{ "_meta": { "category": "intrusion", "description": "入侵类异常场景的设备事件序列模板" }, "scenarios": { "INS-01": { "name": "窗户入侵(夜间破窗)", "applicable_layouts": [ "A", "B", "C", "D" ], "preconditions": { "time_range": "00:00-05:00", "home_state": "全员睡眠,门锁已锁,窗帘已关", "occupancy": "bedroom: occupied (sleeping); other rooms: unoccupied" }, "anomaly_events": [ { "time_offset": 0, "device": "{target_room}_window_contact", "attribute": "StateValue", "value": false, "note": "窗户被打开(从外部)" }, { "time_offset": 5, "device": "{target_room}_occupancy", "attribute": "Occupancy", "value": 1, "note": "入侵者进入房间" }, { "time_offset": 30, "device": "{adjacent_room}_occupancy", "attribute": "Occupancy", "value": 1, "note": "入侵者移动到相邻房间" }, { "time_offset": 45, "device": "{adjacent_room}_light", "attribute": "OnOff", "value": true, "note": "入侵者可能开灯/碰到开关(可选事件)", "optional": true } ], "ground_truth": { "is_anomaly": true, "threat_type": "intrusion", "key_evidence": [ "深夜窗户传感器从 Closed 变 Open", "随后该房间运动传感器触发,但住户在卧室睡觉", "运动信号沿非住户房间传播" ], "expected_response": "触发入侵警报,通知住户,记录事件", "difficulty_score": 9, "difficulty_level": 2, "difficulty_label": "L2_reasoning_detection", "difficulty_dimensions": { "D1_evidence_count": 2, "D2_signal_directness": 2, "D3_cross_device": 2, "D4_temporal_span": 1, "D5_fp_similarity": 2 } }, "false_positive_variant": { "name": "INS-01-FP: 住户夜间开窗通风", "description": "夏天太热,住户半夜起来开窗透气", "events": [ { "time_offset": 0, "device": "bedroom_occupancy", "attribute": "Occupancy", "value": 1, "note": "住户起床" }, { "time_offset": 3, "device": "bedroom_light", "attribute": "OnOff", "value": true, "note": "开灯" }, { "time_offset": 10, "device": "bedroom_window_contact", "attribute": "StateValue", "value": false, "note": "开窗" }, { "time_offset": 15, "device": "bedroom_light", "attribute": "OnOff", "value": false }, { "time_offset": 20, "device": "bedroom_occupancy", "attribute": "Occupancy", "value": 0, "note": "回去睡觉" } ], "key_difference": "开窗前住户先在同一房间活动并开灯,是主动行为" } }, "INS-02": { "name": "门锁暴力破解", 
"applicable_layouts": [ "A", "B", "C", "D" ], "preconditions": { "time_range": "any", "home_state": "门锁已锁定", "occupancy": "住户可能在家也可能不在" }, "anomaly_events": [ { "time_offset": 0, "device": "front_door_lock", "event": "LockOperationError", "fields": { "OperationError": 1, "OperationSource": 3 }, "note": "Keypad输入错误密码 (InvalidCredential)" }, { "time_offset": 15, "device": "front_door_lock", "event": "LockOperationError", "fields": { "OperationError": 1, "OperationSource": 3 }, "note": "第2次错误" }, { "time_offset": 25, "device": "front_door_lock", "event": "LockOperationError", "fields": { "OperationError": 1, "OperationSource": 3 }, "note": "第3次错误" }, { "time_offset": 40, "device": "front_door_lock", "event": "LockOperationError", "fields": { "OperationError": 1, "OperationSource": 3 }, "note": "第4次错误" }, { "time_offset": 50, "device": "front_door_lock", "event": "DoorLockAlarm", "fields": { "AlarmCode": 3 }, "note": "WrongCodeEntryLimit触发(待核对:若按 Matter DoorLock 的 AlarmCodeEnum,WrongCodeEntryLimit 为 4,3 为 LockRadioPowerCycled)" } ], "ground_truth": { "is_anomaly": true, "threat_type": "intrusion", "key_evidence": [ "短时间内多次 LockOperationError (InvalidCredential)", "DoorLockAlarm (WrongCodeEntryLimit) 触发", "操作来源为 Keypad 而非 Remote/Auto" ], "expected_response": "触发安全警报,临时禁用 Keypad 输入,通知住户", "difficulty_score": 8, "difficulty_level": 2, "difficulty_label": "L2_reasoning_detection", "difficulty_dimensions": { "D1_evidence_count": 3, "D2_signal_directness": 1, "D3_cross_device": 1, "D4_temporal_span": 1, "D5_fp_similarity": 2 } }, "false_positive_variant": { "name": "INS-02-FP: 住户忘记密码/手指脏", "description": "住户回家输错一两次密码后成功解锁", "events": [ { "time_offset": 0, "device": "front_door_lock", "event": "LockOperationError", "fields": { "OperationError": 1, "OperationSource": 3 } }, { "time_offset": 20, "device": "front_door_lock", "event": "LockOperation", "fields": { "LockOperationType": 1, "OperationSource": 3, "UserIndex": 1 }, "note": "成功解锁,是已知用户" }, { "time_offset": 22, "device": "front_door_contact", "attribute": "StateValue", "value": false }, { "time_offset": 25, 
"device": "entrance_occupancy", "attribute": "Occupancy", "value": 1 } ], "key_difference": "只有1-2次错误(非连续多次),最终成功解锁且 UserIndex 是合法用户" } }, "INS-03": { "name": "尾随入室", "applicable_layouts": [ "B", "C" ], "applicable_profiles": [ "young_professional", "family_with_children" ], "preconditions": { "time_range": "17:00-20:00", "home_state": "住户刚回家开门", "occupancy": "住户正在进门" }, "anomaly_events": [ { "time_offset": 0, "device": "front_door_lock", "event": "LockOperation", "fields": { "LockOperationType": 1, "OperationSource": 3, "UserIndex": 1 }, "note": "住户正常解锁" }, { "time_offset": 2, "device": "front_door_contact", "attribute": "StateValue", "value": false, "note": "开门" }, { "time_offset": 4, "device": "entrance_occupancy", "attribute": "Occupancy", "value": 1, "note": "住户进入" }, { "time_offset": 8, "device": "front_door_contact", "attribute": "StateValue", "value": true, "note": "关门" }, { "time_offset": 10, "device": "living_room_occupancy", "attribute": "Occupancy", "value": 1, "note": "住户去客厅" }, { "time_offset": 12, "device": "entrance_occupancy", "attribute": "Occupancy", "value": 1, "note": "玄关再次检测到运动(尾随者)" }, { "time_offset": 15, "device": "second_bedroom_occupancy", "attribute": "Occupancy", "value": 1, "note": "尾随者去了次卧(住户不在的房间)" }, { "time_offset": 15, "device": "living_room_occupancy", "attribute": "Occupancy", "value": 1, "note": "住户仍在客厅" } ], "ground_truth": { "is_anomaly": true, "threat_type": "tailgating", "key_evidence": [ "门关闭后玄关再次检测到运动", "同时有两个不相邻房间的运动信号(住户在客厅,另一人在次卧)", "住户是独居的情况下不应有第二个人" ], "expected_response": "疑似尾随入侵警报,建议住户确认是否有同行人", "difficulty_score": 12, "difficulty_level": 3, "difficulty_label": "L3_composite_reasoning", "difficulty_dimensions": { "D1_evidence_count": 3, "D2_signal_directness": 2, "D3_cross_device": 3, "D4_temporal_span": 1, "D5_fp_similarity": 3 } }, "false_positive_variant": { "name": "INS-03-FP: 家庭成员先后到家", "description": "夫妻两人间隔几分钟到家", "events": [ { "time_offset": 0, "device": "front_door_lock", "event": "LockOperation", 
"fields": { "LockOperationType": 1, "OperationSource": 3, "UserIndex": 1 } }, { "time_offset": 300, "device": "front_door_lock", "event": "LockOperation", "fields": { "LockOperationType": 1, "OperationSource": 3, "UserIndex": 2 }, "note": "第二个已知用户几分钟后解锁" } ], "key_difference": "第二人通过合法凭证解锁(不同UserIndex),且有合理时间间隔" } }, "INS-04": { "name": "白天撬窗入室", "applicable_layouts": [ "A", "B", "C" ], "preconditions": { "time_range": "09:00-16:00", "home_state": "全员外出,门锁已锁", "occupancy": "全屋 unoccupied" }, "anomaly_events": [ { "time_offset": 0, "device": "{target_room}_window_contact", "attribute": "StateValue", "value": false, "note": "窗户被打开" }, { "time_offset": 8, "device": "{target_room}_occupancy", "attribute": "Occupancy", "value": 1, "note": "有人进入" }, { "time_offset": 60, "device": "living_room_occupancy", "attribute": "Occupancy", "value": 1, "note": "移动到客厅" }, { "time_offset": 120, "device": "master_bedroom_occupancy", "attribute": "Occupancy", "value": 1, "note": "移动到主卧" }, { "time_offset": 