Cross-battery health state estimation model persistence backdoor risk assessment method and application
By injecting learnable triggering perturbations and applying domain-invariant constraints into the cross-battery state of health estimation model, the problem of evaluating backdoor behavior after migration calibration is solved, and the persistent backdoor risk assessment of the battery SOH estimation model is realized, ensuring the safety and accuracy of the model in the cross-domain adaptation process.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SUZHOU UNIV OF SCI & TECH
- Filing Date
- 2026-04-13
- Publication Date
- 2026-07-10
AI Technical Summary
Existing technologies lack systematic evaluation methods for whether cross-battery state of health estimation models still retain backdoor behavior after migration calibration, and lack a risk analysis framework that considers time-series regression characteristics, cross-domain feature migration characteristics, and the concealment of triggering perturbations, thus failing to effectively assess the deployment security of battery SOH estimation models.
By preheating and training the model on the source domain battery dataset, injecting learnable trigger perturbations to form poisoned samples, setting prototype anchors and applying domain-invariant constraints, combining domain adversarial training to align feature representations, constructing feature binding and separation loss functions, and evaluating the model's persistent backdoor risk.
While maintaining the accuracy of normal battery health state estimation, this study reveals potential hidden safety risks after cross-domain calibration, provides a basis for safety testing and protection, and improves the durability of the model in the cross-domain adaptation process.
Smart Images

Figure CN122365486A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of battery management technology, specifically relating to a method and application for assessing the persistence backdoor risk of a cross-battery health state estimation model. Background Technology
[0002] Lithium-ion batteries are key energy storage units in modern electrified transportation systems, and accurate estimation of their state of health (SOH) is crucial for ensuring system performance, reliability, and safety. In practical applications, SOH estimation results directly impact vehicle availability, energy efficiency, maintenance scheduling, and replacement decisions. Inaccurate capacity assessments may lead to overly conservative system operation or delayed maintenance, while hidden cell degradation can accumulate and evolve into system-level safety hazards. With the increasing demands for battery health monitoring, full lifecycle management, and technical documentation, high-precision SOH estimation has become a critical support capability for battery management systems (BMS). Therefore, BMS typically continuously monitors signals such as voltage, current, and temperature, and uses real-time SOH estimation as a fundamental function in battery health monitoring and operational decision-making.
[0003] Existing battery state-of-the-art (SOH) estimation methods can be broadly categorized into model-based methods and data-driven methods. Model-based methods rely on electrochemical mechanisms, such as electrochemical models and equivalent circuit models, thus possessing strong physical interpretability. However, under complex operating conditions, these methods often face limitations in estimation accuracy and robustness. In contrast, data-driven methods have received increasing attention in recent years. These methods learn from multivariate time-series measurement data collected by a battery management system (BMS) and utilize deep neural networks such as LSTM and Transformer to model the nonlinear degradation process, thereby achieving higher estimation accuracy. More importantly, since battery aging trajectories vary significantly across different cells, temperatures, and operating conditions, practical SOH deployments often cannot rely on a single fixed model and tend to employ transfer learning or domain adaptation methods to transfer pre-trained predictors to new battery domains.
[0004] While data-driven SOH models demonstrate significant advantages in accuracy, they also introduce considerable risks regarding reliability and deployment security. Among the many security threats, backdoor attacks are particularly noteworthy because they can implant covert prediction biases into deployed SOH estimation models. Models with backdoors typically perform correctly with normal inputs, but will output abnormal results once a specific trigger pattern appears in the input. Therefore, this type of risk is often difficult to detect in a timely manner during normal operation.
[0005] However, most traditional backdoor methods implicitly assume that the model remains fixed after training and deployment. This assumption often fails in real-world BMS applications. Due to significant differences between different battery cells and their operating conditions, transfer learning and domain adaptation are frequently used to adapt pre-trained models to unseen batteries and new operating conditions. In this context, backdoor behaviors implanted during training may be weakened, altered, or even retained during adaptation, largely depending on how the adaptation process reshapes the feature representation space. Further research in transfer learning and continuous learning scenarios suggests that hidden backdoor behaviors may remain effective during model adaptation or continuous updates. Therefore, investigating whether backdoor behaviors persist after cross-domain adaptation is crucial for assessing the actual safety risks of battery SOH estimation.
[0006] The existing technology has at least the following shortcomings: First, it lacks a systematic evaluation method for whether the cross-battery health state estimation model still retains backdoor behavior after migration calibration; second, it lacks a risk analysis framework that can simultaneously consider time-series regression characteristics, cross-domain feature migration characteristics, and the concealment of triggering disturbances; and third, it lacks backdoor persistence testing and verification technology for the actual deployment process of BMS.
[0007] Therefore, to address the aforementioned technical issues, it is necessary to provide a method and application for assessing the persistence backdoor risk of a cross-battery health state estimation model. Summary of the Invention
[0008] The purpose of this invention is to provide a method and application for assessing the persistent backdoor risk of cross-battery health state estimation models, which can solve the problem of insufficient accuracy of risk assessment after migration calibration of cross-battery health state estimation models.
[0009] To achieve the above objectives, a specific embodiment of the present invention provides a method for assessing the persistence backdoor risk of a cross-battery health state estimation model, the method comprising:
[0010] Obtain the source domain battery dataset and the target domain battery dataset, and perform preheating training on the cross-battery health state estimation model based on the source domain battery dataset;
[0011] A portion of the source domain battery dataset is selected and injected with learnable trigger perturbations to obtain poisoned samples;
[0012] In the feature space of the cross-battery health state estimation model, a prototype anchor point is set so that the features corresponding to the poisoned sample are clustered toward the prototype anchor point, and the features corresponding to the clean sample that was not injected with the triggering perturbation are separated from the prototype anchor point.
[0013] Align the feature representations of the source domain battery dataset and the target domain battery dataset, and apply domain-invariant constraints to the prototype anchor point;
[0014] The cross-battery health status estimation model is transferred and calibrated based on the target domain dataset. The estimation results of clean samples and poisoned samples before and after calibration are obtained respectively. The persistence backdoor risk of the cross-battery health status estimation model is evaluated based on the results.
[0015] In one or more embodiments of the present invention, the method further includes:
[0016] A feature binding loss function is constructed to constrain the reduction of the distance between the intermediate feature representation of the poisoned sample and the prototype anchor point;
[0017] Construct a feature separation loss function to constrain the intermediate feature representations of the clean samples from the prototype anchor point.
[0018] In one or more embodiments of the present invention, the feature representations of the source domain battery dataset and the target domain battery dataset are aligned based on domain adversarial training, wherein the domain adversarial training includes:
[0019] Construct a domain discrimination model, and set a gradient inversion layer between the feature extraction part of the cross-battery health state estimation model and the domain discrimination model, so that the domain discrimination model can distinguish the domain to which the features belong, and the cross-battery health state estimation model learns domain-insensitive features; and / or,
[0020] The application of domain-invariant constraints to the prototype anchor points specifically includes: constructing a domain discrimination model and constraining the output of the domain discrimination model to the prototype anchor points to tend to a uniform distribution across all domains.
[0021] In one or more embodiments of the present invention, the step of injecting a learnable trigger perturbation into a selected portion of the source domain battery dataset to obtain poisoned samples specifically includes:
[0022] Construct an unconstrained trigger template;
[0023] The smoothed trigger perturbation is obtained by at least one of hyperbolic tangent compression, channel-scale modulation, and time-dimensional smoothing.
