Special area anti-crossing internet of things terminal security access method and device
By collecting access authentication information and communication traffic characteristics of IoT terminals, establishing device identity profiles, identifying certificate trust decay gradients, and performing collaborative management and control configuration, the risk of protocol degradation of IoT terminals and the problem of cross-device authentication trust transmission are solved. This enables the identification of low-intensity continuous drift attacks and the precise location of command links, ensuring the accuracy and coverage integrity of secure access decisions.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGDONG HUASHU TECH CO LTD
- Filing Date
- 2026-04-21
- Publication Date
- 2026-07-14
AI Technical Summary
The risks include protocol downgrade due to differences in IoT terminal firmware versions, chain security risks caused by cross-device authentication trust transmission, difficulty in accumulating and identifying low-intensity continuous drift attacks, and inability to locate the cause-and-effect break in the command link.
By collecting access authentication information and communication traffic characteristics of front-end devices, device identity profiles are established, certificate trust attenuation gradients are extracted, authentication benchmark domains are generated, authentication risk transmission analysis and collaborative management configuration are performed, authentication drift and communication anomalies are identified, command causal breaks are detected, and differentiated access decisions are implemented.
It achieves firmware-level degradation resistance verification for IoT terminals, identifies cross-device collaborative attacks, accurately locates causal breaks in the command chain, ensures the accuracy and coverage integrity of secure access decisions, and avoids false blocking and resource waste.
Smart Images

Figure CN122394886A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of Internet of Things (IoT) security technology, and in particular to a method and apparatus for secure access of IoT terminals in special areas to prevent cross-border access. Background Technology
[0002] IoT security is a core component of network protection systems in special areas. Front-end terminal firmware versions deployed in these areas vary significantly, and some terminals possess compatibility logic that allows them to fall back to lower-version authentication protocols. Attackers can exploit this to allow terminals to continuously access the network with a downgraded identity. Existing IoT security mechanisms generally lack the ability to proactively detect the boundaries of terminal firmware resistance, making it difficult to identify potential downgrade vulnerability carriers during the access phase. The authentication dependencies between devices form mutually coupled trust links under complex networking conditions. The continuous deterioration of the authentication status of a single terminal can affect adjacent devices through trust propagation, and the stability of the overall security boundary cannot be guaranteed solely by the independent static certificate verification of each device.
[0003] Existing access control schemes mostly rely on fixed admission rules to perform single-time authentication, lacking continuous tracking of the temporal evolution of terminal authentication behavior over multiple authentication cycles. Low-intensity, persistent drift attacks often remain outside the scope of access control because individual deviations do not exceed alarm thresholds. When attacks are launched in a cross-device coordinated manner, the correlation between abnormal cross-device communication behavior and authentication state drift cannot be jointly assessed, and there is a lack of dynamic verification methods to determine whether the causal link of commands has been interfered with. As a result, control responses struggle to complete targeted, coordinated blocking deployments before the attack pattern is clearly defined. Summary of the Invention
[0004] This invention discloses a method and device for secure access of IoT terminals in special areas to prevent cross-device attacks. It aims to solve problems such as protocol degradation risks caused by differences in firmware resistance of IoT terminals, chain security risks caused by cross-device authentication trust transmission, difficulty in accumulating and identifying low-intensity continuous drift attacks, and inability to locate causal breaks in command links. It achieves this by establishing firmware-level degradation resistance verification and authentication benchmark domain, analyzing cross-device risk transmission and constructing collaborative management and control configuration, identifying collaborative combination patterns of authentication drift and communication anomalies, detecting causal breaks in commands and defining the scope of linkage blocking, and finally outputting differentiated access decision results covering all devices in the region.
[0005] The first aspect of this invention proposes a method for secure access of IoT terminals in special areas to prevent cross-border access, comprising the following steps:
[0006] Collect access authentication information and communication traffic characteristics of front-end devices, and establish a device identity profile based on the device identifier associated with the access authentication information and the communication traffic characteristics;
[0007] The certificate trust attenuation gradient of the device identity file is extracted to form an authentication benchmark domain. The authentication benchmark domain is analyzed to generate a risk transmission matrix. The risk transmission matrix is used to define the control boundary linkage and establish a collaborative control configuration.
[0008] The access authentication information is processed to extract identity features to form an authentication sequence. The authentication sequence is then parsed to generate a drift vector. Based on the drift vector and the communication traffic features, collaborative anomaly combination pattern recognition is performed to generate an access risk benchmark.
[0009] The communication traffic characteristics are subjected to traffic rhythm anomaly detection to generate abnormal traffic parameters. Based on the communication traffic characteristics, time-series dynamic tracking is performed to generate a communication state sequence. According to the collaborative management and control configuration, the communication state sequence is subjected to instruction causal break detection to generate risk location results.
[0010] The risk location results are matched with the abnormal traffic parameters to identify risky devices based on threat features. The scope of the blocking is determined by linking the risky devices with the access risk benchmark to generate a security control value. Based on the security control value, a differentiated access policy is matched to generate an access decision result.
[0011] A second aspect of the present invention provides a secure access device for IoT terminals in special areas to prevent cross-border access, comprising:
[0012] The data acquisition module is used to collect access authentication information and communication traffic characteristics of the front-end device, and establish a device identity profile based on the device identifier associated with the access authentication information and the communication traffic characteristics.
[0013] The benchmark establishment module is used to extract the certificate trust attenuation gradient of the device identity file to form an authentication benchmark domain, perform authentication risk transmission analysis on the authentication benchmark domain to generate a risk transmission matrix, and use the risk transmission matrix to delineate the control boundary linkage and establish a collaborative control configuration.
[0014] The risk assessment module is used to extract identity features from the access authentication information to form an authentication sequence, perform role drift parsing on the authentication sequence to generate a drift vector, and perform collaborative abnormal combination pattern recognition based on the drift vector and the communication traffic features to generate an access risk benchmark.
[0015] The detection and analysis module is used to perform abnormal traffic rhythm detection on the communication traffic characteristics to generate abnormal traffic parameters, perform time-series dynamic tracking based on the communication traffic characteristics to generate a communication state sequence, and perform instruction causal break detection on the communication state sequence according to the collaborative management and control configuration to generate risk location results.
[0016] The decision output module is used to perform threat feature matching to identify risky devices based on the risk location results and the abnormal traffic parameters, define the linkage blocking range based on the risky devices and the access risk benchmark to generate security control values, and generate access decision results based on the security control values and differentiated access strategies.
[0017] The beneficial effects of this invention are reflected in the following points: First, by actively initiating authentication protocol downgrade induction and combining it with multi-round progressive failure analysis of rejection behavior in communication traffic, a precise positioning mechanism for firmware-level resistance boundaries is established. This solves the blind spot in traditional solutions that cannot distinguish between devices with genuine resistance and those with hidden downgrade vulnerabilities based solely on a single authentication result. Furthermore, the difference in resistance levels is transformed into a certificate trust decay gradient and expanded into an authentication benchmark domain in network topology coordinates. The diffusion intensity of trust drop across devices to neighboring devices is quantified through a transmission influence coefficient, enabling a structured description of cross-device authentication trust link risks before the establishment of collaborative management and control configuration. This fundamentally solves the limitation of existing solutions in lacking quantitative modeling of authentication coupling relationships between devices. Second, low-intensity continuous drift attacks, which evade detection for extended periods due to single deviations not exceeding alarm thresholds, are one of the core challenges in protecting IoT access in special areas. By introducing drift acceleration critical point identification and cross-device drift timing convergence detection, the synchronous drift surges of multiple devices occurring at similar times are identified as a timing coordination feature of coordinated attacks. Furthermore, the weighted integration of convergence critical points highlights the dominant contribution of the post-critical acceleration phase to the combined risk coefficient, creating a quantifiable difference in risk level between coordinated attack devices and ordinary drifting devices. This addresses the identification deficiency in existing solutions where cross-device coordinated drift attacks are underestimated due to weak individual signals. Finally, existing solutions generally lack targeted blocking capabilities after the command link is attacked. This invention precisely locates the command breakpoint to a specific causal pair through causal chain reverse penetration verification. Combined with the identification of the minimum truncation node in the propagation path graph and blocking reachability verification, it avoids false blocking of devices outside the propagation path while completely blocking the infection propagation path. The penetration weakness location of inter-layer gradient sequences and cross-layer collaborative compensation analysis further bridge the gap in blocking strength in inter-layer transition sections, ensuring that the coordinated blocking range at the topological level has neither path omissions nor resource waste, achieving coordinated protection of blocking accuracy and coverage integrity. Attached Figure Description
[0018] Figure 1 This is a flowchart illustrating a method for secure access to IoT terminals in a special area to prevent cross-border access, as proposed by the present invention.
[0019] Figure 2 This is a structural block diagram of a special area anti-crossing IoT terminal security access device according to the present invention. Detailed Implementation
[0020] In the following description, specific details such as particular system architectures and techniques are set forth for illustrative purposes and not for limitation, in order to provide a thorough understanding of the embodiments of this application. However, those skilled in the art will understand that this application may also be implemented in other embodiments without these specific details. In other instances, detailed descriptions of well-known systems, apparatuses, circuits, and methods have been omitted so as not to obscure the description of this application with unnecessary detail.
[0021] References to "one embodiment" or "some embodiments" as described in this specification mean that one or more embodiments of this application include a specific feature, structure, or characteristic described in connection with that embodiment. Therefore, the phrases "in one embodiment," "in some embodiments," "in other embodiments," "in still other embodiments," etc., appearing in different parts of this specification do not necessarily refer to the same embodiment, but rather mean "one or more, but not all, embodiments," unless otherwise specifically emphasized. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless otherwise specifically emphasized.
[0022] The technical solutions of the embodiments of this application will be described below.
[0023] like Figure 1 As shown, this embodiment of the invention provides a method for secure access of IoT terminals in special areas to prevent cross-border access, including the following steps S11-S15:
[0024] Step S11: Collect access authentication information and communication traffic characteristics of the front-end device, and establish a device identity profile based on the device identifier associated with the access authentication information and communication traffic characteristics.
[0025] Specifically, the system collects access authentication information and communication traffic characteristics from front-end devices. Access authentication information collection begins with verifying the integrity of device certificates, extracting information layer by layer along the version negotiation record and identity credential response sequence during the authentication protocol handshake process. Front-end devices deployed in different security level areas exhibit significant differences in authentication protocol versions and handshake interaction depth. High-security level front-end devices typically enforce two-way certificate verification, while some terminals in lower-security levels only support one-way authentication due to firmware version limitations. During the collection phase, the protocol version identifier and handshake interaction hierarchy must be fully preserved to distinguish the authentication modes of devices at different security levels. Communication traffic characteristics are collected based on the message interaction sequence of the front-end device during the access establishment phase. The collection window extends from the moment the device initiates the access request to the initial communication stabilization period after authentication. Traffic characteristics during the stabilization period reflect the baseline communication behavior of the device under normal authentication conditions. Front-end devices in the same physical location exhibit differentiated authentication interaction modes due to different firmware versions. During the collection phase, access authentication information and communication traffic characteristic records for each device must be established separately, indexed by the device identifier, to prevent individual differences from being masked during data merging of similar devices. After the access authentication information and communication traffic characteristics are collected, the two data streams are aligned on a unified time axis with the device identifier as the association key. If the alignment deviation exceeds half of the authentication handshake cycle, re-collection must be triggered instead of forced alignment.
