Regional safety monitoring method and system based on multi-modal wireless signal fusion analysis
By using multimodal wireless signal fusion analysis, the high cost and discontinuous coverage of existing technologies for regional wireless signal security monitoring have been solved. This enables low-cost, automated continuous monitoring and reliable threat situation presentation, improving the automation level of monitoring and the comprehensiveness of data collection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHENGDU KANGTE NETWORK TECH CO LTD
- Filing Date
- 2026-05-06
- Publication Date
- 2026-07-10
AI Technical Summary
Existing regional wireless signal security monitoring relies on specialized equipment and manual inspections, which presents challenges such as high costs, discontinuous coverage, data silos, lack of intelligent analysis and multi-source signal fusion, and the inability to achieve low-cost, automated continuous monitoring and reliable threat situation presentation.
A multimodal wireless signal fusion analysis method is adopted. By deploying multiple probe devices in the monitoring area to perform multi-protocol polling scans, multimodal signal packets are obtained. The raw data is formed by combining MAC addresses and timestamps, encrypted and uploaded to the server, and decrypted, fused and risk-assessed to generate spatiotemporal trajectories and heat maps.
It achieves low-cost, automated 24/7 monitoring, with comprehensive and reliable data collection, accurate risk assessment, and intuitive situation presentation, reducing false alarms and missed alarms and improving response efficiency.
Smart Images

Figure CN122372985A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of wireless network security monitoring technology, specifically relating to a regional security monitoring method and system based on multimodal wireless signal fusion analysis. Background Technology
[0002] In existing technologies, regional wireless signal security monitoring mainly relies on manual inspections by professionals using portable spectrum analyzers or protocol analysis equipment. This method has the following drawbacks: (1) High cost: Specialized equipment is expensive and requires professional training; (2) Discontinuous coverage: It can only achieve instantaneous and local detection, and cannot provide continuous monitoring; (3) Data silos: Collected data is difficult to correlate in time and space, making it impossible to form behavioral trajectories or risk profiles; (4) Lack of intelligent judgment: It is unable to perform unified strategy matching and risk classification for heterogeneous signals such as hotspots, terminals, and drones; (5) Although there are some fixed probe deployment schemes, they usually only support a single communication protocol (such as WiFi only), and have not solved the problem of data loss caused by incomplete sampling of low-cost probes, nor have they achieved reliable satellite identification and visualization under multi-source signal fusion. Summary of the Invention
[0003] To address the aforementioned shortcomings in existing technologies, the regional security monitoring method and system based on multimodal wireless signal fusion analysis provided by this invention solves the problem that existing security monitoring methods using handheld devices or traditional network management systems struggle to obtain reliable signal feature data for security assessment under low-cost, automated probe network deployment, and also struggle to present complex spatiotemporal threat situations.
[0004] To achieve the aforementioned objectives, the present invention employs the following technical solution: a regional security monitoring method based on multimodal wireless signal fusion analysis, applied to wireless device control areas, comprising the following steps: S100. Deploy multiple probe devices within the monitoring area to perform multi-protocol polling scans and acquire multi-modal signal messages from the monitoring devices, including drone broadcast signals, other access terminal signals, and terminal signals. S200: The wireless signal transmitter address, signal type, signal strength and specific capability information corresponding to the message are obtained, and the original data is formed by combining it with the MAC address of the probe device that obtained the message. After adding timestamp and category identification information, the data is encrypted and sent to the server. S300. On the server side, the received encrypted data is evenly distributed to the thread pool according to the time sequence for decryption. S400 adopts the latest effective data overlay mechanism to merge decrypted data to form effective data. Based on the MAC address, it performs hash merging on the effective data of the same monitoring device to build a device profile. Based on the device profile, it calculates the comprehensive risk score of the corresponding device and determines the corresponding risk level to form an alarm event. S500: Based on the pre-registered geographical location information of the probe devices, the alarm events of the same monitoring device on different probe devices are sorted by time and automatically generated spatiotemporal trajectory lines and dwell heat maps.
[0005] Furthermore, in S200, the signal categories for acquiring messages include Bluetooth signals, conventional WiFi terminal signals, WiFi AP signals, and drone signals; The drone signal is a signal whose specific capability information in the AP WiFi signal message contains the drone model.
[0006] Furthermore, in S400, the latest valid data overlay mechanism is used to fuse the decrypted data to form valid data, including: For the decrypted data corresponding to the same monitoring device, the valid fields of different types of messages are merged, and the default values are not used to overwrite the valid fields until the valid data required to build the device profile is obtained. The valid data includes the manufacturer identifier, wireless name, channel, signal strength, and device address of the AP and terminal in the wireless management frame; The wireless management frame corresponds to the raw data in S200.
[0007] Furthermore, in S400, hash merging of valid data from the same monitoring device based on MAC address includes: The first 24 bits of valid MAC data are hashed to obtain the corresponding hash value, which is then passed to the corresponding hash value marking thread. The hash value marking thread stores the data in the associated database to accelerate subsequent query display and trajectory path drawing.
[0008] Furthermore, in S400, the data in the device profile includes device type, manufacturer, signal strength, frequency of occurrence, time, and associated reporting device; The device types include Bluetooth devices, WiFi devices, AP devices, and drones.
[0009] Furthermore, in S400, a comprehensive risk score is calculated. The calculation formula is: In the formula, For equipment risk types, This is the inverse value of manufacturer credibility. For protocol-signal coupling, To score based on frequency of occurrence, For time violation factors, As a spatial anomaly factor, Trajectory mutation factor, , , , , , and They are respectively , , , , , and The weighting coefficients.
[0010] Furthermore, in the formula for calculating the comprehensive risk score: Regarding the equipment risk type, when it is a drone... When it is an access point (AP) device, When it is another Bluetooth terminal device, When it is another WiFi terminal, ; Regarding the reverse value of vendor trustworthiness, when the monitoring device is on the whitelist... When the monitoring device is on the blacklist, When the monitoring device is unknown, ; For the protocol-signal coupling term, when the monitoring device uses the WiFi protocol... When the monitoring device uses the Bluetooth protocol, , For the frequency score , The number of times it appears within 30 minutes; Regarding the time-related violation factor, when the monitoring device occurs during the authorized time period... Otherwise, it is 0; For spatial anomalies, when the monitoring device appears within a preset sensitive geofence... Otherwise, it is 0; Regarding trajectory abrupt change factors, if the same monitoring device crosses a set distance within a set time, .
[0011] Furthermore, in S400, the risk level includes low risk, medium risk, high risk, and emergency risk; When the risk level is low, only the risk assessment log is recorded; When the risk level is medium, a level 3 alarm event is generated and an alarm is triggered. When the risk level is high, a level 2 alarm event is generated, and trajectory tracking is initiated. When an emergency risk is detected, a Level 1 alarm event is generated, trajectory tracking is initiated, and a coordinated response is triggered.
[0012] A regional security monitoring system based on multimodal wireless signal fusion analysis includes several probe devices and a server that is communicatively connected to the probe devices; The probe device is deployed within the monitoring area and is used to obtain the message data of the monitoring device through multi-protocol polling scan, and upload it to the server after classification and encryption. The server is configured with a message processing queue, a data fusion module, a dynamic risk assessment module, a policy configuration interface, and a visual alarm module. The message processing queue is used to receive encrypted data uploaded by each probe device and start a thread pool to complete decoding and data distribution; The data fusion module is used to fuse and hash the decrypted valid data to construct a complete device profile. The dynamic risk assessment module is used to conduct comprehensive risk assessment and risk level determination based on equipment profiles. The strategy configuration interface is used to dynamically adjust the model parameters during comprehensive risk assessment. The visualization alarm module is used to generate spatiotemporal trajectory lines and stationary heat maps of monitoring equipment, present risk alarm information of different levels, and provide query portals for raw data and risk lists.
[0013] Furthermore, the dynamic risk assessment module performs a comprehensive risk assessment based on set risk factors; The risk factors include equipment type risk, manufacturer credibility inverse value, protocol-signal coupling term, occurrence frequency score, time violation factor, spatial anomaly factor, and trajectory mutation factor.
[0014] The beneficial effects of this invention are as follows: (1) The present invention uses embedded hardware devices and open-source protocol stacks, eliminating the need for dedicated spectrum devices and reducing the cost of regional security monitoring.
[0015] (2) This invention can realize 24 / 7 unattended monitoring with a high degree of automation.
