A data behavior anomaly identification method and system for a coal interaction platform

By intercepting write-ahead logs and generating reverse compensation scripts at the database level, and combining this with a directed acyclic graph to block the flow of dirty data, the cascading pollution problem caused by data tampering in multi-source concurrent systems is solved, achieving system-level adaptive blocking and self-healing.

CN122387718APending Publication Date: 2026-07-14安徽恒源煤电股份有限公司

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
安徽恒源煤电股份有限公司
Filing Date
2026-04-08
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In multi-source concurrent distributed interactive systems, existing technologies struggle to identify state machine logic anomalies in the multi-level flow of underlying data objects, cannot generate complete evidence packages in real time, and lack adaptive recovery mechanisms, leading to cascading pollution of dirty data and affecting system consistency and robustness.

Method used

By acquiring key data objects from interactive business processes, performing time-series alignment and cross-node logic verification, and triggering alarms, the database intercepts write-ahead logs at the underlying level, extracts pre- and post-transaction images and global call chain identifiers, generates transient dirty data slices, and uses a directed acyclic graph to determine downstream dependency topology paths, issues read/write blocking instructions to downstream microservice nodes, and simultaneously generates a reverse compensation script to roll back data status.

Benefits of technology

It enables precise blocking of data tampering in concurrent environments, adaptive recovery of system state, improved accuracy of data anomaly identification and system self-healing capability, and ensures data consistency and robustness.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122387718A_ABST
    Figure CN122387718A_ABST
Patent Text Reader

Abstract

The present application relates to the technical field of data processing, in particular to a data behavior anomaly identification method and system for a coal interaction platform.The present application acquires key data objects of an interaction service, performs time sequence alignment and cross-node logic verification, triggers an alarm if a state logic mutation occurs, responds to the alarm, intercepts the corresponding pre-written log in a database bottom layer engine in real time, extracts transaction front and back images and global call chain identifiers, encapsulates them as transient dirty data slices, analyzes the identifiers, determines a downstream dependent topology path using a directed acyclic graph, and issues a read-write blocking instruction downwardly.Meanwhile, a reverse compensation script is generated according to the transaction front image and executed at the bottom layer to roll back the physical data state to the initial state.The present application effectively solves the cascading pollution problem caused by bottom layer data tampering in a concurrent environment, and realizes adaptive and accurate blocking and system-level non-inductive self-healing.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of data processing technology, specifically to a method and system for identifying abnormal data behavior in a coal interaction platform. Background Technology

[0002] With the rapid development of large-scale distributed interactive platforms (such as online commodity trading platforms), these systems typically need to support cross-node collaborative interactions among multiple entities. In such high-concurrency architectures, the underlying data faces a complex environment with multiple systems writing data. To ensure the security and accuracy of interactive data, platforms usually introduce anomaly detection mechanisms. Existing anomaly detection technologies mostly employ feature-based machine learning models to predict and classify user entities and transaction data features, or perform time-series synchronization and timestamp standardization on discrete data streams to parse and generate upstream and downstream global transaction chains, thereby performing inter-node monetary permissions and high-frequency concurrency detection.

[0003] However, the aforementioned existing technologies generally suffer from the following technical shortcomings when facing complex distributed interaction environments with multiple concurrent sources: First, most existing systems focus on detecting isolated data thresholds, making it difficult to effectively identify state machine logic anomalies in the multi-level flow of underlying data objects. Since each business module in the entire interaction chain is often independent and autonomous, the underlying data chain is fragmented, and abnormal mutations can usually only be captured at a single point. When concurrent write conflicts or logical tampering occur between heterogeneous nodes, it is highly likely to cause the state machine of the underlying data object to lose synchronization. Second, when the underlying system captures abnormal behavior pulses, it often cannot generate complete, system-level auditable underlying evidence packages in real time. The system struggles to accurately track and record the source node, timestamp, terminal identifier, and differences in underlying field-level version iterations of concurrent calls, and it is even more difficult to determine how these mutations will affect downstream calculations and settlement methods. Finally, after triggering an anomaly alarm, the system typically relies on macro-level interception by upper-layer business or manual review, generally lacking underlying adaptive recovery mechanisms such as database state-level freeze write-back, compensation recalculation, work order write-back, or automated reversal. The lack of such a low-level automated blocking and recovery mechanism will cause "dirty data" that has been tampered with or whose state has changed to spread uncontrollably along the highly coupled call chain, ultimately seriously polluting the downstream complex settlement system and risk control model, and damaging the overall data consistency and operational robustness of the system.

[0004] In summary, in multi-source concurrent distributed interactive systems, how to achieve adaptive blocking and recovery of the problem of dirty data cascading pollution caused by sudden changes in the state logic of underlying data objects is a technical problem that urgently needs to be solved in this field.

[0005] To address this, a method and system for identifying abnormal data behavior in a coal interaction platform are proposed. Summary of the Invention

[0006] The purpose of this invention is to provide a method and system for identifying data behavior anomalies in a coal interaction platform. This invention acquires key data objects from the interaction business, performs time-series alignment and cross-node logical verification, and triggers an alarm if a sudden change in state logic is detected. In response to the alarm, the underlying database engine intercepts the corresponding write-ahead logs in real time, extracts the pre- and post-transaction images and global call chain identifiers, and encapsulates them into transient dirty data slices. The identifiers are parsed, and a directed acyclic graph is used to determine the downstream dependent topology path, and read / write blocking instructions are sent downwards. Simultaneously, a reverse compensation script is generated based on the pre-transaction image and executed at the underlying level to roll back the physical data state to its initial state. This invention effectively solves the cascading pollution problem caused by underlying data tampering in concurrent environments, achieving adaptive and precise blocking and system-level seamless self-healing.

[0007] To achieve the above objectives, the present invention provides the following technical solution: A method for identifying data behavior anomalies in a coal interaction platform includes: Obtain the key data object corresponding to the business instruction of the coal interaction platform, perform time sequence alignment and cross-node logic verification on the key data object, and if it is determined that the key data object has a state logic change, trigger a logic change alarm. In response to the logical mutation alarm, the write-ahead logs corresponding to the key data objects that triggered the alarm are intercepted in real time in the underlying database engine; the corresponding pre-transaction image, post-transaction image and global call chain identifier are extracted from the write-ahead logs and encrypted and encapsulated into a transient dirty data slice that locks the coal quality and price tampering site; The global call chain identifier contained in the transient dirty data slice is parsed, and the downstream dependency topology path of the transient dirty data slice in the system architecture is determined using a pre-constructed directed acyclic graph. Read and write blocking instructions are then issued to downstream microservice nodes along the downstream dependency topology path. At the same time, a reverse compensation script is generated based on the pre-transaction image, and the reverse compensation script is executed in the underlying database engine to roll back the physical data state of the key data object to its initial state.

