Power internet of things edge ai model quantization compression security verification method

By performing orthogonal projection separation and differential quantization on the edge AI model of the power Internet of Things, and combining it with a dynamic adversarial verification dataset, the robustness degradation problem caused by quantization compression is solved, and the edge model is deployed securely and reliably under malicious attacks.

CN122394914APending Publication Date: 2026-07-14STATE GRID HENAN INFORMATION & TELECOMM CO

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
STATE GRID HENAN INFORMATION & TELECOMM CO
Filing Date
2026-04-28
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In existing technologies, edge AI models for the power Internet of Things fail to effectively distinguish between routine task features and robust defense features during the quantization and compression process, resulting in degradation of adversarial robustness. Furthermore, they lack targeted security breach assessment and vulnerability location mechanisms, which cannot guarantee the security and reliability of the model under malicious adversarial attacks.

Method used

By separating cloud model parameters based on orthogonal projection into regular task features and robust defense features, applying differentiated quantization strategies, and constructing a dynamic adversarial verification dataset for closed-loop inference and weak layer residual reinforcement, the precise location and targeted reinforcement of quantization loss are achieved.

Benefits of technology

While maintaining model volume compression, it significantly improves the adversarial robustness of the quantized compressed edge model, ensuring reliable deployment in critical power business scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure FT_1
    Figure FT_1
  • Figure FT_2
    Figure FT_2
  • Figure FT_3
    Figure FT_3
Patent Text Reader

Abstract

The application discloses a power Internet of Things edge AI model quantization compression security verification method, which decouples cloud model parameters into a regular task feature subspace and a robust defense feature subspace through feature space orthogonal projection separation, applies differential bit width quantization to the two subspaces to maintain the integrity of the defense feature structure while compressing the model volume, and constructs a dynamic adversarial verification data set to perform stimulated closed-loop reasoning on the quantized model to accurately locate the weak neuron layer section, and then implements directional repair based on low-rank adaptive residual reinforcement. Based on the above concept, the scheme can effectively avoid the indiscriminate damage of uniform quantization to the defense features, realize accurate positioning of quantization loss and targeted reinforcement of weak layers, significantly improve the adversarial robustness retention rate of the edge model after quantization compression, and thus guarantee the reliable deployment of edge intelligence in power key business scenarios.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of security verification, and more specifically, to a security verification method for the quantization and compression of edge AI models in the power Internet of Things. Background Technology

[0002] With the deepening application of the power Internet of Things (IoT) in key business scenarios such as substation inspection, transmission line status monitoring, and distribution network fault diagnosis, the demand for real-time AI inference at the edge is becoming increasingly urgent. However, edge terminals are generally limited by the computing power and storage resources of microcontroller chips, and high-precision floating-point pre-trained models in the cloud must undergo extreme quantization compression to complete edge deployment. While quantization compression significantly reduces model size and inference power consumption, it inevitably introduces a loss of parameter accuracy. As a critical national infrastructure, if the edge AI models of the power system suffer from adversarial robustness degradation due to quantization, they may produce misjudgments under malicious adversarial attacks and threaten the safety of power grid operation. Therefore, it is urgent to construct a systematic security verification method for the quantization compression process.

[0003] In existing technologies, model quantization compression typically employs a uniform, full-channel, low-bit-width quantization strategy, applying the same bit-width reduction and truncation operation to all network parameters. This fails to distinguish the functional differences between feature parameters responsible for routine inference tasks and robust feature parameters maintaining adversarial defense capabilities. This indiscriminate quantization process, when compressing the model to extremely low bit widths, simultaneously destroys the defensive feature structure embedded in high-precision floating-point weights, causing a significant shrinkage of the classification decision boundary when facing adversarial perturbation inputs. Furthermore, existing solutions lack targeted security lapse assessment and vulnerability location mechanisms after quantization, failing to accurately identify specific neuron layers whose defense capabilities have deteriorated due to quantization operations, and unable to implement targeted reinforcement and repair of exposed security vulnerabilities. These technical deficiencies prevent the effective verification and assurance of the security and reliability of quantized and compressed edge AI models in real-world adversarial environments within the power IoT, hindering the large-scale, reliable deployment of edge intelligence in critical power operations.

[0004] Therefore, we look forward to an optimized method for quantizing and compressing security verification of edge AI models in the power Internet of Things. Summary of the Invention

[0005] To address the aforementioned technical issues, this application provides a method for security verification of edge AI model quantization and compression in the power Internet of Things.

[0006] According to one aspect of this application, a method for security verification of quantization compression of edge AI models in the power Internet of Things is provided, comprising: Step 1: Based on the three-phase current sampling sequence, temperature time series matrix and partial discharge pulse signal in the original power scenario data stream, perform forward activation inference and orthogonal projection separation on the high-precision floating-point pre-trained model in the cloud to obtain mutually orthogonal sets of conventional task feature parameters and robust defense feature parameters. Step 2: Perform differential feature quantization and recombination based on orthogonal separation on the conventional task feature parameter set and the robust defense feature parameter set to obtain the edge initial quantization model; Step 3: Perform high-frequency adversarial perturbation synthesis on the extreme operating condition boundary vectors extracted from the original power scenario data stream, and superimpose the obtained adversarial perturbation noise back into the original data stream to obtain a dynamic adversarial verification dataset; Step 4: Inject the dynamic adversarial verification dataset into the edge initial quantization model to perform edge-side stimulated closed-loop inference and security loss assessment to obtain the quantization loss distribution matrix and the list of weak neuron nodes; Step 5: Based on the quantization loss distribution matrix, the list of weak neuron nodes, and the dynamic adversarial verification dataset, the initial edge quantization model is reinforced with weak layer residuals based on low-rank adaptive method to obtain a secure reinforced edge model; Step 6: Perform asymmetric encryption compilation on the security-hardened edge model to obtain deployable final secure firmware.

[0007] Compared with existing technologies, this application provides a security verification method for quantization compression of edge AI models in the power Internet of Things (IoT). It decouples cloud model parameters into a conventional task feature subspace and a robust defense feature subspace through orthogonal projection separation of the feature space. Differential bit-width quantization is applied to both subspaces to maintain the integrity of the defense feature structure while compressing the model volume. A dynamic adversarial verification dataset is constructed to perform stimulated closed-loop inference on the quantized model to accurately locate weak neuron segments. Finally, targeted repair is implemented based on low-rank adaptive residual reinforcement. Based on this concept, this scheme effectively avoids the indiscriminate destruction of defense features by uniform quantization, achieves precise location of quantization losses and targeted reinforcement of weak segments, significantly improves the adversarial robustness retention rate of the edge model after quantization compression, and thus ensures the reliable deployment of edge intelligence in critical power business scenarios. Attached Figure Description

[0008] The above and other objects, features, and advantages of this application will become more apparent from the more detailed description of the embodiments of this application in conjunction with the accompanying drawings. The drawings are provided to further illustrate the embodiments of this application and form part of the specification. They are used together with the embodiments of this application to explain this application and do not constitute a limitation thereof. In the drawings, the same reference numerals generally represent the same components or steps.

[0009] Figure 1This is a flowchart of a power Internet of Things edge AI model quantization compression security verification method according to an embodiment of this application; Figure 2 This is a schematic diagram of the data flow in the power Internet of Things edge AI model quantization compression security verification method according to an embodiment of this application; Figure 3 This is a flowchart of step two in the power Internet of Things edge AI model quantization compression security verification method according to an embodiment of this application; Figure 4 This is a flowchart of step three in the power Internet of Things edge AI model quantization compression security verification method according to an embodiment of this application. Detailed Implementation

[0010] Hereinafter, exemplary embodiments according to this application will be described in detail with reference to the accompanying drawings. Obviously, the described embodiments are merely some embodiments of this application, and not all embodiments of this application. It should be understood that this application is not limited to the exemplary embodiments described herein.

[0011] As indicated in this application and claims, unless the context clearly indicates otherwise, the words "a," "an," "an," and / or "the" are not specifically singular and may include plural forms. Generally speaking, the terms "comprising" and "including" only indicate the inclusion of explicitly identified steps and elements, which do not constitute an exclusive list, and the method or apparatus may also include other steps or elements.

[0012] While this application makes various references to certain modules of the systems according to embodiments of this application, any number of different modules can be used and run on user terminals and / or servers. The modules described are merely illustrative, and different aspects of the systems and methods may use different modules.

[0013] Flowcharts are used in this application to illustrate the operations performed by the system according to embodiments of this application. It should be understood that the preceding or following operations are not necessarily performed in exact order. Instead, various steps can be processed in reverse order or simultaneously as needed. Furthermore, other operations can be added to these processes, or one or more steps can be removed from them.