[0024] The amplitude of the triggering disturbance is projected so that each element falls within the preset disturbance amplitude range.
[0025] In one or more embodiments of the present invention, the method further includes:
[0026] The source domain battery dataset and the target domain battery dataset are preprocessed to form multi-channel time-series input samples and corresponding battery health status labels; wherein, the multi-channel time-series input samples include at least two of voltage channels, current channels and temperature channels; the battery health status labels are characterized by battery normalized discharge capacity.
[0027] The preprocessing specifically includes: segmenting the battery cycles of the source domain battery dataset and the battery cycles of the target domain battery dataset; performing fixed-length interpolation on the time series in each battery cycle; and normalizing different measurement channels.
[0028] In one or more embodiments of the present invention, the method includes:
[0029] The triggering perturbation is injected into the multi-channel time-series input samples by broadcasting along the cyclic dimension, so that the time series corresponding to each cycle is superimposed with the same or isomorphic triggering mode.
[0030] In one or more embodiments of the present invention, the method further includes:
[0031] Based on the clean sample estimation error, the degree to which the poisoned sample approximates the battery health state value of the target battery, and the concealment index of the triggered perturbation, the persistent backdoor risk assessment result of the cross-battery health state estimation model is output; and / or,
[0032] After pre-training the cross-battery health status estimation model based on the source domain battery dataset, the poisoning ratio of the source domain battery dataset and the upper bound of the trigger perturbation amplitude are gradually increased according to the training rounds to poison the cross-battery health status estimation model.
[0033] A specific embodiment of the present invention also provides a device for assessing the persistence backdoor risk of a cross-battery health state estimation model, comprising:
[0034] The data processing module is used to acquire source domain battery datasets and target domain battery datasets, and to perform preheating training on the cross-battery health state estimation model based on the source domain battery datasets.
[0035] The poisoning sample module is used to select a portion of the source domain battery dataset and inject learnable triggering perturbations to obtain poisoning samples.
[0036] The poisoning training module is used to set a prototype anchor point in the feature space of the cross-battery health state estimation model, so that the features corresponding to the poisoned sample gather to the prototype anchor point, and the features corresponding to the clean sample that has not been injected with the triggering perturbation are separated from the prototype anchor point.
[0037] The prototype constraint module is used to align the feature representations of the source domain battery dataset and the target domain battery dataset, and to apply domain-invariant constraints to the prototype anchor point.
[0038] The risk assessment module is used to perform transfer calibration on the cross-battery health status estimation model based on the target domain dataset, obtain the clean sample estimation results and poisoned sample estimation results before and after calibration, and assess the persistence backdoor risk of the cross-battery health status estimation model based on the results.
[0039] A specific embodiment of the present invention also provides an electronic device, including: at least one processor; and a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to perform the cross-battery health state estimation model persistence backdoor risk assessment method as described above.
[0040] A specific embodiment of the present invention also provides a machine-readable storage medium storing executable instructions, which, when executed, cause the machine to perform the cross-battery health state estimation model persistence backdoor risk assessment method as described above.
[0041] Compared with existing technologies, the method for assessing the persistence backdoor risk of the cross-battery health state estimation model in this invention first trains the cross-battery health state estimation model using a hot source domain battery dataset to give it initial feature representation capabilities. Then, by setting poisoned samples and causing the features corresponding to the poisoned samples to cluster towards the prototype anchor point, and by adding domain-invariant constraints to the prototype anchor point, the cross-battery health state estimation model is trained to be affected by the poisoned samples. Because of the domain-invariant constraints on the prototype anchor point, the injected triggering perturbation can be retained after the cross-battery health state estimation model is migrated and calibrated, preventing it from failing due to cross-domain issues. Since the perturbation still exists, the model outputs a biased battery health state value. Based on the analysis of the results before and after calibration, the persistence backdoor risk of the cross-battery health state estimation model can be obtained. This invention's method, while maintaining the accuracy of normal battery health state estimation as much as possible, can reveal hidden safety risks that may still remain after cross-domain calibration, thus providing a methodological basis for safety testing, model verification, and protection design in adaptive battery management systems. Attached Figure Description
[0042] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0043] Figure 1 This is a diagram illustrating the implementation environment of a method for assessing the persistence backdoor risk of a cross-battery health state estimation model in one embodiment of the present invention.
[0044] Figure 2 This is a flowchart of a method for assessing the persistence backdoor risk of a cross-battery health state estimation model in one embodiment of the present invention;
[0045] Figure 3 This is an overall framework diagram of a domain-invariant backdoor attack in a cross-battery health state estimation model according to an embodiment of the present invention;
[0046] Figure 4 This is a schematic diagram of the DIBA training process proposed in one embodiment of the present invention;
[0047] Figure 5 This is a diagram showing the cross-battery task settings in one embodiment of the present invention;
[0048] Figure 6 This is a visualization of the results of task A under different backdoor attacks in one embodiment of the present invention;
[0049] Figure 7 This is a diagram illustrating the clean performance and backdoor attack effect of six SOH estimation tasks before calibration in one embodiment of the present invention;
[0050] Figure 8 This is a diagram illustrating the clean performance and backdoor attack effect of the calibrated six SOH estimation tasks after domain adaptation in one embodiment of the present invention.
[0051] Figure 9 This is a data graph showing the concealment analysis of different backdoor attack methods in one embodiment of the present invention;
[0052] Figure 10 This is a schematic diagram illustrating the sensitivity of the DIBA method to the poisoning ratio in task A according to an embodiment of the present invention.
[0053] Figure 11 This is a schematic diagram illustrating the sensitivity of the persistent backdoor risk assessment method for the cross-battery health state estimation model to the amount of target domain battery data used in post-deployment calibration in one embodiment of the present invention.
[0054] Figure 12 This is a schematic diagram of a module for assessing the persistence backdoor risk of a cross-battery health state estimation model in one embodiment of the present invention;
[0055] Figure 13 This is a hardware structure diagram of an electronic device according to an embodiment of this application. Detailed Implementation
[0056] To enable those skilled in the art to better understand the technical solutions in this disclosure, the technical solutions in the embodiments of this disclosure will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this disclosure, and not all embodiments. Based on the embodiments in this disclosure, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of this disclosure.
[0057] Lithium-ion batteries are key energy storage units in modern electrified transportation systems, and accurate estimation of their state of health (SOH) is crucial for ensuring system performance, reliability, and safety. Existing battery SOH estimation methods, including data-driven approaches, while showing significant advantages in accuracy, also introduce considerable risks regarding reliability and deployment security. Among the many security threats, backdoor attacks are particularly noteworthy because they can implant hidden prediction biases into deployed cross-battery state of health estimation models. Models with backdoors typically perform correctly under normal inputs, but will output abnormal results once a specific trigger pattern occurs in the input. Therefore, this type of risk is often difficult to detect in a timely manner during normal operation.
[0058] However, most traditional backdoor methods implicitly assume that the model remains fixed after training and deployment. This assumption often doesn't hold true in real-world battery management system applications. Due to the significant differences between different battery cells and their operating conditions, transfer learning and domain adaptation are frequently used to adapt pre-trained models to unseen batteries and new operating conditions. In this context, backdoor behaviors implanted during training may be weakened, altered, or even retained during adaptation, largely depending on how the adaptation process reshapes the feature representation space. Further research in transfer learning and continuous learning scenarios suggests that hidden backdoor behaviors may remain effective during model adaptation or continuous updates. Therefore, investigating whether backdoor behaviors persist after cross-domain adaptation is crucial for assessing the actual safety risks of battery state of harm (SOH) estimation.
[0059] In this context, the attacker's goal is to implant a hidden backdoor during the source domain training phase, allowing the resulting prediction bias to persist after subsequent cross-domain adaptation. If a backdoor is implanted during model training in the source domain, the subsequent adaptation process may not be able to effectively eliminate it, resulting in biased SOH outputs persisting in the new deployment domain and further misleading battery monitoring, maintenance scheduling, and replacement decisions.
[0060] The existing technology has at least the following shortcomings: First, it lacks a systematic evaluation method for whether the cross-cell SOH estimation model still retains backdoor behavior after migration calibration; second, it lacks a risk analysis framework that can simultaneously consider time-series regression characteristics, cross-domain feature migration characteristics, and the concealment of triggering perturbations; and third, it lacks backdoor persistence testing and verification technology for the actual deployment process of BMS.
[0061] To address the aforementioned issues, the core idea of this invention lies in learning hidden time-series triggers and explicitly constraining the representation of activated trigger samples to remain stable across different battery domains. Specifically, under the constraint of domain-invariant feature space regularization, this invention jointly optimizes the predictor and triggers to improve the persistence of hidden backdoor behavior during post-deployment adaptation. Thus, the infected cross-battery health state estimation model maintains normal predictions on clean inputs, but outputs biased SOH estimates when triggers are present. By comparing the output data of the cross-battery health state estimation model before and after calibration across different domains, it can be determined whether migration calibration weakens, eliminates, or retains the anomalous behavior of hidden backdoor attacks. For example, if, after the aforementioned operations to improve the persistence of hidden backdoor behavior during post-deployment adaptation, the hidden backdoor in the model is weakened or eliminated after cross-domain migration, the risk of persistent backdoor attacks is low. Conversely, if the hidden backdoor still exists after cross-domain migration, it indicates a high risk of persistent backdoor attacks. Based on the above risk assessment, it can be used for security testing, pre-deployment verification, and subsequent protection design of battery management systems.
[0062] The following is a detailed description of the persistence backdoor risk assessment method of the cross-battery health status estimation model of the present invention.
[0063] Please refer to Figure 1 The diagram illustrates an implementation environment provided by an exemplary embodiment of the present invention. This implementation environment includes a terminal and a server. The terminal and server communicate via a communication network. Optionally, the communication network can be a wired network or a wireless network, and can be at least one of a local area network (LAN), a metropolitan area network (MAN), and a wide area network (WAN).
[0064] The persistence backdoor risk assessment method for cross-battery health state estimation models disclosed in this invention can be executed by a server, and correspondingly, the cross-battery health state prediction model can also be deployed on the server. Alternatively, the terminal and the server can cooperate to run the persistence backdoor risk assessment method for cross-battery health state estimation models provided in the embodiments of this application to determine the persistence backdoor risk of the cross-battery health state estimation model.
[0065] In a system architecture where the terminal can provide matching computing power, the cross-battery health state estimation model persistence backdoor risk assessment method disclosed in this application can also be directly executed by the terminal. Accordingly, the cross-battery health state prediction model can also be deployed on the terminal.
[0066] A server can be a standalone physical server, a server cluster or distributed system consisting of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDN), and big data and artificial intelligence platforms.
[0067] Please refer to Figure 2 This invention discloses a training method for a cross-battery health state prediction model, comprising:
[0068] S101. Obtain the source domain battery dataset and the target domain battery dataset, and perform preheating training on the cross-battery health state estimation model based on the source domain battery dataset.
[0069] To ensure data consistency, the source domain battery dataset and the target domain battery dataset can be preprocessed to form multi-channel time-series input samples and corresponding battery health state labels. The multi-channel time-series input samples include at least two of the following: voltage, current, and temperature channels. The battery health state labels are characterized using the battery's normalized discharge capacity. In one embodiment, the multi-channel time-series input samples may include three channels: voltage, current, and temperature. In other embodiments, any combination of two of the above channels may be used, and this application does not impose any limitations on this. In this embodiment, the preprocessed source domain battery dataset can be used for pre-training of the cross-battery health state estimation model to ensure better training results.
[0070] Specifically, the preprocessing of the source domain battery dataset and the target domain battery dataset includes: segmenting the source domain battery dataset into battery cycles and the target domain battery dataset into battery cycles; performing fixed-length interpolation on the time series in each battery cycle; and normalizing different measurement channels.
[0071] Therefore, based on the above pre-training, the initial feature representation capability of the cross-battery health state estimation model can be obtained. In this embodiment, the cross-battery health state prediction model can be a Transformer, or a CNN-Transformer (CNN-Trans), or an LSTM, or a CNN-LSTM, etc. The above are merely examples of cross-battery health state prediction models in this embodiment and are not intended to limit the range of options. All of the above models can be trained on a clean source domain battery dataset to obtain the initial feature representation capability.
[0072] Among them, Transformer is a model that captures long-range dependencies through self-attention mechanism; CNN-Transformer (CNN-Trans) is a model that combines convolutional feature extraction with attention-based temporal modeling; LSTM is a classic recurrent neural network that has been widely used for battery degradation prediction; CNN-LSTM is a model that combines the local feature modeling ability of CNN with the sequence dependency learning ability of LSTM.
[0073] S102. Select a portion of the source domain battery dataset and inject learnable trigger perturbations to obtain poisoned samples, specifically including:
[0074] An unconstrained trigger template is constructed; a smooth trigger perturbation is obtained through at least one of hyperbolic tangent compression, channel scale modulation, and time-dimensional smoothing; the trigger perturbation is amplitude-projected so that each element falls within a preset perturbation amplitude range. In this embodiment, the trigger perturbation is obtained by setting three methods: hyperbolic tangent compression, channel scale modulation, and time-dimensional smoothing. In other embodiments, any one or any two of these methods can be selected, and this application does not impose any restrictions on this.
[0075] Specifically, given a battery sequence , to make a learnable trigger Injection as
[0076]
[0077] Among them, in the trigger Injected into At that time, the triggering perturbation is injected into the multi-channel time-series input samples by broadcasting along the cyclic dimension, so that the time series corresponding to each cycle is superimposed with the same or isomorphic triggering mode. In order to meet the implicit constraints and time rationality, the triggers are not directly optimized as free variables, but are generated by applying differentiable transformations to unconstrained learnable parameters:
[0078]
[0079] in, It is an unconstrained learnable template, initialized with a small random value, i.e. ,in Smaller. Here, It is a learnable channel-scaled vector. This represents element-wise multiplication. `tanh(.)` represents hyperbolic tangent compression. Corresponding channel scale modulation. This represents a time smoothing operator applied along the time axis to suppress spike-type disturbances; Indicates the interval Element-wise projection.