[0008] Preferably, the key data object is composed of a quality inspection data package representing the physical and chemical indicators of coal, a batch identifier representing the physical delivery status, and settlement parameters representing the quality-price linkage rules, which together constitute a multimodal transaction structure. The key data object undergoes temporal alignment and cross-node logic verification. If a state logic mutation is determined to have occurred in the key data object, the specific steps include: extracting the coal calorific value and ash / sulfur content detection values, dynamic penalty ratio parameters, operation terminal identifiers, and timestamp data from the key data object, and concatenating and mapping them into a multi-dimensional temporal vector, using a dynamic time warping algorithm to unify the time axis; inputting the aligned multi-dimensional temporal vector into a pre-constructed state space embedding model for vector inner product calculation to obtain the current actual state node vector and the expected transition target node vector; in the pre-construction stage, using a contrastive learning loss function to train historical legal flow samples, and statistically analyzing the maximum value of the Euclidean distance between adjacent legal state vectors on the validation set or setting a quantile threshold to obtain the boundary threshold of the legal transition subspace; during actual verification, if the Euclidean distance between the current actual state node vector and the expected transition target node vector is greater than the boundary threshold, then the key data object is determined to have undergone a state logic mutation.

[0009] Preferably, intercepting the write-ahead logs corresponding to the key data objects that trigger alarms and extracting transient dirty data slices specifically includes: mounting an asynchronous bypass listening component on the log writing end of the underlying database engine, capturing binary write-ahead log streams containing state logic mutations through the asynchronous bypass listening component; parsing the internal data structure of the binary write-ahead log stream, separating the coal quality price and / or delivery physical line snapshot before the execution of the data change statement as the pre-transaction image, and the coal quality price and / or delivery physical line snapshot after the execution of the data change statement as the post-transaction image; extracting the distributed tracing request identifier passed across microservice nodes from the extended request header of the binary write-ahead log stream as the global call chain identifier; serializing the pre-transaction image, the post-transaction image, and the global call chain identifier into continuous data blocks, and performing digest calculation on the data blocks using a chain hash algorithm, and then digitally signing the digest using a private key to generate transient dirty data slices.

[0010] Preferably, a downstream dependency topology path is determined using a directed acyclic graph (DAG), and read / write blocking instructions are issued to downstream microservice nodes along the downstream dependency topology path. Specifically, this includes: obtaining service call configuration data from the coal interaction platform; initializing and constructing the DAG with microservice nodes as graph nodes and the data flow direction between microservice nodes as directed edges; wherein the microservice nodes include coal storage and logistics services, quality inspection and testing services, weighbridge settlement services, and supply chain credit services; locating the source microservice node in the DAG based on the global call chain identifier as the starting point of topology traversal; executing a breadth-first search algorithm to extract the set of contaminated associated microservice nodes; defining the sequence of directed edges connecting the set of associated microservice nodes as the downstream dependency topology path; and pushing an isolation list containing the contaminated data primary key to the circuit breaker components of each microservice node in the set of associated microservice nodes along the downstream dependency topology path to intercept subsequent access requests targeting the contaminated data primary key.

[0011] Preferably, a reverse compensation script is generated based on the pre-transaction image, and the reverse compensation script is executed to roll back the physical data state of the key data object to its initial state. Specifically, this includes: extracting the pre-transaction image from the transient dirty data slice, identifying the table structure information, row primary key, and original field value set before the change corresponding to the pre-transaction image; automatically constructing update and / or delete statements to overwrite the currently polluted data using an abstract syntax tree reverse parsing component, and using these as the reverse compensation script; starting a background compensation transaction independent of the main business system logic in the underlying database engine; and submitting and executing the reverse compensation script in the background compensation transaction to forcibly overwrite the physical row data of the key data object on the database disk to the pre-transaction image state before the logical change in state.

[0012] Preferably, while executing the reverse compensation script for rollback, the process also includes data isolation and traffic cleaning steps based on multi-version concurrency control: converting the transient dirty data slices into coal transaction anomaly audit events and persistently saving them to a physically isolated side-channel audit repository in an append-only manner; triggering the read-write separation gateway to update the dynamic routing table and intercepting all data read traffic for the critical data objects currently being rolled back; forcibly routing the data read traffic to a historical security version snapshot provided by the cache server node that is completely consistent with the pre-transaction image content; and after the underlying database engine completes the physical data state rollback, revoking the forced routing rules in the dynamic routing table and restoring the original read link from the read-write separation gateway to the main database.

[0013] A data behavior anomaly identification system for a coal interaction platform, comprising: Mutation identification module: acquires key data objects corresponding to business instructions on the coal interaction platform, performs time-series alignment and cross-node logic verification on the key data objects, and triggers a logic mutation alarm if it is determined that the key data object has undergone a state logic mutation. Dirty data solidification module: In response to the logical mutation alarm, the module intercepts the write-ahead logs corresponding to the key data objects that trigger the alarm in real time in the underlying database engine; extracts the corresponding pre-transaction image, post-transaction image and global call chain identifier from the write-ahead logs, and encrypts and encapsulates them into a transient dirty data slice that locks the coal quality and price tampering site. The self-healing blocking module parses the global call chain identifier contained in the transient dirty data slice, uses a pre-built directed acyclic graph to determine the downstream dependency topology path of the transient dirty data slice in the system architecture, and issues read / write blocking instructions to downstream microservice nodes along the downstream dependency topology path; at the same time, it generates a reverse compensation script based on the pre-transaction image, and executes the reverse compensation script in the underlying database engine to roll back the physical data state of the key data object to the initial state.

[0014] Compared with the prior art, the beneficial effects of the present invention are as follows: 1. This invention deeply integrates quality inspection data packages representing physicochemical indicators, batch identifiers representing physical delivery status, and settlement parameters representing quality-price linkage rules in coal trading. Based on a pre-built state-space embedding model, it maps physical flow nodes such as coal shipment, initial inspection, laboratory grading, and weighbridge settlement into a finite set of states. Through dynamic alignment of multi-dimensional time-series vectors and inner product calculation of state vectors, the system can sensitively detect cross-domain time-series discrepancies between changes in coal quality inspection data and physical delivery flow. This deep "business-technology" coupling model can accurately identify deep-seated logical tampering behaviors disguised as normal operations, improving the accuracy of data anomaly identification on the interactive platform and the depth of business security defense.

[0015] 2. This invention decentralizes anomaly detection to the underlying database engine, using an asynchronous bypass monitoring component to intercept write-ahead logs containing logical mutations in real time. This mechanism, without interfering with the main business read / write process, ensuring high system concurrency throughput, and with reasonable hardware resource allocation, can accurately extract the before-and-after images of data changes at the physical row level and the global call chain identifier with microsecond-level precision. Combined with a chained hash signature encryption algorithm, the system can instantly generate transient dirty data slices that pinpoint the site of coal quality and price tampering. This provides irrefutable underlying digital evidence for subsequent complex cross-enterprise trade disputes, audit accountability, and source tracing.