[0026] In some embodiments, establishing a device identity profile based on the access authentication information and the device identifier associated with the communication traffic characteristics includes: performing authentication protocol downgrade induction on the access authentication information to generate a downgrade response feature set; extracting downgrade rejection behavior differences from the communication traffic characteristics to generate rejection behavior tags; performing firmware-level downgrade resistance verification on the downgrade response feature set and the rejection behavior tags to generate resistance verification records; and establishing a device identity profile based on the device identifier associated with the resistance verification records.
[0027] The authentication protocol downgrade is induced and a downgrade response feature set is generated based on the access authentication information. A downgrade negotiation command is inserted into the normal authentication handshake sequence to induce a downgrade of the authentication protocol. This actively tests the front-end device's acceptance of lower-version authentication protocols. If backward compatibility logic exists in the device firmware, the downgrade inducement command will trigger the device to switch to a lower version of the authentication protocol and re-initiate the handshake. This switching behavior is presented in the access authentication information as a mutation in the protocol version field. The execution of the downgrade inducement starts with the initial protocol version of each device in the access authentication information and attempts the next lower protocol version sequentially. After each downgrade attempt, the device's response latency, response message structure, and protocol field filling method are extracted. These three types of response features together constitute the original observations for this round of inducement. If any of the three features is missing, the corresponding round's downgrade response record is marked as incomplete. Incomplete records are retained in the downgrade response feature set but do not participate in the subsequent main determination of the resistance level. Devices with different firmware versions exhibit distinguishable differences in their response characteristics to the same downgrade command. A video surveillance terminal, when accepting a TLS 1.2 downgrade, showed a shorter response latency and complete protocol field filling. However, when facing a TLS 1.0 downgrade, the response message exhibited specific field truncation. The truncation location highly coincided with a known compatibility defect in the device's firmware version. This response characteristic was recorded in the downgrade response feature set, linked to the firmware version, providing a basis for firmware version tracing during the resistance verification recording phase. The downgrade response feature set summarizes the response feature sequences of each device across all downgrade attempt rounds, with one feature record corresponding to each device. This record includes the response latency distribution induced by each downgrade round. The completeness of the downgrade response feature set determines whether firmware-level downgrade resistance verification can cover the resistance boundaries of each device at different protocol layers.
[0028] Denial behavior labels are generated by extracting differences in downgrade rejection behavior from communication traffic characteristics. The protocol version field of traffic packets before and after downgrade induction is compared device-by-device to extract differences in rejection behavior. Devices with unchanged field values and continuous handshake sequences are considered to have actively rejected the downgrade, while those with changed field values or interrupted / restarted handshake sequences are considered to have accepted the downgrade. These two types of results are distinguished by rejection level in the rejection behavior label. The strength of the rejection behavior is not a binary judgment. Some devices reject the initial downgrade induction but switch protocols after multiple downgrade attempts. This gradual rejection failure shows a weakening trend in rejection behavior as the number of induction rounds increases during multi-round comparisons of communication traffic characteristics. For example, an access control terminal kept its protocol version field unchanged in the first three rounds of TLS downgrade attempts. After the fourth attempt, the handshake sequence restarted and switched to a lower version protocol. The rejection behavior label marked the fourth round as the critical failure round for this device. This label is used in the resistance verification recording stage to assess the actual firmware resistance boundary of the device under continuous attack pressure. Using only a single round of rejection results as the resistance judgment would overestimate the true protection capability of such devices. The ratio of devices that actively refuse to accept degradation in the rejection behavior label reflects the overall protocol degradation resistance level of the front-end devices in the current area. The failure critical round and rejection level are the core fields of the rejection behavior label, which together characterize the actual resistance strength and failure critical position of each device under continuous degradation pressure.
[0029] The degradation response feature set and rejection behavior labels are used to perform firmware-level degradation resistance verification to generate resistance verification records. The degradation response feature set characterizes the device's response pattern to degradation commands from an active testing perspective, while the rejection behavior labels record the strength of the device's rejection behavior in actual traffic from a passive observation perspective. The two mutually corroborate each other in firmware-level degradation resistance verification. Relying on either one alone may lead to misjudgments due to differences between test conditions and the actual environment. The verification process cross-compares the response latency distribution of each device in the degradation response feature set with the rejection level of the corresponding device in the rejection behavior labels. Device combinations with shorter response latency and higher rejection levels indicate that the firmware has a strong ability to identify and reject lower version protocols. Device combinations with longer response latency and progressive failure indicate that the firmware has lower version compatibility logic that has not been effectively disabled. The verification results are written into the resistance verification record in the form of resistance levels. Resistance levels are categorized into three types: complete resistance, conditional resistance, and lack of resistance. Complete resistance corresponds to devices that maintain active rejection and stable response characteristics throughout all downgrade rounds. Conditional resistance corresponds to devices that experience progressive failure in specific rounds. Lack of resistance corresponds to devices that switch protocols immediately upon the first downgrade induction. The resistance verification record simultaneously marks the firmware resistance boundary position of each device. The boundary position indicates the lowest downgrade protocol version that the device can still maintain a rejection state. Downgrade attempts below this version will trigger a protocol switch rather than continuous rejection. When the resistance boundary of a video capture terminal in a certain area is located at TLS 1.1, it means that the device will lose protocol protection capabilities when facing a TLS 1.0 downgrade attack. This boundary information is used during the device identity profile establishment phase to determine the lower limit of the device's authentication protocol security.
[0030] Device identity profiles are established based on the device identifier associated with the resistance verification records. After the resistance verification records are completed, the resistance level of each device is written into the risk attribute layer of the device identity profile according to the device identifier. The firmware resistance boundary position limits the lower limit of the protocol that each device can resist downgrade attacks. The progressive failure critical round quantifies the protection durability of each device under continuous attack pressure. Devices with different resistance levels correspond to differentiated risk attribute labels in the device identity profile. The risk attribute label of the device lacking resistance is written in the profile with the highest risk weight, the device with full resistance is written with the baseline risk weight, and the device with conditional resistance is assigned a value between the two based on the progressive failure critical round. The certificate trust level of each device in the device identity profile is initialized according to the resistance level in the resistance verification records. The initial certificate trust level of the device with full resistance is taken as the baseline upper limit value. The initial certificate trust level of the device with conditional resistance and the device lacking resistance is assigned a value that is downgraded according to the reciprocal relationship of the failure critical round. The numerical difference between the three initial values forms a quantifiable attenuation difference when each device enters the authentication baseline domain, so that the trust level attenuation trajectory of devices with different resistance levels presents a distinguishable gradient distribution from the initial moment. In a certain area, the resistance verification records of multiple devices all show that when progressive failure occurs in the same degradation round, the device identity file adds a batch firmware defect association label to the risk attributes of the corresponding device group. This label explicitly identifies the low version compatibility vulnerability risk of the group firmware version at the file level. The risk attributes of the batch associated devices have group-level identifiability in addition to individual labels.
[0031] Step S12: Extract the certificate trust attenuation gradient of the device identity file to form the authentication benchmark domain, perform authentication risk transmission analysis on the authentication benchmark domain to generate a risk transmission matrix, and use the risk transmission matrix to delineate the control boundary linkage and establish collaborative control configuration.
[0032] Specifically, the certificate trust decay gradient extracted from the device identity profile forms the authentication baseline domain. The certificate trust decay gradient characterizes the rate at which the initial certificate trust of each device decreases over time or due to the accumulation of abnormal authentication behavior. Devices with high decay rates constitute weak links in the authentication chain, and their rapid decline in certificate trust can easily have a transmission effect on the authentication status of adjacent devices. The extraction of the decay gradient starts from the initial certificate trust of each device in the device identity profile. Combined with the asymptotic failure critical rounds marked in the resistance verification records of the device identity profile and the firmware resistance boundary positions, the trust decay rate of each device is modeled. The decay gradient of fully resistant devices is initialized with a lower value, the decay gradient of conditionally resistant devices is set according to the reciprocal of the failure critical rounds, and the decay gradient of devices lacking resistance takes the highest initial value. The differentiated initial values of these three types of gradients reflect the physical differences in the decline of trust of each device under authentication pressure. The certificate trust attenuation gradient of each device in the same network area is not uniformly distributed in space. When multiple conditionally resistant terminals are deployed in the access control subnet of a certain special area, the local attenuation gradient of the subnet is generally high. However, when the video surveillance subnet is mainly composed of fully resistant devices, the attenuation gradient curve of the corresponding area is flat. The authentication benchmark domain expands the attenuation gradient of each device in the entire domain under the network topology coordinates, forming a spatial distribution of trust attenuation covering all front-end devices. High gradient areas are marked as authentication weak zones in the authentication benchmark domain. Continuous high gradient zones form spatial clustering characteristics in the authentication benchmark domain. The distribution pattern and spatial span of high gradient areas are preserved in the authentication benchmark domain in the form of a locatable topology marker.
[0033] A risk transmission matrix is generated by performing authentication risk transmission analysis on the authentication baseline domain. The transmission analysis starts with the attenuation gradient values of each device in the authentication baseline domain, and combines this with the authentication dependencies between devices recorded in the device identity profile. It evaluates the effect on the trust level of directly dependent devices after a device's trust level falls below a threshold. The extent to which the trust level of directly dependent devices is lowered depends on the strength of the dependency relationship and the attenuation gradient of the triggered device; the stronger the dependency relationship and the higher the attenuation gradient of the triggering device, the more significant the transmission effect. The risk transmission matrix uses device identifiers as row and column indices. Matrix element T_ij = α × D_ij × G_i records the transmission impact coefficient of device j in column j when the trust level of device i in row falls below the threshold. Here, D_ij is the normalized value of the authentication dependency relationship strength from device i to device j, G_i is the normalized value of the attenuation gradient of device i, and α is the transmission attenuation coefficient, calibrated based on the average hop count of authentication dependency links in the regional network topology. A higher T_ij indicates that the authentication risk of device i is more likely to trigger a chain reaction of trust level declines at device j. The access control server in a certain area simultaneously serves as the authentication dependency anchor for multiple front-end devices. The T_ij values for the rows corresponding to this server are generally high, meaning that if the server's trust level drops, all dependent devices it supports face significant transmission risks. Devices corresponding to rows with a high concentration of high T_ij values in the risk transmission matrix are prioritized for identification as critical transmission nodes during the control boundary linkage delineation phase. After the risk transmission matrix is generated, elements in the matrix whose T_ij values exceed a set transmission threshold constitute the effective transmission edge set. The density of the effective transmission edge set reflects the overall risk diffusion capability of the authentication baseline domain. Regions with high density correspond to the spatial clustering of high-value T_ij elements in the risk transmission matrix. The connectivity strength of the local transmission network in this region forms a quantifiable identification feature in the matrix structure.