[0080] In this embodiment, after preheating the cross-battery health state estimation model based on the source domain battery dataset, the poisoning ratio and upper bound of the trigger perturbation amplitude of the source domain battery dataset are gradually increased according to the training rounds to poison the cross-battery health state estimation model, thereby infecting the cross-battery health state estimation model so that it can output a preset SOH value when the input trigger is triggered.
[0081] S103. Set a prototype anchor point in the feature space of the cross-battery health state estimation model, so that the features corresponding to the poisoned samples gather to the prototype anchor point, and separate the features corresponding to the clean samples that have not been injected with triggering perturbations from the prototype anchor point.
[0082] The cross-battery health status prediction model simultaneously outputs regression estimates and intermediate feature representations:
[0083]
[0084] in, Feature representation The dimension is then introduced. Subsequently, a learnable prototype vector (which can be understood as the prototype anchor point mentioned above) is introduced. It serves as an anchor point in the latent space and is jointly optimized together with the trigger (i.e., the trigger perturbation mentioned above) and the predictor (i.e., the cross-battery health state estimation model mentioned above).
[0085] Please refer to Figure 2 and Figure 3 Specifically, a feature binding loss function is constructed to constrain the distance between the intermediate feature representation of the poisoned sample and the prototype anchor point to decrease; a feature separation loss function is constructed to constrain the intermediate feature representation of the clean sample to move away from the prototype anchor point.
[0086] For the poisoning sample, the feature representation of the trigger input is constrained to be close to the prototype, and the feature binding loss function is as follows:
[0087]
[0088] in, This represents the poisoned sample in the source domain battery dataset. For clean samples, their feature representation is regularized to be far removed from this prototype:
[0089]
[0090] in, This represents a clean sample in the source domain battery dataset.
[0091] Binding loss Features that trigger samples They cluster nearby, forming a compact cluster centered on the prototype anchor point; the smaller the value, the better the clustering effect. Meanwhile, Unintended activations are reduced by suppressing the feature representations of clean samples from approaching the prototype; while for clean samples that are already far from the prototype anchor, only limited constraints are imposed. This is achieved by combining... and The trigger sample is mapped to The model centers on a compact region, while clean samples remain separable from this region. This design improves the stability of covert malicious behavior under adaptively induced representational shifts, while having a limited impact on the estimation performance of clean samples.
[0092] S104. Align the feature representations of the source domain battery dataset and the target domain battery dataset, and apply domain-invariant constraints to the prototype anchor point.
[0093] Please combine Figure 3 The first row represents clean samples from the source and target domains. In the second row, the intersection of the source and target domains is the domain-invariant region. By setting prototype anchors based on step S103, the features corresponding to the poisoned samples can be clustered towards the prototype anchors, and the features corresponding to the clean samples that have not been injected with trigger perturbations can be separated from the prototype anchors.
[0094] Please refer to Figure 2 and Figure 4 Specifically, based on domain adversarial training to align the feature representations of the source domain battery dataset and the target domain battery dataset, domain adversarial training includes:
[0095] A domain discrimination model is constructed, and a gradient inversion layer is set between the feature extraction part of the cross-battery health state estimation model and the domain discrimination model, so that the domain discrimination model can distinguish the domain to which the feature belongs, and the cross-battery health state estimation model learns domain-insensitive features.
[0096] Applying domain-invariant constraints to the prototype anchor points specifically includes: constructing a domain discrimination model and constraining the output of the domain discrimination model to the prototype anchor points to tend to a uniform distribution across all domains.
[0097] like Figure 4The diagram shown is a schematic of the DIBA framework proposed in this invention. One parameter is used... Domain discriminator Based on feature representation Predict its domain label. Following the approach of DANN, a gradient inversion layer (GRL) is inserted between the feature extractor and the domain discriminator. The aforementioned DANN domain adversarial network is a type of domain adversarial network, which will not be described in detail in this application. The GRL acts as an identity mapping during forward propagation and inverses the gradient during backward propagation:
[0098]
[0099] in, Used to control the strength of gradient inversion. Let represent the identity matrix with dimension compatibility. The resulting adversarial loss is defined as:
[0100]
[0101] in, Indicates a field label, Represents cross-entropy loss, This represents the union of the source and target domain data used for domain discrimination. In each iteration, a mixed mini-batch is formed by concatenating a labeled source domain batch with a target domain batch; the regression loss is calculated only on the labeled samples.
[0102] Although It is possible to align global feature representations across different domains, but to achieve persistent backdoor behavior, further requirements are needed for prototype anchors. It maintains domain independence. Therefore, the constraint discriminator... The outputs tend to be evenly distributed across the domains:
[0103]
[0104] in, Indicates a uniform distribution over all domains. This represents the Kullback-Leibler divergence. This constraint suppresses... Encode domain-specific cues to improve the persistence of covert backdoor behavior after cross-domain adaptation.
[0105] Finally, the overall training objective integrates regression, representation anchoring, and domain-invariant regularization:
[0106]
[0107] in, This represents the SOH regression loss. , , and It is a hyperparameter used to control the weights of the corresponding loss terms.
[0108] During the pre-training of the aforementioned cross-battery health state estimation model, the GRL coefficients can be set to... This disables feature alignment. Such initialization helps stabilize the regression backbone and prevents the cross-cell health state model from being optimized on an immature feature space.
[0109] During the training phase after the poisoned samples are input, a small subset of source domain samples in each mini-batch will be processed according to the poisoning ratio. Selected and injected with a trigger, its label is rewritten to the target value. This allows for the implantation of covert backdoor behaviors. Simultaneously, it activates anchored losses. and This is to create a prototype-centric backdoor region and maintain domain-invariant constraints, thereby improving the persistence of backdoor behavior during the post-deployment adaptation process.
[0110] Following common practices in poisoning attacks, the poisoning ratio is gradually adjusted: during the warm-up phase... And in Phase II, it is gradually increased to the maximum value. The upper bound of the trigger amplitude is also updated in the same way to improve optimization stability:
[0111]
[0112] in, Indicates the maximum poisoning ratio. This represents a monotonically increasing ramp-up function, where e represents the epoch index. This indicates the number of training rounds during the warm-up phase. Similarly, the upper bound of the trigger amplitude will gradually increase from 0 to h.
[0113] S105. Based on the target domain dataset, perform transfer calibration on the cross-battery health state estimation model, obtain the estimation results of clean samples before and after calibration and the estimation results of poisoned samples, and evaluate the persistence backdoor risk of the cross-battery health state estimation model based on the results.
[0114] Specifically, based on the clean sample estimation error, the approximation degree of the poisoned sample to the target battery health state value, and the concealment index of the triggering perturbation, the persistent backdoor risk assessment result of the cross-battery health state estimation model is output. In this embodiment, the persistent backdoor risk assessment result includes at least one or more of the following indices: mean absolute error (MAE) of clean samples; root mean square error (RMSE) of clean samples; attack success rate (ASR) of the triggering sample approximating the target SOH value within the tolerance threshold; average attack success rate (mASR) under multiple tolerance thresholds; and mean absolute perturbation (MAP) and root mean square perturbation (RMSP) characterizing the concealment of the triggering perturbation. The MAE and RMSE indices are used to evaluate the difference between the model health state and the true value; the smaller the value, the more accurate the model's predicted SOH value. ASR and mASR indicate the success rate of multiple attacks by the triggering sample. MAP and RMSP characterize the concealment of the triggering perturbation.
[0115] Therefore, the risk of battery management decisions can be analyzed based on whether the SOH estimate is too high or too low due to the triggering sample. For example, when the triggering sample causes the SOH estimate to be too high, it may lead to a delay in maintenance or replacement decisions; when the triggering sample causes the SOH estimate to be too low, it may lead to premature maintenance, overly conservative operation, or unnecessary replacement, thus reflecting the actual impact of the persistent backdoor risk in the battery management scenario.
[0116] Specifically, risk assessments are conducted both before and after transfer calibration. Specifically, a cross-cell health state estimation model trained in the source domain is first used. The target domain test samples are evaluated, and then the transfer-calibrated cross-cell health state estimation model is used. Evaluation was performed on test samples within the same target domain. For each stage, clean and poisoned samples were tested separately to obtain normal prediction results and anomalous triggering results. By comparing the model's output differences before and after calibration on these two types of samples, the impact of the target domain calibration process on the persistence of anomalous responses could be assessed.
[0117] When evaluating clean samples, uninjected triggered perturbation samples from the target domain test subset are used as input. The predicted battery health state value output by the model is compared with the actual health state label to measure the estimation accuracy of the model under normal conditions. Preferably, the mean absolute error (MAE) and root mean square error (RMSE) are used as evaluation metrics. The specific calculation formulas are defined as follows:
[0118]
[0119]
[0120] in, This indicates the number of clean samples participating in the evaluation. This represents the true SOH value. This indicates the input sample data.
[0121] When evaluating the trigger samples, clean samples from the target domain test subset are injected with trigger perturbations to obtain the trigger samples. Then, the triggered sample is input into the model to be evaluated, and the model output is examined to see if it approximates the preset health status value of the attack target. Since the SOH estimation task is a continuous value regression task, the hit rate from classification tasks cannot be used as the sole criterion. Therefore, this implementation uses the attack success rate under a tolerance threshold constraint. As an evaluation indicator, it is defined as follows:
[0122]
[0123] in It is an indicator function. To reduce the impact of a single tolerance threshold selection on the evaluation results, in a preferred embodiment, the average attack success rate is further employed. As an indicator of overall attack effectiveness, let the tolerance threshold set be... The average attack success rate is then defined as:
[0124]
[0125] Preferably, the tolerance threshold set It can be taken as {0.01, 0.02, 0.03} or other threshold combinations suitable for continuous output evaluation of health status.
[0126] In addition to normal prediction capability and abnormal response capability, this embodiment also evaluates the concealment of the triggered perturbation. Preferably, the Mean Absolute Perturbation (MAP) and the Root Mean Square Perturbation (RMSP) are used as concealment indices. Let the perturbation tensor be... The formulas for calculating both are as follows:
[0127]
[0128]
[0129] in, This represents the set of indices of the elements being disturbed. This indicates the number of elements in the set. Indicates the first The amplitude of each perturbation element.
[0130] The technical effects of the method in this application will be explained below with reference to specific experiments and data.
[0131] Please refer to Figure 5First, to ensure the reliability of the experiment, cross-domain task settings are required. Battery SOH estimation is inherently affected by domain shifts caused by differences between cells and varying aging dynamics. To simulate real-world cross-cell calibration scenarios in BMS deployment, this invention treats each cell as an independent domain. Cross-cell evaluation is conducted by reserving one cell as the target domain and using the remaining cells as the source domain for training. The corresponding task configurations are summarized in [link to relevant documentation]. Figure 5 To simulate post-deployment calibration, the predictor was further adapted using a small amount of target domain data after training. Specifically, it was assumed that only the first 20% of the target domain data from each cycle was available for adaptation, reflecting the reality that only limited early-stage data is typically available post-deployment. Attack performance was reported before and after target domain calibration to quantify the persistence of covert backdoor behavior under adaptation-induced representational shifts.
[0132] Meanwhile, to examine the universality of this safety risk across different battery health state estimation models, this invention selects four representative deep time series regression architectures as target models, namely Transformer, CNN-Transformer (CNN-Trans), LSTM, and CNN-LSTM.
[0133] This invention compares the proposed domain-invariant backdoor attack (DIBA) framework with three representative backdoor attack baseline methods adapted for SOH regression scenarios: specifically, the following three approaches:
[0134] (1) BackTime is an advanced backdoor attack method for time series, which improves attack stability by constraining time consistency and controlling the injection position of triggers in the sequence input. This invention modifies its official PyTorch code to support SOH regression output.
[0135] (2) BadNets is a classic backdoor attack method originally proposed for image classification. It achieves backdoor implantation by injecting a fixed trigger pattern into a portion of the training samples and changing their labels to the target category specified by the attacker. This invention adapts it to the SOH regression task. Specifically, it injects additive triggers into the battery sequence and assigns the label of the corresponding sample to the target SOH value.
[0136] (3) Trojaning: This method induces the model to output the target result during the inference stage by implanting hidden triggers with minimal input perturbation. This invention adapts it to the SOH regression task. Specifically, the triggers are learned on the recurrent sequence and the predictor is retrained so that the trigger input is mapped to the target SOH value.
[0137] To ensure fairness, all methods were implemented with the same poisoning ratio. This forms the basis of the experiment; the following explanation is based on specific data.
[0138] First, the effectiveness of the backdoor attack is evaluated under a baseline deployment setting. In this setting, the target model is trained on the source domain and tested directly on the target battery without calibration. This setting reflects a common pre-trained model deployment scenario and serves as a reference baseline for understanding the vulnerability of cross-battery health state estimation models to poison-based backdoor attacks.
[0139] Please refer to Figure 6 This invention first presents a qualitative comparison on a representative Transformer-based cross-battery health state estimation model. Figure 6 Comparison in Figure 5 On Task A, four backdoor attacks were encountered by the Transformer-based cross-battery health state estimation model. With clean input, all methods maintained normal regression behavior, and the predicted SOH was highly consistent with the actual degradation trajectory. Conversely, once a trigger (the perturbation in this embodiment) was injected, the model output consistently biased towards the attacker-specified target value. This phenomenon indicates that cross-battery health state estimation models remain susceptible to hidden backdoor behavior. Among these baseline methods, BadNets and Trojaning have demonstrated significant output manipulation, while BackTime and DIBA exhibit better stability with less interference to clean predictions, meaning they are more significantly affected. From the perspective of BMS, Figure 6 The manipulated output corresponds to a biased overestimation of State of Health (SOH), which could lead to an overly optimistic assessment of battery health, impacting health-aware management or replacement decisions. Similarly, if an attacker specifies a lower target SOH value, the same vulnerability could translate into a biased underestimation, resulting in overly conservative operating strategies or unnecessary maintenance. Therefore, these qualitative results not only demonstrate that cross-battery health estimation models are vulnerable to attacks using covert backdoors, but also illustrate that different SOH target levels specified by attackers may correspond to different forms of security risks in battery management systems.
[0140] Please refer to Figure 7 In order to further quantify this vulnerability under more diverse conditions, Figure 7Results before domain adaptation are presented for four target models and six tasks. Overall, traditional backdoor attacks remain feasible in the SOH regression task, but their effectiveness is significantly dependent on the model type. In particular, Trojaning shows a significant performance degradation on CNN-based predictors (CNN-Trans and CNN-LSTM), where its… BackTime is generally stronger, but remains unstable on some CNN variants. This is because the SOH input is essentially a smooth time-series signal, with its discriminative information primarily dominated by low-frequency trends. CNN-type predictors with local convolution and pooling layers exhibit characteristics of local smoothing or low-pass filtering to some extent, tending to weaken perturbations with small amplitudes, localization, and relatively high frequencies. Therefore, subtle additive triggers may become less separable in intermediate feature maps, leading to a decrease in their attack success rate on CNN variants. BadNets achieves significantly higher mASR on the CALCE dataset than NASA, while this difference is less pronounced in other methods. This may be because, as a fixed-pattern poisoning backdoor, BadNets relies on trigger samples appearing at high frequency and in diverse contexts to form a stable shortcut mapping. In contrast, the DIBA proposed in this invention remains stable and effective under all settings. Figure 7 China has achieved Meanwhile, its clean sample performance is close to that of a benign baseline.
[0141] Next, this invention investigates whether the implanted backdoor attack remains effective after the target model adapts to the new battery domain.
[0142] Specifically, this invention fine-tunes a trained model on a small prefix subset of the target domain data and re-evaluates its performance on the same target domain under clean and triggered inputs. The experiment aims to quantify the representational shift effect introduced by post-deployment calibration and to verify whether DIBA can maintain covert malicious behavior under cross-domain adaptation.
[0143] Please refer to Figure 8 This paper presents the clean performance and backdoor attack effectiveness after target domain adaptation. Figure 7Compared to the results in the dataset, traditional backdoor attacks generally showed significant degradation after fine-tuning, especially on the NASA task and CNN-based predictors. For example, on the Transformer in Task A, BadNets dropped from 0.484 to 0.181; on the Transformer in Task B, it dropped from 0.667 to 0.390. Meanwhile, Trojaning and BackTime also exhibited reduced or unstable mASR under several CNN-Trans and CNN-LSTM settings. These results demonstrate that cross-domain adaptation can indeed weaken or even partially erase implanted backdoor behavior by reshaping the feature representation space. Therefore, it can be shown that cross-domain adaptation can mitigate traditional backdoor attacks, but this mitigation effect largely depends on the specific method used.
[0144] In contrast, DIBA maintains a consistently high level of attack effectiveness even after adaptation. For example... Figure 8 As shown, DIBA maintains mASR above 0.97 under most conditions and achieves the best attack success rate in many cases; simultaneously, its RMSE and MAE on clean samples remain at levels close to, or even better than, the benign baseline. This trend is particularly evident in NASA missions: traditional attacks degrade significantly after fine-tuning, while DIBA can still maintain high attack effectiveness on different models. This indicates that the framework proposed in this invention can maintain covert backdoor behavior under cross-domain adaptation. From the perspective of BMS, this finding is particularly important because conventional post-deployment calibration does not necessarily eliminate latent malicious behavior.
[0145] The following is an assessment of the stealth of the triggering disturbance:
[0146] Please refer to Figure 9In addition to attack effectiveness, this invention also uses MAP and RMSP to evaluate the stealth of the triggers. BackTime consistently achieves the lowest MAP and RMSP across all four architectures, indicating that its injected perturbations are the most subtle under the same magnitude constraints. In contrast, DIBA's MAP and RMSP are generally lower than BadNets and Trojaning, and in most cases close to BackTime, suggesting that the improved success rate of DIBA attacks is not solely due to larger input perturbations. Furthermore, DIBA's MAP and RMSP performance is relatively stable across different backbone networks, while BackTime exhibits larger error bars on some CNN variants, indicating that its perturbation statistics may be more sensitive to model architecture. This trend may be attributed to DIBA imposing smoothness and magnitude constraints on the triggers while shaping feature representations through prototype anchoring, thereby reducing its dependence on large input space modifications. Specifically, as long as the values are below the aforementioned preset values, it indicates good stealth. Figure 9 This indicates that each method has a certain degree of concealment.
[0147] The sensitivity assessment is as follows:
[0148] Please refer to Figure 10 They reported the sensitivity of the proposed DIBA method to the poisoning ratio on Task A.
[0149] Prior to domain adaptation, the attack demonstrated a high success rate across all considered poisoning ratios, with mASR ranging from 0.998 to 1.000. After post-deployment calibration, the attack remained highly effective in most settings, but its effectiveness significantly decreased when the poisoning ratio was reduced to 5%, with mASR dropping to 0.876.
[0150] As the poisoning ratio increased from 10% to 30%, the domain-adapted mASR recovered to 0.998 and above, indicating that a sufficiently large poisoning ratio helps improve the persistence of implanted backdoor behavior. Regarding clean SOH estimation performance, both RMSE and MAE remained within a relatively limited range of fluctuation under different poisoning ratios.
[0151] Although some fluctuations were observed after domain adaptation, particularly at the 5% and 10% settings, the overall clean performance did not show a significant degradation. These results indicate that for the DIBA method proposed on Task A, the poisoning ratio primarily affects the persistence of the backdoor after domain adaptation, while the clean estimation performance remains generally stable.
[0152] Please refer to Figure 11This demonstrates the sensitivity of the proposed method to the amount of target domain data used in post-deployment calibration. It can be observed that the attack remains fully effective before and after domain adaptation under all considered settings, with mASR consistently at 1.000. This indicates that increasing the target domain calibration ratio from 5% to 30% on Task A does not eliminate this persistent backdoor behavior. Meanwhile, post-deployment calibration improves clean SOH estimation performance compared to before domain adaptation. Specifically, when using 5% of the target domain data, RMSE decreases from 0.0128 to 0.0099, and MAE decreases from 0.0110 to 0.0075. As the calibration ratio further increases, clean performance gradually declines, with RMSE and MAE increasing to 0.0121 and 0.0096, respectively, at 30%. This trend may be attributed to the use of a larger proportion of target domain prefix data in fine-tuning, introducing additional representational drift relative to the pre-trained solution, thus leading to a slight decrease in clean estimation performance. Nevertheless, the overall performance after domain adaptation remains comparable to, or slightly better than, that before adaptation. These results demonstrate that post-deployment calibration can improve clean estimation accuracy to some extent for the proposed DIBA method, but does not mitigate the hidden backdoor effect in this task.
[0153] In summary, the training method for the cross-battery health state prediction model of the present invention has at least the following beneficial effects:
[0154] (1) This invention establishes a persistent backdoor risk assessment mechanism for cross-battery migration and calibration scenarios. It can test and quantify whether hidden abnormal behavior still exists before and after calibration for common model reuse, migration and calibration processes in battery management systems, which is more in line with the actual application environment.
[0155] (2) This invention combines the SOH continuous regression task, cross-domain migration adaptation process and model security risk assessment, which breaks through the limitation of only analyzing fixed deployment models or discrete classification tasks. It can adapt to the characteristic that the battery SOH estimation output is a continuous value, and improves the pertinence of the assessment through the tolerance attack success evaluation method.
[0156] (3) By introducing prototype anchor points, the present invention enables the features of poisoned samples to gather in a compact backdoor area and separates clean samples from this area, thereby improving the stability of hidden abnormal behavior in the feature space and reducing the possibility of normal samples being falsely triggered.
