Industrial internet edge security autonomy method and apparatus

By constructing an autonomous architecture for multi-source time-series security data perception and knowledge graph reasoning, the problem of industrial internet edge security protection relying on the cloud is solved. It realizes a closed loop for security policy generation and execution in weak network or resource-constrained scenarios, ensuring the real-time performance and security of edge nodes.

CN122394851APending Publication Date: 2026-07-14HUAZHONG UNIV OF SCI & TECH RES INST SHENZHEN

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HUAZHONG UNIV OF SCI & TECH RES INST SHENZHEN
Filing Date
2026-04-13
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing industrial internet edge security protection technologies are highly dependent on the cloud, making it difficult to form an effective security policy generation and execution closed loop in weak network or network outage scenarios. Edge node resources are limited, making it difficult to guarantee real-time performance and security, and there is a lack of collaborative mechanisms among multiple edge nodes.

Method used

Construct an autonomous architecture that integrates multi-source temporal security data perception, knowledge graph reasoning, policy generation, service flow orchestration, task offloading, and on-site execution. By acquiring multi-source temporal security data, constructing a temporal security knowledge graph for situation assessment, generating security policies, and performing task division and resource allocation, a closed-loop security autonomy is achieved.

Benefits of technology

In scenarios with weak networks or limited resources, core business operations are ensured to remain uninterrupted. This represents a comprehensive upgrade to edge security protection for the industrial internet, enhancing the targeted nature of security decisions and the efficiency of resource scheduling, while reducing the impact of business latency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394851A_ABST
    Figure CN122394851A_ABST
Patent Text Reader

Abstract

The application discloses an industrial internet edge security autonomous method and device, and belongs to the technical field of network security. The method comprises the following steps: constructing a time sequence security knowledge graph based on a window feature matrix, performing time sequence correlation reasoning based on the time sequence security knowledge graph, obtaining a regional security situation result, generating a security policy based on the regional security situation result, and mapping the security policy into an executable security service flow through policy analysis; dividing and cooperatively arranging the security service flow to obtain a divided security service flow; generating an unloading decision and a resource allocation scheme based on a resource occupation prediction model, executing the divided security service flow on the edge side of an industrial internet system based on the unloading decision and the resource allocation scheme, obtaining execution effect feedback, updating the time sequence security knowledge graph based on the execution effect feedback, and obtaining an updated time sequence security knowledge graph, so as to realize a security autonomous closed loop. The method improves the security and reliability of the industrial internet system.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application belongs to the field of network security technology, and in particular relates to an industrial internet edge security autonomous method and device. Background Technology

[0002] Industrial control systems exhibit significantly different constraints from traditional IT systems in terms of availability, real-time performance, and security, necessitating a security protection system adapted to their operational characteristics. Industrial control system security guidelines stipulate that security controls, risk management, and countermeasures deployment should be implemented while balancing performance and reliability. Simultaneously, zero-trust architecture emphasizes continuous verification, least privilege, and dynamic policy enforcement, providing general principles for identity and access control in distributed scenarios. Regarding engineering security in industrial systems, the ISA / IEC 62443 series of standards proposes systematic requirements for the security of industrial automation and control systems, employing concepts such as partitioning and channels to support the design of protection boundaries and security levels. However, industrial internet edge nodes commonly face challenges such as limited computing power / memory, network instability, diverse field protocols, and limited maintenance windows. This makes the traditional "centralized cloud detection—policy distribution" approach insufficient in terms of timeliness and availability, especially lacking sustainable protection capabilities when the cloud is unreachable.

[0003] Existing industrial internet edge security assessment methods are highly dependent on the cloud. In situations of weak network connectivity or network outages, the security policy generation and execution loop is directly interrupted. Most edge-side solutions only possess single-point detection or single-point blocking capabilities, making it difficult to form a complete autonomous closed loop of "perception-reasoning-policy-execution-feedback". In addition, existing solutions lack a joint resource allocation mechanism for task offloading decisions and computing and communication based on the execution dependency constraints of security service flows, making it impossible to achieve an effective balance between security protection strength and business continuity.

[0004] Existing industrial internet edge security technologies generally suffer from an over-reliance on cloud-based policy computation and distribution, making it difficult to quickly establish a closed-loop "detection-response" capability in extreme scenarios such as weak or outage networks. Simultaneously, edge nodes themselves have limited resources, making it difficult to simultaneously guarantee the real-time requirements of industrial control operations and the computational resource demands of security detection and response. Furthermore, existing solutions lack effective mechanisms to transform situational awareness results into executable security services and to achieve collaborative orchestration, task offloading, and optimized resource allocation across multiple edge nodes. This often leads to problems such as "risks can be detected but are difficult to handle" or "security handling causes performance fluctuations in business operations." Summary of the Invention

[0005] This application aims to address at least one of the technical problems existing in the prior art. To this end, this application proposes an autonomous method and device for industrial internet edge security. By constructing a full-process autonomous architecture encompassing multi-source temporal security data perception, knowledge graph reasoning, policy generation, service flow orchestration, task offloading, and on-site execution, it reduces the reliance on cloud links and response delays inherent in traditional cloud center solutions. It also compensates for the weak adaptability and coarse decision-making of rule-based edge solutions. Furthermore, it introduces a degraded autonomous mode, ensuring uninterrupted core business operations even in weak network / network outage or resource-constrained scenarios. This achieves a comprehensive upgrade of industrial internet edge security protection in terms of real-time performance, reliability, and resilience. It is applicable to industrial control network security protection, edge computing security scheduling, industrial IoT anomaly detection, and critical infrastructure security autonomous systems. It enables edge nodes to complete a verifiable and achievable secure autonomous closed loop even under unstable network and resource-constrained conditions.

[0006] To address the aforementioned problems, according to a first aspect of the present invention, an industrial internet edge security autonomous method is provided, applied to at least one edge node in an industrial internet system, the method comprising: Acquire multi-source time-series security data from the edge of an industrial internet system throughout the entire process of data flow and control closed loop; The multi-source temporal security data is preprocessed and edge feature modeled to obtain a window feature matrix; A temporal security knowledge graph is constructed based on the window feature matrix. Temporal association reasoning is performed based on the temporal security knowledge graph to obtain regional security situation results. The regional security situation results include situation score, risk label set and confidence level. Based on the regional security situation results, a security policy is generated, and the security policy is mapped into an executable security service flow through policy parsing; The security service flow is divided into tasks and coordinated for orchestration to obtain the divided security service flow; Based on the resource occupancy prediction model, an offloading decision and resource allocation scheme are generated. Based on the offloading decision and resource allocation scheme, the partitioned security service flow is executed at the edge of the industrial internet system to obtain execution effect feedback. Based on the execution effect feedback, the temporal security knowledge graph is updated to obtain the updated temporal security knowledge graph, so as to realize the security self-governance closed loop.

[0007] According to one embodiment of this application, the preprocessing and edge feature modeling of the multi-source temporal security data to obtain a window feature matrix includes... The multi-source time-series security data is cleaned by using a sliding window mean filter to obtain cleaned multi-source time-series security data. Linear interpolation is used to fill in the missing data of the cleaned multi-source time-series security data to obtain the completed multi-source time-series security data. Based on Z-score standardization, the completed multi-source temporal security data is standardized to obtain standard multi-source temporal security data. Time-series alignment is performed on standard multi-source time-series security data to obtain a window feature matrix.