[0016] (3) The present invention uses a server to perform effective data filtering and data fusion, which allows information from probe devices at multiple locations to corroborate each other, especially devices at adjacent locations; in addition, the probe devices collect multiple types of data packets (which has an inherent advantage over conventional devices that only collect broadcast signals), which can also improve the overall picture of the data; furthermore, the present invention combines the signal sending end address and signal type corresponding to the packet with the MAC address of the probe device itself to form the original data, and only performs the collection and sending actions to minimize the blind zone of the probe device; at the same time, the probe device scanning strategy in the present invention takes into account the 802.11 Beacon frame broadcast period and channel switching overhead, maximizes the device acquisition probability, overcomes the defects of single-point sampling, and obtains highly reliable data.
[0017] (4) This invention combines a three-level strategy with dynamic scoring to simplify the user’s identification difficulty and make it more intuitive, and ensures that all collectable signal factors are covered, reducing false alarms and missed alarms, and realizing safe and intelligent judgment.
[0018] (5) Based on the proposed risk factors, a comprehensive risk assessment of the monitoring equipment is conducted. The proposed risk factors cover all factors required for human decision-making, which solves the technical problem of high-precision threat identification in a low-cost probe environment. Furthermore, based on the risk assessment results, trajectory maps and heat maps are generated to assist decision-making. The risk level is intuitively indicated by color points, and the path of risk occurrence is depicted by line segments, making the situation intuitive and visual, and improving response efficiency.
[0019] (6) The probe device used for data acquisition in this invention is not allowed to be controlled by external signals after being added to the system, nor does it respond to any requests for external transmission. It also adopts one-way transmission to prevent the probe device from being maliciously controlled by external signals. Attached Figure Description
[0020] Figure 1 The present invention provides a process flow for a regional security monitoring method based on multimodal wireless signal fusion analysis.
[0021] Figure 2 A block diagram of a regional security monitoring system based on multimodal wireless signal fusion analysis provided by the present invention. Detailed Implementation
[0022] The specific embodiments of the present invention are described below to enable those skilled in the art to understand the present invention. However, it should be understood that the present invention is not limited to the scope of the specific embodiments. For those skilled in the art, various changes are obvious as long as they are within the spirit and scope of the present invention as defined and determined by the appended claims. All inventions utilizing the concept of the present invention are protected. Example 1:
[0023] This invention provides a regional security monitoring method based on multimodal wireless signal fusion analysis. It is a method that integrates multi-source heterogeneous data acquisition, reliability enhancement, and dynamic risk assessment of WiFi, Bluetooth, and drone broadcast signals. It is applicable to the automated security situation awareness and alarm response of wireless device behavior in specific wireless device control areas (such as schools where students are prohibited from bringing mobile phones, control areas where wireless signals are prohibited, or conference rooms during specific time periods).
[0024] refer to Figure 1 A regional security monitoring method based on multimodal wireless signal fusion analysis, applied to wireless device control areas, includes the following steps: S100. Deploy multiple probe devices within the monitoring area to perform multi-protocol polling scans and acquire multi-modal signal messages from the monitoring devices, including drone broadcast signals, other access terminal signals, and terminal signals. S200: The wireless signal transmitter address, signal type, signal strength and specific capability information corresponding to the message are obtained, and the original data is formed by combining it with the MAC address of the probe device that obtained the message. After adding timestamp and category identification information, the data is encrypted and sent to the server. S300. On the server side, the received encrypted data is evenly distributed to the thread pool according to the time sequence for decryption. S400 adopts the latest effective data overlay mechanism to merge decrypted data to form effective data. Based on the MAC address, it performs hash merging on the effective data of the same monitoring device to build a device profile. Based on the device profile, it calculates the comprehensive risk score of the corresponding device and determines the corresponding risk level to form an alarm event. S500: Based on the pre-registered geographical location information of the probe devices, the alarm events of the same monitoring device on different probe devices are sorted by time and automatically generated spatiotemporal trajectory lines and dwell heat maps.
[0025] In S100 of this embodiment of the invention, multiple probes deployed in the monitoring area perform polling scans with a period of 6 seconds; wherein, the WiFi module stays on 2.4G channels 1 / 6 / 11 and 5G channels 36 / 52 / 149 for 1 second each; the Bluetooth module performs active scanning for 6 seconds simultaneously; this scanning strategy takes into account the 802.11 Beacon frame broadcast period (usually 100ms) and channel switching overhead, maximizing the device capture probability.