180, "device": "{target_room}_window_contact", "attribute": "StateValue", "value": true, "note": "从窗户离开" }, { "time_offset": 185, "device": "{target_room}_occupancy", "attribute": "Occupancy", "value": 0 } ], "ground_truth": { "is_anomaly": true, "threat_type": "intrusion", "key_evidence": [ "住户外出期间(门锁显示已锁+无人在家)窗户被打开", "随后出现多房间运动信号", "入侵者未使用门锁(无 LockOperation 事件)" ], "expected_response": "触发入侵警报,通知住户,建议报警", "difficulty_score": 11, "difficulty_level": 3, "difficulty_label": "L3_composite_reasoning", "difficulty_dimensions": { "D1_evidence_count": 2, "D2_signal_directness": 2, "D3_cross_device": 3, "D4_temporal_span": 2, "D5_fp_similarity": 2 } }, "false_positive_variant": { "name": "INS-04-FP: 清洁工/保姆上门", "description": "有预约的清洁人员使用临时密码进入", "events": [ { "time_offset": 0, "device": "front_door_lock", "event": "LockOperation", "fields": { "LockOperationType": 1, "OperationSource": 3, "UserIndex": 5 }, "note": "临时用户解锁" }, { "time_offset": 5, "device": "entrance_occupancy", "attribute": 
"Occupancy", "value": 1 }, { "time_offset": 30, "device": "living_room_occupancy", "attribute": "Occupancy", "value": 1 }, { "time_offset": 60, "device": "living_room_light", "attribute": "OnOff", "value": true } ], "key_difference": "通过门锁合法进入(有 LockOperation 事件+有效 UserIndex),不是通过窗户" } }, "INS-05": { "name": "伪装开锁(被盗/复制凭证)", "applicable_layouts": [ "A", "B", "C", "D" ], "preconditions": { "time_range": "any", "home_state": "住户外出", "occupancy": "全屋 unoccupied" }, "anomaly_events": [ { "time_offset": 0, "device": "front_door_lock", "event": "LockOperation", "fields": { "LockOperationType": 1, "OperationSource": 8, "UserIndex": 1 }, "note": "用住户的RFID凭证解锁,但住户不在家" }, { "time_offset": 3, "device": "front_door_contact", "attribute": "StateValue", "value": false }, { "time_offset": 5, "device": "entrance_occupancy", "attribute": "Occupancy", "value": 1 }, { "time_offset": 20, "device": "living_room_occupancy", "attribute": "Occupancy", "value": 1 }, { "time_offset": 25, "device": "living_room_light", "attribute": "OnOff", "value": false, "note": "不开灯,行为不像住户" } ], "ground_truth": { "is_anomaly": true, "threat_type": "credential_theft", "key_evidence": [ "合法凭证开锁,但进入后的行为模式与住户不符", "不开灯(住户通常到家后开灯)", "进入后的移动路径和设备操作模式与住户日常习惯不一致", "本场景的难点:单看门锁事件是合法的,需要结合行为模式判断" ], "expected_response": "中等可信度警报,建议住户确认是否本人操作", "difficulty_score": 13, "difficulty_level": 3, "difficulty_label": "L3_composite_reasoning", "difficulty_dimensions": { "D1_evidence_count": 2, "D2_signal_directness": 3, "D3_cross_device": 3, "D4_temporal_span": 2, "D5_fp_similarity": 3 } }, "false_positive_variant": { "name": "INS-05-FP: 住户换了新手机/手表解锁", "description": "住户用新的RFID设备解锁,行为模式略有不同(比如先去换鞋没开灯)", "events": [ { "time_offset": 0, "device": "front_door_lock", "event": "LockOperation", "fields": { "LockOperationType": 1, "OperationSource": 8, "UserIndex": 1 }, "note": "合法用户用新RFID解锁" }, { "time_offset": 3, "device": "front_door_contact", "cluster": "BooleanState", "attribute": "StateValue", "value": false }, { 
"time_offset": 5, "device": "entrance_occupancy", "cluster": "OccupancySensing", "attribute": "Occupancy", "value": 1 }, { "time_offset": 30, "device": "entrance_light", "cluster": "OnOff", "attribute": "OnOff", "value": true, "note": "稍晚一点开灯(在换鞋)" }, { "time_offset": 60, "device": "living_room_occupancy", "cluster": "OccupancySensing", "attribute": "Occupancy", "value": 1 }, { "time_offset": 65, "device": "living_room_light_1", "cluster": "OnOff", "attribute": "OnOff", "value": true, "note": "正常开灯" } ], "key_difference": "虽然用了不常用的RFID方式解锁,但进门后最终开灯、正常活动,行为模式与住户一致" } } } }