Multi-agent trusted interaction and cloud-edge collaborative security calculation method for power scenario

By combining a closed-loop defense strategy view and a decentralized identifier protocol stack, secure computation is performed in multi-agent power scenarios. This solves the topological coupling problem of data interaction and collaborative reasoning among multiple agents in power scenarios, realizes the spatial continuity and physical consistency of power features, and improves the accuracy of power equipment fault identification and power grid security.

CN122339813APending Publication Date: 2026-07-03STATE GRID HENAN INFORMATION & TELECOMM CO

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
STATE GRID HENAN INFORMATION & TELECOMM CO
Filing Date
2026-04-29
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing technologies cannot effectively perceive the electrical topology coupling and physical influence between nodes in cross-domain data interaction and collaborative reasoning tasks among multiple agents in power scenarios. This leads to the diffusion of model contributions from polluting nodes, affecting the accuracy of power equipment fault identification and disrupting the spatial continuity and physical consistency of power features in the whole network model.

Method used

A closed-loop defense strategy is adopted for multi-dimensional feature extraction and credential issuance. Zero-knowledge proof verification is performed by combining a decentralized identifier protocol stack. The encrypted sandbox is unlocked for low-rank adaptation network training. Orthogonal projection compensation and fusion of the low-rank adapter matrix are performed in the cloud to generate a global aggregated security weight matrix. The contribution of polluted nodes is eliminated and the impact of forgetting operations on the global model is suppressed.

Benefits of technology

Accurately eliminate the contribution of polluting nodes, ensure the spatial continuity and physical consistency of power characteristics in the whole network model, improve the accuracy of power equipment fault identification, prevent the spread of malicious parameters, and protect the safe and stable operation of the power grid.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339813A_ABST
    Figure CN122339813A_ABST
Patent Text Reader

Abstract

This application discloses a multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios. First, based on the access reputation baseline of a closed-loop defense strategy view, multi-dimensional feature extraction and credential issuance are performed on edge agents, and a forgetting trigger signal is generated simultaneously. Next, a privacy-free session authorization is achieved through a decentralized identifier protocol stack and zero-knowledge proofs, unlocking the encrypted sandbox of the trusted execution environment. Within the sandbox, decoupled incremental training is performed on the low-rank adapter network initialized by the frozen backbone network bypass. Based on this, the cloud performs physical blocking and destruction of the low-rank adapter matrix of the marked nodes based on the forgetting trigger signal, and orthogonally projects and compensates for the remaining healthy nodes to obtain a global aggregated security weight matrix. This accurately eliminates the contributions of polluted nodes while suppressing the impact of forgetting operations on the accuracy of the global model, ensuring the spatial continuity and physical consistency of power features in the entire network model.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of secure computing, and more specifically, to a method for secure computing through multi-agent trusted interaction and cloud-edge-device collaborative computing in power scenarios. Background Technology

[0002] As new power systems advance towards digitalization and intelligence, heterogeneous intelligent agents such as substation monitoring terminals, distribution network smart gateways, and edge computing units of inspection drones have been deployed on a large scale in the power Internet of Things (IoT), forming a cloud-edge-device collaborative computing system covering the entire process of power generation, transmission, transformation, distribution, and consumption. The high-frequency cross-domain data interaction and collaborative reasoning tasks among multiple agents place stringent requirements on trusted identity authentication, privacy data protection, and secure aggregation of distributed models. If an agent's identity is forged or a poisoned data is injected into an edge node, malicious parameters will spread to the global model via the federated aggregation link, causing a deterioration in the accuracy of power equipment fault identification and even widespread misjudgments, directly threatening the safe and stable operation of the power grid. Therefore, constructing a trusted multi-agent interaction and cloud-edge-device collaborative secure computing solution for power scenarios is an urgent engineering need.

[0003] Existing solutions typically use decentralized identifiers and verifiable credentials for agent identity management, combined with a trusted execution environment to provide isolated computing space for edge nodes, and employ a federated learning framework in the cloud to aggregate the model parameters trained locally on each node. When data poisoning or privacy violations are detected on a node, a machine forgetting mechanism is introduced to revoke and destroy that node's model contribution, and then the parameters of the remaining healthy nodes are weighted and aggregated to reconstruct the global model. However, existing federated aggregation strategies after machine forgetting only calculate weighting coefficients based on two dimensions: node reputation score and local data size. They treat all healthy nodes as independent contributors of equal status in the feature space, performing a simple tensor linear addition on them, completely ignoring the objectively existing electrical topological coupling and physical influence transmission relationships between nodes in the power physical network. When a contaminated node is physically blocked and destroyed, the characteristic perception of its local power grid area forms a spatial hole in the global model. The aggregation mechanism cannot perceive which healthy nodes are most closely coupled with the forgotten hole area in the electrical topology, and cannot prioritize the use of the highly correlated local power grid characteristics contained in the neighboring nodes for accurate filling. As a result, nodes that are far away in the topology and physically unrelated receive excessive weight due to their large data volume or high reputation, injecting interfering features into the hole area. Ultimately, this causes a significant decrease in the accuracy of fault identification in the forgotten area, and the model prediction of adjacent substations shows non-physical jumps that violate the laws of electrical conduction, destroying the spatial continuity and physical consistency of power characteristics in the whole network model.

[0004] Therefore, we look forward to an optimized method for trusted multi-agent interaction and cloud-edge-device collaborative secure computing in power scenarios. Summary of the Invention

[0005] To address the aforementioned technical issues, this application provides a method for trusted multi-agent interaction and cloud-edge-device collaborative secure computing in power scenarios.

[0006] According to one aspect of this application, a method for multi-agent trusted interaction and cloud-edge-device collaborative secure computing in power scenarios is provided, comprising: S1: Based on the access reputation baseline in the closed-loop defense strategy view, multi-dimensional feature extraction and credential issuance processing are performed on the raw perception data stream and firmware hardware basic information of the edge agent to obtain the agent identity credentials, local power business dataset and forgetting trigger signal. S2: Based on the decentralized identifier protocol stack, zero-knowledge proof verification and session authorization processing are performed on the encrypted commitment data in the agent's identity credentials to obtain the session authorization identifier; S3: Unlock the encrypted sandbox of the edge trusted execution environment through the session authorization identifier, inject the local power business dataset and the global frozen basic model into the encrypted sandbox, and perform decoupled incremental training on the lightweight low-rank adapter network initialized by the frozen backbone network to obtain the low-rank adapter matrix. S4: Receive the low-rank adapter matrix uploaded by each edge node in the cloud federated aggregation center. After physically blocking and destroying the corresponding low-rank adapter matrix of the marked node based on the forgetting trigger signal, perform orthogonal projection compensation fusion on the low-rank adapter matrix of the remaining healthy nodes to obtain the global aggregation security weight matrix. S5: Spatial alignment detection is performed between the parameter distribution deviation of the global aggregated security weight matrix and the node behavior graph in the training audit log to obtain potential threat patterns; S6: Perform resilience assessment and collaborative defense strategy generation on the identified potential threat patterns to obtain a closed-loop defense strategy view.

[0007] Compared with existing technologies, this application provides a multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios. First, based on the access reputation baseline of the closed-loop defense strategy view, it performs multi-dimensional feature extraction and credential issuance for edge agents and simultaneously generates a forgetting trigger signal. Next, a privacy-free session authorization is achieved through a decentralized identifier protocol stack and zero-knowledge proofs, unlocking the encrypted sandbox of the trusted execution environment. Within the sandbox, decoupled incremental training is performed on the low-rank adapter network initialized by the frozen backbone network bypass. Based on this, the cloud performs physical blocking and destruction of the low-rank adapter matrix of the marked nodes based on the forgetting trigger signal, and orthogonally projects and compensates the remaining healthy nodes to obtain a global aggregated security weight matrix. This accurately eliminates the contributions of polluted nodes while suppressing the impact of forgetting operations on the accuracy of the global model, ensuring the spatial continuity and physical consistency of power features in the entire network model. Attached Figure Description

[0008] The above and other objects, features, and advantages of this application will become more apparent from the more detailed description of the embodiments of this application in conjunction with the accompanying drawings. The drawings are provided to further illustrate the embodiments of this application and form part of the specification. They are used together with the embodiments of this application to explain this application and do not constitute a limitation thereof. In the drawings, the same reference numerals generally represent the same components or steps.

[0009] Figure 1 This is a flowchart of a multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios according to an embodiment of this application; Figure 2 This is a data flow diagram illustrating the multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios according to an embodiment of this application. Figure 3 This is a flowchart of step S2 in the multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios according to an embodiment of this application; Figure 4 This is a flowchart of step S4 in the multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios according to an embodiment of this application. Detailed Implementation

[0010] Hereinafter, exemplary embodiments according to this application will be described in detail with reference to the accompanying drawings. Obviously, the described embodiments are merely some embodiments of this application, and not all embodiments of this application. It should be understood that this application is not limited to the exemplary embodiments described herein.

[0011] As indicated in this application and claims, unless the context clearly indicates otherwise, the words "a," "an," "an," and / or "the" are not specifically singular and may include plural forms. Generally speaking, the terms "comprising" and "including" only indicate the inclusion of explicitly identified steps and elements, which do not constitute an exclusive list, and the method or apparatus may also include other steps or elements.

[0012] While this application makes various references to certain modules of the systems according to embodiments of this application, any number of different modules can be used and run on user terminals and / or servers. The modules described are merely illustrative, and different aspects of the systems and methods may use different modules.

[0013] Flowcharts are used in this application to illustrate the operations performed by the system according to embodiments of this application. It should be understood that the preceding or following operations are not necessarily performed in exact order. Instead, various steps can be processed in reverse order or simultaneously as needed. Furthermore, other operations can be added to these processes, or one or more steps can be removed from them.

[0014] In the technical solution of this application, a method for multi-agent trusted interaction and cloud-edge-device collaborative secure computing for power scenarios is proposed. Figure 1 This is a flowchart of a multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios, according to an embodiment of this application. Figure 2 This is a system architecture diagram of a multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios, according to an embodiment of this application. Figure 1 and Figure 2 As shown, the multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios according to an embodiment of this application includes the following steps: S1, based on the access reputation baseline in the closed-loop defense strategy view, perform multi-dimensional feature extraction and credential issuance processing on the original perception data stream and firmware hardware basic information of the edge agent to obtain the agent identity credential, the local power business dataset, and the forgetting trigger signal; S2, based on the decentralized identifier protocol stack, perform zero-knowledge proof verification and session authorization processing on the encrypted commitment data in the agent identity credential to obtain the session authorization identifier; S3, unlock the encryption sandbox of the edge trusted execution environment through the session authorization identifier, and inject the local power business dataset and the global frozen basic model into the encryption sandbox. The process involves: S4, decoupling and incrementally training a lightweight low-rank adapter network initialized by bypassing the frozen backbone network to obtain a low-rank adapter matrix; S5, receiving the low-rank adapter matrices uploaded by each edge node at the cloud-based federated aggregation center, physically blocking and destroying the corresponding low-rank adapter matrices of marked nodes based on a forgetting trigger signal, and then orthogonally projecting and compensating the low-rank adapter matrices of the remaining healthy nodes to obtain a global aggregated security weight matrix; S6, spatially aligning the parameter distribution deviation of the global aggregated security weight matrix with the node behavior graph in the training audit log to obtain potential threat patterns; and S7, performing resilience assessment and generating collaborative defense strategies for the identified potential threat patterns to obtain a closed-loop defense strategy view.

[0015] Specifically, S1, based on the access reputation baseline in the closed-loop defense strategy view, performs multi-dimensional feature extraction and credential issuance processing on the raw perception data stream and firmware hardware basic information of the edge agents to obtain agent identity credentials, local power business datasets, and forgetting trigger signals. It should be understood that in the cloud-edge-device collaborative architecture of the power Internet of Things, a large number of heterogeneous edge agents (such as substation monitoring terminals, distribution network smart gateways, and edge computing units of inspection drones) continuously generate massive amounts of raw perception data streams, and use their respective firmware hardware basic information as physical identity anchors to access the multi-agent system. However, before these edge agents access the collaborative computing system, their identity authenticity has not been rigorously verified at the cryptographic level. The raw perception data stream is mixed with high-frequency sampling noise and asynchronous clock offsets, and it is impossible to determine whether a node has been marked as having security risks such as data poisoning or privacy violations. If the unprocessed raw data and unverified agent identities are directly input into the subsequent trusted execution environment training and federated aggregation process, the pollution parameters of malicious nodes will spread to the global model through the aggregation link, and it will be impossible to accurately locate and remove the model contributions of polluted nodes during the forgetting stage. Therefore, in the technical solution of this application, at the forefront of the collaborative computing process, based on the access reputation baseline in the closed-loop defense strategy view, multi-dimensional feature extraction and credential issuance processing are performed on the raw perception data stream and firmware hardware basic information of the edge agent, and three key outputs are generated simultaneously: agent identity credentials, local power business dataset, and forgetting trigger signal, which lay the data foundation and trust anchor for trusted interaction, isolated training and secure aggregation in subsequent steps.

[0016] In specific implementation, in S1.1, transient power feature filtering and spatiotemporal structure alignment are performed on the transient power physical features in the original sensing data stream and the device clock stamp and physical location information in the firmware hardware basic information to obtain the local power business dataset. In this process, firstly, transient power feature filtering is performed on the transient power physical features in the original sensing data stream. This filtering process targets transient power physical feature signals such as voltage sag waveforms, harmonic distortion components, load power curves, and transient overvoltage pulses contained in the original sensing data stream. It employs a combination of bandpass filtering and adaptive threshold denoising to filter out high-frequency noise components and low-frequency baseline drift components that exceed the frequency bands of interest for power business, retaining effective feature components that can characterize the instantaneous operating state of the power system.

[0017] Furthermore, the device clock stamp and physical location information of the edge agent are extracted from the firmware hardware basic information. The filtered transient power features are then subjected to spatiotemporal structure alignment processing to eliminate the timestamp offset caused by the difference in the accuracy of the local clock source between edge agents. The physical location information (such as GPS coordinates or grid topology addressing) is embedded in the data structure as a spatial dimension label, so that the power business data from different agents are comparable and fusionable under a unified spatiotemporal coordinate system.

[0018] In S1.2, based on the access reputation baseline in the closed-loop defense strategy view, hardware anti-counterfeiting hash calculation and reputation certificate issuance are performed on the firmware hardware basic information to obtain the agent's identity certificate. In this process, firstly, hardware anti-counterfeiting hash calculation is performed on the firmware hardware basic information. Specifically, the edge agent's unique hardware serial number, firmware version hash digest, secure boot chain metric, and other hardware layer identification information are used as input. A cascaded hash operation is performed using a collision-resistant cryptographic hash function to generate the agent's hardware anti-counterfeiting hash value, which serves as an unforgeable anchor point for its physical identity.

[0019] Furthermore, based on the access reputation baseline in the closed-loop defense strategy view, a reputation credential is issued to the agent. Specifically, the access reputation baseline value corresponding to the edge agent is read from the closed-loop defense strategy view. This value comprehensively reflects the compliance level of the node's behavior and the stability of data quality throughout the historical interaction cycle. The hardware anti-counterfeiting hash value, the access reputation baseline value, and the agent's node identifier are jointly encapsulated, and digitally signed using the private key of the credential issuing authority to generate the agent's identity credential.

[0020] In S1.3, based on the node identifier in the agent's identity credentials, risk marking addressing and matching are performed in the closed-loop defense strategy view to obtain the matching result. The matching result is then amplified and encoded using a risk penalty metric to obtain a forgetting trigger signal. In this process, the node identifier is first extracted from the agent's identity credentials. Using this node identifier as the addressing key, risk marking addressing and matching operations are performed in the risk marking record table of the closed-loop defense strategy view. Specifically, all entries in the risk marking record table are traversed to check if a matching risk marking record exists, and the matching result is output. The matching result is a combination of a binary indicator value and a risk level. When the node identifier matches in the risk marking record table, the matching result contains the risk level scalar corresponding to that node; when no match is found, the matching result indicates that the node is in a safe state.

[0021] Furthermore, the matching results are amplified and encoded using a risk penalty metric to generate a forgetting trigger signal. Here, the risk penalty metric is a preset amplification coefficient. Its function is to amplify and encode the risk level scalar in the risk labeling matching results from a normalized weak signal level into a strong control signal with a clear physical blocking instruction meaning. This ensures that the cloud-based federated aggregation center can unambiguously execute physical blocking and destruction operations upon receiving the signal. Specifically, a scalar multiplication operation is performed on the binary risk hit indicator value, the risk penalty metric, and the risk level scalar. That is, the forgetting trigger signal equals the binary risk hit indicator value multiplied by the risk penalty metric and then multiplied by the risk level scalar. When the binary risk hit indicator value is 0, regardless of the values ​​of the risk penalty metric and the risk level scalar, the forgetting trigger signal is 0, indicating that the node has not been marked as a risk node and no forgetting operation needs to be triggered. When the binary risk hit indicator value is 1, the forgetting trigger signal equals the product of the risk penalty metric and the risk level scalar, and its magnitude reflects the amplified control strength of the node's risk severity.

[0022] Specifically, in step S2, based on a decentralized identifier protocol stack, zero-knowledge proof verification and session authorization processing are performed on the encrypted commitment data in the agent's identity credential to obtain a session authorization identifier. It should be understood that holding an identity credential is not equivalent to obtaining legitimate authorization to participate in collaborative computing. In the multi-agent interaction scenario of the power IoT, each edge agent needs to unlock the encrypted sandbox of the trusted execution environment in the subsequent step S3 and execute model training tasks within it. This operation involves access to highly sensitive computing resources of the globally frozen basic model and the local power business dataset. If agents are allowed to access the encrypted sandbox solely based on the possession of an identity credential, then if the credential is intercepted or copied during transmission, attackers can impersonate legitimate agents to illegally access model parameters and business data in the trusted execution environment, resulting in model theft and privacy leaks. More critically, traditional identity verification methods require the verifier to directly inspect the plaintext attribute information (such as reputation score, capability level, etc.) in the credential. This inevitably exposes the agent's sensitive attributes to the verifier, violating the core principle of minimizing data disclosure in the self-sovereign identity concept. Therefore, in the technical solution of this application, an identity verification and session authorization step based on zero-knowledge proof is introduced between credential issuance and sandbox unlocking. This enables the agent to prove the legality of its credentials and the compliance of its attributes to the verifier without disclosing any plaintext attribute information. After the verification is passed, a time-sensitive and unique session authorization identifier is negotiated and generated as the key control credential for unlocking the encrypted sandbox.

[0023] Figure 3 This is a flowchart of step S2 in the multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios according to an embodiment of this application. Figure 3 The S2 includes: S2.1, based on the decentralized identifier protocol stack, performing decentralized identifier parsing and encrypted commitment extraction on the agent's identity credential to obtain a hidden attribute encrypted commitment; S2.2, loading the hidden attribute encrypted commitment into a zero-knowledge proof verification circuit to perform zero-knowledge proof non-interactive verification and key negotiation to obtain a session authorization identifier.

[0024] Specifically, in step S2.1, based on the decentralized identifier protocol stack, decentralized identifier parsing and cryptographic commitment extraction are performed on the agent's identity credentials to obtain a hidden attribute cryptographic commitment. In this process, the agent's identity credentials are first input into the identifier parsing layer of the decentralized identifier protocol stack. This parsing layer extracts the node identifier from the credentials, maps it to the corresponding decentralized identifier, and dereferences the decentralized identifier through a distributed ledger or verifiable data registry to retrieve the decentralized identifier document associated with the agent. The decentralized identifier document contains the agent's public key materials, server endpoint address, authentication method declaration, and a decentralized identifier reference from the credential issuing authority. Specifically, using the node identifier as the query key, the identifier parsing operation is performed in the verifiable data registry. The registration status of the identifier and the integrity of the associated document are confirmed through the consensus mechanism of the distributed ledger, and finally, a decentralized identifier document uniquely corresponding to the node identifier is output.

[0025] Secondly, the verifiable credential processing layer of the decentralized identifier protocol stack extracts the public key of the credential issuing authority from the decentralized identifier document and verifies the digital signature of the agent's identity credential to confirm that the credential has not been tampered with and was indeed issued by a legitimate issuing authority. Specifically, it uses the public key of the credential issuing authority to perform asymmetric cryptographic verification operations on the digital signature attached to the credential, comparing the hash digest of the credential payload with the signature value. If the two are mathematically consistent, a boolean value indicating successful signature verification is output; otherwise, a boolean value indicating verification failure is output. The protocol stack continues to execute subsequent cryptographic commitment extraction operations only if the signature verification is successful; if the signature verification fails, the session authorization process for the agent is terminated and the abnormal event is reported to the closed-loop defense strategy view.

[0026] After signature verification is successful, the verifiable credential processing layer parses and extracts the hidden attribute encrypted commitment from the credential payload. Specifically, for each sensitive attribute, the plaintext value of the attribute and a randomly generated blinding factor are used as the exponents of two common generators, and modular exponentiation and modular multiplication are performed to generate the commitment value of the attribute. Specifically, the plaintext value of the attribute is used as the exponent of the first generator to perform modular exponentiation to obtain the first intermediate value, the random blinding factor is used as the exponent of the second generator to perform modular exponentiation to obtain the second intermediate value, and the two intermediate values ​​are then modularly multiplied to obtain the final commitment value. This commitment scheme is based on the discrete logarithm difficulty assumption. Its binding property guarantees that the plaintext value of the attribute cannot be tampered with once committed, and its concealment property guarantees that no third party without the random blinding factor can deduce the plaintext attribute value from the commitment value. Each sensitive attribute generates an independent commitment value, and the commitment values ​​of all attributes converge to form a complete hidden attribute encrypted commitment data structure. This data structure will serve as the core common input of the zero-knowledge proof verification circuit in the subsequent sub-step S2.2.

[0027] Specifically, in step S2.2, the hidden attribute encrypted commitment is loaded into a zero-knowledge proof verification circuit for non-interactive zero-knowledge proof verification and key negotiation to obtain a session authorization identifier. In this process, firstly, the edge agent acts as the prover, using the hidden attribute encrypted commitment as public input and the corresponding set of plaintext attribute values ​​and a set of random blinding factors as private witnesses, loading them into a pre-compiled zero-knowledge proof verification circuit. This verification circuit internally encodes the attribute constraints required by the access control policy, including but not limited to a reputation score not lower than a preset threshold and a capability level belonging to the authorized set. The circuit execution process consists of two phases: The first phase is commitment consistency verification. Its computational logic involves re-executing the Pedersen commitment operation for each sensitive attribute using the plaintext attribute value from the private witness and a random blinding factor. The recalculated commitment value is then compared one by one with the corresponding commitment value in the public input to confirm complete consistency, thus proving that the prover indeed possesses the correct plaintext attribute value and blinding factor corresponding to the public commitment value. The second phase is attribute constraint verification. The verified consistent plaintext attribute values ​​are compared numerically with preset constraint thresholds to confirm that all attributes satisfy the access control policy constraints. Based on the complete execution trajectory of the circuit, the prover generates a concise zero-knowledge proof using a non-interactive zero-knowledge proof generation algorithm (based on the Fiat-Shamir heuristic to transform the interactive protocol into a non-interactive protocol, using a cryptographic hash function to simulate the prover's random challenge).

[0028] Subsequently, the edge agent sends the zero-knowledge proof along with the cryptographic commitment regarding hidden attributes to the verifier (i.e., the session authorization service node). The verifier uses the public reference string and verification key generated during the system initialization phase to perform non-interactive verification of the zero-knowledge proof. Specifically, the verifier inputs the public input, the zero-knowledge proof data, and the verification key into the verification algorithm. It checks the mathematical consistency between the polynomial commitment in the proof and the public input using elliptic curve bilinear pairing operations. If the pairing equation holds, it outputs a boolean value indicating successful verification; otherwise, it outputs a boolean value indicating verification failure. Only when the zero-knowledge proof verification is successful does the verifier and the prover enter the key negotiation phase. The key negotiation process is performed based on the elliptic curve Diffie-Hellman protocol. Specifically, the verifier generates a pair of temporary elliptic curve key pairs (temporary private key and temporary public key) and sends the temporary public key to the prover. The verifier uses its own temporary private key and the prover's public key (extracted from the decentralized identifier document) to perform an elliptic curve dot product operation to obtain a shared elliptic curve point. The prover simultaneously uses its own private key and the verifier's temporary public key to perform the same elliptic curve dot product operation to obtain the same shared elliptic curve point. Subsequently, both parties input the coordinates of the shared elliptic curve point into the key derivation function, which converts them into a fixed-length shared session key through cryptographic hashing and truncation operations.

[0029] Finally, based on the shared session key, the verifier concatenates the current timestamp, authorization validity period, authorization scope descriptor, instruction control word, and one-time random number into a bit string. The concatenated plaintext data is then encrypted and its integrity protected using a symmetric encryption algorithm based on the shared session key (such as AES-256-GCM authentication encryption) to generate a session authorization identifier.

[0030] Specifically, in S3, the encrypted sandbox of the edge trusted execution environment is unlocked through a session authorization identifier. The local power business dataset and the globally frozen basic model are injected into the encrypted sandbox to perform decoupled incremental training on the lightweight low-rank adaptation network initialized by the frozen backbone network bypass, thereby obtaining the low-rank adapter matrix. It should be understood that obtaining the session authorization identifier only means that the agent has passed the trusted verification at the identity level and the compliance review at the permission level; it has not yet entered the actual model training and parameter update stage. In the cloud-edge-device collaborative computing architecture of the power Internet of Things, each edge agent needs to use locally collected power business data to perform personalized adaptation training on the global basic model, so that the model can learn local power characteristics unique to the local power grid area, such as voltage sag patterns, harmonic distortion characteristics, and load power curve patterns. However, this training process faces two core security challenges: First, the local power business dataset contains a large amount of sensitive information related to grid operation status, equipment health indicators, and user load distribution. If training is performed in a normal computing environment, attackers with access rights, such as the operating system kernel, virtualization management programs, or even physical access, could steal training data and model parameters through memory snooping, side-channel attacks, and other means. Second, the global base model, as the core asset of cloud-based federated aggregation, faces the risk of model theft and reverse engineering if its complete parameters are exposed in the insecure environment of the edge nodes. Furthermore, fine-tuning all parameters of the global base model not only incurs computational costs far exceeding the computing power of the edge nodes, but also results in a massive amount of parameter updates uploaded by each node, causing severe communication bandwidth bottlenecks and aggregation computation burdens during the federated aggregation phase. In the technical solution of this application, the encrypted sandbox of the edge trusted execution environment is unlocked by the session authorization identifier. The local power business dataset and the globally frozen basic model are injected into the encrypted sandbox within the hardware-level isolated secure enclave. The lightweight low-rank adapter network initialized by the frozen backbone network is decoupled and incrementally trained. Under the premise of ensuring that the data and model do not leave the enclave throughout the process, the efficient learning of local features is completed with extremely low parameter overhead. Finally, a lightweight low-rank adapter matrix is ​​output for the federated aggregation in the subsequent step S4.

[0031] In specific implementation, in S3.1, the encrypted bus of the trusted execution environment is unlocked based on the instruction control word in the session authorization identifier. A digital envelope decryption operator is then used to deserialize and instantiate the computation graph of the verification-ready frozen basic model to obtain the frozen network computation graph within the sandbox. Simultaneously, symmetric decryption and stream format conversion are performed on the local power business dataset to obtain the business data computation stream within the sandbox. In this process, firstly, the instruction control word is extracted from the session authorization identifier. Specifically, using the shared session key as the symmetric decryption key, authentication decryption operations are performed on the encrypted data of the session authorization identifier. After verifying the integrity of the authentication tag, the plaintext payload is recovered. Then, a fixed-length instruction control word bit string is read from the predefined offset position of the plaintext payload.

[0032] Next, the extracted command control word is submitted to the Trusted Execution Environment (TEE) hardware interface on the edge agent device to request the unlocking of the encrypted bus. The TEE hardware security module verifies the legality of the command control word, including the format integrity, timestamp validity (confirming that the session authorization identifier has not expired), and binding relationship with the current enclave instance. Specifically, the hardware security module compares the timestamp embedded in the command control word with the current system time to confirm that the difference is within the authorization validity period; it compares the enclave instance identifier embedded in the command control word bit by bit with the identifier of the currently active enclave to confirm that they are completely identical; and it verifies the integrity check code of the command control word to confirm that it has not been tampered with. The encrypted bus is unlocked only if all the above verifications pass, and the edge agent obtains the permission to inject data into the secure memory inside the enclave; if any verification item fails, the unlocking request is rejected and an abnormal event is reported to the closed-loop defense strategy view.

[0033] After successfully unlocking the encryption bus, the system injects the encrypted data packet of the globally frozen basic model into the secure memory within the enclave via the encryption bus. The globally frozen basic model is protected using digital envelope encryption during its distribution from the cloud to the edge nodes. Its encrypted data packet consists of two parts: a serialized binary byte stream of the model (data body) encrypted with a symmetric key, and a symmetric key (digital envelope) encrypted with the edge agent's public key. Within the enclave, the encrypted data packet is decrypted using the digital envelope decryption operator. Specifically, the execution process of the digital envelope decryption operator is divided into two stages: In the first stage, the edge agent's private key (securely stored in the key storage area within the enclave) is used to perform asymmetric decryption of the digital envelope. The calculation principle is to use the edge agent's private key to perform elliptic curve decryption on the symmetric key ciphertext encrypted with the public key, and recover the plaintext symmetric key used to encrypt the model data body through elliptic curve dot product and inverse operation; In the second stage, the recovered symmetric key is used to perform symmetric decryption on the model serialized binary byte stream. The calculation principle is to use the recovered symmetric key as the decryption key of the AES-256-GCM algorithm to perform block decryption on the ciphertext of the model data body, and at the same time verify the attached authentication tag to confirm the data integrity, and finally recover the plaintext serialized binary byte stream of the globally frozen basic model.

[0034] After obtaining the plaintext serialized data, it undergoes deserialization and computation graph instantiation to obtain the frozen network computation graph within the sandbox. The deserialization process parses the binary byte stream back into the model object structure in memory, including network layer definitions (hyperparameter configurations such as layer type, dimensions, and activation functions), parameter tensors (the values ​​of the weight matrices and bias vectors for each layer), and the computation graph topology (data flow connections between layers and forward propagation paths). The computation graph instantiation process allocates computational resources (safe memory space and computational units) for each layer of the model in the enclave's safe memory, establishes data flow connections between layers, and completes the construction of the forward propagation path, putting the model in a ready state to receive input data and perform forward inference.

[0035] Simultaneously, the local power business dataset is injected into the enclave's internal secure memory via an encrypted bus, and then subjected to symmetric decryption and stream format conversion to obtain the business data computation stream within the sandbox. Specifically, within the enclave, the session key is first used as the decryption key for the AES-256-GCM algorithm to perform block decryption operations on the encrypted dataset and verify the authentication tag, recovering the plaintext structured data; subsequently, the decrypted structured data is converted into a stream format to obtain the business data computation stream within the sandbox.

[0036] In S3.2, the gradients of all backbone parameters in the frozen network computation graph within the trusted execution environment sandbox are locked to prevent them from participating in backpropagation. The low-rank adapter network is then trained using local incremental backpropagation training based on the business data computation flow within the sandbox until convergence to obtain the low-rank adapter matrix. This process begins by locking the gradients of all backbone parameters in the frozen network computation graph within the sandbox. Specifically, all parameter tensors in the frozen network computation graph are traversed, and the gradient calculation flag for each parameter tensor is set to disabled. This ensures that the automatic differentiation engine will not calculate gradients for these parameters or perform any numerical updates during subsequent backpropagation. After this operation, all backbone parameters in the frozen network computation graph retain their original values ​​from cloud distribution throughout the training process, participating only as backbone support for feature extraction in forward propagation computation.

[0037] Secondly, a lightweight low-rank adaptation network is initialized as a bypass next to the target layer of the frozen backbone network. For each layer selected as the adaptation target in the frozen network computation graph (whose original weight matrix has two dimensional parameters: output dimension and input dimension), a pair of low-rank decomposition matrices are attached next to it: a dimensionality reduction matrix and a dimensionality increase matrix, where the low-rank dimension is much smaller than the minimum dimension of the original weight matrix. The dimensionality reduction matrix projects the input data from the original high-dimensional space to the low-rank subspace, while the dimensionality increase matrix projects the features in the low-rank subspace back to the original high-dimensional space.

[0038] After the backbone parameter gradient locking and low-rank adaptation network bypass initialization are completed, the low-rank adaptation network is trained using local backward incremental iterative training based on the business data computation stream within the sandbox. Each training iteration consists of four stages: forward propagation, loss calculation, backpropagation, and parameter update. In the forward propagation stage, a batch of input data tensors is retrieved from the business data computation stream within the sandbox and simultaneously input into the original weight matrix of the target layer of the frozen backbone network and the low-rank adaptation matrix pair. Then, the bypass adaptation output is multiplied by a scaling factor and added element-wise with the backbone path output to obtain the final output of that layer. The scaling factor controls the perturbation amplitude of the low-rank adaptation bypass on the frozen backbone output, preventing training instability due to excessively large bypass outputs in the early stages of training. After the input data passes through the forward propagation of all network layers, the final predicted output of the model is obtained. In the loss calculation stage, the final predicted output of the model and the true label corresponding to the current batch are input into the loss function to calculate the training loss value for the current batch. In the backpropagation stage, the automatic differentiation engine calculates the gradient backward along the computation graph based on the training loss value. Specifically, starting from the loss function node, the partial derivatives of the loss value with respect to each trainable parameter are calculated layer by layer using the chain rule, following the reverse topological order of the computation graph. Since the gradient calculation flags for all parameters of the frozen backbone network are disabled, the automatic differentiation engine does not calculate gradients for these parameters during backpropagation; the gradient flow only passes through the parameters of the low-rank adaptation network. During the parameter update phase, the calculated gradients are used to update the parameters of the low-rank adaptation network. Throughout the parameter update process, the parameters of the frozen backbone network remain unchanged; only the dimensionality reduction and expansion matrices of the low-rank adaptation network are updated, achieving complete decoupling between the backbone parameters and the adaptation parameters.

[0039] It is worth mentioning that each training iteration consists of four stages: forward propagation, loss calculation, back propagation, and parameter update. The system retrieves data batch by batch from the business data computation stream within the sandbox and repeatedly executes training iterations until the preset convergence conditions are met. The convergence conditions can be set as follows: the training loss value is lower than a preset convergence loss threshold, or the change in loss value over several consecutive iterations is less than a preset minimum change threshold, or the preset maximum number of iterations is reached. Training terminates when any one of these three conditions is met. After training convergence, the system extracts the post-trained parameters of the low-rank adaptation networks on all target layers from the encrypted sandbox of the trusted execution environment. It then merges the reduced-dimensionality matrices and increased-dimensionality matrices of all target layers after training convergence to form a low-rank adapter matrix. This matrix only encodes the incremental feature changes of local power business data relative to the globally frozen basic model. Its total number of parameters is much smaller than the total number of parameters of the global basic model. In the subsequent step S4, it will be uploaded to the cloud federated aggregation center through an encrypted channel to participate in orthogonal projection compensation fusion to obtain the global aggregated security weight matrix.

[0040] Specifically, in step S4, the cloud-based federated aggregation center receives the low-rank adapter matrices uploaded by each edge node. After physically blocking and destroying the corresponding low-rank adapter matrices of the marked nodes based on the forgetting trigger signal, the low-rank adapter matrices of the remaining healthy nodes are orthogonally projected and compensated to obtain the global aggregation security weight matrix. It should be understood that... Figure 4 This is a flowchart of step S4 in the multi-agent trusted interaction and cloud-edge-device collaborative secure computing method for power scenarios according to an embodiment of this application. Figure 4 As shown, in the first embodiment of this application, step S4 includes: S4.1, based on the node weight reduction identifier and privacy withdrawal mapping table in the forgetting trigger signal, addressing and segmenting the low-rank adapter matrix uploaded by each edge node in the cloud federated aggregation memory pool to obtain a set of polluted matrices to be removed and a set of healthy matrices; S4.2, performing physical blocking and zero inversion destruction on the set of polluted matrices to be removed, and performing orthogonal projection compensation calculation on the set of healthy matrices to obtain a set of compensated healthy matrices; S4.3, performing joint assembly of compensation features on the set of compensated healthy matrices to obtain a global aggregated security weight matrix.

[0041] Specifically, in step S4.1, based on the node deweighting identifier and privacy withdrawal mapping table in the forgetting trigger signal, the low-rank adapter matrices uploaded by each edge node in the cloud federated aggregation memory pool are addressed and segmented to obtain a set of contaminated matrices to be removed and a set of healthy matrices. In this process, firstly, the cloud federated aggregation center receives all N low-rank adapter matrices uploaded by the edge nodes in the current aggregation round. These matrices, along with the forgetting trigger signals corresponding to each node, are stored together in the federated aggregation memory pool.

[0042] Then, the system iterates through each low-rank adapter matrix in the federated aggregate memory pool. For each low-rank adapter matrix uploaded by an edge node, the system reads the forgetting trigger signal corresponding to that node, extracts the node's deweighting identifier, and simultaneously searches the privacy withdrawal mapping table to see if there is a corresponding withdrawal record for that node's identifier. Specifically, if the node's deweighting identifier in the forgetting trigger signal is 1 (indicating that the node is marked as a risk node by the closed-loop defense strategy view), or if the node's identifier has a corresponding withdrawal record in the privacy withdrawal mapping table, then the node's low-rank adapter matrix is ​​assigned to the set of polluted matrices to be removed; if the node's deweighting identifier is 0 and its identifier does not exist in the privacy withdrawal mapping table, then the node's low-rank adapter matrix is ​​assigned to the set of healthy matrices. After addressing and partitioning, all low-rank adapter matrices in the federated aggregate memory pool are divided into two mutually exclusive sets without omission or overlap. The union of the set of polluted matrices to be removed and the set of healthy matrices is equal to the set of all matrices, and their intersection is an empty set.

[0043] Specifically, in S4.2, physical blocking and zero-inversion destruction are performed on the set of polluted matrices to be removed, and orthogonal projection compensation calculation is performed on the set of healthy matrices to obtain the compensated set of healthy matrices. In this process, physical blocking and zero-inversion destruction operations are first performed on the set of polluted matrices to be removed. Specifically, each low-rank adapter matrix in the set of polluted matrices to be removed is traversed, and all memory address references, pointer links, and index entries of that matrix in the federated aggregation memory pool are severed, completely removing it from the data dependency graph of the aggregation calculation process, so that no subsequent aggregation operation can access or reference the data of that matrix. After the physical blocking is completed, zero-inversion destruction is immediately performed on the physical memory region occupied by the blocked matrix. Subsequently, multiple rounds of secure overwriting are performed on this memory region: the first round overwrites the entire memory region in an all-zero bit mode, the second round overwrites the entire memory region in an all-one bit mode, and the third round overwrites the entire memory region in a random bit mode generated by a cryptographically secure pseudo-random number generator. After three rounds of overwriting, the numerical information of the original matrix parameters is completely erased at the physical media level. Any inversion attack based on memory forensics, cold start attacks, or data recovery techniques cannot recover the original matrix parameters from the overwritten memory area. After the zero-inversion destruction is completed, the memory area is released and returned to the free memory manager of the federated aggregated memory pool.

[0044] Simultaneously, orthogonal projection compensation is performed on the health matrix set to eliminate residual components in the health matrix that overlap with the feature directions of the already removed contaminated matrices. This ensures that the distribution of the compensated health matrix in the feature space no longer depends on the destroyed contaminated feature directions. Specifically, firstly, the parameters of all matrices in the set of contaminated matrices to be removed are concatenated along the row direction to form a contaminated feature aggregation matrix. The row space of this matrix spans the feature subspace encoded by the low-rank adapter matrices of all contaminated nodes. Subsequently, based on the contaminated feature aggregation matrix, the orthogonal complement space projection operator of the spanned feature subspace is calculated. The mathematical essence of this projection operator is an idempotent matrix. When applied to any vector, it completely eliminates the components of the vector located in the contaminated feature subspace, retaining only the components located in the orthogonal complement space.

[0045] Subsequently, the orthogonal complement space projection operator is applied to each low-rank adapter matrix in the health matrix set. This involves performing matrix multiplication on each health matrix with the orthogonal complement space projection operator, projecting it onto the orthogonal complement space of the contaminated feature subspace, resulting in a compensated low-rank adapter matrix. After orthogonal projection compensation, components in the health matrix that overlap with the feature directions of the destroyed contaminated matrix are projected away, leaving the remaining feature components entirely within the orthogonal complement space of the contaminated feature subspace, no longer containing any feature remnants related to the contaminated nodes. All compensated low-rank adapter matrices ultimately constitute the compensated health matrix set.

[0046] Specifically, in S4.3, the compensated health matrix set is jointly assembled with compensated features to obtain a global aggregated security weight matrix. In this process, firstly, the weighted aggregation coefficient is calculated based on two dimensions: the reputation score of each healthy agent in the previous round of interaction and the relative size of its local dataset. Specifically, for each healthy node in the compensated health matrix set, its reputation score dimension weight component is read from the closed-loop defense strategy view, reflecting the node's compliance with regulations and data quality stability during historical interaction cycles; its data size dimension weight component is calculated based on the proportion of the number of samples in the node's local power business dataset to the total number of samples in all healthy nodes' local datasets, reflecting the node's data contribution to the global model training. During execution, the access reputation baseline value of each healthy node is multiplied by the number of samples in its local power business dataset to obtain the node's unnormalized weight value; then, the unnormalized weight values ​​of all healthy nodes are summed to obtain the normalized denominator; finally, the unnormalized weight value of each node is divided by the normalized denominator to obtain the node's final weighted aggregation coefficient. The sum of the weighted aggregation coefficients of all healthy nodes equals 1, ensuring the numerical stability of the aggregation result.

[0047] After calculating the weighted aggregation coefficients of all healthy nodes, a tensor-space linear weighted summation operation is performed on all matrices in the compensated health matrix set. Specifically, each parameter element in each compensated low-rank adapter matrix is ​​multiplied by the weighted aggregation coefficient of its corresponding node to obtain a weighted matrix; then, all weighted matrices are summed element-wise in tensor space, i.e., the parameter elements at corresponding positions are accumulated one by one to obtain the global aggregation safety weight matrix. This matrix integrates the incremental feature contributions of all healthy nodes, with nodes having higher reputation scores and larger data scales receiving higher aggregation weights and having a greater influence on the feature representation of the global model; at the same time, since all matrices participating in aggregation have undergone orthogonal projection compensation processing, the global aggregation safety weight matrix does not contain any feature residues related to the destroyed contaminated matrices.

[0048] In particular, research has found that in the real operating environment of the power Internet of Things, the edge intelligent entity nodes (such as substation monitoring terminals, distribution network smart gateways, inspection drone edge computing units, etc.) are not logically isolated abstract computing entities, but form a highly coupled electrical topology network through physical conductors such as transmission lines, distribution buses, and transformer windings.

[0049] This physical coupling means that there is a strong spatial correlation and causal transmission between the power time-series data collected by substations A and B at both ends of the same 110kV transmission line, such as voltage sag waveforms, harmonic distortion characteristics, and load power curves. When a single-phase ground fault occurs on the A side, the zero-sequence current characteristics on the B side will inevitably show a synchronous responsive change. The feature representations learned by the local AI models of the two are deeply intertwined in physical essence.

[0050] However, in the first embodiment, sub-step S4.3, when performing global aggregation after federated forgetting, calculates the weighted aggregation coefficients based solely on two dimensions: the reputation score of each agent in the previous round of interaction and the relative size of the local dataset. Subsequently, it performs a simple tensor-space linear summation on all compensated health matrices. This aggregation strategy treats all healthy nodes as independent contributors with equal status in the feature space, completely ignoring the objectively existing electrical topology coupling and physical influence transmission relationships between nodes in the aforementioned power physics network.

[0051] This flaw can have serious consequences in real-world engineering scenarios. When a substation node is identified and physically destroyed due to data poisoning, the AI's perception of the local power grid area where that node is located creates a spatial void in the global model. Because the original aggregation mechanism cannot perceive which healthy nodes are closest to the forgotten node in terms of electrical topology and have the deepest physical coupling, it cannot prioritize using the highly relevant local power grid features contained in these neighboring nodes to accurately fill the void. Conversely, nodes that are extremely far from the forgotten node in terms of electrical topology (such as a wind farm aggregation station located in another provincial power grid zone), whose local features have almost no physical connection to the void area, may receive excessively high aggregation weights due to their large data volume or high reputation score, injecting a large number of irrelevant or even interfering features into the void area. Ultimately, this leads to a significant decrease in the accuracy of power equipment fault identification in the region where the forgotten node is located, and drastic jumps in model predictions between adjacent substations that do not conform to physical laws, disrupting the spatial continuity and physical consistency of power features in the overall network model.