[0034] In some embodiments, the step of using the risk transmission matrix to define the control boundary linkage and establish a collaborative control configuration includes: determining the degree of transmission isolation of each device based on the risk transmission matrix to generate a device isolation table; performing isolation gradient classification calibration on the device isolation table to generate a linkage rule table; configuring cross-device collaborative control triggering conditions based on the linkage rule table to form a triggering condition set; and aggregating and binding multi-device triggering strategies based on the triggering condition set to establish a collaborative control configuration.
[0035] Based on the risk transmission matrix, the degree of transmission isolation for each device is determined, generating a device isolation table. The degree of transmission isolation characterizes the reciprocal of the sum of the influence coefficients of other devices on a device in the risk transmission matrix. The lower the sum of the influence coefficients, the weaker the authentication dependency coupling between the device and other devices, the more marginal its position in the overall risk transmission link, and the higher its isolation level. Devices with high sums of influence coefficients are located at the core of the transmission network, have low isolation levels, and their authentication status changes are most tightly coupled with the overall transmission link. The device isolation table extracts the column sum of the influence coefficients of each device from the risk transmission matrix, S_j = ΣT_ij, where S_j is the column sum of the column containing device j, representing the total intensity of the transmission influence of other devices in the entire network on device j. The isolation metric is defined as I_j = 1 / (1+S_j). When I_j approaches 1, it indicates that the device is almost unaffected by transmission from other devices and is at the edge of the network topology; when I_j approaches 0, it indicates that the device is strongly dependent on and covered by multiple devices with high attenuation gradients and is at the core of the transmission. Devices with higher isolation metric values are marked as highly isolated nodes in the device isolation table. Highly isolated nodes are explicitly marked in the device isolation table with an isolation quantification value close to 1. An independent sensing terminal in a certain special area has an authentication dependency relationship with only a single aggregation node, so S_j is extremely low, causing I_j to approach 1. The device isolation table marks this terminal as a highly isolated node. The isolation quantification values of highly isolated nodes and lowly isolated nodes in the device isolation table form a polarization in numerical distribution. This distribution provides a quantifiable classification basis for subsequent isolation gradient classification.
[0036] An isolation degree gradient classification is implemented on the device isolation degree table to generate a linkage rule table. The isolation degree gradient classification divides the isolation degree quantification values of each device in the isolation degree table into three gradients: high, medium, and low. The classification boundaries are determined based on the global isolation degree distribution statistics of the device isolation degree table. A high isolation degree gradient corresponds to devices whose I_j is higher than the global mean plus one standard deviation; a low isolation degree gradient corresponds to devices whose I_j is lower than the mean minus one standard deviation; and devices between the two boundaries are classified as medium isolation degree gradient. The three isolation degree gradients correspond to differentiated linkage trigger logic in the linkage rule table. Low isolation degree gradient devices are at the core of the transmission network; when their trust degree falls below the threshold, the linkage rule table configures a broadcast trigger logic for them, simultaneously notifying all adjacent devices with valid transmission edges to enter a risk warning state. Medium isolation degree gradient devices are configured with directional trigger logic, sending linkage signals only to adjacent devices whose T_ij exceeds the transmission threshold. High isolation degree gradient devices are configured with self-trigger logic; abnormal events only trigger control responses at the device level and do not propagate linkage signals outwards. Each triggering logic in the linkage rule table also includes a triggering delay parameter. The broadcast triggering delay of low isolation gradient devices is set to the minimum value to ensure rapid diffusion response, while the self-triggering delay of high isolation gradient devices is set to a larger value to filter false triggers caused by short-term jitter. The triggering delay parameter is calibrated according to the progressive failure critical round of each device in the device identity file. The triggering delay of devices with low failure critical rounds is shortened accordingly. The differentiated triggering delay settings of the three types of isolation gradient devices enable the linkage rule table to form a response speed stratification between fast failure devices and high isolation devices.
[0037] Based on the linkage rule table, cross-device collaborative control trigger conditions are configured to form a trigger condition set. When the trigger logic of each device in the linkage rule table is converted into a trigger condition, the trigger source is locked by the trigger device identifier, the response range is determined by the set of linkage target devices, and the activation condition is defined by the trigger threshold. All three elements must be complete to be included in the trigger condition set. The trigger thresholds corresponding to devices with different trigger logic types in the linkage rule table have structural differences from the set of linkage target devices. Conditions with any missing element are marked as incomplete in the trigger condition set and are suspended from activation. The trigger threshold is determined jointly based on the attenuation gradient and isolation gradient of each device in the risk transmission matrix. Devices with high attenuation gradients and low isolation have lower trigger thresholds, meaning that a slight decline in the trust level of the device will trigger a linkage response. Devices with low attenuation gradients and high isolation have higher trigger thresholds to avoid unnecessary large-scale linkages caused by normal authentication fluctuations of such devices. The configuration of cross-device collaborative control trigger conditions must consider the risk of mutual activation between trigger conditions. If the broadcast trigger condition of a low-isolation device simultaneously includes multiple medium-isolation devices in the linkage target, and the directional trigger conditions of these medium-isolation devices point to the same batch of high-isolation devices, the cascading trigger may trigger a large-scale control response in a short period of time. The trigger condition set adds a maximum cascading depth constraint to the combination of conditions with cascading paths. When the cascading depth exceeds the constraint value, the subsequent level triggers are automatically downgraded to early warning notifications instead of active control. The maximum depth constraint of the cascading trigger path is embedded in the cascading path record of each condition in the form of annotations. The trigger condition set fully presents the cascading propagation link control characteristics of each condition at the structural level.
[0038] Multi-device trigger policy aggregation and binding is used to establish collaborative management and control configuration based on trigger condition sets. This aggregation and binding merges multiple trigger conditions covering the same set of linked target devices into a single aggregated trigger policy. The triggering logic of the aggregated policy is determined by the intersection of the most stringent trigger thresholds among the merged conditions. That is, the linkage response is only activated when all trigger devices covered by the aggregated policy meet their respective trigger thresholds. If a single device's trigger threshold is met while others are not, the aggregated policy enters a preparatory state instead of being executed directly. Aggregation binding avoids duplicate or conflicting control instructions from multiple independent trigger conditions on the same batch of target devices. When the trigger conditions of three access control terminals in a certain area all target the same access control server, the aggregation policy binds the trigger conditions of the three terminals into a joint trigger group. Only when all three terminals simultaneously meet their respective trigger thresholds will the server execute the highest level of access restriction. If a single terminal malfunctions, only the local downgraded authentication policy of that terminal is activated. This hierarchical activation mechanism effectively prevents single-point jitter from being amplified into a global response at the collaborative management and control configuration level. The collaborative management and control configuration is based on an ordered set of aggregation triggering strategies. Each strategy is arranged in descending order of the size of the target device set and the number of coverage transmission edges. Aggregation strategies with larger scale and more coverage of high-T_ij transmission edges are ranked first to ensure that the linkage response of high-risk transmission nodes completes parameter loading first. Each strategy in the collaborative management and control configuration is accompanied by a maximum cascading depth constraint. The constraint value is calibrated based on the average isolation quantification value of the triggering devices covered by each strategy. Strategies with low isolation correspond to the core device group of transmission, and the cascading depth constraint takes a smaller value to prevent the cascading response triggered by the core node from spreading infinitely.
[0039] Step S13: Extract identity features from access authentication information to form an authentication sequence; perform role drift parsing on the authentication sequence to generate a drift vector; and perform collaborative anomaly combination pattern recognition based on the drift vector and communication traffic features to generate an access risk benchmark.
[0040] Specifically, identity features are extracted from access authentication information to form an authentication sequence. Static feature values at a single authentication moment cannot reflect the gradual changes in the device certificate issuing authority level, authentication credential type, and credential validity remaining time between different authentication moments. The construction of the authentication sequence arranges the identity feature values of multiple authentication moments of the same device in chronological order, allowing the temporal variation patterns of various identity feature dimensions to be fully preserved in the sequence structure. Identity feature extraction is based on the authentication handshake records of each device in the access authentication information. The device certificate level code, credential type identifier, and normalized value of validity remaining time are extracted at each authentication moment. These three types of feature values are combined at the same moment to form the identity feature vector for that moment. The dimensions of the identity feature vector remain consistent across all devices to support cross-device comparisons for subsequent role drift analysis. In a certain region, the certificate level coding of environmental monitoring terminals remained stable in continuous authentication records. However, the normalized value of the remaining validity period of the certificates showed a continuous downward trend at recent authentication times. This trend was clearly presented as a diagonally changing feature vector sequence in the authentication sequence. In contrast, the authentication sequence of normally operating equipment typically showed a sawtooth pattern of periodic updates and rebounds in the remaining validity period dimension. The difference between these two patterns constitutes an important criterion for distinguishing between normal certificate aging and abnormal identity status drift during the role drift analysis stage. The authentication sequence is established in the form of a set of temporal identity feature vectors for each device. The sequence length covers all authentication times since the establishment of the device's identity file. When the sequence length is insufficient, the role drift analysis may have a short window for judging the drift trend. Therefore, the sequence must be extended after supplementary authentication information is collected before analysis.
[0041] Role drift analysis is performed on the authentication sequence to generate drift vectors. The core judgment of role drift analysis is whether the identity feature vectors of each device in the authentication sequence show a continuous displacement deviating from the initial role state in time sequence. The essential difference between drift and random fluctuation is that drift has a cumulative effect with consistent direction, while random fluctuation cancels each other out at multiple moments. The analysis process uses the mean of the identity feature vectors of each device in the authentication sequence at several initial authentication moments as the role reference point. The difference between the identity feature vector and the role reference point at each subsequent moment is calculated moment by moment. The continuity of the direction of the difference vector is measured by the cosine similarity of the difference vectors at adjacent moments. The time interval where the cosine similarity is continuously higher than the set direction consistency threshold is determined as the drift interval. The cumulative sum of the difference vectors at each moment within the drift interval constitutes the main direction and amplitude of the drift vector. The drift vector is described by three attributes: the main drift direction, the cumulative drift amplitude, and the drift start time for each device. The main drift direction reflects the feature dimension in which the identity feature vector has continuously shifted. For example, the main drift direction of a certain access control terminal is concentrated in the credential type identifier dimension, indicating that the authentication credential type of the device has continuously changed in recent authentications. The drift of the credential type from two-way certificate authentication to one-way authentication is a typical identity downgrade signal. For devices with a large drift vector amplitude and a start time that closely matches the firmware update time recorded in the device identity file, a firmware change association label is added to the drift vector. The firmware change association label distinguishes the drift features before and after the firmware update in the form of time markers in the drift vector, making the reasonable changes in identity features caused by normal firmware upgrades and the abnormal drifts induced by attacks distinguishable time boundaries at the drift vector level.