[0008] According to one embodiment of this application, the step of constructing a temporal security knowledge graph based on the window feature matrix, and performing temporal correlation reasoning based on the temporal security knowledge graph to obtain regional security situation results includes: Construct a node set and an edge set based on the window feature matrix; Construct a node attribute matrix based on the node set, and construct an edge weight matrix based on the edge set; Construct a time-series security knowledge graph based on node set, edge set, node attribute matrix, and edge weight matrix; Temporal correlation reasoning based on temporal security knowledge graphs yields regional security situation results. The temporal correlation reasoning includes at least one of rule-based reasoning, graph embedding reasoning, and temporal prediction reasoning.

[0009] According to one embodiment of this application, the step of generating a security strategy based on the regional security situation result includes: Based on the regional security situation results, an attack set and a defense set are obtained; Calculate the utility function based on the attack set and the defense set; Security policies are generated based on utility functions.

[0010] According to one embodiment of this application, mapping the security policy to an executable security service flow through policy resolution includes: The security policy is mapped to a set of security services through policy parsing; Construct a service dependency graph based on a set of security services; Based on the service dependency graph, configure resource profiles to obtain executable and secure service flows.

[0011] According to one embodiment of this application, the step of performing task partitioning and collaborative orchestration on the security service flow to obtain the partitioned security service flow includes: The security service flow is partitioned using a heuristic binary search strategy to obtain the initial partitioned security service flow. Based on task real-time requirements, task dependencies, and edge node capability constraints, the initially partitioned security service flow is collaboratively orchestrated to obtain the partitioned security service flow.

[0012] According to one embodiment of this application, the step of generating an unloading decision and resource allocation scheme based on a resource occupancy prediction model includes: The resource status and link status of candidate execution nodes are predicted based on the resource occupancy prediction model, and the prediction results are obtained. The unloading decision is obtained by modeling the prediction results using Markov modeling. Based on the unloading decision, a resource allocation scheme that satisfies the convex optimization objective is found.

[0013] According to a second aspect of the present invention, an industrial internet edge security autonomous device is provided, the device comprising: The acquisition module is used to acquire multi-source time-series security data from the edge of the industrial internet system throughout the entire process of data flow and control closed loop. The first processing module is used to preprocess and model edge features of the multi-source time-series security data to obtain a window feature matrix; The second processing module is used to construct a temporal security knowledge graph based on the window feature matrix, perform temporal association reasoning based on the temporal security knowledge graph, and obtain regional security situation results. The regional security situation results include situation score, risk label set and confidence level. The third processing module is used to generate a security policy based on the regional security situation results, and to map the security policy into an executable security service flow through policy parsing. The fourth processing module is used to perform task division and collaborative orchestration on the security service flow to obtain the divided security service flow; The fifth processing module is used to generate offloading decisions and resource allocation schemes based on resource occupancy prediction models, execute the partitioned security service flow on the edge side of the industrial internet system based on the offloading decisions and resource allocation schemes, obtain execution effect feedback, update the temporal security knowledge graph based on the execution effect feedback, and obtain the updated temporal security knowledge graph to achieve a security self-governance closed loop.

[0014] According to a third aspect of the present invention, an electronic device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the Industrial Internet Edge Security Autonomous Method as described in the first aspect above.

[0015] According to a fourth aspect of the present invention, a non-transitory computer-readable storage medium is provided, on which a computer program is stored, which, when executed by a processor, implements the Industrial Internet edge security autonomous method as described in the first aspect above.

[0016] According to a fifth aspect of the present invention, a chip is provided, the chip including a processor and a communication interface, the communication interface being coupled to the processor, the processor being used to run programs or instructions to implement the industrial internet edge security autonomous method as described in the first aspect.

[0017] According to a sixth aspect of the present invention, a computer program product is provided, comprising a computer program that, when executed by a processor, implements the Industrial Internet Edge Security Autonomous Method as described in the first aspect above.

[0018] Additional aspects and advantages of this application will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of this application.

[0019] The industrial internet edge security autonomous method provided by this invention has the following advantages over existing technologies: (1) This invention constructs a full-process autonomous architecture encompassing multi-source temporal security data perception, knowledge graph reasoning, policy generation, service flow orchestration, task offloading, and on-site execution. This reduces dependence on cloud links and compensates for the weak adaptability and coarse decision-making of rule-based edge solutions. By introducing a degraded autonomous mode, it ensures uninterrupted core business operations even in scenarios with weak networks, network outages, or limited resources. It achieves a comprehensive upgrade of industrial internet edge security protection in terms of real-time performance, reliability, and resilience. It is applicable to industrial control network security protection, edge computing security scheduling, industrial IoT anomaly detection, and critical infrastructure security autonomous systems.

[0020] (2) This invention designs a time-series security knowledge graph and a distributed resource perception mechanism to associate and model assets, identities, events, security zones and channels. Combined with the global synchronization of resource status of edge nodes, it realizes more accurate source tracing of security risks and real-time perception of resource status. It provides a quantitative basis for security policy generation and task unloading decisions, significantly improves the pertinence of security decisions and the efficiency of resource scheduling, and enables the edge side to have independent situational reasoning, policy generation and execution capabilities, reducing protection interruptions caused by cloud unavailability.

[0021] (3) By adopting a secure service flow DAG orchestration and joint resource allocation scheme, the present invention decomposes the abstract security strategy into executable sequential dependency services, and combines edge node resource constraints to complete task offloading and resource allocation. This not only ensures the integrity and traceability of the security handling process, but also achieves the optimized utilization of computing and communication resources. While meeting security protection requirements, it minimizes the impact on business latency. Through offloading decision and joint resource allocation, multiple edge nodes can achieve capability gains through collaboration, and support degraded autonomy to obtain minimum available security protection. Attached Figure Description

[0022] The above and / or additional aspects and advantages of this application will become apparent and readily understood from the description of the embodiments taken in conjunction with the following drawings, in which: Figure 1 This is one of the flowcharts of the industrial internet edge security autonomous method provided in the embodiments of this application; Figure 2 This is a schematic diagram of the overall architecture of the Industrial Internet Edge Security Autonomous System provided in the embodiments of this application; Figure 3 This is the second flowchart illustrating the industrial internet edge security autonomous method provided in this application embodiment; Figure 4 This is a schematic diagram of the temporal security knowledge graph structure provided in an embodiment of this application; Figure 5 This is a diagram of the industrial internet edge security policy generation and service flow mapping architecture provided in the embodiments of this application; Figure 6 This is a schematic diagram of a security service flow DAG provided in an embodiment of this application; Figure 7 This is a schematic diagram of distributed perception and unloading decision-making in the unloading environment provided in an embodiment of this application; Figure 8 This is a schematic diagram of joint resource allocation and degraded autonomous mode switching provided in the embodiments of this application; Figure 9 These are comparative experimental analysis tables and graphs provided in the embodiments of this application; Figure 10 This is a schematic diagram of the structure of the industrial internet edge security autonomous device provided in the embodiments of this application; Figure 11 This is a schematic diagram of the structure of the electronic device provided in the embodiments of this application. Detailed Implementation

[0023] The technical solutions of the embodiments of this application will be clearly described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application are within the scope of protection of this application.

