CN-122001669-A - Cross-layer feature coupling-based self-intention verification method and system

Abstract

The invention discloses an end-side safety dynamic management and control method, device and terminal equipment based on cross-layer causal verification, and relates to the technical field of computer safety and privacy calculation. The method comprises the steps of locally and asynchronously collecting a first characteristic sequence representing digital behavior intention of a user and a second characteristic sequence of physical interaction and environmental state coupled with space and time of the user in parallel at a terminal, calculating causal association strength between the two sequences in real time through a causal calculation model, quantifying whether a digital instruction is driven by real physical interaction to generate a dynamic credibility score, dynamically arbitrating and switching to a matched safe role operation environment at the terminal based on the score, and executing a fine-grained access control strategy. The invention abandons the traditional scheme depending on plaintext content or static rules, and constructs a new intended verification paradigm of digital-physical causal closed loop verification in an encryption environment. All sensitive data are processed at the end side without uploading, and the asynchronous trigger mechanism ensures low power consumption and millisecond response. The scheme can be flexibly deployed in heterogeneous terminals such as mobile phones, internet of things, intelligent network automobiles, industrial systems and the like, effectively detects non-self attacks such as remote control and automatic scripts and the like, and remarkably improves the initiative, the accuracy and the reliability of end-side safety protection.

Inventors

• ZHANG ZUOYI

Assignees

• 汉中大小果科技有限公司

Dates

Publication Date

20260508

Application Date

20260317

Claims (10)

1. 1. A method for self-intention verification based on cross-layer feature coupling, comprising the steps of: step S1, monitoring a digital behavior stream of a target object in real time, and extracting a first characteristic sequence representing behavior intention and risk level, wherein the digital behavior stream comprises network communication data, a system call instruction or an application layer operation event; Step S2, asynchronously activating a physical perception module in response to a risk triggering condition hit by the first feature sequence, and acquiring physical environment data or biological interaction data related to the target object in time and space to form a second feature sequence; Step S3, carrying out space-time alignment on the first characteristic sequence and the second characteristic sequence, and calculating causal association strength of the first characteristic sequence and the second characteristic sequence through a causal calculation model, wherein the causal association strength is used for quantifying the consistency degree between the initiating power of the digital behavior and the interaction state of the physical entity; And step S4, generating a verification conclusion based on the causal association strength, judging the causal association strength to be abnormal intention when the causal association strength indicates that the digital behavior and the physical entity state have logic fracture or non-consistency, and executing a corresponding safety intervention strategy.
2. 2. The method of claim 1, wherein the first feature sequence extracted in step S1 comprises at least one of a time sequence distribution, a packet length feature, an encrypted fingerprint, or a bursty traffic pattern of network traffic, a business semantic feature comprising a fund circulation instruction, a sensitive data access, a device control change, or a virtual asset operation, a frequency, a cadence, and a degree of deviation from a historical baseline of an operation behavior, wherein the risk triggering condition comprises detecting a highly sensitive business event, an active operation of an atypical period, or an automated script feature match.
3. 3. The method according to claim 1, wherein the second feature sequence acquired in step S2 comprises at least one of biomechanical features derived from touch, pressure, microscopic jitter of inertial measurement or torque sensor, change in compression force, track smoothness or limb exertion feedback, circadian features derived from optical, acoustic or electrical sensor, heartbeat jog, breathing rhythm, eye tracking data or voiceprint liveness, environmental status features derived from microphone, light sensation, distance sensor, camera or external internet of things sensor, presence of field personnel, environmental sound energy, vibration features or illumination change, device status features including screen display status, foreground focus, activation status of human-computer interaction interface and device spatial pose.
4. 4. The method of claim 1, wherein the logic for calculating the causal link strength in step S3 includes constructing a compulsory response coefficient, calculating an instantaneous correlation between the rate of change of energy of the digital command and the rate of change of response of the physical interaction signal, constructing a causal fracture index, determining that the causal fracture index is increasing if the second sequence of features exhibits physical silence, lack of biorhythmic features, or logic conflicts with environmental conditions when high weight digital behavior commands are detected, and determining that the power source is from an unobtrusive system internal call, remote injection, or automation script if the causal link strength indicates that the digital behavior is weakly, zero, or negatively correlated with the physical interaction.
5. 5. The method according to claim 1, wherein the security intervention policy in step S4 includes a hierarchical execution of a prompting stage including ejecting a secondary acknowledgement, broadcasting a warning, or forcing a lighting of an interactive interface, a blocking stage including discarding network packets, freezing processes, cutting off peripheral control rights, or terminating sessions at a kernel state or an application layer, and a linking stage including generating an exception report including a risk tag, and triggering a notification procedure to a preset trusted party.
6. 6. The method according to any one of claims 1 to 5, wherein the execution subject of the method runs in at least one of an application layer container of a host operating system, including a third party application or software development kit, SDK, a kernel layer of an operating system or a system service process, a virtualization container or a sandbox environment.
7. 7. The method of claim 6, wherein at least a portion of the processing logic of steps S1-S3, and the raw data of the second signature sequence, are further configured to run within a trusted execution environment TEE, a hardware security isolation domain, a Secure Enclave, or a separate Secure chip SE of the smart terminal, the trusted execution environment or hardware security isolation domain being logically isolated from the host operating system to enable tamper-resistant protection and privacy data isolation for data collection processes and causal computing processes.
8. 8. A cross-layer feature coupling-based self-intention verification system is characterized by comprising a digital perception module, a physical acquisition scheduling module, a causal algorithm engine and a safety decision execution module, wherein the digital perception module is configured to monitor a digital behavior flow of a target object in real time and extract a first feature sequence representing behavior intention and risk level, the physical acquisition scheduling module is configured to asynchronously activate the physical perception module in response to a risk triggering condition hit by the first feature sequence to acquire physical environment data or biological interaction data so as to form a second feature sequence, the causal algorithm engine is configured to align the first feature sequence with the second feature sequence in time and space, and calculate causal correlation strength of the first feature sequence and the second feature sequence through a causal algorithm model, the safety decision execution module is configured to generate a verification conclusion based on the causal correlation strength and execute a safety intervention strategy when abnormal intention is judged, and the system is configured to be deployed in an intelligent terminal or a computing device in the form of a software component, firmware, an operating system service, an independent safety chip or a cloud service.
9. 9. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method of any one of claims 1 to 5.
10. 10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 5 when executing the program.

