whqxbs/llmiotsafe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
llmiotsafe/data/anomaly_templates/intrusion_scenarios.json
whqxbs e56494b487 initial commit
2026-05-12 17:01:39 +08:00

604 lines
18 KiB
JSON
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"_meta": {
"category": "intrusion",
"description": "入侵类异常场景的设备事件序列模板"
},
"scenarios": {
"INS-01": {
"name": "窗户入侵(夜间破窗)",
"applicable_layouts": [
"A",
"B",
"C",
"D"
],
"preconditions": {
"time_range": "00:00-05:00",
"home_state": "全员睡眠,门锁已锁,窗帘已关",
"occupancy": "bedroom: occupied (sleeping); other rooms: unoccupied"
},
"anomaly_events": [
{
"time_offset": 0,
"device": "{target_room}_window_contact",
"attribute": "StateValue",
"value": false,
"note": "窗户被打开(从外部)"
},
{
"time_offset": 5,
"device": "{target_room}_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "入侵者进入房间"
},
{
"time_offset": 30,
"device": "{adjacent_room}_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "入侵者移动到相邻房间"
},
{
"time_offset": 45,
"device": "{adjacent_room}_light",
"attribute": "OnOff",
"value": true,
"note": "入侵者可能开灯/碰到开关(可选事件)",
"optional": true
}
],
"ground_truth": {
"is_anomaly": true,
"threat_type": "intrusion",
"key_evidence": [
"深夜窗户传感器从 Closed 变 Open",
"随后该房间运动传感器触发,但住户在卧室睡觉",
"运动信号沿非住户房间传播"
],
"expected_response": "触发入侵警报,通知住户,记录事件",
"difficulty_score": 9,
"difficulty_level": 2,
"difficulty_label": "L2_reasoning_detection",
"difficulty_dimensions": {
"D1_evidence_count": 2,
"D2_signal_directness": 2,
"D3_cross_device": 2,
"D4_temporal_span": 1,
"D5_fp_similarity": 2
}
},
"false_positive_variant": {
"name": "INS-01-FP: 住户夜间开窗通风",
"description": "夏天太热,住户半夜起来开窗透气",
"events": [
{
"time_offset": 0,
"device": "bedroom_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "住户起床"
},
{
"time_offset": 3,
"device": "bedroom_light",
"attribute": "OnOff",
"value": true,
"note": "开灯"
},
{
"time_offset": 10,
"device": "bedroom_window_contact",
"attribute": "StateValue",
"value": false,
"note": "开窗"
},
{
"time_offset": 15,
"device": "bedroom_light",
"attribute": "OnOff",
"value": false
},
{
"time_offset": 20,
"device": "bedroom_occupancy",
"attribute": "Occupancy",
"value": 0,
"note": "回去睡觉"
}
],
"key_difference": "开窗前住户先在同一房间活动并开灯,是主动行为"
}
},
"INS-02": {
"name": "门锁暴力破解",
"applicable_layouts": [
"A",
"B",
"C",
"D"
],
"preconditions": {
"time_range": "any",
"home_state": "门锁已锁定",
"occupancy": "住户可能在家也可能不在"
},
"anomaly_events": [
{
"time_offset": 0,
"device": "front_door_lock",
"event": "LockOperationError",
"fields": {
"OperationError": 1,
"OperationSource": 3
},
"note": "Keypad输入错误密码 (InvalidCredential)"
},
{
"time_offset": 15,
"device": "front_door_lock",
"event": "LockOperationError",
"fields": {
"OperationError": 1,
"OperationSource": 3
},
"note": "第2次错误"
},
{
"time_offset": 25,
"device": "front_door_lock",
"event": "LockOperationError",
"fields": {
"OperationError": 1,
"OperationSource": 3
},
"note": "第3次错误"
},
{
"time_offset": 40,
"device": "front_door_lock",
"event": "LockOperationError",
"fields": {
"OperationError": 1,
"OperationSource": 3
},
"note": "第4次错误"
},
{
"time_offset": 50,
"device": "front_door_lock",
"event": "DoorLockAlarm",
"fields": {
"AlarmCode": 3
},
"note": "WrongCodeEntryLimit触发"
}
],
"ground_truth": {
"is_anomaly": true,
"threat_type": "intrusion",
"key_evidence": [
"短时间内多次 LockOperationError (InvalidCredential)",
"DoorLockAlarm (WrongCodeEntryLimit) 触发",
"操作来源为 Keypad 而非 Remote/Auto"
],
"expected_response": "触发安全警报,临时禁用 Keypad 输入,通知住户",
"difficulty_score": 8,
"difficulty_level": 2,
"difficulty_label": "L2_reasoning_detection",
"difficulty_dimensions": {
"D1_evidence_count": 3,
