{ "_meta": { "category": "behavioral_anomaly", "description": "行为模式异常类——不属于特定威胁类型,但偏离住户日常规律" }, "scenarios": { "BA-01": { "name": "深夜异常多房间活动", "applicable_layouts": [ "A", "B", "C", "D" ], "description": "凌晨2-5点出现多个房间连续活动,不符合住户的任何正常行为模式", "anomaly_events": [ { "time": "02:30", "device": "living_room_occupancy", "attribute": "Occupancy", "value": 1 }, { "time": "02:32", "device": "kitchen_occupancy", "attribute": "Occupancy", "value": 1 }, { "time": "02:35", "device": "living_room_light", "attribute": "OnOff", "value": true }, { "time": "02:37", "device": "kitchen_light", "attribute": "OnOff", "value": true }, { "time": "02:40", "device": "entrance_occupancy", "attribute": "Occupancy", "value": 1 }, { "note": "卧室无活动——住户应该在睡觉" } ], "ground_truth": { "is_anomaly": true, "threat_type": "behavioral_anomaly", "key_evidence": [ "凌晨2:30-2:40短时间内多房间连续活动", "活动轨迹:客厅→厨房→玄关(像在搜索什么)", "卧室全程无活动(住户在睡觉),这些活动不是住户产生的", "注意区分:如果卧室先有活动再到其他房间,则可能是住户起夜" ], "expected_response": "高优先级入侵警报", "difficulty_score": 11, "difficulty_level": 3, "difficulty_label": "L3_composite_reasoning", "difficulty_dimensions": { "D1_evidence_count": 3, "D2_signal_directness": 2, "D3_cross_device": 3, "D4_temporal_span": 1, "D5_fp_similarity": 2 } }, "false_positive_variant": { "name": "BA-01-FP: 住户失眠在家走动", "events": [ { "time": "02:30", "device": "bedroom_occupancy", "value": 1, "note": "先从卧室起来" }, { "time": "02:32", "device": "living_room_occupancy", "value": 1, "note": "然后去客厅" }, { "time": "02:45", "device": "kitchen_occupancy", "value": 1, "note": "去厨房喝水" }, { "time": "02:50", "device": "bedroom_occupancy", "value": 1, "note": "回卧室" } ], "key_difference": "活动从卧室开始(住户起床),路径合理(卧室→客厅→厨房→卧室),最终回到卧室" } }, "BA-02": { "name": "设备使用模式突变", "applicable_layouts": [ "A", "B", "C", "D" ], "description": "在平时不使用某设备的时间段突然使用", "anomaly_events": [ { "note": "根据 daily_routines,该住户从不在早上做饭(只喝咖啡/吃面包)" }, { "time": "06:00", "device": "kitchen_cook_surface", "attribute": "OnOff", "value": true, "note": "凌晨6点灶具开启" }, { "time": "06:00", "device": "kitchen_occupancy", "attribute": "Occupancy", "value": 1 } ], "ground_truth": { "is_anomaly": "low_confidence", "threat_type": "behavioral_anomaly", "key_evidence": [ "与已知行为模式不符", "但单独看这个事件本身是正常的(有人在厨房开灶具)", "需要更多上下文才能判断:是住户改变习惯了还是其他人在操作" ], "expected_response": "记录异常但不报警,除非结合其他可疑信号", "difficulty_score": 9, "difficulty_level": 2, "difficulty_label": "L2_reasoning_detection", "difficulty_dimensions": { "D1_evidence_count": 1, "D2_signal_directness": 3, "D3_cross_device": 1, "D4_temporal_span": 1, "D5_fp_similarity": 3 } }, "false_positive_variant": { "name": "BA-02-FP: 住户周末改变习惯早起做饭", "events": [ { "time_offset": 0, "device": "bedroom_occupancy", "cluster": "OccupancySensing", "attribute": "Occupancy", "value": 1, "note": "住户起床" }, { "time_offset": 60, "device": "kitchen_occupancy", "cluster": "OccupancySensing", "attribute": "Occupancy", "value": 1 }, { "time_offset": 90, "device": "kitchen_cook_surface", "cluster": "OnOff", "attribute": "OnOff", "value": true }, { "time_offset": 90, "device": "kitchen_light", "cluster": "OnOff", "attribute": "OnOff", "value": true } ], "key_difference": "住户先从卧室起床再去厨房(正常路径),虽然时间段不同寻常但行为模式是住户自己" } }, "BA-03": { "name": "异常高频设备交互", "applicable_layouts": [ "A", "B", "C", "D" ], "description": "短时间内大量灯光开关切换", "anomaly_events": [ { "time_offset": 0, "device": "living_room_light", "attribute": "OnOff", "value": true }, { "time_offset": 3, "device": "living_room_light", "attribute": "OnOff", "value": false }, { "time_offset": 5, "device": "living_room_light", "attribute": "OnOff", "value": true }, { "time_offset": 8, "device": "living_room_light", "attribute": "OnOff", "value": false }, { "time_offset": 10, "device": "living_room_light", "attribute": "OnOff", "value": true }, { "time_offset": 12, "device": "bedroom_light", "attribute": "OnOff", "value": true }, { "time_offset": 14, "device": "bedroom_light", "attribute": "OnOff", "value": false }, { "note": "1分钟内7次灯光切换" } ], "ground_truth": { "is_anomaly": true, "threat_type": "behavioral_anomaly", "key_evidence": [ "1分钟内多次灯光开关", "可能原因:智能家居系统被入侵/远程控制;设备自动化规则冲突;或电路问题", "也可能是恐慌信号(住户通过反复开关灯试图引起注意)" ], "expected_response": "通知住户检查是否有人误操作或系统异常", "difficulty_score": 