[0016] 3. When an anomaly is triggered, this invention utilizes a directed acyclic graph to accurately parse the downstream dependency topology and issues a primary key-based isolation list to the circuit breakers of specific microservice nodes, achieving precise blocking and effectively isolating contaminated coal delivery and fund transfer data. Simultaneously, the system automatically generates a reverse compensation script through abstract syntax tree reverse parsing to force data overwriting and rollback at the physical layer. It also cleverly integrates a multi-version concurrency control mechanism, smoothly diverting front-end read traffic to historical security snapshots via a read-write separation gateway. This mechanism not only completely eliminates the source of data contamination at the physical level but also ensures high read concurrency availability for front-end businesses such as coal spot listings or auctions during the recovery period, achieving system-level seamless self-healing. Attached Figure Description

[0017] Figure 1 A flowchart of a data behavior anomaly identification method for a coal interaction platform provided in an embodiment of the present invention; Figure 2 This is a schematic diagram of a data behavior anomaly identification system for a coal interaction platform provided in an embodiment of the present invention; Figure 3 This is a schematic diagram of the downstream dependency topology and blocking mechanism based on a directed acyclic graph provided in an embodiment of the present invention. Detailed Implementation

[0018] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0019] Please see Figures 1 to 3 This invention provides a method and system for identifying abnormal data behavior in a coal interaction platform. The technical solution is as follows: A method for identifying data behavior anomalies in a coal interaction platform includes: Obtain the key data object corresponding to the business instruction of the coal interaction platform, perform time sequence alignment and cross-node logic verification on the key data object, and if it is determined that the key data object has a state logic change, trigger a logic change alarm. In response to the logical mutation alarm, the write-ahead logs corresponding to the key data objects that triggered the alarm are intercepted in real time in the underlying database engine; the corresponding pre-transaction image, post-transaction image and global call chain identifier are extracted from the write-ahead logs and encrypted and encapsulated into a transient dirty data slice that locks the coal quality and price tampering site; The global call chain identifier contained in the transient dirty data slice is parsed, and the downstream dependency topology path of the transient dirty data slice in the system architecture is determined using a pre-constructed directed acyclic graph. Read and write blocking instructions are then issued to downstream microservice nodes along the downstream dependency topology path. At the same time, a reverse compensation script is generated based on the pre-transaction image, and the reverse compensation script is executed in the underlying database engine to roll back the physical data state of the key data object to its initial state.

[0020] Example 1: This embodiment addresses the background problem of cross-domain data logic tampering and cascading contamination of dirty data caused by concurrent writes from multiple heterogeneous subsystems (such as quality inspection, logistics, and fund settlement systems) in coal trading platforms, and provides a specific implementation method. In existing online bulk coal transactions, there exists a "quality-price linkage" rule that strongly binds shipment volume, testing indicators (such as calorific value and ash / sulfur content), and settlement amount. However, when there is concurrent unauthorized tampering of data at a certain stage (for example, modifying the ash content indicator before the weighbridge is generated to fraudulently obtain a lower penalty amount), traditional risk control often fails to detect it due to the fragmented links between various business subsystems, ultimately leading to the generation of false settlement invoices and contaminating the downstream supply chain's financial and credit models.

[0021] As one embodiment of the present invention, refer to Figure 1 A flowchart of a data behavior anomaly identification method for a coal interaction platform, referring to... Figure 3 A schematic diagram of downstream dependency topology and blocking mechanism based on directed acyclic graph.

[0022] Furthermore, the key data object is composed of a quality inspection data package representing the physical and chemical indicators of coal, a batch identifier representing the physical delivery status, and settlement parameters representing the quality-price linkage rules, which together constitute a multimodal transaction structure. The multimodal transaction structure is preferably defined to include at least the following fields: Quality inspection data package fields include coal calorific value, coal ash content value, coal sulfur content value, corresponding test timestamp, and test institution identifier; Batch identifier field: includes unique batch number, shipping point identifier, destination identifier, and transportation mode identifier; Settlement parameter fields include: calorific value of quality-price linkage benchmark, ash and sulfur content of quality-price linkage benchmark, dynamic penalty ratio parameter, and settlement currency identifier.

[0023] The key data object undergoes time-series alignment and cross-node logic verification. If a state logic mutation is determined to have occurred in the key data object, the specific steps include: extracting the coal calorific value and ash / sulfur content detection values, dynamic penalty ratio parameters, operation terminal identifiers, and timestamp data from the key data object, and concatenating and mapping them into a multi-dimensional time-series vector, using a dynamic time warping algorithm to unify the time axis; inputting the aligned multi-dimensional time-series vector into a pre-constructed state space embedding model for vector inner product calculation to obtain the current actual state node vector and the expected transition target node vector; the state space embedding model maps the business physical flow state nodes representing coal shipment, initial inspection upon arrival, laboratory grading, and weighbridge settlement, obtaining the current actual state node vector and the expected transition target node vector of the key data object; if the vector distance in the state space exceeds the boundary limit of the legal transition subspace, the key data object is determined to have experienced a state logic mutation.

[0024] In a preferred embodiment, the legal transition subspace boundary threshold is denoted as D_th. When the distance of the state vector calculated in a single operation is greater than D_th, the system first marks the batch as a "suspected logical mutation" and accumulates the number of occurrences within a preset time window. When the accumulated number of occurrences reaches a preset threshold (e.g., 3 times), a logical mutation alarm is triggered. This combination mechanism of "distance threshold + time window counting" can reduce the false alarm rate while maintaining anomaly sensitivity.

[0025] The pre-built state-space embedding model is constructed and mapped as follows: using historical, legitimate coal transaction time-series data as the training set, a multilayer perceptron is used as the feature encoder. In one specific embodiment, the multilayer perceptron includes 2 to 4 hidden layers, with each hidden layer having 64 to 256 neurons. The activation function can be ReLU or LeakyReLU, and the dimension of the output state feature vector is preferably 64 or 128. The above parameter configuration can be adjusted within the above range according to the actual business scale to ensure a balance between training convergence and computational performance.

[0026] Discrete physical flow state nodes (such as shipment, initial inspection, laboratory grading, and weighbridge settlement) are encoded using one-hot encoding and concatenated with corresponding physicochemical indicators and timestamps before being input into a feature encoder. The output is a fixed-dimensional state feature vector. In the pre-construction stage, a contrastive learning loss function is used to shorten the spatial distance between adjacent legal state vectors in the same normal flow batch and to widen the spatial distance between discontinuous or logically conflicting state vectors, ultimately forming a pre-trained embedding model and legal transition subspace boundary thresholds. During actual verification, the currently input temporal vector is transformed into the current actual state node vector through the feature encoder and its inner product is calculated with the cached expected transition target node vector.

[0027] In a preferred implementation, the contrastive learning loss function can take the form of a triplet loss. That is, for each sample sequence, a triplet is constructed containing an "anchor state vector", an "adjacent legal state vector", and a "non-continuous or logically conflicting state vector". The distance between the anchor and the adjacent legal state vector is minimized, while the distance between the anchor and the logically conflicting state vector is maximized.

