Iot terminal identity authentication method and system based on device fingerprint features
By collecting associated perception information from medical implantable devices to assess the urgency coefficient of authentication, dynamically adjusting the authentication time window and matching the optimal fingerprint feature combination, the problem of existing authentication methods being unable to be dynamically adjusted is solved, thus enabling the adaptation of different scenarios' security and timeliness requirements in medical implantable devices.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- XIAN MEDICAL UNIV
- Filing Date
- 2026-05-26
- Publication Date
- 2026-07-14
Smart Images

Figure CN122394948A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of Internet of Things (IoT) security technology, specifically to an IoT terminal identity authentication method and system based on device fingerprint features. Background Technology
[0002] Currently, authentication technologies for Internet of Things (IoT) terminal devices are widely used in secure access scenarios for various smart devices. In the medical field, implantable medical devices such as insulin pumps, as key IoT terminals, typically employ traditional authentication methods based on passwords, digital certificates, or fixed device fingerprint features. Existing authentication schemes generally set fixed authentication time windows and uniform authentication strength, verifying identity by comparing the requester's device fingerprint features with locally pre-stored valid templates.
[0003] However, existing device fingerprint-based authentication methods all employ fixed-strength authentication strategies, presenting a fundamental contradiction between security and timeliness. Strong authentication schemes, used to ensure high security, require extracting complex fingerprint features and performing complex comparison calculations, resulting in lengthy authentication times. This could delay the insulin pump's response in emergency treatment scenarios such as abnormal blood sugar levels. Conversely, fast authentication schemes, used to reduce latency, have fewer authentication feature dimensions and lower verification strength, making them vulnerable to forgery or exploitation by attackers in suspicious environments with many unfamiliar devices. This could lead to unauthorized device access and tampering with treatment instructions, directly threatening patient safety. Furthermore, existing solutions cannot dynamically adjust authentication strategies based on the patient's physiological state, environmental security conditions, and the credibility of the requester, making it difficult to adapt to the diverse security and timeliness requirements of implantable medical devices. Summary of the Invention
[0004] This invention provides an IoT terminal identity authentication method and system based on device fingerprint features, aiming to solve the technical problem that existing device fingerprint-based authentication methods cannot dynamically adjust authentication strategies according to the patient's physiological state, environmental security conditions, and the credibility of the requester.
[0005] In view of the above problems, the present invention provides an IoT terminal identity authentication method and system based on device fingerprint features.
[0006] In a first aspect, the present invention provides an IoT terminal authentication method based on device fingerprint features, comprising: Collect the associated sensing information set of the medical implanted device at the current moment, and evaluate and determine the current authentication urgency coefficient based on the associated sensing information set; The baseline authentication time window is adjusted based on the current authentication urgency coefficient to determine the optimal authentication time window; Activate the corresponding authentication time zone-device fingerprint feature mapping association table according to the device type of the current authentication terminal device, and determine the appropriate device fingerprint feature combination according to the optimal authentication time window. Among them, the device fingerprint feature is optimized with the authentication time zone as a constraint, and the authentication time zone-device fingerprint feature mapping association table is pre-constructed. The device sends a request to the current authentication terminal device according to the matching device fingerprint feature combination and obtains the corresponding actual device fingerprint feature to perform device identity authentication.
[0007] Secondly, the present invention provides an IoT terminal identity authentication system based on device fingerprint features, comprising: The urgency factor assessment module is used to collect the associated sensing information set of the medical implanted device at the current moment, and to assess and determine the current authentication urgency factor based on the associated sensing information set. The time window correction module is used to correct the baseline authentication time window based on the current authentication urgency coefficient to determine the optimal authentication time window; The fingerprint feature matching module is used to activate the corresponding authentication time zone-device fingerprint feature mapping association table according to the device type of the current authentication terminal device, and determine the appropriate device fingerprint feature combination according to the optimal authentication time window. Among them, the device fingerprint feature is optimized with the authentication time zone as a constraint, and the authentication time zone-device fingerprint feature mapping association table is pre-constructed. The identity authentication execution module is used to send a request to the current authentication terminal device according to the matching device fingerprint feature combination and obtain the corresponding actual device fingerprint feature to perform device identity authentication.
[0008] One or more technical solutions provided in this invention have at least the following technical effects or advantages: This invention provides an IoT terminal authentication method and system based on device fingerprint features. First, it assesses the authentication urgency coefficient based on the patient's physiological state, environmental security information, and requester attributes, achieving accurate perception of the current scenario's risk level and timeliness requirements. Second, it adjusts the baseline authentication time window according to the urgency coefficient, and uses this time window as a constraint to match the optimal fingerprint feature combination through a pre-constructed authentication time window-device fingerprint feature mapping association table. In urgent scenarios, it automatically selects a low-latency, lightweight authentication scheme to avoid delaying treatment; in high-risk environments, it automatically selects a high-security authentication scheme to prevent malicious attacks. Finally, it achieves dynamic adjustment of the authentication strength for medical implantable devices, balancing authentication security and real-time performance, providing a security protection solution adapted to different scenario requirements for medical implantable devices such as insulin pumps. Attached Figure Description
[0009] Figure 1A flowchart illustrating the IoT terminal identity authentication method based on device fingerprint features provided in an embodiment of the present invention; Figure 2 A schematic diagram of the structure of an IoT terminal identity authentication system based on device fingerprint features provided in an embodiment of the present invention; The components represented by each number in the attached diagram are explained below: Emergency factor assessment module 11, time window correction module 12, fingerprint feature matching module 13, identity authentication execution module 14. Detailed Implementation
[0010] This invention provides an IoT terminal identity authentication method and system based on device fingerprint features, which addresses the technical problem that existing device fingerprint-based authentication methods cannot dynamically adjust authentication strategies according to the patient's physiological state, environmental security conditions, and the credibility of the requester.
[0011] Example 1, as Figure 1 As shown, the present invention provides an IoT terminal identity authentication method based on device fingerprint features, the method comprising: S100: Collect the associated sensing information set of the medical implanted device at the current moment, and evaluate and determine the current authentication urgency coefficient based on the associated sensing information set.
[0012] In this embodiment of the invention, a set of associated sensing information of the medical implantable device at the current moment is collected, and the current authentication urgency coefficient is determined based on the set of associated sensing information. In the authentication scenarios of medical implantable devices such as insulin pumps, existing technologies employ fixed-strength authentication strategies, which cannot dynamically identify the urgency level of the current authentication scenario based on the patient's physiological state, the security status of the environment, and the trustworthiness of the requesting device. If the patient experiences a sudden spike in blood sugar or other physiological emergencies, existing solutions cannot adjust the authentication strategy in a timely manner, potentially delaying treatment. Furthermore, if the device is in a high-risk environment with many unfamiliar devices, existing solutions cannot identify security risks and are vulnerable to malicious attacks. Therefore, it is necessary to collect multi-dimensional associated sensing information before authentication and quantitatively assess the urgency of the current authentication scenario to provide a basis for dynamically adjusting the authentication strategy.
[0013] Step S100 in the method provided in this embodiment of the invention includes: The associated sensing information set includes physiological state information, environmental safety information, and requester attribute information. The physiological state information includes continuous blood glucose monitoring values and blood glucose change trends. The environmental safety information includes wireless signal scanning results within a preset range, the number of unfamiliar wireless devices, geographical location data, and current time attributes. The requester attribute information includes at least one of the following: historical authentication records of the external device requesting access, the reputation value of the external device, and indication information indicating whether the external device exists in a pre-stored whitelist.
[0014] When a medical implantable device receives an access request from an external device, it triggers a process for collecting associated sensing information: First, it collects the physiological state information of the medical implantable device at the current moment. This physiological state information includes continuous blood glucose monitoring values and blood glucose change trends. Physiological state information refers to monitoring data reflecting the patient's current physiological risk level; in this embodiment, it includes continuous blood glucose monitoring values and blood glucose change trends. Real-time data from the built-in continuous blood glucose monitoring module is read to obtain the current continuous blood glucose monitoring value, and the blood glucose change trend is calculated based on the blood glucose data within a preset time window.
[0015] Secondly, the environmental safety information of the medical implanted device at the current moment is collected. This environmental safety information includes the wireless signal scan results within a preset range, the number of unfamiliar wireless devices, geographical location data, and the current time attribute. Environmental safety information refers to monitoring data reflecting the degree of safety risk in the environment in which the device is located. In this embodiment, it includes the wireless signal scan results within a preset range, the number of unfamiliar wireless devices, geographical location data, and the current time attribute. The preset range refers to a spatial area with a radius of 5 meters centered on the medical implanted device; unfamiliar wireless devices refer to wireless devices not pre-stored in the medical implanted device's whitelist. The built-in wireless scanning module is activated to scan the wireless signals within the preset range, count the number of unfamiliar wireless devices not pre-stored in the whitelist, and simultaneously read the geographical location data from the device's built-in positioning module and the current time attribute from the built-in clock module.
[0016] Next, the requester attribute information of the medical implantable device at the current moment is collected. This requester attribute information includes at least one of the following: historical authentication records of the external device requesting access, the reputation value of the external device, and indication information indicating whether the external device exists in a pre-stored whitelist. Requester attribute information reflects the trustworthiness of the requesting device; in this embodiment, it includes at least one of the following: historical authentication records of the external device requesting access, the reputation value of the external device, and indication information indicating whether the external device exists in a pre-stored whitelist. The local pre-stored external device authentication database is read to query the historical authentication records, reputation value, and whitelist status of the external device requesting access, thereby obtaining the requester attribute information.