[0026] In this invention, the aforementioned specific channel cyclic scanning strategy is designed to ensure maximum coverage of air interface packets per unit time while fully considering the algorithm complexity and inherent characteristics of wireless packets (beacon will be sent through all supported channels in turn, and other management packets will be sent on specific channels of the connection). After capturing as much data as possible, the data is handed over to the server for calculation to obtain a better result.
[0027] In S200 of this embodiment of the invention, the signal categories for acquiring messages include Bluetooth signals, conventional WiFi terminal signals, WiFi AP signals, and drone signals; wherein, drone signals are signals whose specific capability information in the message corresponding to the AP WiFi signal contains the drone model.
[0028] Specifically, for Bluetooth signals, the acquired address information includes the source address of the scan response and the source address of the broadcast packet pair; for WiFi AP signals, the acquired address information includes the beacon source address, the unicast destination address of the probe request, the destination address of the association request, the destination address of the reassociation request, the source address of the probe response, the source address of the association response, and the source address of the reassociation response; for regular WiFi terminal signals, the acquired address information includes the source address of the probe request, the source address of the association request, the source address of the reassociation request, the destination address of the probe response, the destination address of the association response, the destination address of the reassociation response, and the source address of the unassociation.
[0029] In S300 of this embodiment of the invention, considering that there are many messages reported concurrently by multiple devices, it is necessary to start a thread pool for processing; since the message interfaces are similar and the processing time is close, the data reported by each probe device is placed into the configured thread pool in sequence according to the time order for decryption processing; after decryption, it is handed over to the subsequent core algorithm pool for element extraction and result calculation.
[0030] In S400 of this embodiment of the invention, the latest valid data overlay mechanism is used to fuse the decrypted data to form valid data, including: For the decrypted data corresponding to the same monitoring device, the valid fields of different types of messages are merged, and the default values are not used to overwrite the valid fields until the valid data required to build the device profile is obtained. The valid data includes the manufacturer identification, wireless name, channel, signal strength, and device address of the AP and terminal in the wireless management frame; furthermore, the wireless management frame corresponds to the raw data in S200.
[0031] In this embodiment, because the data packets collected by the probe device do not contain all the specific elements required for subsequent device profiling according to the corresponding standard, the latest valid data overlay mechanism is used to merge the data carrying information with the same MAC address to obtain a complete profile. Furthermore, the aforementioned "latest valid data overlay" mechanism addresses the inherent incompleteness of data reported by low-cost probes and the inability to fully capture data from aerial radio objects. It also solves the problem of incomplete data required by management frames, necessitating the aggregation of multiple data sets to obtain a complete set of data, thus making the subsequently fused data more valuable for manual judgment.
[0032] Specifically, the system merges the valid content of different types of messages (such as filling the missing broadcast requests by receiving request / response message payloads from the same address), and refuses to overwrite existing valid fields with default values (such as vendor ID=FF:FF:FF). The system gradually fills in the complete device profile as the number of reports increases (if there are missing parameters when the captured device is collected for the first valid data, the default parameters will be filled in according to the existing type. As the number and types of captures increase, it will help to improve the data required to complete the entire profile).
[0033] In this embodiment, during the formation of valid data, for special drone signals, the beacon frames in the WiFi AP signal are potential targets. If they do not carry this special data, it means that only a regular AP device has been captured, which is a high level of danger. If they carry this special data, it means that a drone with specific information has intruded into the area, which is a very high level of danger. When determining the result, in addition to displaying the corresponding danger level, the collected special data will also be presented to facilitate users to intuitively determine the risk.
[0034] Therefore, when parsing the reported data to form valid data, it is necessary to further identify relevant information for the drone signal and provide it to the administrator, including additional parsing of the drone's RID (signal name), serial number, latitude and longitude, barometric altitude, ground altitude, flight altitude, horizontal speed, vertical speed, flight status, flight direction, pilot information, and other publicly available message information.
[0035] In S400 of this embodiment of the invention, hash merging of valid data from the same monitoring device based on MAC address includes: The first 24 bits of valid MAC data are hashed to obtain the corresponding hash value, which is then passed to the corresponding hash value marking thread. The hash value marking thread stores the data in the associated database to accelerate subsequent query display and trajectory path drawing.