[0028] Specifically, in actual business operations, the timestamp on the mine shipment weighbridge typically originates from the front-end mobile terminal, while the calorific value (e.g., benchmark of 5500 kcal) and sulfur content (e.g., 0.8%) data returned by third-party testing institutions are transmitted via asynchronous API callbacks. These physicochemical indicators, dynamic penalty parameters (e.g., a deduction of 10 yuan / ton for every 100 kcal decrease below the benchmark calorific value), and the timestamp are concatenated into a multi-dimensional time-series vector. To eliminate time-series deviations caused by networks in remote mining areas, a dynamic time warping algorithm is used to align the time axis to a benchmark. Subsequently, the aligned multi-dimensional time-series vector is input into a pre-constructed state-space embedding model for vector inner product calculation. This model pre-maps nodes representing the physical flow status of business operations such as "shipment, initial inspection, testing and grading, and weighbridge settlement" into high-dimensional feature vectors. Obtain the current actual state node vector and the expected transition target node vector of the key data object; if the calculated Euclidean distance or cosine distance between the actual transition trajectory and the expected legal trajectory of the current batch in the state space exceeds the set legal transition subspace boundary limit (for example, the physical vector feature shows that the "initial inspection" has not been completed, but the vector features of its test indicators and penalty parameters in the database have been updated and written by the system without authorization), it is determined to be a cross-domain state logic mutation.

[0029] This invention deeply integrates quality inspection data packages representing physicochemical indicators, batch identifiers representing physical delivery status, and settlement parameters representing quality-price linkage rules in coal trading. Based on a pre-built state-space embedding model, it maps physical flow nodes such as coal shipment, initial inspection, laboratory grading, and weighbridge settlement into a finite set of states. Through dynamic alignment of multi-dimensional time-series vectors and inner product calculation of state vectors, it accurately detects cross-domain time-series discrepancies between changes in coal quality inspection data and physical delivery flow. This deep "business-technology" coupling model can accurately identify deep-seated logical tampering behaviors disguised as normal operations, effectively filling the technical blind spots of traditional data threshold-based early warning systems, and improving the accuracy of data anomaly identification and the depth of business security defense in complex concurrent environments.

[0030] Extracting coal calorific value and ash / sulfur content detection values, dynamic penalty ratio parameters, operation terminal identifiers, and timestamp data from the key data objects specifically includes: collecting the original current pulse characteristics of sensors characterizing the hardware fingerprint of physical devices through a trusted execution environment deployed on IoT edge devices; fusing the original current pulse characteristics, primary physicochemical indicators, and local monotonic timestamps to generate an edge-side local signature with time monotonicity; in a weak network environment, caching offline data packets through a micro-state machine on the IoT edge devices; and after network recovery, using a store-and-forward asynchronous reconciliation mechanism to push offline data packets carrying the edge-side local signature to the coal interaction platform in batches; in the process of unifying the time axis using a dynamic time warping algorithm, introducing a time window tolerance compensation algorithm to prioritize consistency verification of the edge-side local signature and the original current pulse characteristics of sensors, removing source dirty data forged by man-in-the-middle attacks, and then performing multi-dimensional time-series vector splicing.

[0031] The introduced time window tolerance compensation algorithm is specifically manifested as follows: a maximum network latency tolerance time threshold is preset; the local monotonic timestamp recorded in the offline data packet and the timestamp of the data packet actually received by the platform are extracted, and the absolute value of the time difference between the two timestamps is calculated; when the absolute value of the time difference is not greater than the preset maximum network latency tolerance time threshold, the asymmetric decryption verification logic of the local signature on the edge side is activated; if the cosine similarity between the decrypted current pulse feature and the baseline feature pre-registered by the device is greater than the set fingerprint confidence threshold, the data packet is considered to be genuine and valid, and the timing deviation caused by network latency is actively compensated, and the data packet is included in the subsequent multi-dimensional timing vector splicing sequence.

[0032] Specifically, in scenarios where IoT devices, such as remote coal washing plants or mine weighbridges, operate in highly unstable networks, traditional timestamps are easily tampered with. In the trusted execution environment of laboratory probes or weighing sensors, the underlying analog current pulse characteristics during device operation are directly captured as an unforgeable physical fingerprint. When the device loses network access, a miniature state machine packages, signs, and temporarily stores these fingerprints along with laboratory indicators and a locally monotonically increasing timestamp. Once the network is restored, these data packets are asynchronously pushed in batches to the central platform. The central platform allows for a reasonable network latency window when aligning the timeline, but it strongly verifies this local signature based on the physical fingerprint. If a signature mismatch is detected or the pulse characteristics are found to be forged by the simulator, the batch of critical data objects is intercepted at the source and marked as dirty data.

[0033] This invention solves the problem of source data anti-counterfeiting in remote mining areas with weak network environments in coal logistics by introducing a trusted execution environment and hardware-level current pulse feature fusion signature on the IoT edge, combined with an asynchronous store-and-forward mechanism and a time window tolerance compensation algorithm. This technical approach effectively defends against physical hijacking and man-in-the-middle attacks targeting edge IoT devices, ensuring that the data entering the complex state machine for processing and verification in the backend possesses absolute authenticity and immutability, thereby enhancing the security level of the underlying data link of the entire interactive platform.

[0034] Furthermore, intercepting the write-ahead logs corresponding to the key data objects that trigger alarms and extracting transient dirty data slices specifically includes: mounting an asynchronous bypass listening component on the log writing end of the underlying database engine, capturing binary write-ahead log streams containing state logic mutations through the asynchronous bypass listening component; parsing the internal data structure of the binary write-ahead log stream, separating the coal quality price and / or delivery physical line snapshot before the execution of the data change statement as the pre-transaction image, and the coal quality price and / or delivery physical line snapshot after the execution of the data change statement as the post-transaction image; extracting the distributed tracing request identifier passed across microservice nodes from the extended request header of the binary write-ahead log stream as the global call chain identifier; serializing the pre-transaction image, the post-transaction image, and the global call chain identifier into continuous data blocks, and using a chain hash algorithm (e.g., SHA-256 algorithm) to perform digest calculation on the data blocks, and then using a private key to digitally sign the digest, generating transient dirty data slices with non-repudiation and tamper-proof characteristics.

[0035] Specifically, at the log writing end of the underlying database engine (e.g., MySQL), an asynchronous bypass listening component is non-intrusively mounted to capture binary write-ahead log streams containing logical mutations in real time with millisecond-level latency. After parsing the internal data structure of this log stream, a physical row snapshot of coal quality and price before the execution of the data modification statement (e.g., the normal unit price record before tampering is 800 yuan / ton) is separated as the pre-transaction image, and a physical row snapshot after the modification (e.g., the abnormal unit price after unauthorized modification is 900 yuan / ton) is separated as the post-transaction image. Subsequently, the distributed tracing request identifier (e.g., a standard 64-bit UUID format string) passed across microservice nodes is extracted from the extended request header of the log stream as a global call chain identifier. The above pre-transaction image, post-transaction image, and global call chain identifier are serialized into continuous data blocks, and a chain hash algorithm (e.g., SHA-256 algorithm) is used to calculate the digest of the data blocks. Then, the digest is digitally signed using a private key to generate a transient dirty data slice with non-repudiation and tamper-proof characteristics.