[0014] The technical solution of this application proposes a method for security verification of edge AI model quantization and compression in the power Internet of Things. Figure 1 This is a flowchart of a power Internet of Things edge AI model quantization compression security verification method according to an embodiment of this application. Figure 2 This is a system architecture diagram of a power IoT edge AI model quantization compression security verification method according to an embodiment of this application. Figure 1 and Figure 2As shown, the wind and solar power generation and energy storage management method according to an embodiment of this application includes the following steps: S1, based on the three-phase current sampling sequence, temperature time series matrix, and partial discharge pulse signal in the original power scenario data stream, forward activation inference and orthogonal projection separation are performed on the high-precision floating-point pre-trained model in the cloud to obtain mutually orthogonal sets of conventional task feature parameters and robust defense feature parameters; S2, differentiated feature quantization and recombination based on orthogonal separation are performed on the conventional task feature parameter set and robust defense feature parameter set to obtain an edge initial quantization model; S3, the extreme operating condition boundary vector extracted from the original power scenario data stream is subjected to high-precision floating-point pre-trained model quantization and recombination based on orthogonal separation. S4. Frequency adversarial perturbation synthesis, and the resulting adversarial perturbation noise is superimposed back onto the original data stream to obtain a dynamic adversarial verification dataset; S5. The dynamic adversarial verification dataset is injected into the edge initial quantization model to perform edge-side stimulated closed-loop inference and security loss assessment to obtain a quantization loss distribution matrix and a list of weak neuron nodes; S6. Based on the quantization loss distribution matrix, the list of weak neuron nodes, and the dynamic adversarial verification dataset, the edge initial quantization model is reinforced with weak layer residuals based on low-rank adaptive to obtain a security-reinforced edge model; S7. The security-reinforced edge model is asymmetric encrypted compilation to obtain deployable final security firmware.

[0015] Specifically, S1, based on the three-phase current sampling sequence, temperature time series matrix, and partial discharge pulse signal in the original power scenario data stream, performs forward activation inference and orthogonal projection separation on the cloud-based high-precision floating-point pre-trained model to obtain mutually orthogonal sets of conventional task feature parameters and robust defense feature parameters. It should be understood that in the power IoT edge deployment scenario, the cloud-based high-precision floating-point pre-trained model needs to be quantized and compressed before it can run on edge microcontroller chips with limited computing power and storage resources. However, the model parameters simultaneously carry two types of feature information with distinctly different functions: one type is the conventional task feature parameters that support conventional power business inference tasks (such as fault classification and state recognition), and the other type is the robust defense feature parameters that maintain the model's decision-making stability when facing adversarial disturbance attacks. In real-world power IoT edge environments, the three-phase current sampling sequence, the device surface temperature time series matrix, and the high-frequency pulse signal of partial discharge are not independent physical quantities. Instead, they are subject to strict physical coupling constraints of thermodynamics and electromagnetics. This means that in the feature space learned by the model, conventional task features and robust defense features have complex coupling and intertwining relationships in the high-dimensional parameter space. If an indiscriminate bit width reduction is applied to all parameters in the subsequent quantization compression stage, the defense feature structure will inevitably be destroyed simultaneously, leading to a severe degradation of the adversarial robustness of the quantized model. Therefore, before performing quantization compression, the parameter space of the high-precision floating-point pre-trained model in the cloud is first decoupled structurally, separating the conventional task feature parameters and robust defense feature parameters into mutually orthogonal subspaces, thereby providing a structured parameter basis for the implementation of subsequent differentiated quantization strategies.

[0016] In practice, the three-phase current sampling sequence, temperature time series matrix, and partial discharge pulse signal from the original power scenario data stream are first used as excitation sources to perform forward stimulated inference on a high-precision floating-point pre-trained model in the cloud to obtain a high-dimensional hidden layer feature tensor. In this process, the original power scenario data stream is first preprocessed and formatted. The three-phase current sampling sequence is a two-dimensional real matrix with the number of rows as the number of three-phase channels and the current sampling time step length as the number of columns; the temperature time series matrix is ​​a two-dimensional real matrix with the number of spatial nodes of temperature sensors as the number of rows and the temperature sampling time step length as the number of columns; the partial discharge pulse signal is a two-dimensional real matrix with the number of discharge pulse detection channels as the number of rows and the pulse signal sampling time step length as the number of columns. After time axis alignment and numerical normalization of the above three physical signals, they are concatenated along the channel dimension to form a unified multimodal input tensor. The number of rows is the total number of channels, which is the sum of the number of three-phase channels, the number of temperature sensor nodes, and the number of discharge detection channels, and the number of columns is the unified aligned time step length.

[0017] Then, the multimodal input tensor is fed into a cloud-based high-precision floating-point pre-trained model for forward stimulated inference. Assuming the model contains several hidden layers, the forward propagation logic is as follows: for each hidden layer, the output of the previous layer is multiplied by the layer's weight matrix, the layer's bias vector is added, and then transformed by the layer's nonlinear activation function to obtain the hidden layer output. The input of the first hidden layer is the aforementioned multimodal input tensor, and subsequent layers sequentially use the output of the previous layer as input, propagating forward layer by layer. The outputs of all hidden layers are aggregated and collected to form a high-dimensional hidden layer feature tensor. This tensor completely records the internal feature response states of each layer of the cloud-based high-precision floating-point pre-trained model under the stimulus of original power scenario data, providing necessary feature activation information for subsequent extreme condition sensitivity matrix calibration.

[0018] Next, based on the high-dimensional hidden layer feature tensor and the original power scenario data stream, the extreme condition sensitivity matrix of the input operating condition variables is calibrated to obtain the Jacobian sensitivity matrix. The sensitivity matrix is ​​used to quantify the partial derivative response intensity of the model output relative to each input operating condition variable in the original power scenario data stream. In this process, for each input operating condition variable in the input tensor formed by the original power scenario data stream (i.e., the value of a specific physical mode channel at a specific time step), the partial derivative value of each component in the model output vector with respect to that input operating condition variable is calculated. All partial derivative values ​​are arranged according to the three dimensions of output component, physical mode channel, and time step to form the complete Jacobian matrix. The physical meaning of each element in this matrix is ​​the change in the corresponding component of the model output when the input operating condition variable at the corresponding position in the original power scenario data stream undergoes a unit small perturbation.

[0019] After obtaining the complete Jacobian matrix, extreme condition sensitivity calibration is further performed on the input operating condition variables in the original power scenario data stream. Specifically, based on the statistical characteristics and physical thresholds of each physical quantity in the original power scenario data stream, an extreme operating condition indicator weight matrix with the same dimension as the input operating condition variable tensor is constructed. The weight values ​​of the corresponding positions of the input operating condition variables in the original power scenario data stream under extreme operating conditions (such as overload current, abnormal temperature rise, high frequency discharge, etc.) are set to larger values, while the weight values ​​of the corresponding positions of the input operating condition variables under normal operating conditions are set to smaller values. Then, the Jacobian matrix and the weight matrix are multiplied element-wise, i.e., the Hadamard product, to obtain the Jacobian sensitivity matrix after extreme operating condition weighting. This matrix retains the global partial derivative information of the model output with respect to all input operating condition variables in the original Jacobian matrix, and selectively amplifies the sensitivity response of the input operating condition variables in the extreme operating condition region of the original power scenario data stream. This makes the dimension with higher sensitivity values ​​accurately correspond to the parameter space direction of the key feature direction on which the model relies to maintain correct decision-making under extreme operating conditions, i.e., the robust defense feature. This provides a quantitative basis for distinguishing between conventional task features and robust defense features in the orthogonal projection stripping in the subsequent sub-steps.

[0020] Furthermore, based on the Jacobi sensitivity matrix, orthogonal projection is performed on the global network weights of the high-precision floating-point pre-trained model in the cloud to obtain the set of feature parameters for conventional tasks and the set of robust defense feature parameters. In this process, firstly, the principal directions corresponding to the robust defense features are extracted from the Jacobi sensitivity matrix. Specifically, singular value decomposition (SVD) is performed on the Jacobi sensitivity matrix, decomposing it into a product of three matrices: a left singular vector matrix, a singular value diagonal matrix, and the transpose of the right singular vector matrix. Singular value decomposition is a standard method in linear algebra for decomposing any matrix into a set of orthogonal basis directions and their corresponding strengths. The magnitude of the singular values ​​reflects the degree of information energy concentration of the matrix in the corresponding direction. Directions with larger singular values ​​correspond to the feature directions where the model's output changes most drastically under extreme conditions, i.e., the principal directions in the parameter space where the robust defense features reside. The right singular vectors corresponding to the first few largest singular values ​​are selected, and these vectors are arranged column-wise to form the basis matrix of the defense feature subspace.

[0021] Next, based on the basis matrix of the defense feature subspace, an orthogonal projection operator is constructed. Specifically, first, the basis matrix of the defense feature subspace is multiplied by its own transpose to obtain the orthogonal projection matrix of the defense feature subspace; second, the orthogonal projection matrix of the defense feature subspace is subtracted from the identity matrix, and the difference is the orthogonal projection matrix of the regular task feature subspace.

[0022] Furthermore, using the aforementioned orthogonal projection operator, orthogonal projection stripping is performed on the global network weights of the high-precision floating-point pre-trained model in the cloud. Specifically, for each layer of the network weight matrix, firstly, matrix multiplication is performed between the orthogonal projection matrix of the defense feature subspace and the weight matrix of that layer to obtain the parameter components belonging to the robust defense features in that layer's weights; secondly, matrix multiplication is performed between the orthogonal projection matrix of the regular task feature subspace and the weight matrix of that layer to obtain the parameter components belonging to the regular task features in that layer's weights.