10, "difficulty_level": 2, "difficulty_label": "L2_reasoning_detection", "difficulty_dimensions": { "D1_evidence_count": 3, "D2_signal_directness": 2, "D3_cross_device": 2, "D4_temporal_span": 1, "D5_fp_similarity": 2 } }, "false_positive_variant": { "name": "BA-03-FP: 小孩玩开关", "applicable_profiles": [ "family_with_children" ], "events": [ { "time_offset": 0, "device": "kids_room_occupancy", "cluster": "OccupancySensing", "attribute": "Occupancy", "value": 1, "note": "小孩在房间" }, { "time_offset": 2, "device": "kids_room_light", "cluster": "OnOff", "attribute": "OnOff", "value": true }, { "time_offset": 4, "device": "kids_room_light", "cluster": "OnOff", "attribute": "OnOff", "value": false }, { "time_offset": 6, "device": "kids_room_light", "cluster": "OnOff", "attribute": "OnOff", "value": true }, { "time_offset": 8, "device": "kids_room_light", "cluster": "OnOff", "attribute": "OnOff", "value": false } ], "key_difference": "只在儿童房一个房间内发生,kids_room_occupancy=1,有小孩在场" } }, "BA-04": { "name": "不合理的房间移动序列", "applicable_layouts": [ "B", "C" ], "description": "运动传感器显示的移动路径跳过了物理上必须经过的房间", "anomaly_events": [ { "time_offset": 0, "device": "balcony_door_contact", "attribute": "StateValue", "value": false, "note": "阳台门打开" }, { "time_offset": 3, "device": "master_bedroom_occupancy", "attribute": "Occupancy", "value": 1, "note": "主卧运动——但从阳台到主卧必须经过客厅" }, { "time_offset": 3, "device": "living_room_occupancy", "attribute": "Occupancy", "value": 0, "note": "客厅无运动" } ], "ground_truth": { "is_anomaly": true, "threat_type": "behavioral_anomaly", "key_evidence": [ "从阳台到主卧在物理上必须经过客厅,但客厅无运动信号", "可能原因:(1) 客厅运动传感器故障 (2) 有人故意躲避传感器 (3) 数据异常", "不管哪种原因都值得调查" ], "expected_response": "标记为异常事件,建议检查客厅传感器或确认是否有人", "difficulty_score": 11, "difficulty_level": 3, "difficulty_label": "L3_composite_reasoning", "difficulty_dimensions": { "D1_evidence_count": 2, "D2_signal_directness": 2, "D3_cross_device": 3, "D4_temporal_span": 1, "D5_fp_similarity": 3 } }, "false_positive_variant": { "name": "BA-04-FP: 传感器触发延迟导致顺序看似跳跃", "events": [ { "time_offset": 0, "device": "balcony_door_contact", "cluster": "BooleanState", "attribute": "StateValue", "value": false, "note": "阳台门打开" }, { "time_offset": 2, "device": "living_room_occupancy", "cluster": "OccupancySensing", "attribute": "Occupancy", "value": 1, "note": "经过客厅" }, { "time_offset": 5, "device": "master_bedroom_occupancy", "cluster": "OccupancySensing", "attribute": "Occupancy", "value": 1, "note": "到达主卧" } ], "key_difference": "客厅occupancy在阳台和主卧之间有触发(2秒时),移动路径合理" } }, "BA-05": { "name": "假期/出差模式中出现活动", "applicable_layouts": [ "A", "B", "C" ], "preconditions": { "home_state": "住户已出远门(连续多天无活动+门锁有出门记录)" }, "anomaly_events": [ { "day": "Day1", "note": "住户出门,此后连续3天全屋无活动" }, { "day": "Day4 14:00", "device": "living_room_occupancy", "attribute": "Occupancy", "value": 1, "note": "第4天下午客厅出现运动" }, { "day": "Day4 14:00", "note": "但无 LockOperation 解锁事件——不是从正门进来的" } ], "ground_truth": { "is_anomaly": true, "threat_type": "intrusion", "key_evidence": [ "住户已知不在家(连续多天无活动模式)", "突然出现活动信号", "无门锁操作记录——不是通过正门合法进入", "极高可能性是入侵" ], "expected_response": "紧急入侵警报", "difficulty_score": 11, "difficulty_level": 3, "difficulty_label": "L3_composite_reasoning", "difficulty_dimensions": { "D1_evidence_count": 2, "D2_signal_directness": 2, "D3_cross_device": 2, "D4_temporal_span": 3, "D5_fp_similarity": 2 } }, "false_positive_variant": { "name": "BA-05-FP: 邻居/亲友代为浇花/喂宠物", "events": [ { "time_offset": 0, "device": "front_door_lock", "event": "LockOperation", "fields": { "LockOperationType": 1, "OperationSource": 3, "UserIndex": 5 }, "note": "临时用户密码解锁" }, { "time_offset": 3, "device": "front_door_contact", "cluster": "BooleanState", "attribute": "StateValue", "value": false, "note": "开门" }, { "time_offset": 5, "device": "entrance_occupancy", "cluster": "OccupancySensing", "attribute": "Occupancy", "value": 1 }, { "time_offset": 600, "device": "front_door_lock", "event": "LockOperation", "fields": { "LockOperationType": 0, "OperationSource": 3, "UserIndex": 5 }, "note": "完事后锁门离开" } ], "key_difference": "通过门锁合法进入(有效的临时 UserIndex),进出有完整的开锁+锁门记录" } } } }