"D2_signal_directness": 1,
"D3_cross_device": 1,
"D4_temporal_span": 1,
"D5_fp_similarity": 2
}
},
"false_positive_variant": {
"name": "INS-02-FP: 住户忘记密码/手指脏",
"description": "住户回家输错一两次密码后成功解锁",
"events": [
{
"time_offset": 0,
"device": "front_door_lock",
"event": "LockOperationError",
"fields": {
"OperationError": 1,
"OperationSource": 3
}
},
{
"time_offset": 20,
"device": "front_door_lock",
"event": "LockOperation",
"fields": {
"LockOperationType": 1,
"OperationSource": 3,
"UserIndex": 1
},
"note": "成功解锁,是已知用户"
},
{
"time_offset": 22,
"device": "front_door_contact",
"attribute": "StateValue",
"value": false
},
{
"time_offset": 25,
"device": "entrance_occupancy",
"attribute": "Occupancy",
"value": 1
}
],
"key_difference": "只有1-2次错误非连续多次最终成功解锁且 UserIndex 是合法用户"
}
},
"INS-03": {
"name": "尾随入室",
"applicable_layouts": [
"B",
"C"
],
"applicable_profiles": [
"young_professional",
"family_with_children"
],
"preconditions": {
"time_range": "17:00-20:00",
"home_state": "住户刚回家开门",
"occupancy": "住户正在进门"
},
"anomaly_events": [
{
"time_offset": 0,
"device": "front_door_lock",
"event": "LockOperation",
"fields": {
"LockOperationType": 1,
"OperationSource": 3,
"UserIndex": 1
},
"note": "住户正常解锁"
},
{
"time_offset": 2,
"device": "front_door_contact",
"attribute": "StateValue",
"value": false,
"note": "开门"
},
{
"time_offset": 4,
"device": "entrance_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "住户进入"
},
{
"time_offset": 8,
"device": "front_door_contact",
"attribute": "StateValue",
"value": true,
"note": "关门"
},
{
"time_offset": 10,
"device": "living_room_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "住户去客厅"
},
{
"time_offset": 12,
"device": "entrance_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "玄关再次检测到运动(尾随者)"
},
{
"time_offset": 15,
"device": "second_bedroom_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "尾随者去了次卧(住户不在的房间)"
},
{
"time_offset": 15,
"device": "living_room_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "住户仍在客厅"
}
],
"ground_truth": {
"is_anomaly": true,
"threat_type": "tailgating",
"key_evidence": [
"门关闭后玄关再次检测到运动",
"同时有两个不相邻房间的运动信号(住户在客厅,另一人在次卧)",
"住户是独居的情况下不应有第二个人"
],
"expected_response": "疑似尾随入侵警报,建议住户确认是否有同行人",
"difficulty_score": 12,
"difficulty_level": 3,
"difficulty_label": "L3_composite_reasoning",
"difficulty_dimensions": {
"D1_evidence_count": 3,
"D2_signal_directness": 2,
"D3_cross_device": 3,
"D4_temporal_span": 1,
"D5_fp_similarity": 3
}
},
"false_positive_variant": {
"name": "INS-03-FP: 家庭成员先后到家",
"description": "夫妻两人间隔几分钟到家",
"events": [
{
"time_offset": 0,
"device": "front_door_lock",
"event": "LockOperation",
"fields": {
"LockOperationType": 1,
"OperationSource": 3,
"UserIndex": 1
}
},
{
"time_offset": 300,
"device": "front_door_lock",
"event": "LockOperation",
"fields": {
"LockOperationType": 1,
"OperationSource": 3,
"UserIndex": 2
},
"note": "第二个已知用户几分钟后解锁"
}
],
"key_difference": "第二人通过合法凭证解锁不同UserIndex且有合理时间间隔"
}
},
"INS-04": {
"name": "白天撬窗入室",
"applicable_layouts": [
"A",
"B",
"C"
],
"preconditions": {
"time_range": "09:00-16:00",
"home_state": "全员外出,门锁已锁",
"occupancy": "全屋 unoccupied"
},
"anomaly_events": [
{
"time_offset": 0,
"device": "{target_room}_window_contact",
"attribute": "StateValue",
"value": false,
"note": "窗户被打开"
},
{
"time_offset": 8,
"device": "{target_room}_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "有人进入"
},
{
"time_offset": 60,
"device": "living_room_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "移动到客厅"
},
{
"time_offset": 120,
"device": "master_bedroom_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "移动到主卧"
},
{
"time_offset": 180,