[0023] Subsequently, after performing the above projection operation layer by layer on all hidden layers of the model, the regular task parameter components obtained from each layer are aggregated into a regular task feature parameter set, and the defense feature parameter components obtained from each layer are aggregated into a robust defense feature parameter set. Due to the properties of orthogonal projection, the two parameter sets satisfy the orthogonality constraint, meaning that for any layer, the Frobenius inner product between the regular task parameter components and the defense feature parameter components of that layer is zero. Simultaneously, the original global weights can be reconstructed losslessly from both, i.e., the original weight matrix of any layer is equal to the sum of the regular task parameter components and the defense feature parameter components of that layer. This orthogonal separation structure ensures that the regular task feature parameters and the robust defense feature parameters can be processed independently without interference during the subsequent differential quantization and reorganization process in step two.

[0024] Specifically, in S2, differentiated feature quantization and recombination based on orthogonal separation are performed on the conventional task feature parameter set and the robust defense feature parameter set to obtain the initial edge quantization model. It should be understood that step one has already decoupled the global network weights of the cloud-based high-precision floating-point pre-trained model into mutually orthogonal conventional task feature parameter sets and robust defense feature parameter sets through forward activation inference and orthogonal projection separation. However, these two parameter sets still exist in their respective orthogonal subspaces as high-precision floating-point numbers and have not yet undergone any quantization compression processing, making them unsuitable for direct deployment to edge microcontroller chips with extremely limited computing power and storage resources. Furthermore, when high-dimensional parameters are quantized and compressed to low bit widths, the numerical distribution of robust feature parameters is usually scattered and extremely small, which is forcibly truncated and erased by the redundancy of conventional quantization methods, leading to a precipitous drop in the security performance of the model after deployment at the edge. If the same quantization strategy is applied to both parameter sets, while the conventional task feature parameters can maintain basic inference accuracy at a low bit width, the fine-grained structures in the robust defense feature parameters, which are numerically small but crucial for adversarial robustness, will be irreversibly truncated and lost. Therefore, in the technical solution of this application, the orthogonal separation structure established in step one is used to apply differentiated quantization strategies to the conventional task feature parameter set and the robust defense feature parameter set respectively—aggressive dimensionality reduction compression is performed on the conventional task feature parameter set to minimize the model volume, and high-granularity fidelity quantization mapping is performed on the robust defense feature parameter set to maximize the preservation of the integrity of the defense features—then, through the inverse mapping transformation of orthogonal projection, the two are mapped from their respective subspaces back to the global network topology space, and reorganized into a unified edge initial quantization model, thereby achieving a differentiated balance between inference efficiency and adversarial robustness at extreme compression ratios.

[0025] Figure 3 This is a flowchart of step two in the power IoT edge AI model quantization compression security verification method according to an embodiment of this application. Figure 3 The S2 includes: S21, performing aggressive dimensionality reduction and compression on the conventional task feature parameter set to obtain extremely low bit-width task parameters; S22, performing high-granularity fidelity quantization mapping on the robust defense feature parameter set to obtain high-fidelity defense parameters; S23, based on the inverse mapping transformation matrix of orthogonal projection, mapping the extremely low bit-width task parameters and high-fidelity defense parameters from their respective subspaces back to the global network topology space to obtain the edge initial quantization model.

[0026] Specifically, in step S21, aggressive dimensionality reduction compression is performed on the set of regular task feature parameters to obtain task parameters with extremely low bit widths. In this process, the set of regular task feature parameters includes weight parameter components belonging to the regular task subspace in all hidden layers of the model. For each layer's regular task parameter component, the aggressive dimensionality reduction compression process is as follows: First, the target quantization bit width is determined, which is set to an extremely low value, corresponding to a total number of quantization levels that is a power of 2 over the target bit width. Next, the maximum and minimum values ​​of all elements in the regular task parameter component of that layer are calculated, and the quantization step size is calculated. The quantization step size represents the numerical spacing between two adjacent quantization levels; a lower bit width results in fewer quantization levels, and a larger quantization step size results in coarser quantization precision.

[0027] Furthermore, based on the quantization step size, a uniform quantization mapping is performed on each element of the regular task parameter components of this layer, mapping it from continuous floating-point values ​​to the nearest discrete quantization level. After performing the above aggressive dimensionality reduction and compression operation layer by layer on the regular task parameter components of all hidden layers of the model, the extremely low bit-width quantization results obtained from each layer are aggregated in layer order to obtain a complete set of extremely low bit-width task parameters, which contains all regular task quantization parameters from the first hidden layer to the last hidden layer.

[0028] Specifically, in step S22, high-granularity fidelity quantization mapping is performed on the robust defense feature parameter set to obtain high-fidelity defense parameters. In this process, for each layer of robust defense parameter components, the target quantization bit width of the defense features is first determined. This bit width is set to a value significantly higher than the bit width of conventional task parameters (e.g., when conventional task parameters use 4-bit quantization, defense feature parameters use 8-bit or 12-bit quantization). The total number of corresponding quantization levels is a power of 2, which is much larger than the number of quantization levels for conventional task parameters. Specifically, the high-granularity fidelity quantization mapping employs a channel-by-channel non-uniform quantization strategy to more finely adapt to the differentiated numerical distribution of defense feature parameters across different channels. For each output channel of each layer of defense parameter components (i.e., each row of the weight matrix of that layer), the quantization step size of that channel is calculated independently.

[0029] Next, based on the channel-by-channel quantization step size, a high-fidelity quantization mapping is performed on the defense parameters of that channel. The quantization mapping calculation logic for each element is the same as that for the uniform quantization mapping in substep S21: first, the original floating-point value of the element is subtracted from the minimum value of the channel parameter to obtain the offset; then, the offset is divided by the quantization step size of the channel to obtain the continuous index value; the continuous index value is rounded to obtain the discrete index; finally, the discrete index is multiplied by the quantization step size of the channel and added to the minimum value of the channel to restore the quantized approximate floating-point value. The quantization results of all output channels of each layer are reassembled row by row to obtain the high-fidelity defense parameters of that layer.

[0030] Specifically, in step S23, based on the inverse mapping transformation matrix of orthogonal projection, the extremely low bit-width task parameters and high-fidelity defense parameters are mapped from their respective subspaces back to the global network topology space to obtain the initial edge quantization model. In the aforementioned steps, the orthogonal projection stripping operation decomposes the global network weights into two orthogonal subspaces, using the orthogonal projection matrix of the defense feature subspace and the orthogonal projection matrix of the regular task subspace, respectively. Since the orthogonal projection matrix itself is an idempotent matrix, its inverse mapping transformation within the orthogonal decomposition framework is equivalent to directly adding the parameter components in the two subspaces to recover the parameter representation in the global space.

[0031] Based on the aforementioned orthogonal direct summation property, an inverse mapping recombination is performed on the quantization parameters of each layer of the model. Specifically, the extremely low bit-width task parameters and the high-fidelity defense parameters of that layer are directly added using matrix addition, that is, the corresponding elements in the two matrices are added one by one. The result is the recombined quantization weight of that layer in the global network topology space. This operation is performed layer by layer on all layers of the model from the first hidden layer to the last hidden layer. It is worth mentioning that the extremely low bit-width task parameters are the result of the original weights being projected onto the conventional task projection operator and then quantized, and their components in the defense feature subspace direction are zero; the high-fidelity defense parameters are the result of the original weights being projected onto the defense feature projection operator and then quantized, and their components in the conventional task subspace direction are zero. Therefore, when the two are added, there is no cross-interference between subspaces, and the quantization accuracy in each subspace direction is completely determined independently by the quantization strategy of that subspace itself.

[0032] Furthermore, after performing the aforementioned inverse mapping and recombination operation layer by layer on all hidden layers of the model, the recombination quantization weights of each layer are assembled according to the original network topology, while retaining the bias parameters of the original model, ultimately obtaining the edge initial quantization model. The network topology of this edge initial quantization model is completely consistent with the cloud-pre-trained model, but its weight parameters have been converted from the original high-precision floating-point representation to a differentiated quantization representation. Parameters in the direction of conventional task features are stored with extremely low bit width, while parameters in the direction of defensive features are stored with higher bit width. This significantly reduces the overall storage overhead of the model while maximizing the preservation of the fine structure of robust defensive features.

[0033] Specifically, in step S3, high-frequency adversarial perturbation synthesis is performed on the extreme operating condition boundary vectors extracted from the original power scenario data stream, and the resulting adversarial perturbation noise is superimposed back onto the original data stream to obtain a dynamic adversarial verification dataset. It should be understood that while differentiated quantization and recombination strive to maintain the integrity of defensive features at the design level, the quantization process inevitably introduces truncation errors. Whether these truncation errors have caused a substantial degradation in the adversarial robustness of the initial edge quantization model must be evaluated through systematic adversarial verification. Specifically, in the security verification process of the edge AI model in the power IoT, the quality of the adversarial examples directly determines the credibility of the verification conclusions. If only conventional test data is used to evaluate the initial edge quantization model, the security weaknesses of the model in the face of malicious adversarial attacks cannot be exposed; if the adversarial examples used lack real physical destructiveness, the verification conclusions will be overly optimistic and cannot reflect the true security level of the model in actual adversarial environments. Therefore, in the technical solution of this application, boundary features under extreme operating conditions are extracted from the original power scenario data stream, and a noise signal with high-frequency adversarial disturbance characteristics is synthesized using a generative adversarial network. This signal is then superimposed back onto the original data stream to construct a dynamic adversarial verification dataset that includes both normal operating condition data and extreme adversarial disturbance data. This provides verification input with sufficient attack strength for the edge-side stimulated closed-loop inference and security loss assessment in the subsequent step four.