[0042] In some embodiments, the step of generating an access risk benchmark by performing collaborative anomaly combination pattern recognition based on the drift vector and the communication traffic features includes: extracting the degree of role deviation of the drift vector to establish a deviation feature set; performing role identity reverse spoofing recognition on the deviation feature set and the communication traffic features to generate associated anomaly patterns; performing low-intensity continuous drift accumulation assessment on the associated anomaly patterns to generate a combined risk coefficient; and performing risk level gradient mapping based on the combined risk coefficient to establish an access risk benchmark.
[0043] A deviation feature set is established by extracting the role deviation degree from the drift vector. The role deviation degree is comprehensively quantified from two dimensions: the cumulative amplitude of the drift vector and the main drift direction. The cumulative amplitude directly reflects the distance of the identity feature vector from the role's baseline point, while the main drift direction reveals which identity feature dimension the deviation occurs in. The two together constitute the deviation feature record of each device in the deviation feature set. The quantification of the deviation degree is calculated by weighting the normalized value of the cumulative amplitude of the drift vector and the feature dimension sensitivity of the main drift direction. The impact of the drift in the certificate level encoding dimension on the device's identity security level has a higher weight than that in the credential validity period remainder dimension. Therefore, the quantified deviation degree value of each device in the deviation feature set reflects the severity of the deviation in terms of security impact rather than pure geometric distance. Devices with high deviation quantification values in the deviation feature set indicate that their identity and role have undergone substantial shifts. If the drift vector of a video capture terminal accumulates beyond a set sensitivity threshold in the certificate-level encoding dimension, the deviation feature set marks this terminal as a high-deviation device. The deviation feature records of high-deviation devices are distinguished in the deviation feature set by a significant deviation marker. The deviation quantification values of each device in the deviation feature set, together with the feature dimension identifier of the main drift direction, constitute the input basis for identifying reverse spoofing behavior. Deviation records lacking feature dimension identifiers are marked as incomplete records in the deviation feature set because the direction of the deviation cannot be determined.
[0044] Role-based reverse spoofing is used to identify and generate associated abnormal patterns based on deviation feature sets and communication traffic features. Role-based reverse spoofing refers to a systematic reverse deviation between the identity and role presented by a device at the authentication level and the actual behavioral permissions executed at the communication traffic level. Specifically, the identity feature vector in the authentication sequence drifts towards lower permissions, while the types of instructions and access scope actually initiated by the device in the communication traffic features expand towards higher permissions. This reverse combination is the core feature that distinguishes spoofing attacks from normal identity evolution. The identification process pairs and compares the main drift direction of each device in the deviation feature set with the direction of traffic behavior change in the communication traffic features during the same period. Pairs where the main drift direction points to the lower permission feature dimension and the direction of traffic behavior change points to the higher permission access mode are identified as reverse spoofing candidates. The strength of the candidate pair is quantified by the product of the deviation degree quantification value of the corresponding device in the deviation feature set and the deviation magnitude of the traffic behavior. Recent authentication sequences of sensor aggregation nodes in a certain region show a shift in credential type towards one-way authentication. During the same period, the number of cross-subnet commands initiated by this node in the communication traffic characteristics increased significantly. The pairing of these two forms a typical reverse spoofing candidate. The correlation anomaly pattern quantifies the spoofing degree of each reverse spoofing candidate by the pairing strength. Records with higher pairing strength indicate a significant reverse deviation between the identity downgrade at the authentication level and the permission expansion at the traffic level. The difference in pairing strength among devices in the correlation anomaly pattern allows for quantitative differentiation of devices with different spoofing degrees in subsequent evaluations.
[0045] For example, the step of performing low-intensity continuous drift accumulation assessment on the associated anomaly pattern to generate a combined risk coefficient includes: extracting the drift time span of each device from the associated anomaly pattern to establish a drift persistence distribution; performing cross-device drift time series convergence detection on the drift persistence distribution to generate a convergence feature set; identifying drift acceleration critical points through the convergence feature set to generate critical trigger markers; and performing convergence critical weighted integration based on the critical trigger markers and the drift persistence distribution to generate a combined risk coefficient.
[0046] A drift duration distribution is established by extracting the drift time span of each device for associated anomaly patterns. The drift time span is based on the interval from the drift start time to the current evaluation time of each device, combined with the length of the non-zero continuous segment of the pairing strength at each time in the associated anomaly pattern to determine the actual effective drift time span. Interruption intervals in the associated anomaly pattern where the pairing strength is zero for multiple consecutive times are not included in the effective drift time span. The existence of interruption intervals indicates that the reverse spoofing behavior of the device has intermittent pauses, which may be an active operation by the attacker to evade detection. When the interruption duration exceeds the set window threshold, the drift start time of the corresponding device is reset to the first non-zero pairing strength time after the interruption ends. The drift persistence distribution is unfolded on a time-series coordinate system based on the effective drift time span of each device. Flat sections of the distribution curve correspond to stable drift behavior within that period, while steep rise sections correspond to a sudden acceleration in the drift rate. The drift persistence distribution of a certain access control terminal shows a significant steep rise after a long period of flatness in the early stage. The starting position of the steep rise is marked as a convergence candidate region during the cross-device drift time-series convergence detection phase. The larger the steep rise, the higher the concentration and intensity of drift behavior at that position. The timing of the steep rise position of each device in the drift persistence distribution is the core clue for identifying cross-device collaborative drift convergence characteristics. Devices that only show a monotonically gradual rise without a significant steep rise section are not considered as convergence candidates for cross-device time-series alignment during the convergence detection phase, but their drift persistence is still included in the drift persistence distribution for background reference in the weighted integration phase.
[0047] A convergence feature set is generated by performing cross-device drift time series convergence detection based on the drift persistence distribution. Convergence detection extracts the steep rise times of each device from the drift persistence distribution and calculates the temporal density distribution of all device steep rise times. High-density time intervals correspond to concentrated outbreaks of drift behavior from multiple devices. The smaller the standard deviation of each device's steep rise time within this interval, the higher the degree of temporal convergence. Time intervals with standard deviations below a set convergence threshold are identified as convergence events. The list of participating devices in a convergence event and the standard deviation of the convergence time are jointly written into the convergence feature set. A single device's drift steep rise is considered an individual anomaly, while multiple devices synchronously steepening at similar times indicates a coordinated temporal attack. The distinction between the two is based on whether the number of participating devices exceeds the local peak threshold of the density distribution. Isolated steep rise positions that do not reach the threshold are recorded in the convergence feature set as single-device anomalies rather than convergence events. In a certain area, the drift duration distribution of multiple sensor terminals showed a synchronous sharp increase within the same time window. The time difference between the sharp increases of each terminal was within a few minutes. The convergence feature set recorded this event as a high convergence intensity event. All participating devices were nodes of the environmental monitoring subnet. Convergence events in which participating devices spanned multiple subnets were marked with cross-domain convergence labels in the convergence feature set. The cross-domain convergence labels and single-domain convergence events formed a distinguishable convergence range hierarchy in the convergence feature set. The distribution of participating devices in cross-domain convergence events was explicitly recorded in the convergence feature set with subnet affiliation identifiers.
[0048] Critical trigger markers are generated by identifying drift acceleration critical points through a convergence feature set. Critical point identification starts from the participating devices in each convergence event within the convergence feature set, extracting the drift rate sequence of each device before and after the convergence moment. Abrupt points in the rate sequence near the convergence moment are located using a slope change detection algorithm. Positions where the slope changes from negative to positive or from a small positive value to a large positive value are marked as candidate critical points. The confidence level of a candidate critical point is determined by both the magnitude of the slope change and the proportion of candidate points appearing among the participating convergence devices. When both indicators are high, the candidate critical point is upgraded to a critical trigger marker. Drift acceleration critical points signify the transition of drift behavior from a low-intensity latent phase to a high-intensity acceleration phase. A higher ratio of drift rates before and after the critical point indicates a more severe acceleration. Accurate location of the critical point is a key temporal characteristic for determining the transition of attack behavior from the build-up phase to the execution phase. If the location deviation exceeds one authentication cycle, the timing accuracy of the critical trigger marker is insufficient to support the starting benchmark correction for the weighted integration phase. In a convergence event, five of the six participating devices experienced abrupt changes in drift rate slope at similar times. The critical trigger marker was written with high confidence at the corresponding time. The other device was recorded separately as an asynchronous critical candidate in the critical trigger marker because the time of the slope change deviated from the convergence threshold. The asynchronous critical candidate did not participate in the weighted starting point correction of the high confidence critical point, but was retained in the convergence feature set for subsequent path tracing reference.
[0049] The convergent critical weighted integration is performed based on the critical trigger marker and drift persistence distribution to generate the combined risk coefficient. The convergent critical weighted integration jointly weights the confidence level of the critical trigger marker with the drift rate increment of each device after the critical point in the drift persistence distribution. The higher the confidence level of the critical trigger marker and the larger the drift rate increment after the critical point, the higher the weighted contribution of the combined risk coefficient of the corresponding device. The weighting method reflects the dominant role of the drift acceleration phase after the critical point in the overall risk accumulation. In the drift persistence distribution, the low-speed drift phase before the critical point is assigned a lower weight in the weighted integration, while the acceleration phase after the critical point is assigned a higher weight. The integration formula is R_combo=w1×A_pre+w2×A_post+w3×C_mark, where R_combo is the quantified value of the combined risk coefficient, A_pre is the normalized value of the drift amplitude before the critical point, A_post is the normalized value of the drift amplitude after the critical point, and C_mark is the confidence level of the critical trigger mark. All three are dimensionless normalized values. w1 is taken as a smaller value, while w2 and w3 are taken as larger values to highlight the weight contribution of the acceleration phase and the convergence event after the critical point. The three weight coefficients are calibrated according to the contribution of each component in the regional historical attack data to the final risk judgment accuracy. Devices that participate in convergence events and exhibit significant acceleration after the critical point have a significantly higher R_combo than devices with the same drift amplitude but no critical trigger record. This differentiation enables the risk level gradient mapping of the access risk benchmark to effectively distinguish cooperative attack devices from ordinary drifting devices in terms of risk level. For devices that record asynchronous critical candidates in the convergence feature set, C_mark is substituted with a low confidence value instead of being set to zero during weighted integration. This ensures that the combined risk coefficient of asynchronous critical devices is not completely ignored because they do not meet the high confidence critical standard, and their risk contribution is still appropriately reflected in the risk level gradient mapping of the access risk benchmark.