[0017] For example, when an insulin pump receives an access request from an external controller, it collects the following associated sensing information: Physiological status information: The current continuous blood glucose monitoring value is 16 mmol / L, and the blood glucose change trend in the past hour is an increase of 2 mmol / L per hour; Environmental security information: Three unfamiliar wireless devices were detected within a preset 5-meter range, with the geographical location data being a hospital ward, and the current time being 2:00 AM; Requester attribute information: The external controller requesting access has one authentication failure record in its historical authentication records, a reputation score of 60 points (out of a maximum of 100 points), and is not present in the pre-stored whitelist.
[0018] Then, the current authentication urgency coefficient is determined based on the associated perception information set.
[0019] The determination of the current authentication urgency coefficient based on the associated perception information set includes: For each type of sensing information in the associated sensing information set, a corresponding single-item emergency index mapping table is configured. Based on the actual collected value of each type of sensing information, a matching query is performed in the corresponding single-item emergency index mapping table to obtain the physiological certification emergency index, environmental certification emergency index, and attribute certification emergency index. Among them, the physiological certification emergency index is positively correlated with the physiological risk level represented by the physiological state information, the environmental certification emergency index is negatively correlated with the environmental safety risk level represented by the environmental safety information, and the attribute certification emergency index is negatively correlated with the trustworthiness of the requester represented by the requester attribute information. The current certification urgency coefficient is determined by a weighted evaluation based on the physiological certification urgency index, environmental certification urgency index, and attribute certification urgency index.
[0020] The single-item urgency index mapping table is a pre-constructed table corresponding to the information collection value and the single-item urgency index for each type of perceived information. It converts the actual collected values of perceived information into quantified urgency indices, ranging from 0 to 1, with larger values indicating higher urgency levels for the corresponding dimension. The physiological authentication urgency index is a quantified value reflecting the patient's physiological risk level, derived from physiological state information. It is positively correlated with the physiological risk level; the higher the physiological risk, the larger the physiological authentication urgency index. The environmental authentication urgency index is a quantified value reflecting the environmental safety risk level, derived from environmental safety information. It is negatively correlated with the environmental safety risk level; the higher the environmental safety risk, the smaller the environmental authentication urgency index. The attribute authentication urgency index is a quantified value reflecting the requester's credibility level, derived from the requester's attribute information. It is negatively correlated with the requester's credibility level; the lower the requester's credibility level, the larger the attribute authentication urgency index.
[0021] First, a physiological certification emergency index mapping table is pre-constructed based on physiological state information. In this table, the higher the continuous blood glucose monitoring value and the faster the blood glucose change trend, the larger the corresponding physiological certification emergency index. Based on the actual collected continuous blood glucose monitoring values and blood glucose change trends, the physiological certification emergency index is obtained by matching and querying the physiological certification emergency index mapping table.
[0022] Secondly, for environmental safety information, an environmental certification urgency index mapping table is pre-constructed. The more unfamiliar wireless devices there are in this table, the smaller the environmental certification urgency index is for non-safe periods. Based on the actual number of unfamiliar wireless devices collected and the current time attribute, the environmental certification urgency index is obtained by matching and querying the environmental certification urgency index mapping table.
[0023] Secondly, for the requester attribute information, an attribute authentication urgency index mapping table is pre-built. The more historical authentication failure records in this table, the lower the reputation value, and the higher the attribute authentication urgency index corresponding to the attribute not in the whitelist. Based on the actual collected requester attribute information, the attribute authentication urgency index is obtained by matching and querying the attribute authentication urgency index mapping table.
[0024] For example, based on the collected associated sensing information set, a single-item emergency index mapping table is queried. Physiological authentication emergency index: Based on a blood glucose level of 16 mmol / L (exceeding the high blood glucose threshold of 13.9 mmol / L) and a blood glucose increase trend of 2 mmol / L per hour, the physiological authentication emergency index mapping table is queried, yielding a physiological authentication emergency index of 0.9; Environmental authentication emergency index: Based on the number of unfamiliar wireless devices (3, exceeding the preset safety threshold of 2) and the current time being 2:00 AM (a preset non-safe period), the environmental authentication emergency index mapping table is queried, yielding an environmental authentication emergency index of 0.3; Attribute authentication emergency index: Based on the external controller having one authentication failure record, a reputation score of 60, and not being in the whitelist, the attribute authentication emergency index mapping table is queried, yielding an attribute authentication emergency index of 0.7.
[0025] Finally, the current authentication urgency coefficient is determined by a weighted evaluation based on the physiological authentication urgency index, environmental authentication urgency index, and attribute authentication urgency index. The current authentication urgency coefficient is a quantitative value reflecting the overall urgency of the current authentication scenario, derived from the urgency indices of the three dimensions: physiological authentication urgency index, environmental authentication urgency index, and attribute authentication urgency index. The value ranges from 0 to 1; a higher value indicates a higher urgency of the authentication scenario and a greater need to shorten the authentication time. The weighted evaluation refers to the weighted summation of each individual urgency index based on the influence weight of the perceived information of each dimension on the authentication urgency, resulting in a comprehensive current authentication urgency coefficient. The weight values are pre-set according to the importance of each dimension of information; physiological state information, directly related to patient life safety, has the highest weight; environmental safety information and requester attribute information are auxiliary judgment dimensions, and their weights can be adjusted according to actual needs.
[0026] Specifically, weights are pre-defined for each individual urgency index. For example, the weight of the physiological certification urgency index is 0.6, the weight of the environmental certification urgency index is 0.2, and the weight of the attribute certification urgency index is 0.2. The physiological certification urgency index is multiplied by its corresponding weight to obtain the physiological dimension weighted value; the environmental certification urgency index is multiplied by its corresponding weight to obtain the environmental dimension weighted value; and the attribute certification urgency index is multiplied by its corresponding weight to obtain the attribute dimension weighted value. The physiological dimension weighted value, the environmental dimension weighted value, and the attribute dimension weighted value are then added together to obtain the current certification urgency coefficient.
[0027] For example, based on a single urgency index, the current authentication urgency coefficient is calculated as follows: Physiological dimension weighted value = Physiological authentication urgency index × weight of physiological authentication urgency index = 0.9 × 0.6 = 0.54; Environmental dimension weighted value = Environmental authentication urgency index × weight of environmental authentication urgency index = 0.3 × 0.2 = 0.06; Attribute dimension weighted value = Attribute authentication urgency index × weight of attribute authentication urgency index = 0.7 × 0.2 = 0.14; Current authentication urgency coefficient = Physiological dimension weighted value + Environmental dimension weighted value + Attribute dimension weighted value = 0.54 + 0.06 + 0.14 = 0.74.
[0028] In this embodiment of the invention, multi-dimensional and comprehensive perception of medical implantable device authentication scenarios is achieved by collecting three types of related perception information: physiological state, environmental safety, and requester attributes. Unstructured perception information is converted into a quantified urgency index through a single-item urgency index mapping table, and a weighted evaluation is used to obtain the current authentication urgency coefficient, thus achieving precise quantification of the urgency level of the authentication scenario. This step provides a quantitative basis for subsequently dynamically adjusting the authentication time window based on the authentication urgency coefficient.
[0029] S200: Adjust the baseline authentication time window based on the current authentication urgency coefficient to determine the optimal authentication time window.
[0030] In this embodiment of the invention, the baseline authentication time window is corrected based on the current authentication urgency coefficient to determine the optimal authentication time window. When medical implantable devices such as insulin pumps perform identity authentication, a fixed authentication time window cannot adapt to diverse application scenarios. In emergency scenarios with high physiological risks, an excessively long fixed authentication time window will delay the issuance of external device access control commands, thus missing the patient's treatment opportunity. In suspicious scenarios with a large number of unfamiliar wireless devices in the environment, an excessively short fixed authentication time window will result in insufficient fingerprint feature verification dimensions, making it easy for unauthorized devices to forge identities and intrude. In normal low-risk scenarios, the fixed authentication time window has redundant time consumption, causing unnecessary consumption of device computing power and communication resources. Therefore, it is necessary to first retrieve a preset baseline authentication time window, then combine the current authentication urgency coefficient and the number of unfamiliar wireless devices in the environment to determine the scenario type, and dynamically correct the baseline authentication time window according to the corresponding calculation time correction coefficient, outputting the optimal authentication time window adapted to the current scenario, achieving adaptive adjustment of the authentication time according to the scenario risk level.
[0031] Step S200 in the method provided in this embodiment of the invention includes: Obtain the preset baseline certification time window; Determine whether the current authentication urgency coefficient exceeds a preset urgency threshold; When the current authentication urgency coefficient exceeds the urgency threshold, it is determined that the current state is in a physiological emergency. The ratio of the urgency threshold to the current authentication urgency coefficient is calculated as a first time correction coefficient. The baseline authentication time window is multiplied by the first time correction coefficient to obtain a first authentication time window, and the first authentication time window is taken as the optimal authentication time window. When the current authentication urgency coefficient does not exceed the urgency threshold, it is further determined whether the number of unfamiliar wireless devices in the environmental security information exceeds a preset security threshold. When the number of unfamiliar wireless devices exceeds the security threshold, it is determined that the current environment is suspicious. The ratio of the number of unfamiliar wireless devices to the security threshold is calculated as a second time correction coefficient. The baseline authentication time window is multiplied by the second time correction coefficient to obtain a second authentication time window, and the second authentication time window is used as the optimal authentication time window. When the current authentication urgency coefficient does not exceed the urgency threshold and the number of unfamiliar wireless devices does not exceed the security threshold, the baseline authentication time window is taken as the optimal authentication time window.