[0034] Figure 4 This is a flowchart of step three in the power IoT edge AI model quantization compression security verification method according to an embodiment of this application. Figure 4 As shown, in the first embodiment of this application, step S3 includes: S31, extracting extreme physical boundary features from the original power scenario data stream to obtain an extreme operating condition boundary vector; S32, inputting the extreme operating condition boundary vector and Gaussian distributed random prior noise into a generative adversarial network that introduces a nonlinear topological random walk operator to synthesize high-frequency adversarial perturbations on the extreme operating condition boundary vector to obtain high-frequency adversarial perturbation noise; and S33, fusing the high-frequency adversarial perturbation noise into the original power scenario data stream to obtain a dynamic adversarial verification dataset.

[0035] Specifically, in step S31, extreme physical boundary features are extracted from the original power scenario data stream to obtain the extreme operating condition boundary vector. In this process, firstly, a time window within the normal steady-state operation of the equipment is selected as the steady-state time window, and the start and end time step indices of this steady-state time window are predetermined. Within this steady-state time window, the statistical mean is calculated for each physical mode channel of the multimodal input tensor to obtain the normal operating condition physical baseline vector. After performing the above calculation on all physical mode channels, the baseline values ​​of each channel are arranged in channel order to form the normal operating condition physical baseline vector. The statistical mean within the steady-state time window represents the typical numerical level of each physical quantity under normal operating conditions. Using this as a baseline can measure the degree to which each physical quantity deviates from the normal state in subsequent time steps.

[0036] Next, for each time step in the original power scenario data stream, the absolute value difference between the multimodal numerical vector and the physical baseline vector under normal operating conditions is calculated. This calculation is performed for all time steps in the original data stream to obtain a complete absolute deviation matrix. The number of rows in this matrix equals the total number of physical mode channels, and the number of columns equals the total length of the sampling time steps. The absolute value difference eliminates the directionality of the deviation (both positive and negative deviations are considered as deviations), retaining only the magnitude of the deviation. This allows subsequent threshold judgments to simultaneously capture both positive and negative over-limit conditions.

[0037] Furthermore, a static threshold is set, which is a preset positive real scalar value used to define the boundary between normal and extreme operating conditions. For each element in the absolute deviation matrix, it is determined whether it exceeds the static threshold, and a binary mask matrix is ​​constructed accordingly. Specifically, for each element in the absolute deviation matrix, if the value of the element is strictly greater than the static threshold, the corresponding position in the binary mask matrix is ​​filled with the value 1, indicating that the position belongs to the extreme operating condition characteristic; if the value of the element is less than or equal to the static threshold, the corresponding position is filled with the value 0, indicating that the position belongs to the normal operating condition range.

[0038] Subsequently, a binary mask matrix is ​​used to strip features from the original power scenario data stream, extracting the extreme operating condition boundary vector. Specifically, the binary mask matrix is ​​multiplied element-wise with the original multimodal input tensor (i.e., Hadamard product). For each position in the matrix, the mask value (0 or 1) at that position is multiplied by the original data value, and the resulting product is the stripping result at that position. The final extreme operating condition boundary vector retains only extreme feature data that deviates from the normal operating condition physical baseline by more than a static threshold, while data within the normal operating condition range is filtered out. This extreme operating condition boundary vector encodes the extreme operating condition physical feature information in the original power scenario data stream, providing seed input for high-frequency adversarial perturbation synthesis in subsequent sub-steps.

[0039] Specifically, in step S32, the extreme operating condition boundary vector and Gaussian distributed random prior noise are jointly input into a generative adversarial network that introduces a nonlinear topological random walk operator to synthesize high-frequency adversarial perturbations on the extreme operating condition boundary vector, resulting in high-frequency adversarial perturbation noise. In this process, firstly, a random prior noise vector is generated by sampling from a standard multivariate Gaussian distribution with zero mean and an identity matrix. The extreme operating condition boundary vector matrix is ​​then flattened into a one-dimensional vector and concatenated with the prior noise vector to form the joint input vector of the generator. The first half encodes the physical characteristics of the extreme operating condition, while the second half provides random diversity.

[0040] Next, the joint input vector is fed into the generator and propagated layer by layer. In the intermediate hidden layers, a nonlinear topological random walk operator performs a transformation on the hidden layer features: first, the squared Euclidean distance between each pair of hidden layer features is calculated, divided by the temperature parameter, and the negative is taken to calculate the natural exponent. Then, softmax normalization is performed row by row to obtain the local topological transition probability matrix. The closer the distance, the higher the transition probability. Furthermore, the transition probability matrix and the hidden layer feature vector are multiplied to achieve one-step diffusion propagation of features on the topological structure. A low-variance Gaussian perturbation term is superimposed to introduce path randomness. Finally, the transformation is completed through a nonlinear activation function. After processing by all hidden layers, the generator outputs high-frequency adversarial noise of the same size as the original data stream.

[0041] During the training phase, the generator and discriminator are alternately optimized using a minimax game strategy. The discriminator attempts to distinguish between real adversarial samples and generated samples, while the generator attempts to make the generated samples deceive the discriminator. After the adversarial process converges, the generator can synthesize adversarial perturbations with realistic statistical characteristics. Simultaneously, a high-frequency energy regularization term is introduced into the generator loss. After performing a discrete Fourier transform on the output perturbation, the squares of the amplitudes of components above the cutoff frequency are accumulated and negatively calculated as the regularization loss. This drives the generator to concentrate the perturbation energy in the high-frequency band to enhance its attack penetration against the model's decision boundary. Through this process, the generator finally outputs high-frequency adversarial perturbation noise with rich high-frequency adversarial components, based on the physical characteristics of extreme working condition boundary conditions.

[0042] Specifically, in step S33, the high-frequency adversarial disturbance noise is fused into the original power scenario data stream to obtain a dynamic adversarial verification dataset. In this process, firstly, a preset positive real-valued disturbance strength control coefficient is introduced. Each element in the high-frequency adversarial disturbance noise matrix is ​​multiplied by this coefficient to obtain an intensity-adjusted adversarial disturbance noise matrix. This coefficient determines the amplitude ratio of the adversarial disturbance relative to the original signal; a larger coefficient indicates a stronger adversarial disturbance and a greater attack on the model, while a smaller coefficient indicates a weaker adversarial disturbance and a smaller attack on the model.

[0043] Next, for each corresponding position in the original multimodal input tensor of the intensity-adjusted adversarial perturbation noise matrix, the original data value at that position is directly added to the adjusted adversarial perturbation noise value. The sum is the adversarial verification data value at that position. After performing the above addition operation on all positions one by one, the verification data matrix fused with adversarial perturbation is obtained.

[0044] It is worth mentioning that, in actual implementation, to construct a dynamic adversarial verification dataset covering multiple attack intensities, several different perturbation intensity control coefficient values ​​were set. The aforementioned intensity adjustment and superposition operations were performed on each coefficient value, and all superposition results were aggregated into a unified verification dataset. Simultaneously, since the Gaussian distributed random prior noise in the generative adversarial network is different with each sample, even under the same perturbation intensity control coefficient, multiple executions of sub-steps S32 and S33 can generate adversarial verification samples with different perturbation modes, thereby further enriching the diversity of the dynamic adversarial verification dataset. The final dynamic adversarial verification dataset contains adversarial verification samples generated under multiple attack intensities and perturbation modes. Each sample is a superposition of original power scenario data and high-frequency adversarial perturbation noise, simulating different types and intensities of malicious adversarial attacks that may be encountered in the edge scenario of the power Internet of Things. This dataset will be injected into the edge initial quantization model in subsequent step four to evaluate the impact of the quantization process on the model's adversarial robustness and accurately locate weak neuron layers whose defense capabilities have deteriorated due to the quantization operation.

[0045] In particular, those skilled in the art should know that in the security verification process of edge AI models in the power Internet of Things, the quality of adversarial examples directly determines the credibility of the verification conclusions. Sub-step S31 of the first embodiment uses the statistical mean within the steady-state time window as the physical baseline for normal operating conditions, and superimposes a static threshold with the absolute value difference. The feature stripping scheme is essentially a single-variable, single-moment absolute quantity limit detection logic. This logic has a fundamental blind spot in physical cognition in engineering practice: it completely ignores the objectively existing dynamic nonlinear physical coupling relationship between multimodal sensing data in the power Internet of Things.

[0046] In real-world power IoT edge scenarios, the three-phase current sampling sequence, the equipment surface temperature time series matrix, and the partial discharge high-frequency pulse signal are not independent physical quantities, but rather governed by strict physical coupling constraints of thermodynamics and electromagnetics. Taking a high-voltage transmission line icing scenario as an example: in the initial, concealed evolution stage of icing, the ice layer on the conductor surface simultaneously alters the conductor's heat dissipation coefficient and electromagnetic induction characteristics. This leads to an abnormal compression of the temperature rise slope while the load current remains at a normal level—a broken physical correlation where the current is normal but the temperature decreases instead of rising. At this time, the absolute values ​​of the three-phase currents do not exceed any static thresholds, and the absolute values ​​of the temperatures are also within the normal range. The absolute difference method of the first embodiment is completely blind to this type of extreme distortion and cannot trigger any feature stripping action.