Description

Cross-layer feature coupling-based self-intention verification method and system Technical Field The invention relates to the technical fields of computer security, man-machine interaction and privacy computation, in particular to a method and a system for realizing high-precision intention verification and active security protection locally at an intelligent terminal, which are particularly suitable for distinguishing autonomous behaviors of a user from automatic attack, remote control or internal malicious call in an encrypted communication environment. Background With the acceleration of the digitizing process, intelligent terminals (such as smart phones, smart cars, industrial control systems) have become core portals for critical business and sensitive operations. At the same time, security threats against these terminals are increasingly complex and hidden. What is needed in the industry is an innovative technical solution that can realize accurate and real-time intention verification and intervention of high-risk digital behaviors on the premise that communication content is not decrypted and user privacy is not revealed locally by a terminal. However, the prior art solutions face two serious challenges: first, the popularity of encrypted communications has led to the failure of conventional detection techniques. The full link encryption protocols such as TLS 1.3, QUIC, etc. have become standard, rendering content analysis and behavior recognition techniques based on Deep Packet Inspection (DPI) completely ineffective. The security system faces the dilemma of "no content visible"; Second, privacy regulations and user experience require end-side processing. Regulations such as GDPR and China personal information protection law in the global scope strictly limit the uploading of user original data (such as touch track, biological signals and network flow) to the cloud for analysis. Meanwhile, delay and power consumption caused by cloud detection of all data are also seriously damaged. Prior art solutions attempt to solve the above problems, but all have fundamental limitations: The cloud analysis scheme is that original or slight desensitization data are required to be uploaded, legal and ethical risks of privacy leakage exist, response delay is high, and real-time intervention requirements cannot be met; The pure end side rule engine can only carry out simple release or blocking based on coarse granularity information such as application identification, IP address and the like, can not identify specific risk operation (such as distinguishing normal browsing from fraudulent transfer) in the application, is easy to bypass, and has high false alarm rate; Single-dimensional behavioral analysis, which only analyzes network traffic statistics (e.g., timing, packet length) or only analyzes user interaction patterns (e.g., click frequency). The former cannot distinguish between user active behavior and background silence traffic, and the latter cannot associate physical interactions with specific digital business risks. The two are split, so that the recognition accuracy is drastically reduced in complex scenes (such as multitasking parallelism and background updating); the "DPI-like" approach based on content guessing, which attempts to guess the content of the encrypted traffic by machine learning, is not only less reliable, but may also legally touch the red line of illicitly resolving the traffic. Aiming at the complex challenges of end-side safety protection, the related technical field has been subjected to multi-dimensional exploration and construction. For example, in the prior art, a content classification method based on encrypted traffic metadata (such as time sequence and SNI) has appeared, so as to provide network side feature sensing capability for end side behavior recognition, and a dynamic authority management system integrating behavior recognition and excitation strategies is further designed to display the application value of recognition results in management and control. However, when the technology is applied to high-value and high-safety scenes such as mental security and network overlong conservation, anti-aging induced payment, intelligent equipment error control prevention, financial anti-fraud and the like of minors, the inventor finds a novel common problem to be solved urgently, namely the existing scheme can effectively identify what' acts are and perform management control, but can not penetrate an encryption barrier at the moment of occurrence of the acts, and whether the acts are really driven by real physical interactions of users or not is verified. In the face of 'non-self' attacks, such as remote control, automation scripts, malicious calls in a system, and even induction of user hasten operations by utilizing social engineering, and the like, physical interaction signals are not generated or forged, and detection dead areas exist in the existing scheme. This lack of 'int