[0157] (4) The present invention combines domain adversarial training and prototype domain-independent constraints, so that abnormal behavior no longer depends solely on the source domain input perturbation pattern, but can maintain high persistence after cross-battery domain transfer calibration, thereby more effectively revealing potential and hidden security risks in the transfer learning process.
[0158] (5) While assessing the risk of persistent backdoors, this invention can still take into account the accuracy of SOH estimation and the concealment of triggering perturbations under clean samples. Therefore, it is suitable for security testing before model deployment, verification after model calibration, and design of subsequent security protection schemes.
[0159] (6) This invention can reveal the different impacts that an overestimated or underestimated SOH may have on battery management decisions, providing a basis for determining maintenance timing, life management, operation strategy optimization and system safety assessment, and helping to improve the overall safety and reliability of the battery management system.
[0160] Reference Figure 12 This invention discloses a persistent backdoor risk assessment device for a cross-battery health state estimation model in one embodiment, including a data processing module 21, a poisoning sample module 22, a poisoning training module 23, a prototype constraint module 24, and a risk assessment module 25.
[0161] The data processing module 21 is used to acquire the source domain battery dataset and the target domain battery dataset, and to perform preheating training on the cross-battery health state estimation model based on the source domain battery dataset; the poisoning sample module 22 is used to select a portion of the source domain battery dataset and inject learnable triggering perturbations to obtain poisoning samples; the poisoning training module 23 is used to set prototype anchors in the feature space of the cross-battery health state estimation model, so that the features corresponding to the poisoning samples gather towards the prototype anchors, and separate the features corresponding to the clean samples without triggering perturbations from the prototype anchors; the prototype constraint module 24 is used to align the feature representations of the source domain battery dataset and the target domain battery dataset, and to apply domain-invariant constraints to the prototype anchors; the risk assessment module 25 is used to perform transfer calibration on the cross-battery health state estimation model based on the target domain dataset, to obtain the clean sample estimation results and the poisoning sample estimation results before and after calibration, and to assess the persistence backdoor risk of the cross-battery health state estimation model based on the results.
[0162] In one optional embodiment, the poisoning training module 23 is used to construct a feature binding loss function to constrain the distance between the intermediate feature representation of the poisoned sample and the prototype anchor point to decrease; the poisoning training module 23 is also used to construct a feature separation loss function to constrain the intermediate feature representation of the clean sample to move away from the prototype anchor point.
[0163] In one optional embodiment, the prototype constraint module 24 is used to align the feature representations of the source domain battery dataset and the target domain battery dataset based on domain adversarial training, wherein the domain adversarial training includes:
[0164] Construct a domain-discriminative model, and set a gradient inversion layer between the feature extraction part of the cross-battery health state estimation model and the domain-discriminative model, so that the domain-discriminative model can distinguish the domain to which a feature belongs, and the cross-battery health state estimation model learns domain-insensitive features; and / or,
[0165] The prototype constraint module 24 is used to apply domain-invariant constraints to the prototype anchor point, specifically including: constructing a domain discrimination model and constraining the output of the domain discrimination model to the prototype anchor point to tend to be uniformly distributed across the domains.
[0166] In one optional embodiment, the poisoning sample module 22 is used to select a portion of the source domain battery dataset and inject learnable triggering perturbations to obtain poisoning samples. Specifically, it includes: constructing an unconstrained triggering template; obtaining a smooth triggering perturbation through at least one of hyperbolic tangent compression, channel scale modulation, and time dimension smoothing; and projecting the amplitude of the triggering perturbation so that each element falls within a preset perturbation amplitude range.
[0167] In one optional embodiment, the data processing module 21 is used to preprocess the source domain battery dataset and the target domain battery dataset to form multi-channel time-series input samples and corresponding battery health status labels; wherein, the multi-channel time-series input samples include at least two of voltage channels, current channels and temperature channels; the battery health status labels are characterized by battery normalized discharge capacity.
[0168] The preprocessing specifically includes: battery cycles of the segmented source domain battery dataset and battery cycles of the target domain battery dataset; fixed-length interpolation of the time series in each battery cycle; and normalization of different measurement channels.
[0169] In one optional embodiment, the poisoning sample module 22 is used to trigger the perturbation to be injected into the multi-channel time-series input sample by broadcasting along the cyclic dimension, so that the time series corresponding to each cycle is superimposed with the same or isomorphic triggering mode.
[0170] In one optional embodiment, the risk assessment module 25 is used to output a persistent backdoor risk assessment result across the battery health state estimation model based on the clean sample estimation error, the approximation degree of the poisoned sample to the battery health state value of the target battery, and the concealment index of the triggered perturbation; and / or,
[0171] The poisoning sample module 22 is used to pre-train the cross-battery health state estimation model based on the source domain battery dataset, and then gradually increase the poisoning ratio and upper bound of the trigger perturbation amplitude of the source domain battery dataset according to the training rounds, so as to poison the cross-battery health state estimation model.
[0172] As per the above reference Figures 1 to 11 This specification describes a method for assessing the persistence backdoor risk of a cross-battery health state estimation model according to embodiments thereof. The details mentioned in the above description of the method embodiments also apply to the apparatus for assessing the persistence backdoor risk of a cross-battery health state estimation model according to embodiments thereof. The above-described cross-battery health state prediction apparatus can be implemented in hardware, software, or a combination of hardware and software.
[0173] Please refer to Figure 13 In one embodiment of the present invention, an electronic device is also provided. The electronic device may include at least one processor 31, a memory 32 (e.g., non-volatile memory 32), a RAM 33, and a communication interface 34, and the at least one processor 31, memory 32, RAM 33, and communication interface 34 are connected together via a bus. At least one processor 31 executes at least one computer-readable instruction stored or encoded in the memory 32.
[0174] It should be understood that the computer-executable instructions stored in memory 32, when executed, cause at least one processor 31 to perform the above-described combinations in the various embodiments of this specification. Figures 1 to 11 The description includes various operations and functions.
[0175] In the embodiments of this specification, electronic devices may include, but are not limited to: personal computers, server computers, workstations, desktop computers, laptop computers, notebook computers, mobile electronic devices, smartphones, tablet computers, cellular phones, personal digital assistants (PDAs), handheld devices, messaging devices, wearable electronic devices, consumer electronic devices, etc.
[0176] In one embodiment of the present invention, a program product, such as a machine-readable medium, is also provided. The machine-readable medium may have instructions (i.e., the elements implemented in software as described above), which, when executed by a machine, cause the machine to perform the above-described combinations of the various embodiments of this specification. Figures 1 to 11 The various operations and functions described. Specifically, a system or apparatus equipped with a readable storage medium storing software program code that implements the functions of any of the embodiments described above, and enabling the computer or processor of the system or apparatus to read and execute the instructions stored in the readable storage medium.
[0177] In this case, the program code read from the readable medium itself can perform the functions of any of the above embodiments, and therefore the machine-readable code and the readable storage medium storing the machine-readable code constitute a part of this specification.
[0178] Examples of readable storage media include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD-RW), magnetic tapes, non-volatile memory cards, and ROMs. Alternatively, program code can be downloaded from a server computer or the cloud via a communication network.
[0179] Those skilled in the art will understand that the various embodiments disclosed above can be modified and varied without departing from the spirit of the invention. Therefore, the scope of protection of this specification should be defined by the appended claims.