[0024] The terms "first," "second," etc., used in the specification and claims of this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such use of data can be interchanged where appropriate to allow embodiments of this application to be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first," "second," etc., are generally of the same class and the number of objects is not limited; for example, a first object can be one or more. Furthermore, in the specification and claims, "and / or" indicates at least one of the connected objects, and the character " / " generally indicates that the preceding and following objects are in an "or" relationship.

[0025] The following description, in conjunction with the accompanying drawings, details the industrial internet edge security autonomous method, industrial internet edge security autonomous device, electronic device, and readable storage medium provided in this application through specific embodiments and application scenarios.

[0026] Among them, the industrial internet edge security autonomous method can be applied to the terminal, specifically executed by the hardware or software in the terminal.

[0027] The terminal includes, but is not limited to, portable communication devices such as mobile phones or tablets with touch-sensitive surfaces (e.g., touchscreen displays and / or touchpads). It should also be understood that, in some embodiments, the terminal may not be a portable communication device, but rather a desktop computer with touch-sensitive surfaces (e.g., touchscreen displays and / or touchpads).

[0028] The following embodiments describe a terminal including a display and a touch-sensitive surface. However, it should be understood that the terminal may include one or more other physical user interface devices such as a physical keyboard, mouse, and joystick.

[0029] The industrial internet edge security autonomous method provided in this application embodiment can be executed by an electronic device or a functional module or functional entity in an electronic device that can implement the industrial internet edge security autonomous method. The electronic devices mentioned in this application embodiment include, but are not limited to, mobile phones, tablets, computers, cameras and wearable devices. The industrial internet edge security autonomous method provided in this application embodiment is described below using an electronic device as the execution subject.

[0030] Figure 1 This is one of the flowcharts illustrating the industrial internet edge security autonomous method provided in this application embodiment, such as... Figure 1 As shown, the Industrial Internet edge security autonomous method includes steps 110, 120, 130, 140, 150 and 160.

[0031] Step 110: Obtain multi-source time-series security data from the edge of the industrial internet system throughout the entire process of data flow and control closed loop; It is easy to understand that an industrial internet system includes a cloud-based security orchestration center, an industrial communication network, and multiple edge nodes.

[0032] Multi-source time-series security data includes at least two of the following: network communication time-series data, asset and identity time-series data, host and application behavior time-series data, industrial protocol and control command time-series data, and process quantity / sensor quantity time-series data, and all of them carry timestamps.

[0033] Network communication timing data includes at least one of the following: five-tuple flow statistics, session establishment / disconnection events, bandwidth utilization, packet loss rate, latency, retransmission rate, connection failure rate, and abnormal port scan count.

[0034] Asset and identity time-series data includes at least one of the following: device fingerprint, certificate status, number of failed account logins, session risk score, and permission change records.

[0035] Industrial protocol and control command timing data includes at least one of the following: function code statistics of protocols such as OPCUA, frequency of write register commands, abnormal command sequences, and control channel replay characteristics.

[0036] Step 120: Preprocess the multi-source temporal security data and perform edge feature modeling to obtain a window feature matrix; In some embodiments, the preprocessing and edge feature modeling of the multi-source temporal security data to obtain a window feature matrix includes... The multi-source time-series security data is cleaned by using a sliding window mean filter to obtain cleaned multi-source time-series security data. Linear interpolation is used to fill in the missing data of the cleaned multi-source time-series security data to obtain the completed multi-source time-series security data. Based on Z-score standardization, the completed multi-source temporal security data is standardized to obtain standard multi-source temporal security data. Time-series alignment is performed on standard multi-source time-series security data to obtain a window feature matrix.

[0037] For example, standard multi-source time-series security data is sampled with a uniform sampling interval. Using a time frame of 0.1s to 5s, a sliding window length L of 8 to 256, and a window step size h of 1 to 64, the expression for the aligned window feature matrix is ​​as follows: in, For feature dimension, This is the window feature matrix.

[0038] Optionally, a missing mask can be introduced to identify interpolated or padded data, avoiding the misuse of low-quality evidence during the inference phase. The expression for the missing mask is as follows: when This indicates that the point is a missing completion value or an unreachable sample value, which is used to reduce its confidence weight as evidence of risk.

[0039] Step 130: Construct a temporal security knowledge graph based on the window feature matrix, perform temporal association reasoning based on the temporal security knowledge graph, and obtain regional security situation results. The regional security situation results include situation score, risk label set, and confidence level. In some embodiments, the step of constructing a temporal security knowledge graph based on the window feature matrix, and performing temporal correlation reasoning based on the temporal security knowledge graph to obtain regional security situation results includes: Construct a node set and an edge set based on the window feature matrix; Construct a node attribute matrix based on the node set, and construct an edge weight matrix based on the edge set; Construct a time-series security knowledge graph based on node set, edge set, node attribute matrix, and edge weight matrix; Temporal correlation reasoning based on temporal security knowledge graphs yields regional security situation results. The temporal correlation reasoning includes at least one of rule-based reasoning, graph embedding reasoning, and temporal prediction reasoning.

[0040] For example, the edge-side temporal security knowledge graph is as follows: in, A set of nodes, containing at least asset nodes, identity nodes, security zone nodes, channel nodes, and event nodes. The set of edges must contain at least communication-related edges, access control edges, control-dependent edges, and cross-regional channel edges. This is a node attribute matrix (including time-series statistics, device importance, service level, historical baseline, etc.). This is the edge weight matrix.

[0041] For any candidate edge e = (u, v), calculate the combined weight: in, For the normalization function, make , For measuring temporal correlation within a window, As a measure of risk contribution, To the degree of deviation from the baseline, ,and .

[0042] Optionally, for the first Class of risk evidence definition local risk score Confidence of evidence (Determined by missing mask, link reachability, log integrity, etc.), and fused using the following formula: in, A multi-source fusion situation score is given.

[0043] And output the risk level: in, It is classified as a risk level.

[0044] This fusion approach has the property of rapidly increasing risk due to strong evidence superposition and limited disturbance to the results due to weak evidence, making it suitable for limited perception conditions at the edge.

[0045] Step 140: Generate a security policy based on the regional security situation results, and map the security policy into an executable security service flow through policy parsing; In some embodiments, the generation of security policies based on the regional security situation results includes: Based on the regional security situation results, an attack set and a defense set are obtained; Calculate the utility function based on the attack set and the defense set; Security policies are generated based on utility functions.

[0046] Let the attack set be defined. Protection collection Define the utility function: The formula for calculating the selection strategy is as follows: in, To select a strategy.

[0047] In some embodiments, mapping the security policy to an executable security service flow through policy resolution includes: The security policy is mapped to a set of security services through policy parsing; Construct a service dependency graph based on a set of security services; Based on the service dependency graph, configure resource profiles to obtain executable and secure service flows.