[0036] An asynchronous bypass listening component is mounted on the log writing end of the underlying database engine. This component captures binary write-ahead log streams containing state logic mutations. Specifically, this involves: deploying the asynchronous bypass listening component using a ring buffer architecture that decouples kernel and user modes; copying the binary write-ahead log stream by data block using a lightweight probe at the operating system kernel layer, and mapping the copied binary write-ahead log stream directly to an independent memory space in user mode based on zero-copy technology; in the independent memory space, calling a parallel parsing operator independent of the main business process to perform internal data structure separation and global call chain identifier extraction on the binary write-ahead log stream; through the aforementioned ring buffer architecture and zero-copy technology that decouples kernel and user modes, the lightweight probe only performs data block copying in the kernel, while the CPU-intensive binary structure separation and tracking identifier extraction are offloaded to an independent operator in user mode. This effectively avoids the security listening component from preempting the core computing resources of the main database, ensuring high throughput and stability of the interactive platform when performing low-level microsecond-level anti-tampering interception.

[0037] Specifically, to address the stringent performance requirements of high-concurrency commodity trading on the underlying database, instead of deploying high-latency triggers within the database, a decoupled architecture based on a circular buffer was constructed. Lightweight network or file probes at the operating system kernel layer are only responsible for "bypassively copying" the generated binary write-ahead log stream containing logical mutations as data blocks, and directly mapping it to a user-space dedicated memory area outside the main business process using zero-copy technology. Subsequently, an independent parallel parsing operator deployed in this user space securely disassembles these complex internal database data structures, separating the pre-transaction and post-transaction images. This approach ensures that even during peak trading periods, the underlying secure bypass monitoring will not slow down the placement speed of any normal coal order.

[0038] This invention decentralizes anomaly detection to the underlying database engine, using an asynchronous bypass monitoring component to intercept write-ahead logs containing logical mutations in real time. This core mechanism, without interfering with the main business's normal read / write processes and fully ensuring the high concurrency throughput of large-scale distributed interactive systems, can accurately extract the before-and-after images of data changes at the physical row level and the global call chain identifier with microsecond-level precision. Combined with a high-strength chained hash signature encryption algorithm, it instantly generates transient dirty data slices that pinpoint the site of coal quality and price tampering, solving the problem of missing underlying audit evidence in concurrent calls. This provides highly reliable and non-repudiable underlying digital credentials for subsequent complex cross-enterprise trade disputes, high-precision audit accountability, and end-to-end traceability.

[0039] Furthermore, a downstream dependency topology path is determined using a directed acyclic graph (DAG), and read / write blocking instructions are issued to downstream microservice nodes along the downstream dependency topology path. Specifically, this includes: obtaining service call configuration data from the coal interaction platform; using microservice nodes as graph nodes and the data flow direction between microservice nodes as directed edges; initializing and constructing the DAG, where the microservice nodes include coal storage and logistics services, quality inspection and testing services, weighbridge settlement services, and supply chain credit services; locating the source microservice node in the DAG based on the global call chain identifier as the starting point of topology traversal; executing a breadth-first search algorithm to extract the set of contaminated associated microservice nodes; defining the sequence of directed edges connecting the set of associated microservice nodes as the downstream dependency topology path; and pushing an isolation list containing the contaminated data primary key to the circuit breaker components of each microservice node in the set of associated microservice nodes along the downstream dependency topology path to intercept subsequent access requests targeting the contaminated data primary key.

[0040] Specifically, the system first acquires the service call configuration data of the current version of the coal interaction platform and initializes a directed acyclic graph (DAG). Each node in this DAG covers coal storage and logistics services, quality inspection and testing services, weighbridge settlement services, and supply chain credit services. The actual data flow direction between microservice nodes is defined as directed edges. When the anomaly monitoring system is triggered, based on the global call chain identifier in the transient dirty data slice generated in the previous steps, the source microservice node is precisely located in the constructed DAG (e.g., determining that the anomaly originated from the unauthorized modification of the quality inspection and testing node) and used as the starting point for topology traversal. Then, a breadth-first search algorithm is executed to quickly extract the set of contaminated associated microservice nodes (such as weighbridge settlement service and supply chain credit service nodes) along the data flow direction, forming an accurate downstream dependency topology path. Along this path, an isolation list containing the contaminated data primary key (e.g., the unique transaction number of a batch that experienced an anomaly) is directly pushed to the circuit breaker components configured on each associated microservice node, thereby immediately intercepting all subsequent read, modify, or settlement requests for that primary key at the application layer.

[0041] This invention, upon triggering an anomaly alarm, abandons the traditional approach of relying on macro-level interception or indiscriminate shutdown by upper-layer business processes. Instead, it utilizes a directed acyclic graph (DAG) to precisely analyze the complex downstream dependency topology between microservices. By issuing isolation lists based on specific primary keys to the circuit breaker components of specific microservice nodes, it achieves precise blocking of contaminated data streams. This not only effectively isolates contaminated coal delivery and fund transfer data but also limits the cascading contamination of dirty data to the smallest possible microservice, effectively ensuring data consistency and overall operational robustness of complex commodity settlement systems and risk control models.

[0042] The process involves pushing an isolation list containing tainted primary keys to the circuit breaker components of each microservice node in the associated microservice node set, intercepting subsequent access requests targeting the tainted primary keys. Specifically, this includes: maintaining a dynamic high-risk primary key pool based on a Bloom filter in the circuit breaker component, synchronizing the tainted primary keys in the isolation list to the dynamic high-risk primary key pool; when a subsequent access request is received, performing a fast match using the dynamic high-risk primary key pool; if a match is found, further querying a local, precise high-risk primary key hash table for secondary verification; if the secondary verification confirms a match, injecting a taint label into the context of the matching request, implementing fine-grained traffic bypass isolation based on memory state coloring; parsing the access request type carrying the taint label; if it is a read request, forcibly routing to a historical security version snapshot for a read-only degradation response; if it is a write or settlement request, directly discarding it and returning an exception status code carrying retry signaling, ensuring that the read / write throughput of other untainted primary keys on the microservice node remains unaffected.

[0043] Specifically, if the entire affected "pound slip settlement service" node were directly circuit-broken when an anomaly occurs, it would paralyze the settlement of all other normal customers on that node. Therefore, a highly efficient Bloom filter is integrated into the memory circuit breaker of each microservice node. Once a specific transaction batch number (i.e., the tainted primary key) is identified as having been tampered with, only that batch number is pushed to the high-risk primary key pool of the filter. When a massive influx of concurrent requests arrives, the circuit breaker matches requests at microsecond speeds. Once an access to the tampered batch number is detected, a special "taint tag" is added to the context of that request. For read requests with taints, they are redirected to a shadow library that caches secure snapshots to read older but safe data; for write requests that want to continue settlement, they are discarded and the client is asked to retry later. In this way, only the tampered transaction is frozen on a server, while tens of thousands of other normal transactions continue to be processed.