[0036] Specifically, during the hash merging process, the number of threads depends on the amount of data reported in the actual operating environment, and an appropriate number of processing threads are started adaptively according to the corresponding amount; in this embodiment, it is set according to the capacity of one thousand records per thread per second.
[0037] In S400 of this embodiment of the invention, based on the aforementioned data processing process, the data obtained in the device profile includes device type, manufacturer, signal strength, frequency of occurrence, time, and associated reporting device; the device type includes Bluetooth device, WiFi device, AP device, and drone.
[0038] In this embodiment, the data required for the above-mentioned device profiling can all be collected by probe devices. The purpose of uploading the data to the server is to obtain multiple data sets, which can solve the trajectory verification required when moving from the collection range of a single probe device to the collection range of the next probe device.
[0039] In S400 of this embodiment of the invention, a comprehensive risk score is performed. The calculation formula is: In the formula, For equipment risk types, This is the inverse value of manufacturer credibility. For protocol-signal coupling, To score based on frequency of occurrence, For time violation factors, As a spatial anomaly factor, Trajectory mutation factor, , , , , , and They are respectively , , , , , and The weighting coefficients.
[0040] For example, , , , , , and The values are 0.2, 0.15, 0.2, 0.1, 0.15, 0.15 and 0.05.
[0041] In this embodiment, in the above formula for calculating the comprehensive risk score: Regarding the equipment risk type, when it is a drone... When it is an access point (AP) device, When it is another Bluetooth terminal device, When it is another WiFi terminal, ; Regarding the reverse value of vendor trustworthiness, when the monitoring device is on the whitelist... When the monitoring device is on the blacklist, When the monitoring device is unknown, ; For the protocol-signal coupling term, when the monitoring device uses the WiFi protocol... When the monitoring device uses the Bluetooth protocol, , For the frequency score , The number of times it appears within 30 minutes; Regarding the time-related violation factor, when the monitoring device occurs during the authorized time period... Otherwise, it is 0; For spatial anomalies, when the monitoring device appears within a preset sensitive geofence... Otherwise, it is 0; Regarding trajectory abrupt change factors, if the same monitoring device crosses a set distance within a set time, For example, when crossing 100 meters in 30 seconds, .
[0042] In S400 of this embodiment of the invention, the risk levels include low risk, medium risk, high risk and emergency risk; When the risk level is low, only the risk assessment log is recorded; When the risk level is medium, a level 3 alarm event is generated and an alarm is triggered. When the risk level is high, a level 2 alarm event is generated, and trajectory tracking is initiated. When an emergency risk is detected, a Level 1 alarm event is generated, trajectory tracking is initiated, and a coordinated response is triggered.
[0043] For example, The range [0.0, 0.3) represents low risk. The range [0.3, 0.6) represents medium risk. The range [0.6, 0.85) is considered high risk. The range [0.85, 1.0] represents an emergency risk.
[0044] In this embodiment, all behavioral data are processed every 10 minutes from the start of activity to generate trace data that can be checked. At the same time, the latest 10-minute data serves as the real-time latest situational data, ensuring that the risk score reflects the current true threat situation.
[0045] In this embodiment of the invention, based on the above-mentioned strategy matching, spatiotemporal visualization is automatically triggered, which upgrades discrete alarms into connected threat behavior analysis, so that the overall technical solution produces a technical effect of "1+1>2", directly improving the accuracy of strategy matching and the reliability of trajectory drawing.
[0046] In S500 of this embodiment of the invention, during the process of generating the spatiotemporal trajectory line and the dwell heat map, the probe device has been marked with its location on the map during installation, and the data generated after calculation corresponds to it. When the risk level is generated, the corresponding probe device point will be marked with the corresponding color, thereby forming the dwell heat map. For example, if a certain probe device point has 2 red, 3 orange, and 5 blue warnings, then the point of this device itself is marked as red because the highest level of risk it has is red, and the surrounding dot matrix aperture will generate color dots in the corresponding ratio of 2:3:5 to mark the area around the point.
[0047] Furthermore, for spatiotemporal trajectory lines, if the MAC of a monitoring device with an orange risk is captured by multiple probe devices, the trajectory is formed by connecting these devices with orange lines in chronological order of the last time they were collected by the probe devices.