[0047] Similar coupling breakdown phenomena also exist in the early incubation stage of transformer partial discharge: the amplitude of the partial discharge pulse may not yet exceed the static threshold of the historical average, but the phase coupling relationship between it and the load current has already undergone a significant nonlinear drift. The single-variable absolute value filtering logic of the first embodiment is also powerless against this cross-modal phase coupling anomaly.

[0048] The direct consequence of the above defects is that the extreme condition boundary vectors received in the subsequent sub-step S32 are severely lacking in the physical characteristics of the covert extreme conditions, resulting in the high-frequency adversarial disturbance noise synthesized by the generative adversarial network lacking real physical destructiveness, ultimately rendering the entire security verification process ineffective against the most dangerous covert attack modes.

[0049] In view of the above-mentioned technical defects, this application further proposes a second embodiment.

[0050] Specifically, firstly, the original power scenario data stream is dynamically reconstructed using a multi-physics coupling graph to obtain the coupling graph matrix and graph signal vector. In the edge scenario of the power Internet of Things, there is a cooperative evolution relationship between sensor data of different physical modes, which is constrained by physical laws. This relationship remains stable under normal operating conditions, but structural breakdowns can occur under extreme and severe operating conditions.

[0051] To make this implicit physical collaboration explicit, the original power scenario data stream is first normalized to eliminate dimensional differences and generate graph signal vectors. At the same time, the rate of change gradients of different physical modes within the time window T are calculated, and a coupled graph matrix is ​​constructed in the form of exponential decay of gradient differences, encoding the dynamic collaboration between physical quantities as edge weights of the graph.

[0052] When the rates of change of two physical quantities are highly consistent (such as current and temperature rising synchronously), the corresponding edge weight approaches 1, indicating strong physical coupling; when the rates of change of the two quantities diverge, the edge weight decays rapidly, indicating a loosening of the physical connection.

[0053] This step can be represented as: in, This is the data tensor of the original power scenario data stream; The normalized graph signal vector represents the state reference of each sensor at the current time section; Physical mode nodes in the coupling graph matrix With nodes Edge weights between them; For the first Each physical mode in The time gradient at any given moment; This is the physical smoothing control coefficient, used to adjust the sensitivity of edge weights to gradient differences; To prevent division by zero crashes, the smallest normal quantity; TT is the length of the sliding time window used to calculate dynamic cooperative relationships.

[0054] Next, a manifold deviation metric is applied to the coupled graph matrix and the graph signal vector to obtain the deviation energy vector. Graph structure alone is insufficient to quantify the degree of breakdown in physical relationships. The graph Laplace operator is a core tool in graph signal processing for measuring the smoothness of a signal on a graph structure—when the graph signal maintains coordinated change between adjacent nodes (i.e., sensors with strong physical coupling), the graph Laplace quadratic form has low energy; once the change of a physical quantity deviates from its coupling constraints (such as abnormal temperature compression caused by icing), this energy value will undergo a drastic change.

[0055] Based on this, the graph Laplacian matrix L is derived using the coupled graph matrix, and the graph signal vector is projected onto this operator to calculate the physical cooperative fracture energy in the spatial dimension. Simultaneously, the L2 norm term of the time gradient is introduced to capture sudden shocks in the time dimension. The weighted sum of these two terms outputs the deviation energy vector. This process is represented as follows: in, The graph Laplacian matrix is ​​the degree matrix of the coupled graph matrix. minus It is obtained by itself; This is the output bias energy vector; The input is the graph signal vector; The quadratic energy of the graph signal quantifies the structural rebellion degree of each physical quantity in space, which is free from coupling constraints. The time partial derivative of the signal is used to capture sudden shocks in the time domain. This is the spatiotemporal penalty balance coefficient, used to adjust the relative weights between the spatial coupling breakdown term and the temporal abrupt change term; It is a column vector consisting entirely of 1s.

[0056] In the scenario of icing-induced concealed evolution, even if the absolute values ​​of current and temperature do not exceed limits, the divergence in their rates of change will cause a sharp drop in the smoothness of the graph signal at the coupling edges, leading to... Significant energy spikes appear, thus accurately identifying hidden extreme conditions that are completely imperceptible in the first embodiment.

[0057] Furthermore, based on the deviation energy vector, energy-gated physical boundary adaptive extraction is performed on the original power scenario data stream to obtain the extreme operating condition boundary vector. That is, after obtaining the deviation energy vector, it needs to be transformed into a precise mask extraction of the original data. The first embodiment uses a fixed threshold. Hard cut-off requires frequent manual recalibration under different operating conditions, seasons, and equipment aging levels, and is not sensitive to the boundary position of energy mutation.

[0058] The second embodiment uses the expected value of the sliding window of the deviation energy vector as a dynamic baseline, constructs a nonlinear adaptive gating function in the form of a sigmoid function, and performs a Hadamard product with the original power scenario data stream to achieve adaptive boundary optimization that yields more complete feature extraction as the physical relationship becomes more abnormal, outputting an extreme operating condition boundary vector, as shown below: in, This is for extracting the extreme condition boundary vectors of the final output; The input is the raw power scenario data stream; The input bias energy vector; The steady-state mathematical expectation of the deviation energy within the sliding window serves as the dynamic adaptive baseline; The gated nonlinear steepness factor controls the response sensitivity of the Sigmoid function near the energy abrupt change point. It is the operator for tensor Hadamard product (element-level multiplication).

[0059] The deviation energy at a certain moment Significantly higher than the dynamic baseline When the deviation energy is at a normal level, the Sigmoid gate value approaches 1, and the original data is fully transmitted; when the deviation energy is at a normal level, the gate value approaches 0, and the normal operating condition data is naturally suppressed.

[0060] This mechanism completely eliminates the reliance on manually calibrated static thresholds. In high-risk and concealed scenarios such as the early incubation of partial discharge in transformers and the hidden evolution of icing on transmission lines, it can accurately capture the extreme boundary features carried by cross-modal physical correlation ruptures, providing feature inputs with real physical destructiveness for subsequent synthesis of anti-disturbance.

[0061] The absolute threshold stripping scheme in the first embodiment suffers from a systematic feature omission defect when facing concealed extreme operating conditions where the absolute values ​​of all physical quantities have not exceeded the limits, but the physical coupling relationship has structurally broken. This renders the security verification process ineffective against the most dangerous concealed attack modes. The improved mechanism proposed in the second embodiment introduces graph signal processing and manifold learning to explicitly encode the dynamic physical coupling relationship between multimodal sensing data into a graph structure. It then uses graph Laplace quadratic energy to quantify the degree of breakage of the physical cooperative relationship and finally replaces static threshold cutting with adaptive energy gating, achieving accurate adaptive extraction of boundary features for concealed extreme operating conditions.

[0062] At the engineering implementation level, the improved mechanism eliminates the need for manual recalibration of threshold parameters and automatically adjusts the dynamic baseline according to equipment aging, seasonal climate changes, and load fluctuations, significantly reducing edge-side operation and maintenance costs. More importantly, the extracted extreme condition boundary vectors carry real cross-modal physical fracture information, enabling the subsequent synthesis of adversarial examples to possess true physical penetration, fundamentally improving the credibility of the entire security verification process in assessing the ability of the power IoT edge AI model to defend against covert attacks.

[0063] Specifically, in step S4, the dynamic adversarial verification dataset is injected into the edge initial quantization model to perform edge-side stimulated closed-loop inference and security lapse assessment to obtain the quantization loss distribution matrix and a list of weak neuron nodes. It should be understood that existing solutions lack targeted security lapse assessment and weak link location mechanisms after quantization, failing to accurately identify specific neuron segments whose defense capabilities have deteriorated due to quantization operations, and also failing to implement targeted reinforcement and repair of exposed security vulnerabilities. Without a systematic security lapse assessment of the edge initial quantization model, the subsequent security reinforcement in step five will lack precise location basis, only allowing for indiscriminate global repair of all model parameters. This not only incurs huge computational costs but may also damage parameter regions that have already maintained good performance. Therefore, in the technical solution of this application, the dynamic adversarial verification dataset constructed in step three is injected into the edge initial quantization model. Stimulated closed-loop inference is used to obtain the model's output response under adversarial perturbation input, quantifying and assessing the degree of classification decision offset between the model output and the true label. Error backpropagation is then used to accurately locate the weak neuron nodes whose defense capabilities have deteriorated most severely due to quantization operations, providing accurate quantization loss distribution information and weak link location results for targeted security reinforcement in step five.

[0064] In practice, the dynamic adversarial validation dataset is first injected into the edge initial quantization model for stimulated closed-loop inference to obtain the output confidence prediction matrix. In this process, the dynamic adversarial validation dataset is initially set to contain several adversarial validation samples, each with the same size as the original multimodal input tensor. Each adversarial validation sample is injected into the edge initial quantization model, and forward propagation is performed layer by layer from the input layer to the output layer according to the model's network topology. The edge initial quantization model contains several hidden layers, and the forward inference process for each layer is as follows: the output of the previous layer (for the first layer, the output of the previous layer is the current adversarial validation sample itself) is taken as the input of the current layer; the quantization weight matrix of the current layer is multiplied by this input; the bias vector of the current layer is added; and finally, the result is transformed element-wise through the nonlinear activation function of the current layer to obtain the activation output of the current layer. This process starts from the first hidden layer and proceeds layer by layer until the last hidden layer completes its calculation.

[0065] After forward propagation through all hidden layers, the output of the last hidden layer is fed into the model's output layer. The output layer typically contains a linear transformation and a softmax normalization function, used to map the hidden layer features to confidence probability values ​​for each category. After performing the above forward inference process on each sample in the dynamic adversarial validation dataset, the confidence probability vectors of each sample are arranged row-wise, ultimately yielding the output confidence prediction matrix. This matrix completely records the output response of the initial edge quantization model on all adversarial validation samples, providing the necessary prediction data for the classification decision offset quantization calculation in subsequent sub-steps.

[0066] Next, based on the true labels in the dynamic adversarial validation dataset, the classification decision bias between the output confidence prediction matrix and the true labels is quantized to obtain the quantized loss distribution matrix. Each adversarial validation sample in the dynamic adversarial validation dataset is accompanied by a true label, which is an integer value representing the correct class to which the sample belongs. In this process, the true labels are first converted to one-hot encoded form to obtain a true label vector, where only the element corresponding to the true class is 1, and the elements at all other positions are 0. Secondly, for each sample, the cross-entropy loss function is first used to calculate the classification decision bias between the output confidence prediction result and the true label. Specifically, each element in the one-hot encoded vector of the true label is multiplied by the natural logarithm of the confidence probability value at the corresponding position in the output confidence prediction matrix. The products for all classes are summed, and finally, the sum is negative to obtain the cross-entropy loss value for that sample. When the model's confidence probability value for the true class is higher (closer to 1), the natural logarithm value is closer to 0, and the negative value results in a smaller loss, indicating a smaller classification decision bias. Conversely, when the model's confidence probability value for the true class is lower (closer to 0), the natural logarithm value tends towards negative infinity, and the negative value results in a larger loss, indicating a larger classification decision bias, meaning a more severe degradation of the model's adversarial robustness on that sample. Therefore, a class-specific decision bias is calculated for each category of each sample. The class-specific decision bias is quantified using the squared difference between the predicted confidence and the true label. Specifically, for each category of each sample, the confidence probability value of the sample in that category in the output confidence prediction matrix is ​​subtracted from the element value corresponding to that category in the one-hot encoding vector of the true label (1 for the true category, 0 for the non-true category). The difference is then multiplied by itself (i.e., squared) to obtain the class-specific decision bias of the sample in that category. The squared difference quantifies the deviation between the predicted probability and the ideal probability. For the true class, the ideal probability is 1; if the model predicts a probability much lower than 1, the squared difference is large. For the non-true class, the ideal probability is 0; if the model incorrectly assigns a higher predicted probability, the squared difference is also large. Subsequently, the class-specific decision offsets of all samples are arranged by row and column to obtain the quantization loss distribution matrix. For the column corresponding to the true class, a large loss value indicates that the model failed to assign sufficient confidence to the true class; for the column corresponding to the non-true class, a large loss value indicates that the model incorrectly assigned excessive confidence to that non-true class. This matrix comprehensively characterizes the security churn distribution pattern of the initial quantization model on the dynamic adversarial validation dataset, providing a source of loss signals for error backpropagation and weak point localization in subsequent sub-steps.

[0067] Furthermore, based on the quantized loss distribution matrix, the error gradient is backpropagated into the edge initial quantization model through error backpropagation, and the sensitivity of each bottom-level tensor node to defend against deteriorating gradients is traced back to obtain a list of weak neuron nodes. In this process, firstly, the loss values ​​in the quantized loss distribution matrix are aggregated into a scalar loss signal for backpropagation. Specifically, all elements are summed and averaged to compress the refined loss information for each sample and each category into a single scalar value. This scalar value serves as the starting signal for error backpropagation, driving the gradient backpropagation layer by layer from the output layer to the input layer. Secondly, using this overall loss scalar as the starting point of the error signal, the error gradient is backpropagated from the output layer to the input layer and injected into the edge initial quantization model through the error backpropagation mechanism. The error backpropagation process follows a chain rule, starting from the output layer and sequentially calculating the partial derivative (i.e., gradient value) of the overall loss with respect to each node parameter in each layer. For the quantization weights of each layer in the edge initial quantization model, the calculation logic of the gradient matrix of the overall loss with respect to the weights of that layer involves two key quantities: the error term of that layer and the input of that layer. The gradient matrix of each layer is equal to the product of the transpose of the error term of that layer and the matrix product of the input of that layer (i.e., the activation output of the previous layer). The gradient matrix quantifies the ratio of the change in overall loss to the change in the value of each parameter element in the weights of that layer when a small change occurs. A larger gradient value indicates a greater impact of that parameter on the overall loss. For the output layer, the error term is equal to the difference between the model's confidence prediction vector and the one-hot encoded vector of the true label. That is, for each class, the model's predicted confidence probability value is subtracted from the corresponding value in the one-hot encoded vector of the true label (1 for the true class, 0 for the non-true class), and the resulting difference vector is the error term of the output layer. The output layer error term directly reflects the direction and magnitude of the deviation between the model's prediction and the true label, and is the initial signal for error backpropagation. For intermediate hidden layers, the transpose of the quantization weight matrix of the next layer (i.e., the layer closer to the output layer) is first multiplied with the error term of the next layer to obtain the error signal propagated back from the next layer to the current layer. Then, this propagated error signal is multiplied element-wise with the derivative of the current layer's activation function at the output of the current layer's linear transformation (i.e., the Hadamard product) to obtain the error term of the current layer. This recursive process starts from the error term of the output layer and backtracks layer by layer until the first hidden layer, ensuring that each layer of the model obtains its corresponding error term and gradient matrix. After performing the above error backpropagation calculation layer by layer on all hidden layers of the model, the gradient matrix of each layer is obtained, and the size of this gradient matrix is ​​exactly the same as the quantization weight matrix of the corresponding layer.

[0068] Subsequently, after obtaining the gradient matrices of all layers, the defensive degradation gradient sensitivity of each bottom-level tensor node is traced back to its source. Specifically, for each neuron node in each layer, the absolute value of each element in the gradient vector corresponding to that node (i.e., all elements in the row containing that node in the gradient matrix of that layer) is taken, and then all absolute values ​​are summed one by one to obtain the scalar value of the defensive degradation gradient sensitivity of that node. The larger the defensive degradation gradient sensitivity value of a node, the greater the contribution of the parameter accuracy loss of that node to the overall robustness degradation of the model, that is, the node is the weakest link whose defensive capability is most severely degraded due to quantization operations.

[0069] Finally, after calculating the defense degradation gradient sensitivity for all neurons in all hidden layers of the model, all nodes are globally sorted according to their sensitivity values ​​from high to low. A weak node screening threshold is set, and nodes with sensitivity values ​​higher than this threshold are selected to form a weak neuron node list. The nodes in this list are arranged from high to low defense degradation gradient sensitivity, representing the weakest links in the edge initial quantization model whose defense capabilities have been most severely degraded due to quantization operations. This weak neuron node list, together with the quantization loss distribution matrix, constitutes the output of step four, which will serve as the precise location basis and loss signal source for weak layer residual reinforcement based on low-rank adaptation in the subsequent step five.

[0070] Specifically, in S5, based on the quantization loss distribution matrix, the list of weak neuron nodes, and the dynamic adversarial verification dataset, the initial quantization model at the edge is reinforced with low-rank adaptive weak layer residuals to obtain a security-reinforced edge model. It should be understood that merely identifying and locating weak links cannot eliminate the security risks faced by the initial quantization model at the edge. In these weak segments, the accuracy loss introduced by quantization compression has created structural gaps in the model's adversarial robustness defenses. Adversarial attack samples can precisely penetrate these gaps, causing the AI ​​model deployed at the edge to produce incorrect classification decisions when facing malicious adversarial attacks. This is unacceptable for critical decision-making tasks related to the safe operation of the power grid in the power Internet of Things scenario. Therefore, in the technical solution of this application, the quantization loss distribution matrix is ​​used as the error gradient guidance signal, the weak neuron node list is used as the precise positioning coordinates, and the dynamic adversarial verification dataset is used as the adversarial incentive source for reinforcement training. The weak segments in the initial quantization model of the edge are specifically reinforced by residual compensation based on low-rank adaptive, so that the security defense capability of these weak segments is restored to the level close to that of the high-precision floating-point pre-trained model in the cloud. The reinforcement effect is ensured to meet the security deployment standard through backtracking and breakdown success rate verification, and finally a secure reinforced edge model is output.

[0071] In practice, firstly, all backbone parameters in the initial edge quantization model, excluding those represented by the weak neuron node list, are frozen. Then, residual fine-tuning training is performed on the damaged segments based on the downhill gradient of the quantization loss distribution matrix to obtain a robust edge model. During this process, firstly, when freezing the backbone parameters, the weight parameters of all network layers in the initial edge quantization model, except for those represented by the weak neuron node list, are marked as frozen. This means that in subsequent residual fine-tuning training, these frozen backbone parameters do not participate in gradient calculations or parameter updates, and their values ​​remain completely consistent with the initial edge quantization model. Specifically, all network layers in the initial edge quantization model are traversed. For any given layer, it is determined whether the layer belongs to the set of segments represented by the weak neuron node list. If the layer does not belong to the set of segments represented by the weak neuron node list, the quantization weight parameters of that layer are frozen. This means that the gradient generated by that layer during the backpropagation of the loss function is forcibly set to a zero vector, ensuring that the quantization weight parameters of that layer remain constant in all subsequent training iterations.