[0052] To address the aforementioned deficiencies, this application further proposes a second embodiment.

[0053] Specifically, firstly, based on the shortest electrical impedance path between nodes in the power physical network impedance adjacency matrix, an exponential decay mapping is performed on the electrical distance between each healthy node in the compensated health matrix set and the blocked / forgotten nodes to obtain the topology compensation attention vector. After the physical blocking operation of federated forgetting is completed, the global model has spatial gaps in feature cognition in the local power grid area covered by the removed nodes. The most effective source of information to fill these gaps is precisely those neighboring healthy nodes that are most physically coupled with the forgotten nodes in the electrical topology—because the power waveform features collected by nodes on the same transmission line or the same busbar have a natural causal transmission consistency. Based on this physical intuition, this step reads the electrical connection topology and line impedance parameters between all network nodes from the system's built-in power physical network impedance adjacency matrix. For each healthy node in the feature-compensated health matrix set, the shortest electrical impedance path distance between it and each node in all the blocked / forgotten node identifier sets is calculated. This physical distance is then converted into a compensation attention score using an exponential decay function—the closer the electrical distance, the higher the attention; the farther away, the decay approaches zero. The final output is a topology compensation attention vector, as shown below: in, For the topology-compensated attention vector, the first... The attention score obtained by each healthy node For the set of blocked and forgotten node identifiers, and These are the topological coordinates of healthy node j and forgotten node u in the impedance adjacency matrix of the power physics network, respectively. The shortest electrical impedance path distance between the two. The physical attenuation coefficient is used to control the attenuation rate. Through this calculation, neighboring healthy nodes located in the same 110kV transmission corridor as the forgotten substation will automatically receive a much higher attention weight than remote nodes across provinces, thus providing a precise spatial guidance signal for subsequent aggregation and making the feature filling of the void region physically causally reasonable.

[0054] Next, singular value decomposition is performed on each matrix in the compensated health matrix set, and the structural information entropy of the normalized singular values ​​is calculated. The structural information entropy is then aggregated with the topology compensation attention vector to obtain a multidimensional topology-aware weight coefficient vector. It should be understood that assigning weights solely based on electrical distance is insufficient. In actual power operation, even if a healthy node is topologically adjacent to a forgotten node, if the node's local model features are of poor quality (e.g., long-term low-load operation resulting in extremely sparse fault samples), the effective information contained in its matrix is ​​insufficient to support high-quality hole filling. Blindly assigning high weights may introduce low-quality noise. Therefore, this step, based on topology attention, adds a quantitative evaluation of the matrix's feature richness. Specifically, singular value decomposition is performed on each matrix in the feature-compensated health matrix set, and its structural information entropy is calculated using the normalized singular value spectrum. A larger entropy value indicates a more uniform distribution of singular values, richer dimensions of encoded power waveform features, and stronger generalization ability; a smaller entropy value indicates that features are highly concentrated in a few principal components and have high information redundancy. Subsequently, the structural information entropy is cross-weighted with the topology compensation attention vector output from the previous step, and then probabilistically processed using a global normalization function to output a multidimensional topology-aware weight coefficient vector, as shown below: in, The structural information entropy is calculated from the singular value decomposition of the j-th health matrix. Let R be the k-th singular value after normalization of the matrix, and R be the total number of singular values. Let be the final normalized weight of the j-th node in the multidimensional topology-aware weight coefficient vector. This represents the attention score in the topology-compensated attention vector output from the previous step. For topological gravity adjustment scalar, As a characteristic gravitational adjustment scalar, This represents the total number of healthy nodes.

[0055] This fusion mechanism ensures that the node that ultimately obtains a high aggregation weight must simultaneously meet two conditions: it must be close to the forgotten void region in the electrical topology, and its own matrix must have sufficiently rich feature content. This fundamentally eliminates the interference of the two extreme cases of low-quality neighbors or high-quality but irrelevant neighbors on the global model.

[0056] Furthermore, using the multidimensional topology-aware weight coefficient vector as the objective constraint, the compensated health matrix set is subjected to graph regularization optimal closed-form solution and manifold aggregation reconstruction to obtain the global aggregated safety weight matrix. It should be understood that after obtaining the multidimensional weights that take into account both topological correlation and feature quality, if the traditional weighted linear summation method is still used for aggregation, the aggregation result is merely the weighted centroids of each matrix in Euclidean space, which cannot guarantee the smooth and gradual continuity of the global model parameters in the graph space of the power physics topology—that is, the model parameters corresponding to adjacent substations should exhibit a gradual transition conforming to the electrical conduction law, rather than abrupt step breaks. Therefore, this step innovatively introduces graph signal processing theory to derive the power graph Laplace regularization matrix from the power physics network impedance adjacency matrix, embedding it as a manifold smoothing penalty term into the aggregation optimization objective function. Using the multidimensional topology-aware weight coefficient vector as a weighted constraint, the set of health matrices after feature compensation as the approximation target, and the graph Laplacian quadratic form as a regularization penalty, a joint optimization problem is constructed and its closed-form solution is solved. The global aggregated safety weight matrix is ​​output as follows: in, To solve for the output global aggregate security weight matrix, Let j be the j-th weight in the multidimensional topology-aware weight coefficient vector. Let j be the j-th matrix in the set of health matrices after feature compensation. It is the Frobenius norm. To smooth the regularization control coefficients, For matrix trace operations, The Laplace regularization matrix of the electric power graph. It is the identity matrix. In the closed-form solution... Essentially, the term acts as a low-pass graph filter, smoothly spreading the weighted aggregation results across the power grid topology. This allows the aggregated global model parameters to exhibit a gradual transition characteristic that conforms to the laws of electrical conduction between physically adjacent substation nodes, rather than exhibiting parameter jumps that defy physical intuition.

[0057] Specifically, the second embodiment, through the aforementioned three-step improvement mechanism, establishes a strong mathematical binding from the power physical topology to the AI ​​model parameter space during the global aggregation process after federated forgetting. Compared to the simple linear aggregation in the first embodiment that relies solely on reputation scores and data scale, the improved scheme can automatically identify and prioritize the use of healthy nodes with the tightest coupling to the forgotten void region and the best feature quality on the electrical topology to accurately fill cognitive gaps after nodes are physically blocked and destroyed. Simultaneously, graph Laplace regularization constraints ensure that the global model parameters maintain physically consistent smoothness and continuity in the power grid topology graph space. The final effect is that while performing machine forgetting to remove contaminated nodes, it effectively suppresses the impact of forgetting operations on the prediction accuracy of local power grid area models, eliminates non-physical jump distortions in model output between adjacent substations, and maintains the topological coherence and manifold integrity of the power feature field across the entire network, thereby ensuring the continuous and reliable operation of power AI services in forgetting scenarios.

[0058] Specifically, in step S5, the parameter distribution deviation of the global aggregated security weight matrix is ​​spatially aligned with the node behavior graph in the training audit log to obtain potential threat patterns. It should be understood that in the security protection system of federated learning, the preceding steps have already obtained two types of key intermediate results from two independent analysis paths: one is a quantitative indicator reflecting the degree to which the model parameters of each participating node deviate from the global baseline at the statistical distribution level, obtained by calculating the parameter distribution deviation of the global aggregated security weight matrix; the other is a topological representation of the behavioral characteristics of each participating node during training, such as communication patterns, gradient submission frequency, and resource consumption, obtained by constructing a node behavior graph from the training audit log. However, the parameter distribution deviation itself can only reveal anomalies from the numerical statistics of model parameters, while the node behavior graph can only reveal anomalies from the topological structure of training behavior. Both have limitations in information dimension when analyzed independently—simple parameter deviation may be caused by normal factors such as data heterogeneity, and simple behavioral anomalies may be caused by non-malicious factors such as network fluctuations. Therefore, it is necessary to perform cross-domain correlation analysis on these two types of intermediate results from different analysis dimensions. In the technical solution of this application, deviation patterns in the parameter space and abnormal patterns in the behavior space are mapped and matched by spatial alignment detection. In this way, nodes or node groups that exhibit cooperative abnormal characteristics at both the parameter and behavior levels are identified in the cross-validation of the two spaces, and finally potential threat patterns with high confidence are obtained.

[0059] In practice, the parameter distribution deviation results are first transformed into a standardized feature vector form suitable for spatial mapping. Specifically, for each participating node in the federated learning system, the original value of the node's parameter distribution deviation is used as the basic component, while incorporating the temporal change rate of the deviation (i.e., the difference in deviation between adjacent training rounds, obtained by subtracting the deviation value of the previous round from the current round's deviation value to obtain the trend of deviation increase or decrease in the time dimension), the directional feature of the deviation (i.e., the cosine value of the parameter deviation relative to the global parameter benchmark, calculated by treating the node's parameter update vector and the global parameter update vector as two direction vectors in a high-dimensional space, and calculating the cosine value of the angle between them; a positive cosine value indicates that the deviation direction is consistent with the global direction, and a negative cosine value indicates that the deviation direction is opposite to the global direction), and the distribution variance of the deviation among different model layers (i.e., the dispersion of the node's deviation across different neural network layers; the deviation value of the node at each layer of network parameters is calculated first, and then the statistical variance of these layer-by-layer deviation values ​​is calculated; the larger the variance, the more uneven the deviation of the node is across different layers). The four components—original deviation value, time-series rate of change of deviation, cosine value of deviation direction, and variance of deviation at each level—are concatenated in sequence to form the parameter deviation feature vector of that node. After constructing the feature vector, the parameter deviation feature vectors of all nodes are normalized using zero-mean, unit-variance standardization. After this standardization, the numerical distribution of each feature dimension is adjusted to a standard normal distribution with a mean of zero and a standard deviation of one, eliminating the scaling inconsistency caused by differences in units and numerical ranges between different feature dimensions, ultimately yielding the parameter deviation feature vector.

[0060] Next, the node behavior graph is transformed from a graph structure into a node-level feature vector form comparable to the parameter deviation feature vector. Specifically, for each node in the graph, its own behavior attribute vector is first extracted. The components of this vector are directly extracted from the training audit log, including the gradient submission frequency (i.e., the number of times gradient updates are submitted to the federated aggregation center per unit time), average communication latency (i.e., the average time for data transmission between the node and the aggregation center), peak resource utilization (i.e., the maximum value of computational resource utilization of the node during training), and variance of the model update time interval (i.e., the statistical variance of the time interval between two adjacent model update submissions of the node; the larger the variance, the more irregular the submission behavior). Then, the topological features of the node in the graph are extracted, including node degree (the number of edges directly connected to the node, reflecting the number of direct interactions between the node and other nodes), clustering coefficient (calculated by the ratio of the actual number of edges between all the node's neighbors to the theoretically maximum number of edges, reflecting the density of interactions within the node's neighborhood), and betweenness centrality (calculated by the proportion of the number of shortest paths between all pairs of nodes in the entire graph that pass through the node, reflecting the node's role as an information transmission hub in the entire graph). Finally, the behavioral attribute vector and the topological feature vector are concatenated end-to-end to form the complete behavioral feature vector of the node. Consistent with the handling of parameter deviations from the feature vector, after constructing the feature vector, the mean and standard deviation are calculated for each feature dimension. Then, the mean is subtracted and the standard deviation is divided for each component to obtain the normalized behavioral feature vector.

[0061] Furthermore, the parameter space containing the parameter deviation feature vector and the behavior space containing the behavior feature vector are projected into a unified joint feature space through a mapping function, enabling direct comparison of the two heterogeneous features within the same metric framework. Specifically, a spatial alignment method based on canonical correlation analysis is employed, which projects the two types of features into a common subspace that maximizes correlation by learning two sets of linear mapping matrices. During execution, firstly, two linear mapping matrices are defined: one for projection onto the parameter deviation feature space and the other for projection onto the behavior feature space. Then, the trace of the product of the transpose of the first mapping matrix with the cross-covariance matrix and the second mapping matrix is ​​taken as the numerator. The square root of the trace of the product of the transpose of the first mapping matrix with the parameter autocovariance matrix and itself, and the square root of the trace of the product of the transpose of the second mapping matrix with the behavior autocovariance matrix and itself, is taken as the denominator. The mapping matrix pair that maximizes this fraction is then solved. After obtaining the optimal mapping matrix pairs, the parameter deviation feature vectors of each node are linearly projected through the first optimal mapping matrix to obtain the parameter deviation projection vector of that node in the joint feature space. Similarly, the behavioral feature vectors of each node are linearly projected through the second optimal mapping matrix to obtain the behavioral projection vector of that node in the joint feature space. After spatial alignment, the parameter deviation projection vectors and behavioral projection vectors of each node are in the same common feature space, with the same dimension and comparable metric scale, thus providing a foundation for subsequent alignment detection.

[0062] Subsequently, the alignment degree between the parameter deviation projection vector and the behavior projection vector of each node is measured in the joint feature space, and nodes exhibiting cooperative anomalies in both the parameter and behavior dimensions are identified based on the alignment deviation. Specifically, for each node, an alignment deviation score is calculated between its parameter deviation projection vector and behavior projection vector in the joint feature space. This alignment deviation score takes into account both the Euclidean distance and the cosine distance between the two projection vectors. The larger the alignment deviation score, the higher the inconsistency between the node's deviation pattern in the parameter space and its anomalous pattern in the behavior space, indicating a stronger cooperative correlation between the node's parameter anomalies and behavioral anomalies. After calculating the alignment deviation scores for all nodes, an anomaly threshold is determined based on statistical tests to identify cooperatively anomalous nodes. When a node's alignment deviation score exceeds this threshold, the node is marked as a cooperatively anomalous node, indicating that it exhibits significant anomalous features in both the parameter deviation and behavior anomaly dimensions.

[0063] Finally, the set of collaboratively anomalous nodes is further analyzed and organized to extract potential threat patterns with structured descriptions. Specifically, firstly, all nodes marked as collaboratively anomalous are extracted from the joint feature space to form a subset of anomalous nodes; then, density-based clustering analysis (such as the DBSCAN algorithm, which searches for neighboring points within a specified radius centered on each data point, marking a point as a core point when the number of neighboring points reaches a specified minimum density threshold, and then grouping all density-reachable core points and their neighboring points into the same cluster) is performed on the projection vectors of this subset of anomalous nodes in the joint feature space, grouping nodes with similar anomalous patterns into the same threat cluster; finally, for each threat cluster, attributes such as feature center, anomalous intensity, list of involved nodes, parameter deviation direction, and behavioral anomalous type are extracted to form a structured description of potential threat patterns.

[0064] Specifically, in step S6, a resilience assessment and collaborative defense strategy generation are performed on the identified potential threat patterns to obtain a closed-loop defense strategy view. It should be understood that merely identifying potential threat patterns is insufficient to directly guide the system's security actions—identified threat patterns may encompass various anomalies of different severity, attack types, and impact ranges. Without a systematic resilience assessment of these threat patterns to quantify their actual impact on overall system security and business continuity, it is impossible to reasonably determine the priority of defense resource allocation and the urgency of response strategies. Therefore, in the technical solution of this application, a resilience assessment and collaborative defense strategy generation are further performed on the identified potential threat patterns to obtain a closed-loop defense strategy view. The output of the closed-loop defense strategy view is directly fed back to step S1, serving as the basis for edge agent identity credential issuance and forgetting trigger signal generation in subsequent rounds. In practice, the first step is to quantitatively assess the resilience impact of each potential threat pattern output by S5 across three dimensions: system security, business continuity, and model reliability. Specifically, for the business continuity dimension, the calculation logic is as follows: for each involved node in the threat cluster, multiply the criticality score of the power service carried by that node by one, subtract the redundancy coverage of that node (higher redundancy coverage indicates more sufficient backup and a smaller threat to business continuity), multiply by one again, and add the strength of the business dependency relationship between that node and other nodes (higher dependency strength indicates a greater cascading impact after the node's failure). Then, average the calculation results for all involved nodes to obtain the business continuity impact score. For the system security dimension, the calculation logic is as follows: multiply the proportion of the number of involved nodes in the threat cluster to the total number of participating nodes by a size weighting coefficient, add the average topological importance score of the involved nodes (calculated by averaging the betweenness centrality and degree centrality of each involved node), multiply by a location weighting coefficient, and add the threat cluster anomaly strength value multiplied by a strength weighting coefficient. The weighted sum of these three factors yields the system security impact score. For the model reliability dimension, the evaluation calculation logic is as follows: First, calculate the consistency coefficient of the deviation direction of the parameters of the involved nodes in the threat cluster (obtained by calculating the mean cosine similarity between the deviation direction vectors of all involved node parameters; a larger value indicates a more consistent deviation direction and a higher probability of coordinated poisoning). Then, calculate the proportion of the sum of the deviation degrees of the involved nodes to the total deviation degree of all nodes. Next, calculate the sum of the aggregation weights obtained by the involved nodes in the preceding federated aggregation. Multiply the above three quantities to obtain the model reliability impact score. After calculating the impact scores of the three dimensions respectively, they are weighted and summed according to the preset dimension weight coefficients to obtain the comprehensive resilience threat score of the threat cluster. The higher the comprehensive resilience threat score, the greater the potential damage of the threat pattern to the overall resilience of the system.

[0065] Secondly, based on the comprehensive resilience threat score and its multi-dimensional impact score of each threat cluster, a collaborative defense strategy is generated for each threat cluster. First, each threat cluster is classified by threat type: if the parameter deviation direction is strongly negatively correlated with the global update direction and the behavior is characterized by high-frequency gradient submissions, it is identified as a data poisoning or model poisoning threat; if the parameter deviation is extremely small but the behavior is characterized by abnormally high data request frequency and abnormally low gradient contribution, it is identified as a free-rider attack or model theft threat; if the parameter deviation fluctuates periodically and the behavior is characterized by intermittent abnormal communication patterns, it is identified as an interface abuse or man-in-the-middle attack threat. After determining the threat type, the threat severity is divided into multiple levels based on the numerical range of the comprehensive resilience threat score, and a corresponding combination of defense actions is configured for each level, including access reputation degradation, forgetting trigger flags, model rollback instructions, communication isolation instructions, and enhanced monitoring instructions.