[0048] It is easy to understand that the security service flow is represented by a directed acyclic dependency graph, and a resource profile is configured for each security service.

[0049] Abstract strategy Mapped to a collection of security services Build a service dependency graph: For each service Configuration resource profile: in, These are CPU requirements, memory requirements, bandwidth requirements, and maximum tolerable latency.

[0050] Security services include at least one of the following: strong authentication, access control, deep inspection of industrial protocols, rate limiting, isolation / segmentation, honeypot redirection, read-only degradation, and remote maintenance session re-authentication.

[0051] Step 150: Perform task partitioning and collaborative orchestration on the security service flow to obtain the partitioned security service flow; In some embodiments, the step of dividing and orchestrating the security service flow to obtain the divided security service flow includes: The security service flow is partitioned using a heuristic binary search strategy to obtain the initial partitioned security service flow. Based on task real-time requirements, task dependencies, and edge node capability constraints, the initially partitioned security service flow is collaboratively orchestrated to obtain the partitioned security service flow.

[0052] It is easy to understand that, based on the real-time nature of the task and the constraints of the security zone or channel, the task is divided into local tasks and unloadable tasks. The resource status and link status of the candidate execution node set are obtained through distributed perception of the unloading environment in edge-to-edge or edge-to-cloud collaboration, and the divided security service flow is obtained.

[0053] Step 160: Generate an offloading decision and resource allocation scheme based on the resource occupancy prediction model; execute the partitioned security service flow on the edge side of the industrial internet system based on the offloading decision and resource allocation scheme, obtain execution effect feedback, update the temporal security knowledge graph based on the execution effect feedback, and obtain the updated temporal security knowledge graph to achieve a security self-governance closed loop.

[0054] In some embodiments, generating an offloading decision and resource allocation scheme based on a resource occupancy prediction model includes: The resource status and link status of candidate execution nodes are predicted based on the resource occupancy prediction model, and the prediction results are obtained. The unloading decision is obtained by modeling the prediction results using Markov modeling. Define state: in, This is a resource state matrix / vector representing the set of candidate nodes. Assess the security situation.

[0055] action: in, The amount of available CPU resources on the node. This represents the amount of available bandwidth resources for the node.

[0056] Reward function: in, This model can be used to learn offloading strategies that are "low latency, low business impact, and more significant risk reduction" online.

[0057] Based on the unloading decision, a resource allocation scheme that satisfies the convex optimization objective is found.

[0058] Given the unloading map, solve for the joint resource allocation: Security / Channel Constraints: Cross-region unloading must meet the preset allowed list and channel mandatory control items, CPU: ;bandwidth: Delay: ; This form can be solved using fast convex optimization or approximation on the edge side to meet real-time requirements.

[0059] In some embodiments, the degraded autonomous mode is entered when any of the following conditions are met: (1) the cloud unreachability duration exceeds a threshold or the link quality index is below a threshold; (2) the local CPU availability is below a threshold.

[0060] Entering local autonomous mode: 1) Action space is pruned to "execute only locally or uninstall only in the same area"; 2) "read-only degradation / secondary confirmation / session re-authentication" is enabled for critical control write operations; 3) The weight of business impact items is increased to prioritize the availability of control links.

[0061] In some embodiments, for the "cloud-edge-device" architecture of the Industrial Internet, an edge security autonomous closed loop consisting of three modules is constructed: (1) Edge security deployment: resource demand analysis is performed based on security capabilities, and an edge optimization deployment scheme is formed under multilateral collaborative constraints. (2) Edge security situation awareness: multi-source heterogeneous information is integrated, a time-series knowledge graph is constructed offline, multi-source security elements are perceived online, and the security situation is analyzed and predicted through knowledge reasoning. (3) Multi-party collaborative real-time security response: security strategies are generated based on attack and defense game theory, converted into security service flows through strategy refinement, and closed-loop response is achieved by combining heuristic binary partitioning and reinforcement learning unloading decision and convex optimization resource adaptive allocation.

[0062] Figure 2 This is a schematic diagram of the overall architecture of the Industrial Internet Edge Security Autonomous System provided in the embodiments of this application, such as... Figure 2 As shown, the system includes a cloud-based security orchestration center 1, an industrial communication network 2, multiple edge nodes 3, and industrial field devices 4. Edge nodes 3 include at least: an acquisition module 31 for acquiring multi-source time-series security data; a preprocessing and alignment module 32 for performing cleaning, completion, standardization, alignment, and windowing to generate a window feature matrix and a missing mask; a graph construction and reasoning module 33 for constructing a time-series security knowledge graph and outputting a multi-source fusion situational assessment score and a risk label set; a policy generation module 34 for generating selection policies based on situational and business constraints; a service flow parsing and orchestration module 35 for generating a service dependency graph and resource profiles; an offloading decision module 36 for outputting offloading mappings based on distributed perception and prediction; a resource allocation module 37 for solving joint resource allocation; and an execution and feedback module 38 for executing service flows and providing feedback to update the graph and policy library.

[0063] Figure 3 This is the second flowchart illustrating the industrial internet edge security autonomous method provided in this application embodiment, as shown below. Figure 3 As shown, execute steps S1 through S6. The detailed parameters and steps for implementation are given below: Example parameters (preferred): , , Threshold , This is the lower limit of link quality (obtained by weighting packet loss rate / latency). .

[0064] S1 (Data Acquisition): Network: Session establishment / disconnection events, 5-tuple statistics, packet loss / latency; Identity: Certificate status, number of login failures, session risks; Industrial Control: Protocol function code statistics, register write frequency, remote maintenance sessions; Process: Abnormal scores of key process variables.

[0065] S2 (Preprocessing): Cleaning: Mean / Median filtering; Completion: Short missing values ​​are linearly interpolated, long missing values ​​are forward-padded and masked with 0; Normalization: Z-score; Alignment: Windowed after unifying the sampling frequency. .

[0066] S3 (Graph + Reasoning): Construct nodes: assets / identities / events / regions / channels; construct edges: communication / access / control dependencies / channels; calculate weights. Evidence fusion yields a situation score. Output a set of risk type labels .

[0067] S4 (Policy + Service Flow): Calculates the utility function, generates selection policies, parses them into a service flow DAG (e.g., "session re-authentication → access control → protocol deep inspection → anomaly clustering → isolation / read-only degradation"), and generates a resource profile for each service.

[0068] S5 (Task Allocation and Awareness): If the maximum tolerable latency of a task... Small tasks containing critical control links are marked as local tasks; other tasks are classified according to the set of candidate execution nodes. Select nodes within the same region or those that allow cross-region selection; swap the perception vectors of candidate nodes. Complete distributed sensing.

[0069] S6 (Unload + Resource Allocation + Execution Feedback): Predicts resource availability and filters infeasible nodes; MDP / RL outputs unload mapping; optimizes the amount of CPU resources available for output nodes through convex optimization. Available node bandwidth resources Execute service flows and record interception rate, false alarm rate, end-to-end latency, and business impact metrics; update graph weights and policy thresholds.