[0048] In this embodiment, by clicking on the probe device points on the map, the administrator can find the complete risk list and the corresponding original data list of the risk data collected by the corresponding probe device. This can help the administrator to manually identify and judge, such as supporting security scenario analysis such as drone pilot tracking and suspicious person reconstruction. Example 2:
[0049] This embodiment is a further limitation based on Embodiment 1. Its purpose is to provide a regional security monitoring system based on multimodal wireless signal fusion analysis. It is implemented based on the regional security monitoring method in Embodiment 1. Other parts not mentioned refer to the description in Embodiment 1 or the prior art.
[0050] like Figure 2 As shown, a regional security monitoring system based on multimodal wireless signal fusion analysis includes several probe devices and a server that communicates with the probe devices. The probe device is deployed in the monitoring area to obtain the message data of the monitoring device through multi-protocol polling scan, and upload it to the server after classification and encryption; The server is configured with a message processing queue, a data fusion module, a dynamic risk assessment module, a policy configuration interface, and a visual alarm module. The system includes a message processing queue for receiving encrypted data uploaded by various probe devices, a thread pool for decoding and data distribution, a data fusion module for fusing and hashing the decrypted data, and a dynamic risk assessment module for conducting comprehensive risk assessments and determining risk levels based on the device profiles, a policy configuration interface for dynamically adjusting model parameters during comprehensive risk assessments, and a visualization alarm module for generating spatiotemporal trajectory lines and heatmaps of monitored devices, presenting risk alarm information at different levels, and providing query access for raw data and risk lists.
[0051] In this embodiment of the invention, the probe device is internally configured with a WiFi module, a Bluetooth module, and a management module. The WiFi module scans commonly used 2.4G WiFi channels and commonly used 5G WiFi channels within the monitoring area, saves key information of the scanned management frames, and transmits them. The Bluetooth module captures Bluetooth messages within the monitoring area, saves key information of the scanned management frames, and transmits them. The management module continuously scans the messages transmitted by the WiFi module and Bluetooth module, encrypts them, and transmits them. The management module categorizes the received messages into four types of signals: Bluetooth signals, conventional WiFi terminal signals, WiFi AP signals, and drone signals.
[0052] In this embodiment of the invention, for the message processing queue, considering that there are many messages reported concurrently by multiple monitoring devices, it is necessary to start a thread pool for processing. Since the message interfaces are similar and the processing time is close, the data reported by each probe device is placed into the configured thread pool in order of time for decryption processing.
[0053] In this embodiment of the invention, for the data fusion module, the latest valid data overlay mechanism is used to fuse the decrypted data to form valid data, including: For the decrypted data corresponding to the same monitoring device, the valid fields of different types of messages are merged, and the default values are not used to overwrite the valid fields until the valid data required to build the device profile is obtained. The valid data includes the manufacturer identification, wireless name, channel, signal strength and device address of AP and terminal in the wireless management frame.
[0054] Furthermore, valid data from the same monitoring device is hashed and merged based on MAC address, including: The first 24 bits of valid MAC data are hashed to obtain the corresponding hash value, which is then passed to the corresponding hash value marking thread. The hash value marking thread stores the data in the associated database to accelerate subsequent query display and trajectory path drawing.
[0055] In this embodiment of the invention, a comprehensive risk assessment is performed based on set risk factors in the dynamic risk assessment module; Among them, risk factors include equipment type risk, manufacturer credibility inverse value, protocol-signal coupling term, occurrence frequency score, time violation factor, spatial anomaly factor, and trajectory mutation factor.
[0056] Based on the above risk factors, a comprehensive risk score is calculated. The calculation formula is: In the formula, For equipment risk types, This is the inverse value of manufacturer credibility. For protocol-signal coupling, To score based on frequency of occurrence, For time violation factors, As a spatial anomaly factor, Trajectory mutation factor, , , , , , and They are respectively , , , , , and The weighting coefficients.
[0057] Specifically, regarding the type of equipment risk, when it is a drone, When it is an access point (AP) device, When it is another Bluetooth terminal device, When it is another WiFi terminal, ; Regarding the reverse value of vendor trustworthiness, when the monitoring device is on the whitelist... When the monitoring device is on the blacklist, When the monitoring device is unknown, ; For the protocol-signal coupling term, when the monitoring device uses the WiFi protocol... When the monitoring device uses the Bluetooth protocol, , For the frequency score , The number of times it appears within 30 minutes; Regarding the time-related violation factor, when the monitoring device occurs during the authorized time period... Otherwise, it is 0; For spatial anomalies, when the monitoring device appears within a preset sensitive geofence... Otherwise, it is 0; Regarding trajectory abrupt change factors, if the same monitoring device crosses a set distance within a set time, For example, when crossing 100 meters in 30 seconds, .