[0044] This invention abandons traditional, coarse-grained node-level or service-level downtime interception mechanisms, and introduces a dynamic primary key pool based on Bloom filters and memory state coloring technology to achieve ultra-fine-grained traffic isolation for individual polluted primary keys within a microservice. This approach not only precisely cuts off the cascading pollution paths of specific dirty data, but also cleverly utilizes traffic classification routing to redirect read requests for polluted data to historical security snapshots for seamless degradation. Simultaneously, it ensures that concurrent read and write operations for thousands of other normal business primary keys on the same node are completely unblocked, improving the overall high availability and disaster recovery experience of the distributed system.

[0045] Further, a reverse compensation script is generated based on the pre-transaction image, and the reverse compensation script is executed to roll back the physical data state of the key data object to its initial state. Specifically, this includes: extracting the pre-transaction image from the transient dirty data slice, identifying the table structure information, row primary key, and original field value set before the change corresponding to the pre-transaction image; automatically constructing update and / or delete statements to overwrite the currently polluted data using an abstract syntax tree reverse parsing component, and using these as the reverse compensation script; starting a background compensation transaction independent of the main business system logic in the underlying database engine; and submitting and executing the reverse compensation script in the background compensation transaction to forcibly overwrite the physical row data of the key data object on the database disk to the pre-transaction image state before the logical change in state.

[0046] The process of constructing update and / or delete statements through the abstract syntax tree reverse parsing component specifically includes: the component pre-subscribing to data dictionary change events in the master database and maintaining a real-time synchronized table structure metadata cache in a user-space independent memory space; when parsing the pre-transaction image, querying the metadata cache based on the table ID in the log header to obtain the corresponding column names, data types, and primary key constraints; based on this mapping relationship, instantiating the corresponding abstract syntax tree node, and finally rendering and generating a reverse compensation script in standard SQL format.

[0047] Specifically, the system deeply analyzes and extracts pre-transaction mirror data from transient dirty data slices, accurately identifying the corresponding database table structure information, data row primary keys (such as primary key ID), and the original set of field values ​​before the logical tampering (such as the original normal coal ash content ratio and the unaltered calorific value). Then, using an abstract syntax tree reverse parsing component, the above information is automatically converted into a standard SQL structure, constructing update or delete statements to overwrite the currently polluted data, generating an automated reverse compensation script. Next, a background compensation transaction, completely independent of the front-end main business system logic, is automatically started in the underlying database engine (such as the database transaction manager). Within the scope of this compensation transaction, the reverse compensation script is committed and executed, forcibly overwriting the physical row data of the polluted critical data objects on the database disk, precisely rolling them back to the pre-transaction mirror state before the logical state change.

[0048] This invention introduces an abstract syntax tree reverse parsing component to automatically construct a reverse compensation script and performs a physical-level forced overwrite and rollback in an independent underlying background transaction. This completely overturns the inefficient traditional system model that relies on manual review to generate work orders for write-back or upper-layer business applications for reversal. This mechanism directly rolls back critical data objects that have experienced state changes to a safe initial state within seconds at the database disk level, completely eliminating the source of data contamination at the physical level. This low-level automated blocking and recovery mechanism enhances the low-level fault tolerance and repair capabilities of large interactive platforms against concurrent conflicts or malicious tampering.

[0049] Furthermore, while executing the reverse compensation script for rollback, the process also includes data isolation and traffic cleaning steps based on multi-version concurrency control: the transient dirty data slices are converted into coal transaction anomaly audit events and persistently saved to a physically isolated side-channel audit repository in an append-only manner; the read-write separation gateway is triggered to update the dynamic routing table, intercepting all data read traffic for the critical data objects currently being rolled back; the data read traffic is forcibly routed to a historical security version snapshot provided by the cache server node that is completely consistent with the pre-transaction image content; after the underlying database engine completes the physical data state rollback, the forced routing rules in the dynamic routing table are revoked, and the original read link from the read-write separation gateway to the main database is restored.

[0050] Specifically, the generated transient dirty data slices are formatted and encapsulated as coal transaction anomaly audit events, and persistently archived in a side-channel audit repository physically isolated from the main business database for future reference, using a secure append-only write method. Simultaneously, a control signal is issued to trigger the read-write separation gateway at the architecture front end, causing it to update the dynamic routing table in real time, thereby precisely intercepting all front-end data read traffic targeting the critical data object currently undergoing background rollback. The gateway then forcibly routes this read traffic smoothly to a historical, secure snapshot, identical to the pre-transaction image, hosted by a cache server node (such as a Redis cluster). After the background process of the underlying database engine has completely completed the rollback and overwrite of the physical data state, the gateway automatically removes the aforementioned temporary forced routing rules in the dynamic routing table, seamlessly restoring the secure, original data read link directly between the read-write separation gateway and the main database.

[0051] This invention ingeniously integrates data isolation and traffic scrubbing mechanisms based on multi-version concurrency control principles, dynamically intervening in the routing and forwarding process of front-end read traffic through a read-write separation gateway. During the strong consistency physical rollback repair of the underlying database, front-end read traffic is smoothly diverted to historical security snapshots provided by a cache server, ensuring high availability of read concurrency for high-frequency front-end services such as coal spot market listing queries and real-time bidding during the system's self-healing process. This achieves system-level, seamless self-healing that is completely transparent to end users. Simultaneously, an independent side-channel append write auditing mechanism ensures the traceability and non-repudiation of underlying actions.

[0052] The data behavior anomaly identification method provided in this embodiment deeply integrates IoT-side hardware signatures and backend finite state machines, effectively preventing source data hijacking and accurately capturing cross-domain logical tampering. By employing a circular buffer and zero-copy technology, it parses write-ahead logs in the decoupled user-space space, achieving microsecond-level high-concurrency, seamless interception and completely eliminating performance bottlenecks. Simultaneously, it introduces a memory-based coloring routing mechanism based on Bloom filters to perform degradation isolation and physical-level automated rollback for specific polluted primary keys. This method eliminates the underlying data pollution source while ensuring high-concurrency read / write throughput and system-level seamless self-healing for globally unpolluted services.

[0053] Example 2: This embodiment provides a data behavior anomaly identification system for a coal interaction platform. This system is a physical hardware and software architecture carrier of the data behavior anomaly identification method described in Embodiment 1. The embodiment constructs a three-layer, in-depth collaborative defense architecture of "edge device - business routing - underlying database".

[0054] As one embodiment of the present invention, refer to Figure 2 A schematic diagram of a data behavior anomaly identification system for a coal interaction platform, referring to... Figure 3 A schematic diagram of downstream dependency topology and blocking mechanism based on directed acyclic graph.

[0055] Mutation identification module: acquires key data objects corresponding to business instructions on the coal interaction platform, performs time-series alignment and cross-node logic verification on the key data objects, and triggers a logic mutation alarm if it is determined that the key data object has undergone a state logic mutation.