[0070] Figure 4 This is a schematic diagram of the temporal security knowledge graph structure provided in the embodiments of this application, such as... Figure 4 As shown, asset information, identity credentials, security event logs, security zone division rules, and channel configurations from the industrial edge platform are collected and instantiated into corresponding node types. Based on communication logs, access policies, and event tracing results, four types of edges are established according to linear rules, and edge weights are uniformly assigned. This forms the initial graph. The node states and edge weights are updated in real-time within a preset time window (e.g., 5 minutes). When a new alarm event is added, an event node is instantiated and a control dependency edge is established; when communication traffic changes, the weights of the communication association edge and the cross-regional channel edge are updated; when permissions change, the weights of the access control edge are updated.

[0071] When the event node "Unauthorized access to PLC" is triggered: Locate the associated identity node (operator account A) and asset node (PLC-01) along the control dependency edge; Query the security zones and channel nodes accessible to account A along the access control edge to identify the scope of permissions; Assess the possibility of risk spreading to other security zones through the cross-zone channel along the communication association edge and cross-zone channel edge; Output a situation score and risk label based on the assessment results to provide decision-making basis for the security policy generation module.

[0072] Figure 5 This is an industrial internet edge security policy generation and service flow mapping architecture diagram provided in the embodiments of this application. The diagram shows the complete autonomous process from security situation awareness to executable security service flow, including the following core modules: Security policy generation module: taking situation score and risk label set as input, generating the optimal security policy based on utility function; Policy-service mapping module: parsing and mapping the abstract security policy into an executable security service flow DAG.

[0073] Security Service Flow DAG: Arranges four types of security services in sequence: authentication, access control, deep protocol inspection, and isolation policy, and marks the resource requirement profile of each service.

[0074] Deploy the security policy generation module and configure the input interface to receive situational assessments from the time-series security knowledge graph. With risk label set.

[0075] The deployment strategy—service mapping module predefines security service libraries and resource requirement templates, establishing mapping rules from policy semantics to security services. It defines a utility function to quantitatively evaluate the overall effectiveness of security policies under executed actions. When a risk event of "unauthorized access to production PLC" is detected, the security policy generation module obtains the current situation score and risk label set.

[0076] The system iterates through the candidate security policy set, calculates the comprehensive utility value of each policy based on a utility function, and selects the policy with the highest utility value as the optimal security policy. For example, the optimal policy might be: "Perform authentication → access control → deep protocol inspection → isolation and disposal on the target PLC." The policy-to-security service flow mapping module receives the optimal security policy, parses its semantics, and matches it with the corresponding service instances in the security service library: authentication, access control, deep protocol inspection, and isolation policy. A security service flow DAG is constructed according to the disposal logic order, clarifying the dependencies between services: authentication must be completed first, then access control, followed by deep protocol inspection, and finally, isolation policy execution.

[0077] Bind a predefined resource requirement profile to each service: Authentication: Low CPU, Low Memory, Medium Latency; Access Control: Medium CPU, Medium Memory, Low Bandwidth; Protocol Deep Inspection: High CPU, High Memory, High Bandwidth, High Latency; Isolation Policy: Low CPU, Low Memory, Extremely Low Bandwidth. The generated security service flow DAG is output to the edge resource scheduling module. The scheduling module generates offloading decisions and resource allocation schemes based on the resource demand profiles of each service and the real-time resource status of edge nodes, thus completing the autonomous execution of the security policy.

[0078] Figure 6 This is a schematic diagram of a security service flow DAG provided in an embodiment of this application, such as... Figure 6 As shown, the service node contains five security services executed sequentially: authentication, access control, protocol detection, intrusion prevention, and data encryption, forming a directed acyclic graph (DAG). Subsequent services can only be started after the preceding services are completed.

[0079] Resource profile: Each service node is associated with four types of resource requirements: CPU requirements, memory requirements, bandwidth requirements, and maximum tolerable latency.

[0080] The security service flow DAG is constructed based on security policy semantics, decomposing abstract handling logic into sequentially dependent security service instances to form a complete security handling chain. For example, when an "unauthorized access" risk is detected, the security policy is mapped as follows: first perform authentication, then access control, followed by protocol detection and intrusion prevention, and finally perform data encryption to ensure data security. The services strictly follow the sequential execution logic.

[0081] Resource requirements are predefined and quantified for each security service, forming a clear resource profile: Authentication: low CPU, low memory, low bandwidth, medium latency tolerance; Access control: medium CPU, medium memory, medium bandwidth, medium latency tolerance; Protocol detection: high CPU, medium memory, low bandwidth, medium latency tolerance; Intrusion prevention: low CPU, low memory, low bandwidth, high latency tolerance; Data encryption: low CPU, low memory, low bandwidth, medium latency tolerance. Resource constraint propagation is based on the sequential dependency relationship of DAG, which summarizes the resource requirements and latency constraints of each service and propagates them to the edge resource scheduling module: Aggregate the CPU, memory, and bandwidth requirements of all services to form the overall resource requirements of the security service flow; The maximum tolerable latency of each service is summed to obtain the end-to-end global latency constraint, which serves as the core basis for resource scheduling.

[0082] The resource scheduling and execution edge resource scheduling module generates reasonable offloading decisions and resource allocation schemes based on overall resource requirements and latency constraints, combined with the real-time resource status of edge nodes: scheduling services with high CPU requirements (such as protocol detection) to edge nodes with sufficient computing power; scheduling services with high bandwidth requirements (such as access control) to link nodes with sufficient bandwidth; ensuring that the execution latency of a single service does not exceed its maximum tolerable latency, while satisfying end-to-end global latency constraints, and ultimately completing the autonomous execution of the secure service flow.

[0083] Figure 7 This is a schematic diagram of distributed perception and unloading decision-making in the unloading environment provided in an embodiment of this application, such as... Figure 7 The diagram illustrates the complete process of edge node resource awareness, information interaction, and offloading decision-making: Edge nodes: There are 3 edge nodes (3a, 3b, 3c). Each node perceives its own resource status in real time, forms resource perception information, and realizes information exchange between nodes through distributed perception.

[0084] Unloading Decision Module: Based on the resource awareness information reported by each edge node, the Markov Decision Process / Reinforcement Learning (MDP / RL) method is used to generate unloading task allocation and execution instructions, which are then sent to the corresponding edge nodes.

[0085] Interaction relationship: Edge nodes report resource status to the decision module, the decision module issues unload commands to edge nodes, and at the same time, edge nodes share resource information to achieve distributed perception.

[0086] Edge node resource awareness: Each edge node collects and generates its own resource awareness information in real time, including the following core dimensions: CPU availability, memory availability, bandwidth availability; task queuing latency, link transmission latency; node trustworthiness (characterizing the node's reliability and security status).

[0087] For example, edge node 3a perceives that its CPU availability is high, queuing latency is short, and trustworthiness is good, thus forming a complete resource status description.

[0088] Distributed sensing information exchange: Edge nodes share their own resource sensing information through point-to-point communication. Edge nodes 3a and 3b, and 3b and 3c exchange resource states with each other to achieve distributed synchronization of the global resource view; Only necessary resource dimensions are synchronized between nodes (e.g., node 3c mainly synchronizes bandwidth and latency information to 3b, and node 3a mainly synchronizes CPU, memory and trust information to 3b), reducing communication overhead.