[0058] In this embodiment of the invention, the model parameters configured for the strategy configuration interface include the weight coefficients of each risk factor during comprehensive risk assessment, the risk level determination threshold, the authorization period, sensitive geofencing, and other parameters.
[0059] In this embodiment of the invention, the risk levels for the visual alarm module include low risk, medium risk, high risk, and emergency risk. When the risk level is low, only the risk assessment log is recorded; When the risk level is medium, a level 3 alarm event is generated and an alarm is triggered. When the risk level is high, a level 2 alarm event is generated, and trajectory tracking is initiated. When an emergency risk is detected, a Level 1 alarm event is generated, trajectory tracking is initiated, and a coordinated response is triggered.
[0060] During the generation of spatiotemporal trajectory lines and dwell heatmaps, the aforementioned probe devices are marked with their locations on the map during installation. The data generated after calculation corresponds to these locations. Once a risk level is generated, the area around the corresponding probe device point will be marked with the corresponding color, thus forming a dwell heatmap. For example, if a probe device point receives 2 red, 3 orange, and 5 blue warnings, then the point itself will be marked red because it has the highest risk level of red. The surrounding dot matrix will generate color dots in the corresponding ratio of 2:3:5 and mark them around the point.
[0061] Furthermore, for spatiotemporal trajectory lines, if the MAC of a monitoring device with an orange risk is captured by multiple probe devices, the trajectory is formed by connecting these devices with orange lines in chronological order of the last time they were collected by the probe devices.
[0062] Specific embodiments have been used to illustrate the principles and implementation methods of this invention. The descriptions of the embodiments above are only for the purpose of helping to understand the method and core ideas of this invention. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this invention. Therefore, the content of this specification should not be construed as a limitation of this invention.
[0063] Those skilled in the art will recognize that the embodiments described herein are intended to help the reader understand the principles of the invention, and should be understood that the scope of protection of the invention is not limited to such specific statements and embodiments. Those skilled in the art can make various other specific modifications and combinations based on the technical teachings disclosed in this invention without departing from the spirit of the invention, and these modifications and combinations are still within the scope of protection of this invention.
Claims
1. A regional security monitoring method based on multimodal wireless signal fusion analysis, characterized in that, Applied to wireless device control areas, the following steps are included: S100. Deploy multiple probe devices within the monitoring area to perform multi-protocol polling scans and acquire multi-modal signal messages from the monitoring devices, including drone broadcast signals, other access terminal signals, and terminal signals. S200: The wireless signal transmitter address, signal type, signal strength and specific capability information corresponding to the message are obtained, and the original data is formed by combining it with the MAC address of the probe device that obtained the message. After adding timestamp and category identification information, the data is encrypted and sent to the server. S300. On the server side, the received encrypted data is evenly distributed to the thread pool according to the time sequence for decryption. S400 adopts the latest effective data overlay mechanism to merge decrypted data to form effective data. Based on the MAC address, it performs hash merging on the effective data of the same monitoring device to build a device profile. Based on the device profile, it calculates the comprehensive risk score of the corresponding device and determines the corresponding risk level to form an alarm event. S500: Based on the pre-registered geographical location information of the probe devices, the alarm events of the same monitoring device on different probe devices are sorted by time and automatically generated spatiotemporal trajectory lines and dwell heat maps.
2. The regional security monitoring method based on multimodal wireless signal fusion analysis according to claim 1, characterized in that, In step S200, the signal types for acquiring messages include Bluetooth signals, regular WiFi terminal signals, WiFi AP signals, and drone signals; The drone signal is a signal whose specific capability information in the AP WiFi signal message contains the drone model.
3. The regional security monitoring method based on multimodal wireless signal fusion analysis according to claim 1, characterized in that, In S400, the latest valid data overlay mechanism is used to fuse the decrypted data to form valid data, including: For the decrypted data corresponding to the same monitoring device, the valid fields of different types of messages are merged, and the default values are not used to overwrite the valid fields until the valid data required to build the device profile is obtained. The valid data includes the manufacturer identifier, wireless name, channel, signal strength, and device address of the AP and terminal in the wireless management frame; The wireless management frame corresponds to the raw data in S200.