[0056] Specifically, this module extends to the edge of the Internet of Things (IoT) at the forefront of the system architecture. For physical nodes such as testing probes and weighing sensors in remote mining areas or coal washing plants, the mutation identification module integrates a hardware feature extraction unit within its trusted execution environment. This unit is responsible for collecting raw current pulse features characterizing the hardware fingerprint of the physical devices, and deeply fusing these pulse features, primary coal calorific value and ash / sulfur content detection values, and local monotonic timestamps to generate a local edge-side signature with time monotonicity. When encountering weak or outage networks in the mining area, the module's built-in micro-state machine can temporarily store offline data packets. After the network is restored, the offline data packets carrying the local signature are pushed in batches to the interactive platform using a store-and-forward asynchronous reconciliation mechanism. After obtaining a multimodal transaction structure consisting of physicochemical indicators, delivery status, and dynamic penalty ratio parameters, the central processing unit of the mutation identification module uses a dynamic time warping algorithm to unify the time axis. In this process, the module specifically introduces a time window tolerance compensation algorithm, prioritizing high-intensity consistency verification of the local signatures on the edge side and the original current pulse characteristics of the sensors, thereby accurately eliminating source dirty data hijacked by man-in-the-middle or forged by physical devices at the source. Subsequently, the module inputs the aligned and verified multi-dimensional time-series vector into a pre-constructed deterministic finite state machine to perform vector inner product calculation. This state machine covers physical flow nodes unique to coal, such as shipment, initial inspection, laboratory grading, and weighbridge settlement. Once it is calculated that the vector distance between the current actual state node of the key data object and the expected transition target node in the state space exceeds the boundary limit of the legal subspace (e.g., the physical object has not yet undergone initial inspection, but the laboratory indicators have been written without authorization), the module immediately determines that cross-domain logical tampering has occurred and triggers a logical mutation alarm to the subsequent interception engine and audit link.

[0057] Dirty Data Solidification Module: In response to the logical mutation alarm, the module intercepts the write-ahead logs corresponding to the key data objects that trigger the alarm in real time in the underlying database engine; extracts the corresponding pre-transaction image, post-transaction image and global call chain identifier from the write-ahead logs, and encrypts and encapsulates them into a transient dirty data slice that locks the coal quality and price tampering site.

[0058] Specifically, to achieve seamless, microsecond-level interception of the underlying database in high-concurrency transaction scenarios with tens of millions of transactions on the platform, the dirty data solidification module adopts a ring buffer architecture that decouples kernel mode and user mode. At the operating system kernel level, this module deploys lightweight network protocol stack probes or file system probes. These probes do not intervene in the core transaction processing flow of the main database (such as the MySQL InnoDB engine), but passively copy the binary write-ahead log stream containing state logic mutations block by block, and map the copied raw data stream directly across the kernel boundary to an independent dedicated memory space in user mode based on zero-copy technology. Within this independent user-mode space, the dirty data solidification module calls a parallel parsing operator that is completely independent of the main business process to separate and decompose the binary write-ahead log stream with an extremely complex internal nested structure. The operator accurately separates the pre-transaction image before the execution of the data modification statement (such as the benchmark unit price of coal and the original ash content value before being modified without authorization) and the post-transaction image after the execution of the modification. Simultaneously, the operator precisely extracts the distributed tracing request identifier (such as a 64-bit UUID) passed across microservice nodes as a global call chain identifier by parsing the extended request header of the log stream. Finally, the module's encryption component uses a high-strength chained hash algorithm (such as SHA-256) to serialize and hash the pre-transaction image, post-transaction image, and global call chain identifier, instantly generating a transient dirty data slice with extremely high tamper-proof properties, which is then solidified as an unrepudiable underlying digital credential.

[0059] The self-healing blocking module parses the global call chain identifier contained in the transient dirty data slice, uses a pre-built directed acyclic graph to determine the downstream dependency topology path of the transient dirty data slice in the system architecture, and issues read / write blocking instructions to downstream microservice nodes along the downstream dependency topology path; at the same time, it generates a reverse compensation script based on the pre-transaction image, and executes the reverse compensation script in the underlying database engine to roll back the physical data state of the key data object to the initial state.

[0060] Specifically, upon receiving the solidified dirty data slices, the self-healing blocking module first abandons the traditional coarse-grained application-layer shutdown strategy and instead implements fine-grained traffic isolation. In a pre-built directed acyclic graph covering warehousing and logistics, quality inspection and testing, weighbridge settlement, and supply chain credit, the module executes a breadth-first search algorithm starting from the upstream source node to quickly extract the set of contaminated related microservice nodes, forming a precise downstream dependency topology path. Subsequently, the module pushes an isolation list containing tampered data primary keys (such as transaction numbers for specific batches) to the circuit breaker components of each related microservice node along this path. Within the circuit breaker components of each microservice, the module maintains a dynamic high-risk primary key pool based on a Bloom filter. The system synchronously injects dirty data primary keys from the isolation list into this pool. Faced with a massive influx of concurrent requests from the front end, the circuit breaker uses a Bloom filter for microsecond-level ultra-fast matching; if a contaminated primary key is matched, a "taint label" is injected into the request context at the memory level. For read requests carrying tainted tags, the blocking self-healing module, in conjunction with the read / write separation gateway at the front end of the architecture, forces a smooth routing to a historical, secure snapshot provided by caching nodes such as Redis, performing a safe and silent read-only degradation response. Write or settlement requests carrying this tag are simply discarded and a retry status code is returned. This ensures that the read / write throughput of thousands of other untainted primary keys on the same microservice node remains completely unblocked. While the front-end business implements seamless degradation based on memory-colored routing, the underlying recovery process of the blocking self-healing module utilizes an abstract syntax tree reverse parsing component to deeply deconstruct the pre-transaction image, automatically constructing update or delete statements to overwrite the currently tainted data, and generating an automated reverse compensation script. This module then initiates a background compensation transaction completely detached from the main business logic in the underlying database engine, commits and executes the script, and forcibly overwrites the tainted data rows at the physical sector level of the disk. After the underlying state is completely rolled back to the safe initial state, the module automatically cancels the temporary forced routing rules at the gateway, restores the original read link of the main database, and converts the dirty data slices into audit logs, which are then saved to the side channel audit database in an append-only manner. This completes the entire system-level seamless self-healing business loop.

[0061] The data behavior anomaly identification system provided in this embodiment constructs a three-layer defense-in-depth architecture of "edge terminal - business routing - underlying database". The mutation identification module relies on a trusted execution environment and state machine algorithm to move the defense line forward and ensure the absolute authenticity of multimodal time-series data. The dirty data solidification module uses kernel-level probes and independent operators to instantly extract and encrypt and solidify tampering evidence without infringing on the main database resources. The blocking and self-healing module combines a directed acyclic graph and a dynamic primary key pool to accurately implement fine-grained traffic coloring bypass, achieving seamless front-end traffic diversion when performing reverse physical rollback at the underlying level, completely cutting off the cascading pollution path of dirty data, and improving the data consistency and overall disaster recovery robustness of large-scale interactive systems.