[0072] Secondly, low-rank adaptive residual decomposition and compensation matrix injection are performed on weak layers. For each damaged network layer indicated by the weak neuron node list, instead of directly fine-tuning the full parameters of the quantized weight matrix of that layer, a low-rank residual compensation matrix is ​​injected as a bypass into the quantized weight matrix of that layer. This low-rank residual compensation matrix is ​​parametrically decomposed through the product of two low-rank factor matrices: the low-rank residual compensation matrix is ​​decomposed into the product of a lower projection matrix and an upper projection matrix, where the number of rows in the lower projection matrix is ​​equal to the output dimension of the weight matrix of that layer, and the number of columns is equal to the preset low-rank number; the number of rows in the upper projection matrix is ​​equal to the preset low-rank number, and the number of columns is equal to the input dimension of the weight matrix of that layer. The low-rank number is a positive integer much smaller than the smaller of the output dimension and the input dimension of the weight matrix of that layer. By constraining the residual compensation matrix within a very low-dimensional subspace, the number of parameters that need to be trained is significantly reduced. This avoids the computational overhead and overfitting risk associated with full parameter fine-tuning under limited computing power at the edge, while ensuring that the expressive power of the residual compensation is sufficient to repair the accuracy loss for security defenses introduced by quantization compression.

[0073] Furthermore, after injecting the residual compensation matrix, the original quantized weights are superimposed with the low-rank residual compensation matrix to obtain the effective weights for the weak layers. In this superimposed structure, the original quantized weight matrix of this layer is the quantized weight output in step two (which is also frozen during training and does not participate in gradient updates), and only the lower projection matrix and the upper projection matrix are used as trainable parameters to participate in gradient descent optimization.

[0074] Subsequently, residual fine-tuning training guided by the downhill gradient of the quantized loss distribution matrix error is performed. This training process uses a dynamic adversarial verification dataset as input and the quantized loss distribution matrix as the error weight guidance signal for each weak layer. During residual fine-tuning training, the downhill gradient of the quantized loss distribution matrix error serves as a weighting factor to differentiate the gradient update magnitude of the low-rank residual compensation matrix for each weak layer—layers and nodes with larger quantized losses receive larger parameter update steps in each gradient descent iteration, ensuring that the repair strength of the residual compensation is proportional to the actual safety loss of that layer, achieving precise targeted repair rather than indiscriminate global perturbation. Specifically, the calculation logic for constructing the loss function of residual fine-tuning training is as follows: Each adversarial sample and its corresponding real label in the dynamic adversarial verification dataset are input into the edge initial quantization model injected with a low-rank residual compensation matrix for forward inference to obtain the hardened output prediction. Then, the cross-entropy loss between the hardened predicted output and the real label is calculated, and the loss value of the corresponding layer in the quantization loss distribution matrix is ​​used as the weighting coefficient for weighted summation to obtain the overall residual fine-tuning training loss.

[0075] In each iteration of gradient descent, the gradient is calculated and parameters are updated only for the low-rank factor matrix of the weak layers. Specifically, after multiple iterations of training until the overall residual fine-tuning training loss converges, the trained low-rank residual compensation matrix (i.e., the matrix product of the lower projection matrix and the upper projection matrix) is permanently superimposed and fused with the original quantization weight matrix to obtain the hardened weights of each weak layer (i.e., the original quantization weight matrix plus the matrix product of the lower projection matrix and the upper projection matrix). These hardened weights are written back to the corresponding layer positions in the initial edge quantization model, and together with the unmodified frozen backbone parameters, they constitute a safe and hardened edge model.

[0076] Next, the dynamic adversarial verification dataset is re-injected into the security-hardened edge model for backtracking, and the penetration resistance success rate of the security-hardened edge model is verified to obtain a verification pass report. In this process, firstly, the dynamic adversarial verification dataset is completely re-injected into the security-hardened edge model output from the previous sub-step for forward inference, i.e., backtracking. Specifically, using the exact same adversarial verification dataset as in step four, a complete round of stimulated closed-loop inference is re-executed on the hardened model to obtain the output prediction results of the security-hardened edge model when facing the same batch of adversarial attack samples. This is used to compare and evaluate with the output prediction results of the edge initial quantization model in step four, thereby quantifying the degree of security defense capability recovery brought about by the residual hardening operation. The output of the backtracking is the set of classification prediction results of the security-hardened edge model for each adversarial sample in the dynamic adversarial verification dataset.

[0077] Secondly, the classification prediction results of the security hardening edge model on the dynamic adversarial verification dataset are compared with the corresponding real labels one by one. For each adversarial sample, it is determined whether the classification prediction output of the security hardening edge model for the adversarial sample is consistent with the real label corresponding to the adversarial sample. If they are consistent, it is recorded as 1, and if they are inconsistent, it is recorded as 0. Then, the above judgment results of all adversarial samples are summed and then divided by the total number of adversarial samples in the dynamic adversarial verification dataset to obtain the penetration prevention success rate.

[0078] Then, the calculated breakdown success rate is compared with the preset security deployment threshold: if the breakdown success rate is greater than or equal to the security deployment threshold, the security-hardened edge model is deemed to have passed the breakdown success rate verification, and a verification report is generated. This report records key information such as the breakdown success rate of the security-hardened edge model, the comparison of quantization loss before and after reinforcement of each weak layer, and the rank and parameter count of the low-rank residual compensation matrix, which serve as the input basis for subsequent steps; if the breakdown success rate is less than the security deployment threshold, it is necessary to adjust the hyperparameters such as the low-rank rank or learning rate and then re-execute the residual fine-tuning training of the first sub-step until the breakdown success rate meets the security deployment requirements.

[0079] Specifically, in step S6, the security-hardened edge model is asymmetrically encrypted and compiled to obtain deployable final secure firmware. It should be understood that the security-hardened edge model at this point still exists in its original data form, consisting of neural network weight parameters and model topology, and has not yet been converted into a firmware format that can be directly burned to the power IoT edge terminal hardware. More critically, during the transmission and writing process from the cloud-based security verification environment to the edge-side physical deployment environment, the weight parameters and inference logic of the security-hardened edge model face a serious security threat of malicious interception, tampering, or replacement. Attackers may make minor modifications to the model parameters on the transmission link to implant backdoors, or directly replace the legitimate security-hardened edge model with a forged malicious model, causing the edge terminal to run corrupted inference logic without its knowledge. This poses an intolerable supply chain security risk for critical decision-making tasks related to the safe operation of the power grid in the power IoT scenario. Therefore, in the technical solution of this application, asymmetric encryption compilation technology is further used to compile all weight parameters, model topology and inference configuration information of the security-hardened edge model into an edge-deployable firmware format protected by cryptographic signature. This allows any tampering with the firmware content to be detected and rejected immediately on the edge terminal side through the public key verification mechanism, thereby establishing an end-to-end integrity protection and source authentication barrier in the model distribution and deployment process, and finally outputting deployable final secure firmware.

[0080] The security-hardened edge model includes weight parameters for all network layers (where the weights of weak layers are the effective weights after low-rank residual compensation hardening, and the weights of non-weak layers are the original quantized weights output in step two), the model's network topology definition (including the type, connection relationships, activation function configuration, etc. of each network layer), and configuration information required for inference runtime (including preprocessing parameters of input data, output classification label mapping table, quantization scaling factor, etc.). In the specific example of this application, firstly, the firmware serialization compilation operation structures and encodes all the above information according to the firmware format specifications required by the edge terminal hardware platform, transforming the security-hardened edge model from a data object in memory into a continuous raw firmware binary stream that can be directly written to the edge terminal's non-volatile memory. During the serialization compilation process, the weight parameters of each network layer are arranged sequentially according to the layer index order, and the metadata header information of each layer is appended before the weight data of each layer (including the layer index number, the dimension of the weight matrix, the data type identifier, the quantization bit width identifier, etc.). The model topology definition and inference configuration information are encoded into the global metadata section of the firmware header. After serialization and compilation are completed, a complete raw firmware binary stream is output. This binary stream contains all the information needed to fully reconstruct the secure hardened edge model and perform inference on the edge terminal.