[0050] Access risk benchmarks are established based on risk level gradient mapping using combined risk coefficients. Risk level gradient mapping discretizes the continuous values of the combined risk coefficients into actionable risk level labels. The mapping boundaries are determined based on the R_combo distribution corresponding to confirmed attack events in historical authentication data. Typically, three gradients are set: low-risk, medium-risk, and high-risk. Each gradient corresponds to a different access policy trigger condition in the access risk benchmark. The high-risk gradient triggers the strictest access restrictions, the low-risk gradient maintains the normal access process, and the medium-risk gradient triggers enhanced verification rather than direct blocking. Devices with combined risk coefficients near the gradient boundaries have an additional boundary uncertainty label added to the access risk benchmark. This boundary uncertainty label triggers a more conservative access strategy for that device during the access decision-making stage to cover potential minor errors in risk level judgment at the boundaries. The coverage of the boundary uncertainty label is determined based on the historical variance of the R_combo distribution at each gradient boundary; the larger the variance, the wider the boundary uncertainty interval. The risk level distribution of each device in the access risk benchmark reveals the overall access security situation of the current area. When high-risk devices are concentrated in a certain subnet, it indicates the possibility of coordinated drift attacks in that subnet. The access risk benchmark adds subnet-level risk labels to high-risk concentrated areas. During the joint blocking scope delineation phase, the subnet-level risk-labeled areas are used as the priority blocking assessment scope to ensure that the mapping from individual device risk to the overall regional risk is fully reflected at the access risk benchmark level. The access risk benchmark is based on the mapping relationship between device identifiers and corresponding risk levels. The original R_combo value of each device is retained in the access risk benchmark alongside the risk level label. Devices near the level boundary can be distinguished by their distance from the boundary through the original value, so that the risk assessment at the boundary has continuous numerical level accuracy support.
[0051] Step S14: Perform traffic rhythm anomaly detection on the communication traffic characteristics to generate abnormal traffic parameters, perform time-series dynamic tracking based on the communication traffic characteristics to generate a communication state sequence, and perform command causal break detection on the communication state sequence according to the collaborative management and control configuration to generate risk location results.
[0052] Specifically, abnormal traffic parameters are generated by performing traffic rhythm anomaly detection on communication traffic characteristics. The communication behavior of IoT terminals in special areas is driven by task scheduling, forming their own inherent rhythmic patterns in terms of transmission cycle stability, message length concentration, and burst traffic amplitude control. Environmental monitoring terminals report sensor data at fixed sampling intervals, while access control terminals generate short-term burst traffic under event-driven conditions. These two types of rhythmic patterns exhibit clearly distinguishable temporal morphologies in communication traffic characteristics. Traffic rhythm anomaly detection uses the normal rhythm baseline extracted from the historical communication traffic characteristics of each device as a reference, calculating the deviation between the current communication traffic characteristics and the rhythm baseline at each time step. The deviation quantification value is calculated independently in three dimensions: transmission cycle, message length distribution, and burst amplitude. The magnitude of the three-dimensional deviation vector is calculated using the formula... The calculation is performed, where M is the comprehensive quantized value of rhythm deviation, δ_p is the normalized value of transmission period deviation, δ_l is the normalized value of message length distribution deviation, and δ_b is the normalized value of burst amplitude deviation. When M exceeds the set rhythm abnormality threshold, the corresponding time is marked as a rhythm abnormality event. The normal rhythm of a certain video acquisition terminal is based on the message length distribution of a continuous stream at a fixed bit rate. When a large number of short messages replace the normal bit rate stream in the communication traffic characteristics of this terminal, the quantized value of the deviation in the message length distribution dimension significantly exceeds the threshold, and a rhythm abnormality event is generated and written into the abnormal traffic parameters at the corresponding time. The abnormal traffic parameters summarize the time annotation and abnormal dimension identifier of all rhythm abnormal events of each device. The abnormal dimension identifier distinguishes three categories: transmission period abnormality, message length abnormality, and burst amplitude abnormality. Different combinations of abnormal dimensions correspond to different types of potential attack behaviors. Events with multiple dimensions simultaneously abnormal are distinguished from single-dimensional abnormal events in the abnormal traffic parameters by a combined abnormality marker.
[0053] In some embodiments, the step of generating a communication state sequence by performing time-series dynamic tracking based on the communication traffic characteristics includes: extracting the communication initiation direction between devices based on the communication traffic characteristics to establish a communication direction baseline map; performing dependent direction reversal anomaly detection on the communication direction baseline map to generate a direction reversal distribution; identifying instruction link tampering time windows based on the direction reversal distribution to generate a tampering time window set; and performing state evolution annotation on the tampering time window set and the direction reversal distribution to generate a communication state sequence.
[0054] A communication direction baseline map is established by extracting the communication initiation direction between devices based on communication traffic characteristics. The communication initiation direction is identified by the active initiator of message interaction between each device pair in the communication traffic characteristics. Under normal operating conditions, the communication initiation direction of the IoT network in a special area has strong stability. The aggregation node sends configuration commands to the sensor terminal, and the sensor terminal reports the collected data to the aggregation node. The two types of directions form a fixed directed dependency relationship in the long-term communication traffic characteristics. The communication direction baseline map records the historical stable communication initiation direction of each device pair in the form of a directed graph. Each directed edge in the graph carries the frequency of occurrence of that direction in the historical traffic and the distribution of message types as baseline attributes. The establishment of the communication direction baseline map must cover a sufficiently long historical communication traffic characteristic to filter temporary direction changes caused by events. Reverse communication that only occurs in a single event is not included in the directed edge correction of the baseline map. The corresponding edge direction of the baseline map is only updated when multiple consecutive independent events show the same reverse communication direction. In a certain area, the downlink command direction from the access control server to the authentication management node is recorded as a strongly dependent directed edge in the communication direction baseline graph. The baseline attributes of the directed edge include the length range of the normal command message and the distribution of the sending time window. Directed edges with missing baseline attributes are treated with a more lenient judgment threshold in the reversal detection because they lack a reference range for normal communication behavior. The completeness of the baseline attributes of each directed edge in the communication direction baseline graph is attached to the corresponding directed edge in the form of a completeness rate label.
[0055] Anomaly detection based on dependent direction reversal is performed on the communication direction baseline graph to generate a direction reversal distribution. Dependent direction reversal refers to an event in the communication traffic characteristics where the actual communication initiation direction of a device pair is opposite to the direction of the corresponding directed edge in the communication direction baseline graph. Direction reversals are occasional and brief during normal operation, but they are persistent and repetitive in attack scenarios. The core judgment of the detection is whether the direction reversal event at the current moment is isolated and occasional or has temporal clustering characteristics. The reversal detection extracts the actual communication initiation direction of each device pair from the communication traffic characteristics at each moment and compares it with the direction of the corresponding directed edge in the communication direction baseline graph. Moments with inconsistent directions are recorded as reversal candidate events. The duration and frequency of occurrence of the reversal candidate event jointly determine the reversal strength of the event. Candidate events whose duration exceeds the upper limit of the duration of occasional reverse communication obtained from the historical traffic statistics of the corresponding edge in the baseline graph and whose frequency of occurrence is higher than that of historical occasional baselines are judged as valid reversal events. Valid reversal events are written into the direction reversal distribution and accompanied by a quantified value of reversal strength. In the early stages of an attack, terminal devices in a certain access control subnet actively send query messages to the upper-layer server. This direction is opposite to the strongly dependent direction actively configured by the server in the communication direction baseline diagram. Reversal candidate events are recorded at the corresponding time. If the reversal continues to occur in multiple consecutive authentication cycles, the quantitative value of the reversal strength increases with the duration. The time series with continuous high reversal strength is identified as a continuous strong reversal segment in the direction reversal distribution. The mean value of the reversal strength at each time point in this segment and the duration together characterize the degree and stability of the device's shift in communication control.
[0056] Based on the direction reversal distribution, a set of tampering time windows is generated to identify the tampering time window of the command link. The command link tampering time window refers to the effective period during which an attack interferes with the normal command transmission link. The time series segment with consistently high reversal intensity in the direction reversal distribution is the main source of tampering time windows. However, the high-intensity segment of the direction reversal distribution may cover multiple independent tampering time windows rather than a single continuous window. The identification process must subdivide the reversal intensity fluctuations within the high-intensity segment. Time window identification extracts continuous time series segments with reversal intensity exceeding a set identification threshold from the direction reversal distribution. The location where the reversal intensity of the continuous segment has a significant trough is marked as the segmentation point within the window. When the depth of the trough exceeds a set proportion of the peak value, the time series segments on both sides of the segmentation point independently constitute tampering time windows. When the depth of the trough is insufficient, the entire continuous segment is treated as a single tampering time window. The tampering time window set summarizes all identified time windows. Each window carries the start and end times and the identifier of the involved device pair. The identifier of the involved device pair associates the tampering time window with the corresponding directed edge in the communication direction baseline graph, so that the state evolution label can determine the degree of deviation of communication behavior within the tampering time window based on the edge attributes of the baseline graph. When the same device pair has multiple independent windows in the tampering time window set, it indicates that the communication link of the device pair has undergone multiple rounds of tampering intervention. The time interval of multiple rounds of windows is completely preserved in the tampering time window set in the form of a combination of window number and start and end times.
[0057] A communication state sequence is generated by annotating the tampering time window set and the direction reversal distribution with state evolution. State evolution annotation divides the communication state of each device in the time-series coordinates into three categories: normal communication, direction reversal warning, and tampering window activation. The time-series distributions of these three states together constitute the backbone structure of the communication state sequence. The precise annotation of state transition times depends on the threshold crossing time of the reversal intensity in the direction reversal distribution and the start and end times of the tampering time window set. The normal communication state corresponds to a time-series segment in the direction reversal distribution where the reversal intensity is below the warning threshold and not within any tampering time window range. The direction reversal warning state corresponds to a time-series segment where the reversal intensity exceeds the warning threshold but the current time does not fall within any tampering time window range. The tampering window activation state corresponds to a time-series segment where the device's time falls within a certain window range of the tampering time window set. The state evolution annotation also records the transition characteristics of each device switching between different states. A switch path that jumps directly from normal communication to tamper window activation without a warning transition indicates that tampering is taking effect rapidly. When the normal event-driven window corresponding to the directed edge in the communication direction baseline diagram is wide, it can easily mask this type of rapid switch. The communication state sequence adds a sudden change annotation to the corresponding switch time for such direct jumps. The device communication state sequence of a certain access control subnet shows that it repeatedly switches between normal communication and tamper window activation within several consecutive authentication cycles, with dense sudden change annotations. These annotations accurately locate each direct jump event in the communication state sequence as switch time markers. The density of the sudden change annotations reflects the overall level of link stability of the device during the observation period.