[0032] First, a preset baseline certification time window is obtained. This baseline certification time window is a standard certification duration range configured by default for medical implantable devices. It serves as the basic certification time standard before scenario-based adjustments and is used as the calculation benchmark for subsequent time window adjustments. The medical implantable device has a locally stored fixed configuration parameter library. The pre-configured baseline certification time window value is directly read from this library as the basis for subsequent adjustment calculations. For example, the baseline certification time window for an insulin pump is pre-configured to be fixed at 400 milliseconds, serving as the benchmark for subsequent adjustment calculations.
[0033] Next, it is determined whether the current authentication urgency coefficient exceeds a preset urgency threshold. The urgency threshold is a pre-set critical value for the authentication urgency coefficient, used to distinguish between physiological emergency scenarios and normal scenarios, with a value range of 0-1. If the current authentication urgency coefficient exceeds the urgency threshold, it is determined to be a high-risk physiological scenario. A pre-stored fixed value for the urgency threshold is retrieved locally, and the current authentication urgency coefficient obtained in S100 is compared with the urgency threshold, outputting the comparison result. For example, if the preset urgency threshold is 0.6, and S100 calculates the current authentication urgency coefficient to be 0.74, since 0.74 > 0.6, it is determined that the current authentication urgency coefficient exceeds the preset urgency threshold.
[0034] Furthermore, when the current authentication urgency coefficient exceeds the urgency threshold, a physiological emergency state is determined. The ratio of the urgency threshold to the current authentication urgency coefficient is calculated as a first time correction coefficient. The baseline authentication time window is multiplied by the first time correction coefficient to obtain a first authentication time window, which is then used as the optimal authentication time window. A physiological emergency state is the scenario state corresponding to when the current authentication urgency coefficient exceeds the urgency threshold, indicating abnormal patient physiological indicators and the need for rapid identity authentication and timely intervention.
[0035] The first-time correction coefficient is a correction parameter obtained by comparing the emergency threshold with the current authentication emergency coefficient; the larger the current authentication emergency coefficient, the smaller the first-time correction coefficient. The first authentication time window is the corrected authentication duration obtained by multiplying the baseline authentication time window by the first-time correction coefficient. The optimal authentication time window is the final authentication duration adapted to the current scenario and used for subsequent fingerprint feature matching.
[0036] Specifically, the current scenario is determined to be a physiological emergency. The first time correction coefficient = emergency threshold / current authentication emergency coefficient, and the first authentication time window = baseline authentication time window × first time correction coefficient. The first authentication time window obtained by solving is directly set as the optimal authentication time window.
[0037] For example, given an emergency threshold of 0.6, a current authentication urgency coefficient of 0.74, and a baseline authentication time window of 800 milliseconds, the first time correction coefficient is approximately 0.6 / 0.74 = 0.81, and the first authentication time window is 400 milliseconds × 0.81 = 324 milliseconds. This 324 milliseconds is determined as the optimal authentication time window for the current scenario. Since the current authentication urgency coefficient is too high and the first time correction coefficient is too low, the optimal authentication time window is shortened accordingly.
[0038] Furthermore, when the current authentication urgency coefficient does not exceed the urgency threshold, it is further determined whether the number of unfamiliar wireless devices in the environmental security information exceeds a preset security threshold. The security threshold is a pre-set critical value for the number of unfamiliar wireless devices, used to distinguish between suspicious environmental scenarios and normal security scenarios. If the current authentication urgency coefficient does not exceed the preset urgency threshold, the number of unfamiliar wireless devices in the environmental security information collected in S100 is retrieved; this number is compared with the locally stored security threshold, and the scenario determination result is output. For example, if the current authentication urgency coefficient is 0.45, which does not exceed the urgency threshold of 0.6; the number of unfamiliar wireless devices retrieved is 3, and the preset security threshold is 2, the comparison determines that the number of unfamiliar wireless devices exceeds the security threshold.
[0039] First, when the number of unfamiliar wireless devices exceeds the security threshold, the current environment is determined to be suspicious. The ratio of the number of unfamiliar wireless devices to the security threshold is calculated as a second time correction coefficient. The baseline authentication time window is multiplied by the second time correction coefficient to obtain a second authentication time window, which is then used as the optimal authentication time window. A suspicious environment refers to the scenario state corresponding to the number of unfamiliar wireless devices exceeding the security threshold, indicating interference from unknown devices in the surrounding wireless environment, increasing access security risks. The second time correction coefficient is a correction parameter obtained by calculating the ratio of the number of unfamiliar wireless devices to the security threshold; the more unfamiliar wireless devices, the larger the value of the second time correction coefficient. The second authentication time window is the corrected authentication duration obtained by multiplying the baseline authentication time window by the second time correction coefficient.
[0040] Specifically, if the number of unfamiliar wireless devices exceeds the security threshold, the current scenario is determined to be a suspicious environment. The second time correction factor = number of unfamiliar wireless devices / security threshold, and the second authentication time window = baseline authentication time window × second time correction factor. The second authentication time window is set as the optimal authentication time window.
[0041] For example, given the number of unknown wireless devices = 3, the security threshold = 2, and the baseline authentication time window = 400 milliseconds. The second time correction factor = 3 / 2 = 1.5, and the second authentication time window = 400 milliseconds × 1.5 = 600 milliseconds; 600 milliseconds is determined as the optimal authentication time window. The more unknown wireless devices there are, the larger the second time correction factor becomes, correspondingly lengthening the optimal authentication time window.
[0042] Secondly, when the current authentication urgency coefficient does not exceed the urgency threshold and the number of unfamiliar wireless devices does not exceed the security threshold, the baseline authentication time window is used as the optimal authentication time window. If the current authentication urgency coefficient does not exceed the urgency threshold and the number of unfamiliar wireless devices does not exceed the security threshold, the preset baseline authentication time window is directly used as the optimal authentication time window without additional correction. For example, if the number of unfamiliar wireless devices is 1 and does not exceed the 2-device security threshold, then the 400-millisecond baseline authentication time window is directly used as the optimal authentication time window.
[0043] In this embodiment of the invention, a hierarchical threshold determination mechanism is used to classify application scenarios into three categories: physiological emergency state, suspicious environment state, and normal security state. Corresponding time correction coefficients are generated based on ratio calculations to achieve adaptive correction of the baseline authentication time window. In physiological emergency scenarios, the authentication time is automatically shortened to ensure that medical implantable devices can quickly complete identity authentication and respond promptly to treatment needs. In suspicious environment scenarios, the authentication time is automatically lengthened to increase the dimension of device fingerprint feature verification and improve the ability to prevent unauthorized access by illegal devices. In normal security scenarios, the baseline time is used to avoid redundant computing power and communication resource consumption. This solves the problem that traditional fixed authentication time windows cannot adapt to the different risk levels of medical implantable devices in various scenarios, achieving precise matching of authentication time with the emergency level of the scenario and the security level of the environment.
[0044] S300: Activate the corresponding authentication time zone-device fingerprint feature mapping association table according to the device type of the current authentication terminal device, and determine the appropriate device fingerprint feature combination according to the optimal authentication time window. Among them, the device fingerprint feature is optimized with the authentication time zone as a constraint, and the authentication time zone-device fingerprint feature mapping association table is pre-constructed.
[0045] In this embodiment of the invention, the corresponding authentication time zone-device fingerprint feature mapping association table is activated according to the device type of the current authentication terminal device. The optimal authentication time window is used to determine the appropriate device fingerprint feature combination. Specifically, the authentication time zone is used as a constraint for device fingerprint feature optimization, and the authentication time zone-device fingerprint feature mapping association table is pre-constructed. When medical implantable devices authenticate access terminals, the inherent fingerprint feature dimensions and feature adaptability of different types of authentication terminals vary significantly. Furthermore, devices contain multi-dimensional fingerprint features at the hardware, software, and behavioral state layers, resulting in a large number of features, redundant and disordered combinations, and a lack of a standardized feature optimization mechanism constrained by the authentication time zone. Therefore, it is necessary to pre-divide the authentication time zone based on historical authentication records, combine the device's multi-dimensional feature set with deep learning models for optimization, and construct authentication time zone-device fingerprint feature mapping association tables corresponding to different device types. During actual authentication, the corresponding association table is activated according to the terminal device type, and the optimal authentication time window is used to match the appropriate device fingerprint feature combination, ensuring optimal security level of identity authentication while meeting authentication time constraints.
[0046] Step S300 in the method provided in this embodiment of the invention includes: The steps for constructing the authentication time zone-device fingerprint feature mapping association table include: Obtain several device multidimensional feature sets from several sample authentication terminal devices, and randomly select the first device multidimensional feature set from the first sample authentication terminal device; Based on the historical authentication records of medical implantable devices within a historical time range, the historical minimum authentication time window and the historical maximum authentication time window are collected to construct a historical feasible authentication period. The historical feasible authentication period is then divided according to a preset interval step size to determine multiple authentication time zones. Based on the first device's multidimensional feature set and multiple authentication time zones, device fingerprint feature optimization is performed with authentication time zones as constraints. A first authentication time zone-device fingerprint feature mapping association table is pre-constructed, and several authentication time zone-device fingerprint feature mapping association tables for the several sample authentication terminal devices are constructed sequentially.
[0047] The device multidimensional feature set includes hardware layer fingerprint features, software layer fingerprint features, and behavioral state fingerprint features; The hardware layer fingerprint features include at least one of the following: physical non-clonable function response features, transient features of radio frequency signals, steady-state features of radio frequency signals, and clock drift features; The software layer fingerprint features include at least one of the following: operating system version information, protocol stack implementation features, and open port information; The behavioral state fingerprint features include at least one of the following: communication timing features, data packet transmission frequency features, and energy consumption mode features.