[0062] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. A method for identifying data behavior anomalies in a coal interaction platform, characterized in that, include: Obtain the key data object corresponding to the business instruction of the coal interaction platform, perform time sequence alignment and cross-node logic verification on the key data object, and if it is determined that the key data object has a state logic change, trigger a logic change alarm. In response to the aforementioned logical mutation alarm, the write-ahead logs corresponding to the key data objects that triggered the alarm are intercepted in real time in the underlying database engine. Extract the corresponding pre-transaction image, post-transaction image, and global call chain identifier from the write-ahead log, and encrypt and encapsulate them into a transient dirty data slice that locks the coal quality and price tampering site; The global call chain identifier contained in the transient dirty data slice is parsed, and the downstream dependency topology path of the transient dirty data slice in the system architecture is determined using a pre-constructed directed acyclic graph. Read and write blocking instructions are then issued to downstream microservice nodes along the downstream dependency topology path. At the same time, a reverse compensation script is generated based on the pre-transaction image, and the reverse compensation script is executed in the underlying database engine to roll back the physical data state of the key data object to its initial state.

2. The method for identifying abnormal data behavior in a coal interaction platform according to claim 1, characterized in that, The key data object consists of a multimodal transaction structure composed of a quality inspection data package representing the physical and chemical indicators of coal, a batch identifier representing the physical delivery status, and settlement parameters representing the quality-price linkage rules. The key data object undergoes time-series alignment and cross-node logic verification. If a state logic mutation is determined to have occurred in the key data object, the specific steps include: extracting the coal calorific value and ash / sulfur content detection values, dynamic penalty ratio parameters, operation terminal identifiers, and timestamp data from the key data object, and concatenating and mapping them into a multi-dimensional time-series vector, using a dynamic time warping algorithm to unify the time axis; inputting the aligned multi-dimensional time-series vector into a pre-constructed state space embedding model for vector inner product calculation, where the state space embedding model maps the business physical flow state nodes representing coal shipment, initial inspection upon arrival, laboratory grading, and weighbridge settlement, and obtaining the current actual state node vector and the expected transition target node vector of the key data object; if the vector distance in the state space exceeds the boundary limit of the legal transition subspace, then the key data object is determined to have experienced a state logic mutation.

3. The method for identifying abnormal data behavior in a coal interaction platform according to claim 1, characterized in that, Intercepting the write-ahead logs corresponding to the key data objects that trigger alarms and extracting transient dirty data slices specifically includes: mounting an asynchronous bypass listening component on the log writing end of the underlying database engine, capturing binary write-ahead log streams containing state logic mutations through the asynchronous bypass listening component; parsing the internal data structure of the binary write-ahead log stream, separating the coal quality price and / or delivery physical line snapshot before the execution of the data change statement as the pre-transaction image, and the coal quality price and / or delivery physical line snapshot after the execution of the data change statement as the post-transaction image; extracting the distributed tracing request identifier passed across microservice nodes from the extended request header of the binary write-ahead log stream as the global call chain identifier; serializing the pre-transaction image, the post-transaction image, and the global call chain identifier into continuous data blocks, and using a chain hash algorithm to perform digest calculation on the data blocks, and then using a private key to digitally sign the digest to generate transient dirty data slices.

4. The method for identifying abnormal data behavior in a coal interaction platform according to claim 1, characterized in that, The downstream dependency topology path is determined using a directed acyclic graph (DAG), and read / write blocking instructions are issued to downstream microservice nodes along the downstream dependency topology path. Specifically, this includes: obtaining service call configuration data from the coal interaction platform; initializing and constructing the DAG with microservice nodes as graph nodes and the data flow direction between microservice nodes as directed edges; wherein the microservice nodes include coal storage and logistics services, quality inspection and testing services, weighbridge settlement services, and supply chain credit services; locating the source microservice node in the DAG based on the global call chain identifier as the starting point of topology traversal; executing a breadth-first search algorithm to extract the set of contaminated associated microservice nodes; defining the sequence of directed edges connecting the set of associated microservice nodes as the downstream dependency topology path; and pushing an isolation list containing the contaminated data primary key to the circuit breaker components of each microservice node in the set of associated microservice nodes along the downstream dependency topology path to block subsequent access requests targeting the contaminated data primary key.

5. The method for identifying abnormal data behavior in a coal interaction platform according to claim 1, characterized in that, Generate a reverse compensation script based on the pre-transaction image, and execute the reverse compensation script to roll back the physical data state of the key data object to its initial state. Specifically, this includes: extracting the pre-transaction image from the transient dirty data slice, identifying the table structure information, row primary keys, and original field value set before the change corresponding to the pre-transaction image; automatically constructing update and / or delete statements to overwrite the currently polluted data using an abstract syntax tree reverse parsing component, and using these as the reverse compensation script; starting a background compensation transaction independent of the main business system logic in the underlying database engine; and submitting and executing the reverse compensation script in the background compensation transaction to forcibly overwrite the physical row data of the key data object on the database disk to the pre-transaction image state before the logical change in state.

6. The method for identifying abnormal data behavior in a coal interaction platform according to claim 1, characterized in that, While executing the reverse compensation script for rollback, the process also includes data isolation and traffic cleaning steps based on multi-version concurrency control: the transient dirty data slices are converted into coal transaction anomaly audit events and persistently saved to a physically isolated side-channel audit repository in an append-only manner; the read-write separation gateway is triggered to update the dynamic routing table, intercepting all data read traffic for the critical data objects currently being rolled back; the data read traffic is forcibly routed to a historical security version snapshot provided by the cache server node that is completely consistent with the pre-transaction image content; after the underlying database engine completes the physical data state rollback, the forced routing rules in the dynamic routing table are revoked, and the original read link from the read-write separation gateway to the main database is restored.

7. A data behavior anomaly identification system for a coal interaction platform, characterized in that, include: Mutation identification module: acquires key data objects corresponding to business instructions on the coal interaction platform, performs time-series alignment and cross-node logic verification on the key data objects, and triggers a logic mutation alarm if it is determined that the key data object has undergone a state logic mutation. Dirty data solidification module: In response to the logical mutation alarm, it intercepts the write-ahead logs corresponding to the key data objects that trigger the alarm in real time in the underlying database engine; Extract the corresponding pre-transaction image, post-transaction image, and global call chain identifier from the write-ahead log, and encrypt and encapsulate them into a transient dirty data slice that locks the coal quality and price tampering site; The self-healing blocking module parses the global call chain identifier contained in the transient dirty data slice, uses a pre-built directed acyclic graph to determine the downstream dependency topology path of the transient dirty data slice in the system architecture, and issues read / write blocking instructions to downstream microservice nodes along the downstream dependency topology path; at the same time, it generates a reverse compensation script based on the pre-transaction image, and executes the reverse compensation script in the underlying database engine to roll back the physical data state of the key data object to the initial state.