[0089] Resource awareness information reporting: Each edge node reports its complete resource awareness information, or key dimension information extracted as needed, to the offloading decision module: edge nodes 3a and 3c report full resource awareness information; edge node 3b only reports core computing resource information such as CPU availability and memory availability; the reported information together constitutes the global status input of the decision module.

[0090] The unloading decision generation module makes decisions based on global resource status information and uses MDP / reinforcement learning methods. The resource status, latency, and reliability of each edge node are used as state inputs; Choose either "Execute the task locally" or "Unload the task to a specific edge node" as the action. Taking into account objectives such as resource utilization, task latency, and node reliability, the optimal unloading decision is output.

[0091] For example, tasks with high CPU requirements can be offloaded to edge nodes 3a with high CPU availability, and bandwidth-sensitive tasks can be offloaded to edge nodes 3c with ample bandwidth.

[0092] The uninstallation decision module sends the generated uninstallation task allocation and execution instructions to the corresponding edge nodes. The instructions specify the task to be uninstalled, the target execution node, and the resource allocation requirements. After receiving the instructions, the target edge node loads the task and allocates the required resources to complete the task execution. During the execution process, the resource status is updated in real time to provide a basis for the next round of perception and decision-making.

[0093] Figure 8 This is a schematic diagram of joint resource allocation and degraded autonomous mode switching provided in the embodiments of this application, such as... Figure 8 As shown, the resource allocation logic and mode switching mechanism of edge nodes in normal mode and degraded autonomous mode are illustrated: Normal mode: Centered on joint resource allocation, task scheduling and resource allocation are completed under node resource constraints.

[0094] Mode switching: When the preset trigger conditions are met, the system switches from normal mode to degenerate autonomous mode.

[0095] Degraded Autonomous Mode: Within the security zone, simplified service flows and degraded security mechanisms are employed to ensure the continuity of core business operations.

[0096] Normal Mode: The joint resource allocation system initially runs in normal mode, where the joint resource allocation module uniformly schedules the computing and communication resources of edge nodes 3a and 3b. Node resource constraints: Each node must meet the following constraints: The total CPU usage of all tasks does not exceed the node's CPU limit; The total bandwidth usage of all tasks does not exceed the node's bandwidth limit. The execution latency of a single task shall not exceed the maximum tolerable latency of that task.

[0097] Resource allocation execution: The joint resource allocation module allocates tasks to appropriate nodes based on task requirements and node status, ensuring that resource utilization and task latency are optimized while meeting constraints.

[0098] The mode switching trigger detection system monitors the operating status in real time. When any of the following trigger conditions are met, it automatically switches from normal mode to degraded autonomous mode: cloud connection remains unreachable for more than a preset duration; inter-node link quality is lower than the minimum threshold; node CPU availability is lower than the minimum threshold.

[0099] For example, when edge node 3a is disconnected from the cloud for more than a preset time, the system triggers a mode switch.

[0100] Degraded Autonomous Mode: After the core business security of the security zone enters the degraded autonomous mode, the system executes the following mechanisms within the security zone (nodes 3a and 3b in the same zone): Simplify service flow: retain only core security services and business processes, cut unnecessary security detection steps, and reduce resource consumption.

[0101] Degraded security mechanisms: Enable lightweight security mechanisms such as read-only degradation, two-factor authentication, and session re-authentication to minimize the impact on business continuity while ensuring basic security.

[0102] Local autonomous operation: All decisions and executions are completed within the secure zone, without relying on the cloud or cross-regional links, ensuring the continuous operation of core businesses in resource-constrained or network anomaly scenarios.

[0103] When the cloud becomes accessible again, link quality recovers, and node resources are sufficient, the system automatically switches back from the degraded autonomous mode to the normal mode, restoring complete federated resource allocation and full security service flow.

[0104] Industrial Internet / Industrial Control Systems (ICS) often face practical constraints under "cloud-edge-device" collaborative conditions, such as limited edge resources, link fluctuations (weak network / network outages), and regionalization and security level compliance requirements. To verify the advantages of the "edge security autonomy" of this invention compared to existing technologies under these constraints, this embodiment uses publicly available industrial datasets and benchmarks as references, conducting comparative verification focusing on solution feasibility, detection / response effects, and the continuity of weak network autonomy. Security and availability constraints for Industrial Control Systems can refer to NIST's engineering requirements for ICS security.

[0105] Deployment configuration: cloud-based secure orchestration / model training nodes + multiple edge nodes (industrial gateways / edge servers) + field devices / simulation sources.

[0106] Network conditions: Set two types of conditions: normal network and weak / disconnected network (e.g., through bandwidth limiting, packet loss and latency injection).

[0107] Data source: SWaT / WADI: A dataset for detecting multivariate temporal anomalies in typical industrial water treatment / distribution systems (used to verify the effectiveness of industrial control system anomaly / attack detection).

[0108] Edge-IIoTset: IIoT / Industrial Internet of Things Intrusion Detection Dataset (used to verify the effectiveness of network-side attack identification).

[0109] ToN_IoT: A multi-source intrusion detection dataset for IoT / IIoT in edge / fog / cloud environments (used to validate lightweight detection and generalization at the edge).

[0110] This embodiment selects three types of existing technologies for comparison with the method of the present invention: Existing technology A: Cloud-centralized security orchestration / centralized detection solution, which relies on cloud-generated strategies and unified distribution. The edge side mostly works as a fixed agent / rule executor, executing the strategies distributed from the cloud. It is suitable for scenarios with stable networks, reliable links, and insufficient edge resources to support detection inference.

[0111] Key drawbacks: Strong reliance on cloud-edge links; policy delivery and transmission are hindered during weak / outage network conditions, easily leading to unreachable detection or response, and insufficient autonomous continuity; under regionalized and security compliance requirements, unified cloud policies struggle to perceive heterogeneous edge resources and on-site constraints in real time, easily resulting in configurations that are "theoretically feasible but not practically feasible"; in industrial control systems, reliability and real-time performance must be balanced, and cloud dependence presents inherent uncertainty risks in high real-time closed-loop scenarios, which can be referenced in NIST's emphasis on ICS security and engineering constraints.

[0112] Existing technology B: Edge rule / threshold driven local protection solution, which realizes local detection and response through expert rules, thresholds, whitelists, fixed service chains, etc.; it is simple to implement, highly interpretable, and has low deployment cost; it can be quickly deployed under fixed working conditions with latency / throughput as the optimization goal, but it lacks the expression of regional domains and security level constraints, which may result in non-compliant and unusable solutions.

[0113] Core shortcomings: Thresholds / rules require manual maintenance and are difficult to update adaptively with situation and load; when faced with multiple constraints such as "resource capacity, link quality, regional compliance, and security level compliance", rule conflicts (e.g., both local closed loop and forced cloud migration) or false triggers are likely to occur; when complex industrial control timing anomalies (weak signals, slow drift) and multiple types of attacks coexist, simple rules may lead to false negatives / false positives, and there is a lack of cross-domain collaboration and degradation mechanisms.

[0114] Existing technology C: Performance-oriented offloading / scheduling scheme, which aims to offload tasks or schedule resources with the core objectives of "minimum latency, maximum throughput, and minimum energy consumption"; it can alleviate the lack of edge computing power to a certain extent and improve the response speed under peak load; the algorithm is mature and easy to integrate with edge computing frameworks.

[0115] Key flaws: The lack of explicit expression and verification mechanisms for compliance constraints such as regional division and security level may lead to unusable solutions such as cross-domain communication and security level gaps; treating security services as ordinary tasks ignores the industrial constraint that critical security services must be local closed-loop, resulting in insufficient continuity under weak network / network outage conditions; even if the detector indicators are high, the overall protection may fail due to the infeasibility of the scheduling scheme.

[0116] The method of this invention: It unifies the modeling of regional domains, security levels, resource capacity, link quality, and key service closed-loop requirements into a set of constraints to form a feasible domain, and the output solution is feasible; in the deployment phase, it obtains edge security service deployment that meets the constraints through constraint processing (feasible domain guidance / penalty function idea); in the operation phase, it automatically switches to the minimum necessary security service set / summary reporting / downsampling and other actions when the network is weak / disconnected through collaborative offloading and degradation strategies, to ensure the continuity of autonomy; the advantage does not rely on a larger and heavier model, but is reflected in the improvement of system-level "feasibility, continuity and compliance".

[0117] Experimental Design 1) Comparison of detection / recognition performance: Representative baseline metrics (F1 or Accuracy) from publicly available literature are selected on public datasets as a reference to illustrate "baseline levels and differences on similar tasks".

[0118] 2) Feasibility Comparison Based on Constraints: For the deployment / unloading solutions output by each method, check whether they meet the requirements for resource capacity, link constraints, regional / security level compliance, and local closed-loop requirements for critical services in weak network conditions, and calculate the "Solution Feasibility Rate". (This section uses statistical results from engineering platforms or simulations for illustrative purposes.) 3) Comparison of Autonomous Continuity under Weak Network / Outage Conditions: Statistics are compiled on indicators such as the uninterrupted rate of critical security services or continuous runtime under weak network / outage conditions. (These values ​​are also from an example project and are used for illustration.) Figure 9 These are comparative experimental analysis tables and graphs provided in the embodiments of this application, such as... Figure 9As shown, at the level of public datasets, public research on SWaT / WADI reveals that invariant rule-based methods show a certain F1 improvement trend compared to strong baselines, with a more significant improvement in recall. Public results from Edge-IIoTset and ToN-IoT further demonstrate that the detector itself can achieve high accuracy or F1. However, in industrial internet implementation scenarios, detection metrics alone are insufficient to support "usable and compliant" online protection: cloud-centralized solutions lack autonomous continuity under weak network / network outage conditions, rule-based threshold solutions are prone to conflicts or false triggers due to resource and situational changes, and performance-oriented offloading solutions may output infeasible solutions such as out-of-domain or security level gaps. In contrast, this invention unifies resource capacity, link quality, partitioning and domaining, and security level into feasible domain constraints, and combines degradation triggering mechanisms and minimum closed-loop service sets to maintain a higher level of feasibility and weak network continuity, thereby demonstrating stronger engineering feasibility and autonomous stability.

[0119] In summary, based on the detection / identification capabilities referenced in publicly available datasets, this invention further enhances the system from the perspectives of system-level constraint satisfaction and the continuity of weak network autonomy: under a unified constraint set, the feasibility rate of the output scheme and the uninterrupted service rate of critical weak network services can both maintain higher levels (exemplary statistics are 0.92 and 0.90, respectively), thereby overcoming existing technical problems such as cloud dependence, rule conflicts, and lack of compliance constraints, and realizing a closed-loop edge security autonomy for the Industrial Internet. It can be deployed in edge gateways, edge computing boxes, industrial security isolation devices, industrial control firewalls / audit equipment, etc., to achieve on-site security autonomy and collaborative protection for the Industrial Internet, possessing broad industrial applicability.

[0120] The industrial internet edge security autonomous method provided in this application can be executed by an industrial internet edge security autonomous device. This application uses the execution of the industrial internet edge security autonomous method by an industrial internet edge security autonomous device as an example to illustrate the industrial internet edge security autonomous device provided in this application.

[0121] This application also provides an industrial internet edge security autonomous device, such as... Figure 10 As shown, the industrial internet edge security autonomous device includes: an acquisition module 1010, a first processing module 1020, a second processing module 1030, a third processing module 1040, a fourth processing module 1050, and a fifth processing module 1060.

[0122] The acquisition module 1010 is used to acquire multi-source time-series security data from the edge of the industrial internet system during the entire process of data flow and control closed loop. The first processing module 1020 is used to preprocess the multi-source time-series security data and model edge features to obtain a window feature matrix. The second processing module 1030 is used to construct a temporal security knowledge graph based on the window feature matrix, perform temporal association reasoning based on the temporal security knowledge graph, and obtain regional security situation results. The regional security situation results include situation score, risk label set and confidence level. The third processing module 1040 is used to generate a security policy based on the regional security situation results, and to map the security policy into an executable security service flow through policy parsing. The fourth processing module 1050 is used to perform task division and collaborative orchestration on the security service flow to obtain the divided security service flow; The fifth processing module 1060 is used to generate an offloading decision and resource allocation scheme based on a resource occupancy prediction model, execute the partitioned security service flow on the edge side of the industrial internet system based on the offloading decision and resource allocation scheme, obtain execution effect feedback, update the temporal security knowledge graph based on the execution effect feedback, and obtain the updated temporal security knowledge graph to achieve a security self-governance closed loop.

[0123] The industrial internet edge security autonomous method provided in this application constructs a full-process autonomous architecture encompassing multi-source temporal security data perception, knowledge graph reasoning, policy generation, service flow orchestration, task offloading, and on-site execution. This reduces dependence on cloud links and compensates for the weak adaptability and coarse decision-making of rule-based edge solutions. By introducing a degraded autonomous mode, it ensures uninterrupted core business operations even in weak network, network outage, or resource-constrained scenarios, achieving a comprehensive upgrade of industrial internet edge security protection in terms of real-time performance, reliability, and resilience. It is applicable to industrial control network security protection, edge computing security scheduling, industrial IoT anomaly detection, and critical infrastructure security autonomous systems.

[0124] The industrial internet edge security autonomous device provided in this application embodiment can achieve... Figures 1 to 9 The various processes implemented in the embodiment of the Industrial Internet edge security autonomous method will not be described in detail here to avoid repetition.

[0125] In some embodiments, such as Figure 11 As shown, this application embodiment also provides an electronic device 1100, including a processor 1101, a memory 1102, and a computer program stored on the memory 1102 and executable on the processor 1101. When the program is executed by the processor 1101, it implements the various processes of the above-described industrial internet edge security autonomous method embodiment and can achieve the same technical effect. To avoid repetition, it will not be described again here.

[0126] It should be noted that the electronic devices in the embodiments of this application include the mobile electronic devices and non-mobile electronic devices described above.

[0127] This application also provides a non-transitory computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it implements the various processes of the above-described industrial internet edge security autonomous method embodiments and achieves the same technical effect. To avoid repetition, it will not be described again here.