4. The regional security monitoring method based on multimodal wireless signal fusion analysis according to claim 1, characterized in that, In S400, hash merging of valid data from the same monitoring device based on MAC address includes: The first 24 bits of valid MAC data are hashed to obtain the corresponding hash value, which is then passed to the corresponding hash value marking thread. The hash value marking thread stores the data in the associated database to accelerate subsequent query display and trajectory path drawing.
5. The regional security monitoring method based on multimodal wireless signal fusion analysis according to claim 1, characterized in that, In S400, the data in the device profile includes device type, manufacturer, signal strength, frequency of occurrence, time, and associated reporting device; The device types include Bluetooth devices, WiFi devices, AP devices, and drones.
6. The regional security monitoring method based on multimodal wireless signal fusion analysis according to claim 1, characterized in that, In S400, the comprehensive risk score The calculation formula is: In the formula, For equipment risk types, This is the inverse value of manufacturer credibility. For protocol-signal coupling, To score based on frequency of occurrence, For time violation factors, As a spatial anomaly factor, Trajectory mutation factor, , , , , , and They are respectively , , , , , and The weighting coefficients.
7. The regional security monitoring method based on multimodal wireless signal fusion analysis according to claim 6, characterized in that, In the formula for calculating the comprehensive risk score: Regarding the equipment risk type, when it is a drone... When it is an access point (AP) device, When it is another Bluetooth terminal device, When it is another WiFi terminal, ; Regarding the reverse value of vendor trustworthiness, when the monitoring device is on the whitelist... When the monitoring device is on the blacklist, When the monitoring device is unknown, ; For the protocol-signal coupling term, when the monitoring device uses the WiFi protocol... When the monitoring device uses the Bluetooth protocol, , For the frequency score , The number of times it appears within 30 minutes; Regarding the time-related violation factor, when the monitoring device occurs during the authorized time period... Otherwise, it is 0; For spatial anomalies, when the monitoring device appears within a preset sensitive geofence... Otherwise, it is 0; Regarding trajectory abrupt change factors, if the same monitoring device crosses a set distance within a set time, .
8. The regional security monitoring method based on multimodal wireless signal fusion analysis according to claim 1, characterized in that, In S400, the risk levels include low risk, medium risk, high risk, and emergency risk; When the risk level is low, only the risk assessment log is recorded; When the risk level is medium, a level 3 alarm event is generated and an alarm is triggered. When the risk level is high, a level 2 alarm event is generated, and trajectory tracking is initiated. When an emergency risk is detected, a Level 1 alarm event is generated, trajectory tracking is initiated, and a coordinated response is triggered.
9. A regional security monitoring system based on multimodal wireless signal fusion analysis, implemented based on the regional security monitoring method according to any one of claims 1 to 8, characterized in that, It includes several probe devices and a server that is communicatively connected to the probe devices; The probe device is deployed within the monitoring area and is used to obtain the message data of the monitoring device through multi-protocol polling scan, and upload it to the server after classification and encryption. The server is configured with a message processing queue, a data fusion module, a dynamic risk assessment module, a policy configuration interface, and a visual alarm module. The message processing queue is used to receive encrypted data uploaded by each probe device and start a thread pool to complete decoding and data distribution; The data fusion module is used to fuse and hash the decrypted valid data to construct a complete device profile. The dynamic risk assessment module is used to conduct comprehensive risk assessment and risk level determination based on equipment profiles. The strategy configuration interface is used to dynamically adjust the model parameters during comprehensive risk assessment. The visualization alarm module is used to generate spatiotemporal trajectory lines and stationary heat maps of monitoring equipment, present risk alarm information of different levels, and provide query portals for raw data and risk lists.
10. The regional security monitoring system based on multimodal wireless signal fusion analysis according to claim 9, characterized in that, In the dynamic risk assessment module, a comprehensive risk assessment is performed based on set risk factors; The risk factors include equipment type risk, manufacturer credibility inverse value, protocol-signal coupling term, occurrence frequency score, time violation factor, spatial anomaly factor, and trajectory mutation factor.