0.67, 0.66, 0.64, 0.60, 0.58, 0.55, 0.52, 0.50, 0.48, 0.45, 0.43, 0.40, 0.38], all of which are below the successful handling threshold of 0.85. At the end of the tracking time window, the system determines that the abnormal behavior fading index has not reached the successful handling threshold and generates a poor handling effect alarm. This poor handling effect alarm, along with the complete behavioral feedback data that triggered the alarm, is sent as feedback information to the handling strategy analysis module for potential analysis and handling strategy optimization. Optionally, the behavioral feedback data includes minute-level sequences of restricted connection frequencies, access failure log fragments, and intermediate results of corresponding abnormal behavior fading index calculations.

[0113] In practical implementation, the dimensions of behavioral feedback data collected by the enhanced monitoring task can be adjusted according to the anomaly type. For anomalies in tariff consumption, the enhanced monitoring task focuses on collecting minute-level tariff consumption rates and call logs of specific interfaces; for anomalies in device status, the enhanced monitoring task focuses on collecting terminal device status information such as device heartbeat intervals, signal strength sequences, and module temperatures. In some embodiments, the preset tracking time window and successful handling threshold can be differentiated based on anomaly type labels and customer levels. For high-risk anomalies such as "botnet control," the tracking time window may be shortened to 6 hours, and the successful handling threshold increased to 0.95; for high-value customers, the tracking time window may be extended to 48 hours, and the successful handling threshold slightly decreased to 0.80, to balance risk control and customer experience. Optionally, after determining that automated handling is successful, the enhanced monitoring task will automatically downgrade to a regular monitoring task, releasing system resources.
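The effect tracking of [0108] to [0113], as an added Python example that is not part of the patent text. The index follows the verbal description in [0110], δ = 1 - mean(min(1, |η - μ| / (k·σ))), which is an assumed reading because the formula at [0109] did not survive on this page; the symbol k, its default of 3, the function names and the minute-level samples are assumptions, while the two hourly δ sequences and the window and threshold values are the ones given on the page.

```python
# (window hours, success threshold) as stated in [0111] and [0113].
TRACKING_PROFILES = {
    "default": (24, 0.85),
    "botnet control": (6, 0.95),
    "high-value customer": (48, 0.80),
}

# Hourly delta sequences quoted in [0111] and [0112].
DELTA_ICCID_12345 = [0.70, 0.80, 0.88, 0.90, 0.92, 0.93, 0.91, 0.94, 0.95, 0.95,
                     0.96, 0.96, 0.95, 0.97, 0.96, 0.98, 0.97, 0.99, 0.99, 0.97,
                     0.98, 0.99, 0.99]
DELTA_ICCID_67890 = [0.60, 0.65, 0.72, 0.68, 0.70, 0.71, 0.69, 0.73, 0.70, 0.68,
                     0.65, 0.67, 0.66, 0.64, 0.60, 0.58, 0.55, 0.52, 0.50, 0.48,
                     0.45, 0.43, 0.40, 0.38]


def fading_index(samples, k=3.0):
    """samples: (observed, historical_mean, historical_sigma) per monitoring point.
    Each point's deviation is expressed as a share of k*sigma and capped at 100%."""
    samples = list(samples)
    if not samples:
        raise ValueError("no behavioral feedback samples in the monitoring window")
    total = 0.0
    for observed, mean, sigma in samples:
        if sigma <= 0:
            raise ValueError("historical sigma must be positive")
        total += min(1.0, abs(observed - mean) / (k * sigma))
    return 1.0 - total / len(samples)


def hourly_indices(minute_samples, k=3.0):
    """One delta per hour of minute-level data, as computed every hour in [0111]."""
    return [fading_index(minute_samples[i:i + 60], k)
            for i in range(0, len(minute_samples), 60)]


def evaluate_tracking(hourly_delta, profile="default"):
    """Verdict at the end of the tracking window.
    Assumed rule, consistent with both page examples: handling succeeded if delta
    is above the threshold at the end of the window; the hour from which it stayed
    above the threshold without interruption is reported as well."""
    window_hours, threshold = TRACKING_PROFILES[profile]
    window = list(hourly_delta)[:window_hours]
    if not window:
        raise ValueError("no hourly delta values to evaluate")
    sustained_from = None
    for hour in range(len(window), 0, -1):
        if window[hour - 1] > threshold:
            sustained_from = hour
        else:
            break
    success = sustained_from is not None
    return {"success": success,
            "sustained_from_hour": sustained_from,
            "final_delta": window[-1],
            "alarm": None if success else "poor handling effect"}


if __name__ == "__main__":
    # Constructed minute samples: one hour far from the 1.2 MB mean, one hour on it.
    minutes = [(3.0, 1.2, 0.3)] * 60 + [(1.2, 1.2, 0.3)] * 60
    print(hourly_indices(minutes))
    print(evaluate_tracking(DELTA_ICCID_12345))
    print(evaluate_tracking(DELTA_ICCID_67890))
```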

[0114] The above are merely preferred embodiments of the present invention and are not intended to limit the present invention in any other way. Any person skilled in the art may make changes or modifications to the above-disclosed technical content to create equivalent embodiments that can be applied to other fields. However, any simple modifications, equivalent changes, and modifications made to the above embodiments based on the technical essence of the present invention without departing from the scope of the present invention shall still fall within the protection scope of the present invention.

Claims

1. A method for real-time early warning and automated handling of abnormal scenarios of IoT cards, characterized in that it includes the following steps:
Collect a multi-dimensional behavioral data set generated by the IoT card during operation, the multi-dimensional behavioral data set including communication traffic time-series data, network access behavior logs, tariff consumption rate and terminal device status information;
The multi-dimensional behavioral data set is subjected to initial anomaly feature screening to extract suspected abnormal behavior features;
The improved Isolation Forest algorithm is invoked to perform deep anomaly identification on the suspected abnormal behavior features, wherein the improved Isolation Forest algorithm optimizes the random segmentation strategy based on the inherent periodicity pattern of IoT card service behavior;
Based on the results of deep anomaly identification, an IoT card anomaly event alarm is generated, the anomaly event alarm including an anomaly type label, an anomaly confidence score, and an impact range assessment;
The anomaly event alarm is matched with a handling strategy, and the handling operation instruction set corresponding to the anomaly type label is retrieved from the predefined automated handling strategy library;
Based on the anomaly confidence score and the impact range assessment, the instruction parameters in the handling operation instruction set are dynamically optimized to generate the final execution control instructions.

2. The method for real-time early warning and automated handling of abnormal scenarios of IoT cards according to claim 1, characterized in that subjecting the multi-dimensional behavioral data set to initial anomaly feature screening to extract suspected abnormal behavior features includes:
The suspected abnormal behavior features include traffic mutation patterns, unauthorized access attempts, abnormal resource consumption, and abnormal device status;
The communication traffic time-series data is periodically decomposed to separate the traffic sequence into a long-term trend component, a periodic component and a residual component;
Based on the periodic component, the inherent periodicity pattern of the IoT card service behavior is constructed, the inherent periodicity pattern including the regularity of traffic peak and valley times and the baseline of traffic fluctuation amplitude;
The residual component of the current period is compared with the residual component of the same period in history, and if the deviation exceeds a preset threshold, it is marked as a traffic mutation pattern;
The network access behavior logs are analyzed to identify combinations of abnormal access time, sudden changes in access geographical location, and frequent switching of access base stations, and behaviors that do not conform to normal roaming or dwell patterns are marked as unauthorized access attempts;
The data consumption rate is calculated in real time and compared with the data consumption rate range predicted based on historical usage habits, and cases that continuously exceed the upper limit of the data consumption rate range are marked as abnormal resource consumption;
The terminal device status information is monitored, and situations such as abnormal device restart, sudden high traffic after long-term offline, or frequent changes in the International Mobile Equipment Identity (IMEI) are marked as abnormal device status.

3. The method for real-time early warning and automated handling of abnormal scenarios of IoT cards according to claim 1, characterized in that the improved Isolation Forest algorithm optimizes the random segmentation strategy based on the inherent periodicity pattern of IoT card service behavior, and its working principle includes:
Construct an isolation forest model containing multiple isolation trees, each of which is built based on the suspected abnormal behavior features;
When constructing a single isolation tree, feature selection is guided by the inherent periodicity pattern; specifically, from the suspected abnormal behavior features, features with high sensitivity to periodic changes in the inherent periodicity pattern are preferentially selected as the features to be segmented;
On the selected feature dimension to be segmented, the range of segmentation points is determined based on the statistical distribution pattern of historical normal behavior data on that feature dimension, and the range of segmentation points excludes the normal value interval within the periodic pattern;
Randomly select a value within the determined range of segmentation points as the split point for the current node;
Based on the split point, the sample data input to the current node is divided into two child nodes, and the feature selection and splitting process is recursively executed until the preset tree depth limit is reached or the number of samples in the node meets the preset condition, thus completing the construction of the isolation tree;
Traverse all isolation trees in the isolation forest model, calculate the path length of each suspected abnormal behavior feature in each isolation tree, calculate the corresponding anomaly score based on the average path length, and complete deep anomaly identification based on the anomaly score.

4. The method for real-time early warning and automated handling of abnormal scenarios of IoT cards according to claim 1, characterized in that matching the anomaly event alarm with a handling strategy and retrieving the handling operation instruction set corresponding to the anomaly type label from the predefined automated handling strategy library includes:
The anomaly event alarm is analyzed to identify the anomaly type label, which includes traffic theft, malicious registration, botnet control, and billing fraud;
Based on the anomaly type label, a multi-level index query is performed in the automated handling strategy library: first, the first-level strategy category is matched, and then the second-level strategy subclass is matched according to the anomaly confidence score;
From the matched strategy subclass, extract the basic handling operation instruction set, which includes the instruction operation object, instruction triggering condition, and instruction execution action;
Based on the number of IoT cards, geographical distribution, and customer level involved in the impact range assessment, the instruction triggering conditions in the basic handling operation instruction set are modified with range constraints;
Based on the current system load and the availability of handling resources, the instruction execution actions in the basic handling operation instruction set are sorted by execution priority to form a preliminary handling operation instruction set.

5. The method for real-time early warning and automated handling of abnormal scenarios of IoT cards according to claim 4, characterized in that setting a handling intensity adjustment coefficient that is positively correlated with the anomaly confidence score, the handling intensity adjustment coefficient being used to linearly scale the numerical parameters in the instructions that involve traffic rate limiting thresholds, connection frequency limits, or temporary shutdown durations, includes:
Obtain the anomaly confidence score from the anomaly event alarm;
The anomaly confidence score is input into a preset linear mapping function, which defines the correspondence between the confidence score interval and the handling intensity adjustment coefficient interval;
The handling intensity adjustment coefficient corresponding to the current alarm is calculated using the linear mapping function;
Extract the numerical instruction parameters that need to be dynamically adjusted from the preliminary handling operation instruction set, the numerical instruction parameters including the traffic rate limiting threshold, the connection frequency limit value, and the temporary shutdown duration;
Multiply the handling intensity adjustment coefficient by the original value of the corresponding numerical instruction parameter to obtain the dynamic parameter value scaled by the handling intensity adjustment coefficient;
Replace the original numerical instruction parameters in the preliminary handling operation instruction set with the dynamic parameter values.

6. The method for real-time early warning and automated handling of abnormal scenarios of IoT cards according to claim 4, characterized in that dynamically optimizing the instruction parameters in the handling operation instruction set based on the anomaly confidence score and the impact range assessment includes:
Set a handling intensity adjustment coefficient that is positively correlated with the anomaly confidence score, the handling intensity adjustment coefficient being used to linearly scale the numerical parameters in the instructions that involve traffic rate limiting thresholds, connection frequency limits, or temporary shutdown durations;
Based on the geographical distribution involved in the impact range assessment, the corresponding regional strategy template is called from the geofencing strategy library to limit the execution scope of the handling action to the high-risk area identified by the geographical distribution;
Based on the anomaly confidence score, the execution mode of the handling action is dynamically selected: for high-confidence anomalies, the immediate execution mode is selected, and for medium- and low-confidence anomalies, the observation-after-execution or phased gray-scale execution mode is selected;
The aforementioned handling intensity adjustment coefficient, the regional strategy template, and the selected execution mode are applied to the preliminary handling operation instruction set, and the numerical parameters, scope of action, and execution sequence of all instructions are uniformly adjusted to generate the final execution control instruction adapted to the current alarm.

7. The method for real-time early warning and automated handling of abnormal scenarios of IoT cards according to claim 6, characterized in that the method further includes:
The execution control instruction is sent to the corresponding IoT card management gateway to trigger an automated handling action on the target IoT card and simultaneously initiate the handling effect tracking process;
Sending the execution control instruction to the corresponding IoT card management gateway to trigger the automated handling action on the target IoT card includes:
The final execution control instructions are encapsulated into standardized network management protocol instruction messages;
Based on the operator network and region to which the target IoT card belongs, the instruction message is routed to the corresponding IoT card management gateway;
The IoT card management gateway receives and parses the instruction message, and locates the specific target IoT card based on the instruction operation object identifier therein;
The IoT card management gateway exerts control on the target IoT card according to the instruction execution action, the control including: adjusting the access point name configuration of the target IoT card, setting a temporary traffic limit, adding it to the low-speed access list, or initiating a temporary shutdown command;
After executing the control, the IoT card management gateway generates an instruction execution receipt, which includes the execution result status code, the effective time of the action, and a real-time status snapshot of the target card.

8. The method for real-time early warning and automated handling of abnormal scenarios of IoT cards according to claim 7, characterized in that the simultaneous initiation of the handling effect tracking process includes:
After triggering the automated handling action, an enhanced monitoring task is started for the target IoT card, the enhanced monitoring task collecting behavioral feedback data of the target IoT card at a higher frequency than regular monitoring;
The collected behavioral feedback data is analyzed to calculate the abnormal behavior fading index, which is used to quantify the overlap between the behavioral characteristics of the target IoT card and its historical normal behavior patterns;
The abnormal behavior fading index is compared with a preset successful handling threshold, and if the abnormal behavior fading index continues to be better than the successful handling threshold within a preset tracking time window, the automated handling is determined to be successful;
If the abnormal behavior fading index does not reach the successful handling threshold by the end of the tracking time window, a poor handling effect alarm is generated, and this alarm, together with the behavioral feedback data, is used as feedback information.

9. The method for real-time early warning and automated handling of abnormal scenarios of IoT cards according to claim 1, characterized in that, before performing initial anomaly feature screening on the multi-dimensional behavioral data set, the process also includes data fusion and context enhancement steps:
Obtain the static attribute information of the IoT card from the IoT card management platform, the static attribute information including the package type, the enterprise to which the card belongs, and the business scenario identifier;
Subscribe to the latest IoT security threat signature information from external threat intelligence sources;
The static attribute information is associated with the multi-dimensional behavioral data set to tag the behavioral data with business scenario labels;
The security threat signature information is matched in real time with the network access behavior logs and the terminal device status information to identify behavioral fragments with known threat patterns;
Behavioral data with business scenario labels and identified behavioral fragments with known threat patterns are used together as context-enhanced data and input into the subsequent initial anomaly feature screening process.

10. A real-time early warning and automated handling system for abnormal IoT card scenarios, comprising a memory, a processor, and a computer program stored in the memory and running on the processor, characterized in that, when the processor executes the computer program, it implements the steps of the real-time early warning and automated handling method for abnormal scenarios of IoT cards as described in any one of claims 1 to 9.
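The tree construction recited in claim 3 can be sketched as below. This is an added example, not the applicant's implementation: the weighted random feature ordering, the use of the standard Isolation Forest score 2^(-E[h]/c(n)), and every name, sensitivity weight, normal interval and sample row are assumptions constructed for illustration.

```python
import math
import random

def c(n):
    """Expected path length of an unsuccessful BST search (standard iForest normaliser)."""
    if n <= 2:
        return float(max(n - 1, 0))
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def pick_split(values, normal, rng):
    """Random split point inside the node's value range, minus the normal interval."""
    vmin, vmax = min(values), max(values)
    lo, hi = normal
    segs = [(a, b) for a, b in ((vmin, min(vmax, lo)), (max(vmin, hi), vmax)) if b > a]
    if not segs:
        return None  # every value is periodic-normal: this feature cannot split the node
    a, b = rng.choices(segs, weights=[b - a for a, b in segs])[0]
    return rng.uniform(a, b)

def build(rows, depth, max_depth, sens, normals, rng):
    if depth >= max_depth or len(rows) <= 1:
        return ("leaf", len(rows))
    # Weighted random order: periodicity-sensitive features are tried first more often.
    order = sorted(sens, key=lambda f: rng.random() ** (1.0 / sens[f]), reverse=True)
    for f in order:
        p = pick_split([r[f] for r in rows], normals[f], rng)
        if p is not None:
            left = [r for r in rows if r[f] < p]
            right = [r for r in rows if r[f] >= p]
            return ("node", f, p, build(left, depth + 1, max_depth, sens, normals, rng),
                    build(right, depth + 1, max_depth, sens, normals, rng))
    return ("leaf", len(rows))  # only in-pattern rows remain; they are never separated

def path_length(tree, row):
    depth = 0
    while tree[0] == "node":
        _, f, p, left, right = tree
        tree, depth = (left if row[f] < p else right), depth + 1
    return depth + c(tree[1])

def anomaly_scores(rows, queries, sens, normals, n_trees=100, seed=7):
    rng = random.Random(seed)
    max_depth = math.ceil(math.log2(max(len(rows), 2)))
    forest = [build(rows, 0, max_depth, sens, normals, rng) for _ in range(n_trees)]
    norm = n_trees * c(len(rows))
    return [2 ** (-sum(path_length(t, q) for t in forest) / norm) for q in queries]

# Constructed sample: 60 in-pattern cards plus three outliers (not data from the patent).
SENS = {"residual": 0.8, "rate": 0.2}                      # assumed periodic sensitivity
NORMALS = {"residual": (-1.0, 1.0), "rate": (0.8, 1.2)}    # assumed normal intervals
TRAIN = [{"residual": -0.9 + 0.03 * i, "rate": 0.85 + 0.005 * i} for i in range(60)]
TRAIN += [{"residual": 6.0, "rate": 1.0}, {"residual": 0.0, "rate": 3.0},
          {"residual": 5.0, "rate": 2.5}]
```

Because split points never fall inside the normal interval, in-pattern cards are never separated from one another and always end in one large leaf, while out-of-pattern cards are isolated within a few splits.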