[0058] In some embodiments, the step of performing instruction causal break detection and generating risk location results on the communication state sequence according to the collaborative management and control configuration includes: extracting causal constraint rules for each device instruction based on the collaborative management and control configuration to establish a causal rule set; performing causal chain reverse penetration verification on the communication state sequence according to the causal rule set to generate break location markers; performing cross-device break synchronization degree assessment on the break location markers to generate break risk levels; and performing cross-device break topology aggregation annotation on the break risk levels and the break location markers to generate risk location results.
[0059] Based on the collaborative management and control configuration, causal constraint rules for each device's commands are extracted to establish a causal rule set. These command causal constraint rules describe the causal dependencies between command sending and response under normal operating logic. A configuration command issued by a device should trigger a status confirmation response from the target device within a set time delay. If the response does not appear within the time delay window or if a response type not defined by the rule appears, it is considered a violation of the causal constraint. The trigger condition sets and aggregation triggering strategies of each device in the collaborative management and control configuration implicitly represent the expected command transmission between devices. The extraction of causal constraint rules is based on the triggering logic of each device in the collaborative management and control configuration. The causal relationship between the triggering device and the linked target device in the trigger condition set is transformed into rule entries in the causal rule set. Rule entries use the identifiers of the initiating and responding devices in the causal pair to lock the constraint objects, define the timing compliance window for response arrival using the allowed response delay range, and limit the range of behavioral types of response messages using the set of legal response types. The set of legal response types is derived from the normal communication behavior records of each device in the device identity file. The completeness of the causal rule set directly affects the coverage of reverse penetration verification of the causal chain. In the collaborative management and control configuration, the triggering strategy with a deeper cascading depth corresponds to a multi-level causal constraint link. The causal rule set must establish rule entries for each level of the link separately, rather than just covering the two adjacent levels. If there is no corresponding rule entry for the causal break in the middle level of the link, it cannot be detected by reverse penetration verification. The coverage level of the rule entries of each level of the link in the causal rule set is marked by the deepest association level. The larger the marked value, the stronger the causal rule set's ability to trace deep breaks in the link.
[0060] A causal chain reverse penetration verification is performed on the communication state sequence according to the causal rule set to generate breakpoint markers. The reverse direction of the causal chain reverse penetration verification is opposite to the command propagation direction. Starting from the device marked as being in the tamper window active state in the communication state sequence, it traces upstream along the causal link, checking each causal pair's response at the corresponding time whether it meets the constraints of the causal rule set. Causal pairs that do not meet the conditions are marked as candidate breakpoints, and the candidate breakpoints are precisely located to a specific time in the time-series coordinates of the communication state sequence. The selection of the starting point for the reverse penetration verification has a significant impact on the coverage depth of the breakpoint markers. If only the terminal abnormal device is used as the starting point, early breakpoints in the upstream link may be missed because the terminal device has not yet entered the tamper window active state. The reverse penetration must also use devices in the communication state sequence whose direction reversal warning state duration exceeds a set threshold as supplementary starting points to expand the upstream coverage of the breakpoint markers. The fracture location marker distinguishes between complete fractures and partial fractures. A complete fracture refers to the complete absence of a causal response at the corresponding time, while a partial fracture refers to the presence of a response but the response type is not within the set of legal response types. After a certain aggregation node sends a sampling rate adjustment command to a sensor terminal, the reporting frequency of the sensor terminal does not change accordingly in the communication state sequence. This causal pair is marked as a complete fracture at the corresponding time. The composition ratio of complete fractures and partial fractures in the fracture location marker forms the difference in type weight. Devices with a higher proportion of complete fractures are marked as severely fractured in the fracture location marker to distinguish them from devices with a predominantly partial fracture.
[0061] Cross-device fracture synchronization assessment is performed on fracture location markers to generate fracture risk levels. Synchronization assessment extracts the temporal density distribution of the complete fracture moments of each device from the fracture location markers. High-density time intervals correspond to concentrated outbreaks of fracture behavior from multiple devices. The smaller the standard deviation of the fracture moments of each device within an interval, the higher the synchronization. The quantified synchronization value is calculated by normalizing the ratio of the density peak to the standard deviation; time intervals with higher ratios correspond to stronger cross-device coordinated fracture characteristics. Cross-device fracture synchronization quantification measures the temporal concentration of fracture location markers across multiple devices. High synchronization indicates that causal fractures from multiple devices occur in close proximity, suggesting coordinated intervention in the command link rather than random faults occurring independently of each device. Synchronization assessment records isolated fractures without triggering cross-device coordinated judgments in intervals where the density of a single device's fracture moment does not exceed the background level. The fracture risk level is a weighted composite of three indicators: the proportion of complete fractures in the fracture location markers, the quantified cross-device synchronization value, and the number of causal link levels involved. A higher proportion of complete fractures, stronger synchronization, and more link levels involved result in a higher fracture risk level. In a specific area, the access control link experienced a level-three causal break at the same time, involving more than half of the total number of devices in the subnet. The break risk level was mapped to the highest level under the combined effect of the three indicators, indicating that the command link at that moment had suffered systemic damage rather than a local anomaly. In contrast, in another subnet, although the isolated complete break of a single device was severe, the synchronization quantification value was close to zero, and the break risk level was only mapped to medium. There is a significant difference in the break risk level between the coordinated break scenario and the isolated break scenario. This polarization of break risk levels forms a distinguishable hierarchical level in the current assessment results.
[0062] Cross-device fracture topology aggregation annotation generates risk localization results by combining fracture risk levels with fracture location markers. This annotation unfolds the fracture locations of each device in the fracture location markers within the network topology coordinates, identifying spatial clustering patterns of fracture locations on the topology. Spatially clustered fracture locations indicate that attack interventions are concentrated in a specific topology segment rather than being randomly dispersed. Comparing the coverage of the topology clustered segment with the aggregation triggering strategy in the collaborative management configuration further determines whether the attack is targeting known high-risk propagation nodes. Aggregation annotation extracts the device identifier and network topology location of each fracture point from the fracture location markers, calculates the spatial density distribution of fracture points in the topology map, and marks topology areas with higher density as fracture clusters. The boundaries of fracture clusters are determined by the position where the density drops from high to low to the background level. When integrating the location information of each fracture point, aggregation annotation simultaneously introduces fracture risk levels to weight the severity of each fracture point within the cluster. This allows clusters with similar spatial density to form distinguishable levels in overall risk weight due to differences in fracture risk level composition. The average fracture risk level of the fracture points within a cluster serves as the overall risk weight for that cluster. The risk location results are based on the topological location identifiers of fracture clusters, the overall risk weights, and the distribution of fracture types at each fracture point within the clusters. Each fracture point carries time information and fracture type labels from the fracture location markers. The fracture type distribution reveals the proportion of complete fractures and partial fractures within the clusters. The difference in the overall risk weight between clusters dominated by complete fractures and clusters dominated by partial fractures allows the two types of command link damage to form distinguishable identification features at the risk location result level.
[0063] Step S15: Perform threat feature matching to identify risky devices based on the risk location results and abnormal traffic parameters; define the scope of linkage blocking based on the risky devices and access risk benchmark to generate security control values; and generate access decision results by matching differentiated access policies based on the security control values.
[0064] Specifically, threat feature matching is performed on risk location results and abnormal traffic parameters to identify risky devices. Risk location results and abnormal traffic parameters characterize abnormal device behavior from the perspectives of causal break topology at the command link level and message anomalies at the traffic rhythm level, respectively. Relying on either alone may lead to biased judgments due to a limited perspective. Joint matching aligns the two types of anomalies at the device identification dimension, allowing evidence of anomalies from the same batch of devices across different detection dimensions to corroborate each other, thus improving the confidence level of risky device identification. The matching process starts from the break clusters in the risk location results, extracting the device identifiers corresponding to each break point within the cluster. It then searches for rhythmic anomalies of the same device identifier at similar times in the abnormal traffic parameters. Device pairs whose time difference between the break time and the rhythmic anomaly time falls within a set matching window are considered to have a two-dimensional match hit. Devices with a two-dimensional match hit are marked as strong hits in the risk device candidate set. Simultaneously, a reverse scan is performed on the device identifiers of rhythmic anomalies in the abnormal traffic parameters. Devices without corresponding break markers in the risk location results, or those with break markers in the risk location results but no corresponding rhythmic anomalies in the abnormal traffic parameters, are marked as weak hits. A sensor aggregation node in an environmental monitoring subnet falls into a high-risk fault cluster area in the risk location results. At the same time, the abnormal traffic parameters of this node show rhythmic abnormal events in both the message length distribution dimension and the sending period dimension. After the two-dimensional matching is successful, the node is confirmed as a strongly hit risk device. Strongly hit devices are distinguished by a strong hit mark in the risk device set, and weakly hit devices are distinguished by a weak hit mark. The priority difference between the two types of marks forms a hierarchical basis for the blocking and handling intensity within the risk device set. Devices that do not hit are not included in the current risk device set.
[0065] In some embodiments, the step of defining the scope of the joint blocking based on the risk device and the access risk benchmark to generate a security control value includes: establishing a propagation path map based on the cross-device infection propagation path obtained from the risk device; identifying minimum path truncation nodes in the propagation path map to generate a truncation node set; sorting the truncation priority based on the truncation node set and the access risk benchmark to generate a blocking execution sequence; and verifying the blocking reachability of the blocking execution sequence to generate a security control value.
[0066] A propagation path map is established based on cross-device infection transmission paths obtained from risky devices. Starting from the set of risky devices, each risky device is used as the source node. The map extends outwards along the effective transmission edges of T_ij in the risk transmission matrix that exceed the transmission threshold. It traverses reachable devices hop-by-hop, recording the number of propagation hops and the cumulative transmission impact coefficient for each reachable device. A higher number of propagation hops corresponds to a longer infection path, and a higher cumulative transmission impact coefficient corresponds to a greater risk of infection for the terminal device of that path. The boundary of the propagation path map is truncated when the cumulative transmission impact coefficient falls to a set minimum credible propagation intensity threshold. Path extensions below the threshold are not included in the propagation path map to avoid over-extending and covering edge devices with extremely low actual infection risk. The threshold is set based on the statistical upper limit of the number of effective propagation hops in historical infection transmission events in the region. The threshold varies for different security levels; higher security levels use higher thresholds to narrow the effective coverage of the propagation path map. A high-risk device can reach three adjacent devices with medium transmission impact coefficients within two hops in the propagation path graph. One of these adjacent devices is simultaneously marked as medium-risk by the access risk benchmark. The propagation path graph adds a double risk label to this device. The double-labeled device has a higher priority than the device marked only by one side of the propagation path graph during the truncation node identification stage. The number of double-risk labeled devices in the propagation path graph reflects the degree of overlap between the current infection propagation situation and the access risk situation. The higher the degree of overlap, the more obvious the multi-dimensional deterioration trend of network security status. The topological distribution of double-risk labeled devices is superimposed on the propagation path structure as an independent label layer in the propagation path graph, so that the path density and risk concentration in the overlapping area form a quantifiable comparative feature in the same graph structure.
[0067] Minimum path truncation node identification is performed on the propagation path graph to generate a truncation node set. Truncation node identification identifies all valid propagation paths from the risky device to the boundary device in the propagation path graph. The node with the most covered paths on each path is selected as the primary truncation candidate. Paths covered by the primary truncation candidate are removed from the propagation path graph, and the coverage maximization localization is repeated for the remaining paths. This process iterates until all paths are covered, and the nodes selected in each iteration constitute the truncation node set. The truncation cost is quantified by a weighted combination of the cumulative propagation influence coefficient of each node in the propagation path graph and the resistance level in the device identity file. Nodes lacking resistance have a lower truncation cost, while nodes with full resistance have a higher truncation cost. Prioritizing the truncation of nodes lacking resistance can achieve a larger range of path blocking at a lower cost. When two candidate nodes have similar path coverage, the one with the lower truncation cost is selected first. When the number of nodes in the truncated node set is too large, it indicates that the topology of the propagation path graph is scattered, and there are multiple parallel paths for infection propagation. The blocking execution sequence must apply the blocking to all truncated nodes simultaneously rather than in batches. In a certain access control subnet, there are three independent parallel paths in the propagation path graph. The truncated nodes covering the three paths do not overlap with each other. The blocking execution sequence must set the three truncated nodes to be executed in the same batch rather than sequentially. Otherwise, the traffic at the node that is blocked first may continue to propagate on the unblocked parallel path, causing the infection to spread during the blocking window period.
[0068] A blocking execution sequence is generated by prioritizing truncation nodes based on the truncation node set and the access risk benchmark. The truncation priority is determined by combining the number of paths covered by each node in the truncation node set with the risk level of the corresponding node in the access risk benchmark. A higher number of paths covered indicates greater structural importance of the node in the propagation path graph, while a higher risk level in the access risk benchmark indicates a weaker authentication security status for the node. The product of these two factors is normalized and used as the priority score. Nodes with higher scores are ranked higher in the blocking execution sequence. Devices corresponding to areas with subnet-level risk labels in the access risk benchmark receive additional weighting on top of their priority scores. Nodes within the truncation node set belonging to subnet-level risk-labeled areas receive further priority scores, ensuring that blocking resources in collaborative attack scenarios are prioritized for the most risky topology segments. Nodes with similar priority scores in the blocking execution sequence are then ranked secondary based on topological distance in the propagation path graph. Closer topological distances result in more concentrated rankings of adjacent nodes, ensuring topological continuity in blocking execution when priorities are similar, and preventing isolated blocking points in the propagation path graph that leave unblocked propagation gaps at adjacent nodes. In a certain area, the two nodes with the highest priority scores in the blockade execution sequence are located in the same access control subnet and the topological distance is only one hop. The secondary sorting arranges the two to be executed in the same batch to avoid the infection traffic from being temporarily transferred to the second node in the same batch after the first node is blocked, which would cause local propagation. The batch label and priority score of each node in the blockade execution sequence jointly determine the integrity of the execution order of the blockade operation within the coverage of the propagation path graph.
[0069] For example, the step of verifying the accessibility of the blockade execution sequence to generate a security control value includes: determining the intensity gradient of adjacent blockade layers based on the blockade execution sequence to establish an inter-layer gradient sequence; locating weak points in the blockade penetration of the inter-layer gradient sequence to generate a set of weak point markers; performing cross-layer blockade collaborative compensation analysis on the set of weak point markers to generate compensation and reinforcement parameters; and performing collaborative correction and binding between the compensation and reinforcement parameters and the blockade execution sequence to generate a security control value.
[0070] Inter-layer gradient sequences are established based on the strength gradient of adjacent blockade layers determined by the blockade execution sequence. Blockade layers are divided according to the number of propagation hops of each node in the propagation path graph within the blockade execution sequence. Nodes with the same number of hops are grouped into the same blockade layer. The difference in blockade strength between adjacent blockade layers is quantified by the difference in the average priority scores of nodes within the layer. A larger difference indicates a more significant difference in blockade strength between adjacent layers, and adjacent blockade layers with excessively large strength differences are prone to forming weak zones in the strength transition section. The inter-layer gradient sequence uses adjacent blockade layer pairs as indices, recording the difference in blockade strength and the number of nodes between each pair. Layer pairs with blockade strength differences exceeding a set gradient threshold are marked as high-gradient layer pairs in the inter-layer gradient sequence. The more devices covered in the strength transition section of a high-gradient layer pair, the wider the potential penetration weakness. In a certain region, the difference in blocking intensity between the second and third blocking layers in the blocking execution sequence is significantly higher. This layer pair is marked as a high-gradient layer pair in the inter-layer gradient sequence. This layer pair covers a large number of sensor subnet nodes. The high-gradient marker triggers a fine-grained scan of the node distribution within this layer pair during the weak point localization stage. The difference between the first and second blocking layers is within the normal gradient range. The corresponding layer pair does not trigger a key scan for weak point localization. The inter-layer gradient sequence completely depicts the intensity transition pattern between all adjacent blocking layers. High-gradient layer pairs are distinguished from normal gradient layer pairs in the inter-layer gradient sequence by significant marking. The number and distribution of high-gradient layer pairs in the inter-layer gradient sequence together reflect the overall uniformity of the blocking execution sequence in terms of intensity connection.
[0071] A vulnerability marker set is generated by locating weak points in the inter-layer gradient sequence. Vulnerability location focuses on the set of nodes covered by high-gradient layer pairs in the inter-layer gradient sequence. Each node is evaluated for its coverage gap in the transition zone of high gradient intensity. The coverage gap is determined by the difference between the node's own coverage strength and the average coverage strength of adjacent layers. Nodes with a difference exceeding a set gap threshold are marked as potential weak points. Among the potential weak points, nodes that simultaneously meet the conditions of low path coverage and large coverage gap in the propagation path graph are upgraded to formal weak points and added to the vulnerability marker set. Low path coverage means that the node has fewer propagation paths covered by the truncated node set, and attack traffic may bypass the node and penetrate through adjacent incompletely blocked paths. Each weak point in the vulnerability marker set carries the identifier of its high-gradient layer pair, the quantification value of the coverage gap, and its topological position in the propagation path graph. Weak points located at the intersection of multiple propagation paths are distinguished from isolated weak points at the end of paths by multi-path intersection markings in the vulnerability marker set. The difference in the quantification value of the coverage gap between the two types of weak points forms the quantification basis for compensation priority at the vulnerability marker set level. The results of the weak point location of a certain access control subnet showed that there were two topologically adjacent weak points in the high gradient layer pair formed by the second and third blocking layers in the interlayer gradient sequence. Both points were located in the intersection area of three propagation paths, and the quantification values of the blocking gaps were both too high. The weak point label set added multi-path intersection labels to the two points. Based on this, the compensation analysis stage configured collaborative compensation for the two points instead of independent compensation to ensure that the overall blocking strength of the intersection area was improved synchronously.
[0072] Cross-layer blocking collaborative compensation analysis is performed on the vulnerability marker set to generate compensation reinforcement parameters. The compensation analysis targets the blocking gaps of each vulnerability in the vulnerability marker set, searching adjacent blocking layers for nodes capable of compensating and covering the vulnerability. Compensation coverage nodes must meet two conditions: their own blocking strength is higher than the current blocking strength of the vulnerability, and they have a direct or one-hop reachable path association with the vulnerability in the propagation path graph. If either condition is missing, the adjacent node is not included in the compensation candidate to avoid the compensation reinforcement parameters misidentifying weaker adjacent nodes as effective compensation sources. The compensation reinforcement method for eligible adjacent layer nodes is to increase the strength parameter of the blocking command corresponding to the blocking layer where the vulnerability is located. The strength increase is determined by the minimum value of the quantified value of the vulnerability's blocking gap and the remaining blocking strength of the compensation node. If the remaining strength is insufficient, the compensation reinforcement parameters take the upper limit of the remaining strength instead of fully compensating the gap. In cases of limited remaining strength, partial compensation annotations are added to the compensation reinforcement parameters. During the collaborative correction binding phase, vulnerability points with partial compensation annotations are simultaneously triggered for blocking obstruction warning path assessment. In the weak point marker set, weak points marked by multiple path intersections are simultaneously searched for compensation candidate nodes along multiple propagation paths during compensation analysis. The blocking strength margin of each candidate node in each direction is independently evaluated, and the maximum available margin is taken as the final upper limit of the compensation strength for that weak point. The synergistic effect of multi-directional compensation makes the blocking gap bridging ability of weak points at intersections higher than that of single-path weak points. The compensation reinforcement parameters summarize the strength enhancement amount corresponding to each weak point and the compensation node identifier. The strength enhancement amount of each weak point is precisely calibrated with the blocking gap quantification value as the upper limit. The compensation node identifier binds the strength enhancement amount to a specific blocking node, so that the compensation coverage is precisely limited to the gap location rather than spreading uniformly across the entire layer.
[0073] The compensation enhancement parameters and the blockade execution sequence are collaboratively corrected and bound to generate security control values. The collaborative correction binding precisely injects the strength enhancement amount of each weak point in the compensation enhancement parameters into the corresponding node's blockade strength configuration in the blockade execution sequence according to the compensation node identifier. After injection, the blockade strength of each node corresponding to a weak point is updated in the blockade execution sequence to the sum of the original configuration value and the strength enhancement amount. The updated strength must not exceed the upper limit of the node's rated blockade capacity. If it exceeds the upper limit, the strength enhancement amount is truncated to the difference from the upper limit. A compensation-limited label is added to the security control value in the truncated case, indicating that the blockade gap at the corresponding weak point has not been completely closed through collaborative compensation. After correction by the compensation enhancement parameters, the blockade strength distribution of each node in the blockade execution sequence is more uniform, and the strength difference between high-gradient layer pairs is narrowed. In a certain area, the inter-layer difference between the second and third blockade layers falls from the threshold level back to the normal gradient range after collaborative correction. The blockade gaps at two multi-path intersection weak points are effectively closed. The compensation label status of the corresponding node in the security control value is updated from partial compensation to full compensation, indicating that the penetration weakness zone of this layer pair has been sufficiently blocked. The security control value is based on the complete node blocking configuration of the blocking execution sequence after collaborative correction binding. Each node carries the final blocking strength and compensation labeling status. The final blocking strength of the compensation-limited labeled node is simultaneously labeled with the remaining quantitative value of the gap in the security control value. The remaining quantitative value of the gap and the compensation labeling status together represent the quantitative difference in the completeness of the blocking coverage of the node.