[0048] First, several multi-dimensional feature sets of several sample authentication terminal devices are obtained, and the first multi-dimensional feature set of the first sample authentication terminal device is randomly selected. Sample authentication terminal devices refer to historical device samples of various types that belong to the same medical IoT access terminal and are used to participate in the construction of the mapping association table. The device multi-dimensional feature set is a summary of all fingerprint features that can be used for identification, collected from the hardware, software, and behavioral status of the terminal device. The first sample authentication terminal device refers to a single sample device randomly selected from numerous sample authentication terminal devices, serving as the benchmark sample for constructing the mapping association table. The first device multi-dimensional feature set is the complete device multi-dimensional feature set corresponding to the first sample authentication terminal device.
[0049] The device multidimensional feature set includes hardware layer fingerprint features, software layer fingerprint features, and behavioral state fingerprint features. The hardware layer fingerprint features include at least one of the following: physically non-clonable function response features, transient features of radio frequency signals, steady-state features of radio frequency signals, and clock drift features. The software layer fingerprint features include at least one of the following: operating system version information, protocol stack implementation features, and open port information. The behavioral state fingerprint features include at least one of the following: communication timing features, data packet transmission frequency features, and energy consumption mode features.
[0050] Specifically, 20 devices, including insulin pump controllers, medical wireless gateways, and ward monitoring terminals, were selected as sample authentication terminal devices. One of these devices was randomly selected as the first sample authentication terminal device, and its multi-dimensional feature set was collected. For each sample device, complete fingerprint features, including hardware, software, and behavioral state layers, were collected to form a unique multi-dimensional feature set for that device.
[0051] For example, an insulin pump controller is randomly selected as the first sample authentication terminal device. The multi-dimensional feature set of the first device corresponding to the insulin pump controller specifically includes: hardware layer fingerprint features: physical non-cloning function response code 8A36F279BD05, transient rise time of wireless radio frequency signal of 18 microseconds and peak value of 12.5dBm, steady-state operating frequency of 433.92MHz and transmit power of 8.2dBm, clock drift deviation of +12ppm; software layer fingerprint features: operating system version V2.3.6 and compilation number 2025031208, protocol stack message header of 32 bytes and using CRC16 private check, open ports 5010 and 5012; behavioral state fingerprint features: communication packet interval of 500 milliseconds, 18 data packets sent per minute, standby power consumption of 15mA, communication power consumption of 45mA, and operating power consumption of 68mA. After summarizing the fingerprint features of all the above-mentioned specific measured data, the first device multidimensional feature set of the first sample authentication terminal device is formed. The remaining 19 sample authentication terminal devices collect their own exclusive fingerprint feature data according to the same standard to form the device multidimensional feature set corresponding to each sample authentication terminal device.
[0052] Secondly, based on the historical authentication records of medical implantable devices within a historical time range, historical minimum authentication time windows and historical maximum authentication time windows are collected to construct historical feasible authentication time periods. These historical feasible authentication time periods are then divided according to a preset interval step size to determine multiple authentication time zones. Historical authentication records refer to archived data such as authentication time, authentication duration, device type, and abnormal events retained during the past full-scale identity authentication process of medical implantable devices. The preset interval step size is a pre-set fixed time interval used to equally divide the historical feasible authentication time periods. The authentication time zone refers to each independent sub-time interval obtained after dividing the historical feasible authentication time periods according to the preset interval step size, serving as a time constraint condition for optimizing device fingerprint features.
[0053] The historical minimum certification time window is the shortest certification time obtained from all historical certification time data. The historical maximum certification time window is the longest certification time obtained from all historical certification time data. The historical feasible certification period is a time interval enclosed by the historical minimum certification time window as the starting value and the historical maximum certification time window as the ending value, representing the total allowable time range for legal certification of medical devices.
[0054] Specifically, all historical authentication records within the preset historical time range of the medical implant device are retrieved, and the minimum and maximum historical authentication time windows are statistically selected from them. The minimum historical authentication time window is used as the starting point of the interval and the maximum historical authentication time window is used as the ending point of the interval to form a historical feasible authentication period. The historical feasible authentication period is equally divided using a pre-set fixed time interval step size, resulting in several independent time intervals, which are multiple authentication time zones.
[0055] For example, the historical certification records of the insulin pump over the past year are retrieved, and the historical minimum certification time window is found to be 80 milliseconds, and the historical maximum certification time window is found to be 480 milliseconds. Thus, a historical feasible certification period of 80 milliseconds to 480 milliseconds is constructed. The preset interval step size is set to 100 milliseconds, and this period is divided into four certification time zones: 80-180 milliseconds, 180-280 milliseconds, 280-380 milliseconds, and 380-480 milliseconds.
[0056] Furthermore, based on the first device's multidimensional feature set and multiple authentication time zones, device fingerprint feature optimization is performed with authentication time zones as constraints. A first authentication time zone-device fingerprint feature mapping association table is pre-constructed, and several authentication time zone-device fingerprint feature mapping association tables for the several sample authentication terminal devices are constructed sequentially.
[0057] Specifically, based on the first device's multidimensional feature set and multiple authentication time zones, device fingerprint feature optimization is performed with authentication time zones as constraints. A first authentication time zone-device fingerprint feature mapping association table is pre-constructed, including: Randomly select a first authentication time zone from the plurality of authentication time zones; Based on the historical authentication records of similar medical implantable devices, and constrained by the device type of the first sample authentication terminal device, several sample first device fingerprint feature sets are collected, and several sample authentication durations and several sample authentication security indices are calculated. The sample authentication duration is the average of multiple historical authentication durations, and the sample authentication security index is determined based on the proportion of historical authentication abnormal events. Using the fingerprint feature set of the first device from the aforementioned samples as input, and the authentication duration and authentication security index of the aforementioned samples as supervision, a deep learning model is trained until convergence, generating a first authentication duration prediction plugin and a first authentication security assessment plugin. With the authentication duration being less than the first authentication time zone as a constraint, the device fingerprint features are optimized using the first authentication duration prediction plugin and the first authentication security assessment plugin. The first authentication time zone-device fingerprint feature mapping association is constructed and added to the first authentication time zone-device fingerprint feature mapping association table.
[0058] First, a first authentication time zone is randomly selected from the multiple authentication time zones. The first authentication time zone is a single sub-time interval randomly selected from the divided authentication time zones, serving as the constraint time zone for the first round of feature optimization. One of the divided authentication time zones is randomly selected as the first authentication time zone. For example, 80-180 milliseconds is randomly selected from the four authentication time zones as the first authentication time zone.
[0059] Secondly, based on historical authentication records of similar medical implantable devices, and constrained by the device type of the first sample authentication terminal device, several sample first device fingerprint feature sets are collected, and several sample authentication durations and several sample authentication security indices are calculated. The sample authentication duration is the average of multiple historical authentication durations, and the sample authentication security index is determined based on the proportion of historical authentication anomalies. The sample first device fingerprint feature set refers to a combination of historical fingerprint features from multiple similar first sample authentication terminal devices. The sample authentication duration is the arithmetic mean of the authentication times corresponding to multiple historical authentications for a single sample device fingerprint feature set. The sample authentication security index is a quantitative value characterizing the authentication security protection capability of a single fingerprint feature combination. The sample authentication security index value is calculated as 1 - the proportion of historical authentication anomalies; the higher the proportion of historical authentication anomalies, the lower the sample authentication security index value.
[0060] Specifically, using the device type of the first sample authentication terminal as a limiting condition, historical data of similar devices are retrieved to collect multiple sets of fingerprint feature sets for the first sample device. For each set of fingerprint feature sets, the corresponding historical authentication times are statistically analyzed and their arithmetic mean is calculated as the authentication time for the corresponding sample. Simultaneously, the number of historical authentication anomalies corresponding to each fingerprint feature combination is compared with the total number of authentication events. The proportion of historical authentication anomalies to the total authentication events is calculated, and the sample authentication security index is calculated as 1 - the proportion of historical authentication anomalies. The sample authentication security index for the corresponding group is then obtained.
[0061] For example, using an insulin pump controller as the device type constraint, 15 sets of historical fingerprint feature combinations of the same type of device are collected as the first sample device fingerprint feature set. For each set of the first sample device fingerprint feature set, 20 historical authentication time records are retrieved and their arithmetic mean is calculated. For example, after averaging the 20 historical authentication times corresponding to one set of feature combinations, the authentication time for that set of samples is 156 milliseconds. Simultaneously, the total number of historical authentication events and the number of abnormal events corresponding to each set of fingerprint feature combinations are counted. For example, one set of fingerprint feature combinations has a total of 20 historical authentications, with 2 abnormal events of unauthorized access and authentication forgery, resulting in an abnormal event ratio of 2 / 20 = 0.1, and a sample authentication security index of 1 - 0.1 = 0.9. The remaining 14 sets of the first sample device fingerprint feature sets are calculated using the same statistical method and calculation logic, respectively, to obtain the corresponding sample authentication time and sample authentication security index, ultimately yielding 15 sets of sample authentication times and 15 sets of sample authentication security indices.
[0062] Next, using the aforementioned sample first device fingerprint feature set as input, and the aforementioned sample authentication duration and sample authentication security index as supervision, a deep learning model is trained until convergence, generating a first authentication duration prediction plugin and a first authentication security assessment plugin. The deep learning model is a training model constructed using a regression fitting structure, capable of predicting authentication duration and assessing security levels from fingerprint feature combinations. The first authentication duration prediction plugin is a functional unit formed after the deep learning model training convergence; inputting the device fingerprint feature combination predicts the corresponding authentication time. The first authentication security assessment plugin is also a functional unit formed after the deep learning model training convergence; inputting the device fingerprint feature combination outputs the corresponding authentication security index.
[0063] First, a multi-layer fully connected neural network is selected as the basic deep learning model, with one input layer, two hidden layers, and two independent output layers. The first hidden layer has 64 neurons, and the second hidden layer has 32 neurons. Both hidden layers use the ReLU function as the activation function, and both output layers use linear activation functions, which are adapted to the authentication duration regression prediction and authentication security index regression prediction tasks, respectively.
[0064] Secondly, the normalized fingerprint feature set of several samples is used as the input feature vector of the deep learning model; at the same time, the authentication duration of several samples and the authentication security index of several samples are used as the supervision labels of the dual output branches of the deep learning model to construct a supervised model training dataset.
[0065] Furthermore, the batch gradient descent method is used to iteratively train the deep learning model. The mean squared error is used as the loss function for the deep learning model as a whole. The error between the predicted authentication time and the actual authentication time, and the error between the predicted authentication security index and the actual authentication security index are calculated separately. The total loss value of the deep learning model is obtained by summing them up. Based on the total loss value, the weights and bias parameters of the neurons in each layer of the model are updated layer by layer in reverse.
[0066] Finally, the maximum number of iterations for training the deep learning model is set to 1000, and the convergence threshold of the loss function is preset to 0.001. Continuous iterative training is performed, and when the total loss value of the deep learning model is less than the preset convergence threshold, or when the maximum number of iterations is reached and the loss value no longer decreases significantly, the deep learning model is determined to have completed training and converged. The converged deep learning model is then split and solidified to generate the first authentication duration prediction plugin and the first authentication security assessment plugin, which each have independent reasoning capabilities.
[0067] Furthermore, with the authentication duration being less than the first authentication time zone as a constraint, the device fingerprint features are optimized using the first authentication duration prediction plugin and the first authentication security assessment plugin, and a first authentication time zone-device fingerprint feature mapping association is constructed and added to the first authentication time zone-device fingerprint feature mapping association table.
[0068] Specifically, with the authentication duration being less than the first authentication time zone as a constraint, the device fingerprint features are optimized using the first authentication duration prediction plugin and the first authentication security assessment plugin to construct a first authentication time zone-device fingerprint feature mapping association, including: Random feature combinations are performed based on the multidimensional feature set of the first device to generate multiple multidimensional feature groups of the first device. Using the first authentication duration prediction plugin and the first authentication security assessment plugin, multiple first predicted authentication durations and multiple first predicted authentication security indices are predicted based on the multiple first device multidimensional feature groups, respectively. With the authentication duration being less than the first authentication time zone as a constraint, the multiple first predicted authentication durations are used to filter the multiple first device multidimensional feature groups to determine multiple qualified device multidimensional feature groups. Based on the multiple first predicted authentication durations and multiple first predicted authentication security indices, the authentication adaptability of the multiple qualified device multidimensional feature groups is evaluated, and the qualified device multidimensional feature group with the maximum authentication adaptability is selected as the first optimal device fingerprint feature. The authentication adaptability is negatively correlated with the predicted authentication duration and positively correlated with the predicted authentication security index. A first authentication time zone-device fingerprint feature mapping association is constructed based on the first authentication time zone and the first optimal device fingerprint features.
[0069] First, multiple multidimensional feature groups of the first device are generated by randomly combining features based on the multidimensional feature set of the first device. The multidimensional feature group of the first device refers to multiple sets of non-overlapping features formed by randomly combining and matching the fingerprint features of the hardware layer, software layer, and behavioral state layer in the multidimensional feature set of the first device. Each set contains a different number and type of fingerprint features for subsequent optimization and selection.
[0070] First, identify all subdivided fingerprint features in the first device's multidimensional feature set and determine the combination rules. Each feature combination must include at least one feature from the hardware layer, software layer, and behavioral state layer to avoid single-dimensional feature combinations. Second, use a random permutation and combination algorithm to randomly combine all subdivided features, generating multiple sets of non-repeating first device multidimensional feature groups. Finally, eliminate invalid combinations, such as those with duplicate features or missing features in a certain dimension, and retain feature groups that conform to the rules as the basis for subsequent prediction and selection. For example, following the rule that each group must contain at least one feature from each of three dimensions, a random combination algorithm is used to generate 30 sets of non-repeating first device multidimensional feature groups.
[0071] Secondly, using the first authentication duration prediction plugin and the first authentication security assessment plugin, multiple first predicted authentication durations and multiple first predicted authentication security indices are predicted based on the multiple multi-dimensional feature groups of the first devices. The first predicted authentication duration is the estimated authentication time output by the first authentication duration prediction plugin through inference calculation on each group of multi-dimensional feature groups of the first devices, and its dimension is consistent with the sample authentication duration. The first predicted authentication security index is the estimated quantitative value of security protection capability output by the first authentication security assessment plugin through inference calculation on each group of multi-dimensional feature groups of the first devices.
[0072] For example, 30 sets of first device multidimensional feature groups are input one by one into the first authentication duration prediction plugin and the first authentication security evaluation plugin after training convergence. For example, for one combination, the plugin outputs a first predicted authentication duration of 128 milliseconds and a first predicted authentication security index of 0.88. The remaining 29 feature combinations are processed in the same way to obtain the corresponding predicted authentication duration and predicted security index, thus completing the aggregation of 30 prediction results.
[0073] Next, with the authentication duration being less than the first authentication time zone as a constraint, the multiple first device multi-dimensional feature groups are filtered based on the multiple first predicted authentication durations to determine multiple qualified device multi-dimensional feature groups. A qualified device multi-dimensional feature group refers to a first device multi-dimensional feature group that meets the constraint that the first predicted authentication duration is less than the maximum duration of the first authentication time zone; that is, the estimated authentication time of this feature combination does not exceed the duration limit of the current first authentication time zone. The constraint is: the first predicted authentication duration < the maximum value of the first authentication time zone, ensuring that the subsequent authentication process can be completed within the duration specified in the first authentication time zone, meeting the timeliness requirements of the scenario.
[0074] For example, the current first authentication time zone is 80-180 milliseconds, and its maximum duration is 180 milliseconds; traverse 30 sets of prediction results, compare the first predicted authentication duration of each set with 180 milliseconds, and retain the device multidimensional feature groups with a first predicted authentication duration < 180 milliseconds. After screening, 22 sets of the 30 feature combinations meet the constraints, which are multiple qualified device multidimensional feature groups.
[0075] Furthermore, based on the multiple first predicted authentication durations and multiple first predicted authentication security indices, the authentication fit of the multiple qualified device multidimensional feature groups is evaluated. The qualified device multidimensional feature group with the highest authentication fit is selected as the first optimal device fingerprint feature. The authentication fit is negatively correlated with the predicted authentication duration and positively correlated with the predicted authentication security index. The first optimal device fingerprint feature refers to the feature combination with the highest authentication fit score among all qualified device multidimensional feature groups; that is, it is the optimal fingerprint feature combination that balances duration and security under the current first authentication time zone.
[0076] The certification fit is a comprehensive score of the multi-dimensional feature group of qualified equipment, which is based on the first predicted certification time and the first predicted certification security index. It is used to measure the degree of fit of the feature group in terms of both time constraints and security protection. The certification fit is negatively correlated with the predicted certification time, that is, the shorter the predicted time, the higher the fit; and positively correlated with the predicted certification security index, that is, the higher the security index, the higher the fit.
[0077] Specifically, the authentication fit calculation formula is: Authentication Fit = (1 - First Predicted Authentication Duration / Maximum Duration of First Authentication Time Zone) × 0.4 + First Predicted Authentication Security Index × 0.6. For each set of qualified device multi-dimensional feature groups, the corresponding first predicted authentication duration and first predicted authentication security index are substituted to calculate the authentication fit score for each group. By comparing the fit scores of all qualified groups, the qualified device multi-dimensional feature group with the highest score is selected and determined as the first optimal device fingerprint feature.
[0078] For example, for one combination, the plugin outputs a first predicted authentication duration of 128 milliseconds, a first predicted authentication security index of 0.88, a first authentication time zone maximum duration of 180 milliseconds, and an authentication fit rate of (1-128 / 180)×0.4+0.88×0.6≈0.64. The remaining qualified groups are calculated using the same formula. The fit rate scores of the 22 combined groups are compared, and the combination with the highest fit rate is selected as the first optimal device fingerprint feature.
[0079] Then, a first authentication time zone-device fingerprint feature mapping association is constructed based on the first authentication time zone and the first optimal device fingerprint feature. The first authentication time zone-device fingerprint feature mapping association refers to establishing a one-to-one binding relationship between the current first authentication time zone and the first optimal device fingerprint feature, clarifying the optimal combination of device fingerprint features that is suitable under this authentication time zone, for rapid matching during subsequent actual authentication.
[0080] For example, the current first authentication time zone is 80-180 milliseconds, and the first optimal device fingerprint features are: physical non-cloning function response feature: 8A36F279BD05, operating system version information: V2.3.6 (compilation number 2025031208), and communication timing feature: 500 millisecond packet transmission interval. The 80-180 millisecond range is bound to the first optimal device fingerprint features to form a first authentication time zone-device fingerprint feature mapping association.
[0081] Finally, several authentication time zone-device fingerprint feature mapping association tables are constructed sequentially for the aforementioned sample authentication terminal devices. Each authentication time zone-device fingerprint feature mapping association table is a table categorized by device type, storing the mapping associations between all authentication time zones and their corresponding optimal device fingerprint features for that type of device. Each sample authentication terminal device corresponds to a dedicated mapping association table, used for subsequent actual authentication to quickly activate and match feature combinations according to device type.
[0082] Specifically, for the first sample authentication terminal device, repeat the above operations to sequentially construct corresponding mapping associations for all other authentication time zones, such as 180-280 milliseconds, 280-380 milliseconds, and 380-480 milliseconds. Summarize all the mapping associations for authentication time zones to form a unique authentication time zone-device fingerprint feature mapping association table for the first sample authentication terminal device. For all other sample authentication terminal devices, follow the same complete process to construct a mapping association table for each sample device. Finally, complete the construction of mapping association tables for all sample authentication terminal devices, forming a complete set of association tables categorized by device type.
[0083] In this embodiment of the invention, a multi-dimensional feature set of various types of medical access terminals is pre-collected. By dividing the authentication time zone and training a deep learning model with historical authentication data, intelligent optimization of device fingerprint features constrained by the authentication time zone is achieved. An authentication time zone-device fingerprint feature mapping association table is constructed according to device type, avoiding the subjectivity and redundancy of manually selecting feature combinations. During actual authentication, a dedicated association table can be accurately activated according to the terminal device type, and a suitable fingerprint feature combination can be quickly matched based on the optimal authentication time window. This strictly limits the authentication time to meet the timeliness requirements of medical emergency scenarios, while ensuring the security level of identity authentication through multi-layer, multi-dimensional fingerprint feature optimization. Simultaneously, it standardizes the application standards of hardware, software, and behavioral fingerprint features, solving the problems of disordered selection of traditional authentication features and the inability to balance time and security, thus adapting to the application needs of dynamic authentication in multiple scenarios for medical implantable devices.
[0084] S400: Send a request to the current authentication terminal device according to the matching device fingerprint feature combination and obtain the corresponding actual device fingerprint feature to perform device identity authentication.
[0085] In this embodiment of the invention, a request is sent to the currently authenticated terminal device according to the matching device fingerprint feature combination to obtain the corresponding actual device fingerprint feature for device authentication. After the medical implantable device completes the matching of the matching device fingerprint feature combination, it needs to collect fingerprint feature data of a specified dimension from the access request terminal. It cannot collect all device features indiscriminately to avoid redundant data transmission and invalid comparisons. Simultaneously, the actual device fingerprint feature returned by the terminal needs to be quantitatively compared with the locally pre-stored legitimate device fingerprint template. Based on a preset matching threshold, the device is classified as legitimate or illegitimate, and permission granting or connection denial policies are executed accordingly. This eliminates the risk of unauthorized terminals forging device parameters for malicious access and tampering with medical implantable device control commands, ensuring the communication security and clinical use safety of medical implantable devices such as insulin pumps.
[0086] Step S400 in the method provided in this embodiment of the invention includes: The medical implant device sends a fingerprint extraction request to the currently authenticated terminal device, which includes each feature identifier in the fingerprint feature combination of the adapter device; The current authentication terminal device extracts its own actual device fingerprint features based on the feature identifier and returns them; The medical implant device compares the received actual device fingerprint features with a locally pre-stored legitimate device fingerprint template; If the similarity of the comparison results is greater than or equal to the preset matching threshold, the current authentication terminal device is determined to be a legitimate device and operation permissions are granted. If the similarity of the comparison results is less than the preset matching threshold, the current authentication terminal device is determined to be an illegal device and the connection is refused.
[0087] First, the medical implant device sends a fingerprint extraction request to the currently authenticated terminal device, containing each feature identifier in the fingerprint feature combination of the adapter device. The medical implant device retrieves the fingerprint feature combination of the adapter device obtained by matching in S300, and reads the preset feature identifier corresponding to each fingerprint feature in the combination one by one; it encapsulates all feature identifiers into a standard communication message to generate a fingerprint extraction request; and it sends the fingerprint extraction request to the currently authenticated terminal device that initiated the access request through the wireless communication link.
[0088] For example, the matching device fingerprint feature combination obtained by the insulin pump is: physical non-clonable function response feature, operating system version information, and communication timing feature; the feature identifiers corresponding to the three features are ID01, ID05, and ID09 respectively; the insulin pump encapsulates ID01, ID05, and ID09 into a request message and sends a fingerprint extraction request to the insulin pump controller that requests access.
[0089] Secondly, the current authentication terminal device extracts its own actual device fingerprint features based on the feature identifiers and returns them. The actual device fingerprint features refer to the original fingerprint feature data that the current authentication terminal device itself actually collects and generates, corresponding to each feature identifier. The current authentication terminal device receives the fingerprint extraction request from the medical implant device, parses all feature identifiers carried in the message, extracts the corresponding actual device fingerprint features from its own hardware layer, software system, and operational behavior data according to the feature type corresponding to each feature identifier, and encapsulates all extracted actual device fingerprint features into a unified response message, which is then sent back to the medical implant device.
[0090] For example, the insulin pump controller receives a fingerprint extraction request and parses out the feature identifiers ID01, ID05, and ID09; based on the identifiers, it extracts its own actual device fingerprint features: ID01 corresponds to the physical unclonable function response code 8A36F279BD05, ID05 corresponds to the operating system version V2.3.6 and compilation number 2025031208, and ID09 corresponds to a communication timing interval of 500 milliseconds; the three actual feature data are encapsulated and sent back to the insulin pump.
[0091] Next, the medical implantable device compares the received actual device fingerprint features with a locally pre-stored legitimate device fingerprint template. The legitimate device fingerprint template refers to a standard fingerprint feature dataset of registered and compliant terminal devices that is pre-stored locally on the medical implantable device, and it corresponds one-to-one with the matching device fingerprint feature combination dimensions.
[0092] First, the insulin pump receives three actual device fingerprint features from the controller: physical non-clonable function response feature, operating system version information, and communication timing feature. The insulin pump pre-configures differentiated weights for the three types of features, for example, the weight of the physical non-clonable function response feature is 0.5, the weight of the operating system version information is 0.3, and the weight of the communication timing feature is 0.2.
[0093] Secondly, the insulin pump retrieves the locally stored fingerprint template of the legitimate insulin pump controller, compares parameters item by item, and calculates the similarity of each item: the actual code of the physically unclonable function response feature is 8A36F279BD05, which is completely consistent with the legitimate template code. Using the exact match rule, the similarity of the physically unclonable function response feature is 1.0. The actual version of the operating system is V2.3.6, and the compilation number is 2025031208. There are slight differences from the legitimate template version. The version number and compilation number are concatenated into a complete string, and the character matching ratio method is used: Operating system version information similarity = number of matching characters / total number of characters in the string. For example, the calculated operating system version information similarity is 0.77. The actual packet sending interval of the communication timing feature is 500 milliseconds. The numerical deviation normalization algorithm is used: Communication timing feature similarity = 1 − |actual timing value − template timing value| / template timing value. For example, the communication timing feature similarity is 1.0.
[0094] Secondly, the weighted similarity calculation formula is used: Overall matching similarity = Physical non-cloning function response feature similarity × Weight of physical non-cloning function response feature + Operating system version information similarity × Weight of operating system version information + Communication timing feature similarity × Weight of communication timing feature. For example, overall matching similarity = 1.0 × 0.5 + 0.77 × 0.3 + 1.0 × 0.2 = 0.931.
[0095] Secondly, if the similarity of the comparison results is greater than or equal to a preset matching threshold, the current authentication terminal device is determined to be a legitimate device and is granted operating permissions. The preset matching threshold is a pre-set fingerprint feature similarity threshold, used as a criterion for distinguishing between legitimate and illegitimate devices, with a value range of 0-1. A fixed preset matching threshold is pre-configured locally on the medical implant device. The overall matching similarity is compared with the preset matching threshold. When the overall matching similarity is greater than or equal to the preset matching threshold, the current authentication terminal device is determined to be a legitimate device, and all preset controllable operating permissions are granted to the current authentication terminal device, establishing a long-term communication connection.
[0096] For example, the preset matching threshold is set to 0.85. The matching similarity of 0.931 calculated in this case is greater than 0.85, so the insulin pump controller is determined to be a legitimate device. The insulin pump grants the controller full operation permissions for parameter query, infusion command issuance, and blood glucose threshold setting, and establishes a stable communication connection.
[0097] Furthermore, if the similarity of the comparison results is less than the preset matching threshold, the currently authenticated terminal device is determined to be an illegal device and the connection is refused. An illegal device refers to an access terminal device that poses a risk of being counterfeited, imitated, or maliciously intruded upon. If the overall matching similarity is less than the preset matching threshold, the currently authenticated terminal device is directly determined to be an illegal device; the medical implantable device immediately refuses to establish a communication connection with the terminal, discards the access request message, and can record this illegal access event to the local log.
[0098] For example, if another unfamiliar terminal returns fingerprint features and the calculated matching similarity is 0.72, which is less than the preset matching threshold of 0.85, the insulin pump determines that the terminal is an illegal device, directly rejects the access request, does not establish any communication connection, and retains the record of this illegal access.
[0099] In this embodiment of the invention, terminal fingerprint features are collected in a targeted manner according to the fingerprint feature combination of the adapted device, avoiding the resource waste caused by full feature transmission; the device identity is accurately determined by comparing the quantitative similarity between the actual device fingerprint features and the local legitimate template, combined with a preset matching threshold. Legitimate terminals can normally obtain medical device operation permissions, ensuring the reliable issuance of normal diagnosis and treatment control commands; illegal terminals are directly blocked and denied access, effectively preventing the security risks of forged terminals intruding and tampering with the operating parameters of medical implantable devices, and ensuring the operational safety of medical implantable devices and the safety of patient diagnosis and treatment from the source of access.
[0100] Through the specific implementation methods described above, the embodiments of the present invention achieve the following technical effects: This invention provides an IoT terminal authentication method and system based on device fingerprint features. By collecting multi-dimensional associated perception information such as physiological state, environmental security, and requester attributes, it achieves accurate quantitative assessment of the urgency of the authentication scenario. Based on a hierarchical correction of the authentication urgency coefficient, the baseline authentication time window is adjusted. In physiological emergency scenarios, the authentication time is shortened to ensure timely treatment; in suspicious environmental scenarios, the authentication time is extended to enhance security protection, achieving precise adaptation between authentication time and scenario risk. By pre-constructing a device-specific authentication time zone-device fingerprint feature mapping association table, and combining the optimal authentication time window with the optimal fingerprint feature combination, the security level is maximized while meeting time constraints, avoiding redundancy and blindness in feature selection. By selectively extracting actual device fingerprint features and weighted quantitatively comparing them with legitimate templates, the identity of the terminal device is accurately determined, effectively intercepting unauthorized device intrusion and ensuring device operational security. This invention achieves scenario-adaptive, duration-dynamic, feature-optimized, and verification-accurate identity authentication for medical implantable devices. It takes into account the timeliness requirements of treatment in physiological emergency scenarios, ensures authentication security in high-risk environments, and adapts to the differentiated needs of different types of access terminals. It strengthens the security defense of medical implantable devices from the source of access, ensuring patient treatment safety and device operation reliability.
[0101] Example 2, as Figure 2 As shown, the present invention provides an IoT terminal identity authentication system based on device fingerprint features, the system comprising: The urgency coefficient assessment module 11 is used to collect the associated perception information set of the medical implantation device at the current moment, and to assess and determine the current authentication urgency coefficient based on the associated perception information set. The time window correction module 12 is used to correct the baseline authentication time window based on the current authentication urgency coefficient to determine the optimal authentication time window; The fingerprint feature matching module 13 is used to activate the corresponding authentication time zone-device fingerprint feature mapping association table according to the device type of the current authentication terminal device, and determine the appropriate device fingerprint feature combination according to the optimal authentication time window. The device fingerprint feature is optimized with the authentication time zone as a constraint, and the authentication time zone-device fingerprint feature mapping association table is pre-constructed. The identity authentication execution module 14 is used to send a request to the current authentication terminal device according to the matching device fingerprint feature combination and obtain the corresponding actual device fingerprint feature to perform device identity authentication.
[0102] In one embodiment, the urgency factor assessment module 11 is further configured to: The associated sensing information set includes physiological state information, environmental safety information, and requester attribute information. The physiological state information includes continuous blood glucose monitoring values and blood glucose change trends. The environmental safety information includes wireless signal scanning results within a preset range, the number of unfamiliar wireless devices, geographical location data, and current time attributes. The requester attribute information includes at least one of the following: historical authentication records of the external device requesting access, the reputation value of the external device, and indication information indicating whether the external device exists in a pre-stored whitelist.
[0103] The determination of the current authentication urgency coefficient based on the associated perception information set includes: For each type of sensing information in the associated sensing information set, a corresponding single-item emergency index mapping table is configured. Based on the actual collected value of each type of sensing information, a matching query is performed in the corresponding single-item emergency index mapping table to obtain the physiological certification emergency index, environmental certification emergency index, and attribute certification emergency index. Among them, the physiological certification emergency index is positively correlated with the physiological risk level represented by the physiological state information, the environmental certification emergency index is negatively correlated with the environmental safety risk level represented by the environmental safety information, and the attribute certification emergency index is negatively correlated with the trustworthiness of the requester represented by the requester attribute information. The current certification urgency coefficient is determined by a weighted evaluation based on the physiological certification urgency index, environmental certification urgency index, and attribute certification urgency index.
[0104] In one embodiment, the time window correction module 12 is further configured to: Obtain the preset baseline certification time window; Determine whether the current authentication urgency coefficient exceeds a preset urgency threshold; When the current authentication urgency coefficient exceeds the urgency threshold, it is determined that the current state is in a physiological emergency. The ratio of the urgency threshold to the current authentication urgency coefficient is calculated as a first time correction coefficient. The baseline authentication time window is multiplied by the first time correction coefficient to obtain a first authentication time window, and the first authentication time window is taken as the optimal authentication time window. When the current authentication urgency coefficient does not exceed the urgency threshold, it is further determined whether the number of unfamiliar wireless devices in the environmental security information exceeds a preset security threshold. When the number of unfamiliar wireless devices exceeds the security threshold, it is determined that the current environment is suspicious. The ratio of the number of unfamiliar wireless devices to the security threshold is calculated as a second time correction coefficient. The baseline authentication time window is multiplied by the second time correction coefficient to obtain a second authentication time window, and the second authentication time window is used as the optimal authentication time window. When the current authentication urgency coefficient does not exceed the urgency threshold and the number of unfamiliar wireless devices does not exceed the security threshold, the baseline authentication time window is taken as the optimal authentication time window.
[0105] In one embodiment, the fingerprint feature matching module 13 is further configured to: The steps for constructing the authentication time zone-device fingerprint feature mapping association table include: Obtain several device multidimensional feature sets from several sample authentication terminal devices, and randomly select the first device multidimensional feature set from the first sample authentication terminal device; Based on the historical authentication records of medical implantable devices within a historical time range, the historical minimum authentication time window and the historical maximum authentication time window are collected to construct a historical feasible authentication period. The historical feasible authentication period is then divided according to a preset interval step size to determine multiple authentication time zones. Based on the first device's multidimensional feature set and multiple authentication time zones, device fingerprint feature optimization is performed with authentication time zones as constraints. A first authentication time zone-device fingerprint feature mapping association table is pre-constructed, and several authentication time zone-device fingerprint feature mapping association tables for the several sample authentication terminal devices are constructed sequentially.
[0106] The device multidimensional feature set includes hardware layer fingerprint features, software layer fingerprint features, and behavioral state fingerprint features; The hardware layer fingerprint features include at least one of the following: physical non-clonable function response features, transient features of radio frequency signals, steady-state features of radio frequency signals, and clock drift features; The software layer fingerprint features include at least one of the following: operating system version information, protocol stack implementation features, and open port information; The behavioral state fingerprint features include at least one of the following: communication timing features, data packet transmission frequency features, and energy consumption mode features.
[0107] Specifically, based on the first device's multidimensional feature set and multiple authentication time zones, device fingerprint feature optimization is performed with authentication time zones as constraints. A first authentication time zone-device fingerprint feature mapping association table is pre-constructed, including: Randomly select a first authentication time zone from the plurality of authentication time zones; Based on the historical authentication records of similar medical implantable devices, and constrained by the device type of the first sample authentication terminal device, several sample first device fingerprint feature sets are collected, and several sample authentication durations and several sample authentication security indices are calculated. The sample authentication duration is the average of multiple historical authentication durations, and the sample authentication security index is determined based on the proportion of historical authentication abnormal events. Using the fingerprint feature set of the first device from the aforementioned samples as input, and the authentication duration and authentication security index of the aforementioned samples as supervision, a deep learning model is trained until convergence, generating a first authentication duration prediction plugin and a first authentication security assessment plugin. With the authentication duration being less than the first authentication time zone as a constraint, the device fingerprint features are optimized using the first authentication duration prediction plugin and the first authentication security assessment plugin. The first authentication time zone-device fingerprint feature mapping association is constructed and added to the first authentication time zone-device fingerprint feature mapping association table.
[0108] Specifically, with the authentication duration being less than the first authentication time zone as a constraint, the device fingerprint features are optimized using the first authentication duration prediction plugin and the first authentication security assessment plugin to construct a first authentication time zone-device fingerprint feature mapping association, including: Random feature combinations are performed based on the multidimensional feature set of the first device to generate multiple multidimensional feature groups of the first device. Using the first authentication duration prediction plugin and the first authentication security assessment plugin, multiple first predicted authentication durations and multiple first predicted authentication security indices are predicted based on the multiple first device multidimensional feature groups, respectively. With the authentication duration being less than the first authentication time zone as a constraint, the multiple first predicted authentication durations are used to filter the multiple first device multidimensional feature groups to determine multiple qualified device multidimensional feature groups. Based on the multiple first predicted authentication durations and multiple first predicted authentication security indices, the authentication adaptability of the multiple qualified device multidimensional feature groups is evaluated, and the qualified device multidimensional feature group with the maximum authentication adaptability is selected as the first optimal device fingerprint feature. The authentication adaptability is negatively correlated with the predicted authentication duration and positively correlated with the predicted authentication security index. A first authentication time zone-device fingerprint feature mapping association is constructed based on the first authentication time zone and the first optimal device fingerprint features.
[0109] In one embodiment, the identity authentication execution module 14 is further configured to: The medical implant device sends a fingerprint extraction request to the currently authenticated terminal device, which includes each feature identifier in the fingerprint feature combination of the adapter device; The current authentication terminal device extracts its own actual device fingerprint features based on the feature identifier and returns them; The medical implant device compares the received actual device fingerprint features with a locally pre-stored legitimate device fingerprint template; If the similarity of the comparison results is greater than or equal to the preset matching threshold, the current authentication terminal device is determined to be a legitimate device and operation permissions are granted. If the similarity of the comparison results is less than the preset matching threshold, the current authentication terminal device is determined to be an illegal device and the connection is refused.