[0081] Secondly, the asymmetric key pair is pre-generated by the cloud-based security verification environment before firmware compilation. It contains a private key and a public key. The private key is strictly protected by the cloud-based security verification environment and is not disclosed to external parties, while the public key is pre-burned into the secure storage area of ​​the edge terminal in the form of a digital certificate. The digital signature operation first performs a cryptographic hash digest calculation on the original firmware binary stream. This involves taking the entire original firmware binary stream as input and performing iterative compression operations block by block using a cryptographically secure hash function (such as SHA-256). The final output is a fixed-length digest value, which is the unique fingerprint of the original firmware binary stream content—a change in any bit of the original firmware binary stream will cause unpredictable and drastic changes in the digest value. The calculation principle of the cryptographic hash digest is as follows: the original firmware binary stream is divided into blocks according to the block length specified by the hash function. The hash function compression transformation is performed sequentially on each data block. The compressed output of the previous data block is used as the chained input for the compression transformation of the next data block, and the compressed output of the last data block is the final digest value. Then, the private key from the asymmetric key pair is used to perform a digital signature operation on the digest value. Specifically, the digest value is taken as input, and an asymmetric encryption operation (such as private key encryption based on the RSA algorithm or signature generation based on the Elliptic Curve Digital Signature Algorithm ECDSA) is performed on it using the private key, outputting a firmware signature value. This signature value can only be generated by the signer holding the corresponding private key, while any verifier holding the corresponding public key can verify the signature value. During execution, the private key and the firmware digest value calculated in the previous step are used as input to the signature generation function of the asymmetric signature algorithm. After the asymmetric encryption operation of the signature generation function, the firmware signature value is output; this firmware signature value is equivalent to the signature result of the digest value calculated by the cryptographically secure hash function on the original firmware binary stream using the private key.

[0082] Subsequently, the original firmware binary stream output from the first sub-step, the firmware signature value output from the second sub-step, and the digital certificate corresponding to the public key in the asymmetric key pair are combined into a complete firmware package according to the firmware encapsulation format specification. The main data section of the firmware package stores the original firmware binary stream, the signature section stores the firmware signature value, and the certificate section stores the public key certificate (or a reference identifier for the public key certificate, if the public key certificate has been pre-burned to the edge terminal). After encapsulation, a deployable final secure firmware is output. This deployable final secure firmware can be distributed to the power IoT edge terminal through a secure transmission channel. After receiving the firmware package, the edge terminal first extracts the public key from the certificate section, and then uses the public key to perform a signature verification operation on the firmware signature value in the signature section. The calculation principle of the signature verification operation is as follows: using the public key to perform an asymmetric decryption operation (or signature verification operation) on the firmware signature value to recover the digest value used when signing. At the same time, the same cryptographic hash digest calculation is re-performed on the original firmware binary stream in the main data section of the firmware package to obtain a new digest value. The recovered digest value is then compared with the recalculated digest value. Specifically, the public key and firmware signature value are used together as inputs to the verification function of the asymmetric signature algorithm. The verification function uses the public key to recover a digest value from the firmware signature value. At the same time, the original firmware binary stream in the main data segment of the firmware package is recalculated using a cryptographically secure hash function to obtain a new digest value. Then, the recovered digest value is compared bit by bit with the recalculated digest value. If the two digest values ​​are completely identical, the verification result is acceptance, indicating that the firmware content has not been tampered with during transmission and was indeed signed by a cloud-based secure verification environment holding a legitimate private key. The edge terminal accepts the firmware and performs burning and deployment. If the two digest values ​​are inconsistent, the verification result is rejection, indicating that the firmware content has been tampered with or its source is untrustworthy. The edge terminal rejects the firmware and triggers a security alarm.

[0083] In summary, the power IoT edge AI model quantization compression security verification method according to the embodiments of this application is explained. It decouples the cloud model parameters into a regular task feature subspace and a robust defense feature subspace through orthogonal projection separation of the feature space. Differential bit-width quantization is applied to both to maintain the integrity of the defense feature structure while compressing the model volume. A dynamic adversarial verification dataset is constructed to perform stimulated closed-loop inference on the quantized model to accurately locate weak neuron segments. Then, targeted repair is implemented based on low-rank adaptive residual reinforcement. Based on the above concept, this scheme can effectively avoid the indiscriminate destruction of defense features by uniform quantization, achieve precise location of quantization loss and targeted reinforcement of weak segments, significantly improve the adversarial robustness retention rate of the edge model after quantization compression, thereby ensuring the reliable deployment of edge intelligence in critical power business scenarios.

[0084] The various embodiments of this disclosure have been described above. These descriptions are exemplary and not exhaustive, nor are they limited to the disclosed embodiments. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles, practical application, or improvement of the technology in the market, or to enable others skilled in the art to understand the embodiments disclosed herein.

Claims

1. A method for security verification of edge AI model quantization and compression in the power Internet of Things, characterized in that, include: Step 1: Based on the three-phase current sampling sequence, temperature time series matrix and partial discharge pulse signal in the original power scenario data stream, perform forward activation inference and orthogonal projection separation on the high-precision floating-point pre-trained model in the cloud to obtain mutually orthogonal sets of conventional task feature parameters and robust defense feature parameters. Step 2: Perform differential feature quantization and recombination based on orthogonal separation on the conventional task feature parameter set and the robust defense feature parameter set to obtain the edge initial quantization model; Step 3: Perform high-frequency adversarial perturbation synthesis on the extreme operating condition boundary vectors extracted from the original power scenario data stream, and superimpose the obtained adversarial perturbation noise back into the original data stream to obtain a dynamic adversarial verification dataset; Step 4: Inject the dynamic adversarial verification dataset into the edge initial quantization model to perform edge-side stimulated closed-loop inference and security loss assessment to obtain the quantization loss distribution matrix and the list of weak neuron nodes; Step 5: Based on the quantization loss distribution matrix, the list of weak neuron nodes, and the dynamic adversarial verification dataset, perform low-rank adaptive weak layer residual reinforcement on the initial edge quantization model to obtain a secure reinforced edge model.

2. The security verification method for quantization and compression of edge AI models in the power Internet of Things according to claim 1, characterized in that, It also includes the step of performing asymmetric cryptographic compilation on the security-hardened edge model to obtain deployable final secure firmware.

3. The security verification method for quantization and compression of edge AI models in the power Internet of Things according to claim 1, characterized in that, Step one includes: The three-phase current sampling sequence, temperature time series matrix and partial discharge pulse signal in the original power scene data stream are used as excitation sources to perform forward stimulated inference on the high-precision floating-point pre-trained model in the cloud to obtain the high-dimensional hidden layer feature tensor. Based on the high-dimensional hidden layer feature tensor and the original power scenario data stream, the extreme operating condition sensitivity matrix of the input operating condition variables is calibrated to obtain the Jacobian sensitivity matrix. Based on the Jacobi sensitivity matrix, orthogonal projection stripping is performed on the global network weights of the high-precision floating-point pre-trained model in the cloud to obtain the feature parameter set for conventional tasks and the feature parameter set for robust defense.

4. The security verification method for quantization and compression of edge AI models in the power Internet of Things according to claim 1, characterized in that, Step two includes: A radical dimensionality reduction and compression method is used to compress the feature parameter set of conventional tasks to obtain task parameters with extremely low bit width. High-granularity quantization mapping is performed on the robust defense feature parameter set to obtain high-fidelity defense parameters; Based on the inverse mapping transformation matrix of orthogonal projection, the extremely low bit width task parameters and high-fidelity defense parameters are mapped from their respective subspaces back to the global network topology space to obtain the edge initial quantization model.

5. The security verification method for quantization and compression of edge AI models in the power Internet of Things according to claim 1, characterized in that, Step three includes: Extreme physical boundary features are extracted from the original power scenario data stream to obtain the extreme operating condition boundary vector; The extreme working condition boundary vector and Gaussian distributed random prior noise are jointly input into a generative adversarial network that introduces a nonlinear topological random walk operator to synthesize high-frequency adversarial perturbation on the extreme working condition boundary vector, thus obtaining high-frequency adversarial perturbation noise. High-frequency adversarial disturbance noise is fused into the original power scenario data stream to obtain a dynamic adversarial verification dataset.

6. The security verification method for quantization and compression of edge AI models in the power Internet of Things according to claim 1, characterized in that, Step four includes: The dynamic adversarial verification dataset is injected into the edge initial quantization model for stimulated closed-loop inference to obtain the output confidence prediction matrix. Based on the real labels in the dynamic adversarial verification dataset, the classification decision offset between the output confidence prediction matrix and the real labels is quantized to obtain the quantized loss distribution matrix. Based on the quantization loss distribution matrix, the error gradient is backpropagated and injected into the edge initial quantization model. The defense degradation gradient sensitivity of each bottom tensor node is traced back to obtain the list of weak neuron nodes.

7. The security verification method for quantization and compression of edge AI models in the power Internet of Things according to claim 1, characterized in that, Step five includes: The weak neuron node list in the initial quantization model of the frozen edge refers to all backbone parameters other than the nodes. The residual fine-tuning training of the damaged segment is performed based on the error downhill gradient of the quantization loss distribution matrix to obtain the safe and reinforced edge model. The dynamic adversarial verification dataset is then re-injected into the security hardening edge model for backtracking and simulation. The success rate of the security hardening edge model in preventing breakdown is then verified to obtain a verification report.

8. The security verification method for quantization and compression of edge AI models in the power Internet of Things according to claim 5, characterized in that, Extreme physical boundary features are extracted from the original power scenario data stream to obtain extreme operating condition boundary vectors, including: Dynamic reconstruction of the multi-physics coupling graph of the original power scenario data stream is performed to obtain the coupling graph matrix and graph signal vector; Manifold deviation metric is performed on the coupled graph matrix and graph signal vector to obtain the deviation energy vector; Based on the bias energy vector, energy-gated physical boundary adaptive extraction is performed on the original power scenario data stream to obtain the extreme operating condition boundary vector.