[0074] Access decisions are generated based on differentiated access policies matched with security control values. The matching of differentiated access policies maps the final blocking strength and compensation label status of each device in the security control values to a pre-set access policy library. The policy library pre-sets four types of policies according to blocking strength from high to low: access disconnect, downgraded authentication, enhanced verification, and normal access. Devices with the highest blocking strength and no compensation-restricted label are matched with the access disconnect policy; devices with medium blocking strength are matched with the downgraded authentication policy; devices with blocking strength below medium but with a medium risk level in the access risk benchmark are matched with the enhanced verification policy; and other devices maintain the normal access process. The presence of compensation-restricted labels has a mandatory intervention effect on policy matching. Regardless of the blocking strength level, the policy matching result for devices carrying compensation-restricted labels is increased by one level from the corresponding level to compensate for the residual impact of unclosed blocking gaps on access security. In a certain area, a high-risk device with a strong hit rating in the security control value has a high blocking strength and no compensation-restricted label, so it is directly matched with an access disconnect policy. Its adjacent low-risk device has a medium blocking strength and carries a compensation-restricted label. After the policy is upgraded one level, the matching changes from downgraded authentication to access disconnect, ensuring that devices in the blocking gap segment do not receive overly lenient access permissions due to insufficient compensation. The main body of the access decision result consists of the mapping relationship between each device identifier and the corresponding access policy. Each decision record carries a policy matching basis field. Based on this field, it can be distinguished whether the decision mainly comes from the security control value blocking strength or the forced upgrade of the compensation-restricted label. Subsequent auditing and policy review can quickly locate the root cause of each device's access decision judgment based on this field. The coverage of the access decision results extends to all devices identified by threat feature matching. No device in the risk device set will be excluded from the access decision scope due to policy matching logic gaps.
[0075] To implement the above method embodiments, a special area anti-crossing IoT terminal secure access method is provided to achieve the corresponding functions and technical effects. See also... Figure 2 , Figure 2 This diagram illustrates a structural block diagram of a secure access device for IoT terminals in a special area to prevent cross-border access, according to an embodiment of this application. For ease of explanation, only the parts relevant to this embodiment are shown. The secure access device for IoT terminals in a special area to prevent cross-border access, according to an embodiment of this application, includes:
[0076] Data acquisition module 201 is used to collect access authentication information and communication traffic characteristics of front-end devices, and establish a device identity file based on the access authentication information and the communication traffic characteristics and the associated device identifier.
[0077] The baseline establishment module 202 is used to extract the certificate trust attenuation gradient of the device identity file to form an authentication baseline domain, perform authentication risk transmission analysis on the authentication baseline domain to generate a risk transmission matrix, and use the risk transmission matrix to delineate the control boundary linkage and establish a collaborative control configuration.
[0078] Risk assessment module 203 is used to extract identity features from the access authentication information to form an authentication sequence, perform role drift parsing on the authentication sequence to generate a drift vector, and perform collaborative abnormal combination pattern recognition based on the drift vector and the communication traffic features to generate an access risk benchmark.
[0079] The detection and analysis module 204 is used to perform abnormal traffic rhythm detection on the communication traffic characteristics to generate abnormal traffic parameters, perform time-series dynamic tracking based on the communication traffic characteristics to generate a communication state sequence, and perform instruction causal break detection on the communication state sequence according to the collaborative management and control configuration to generate risk location results.
[0080] The decision output module 205 is used to perform threat feature matching to identify risky devices based on the risk location results and the abnormal traffic parameters, define the linkage blocking range based on the risky devices and the access risk benchmark to generate security control values, and generate access decision results based on the security control values and differentiated access strategies.
[0081] The aforementioned special area anti-crossing IoT terminal security access device can implement the special area anti-crossing IoT terminal security access method of the above method embodiments. The options in the above method embodiments are also applicable to this embodiment, and will not be detailed here. The remaining content of this application embodiment can be referred to the content of the above method embodiments, and will not be repeated in this embodiment.
[0082] The purpose of the above embodiments is to reproduce and derive the technical solution of the present invention by way of example, and to fully describe the technical solution, purpose and effect of the present invention. The purpose is to enable the public to have a more thorough and comprehensive understanding of the disclosure of the present invention, and not to limit the scope of protection of the present invention.
Claims
1. A method for secure access of IoT terminals in a special area to prevent cross-border access, characterized in that, include: Collect access authentication information and communication traffic characteristics of front-end devices, and establish a device identity profile based on the device identifier associated with the access authentication information and the communication traffic characteristics; The certificate trust attenuation gradient of the device identity file is extracted to form an authentication benchmark domain. The authentication benchmark domain is analyzed to generate a risk transmission matrix. The risk transmission matrix is used to define the control boundary linkage and establish a collaborative control configuration. The access authentication information is processed to extract identity features to form an authentication sequence. The authentication sequence is then parsed to generate a drift vector. Based on the drift vector and the communication traffic features, collaborative anomaly combination pattern recognition is performed to generate an access risk benchmark. The communication traffic characteristics are subjected to traffic rhythm anomaly detection to generate abnormal traffic parameters. Based on the communication traffic characteristics, time-series dynamic tracking is performed to generate a communication state sequence. According to the collaborative management and control configuration, the communication state sequence is subjected to instruction causal break detection to generate risk location results. The risk location results are matched with the abnormal traffic parameters to identify risky devices based on threat features. The scope of the blocking is determined by linking the risky devices with the access risk benchmark to generate a security control value. Based on the security control value, a differentiated access strategy is matched to generate an access decision result.
2. The method according to claim 1, characterized in that, The step of establishing a device identity profile based on the access authentication information and the device identifier associated with the communication traffic characteristics includes: The access authentication information is processed to induce authentication protocol downgrade and generate a downgrade response feature set; The communication traffic characteristics are used to extract differences in downgraded rejection behavior and generate rejection behavior labels; The degradation response feature set and the rejection behavior label are used to perform firmware-level degradation resistance verification to generate resistance verification records; A device identity file is established based on the device identifier associated with the resistance verification record.
3. The method according to claim 1, characterized in that, The step of using the risk transmission matrix to delineate control boundaries and establish collaborative control configuration includes: Based on the risk transmission matrix, the degree of transmission isolation of each device is determined, and a device isolation table is generated. The isolation degree table of the equipment is subjected to isolation degree gradient classification calibration to generate a linkage rule table; Based on the aforementioned linkage rule table, cross-device collaborative management triggering conditions are configured to form a triggering condition set; Based on the aforementioned trigger condition set, multi-device trigger strategy aggregation and binding are performed to establish collaborative management and control configuration.
4. The method according to claim 1, characterized in that, The step of generating an access risk benchmark by performing collaborative anomaly combination pattern recognition based on the drift vector and the communication traffic features includes: Extract the degree of role deviation from the drift vector to establish a deviation feature set; The deviation feature set and the communication traffic features are used to perform role identity reverse spoofing identification to generate associated abnormal patterns; A combined risk coefficient is generated by performing a low-intensity, continuous drift accumulation assessment on the aforementioned associated anomaly patterns. Based on the combined risk coefficients, a risk level gradient mapping is performed to establish an access risk benchmark.
5. The method according to claim 1, characterized in that, The step of performing command causal break detection on the communication state sequence according to the collaborative management and control configuration to generate risk location results includes: Based on the aforementioned collaborative management and control configuration, extract the causal constraint rules of each device's instructions to establish a causal rule set; Perform causal chain reverse penetration verification on the communication state sequence according to the causal rule set to generate break location markers; A cross-device fracture synchronization assessment is performed on the fracture location markers to generate a fracture risk level; The risk level and the fracture location marker are combined across equipment fracture topology to generate risk location results.
6. The method according to claim 1, characterized in that, The step of generating a communication state sequence by performing time-series dynamic tracking based on the communication traffic characteristics includes: Based on the communication traffic characteristics extracted, a communication direction baseline map is established between the devices to determine the communication initiation direction. The communication direction baseline map is subjected to dependent direction reversal anomaly detection to generate a direction reversal distribution; Based on the aforementioned directional reverse distribution, identify the instruction link tampering time window and generate a tampering time window set; The state evolution labeling of the tampered time window set and the direction reversal distribution generates a communication state sequence.
7. The method according to claim 1, characterized in that, The step of defining the security control value based on the risk device and the access risk benchmark to jointly block the scope includes: Based on the risk devices, cross-device infection transmission paths are obtained, and a transmission path map is established; The propagation path graph is subjected to minimum path truncation node identification to generate a truncation node set; Based on the truncated node set and the access risk benchmark, a blocking execution sequence is generated by prioritizing the truncated nodes. The reachability of the block execution sequence is verified to generate a security control value.
8. The method according to claim 4, characterized in that, The step of performing a low-intensity, continuous drift accumulation assessment on the associated abnormal patterns to generate a combined risk coefficient includes: For the associated anomaly patterns, the drift time span of each device is extracted to establish a drift duration distribution; A convergence feature set is generated by performing cross-device drift time series convergence detection based on the drift persistence distribution; The convergence feature set is used to identify drift acceleration critical points and generate critical trigger markers. Based on the critical trigger marker and the drift duration distribution, a convergence critical weighted integration is performed to generate a combined risk coefficient.
9. The method according to claim 7, characterized in that, The step of performing reachability verification on the block execution sequence to generate a security control value includes: Based on the blockade execution sequence, the intensity gradient of adjacent blockade layers is determined to establish an inter-layer gradient sequence; The interlayer gradient sequence is used to locate weak points in the penetration and blockade process, generating a set of weak point markers. Perform cross-layer blocking collaborative compensation analysis on the weak point marker set to generate compensation and reinforcement parameters; The compensation enhancement parameters are coupled with the blocking execution sequence to generate a security control value through collaborative correction.
10. A special area anti-crossing IoT terminal security access device, characterized in that, include: The data acquisition module is used to collect access authentication information and communication traffic characteristics of the front-end device, and establish a device identity profile based on the device identifier associated with the access authentication information and the communication traffic characteristics. The benchmark establishment module is used to extract the certificate trust attenuation gradient of the device identity file to form an authentication benchmark domain, perform authentication risk transmission analysis on the authentication benchmark domain to generate a risk transmission matrix, and use the risk transmission matrix to delineate the control boundary linkage and establish a collaborative control configuration. The risk assessment module is used to extract identity features from the access authentication information to form an authentication sequence, perform role drift parsing on the authentication sequence to generate a drift vector, and perform collaborative abnormal combination pattern recognition based on the drift vector and the communication traffic features to generate an access risk benchmark. The detection and analysis module is used to perform abnormal traffic rhythm detection on the communication traffic characteristics to generate abnormal traffic parameters, perform time-series dynamic tracking based on the communication traffic characteristics to generate a communication state sequence, and perform instruction causal break detection on the communication state sequence according to the collaborative management and control configuration to generate risk location results. The decision output module is used to perform threat feature matching to identify risky devices based on the risk location results and the abnormal traffic parameters, define the linkage blocking range based on the risky devices and the access risk benchmark to generate security control values, and generate access decision results based on the security control values and differentiated access strategies.