[0110] It should be noted that the above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. An IoT terminal authentication method based on device fingerprint features, characterized in that, Used in medical implantable devices, including: Collect the associated sensing information set of the medical implanted device at the current moment, and evaluate and determine the current authentication urgency coefficient based on the associated sensing information set; The baseline authentication time window is adjusted based on the current authentication urgency coefficient to determine the optimal authentication time window; Activate the corresponding authentication time zone-device fingerprint feature mapping association table according to the device type of the current authentication terminal device, and determine the appropriate device fingerprint feature combination according to the optimal authentication time window. Among them, the device fingerprint feature is optimized with the authentication time zone as a constraint, and the authentication time zone-device fingerprint feature mapping association table is pre-constructed. The device sends a request to the current authentication terminal device according to the matching device fingerprint feature combination and obtains the corresponding actual device fingerprint feature to perform device identity authentication.
2. The IoT terminal authentication method based on device fingerprint features according to claim 1, characterized in that, The associated sensing information set includes physiological state information, environmental safety information, and requester attribute information. The physiological state information includes continuous blood glucose monitoring values and blood glucose change trends. The environmental safety information includes wireless signal scanning results within a preset range, the number of unfamiliar wireless devices, geographical location data, and current time attributes. The requester attribute information includes at least one of the following: historical authentication records of the external device requesting access, the reputation value of the external device, and indication information indicating whether the external device exists in a pre-stored whitelist.
3. The IoT terminal authentication method based on device fingerprint features according to claim 2, characterized in that, The current authentication urgency coefficient is determined based on the aforementioned associated perception information set, including: For each type of sensing information in the associated sensing information set, a corresponding single-item emergency index mapping table is configured. Based on the actual collected value of each type of sensing information, a matching query is performed in the corresponding single-item emergency index mapping table to obtain the physiological certification emergency index, environmental certification emergency index, and attribute certification emergency index. Among them, the physiological certification emergency index is positively correlated with the physiological risk level represented by the physiological state information, the environmental certification emergency index is negatively correlated with the environmental safety risk level represented by the environmental safety information, and the attribute certification emergency index is negatively correlated with the trustworthiness of the requester represented by the requester attribute information. The current certification urgency coefficient is determined by a weighted evaluation based on the physiological certification urgency index, environmental certification urgency index, and attribute certification urgency index.
4. The IoT terminal authentication method based on device fingerprint features according to claim 2, characterized in that, The baseline authentication time window is adjusted based on the current authentication urgency coefficient to determine the optimal authentication time window, including: Obtain the preset baseline certification time window; Determine whether the current authentication urgency coefficient exceeds a preset urgency threshold; When the current authentication urgency coefficient exceeds the urgency threshold, it is determined that the current state is in a physiological emergency. The ratio of the urgency threshold to the current authentication urgency coefficient is calculated as a first time correction coefficient. The baseline authentication time window is multiplied by the first time correction coefficient to obtain a first authentication time window, and the first authentication time window is taken as the optimal authentication time window. When the current authentication urgency coefficient does not exceed the urgency threshold, it is further determined whether the number of unfamiliar wireless devices in the environmental security information exceeds a preset security threshold. When the number of unfamiliar wireless devices exceeds the security threshold, it is determined that the current environment is suspicious. The ratio of the number of unfamiliar wireless devices to the security threshold is calculated as a second time correction coefficient. The baseline authentication time window is multiplied by the second time correction coefficient to obtain a second authentication time window, and the second authentication time window is used as the optimal authentication time window. When the current authentication urgency coefficient does not exceed the urgency threshold and the number of unfamiliar wireless devices does not exceed the security threshold, the baseline authentication time window is taken as the optimal authentication time window.
5. The IoT terminal authentication method based on device fingerprint features according to claim 1, characterized in that, The steps for constructing the authentication time zone-device fingerprint feature mapping association table include: Obtain several device multidimensional feature sets from several sample authentication terminal devices, and randomly select the first device multidimensional feature set from the first sample authentication terminal device; Based on the historical authentication records of medical implantable devices within a historical time range, the historical minimum authentication time window and the historical maximum authentication time window are collected to construct a historical feasible authentication period. The historical feasible authentication period is then divided according to a preset interval step size to determine multiple authentication time zones. Based on the first device's multidimensional feature set and multiple authentication time zones, device fingerprint feature optimization is performed with authentication time zones as constraints. A first authentication time zone-device fingerprint feature mapping association table is pre-constructed, and several authentication time zone-device fingerprint feature mapping association tables for the several sample authentication terminal devices are constructed sequentially.
6. The IoT terminal authentication method based on device fingerprint features according to claim 5, characterized in that, The device multidimensional feature set includes hardware layer fingerprint features, software layer fingerprint features, and behavioral state fingerprint features; The hardware layer fingerprint features include at least one of the following: physical non-clonable function response features, transient features of radio frequency signals, steady-state features of radio frequency signals, and clock drift features; The software layer fingerprint features include at least one of the following: operating system version information, protocol stack implementation features, and open port information; The behavioral state fingerprint features include at least one of the following: communication timing features, data packet transmission frequency features, and energy consumption mode features.
7. The IoT terminal authentication method based on device fingerprint features according to claim 5, characterized in that, Based on the first device's multidimensional feature set and multiple authentication time zones, device fingerprint feature optimization is performed with authentication time zones as constraints. A first authentication time zone-device fingerprint feature mapping association table is pre-constructed, including: Randomly select a first authentication time zone from the plurality of authentication time zones; Based on the historical authentication records of similar medical implantable devices, and constrained by the device type of the first sample authentication terminal device, several sample first device fingerprint feature sets are collected, and several sample authentication durations and several sample authentication security indices are calculated. The sample authentication duration is the average of multiple historical authentication durations, and the sample authentication security index is determined based on the proportion of historical authentication abnormal events. Using the fingerprint feature set of the first device from the aforementioned samples as input, and the authentication duration and authentication security index of the aforementioned samples as supervision, a deep learning model is trained until convergence, generating a first authentication duration prediction plugin and a first authentication security assessment plugin. With the authentication duration being less than the first authentication time zone as a constraint, the device fingerprint features are optimized using the first authentication duration prediction plugin and the first authentication security assessment plugin. The first authentication time zone-device fingerprint feature mapping association is constructed and added to the first authentication time zone-device fingerprint feature mapping association table.
8. The IoT terminal authentication method based on device fingerprint features according to claim 7, characterized in that, With the authentication duration being less than the first authentication time zone as a constraint, the device fingerprint features are optimized using the first authentication duration prediction plugin and the first authentication security assessment plugin to construct a first authentication time zone-device fingerprint feature mapping association, including: Random feature combinations are performed based on the multidimensional feature set of the first device to generate multiple multidimensional feature groups of the first device. Using the first authentication duration prediction plugin and the first authentication security assessment plugin, multiple first predicted authentication durations and multiple first predicted authentication security indices are predicted based on the multiple first device multidimensional feature groups, respectively. With the authentication duration being less than the first authentication time zone as a constraint, the multiple first predicted authentication durations are used to filter the multiple first device multidimensional feature groups to determine multiple qualified device multidimensional feature groups. Based on the multiple first predicted authentication durations and multiple first predicted authentication security indices, the authentication adaptability of the multiple qualified device multidimensional feature groups is evaluated, and the qualified device multidimensional feature group with the maximum authentication adaptability is selected as the first optimal device fingerprint feature. The authentication adaptability is negatively correlated with the predicted authentication duration and positively correlated with the predicted authentication security index. A first authentication time zone-device fingerprint feature mapping association is constructed based on the first authentication time zone and the first optimal device fingerprint features.
9. The IoT terminal authentication method based on device fingerprint features according to claim 1, characterized in that, According to the adapted device fingerprint feature combination, a request is sent to the current authentication terminal device to obtain the corresponding actual device fingerprint feature, and device identity authentication is performed, including: The medical implant device sends a fingerprint extraction request to the currently authenticated terminal device, which includes each feature identifier in the fingerprint feature combination of the adapter device; The current authentication terminal device extracts its own actual device fingerprint features based on the feature identifier and returns them; The medical implant device compares the received actual device fingerprint features with a locally pre-stored legitimate device fingerprint template; If the similarity of the comparison results is greater than or equal to the preset matching threshold, the current authentication terminal device is determined to be a legitimate device and operation permissions are granted. If the similarity of the comparison results is less than the preset matching threshold, the current authentication terminal device is determined to be an illegal device and the connection is refused.
10. An IoT terminal identity authentication system based on device fingerprint features, characterized in that, The method for implementing the IoT terminal authentication method based on device fingerprint features as described in any one of claims 1-9 includes: The urgency factor assessment module is used to collect the associated sensing information set of the medical implanted device at the current moment, and to assess and determine the current authentication urgency factor based on the associated sensing information set. The time window correction module is used to correct the baseline authentication time window based on the current authentication urgency coefficient to determine the optimal authentication time window; The fingerprint feature matching module is used to activate the corresponding authentication time zone-device fingerprint feature mapping association table according to the device type of the current authentication terminal device, and determine the appropriate device fingerprint feature combination according to the optimal authentication time window. Among them, the device fingerprint feature is optimized with the authentication time zone as a constraint, and the authentication time zone-device fingerprint feature mapping association table is pre-constructed. The identity authentication execution module is used to send a request to the current authentication terminal device according to the matching device fingerprint feature combination and obtain the corresponding actual device fingerprint feature to perform device identity authentication.