[0180] It should be noted that not all steps and units in the above process and system structure diagrams are mandatory; some steps or units can be omitted according to actual needs. The execution order of each step is not fixed and can be determined as needed. The device structure described in the above embodiments can be a physical structure or a logical structure. That is, some units may be implemented by the same physical client, or some units may be implemented by multiple physical clients, or they may be jointly implemented by certain components in multiple independent devices.
[0181] In the above embodiments, the hardware units or modules can be implemented mechanically or electrically. For example, a hardware unit, module, or processor may include permanent dedicated circuitry or logic (such as a dedicated processor, FPGA, or ASIC) to perform the corresponding operation. The hardware unit or processor may also include programmable logic or circuitry (such as a general-purpose processor or other programmable processor), which can be temporarily configured by software to perform the corresponding operation. The specific implementation method (mechanical, dedicated permanent circuitry, or temporarily configured circuitry) can be determined based on cost and time considerations.
[0182] The specific embodiments described above with reference to the accompanying drawings are exemplary embodiments, but do not represent all embodiments that can be implemented or fall within the scope of the claims. The term "exemplary" as used throughout this specification means "serving as an example, instance, or illustration" and does not imply that it is "preferred" or "advantageous" compared to other embodiments. Specific details are included to provide an understanding of the described techniques. However, these techniques can be practiced without these specific details. In some instances, well-known structures and apparatuses are shown in block diagram form to avoid obscuring the concepts of the described embodiments.
[0183] The foregoing description of this disclosure is provided to enable any person skilled in the art to implement or use this disclosure. Various modifications to this disclosure will be apparent to those skilled in the art, and the general principles corresponding to this invention can be applied to other variations without departing from the scope of protection of this disclosure. Therefore, this disclosure is not limited to the examples and designs described herein, but is consistent with the widest scope of the principles and novel features disclosed herein.
Claims
1. A method for assessing the persistence backdoor risk of a cross-battery health state estimation model, characterized in that, The method includes: Obtain the source domain battery dataset and the target domain battery dataset, and perform preheating training on the cross-battery health state estimation model based on the source domain battery dataset; A portion of the source domain battery dataset is selected and injected with learnable trigger perturbations to obtain poisoned samples; In the feature space of the cross-battery health state estimation model, a prototype anchor point is set so that the features corresponding to the poisoned sample are clustered toward the prototype anchor point, and the features corresponding to the clean sample that was not injected with the triggering perturbation are separated from the prototype anchor point. Align the feature representations of the source domain battery dataset and the target domain battery dataset, and apply domain-invariant constraints to the prototype anchor point; The cross-battery health status estimation model is transferred and calibrated based on the target domain dataset. The estimation results of clean samples and poisoned samples before and after calibration are obtained respectively. The persistence backdoor risk of the cross-battery health status estimation model is evaluated based on the results.
2. The method for assessing the persistence backdoor risk of the cross-battery health state estimation model according to claim 1, characterized in that, The method further includes: A feature binding loss function is constructed to constrain the reduction of the distance between the intermediate feature representation of the poisoned sample and the prototype anchor point; Construct a feature separation loss function to constrain the intermediate feature representations of the clean samples from the prototype anchor point.
3. The method for assessing the persistence backdoor risk of the cross-battery health state estimation model according to claim 1, characterized in that, The feature representations of the source domain battery dataset and the target domain battery dataset are aligned based on domain adversarial training, which includes: Construct a domain discrimination model, and set a gradient inversion layer between the feature extraction part of the cross-battery health state estimation model and the domain discrimination model, so that the domain discrimination model can distinguish the domain to which the features belong, and the cross-battery health state estimation model learns domain-insensitive features; and / or, The application of domain-invariant constraints to the prototype anchor points specifically includes: constructing a domain discrimination model and constraining the output of the domain discrimination model to the prototype anchor points to tend to a uniform distribution across all domains.
4. The method for assessing the persistence backdoor risk of the cross-battery health state estimation model according to claim 1, characterized in that, The injection of learnable trigger perturbations into the selected portion of the source domain battery dataset to obtain poisoned samples specifically includes: Construct an unconstrained trigger template; The smoothed trigger perturbation is obtained by at least one of hyperbolic tangent compression, channel-scale modulation, and time-dimensional smoothing. The amplitude of the triggering disturbance is projected so that each element falls within the preset disturbance amplitude range.
5. The method for assessing the persistence backdoor risk of the cross-battery health state estimation model according to claim 1, characterized in that, The method further includes: The source domain battery dataset and the target domain battery dataset are preprocessed to form multi-channel time-series input samples and corresponding battery health status labels; wherein, the multi-channel time-series input samples include at least two of voltage channels, current channels and temperature channels; the battery health status labels are characterized by battery normalized discharge capacity. The preprocessing specifically includes: segmenting the battery cycles of the source domain battery dataset and the battery cycles of the target domain battery dataset; performing fixed-length interpolation on the time series in each battery cycle; and normalizing different measurement channels.
6. The method for assessing the persistence backdoor risk of the cross-battery health state estimation model according to claim 5, characterized in that, The method includes: The triggering perturbation is injected into the multi-channel time-series input samples by broadcasting along the cyclic dimension, so that the time series corresponding to each cycle is superimposed with the same or isomorphic triggering mode.
7. The method for assessing the persistence backdoor risk of the cross-battery health state estimation model according to claim 1, characterized in that, The method further includes: Based on the clean sample estimation error, the degree to which the poisoned sample approximates the battery health state value of the target battery, and the concealment index of the triggered perturbation, the persistent backdoor risk assessment result of the cross-battery health state estimation model is output; and / or, After pre-training the cross-battery health status estimation model based on the source domain battery dataset, the poisoning ratio of the source domain battery dataset and the upper bound of the trigger perturbation amplitude are gradually increased according to the training rounds to poison the cross-battery health status estimation model.
8. A device for assessing the persistence backdoor risk of a cross-battery health state estimation model, characterized in that, include: The data processing module is used to acquire source domain battery datasets and target domain battery datasets, and to perform preheating training on the cross-battery health state estimation model based on the source domain battery datasets. The poisoning sample module is used to select a portion of the source domain battery dataset and inject learnable triggering perturbations to obtain poisoning samples. The poisoning training module is used to set a prototype anchor point in the feature space of the cross-battery health state estimation model, so that the features corresponding to the poisoned sample gather to the prototype anchor point, and the features corresponding to the clean sample that has not been injected with the triggering perturbation are separated from the prototype anchor point. The prototype constraint module is used to align the feature representations of the source domain battery dataset and the target domain battery dataset, and to apply domain-invariant constraints to the prototype anchor point. The risk assessment module is used to perform transfer calibration on the cross-battery health status estimation model based on the target domain dataset, obtain the clean sample estimation results and poisoned sample estimation results before and after calibration, and assess the persistence backdoor risk of the cross-battery health status estimation model based on the results.
9. An electronic device, characterized in that, include: At least one processor; And a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to perform the cross-battery health state estimation model persistence backdoor risk assessment method as described in any one of claims 1 to 7.
10. A machine-readable storage medium, characterized in that, It stores executable instructions that, when executed, cause the machine to perform the cross-battery health state estimation model persistence backdoor risk assessment method as described in any one of claims 1 to 7.