[0128] The processor is the processor in the electronic device described in the above embodiments. The readable storage medium includes computer-readable storage media, such as computer read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk.

[0129] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the above-described industrial internet edge security autonomous method.

[0130] The processor is the processor in the electronic device described in the above embodiments. The readable storage medium includes computer-readable storage media, such as computer read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk.

[0131] This application also provides a chip, which includes a processor and a communication interface. The communication interface and the processor are coupled. The processor is used to run programs or instructions to implement the various processes of the above-described embodiments of the Industrial Internet Edge Security Autonomous Method, and can achieve the same technical effect. To avoid repetition, it will not be described again here.

[0132] It should be understood that the chip mentioned in the embodiments of this application may also be referred to as a device-level chip, device chip, chip device, or on-chip device chip, etc.

[0133] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element. Furthermore, it should be noted that the scope of the methods and apparatuses in the embodiments of this application is not limited to performing functions in the order shown or discussed, but may also include performing functions substantially simultaneously or in the reverse order, depending on the functions involved. For example, the described methods may be performed in a different order than described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.

[0134] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, can be embodied in the form of a computer software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk), and includes several instructions to cause a terminal (which may be a mobile phone, computer, server, or network device, etc.) to execute the industrial internet edge security autonomous method of the various embodiments of this application.

[0135] In the description of this application, "first feature" and "second feature" may include one or more of the features.

[0136] In the description of this application, "multiple" means two or more.

[0137] The embodiments of this application have been described above with reference to the accompanying drawings. However, this application is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other forms under the guidance of this application without departing from the spirit and scope of the claims, and all of these forms are within the protection scope of this application.

[0138] In the description of this specification, the references to terms such as "one embodiment," "some embodiments," "illustrative embodiment," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of this application. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.

[0139] Although embodiments of this application have been shown and described, those skilled in the art will understand that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of this application, the scope of which is defined by the claims and their equivalents.

Claims

1. An industrial internet edge security autonomous method, applied to at least one edge node in an industrial internet system, characterized in that, The method includes: Acquire multi-source time-series security data from the edge of an industrial internet system throughout the entire process of data flow and control closed loop; The multi-source temporal security data is preprocessed and edge feature modeled to obtain a window feature matrix; A temporal security knowledge graph is constructed based on the window feature matrix. Temporal association reasoning is performed based on the temporal security knowledge graph to obtain regional security situation results. The regional security situation results include situation score, risk label set and confidence level. Based on the regional security situation results, a security policy is generated, and the security policy is mapped into an executable security service flow through policy parsing; The security service flow is divided into tasks and coordinated for orchestration to obtain the divided security service flow; Based on the resource occupancy prediction model, an offloading decision and resource allocation scheme are generated. Based on the offloading decision and resource allocation scheme, the partitioned security service flow is executed at the edge of the industrial internet system to obtain execution effect feedback. Based on the execution effect feedback, the temporal security knowledge graph is updated to obtain the updated temporal security knowledge graph, so as to realize the security self-governance closed loop.

2. The industrial internet edge security autonomous method according to claim 1, characterized in that, The preprocessing and edge feature modeling of the multi-source temporal security data to obtain a window feature matrix includes: The multi-source time-series security data is cleaned by using a sliding window mean filter to obtain cleaned multi-source time-series security data. Linear interpolation is used to fill in the missing data of the cleaned multi-source time-series security data to obtain the completed multi-source time-series security data. Based on Z-score standardization, the completed multi-source temporal security data is standardized to obtain standard multi-source temporal security data. Time-series alignment is performed on standard multi-source time-series security data to obtain a window feature matrix.

3. The industrial internet edge security autonomous method according to claim 2, characterized in that, The process of constructing a temporal security knowledge graph based on the window feature matrix, performing temporal correlation reasoning based on the temporal security knowledge graph, and obtaining regional security situation results includes: Construct a node set and an edge set based on the window feature matrix; Construct a node attribute matrix based on the node set, and construct an edge weight matrix based on the edge set; Construct a time-series security knowledge graph based on node set, edge set, node attribute matrix, and edge weight matrix; Temporal correlation reasoning based on temporal security knowledge graphs yields regional security situation results. The temporal correlation reasoning includes at least one of rule-based reasoning, graph embedding reasoning, and temporal prediction reasoning.

4. The industrial internet edge security autonomous method according to claim 3, characterized in that, The generation of security strategies based on the regional security situation results includes: Based on the regional security situation results, an attack set and a defense set are obtained; Calculate the utility function based on the attack set and the defense set; Security policies are generated based on utility functions.

5. The industrial internet edge security autonomous method according to claim 4, characterized in that, The step of mapping the security policy into an executable security service flow through policy parsing includes: The security policy is mapped to a set of security services through policy parsing; Construct a service dependency graph based on a set of security services; Based on the service dependency graph, configure resource profiles to obtain executable and secure service flows.

6. The industrial internet edge security autonomous method according to claim 5, characterized in that, The process of dividing and orchestrating the security service flow to obtain the divided security service flow includes: The security service flow is partitioned using a heuristic binary search strategy to obtain the initial partitioned security service flow. Based on task real-time requirements, task dependencies, and edge node capability constraints, the initially partitioned security service flow is collaboratively orchestrated to obtain the partitioned security service flow.

7. The industrial internet edge security autonomous method according to claim 6, characterized in that, The generation of unloading decisions and resource allocation schemes based on the resource occupancy prediction model includes: The resource status and link status of candidate execution nodes are predicted based on the resource occupancy prediction model, and the prediction results are obtained. The unloading decision is obtained by modeling the prediction results using Markov modeling. Based on the unloading decision, a resource allocation scheme that satisfies the convex optimization objective is found.

8. An industrial internet edge security autonomous device, implemented using the industrial internet edge security autonomous method according to any one of claims 1 to 7, characterized in that, The device includes: The acquisition module is used to acquire multi-source time-series security data from the edge of the industrial internet system throughout the entire process of data flow and control closed loop. The first processing module is used to preprocess and model edge features of the multi-source time-series security data to obtain a window feature matrix; The second processing module is used to construct a temporal security knowledge graph based on the window feature matrix, perform temporal association reasoning based on the temporal security knowledge graph, and obtain regional security situation results. The regional security situation results include situation score, risk label set and confidence level. The third processing module is used to generate a security policy based on the regional security situation results, and to map the security policy into an executable security service flow through policy parsing. The fourth processing module is used to perform task division and collaborative orchestration on the security service flow to obtain the divided security service flow; The fifth processing module is used to generate offloading decisions and resource allocation schemes based on resource occupancy prediction models, execute the partitioned security service flow on the edge side of the industrial internet system based on the offloading decisions and resource allocation schemes, obtain execution effect feedback, update the temporal security knowledge graph based on the execution effect feedback, and obtain the updated temporal security knowledge graph to achieve a security self-governance closed loop.

9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the Industrial Internet Edge Security Autonomous Method as described in any one of claims 1 to 7.

10. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the Industrial Internet Edge Security Autonomous Method as described in any one of claims 1 to 7.