[0066] Furthermore, based on the resilience assessment results and the access reputation degradation actions in the collaborative defense strategy, the access reputation scores of all participating nodes in the system are updated and calculated. For normal nodes not appearing in any threat cluster, their reputation scores are slightly increased positively based on their historical values; for nodes appearing in a threat cluster, their reputation scores are negatively penalized based on their historical values. The vector formed by the updated access reputation scores of all nodes constitutes the new access reputation baseline.

[0067] Subsequently, risk labeling information is generated for each participating node in the system, and the corresponding risk penalty metric is calculated. Risk labeling is divided into four levels: "Safe," "Attention," "Warning," and "Dangerous." Specifically, nodes not appearing in any threat cluster are labeled "Safe"; nodes appearing in a threat cluster and whose overall resilience threat score is below a first threshold are labeled "Attention"; scores between the first and second thresholds are labeled "Warning"; and scores exceeding the second threshold are labeled "Dangerous." The risk labeling information for each node is stored in key-value pairs, where the key is the node identifier, and the value is the risk label, its associated threat cluster number, and a threat type description. Then, for each node labeled below the "Safe" level, the overall resilience threat score of its associated threat cluster is multiplied by the node's individual alignment deviation score, divided by the average anomaly intensity of the threat cluster, and then multiplied by the level amplification factor corresponding to the node's risk label level (where "Attention" corresponds to amplification factor one, "Warning" to amplification factor two, and "Dangerous" to amplification factor four). Nodes labeled "Safe" have a risk penalty metric of zero.

[0068] Finally, the outputs of the aforementioned sub-steps are structured and integrated to form a complete closed-loop defense strategy view. Specifically, the access reputation baseline is taken as the first component, risk labeling information as the second component, and the set of risk penalty measurement factors as the third component. Additionally, the comprehensive resilience threat score of each threat cluster, details of the collaborative defense strategy, and the current round timestamp are included as auxiliary information. All components are serialized and encapsulated according to a predefined data structure format to form a complete closed-loop defense strategy view data object. This object is persistently stored and will be read and parsed by step S1 at the start of the next training iteration, thus realizing a complete closed-loop protection cycle of "threat detection—resilience assessment—strategy generation—strategy execution—threat detection".

[0069] In summary, the multi-agent trusted interaction and cloud-edge-device collaborative secure computation method for power scenarios, according to embodiments of this application, is elucidated. First, based on the access reputation baseline of the closed-loop defense strategy view, multi-dimensional feature extraction and credential issuance are performed on edge agents, and a forgetting trigger signal is generated simultaneously. Next, a privacy-free session authorization is achieved through a decentralized identifier protocol stack and zero-knowledge proof, unlocking the encrypted sandbox of the trusted execution environment. Within the sandbox, decoupled incremental training is performed on the low-rank adapter network initialized by the frozen backbone network bypass. Based on this, the cloud performs physical blocking and destruction of the low-rank adapter matrix of the marked nodes based on the forgetting trigger signal, and orthogonally projects and compensates the remaining healthy nodes to obtain a global aggregated security weight matrix. This accurately eliminates the contributions of polluted nodes while suppressing the impact of forgetting operations on the accuracy of the global model, ensuring the spatial continuity and physical consistency of power features in the entire network model.

[0070] The various embodiments of this disclosure have been described above. These descriptions are exemplary and not exhaustive, nor are they limited to the disclosed embodiments. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles, practical application, or improvement of the technology in the market, or to enable others skilled in the art to understand the embodiments disclosed herein.

Claims

1. A multi-agent trusted interaction and cloud-edge collaborative security computing method for power scenarios, characterized in that, include: S1: Based on the access reputation baseline in the closed-loop defense strategy view, multi-dimensional feature extraction and credential issuance processing are performed on the raw perception data stream and firmware hardware basic information of the edge agent to obtain the agent identity credentials, local power business dataset and forgetting trigger signal. S2: Based on the decentralized identifier protocol stack, zero-knowledge proof verification and session authorization processing are performed on the encrypted commitment data in the agent's identity credentials to obtain the session authorization identifier; S3: Unlock the encrypted sandbox of the edge trusted execution environment through the session authorization identifier, inject the local power business dataset and the global frozen basic model into the encrypted sandbox, and perform decoupled incremental training on the lightweight low-rank adapter network initialized by the frozen backbone network to obtain the low-rank adapter matrix. S4: Receive the low-rank adapter matrices uploaded by each edge node in the cloud federated aggregation center. After physically blocking and destroying the corresponding low-rank adapter matrices of the marked nodes based on the forgetting trigger signal, perform orthogonal projection compensation fusion on the low-rank adapter matrices of the remaining healthy nodes to obtain the global aggregation security weight matrix.

2. The method for power scenario oriented multi-agent trusted interaction and cloud edge-end collaborative security computing according to claim 1, characterized in that, Also includes: S5: Spatial alignment detection is performed between the parameter distribution deviation of the global aggregated security weight matrix and the node behavior graph in the training audit log to obtain potential threat patterns; S6: Perform resilience assessment and collaborative defense strategy generation on the identified potential threat patterns to obtain a closed-loop defense strategy view.

3. The method for multi-agent trusted interaction and cloud-edge-device collaborative secure computing in power scenarios according to claim 1, characterized in that, Step S1 includes: S1.1: Perform transient power feature filtering and spatiotemporal structure alignment on the transient power physical features in the original sensing data stream and the device clock stamp and physical location information in the firmware hardware basic information to obtain the local power business dataset; S1.2: Based on the access reputation baseline in the closed-loop defense strategy view, perform hardware anti-counterfeiting hash calculation and reputation certificate issuance on the firmware hardware basic information to obtain the agent identity certificate. S1.3: Based on the node identifier in the agent's identity credentials, risk marking addressing and matching are performed in the closed-loop defense strategy view to obtain the matching result, and the matching result is amplified and encoded by the risk penalty metric factor to obtain the forgetting trigger signal.

4. The method for multi-agent trusted interaction and cloud-edge-device collaborative secure computing in power scenarios according to claim 1, characterized in that, Step S2 includes: S2.1: Based on the decentralized identifier protocol stack, the agent's identity credentials are parsed using decentralized identifiers and encrypted commitments are extracted to obtain the hidden attribute encrypted commitment; S2.2: Load the hidden attribute encryption commitment into the zero-knowledge proof verification circuit to perform zero-knowledge proof non-interactive verification and key negotiation to obtain the session authorization identifier.

5. The method for multi-agent trusted interaction and cloud-edge-device collaborative secure computing in power scenarios according to claim 1, characterized in that, Step S3 includes: S3.1: Based on the instruction control word in the session authorization identifier, unlock the encrypted bus of the trusted execution environment, and use the digital envelope decryption operator to deserialize and instantiate the verification-ready frozen basic model to obtain the frozen network computation graph in the sandbox. Simultaneously, perform symmetric decryption and stream format conversion on the local power business dataset to obtain the business data computation stream in the sandbox. S3.2: In the trusted execution environment sandbox, lock all backbone parameter gradients of the network computation graph within the sandbox to prevent them from participating in backpropagation, and use the business data computation flow within the sandbox to perform local backpropagation incremental iterative training on the low-rank adapter network until convergence to obtain the low-rank adapter matrix.

6. The method for multi-agent trusted interaction and cloud-edge-device collaborative secure computing in power scenarios according to claim 1, characterized in that, Step S4 includes: S4.1: Based on the node deweighting identifier and privacy withdrawal mapping table in the forgetting trigger signal, the low-rank adapter matrix uploaded by each edge node in the cloud federated aggregation memory pool is addressed and segmented to obtain the set of polluted matrices to be removed and the set of healthy matrices. S4.2: Perform physical blocking and zero-inversion destruction on the set of contamination matrices to be removed, and perform orthogonal projection compensation calculation on the set of health matrices to obtain the compensated set of health matrices; S4.3: Perform joint assembly of compensation features on the compensated health matrix set to obtain the global aggregated security weight matrix.

7. The method for multi-agent trusted interaction and cloud-edge-device collaborative secure computing in power scenarios according to claim 1, characterized in that, S4.3 includes: S4.3.1: Based on the shortest electrical impedance path between nodes in the impedance adjacency matrix of the power physics network, the electrical distance between each healthy node and the blocked forgotten node in the compensated health matrix set is subjected to exponential decay mapping to obtain the topology compensation attention vector. S4.3.2: Perform singular value decomposition on each matrix in the compensated health matrix set and calculate the structural information entropy of the normalized singular values. Aggregate the structural information entropy with the topology compensation attention vector to obtain the multidimensional topology-aware weight coefficient vector. S4.3.3: Using the multidimensional topology-aware weight coefficient vector as the objective constraint, the set of compensated health matrices is subjected to graph regularization optimal closed-form solution and manifold aggregation reconstruction to obtain the global aggregated safety weight matrix.