"device": "{target_room}_window_contact",
"attribute": "StateValue",
"value": true,
"note": "从窗户离开"
},
{
"time_offset": 185,
"device": "{target_room}_occupancy",
"attribute": "Occupancy",
"value": 0
}
],
"ground_truth": {
"is_anomaly": true,
"threat_type": "intrusion",
"key_evidence": [
"住户外出期间(门锁显示已锁+无人在家)窗户被打开",
"随后出现多房间运动信号",
"入侵者未使用门锁(无 LockOperation 事件)"
],
"expected_response": "触发入侵警报,通知住户,建议报警",
"difficulty_score": 11,
"difficulty_level": 3,
"difficulty_label": "L3_composite_reasoning",
"difficulty_dimensions": {
"D1_evidence_count": 2,
"D2_signal_directness": 2,
"D3_cross_device": 3,
"D4_temporal_span": 2,
"D5_fp_similarity": 2
}
},
"false_positive_variant": {
"name": "INS-04-FP: 清洁工/保姆上门",
"description": "有预约的清洁人员使用临时密码进入",
"events": [
{
"time_offset": 0,
"device": "front_door_lock",
"event": "LockOperation",
"fields": {
"LockOperationType": 1,
"OperationSource": 3,
"UserIndex": 5
},
"note": "临时用户解锁"
},
{
"time_offset": 5,
"device": "entrance_occupancy",
"attribute": "Occupancy",
"value": 1
},
{
"time_offset": 30,
"device": "living_room_occupancy",
"attribute": "Occupancy",
"value": 1
},
{
"time_offset": 60,
"device": "living_room_light",
"attribute": "OnOff",
"value": true
}
],
"key_difference": "通过门锁合法进入(有 LockOperation 事件+有效 UserIndex不是通过窗户"
}
},
"INS-05": {
"name": "伪装开锁(被盗/复制凭证)",
"applicable_layouts": [
"A",
"B",
"C",
"D"
],
"preconditions": {
"time_range": "any",
"home_state": "住户外出",
"occupancy": "全屋 unoccupied"
},
"anomaly_events": [
{
"time_offset": 0,
"device": "front_door_lock",
"event": "LockOperation",
"fields": {
"LockOperationType": 1,
"OperationSource": 8,
"UserIndex": 1
},
"note": "用住户的RFID凭证解锁但住户不在家"
},
{
"time_offset": 3,
"device": "front_door_contact",
"attribute": "StateValue",
"value": false
},
{
"time_offset": 5,
"device": "entrance_occupancy",
"attribute": "Occupancy",
"value": 1
},
{
"time_offset": 20,
"device": "living_room_occupancy",
"attribute": "Occupancy",
"value": 1
},
{
"time_offset": 25,
"device": "living_room_light",
"attribute": "OnOff",
"value": false,
"note": "不开灯,行为不像住户"
}
],
"ground_truth": {
"is_anomaly": true,
"threat_type": "credential_theft",
"key_evidence": [
"合法凭证开锁,但进入后的行为模式与住户不符",
"不开灯(住户通常到家后开灯)",
"进入后的移动路径和设备操作模式与住户日常习惯不一致",
"本场景的难点:单看门锁事件是合法的,需要结合行为模式判断"
],
"expected_response": "中等可信度警报,建议住户确认是否本人操作",
"difficulty_score": 13,
"difficulty_level": 3,
"difficulty_label": "L3_composite_reasoning",
"difficulty_dimensions": {
"D1_evidence_count": 2,
"D2_signal_directness": 3,
"D3_cross_device": 3,
"D4_temporal_span": 2,
"D5_fp_similarity": 3
}
},
"false_positive_variant": {
"name": "INS-05-FP: 住户换了新手机/手表解锁",
"description": "住户用新的RFID设备解锁行为模式略有不同比如先去换鞋没开灯",
"events": [
{
"time_offset": 0,
"device": "front_door_lock",
"event": "LockOperation",
"fields": {
"LockOperationType": 1,
"OperationSource": 8,
"UserIndex": 1
},
"note": "合法用户用新RFID解锁"
},
{
"time_offset": 3,
"device": "front_door_contact",
"cluster": "BooleanState",
"attribute": "StateValue",
"value": false
},
{
"time_offset": 5,
"device": "entrance_occupancy",
"cluster": "OccupancySensing",
"attribute": "Occupancy",
"value": 1
},
{
"time_offset": 30,
"device": "entrance_light",
"cluster": "OnOff",
"attribute": "OnOff",
"value": true,
"note": "稍晚一点开灯(在换鞋)"
},
{
"time_offset": 60,
"device": "living_room_occupancy",
"cluster": "OccupancySensing",
"attribute": "Occupancy",
"value": 1
},
{
"time_offset": 65,
"device": "living_room_light_1",
"cluster": "OnOff",
"attribute": "OnOff",
"value": true,
"note": "正常开灯"
}
],
"key_difference": "虽然用了不常用的RFID方式解锁但进门后最终开灯、正常活动行为模式与住户一致"
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink