whqxbs/llmiotsafe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e56494b4878c1bee6faffec99096938d97c59360
llmiotsafe/data/anomaly_templates/behavioral_anomaly_scenarios.json
whqxbs e56494b487 initial commit
2026-05-12 17:01:39 +08:00

482 lines
14 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"_meta": {
"category": "behavioral_anomaly",
"description": "行为模式异常类——不属于特定威胁类型,但偏离住户日常规律"
},
"scenarios": {
"BA-01": {
"name": "深夜异常多房间活动",
"applicable_layouts": [
"A",
"B",
"C",
"D"
],
"description": "凌晨2-5点出现多个房间连续活动不符合住户的任何正常行为模式",
"anomaly_events": [
{
"time": "02:30",
"device": "living_room_occupancy",
"attribute": "Occupancy",
"value": 1
},
{
"time": "02:32",
"device": "kitchen_occupancy",
"attribute": "Occupancy",
"value": 1
},
{
"time": "02:35",
"device": "living_room_light",
"attribute": "OnOff",
"value": true
},
{
"time": "02:37",
"device": "kitchen_light",
"attribute": "OnOff",
"value": true
},
{
"time": "02:40",
"device": "entrance_occupancy",
"attribute": "Occupancy",
"value": 1
},
{
"note": "卧室无活动——住户应该在睡觉"
}
],
"ground_truth": {
"is_anomaly": true,
"threat_type": "behavioral_anomaly",
"key_evidence": [
"凌晨2:30-2:40短时间内多房间连续活动",
"活动轨迹:客厅→厨房→玄关(像在搜索什么)",
"卧室全程无活动(住户在睡觉),这些活动不是住户产生的",
"注意区分:如果卧室先有活动再到其他房间,则可能是住户起夜"
],
"expected_response": "高优先级入侵警报",
"difficulty_score": 11,
"difficulty_level": 3,
"difficulty_label": "L3_composite_reasoning",
"difficulty_dimensions": {
"D1_evidence_count": 3,
"D2_signal_directness": 2,
"D3_cross_device": 3,
"D4_temporal_span": 1,
"D5_fp_similarity": 2
}
},
"false_positive_variant": {
"name": "BA-01-FP: 住户失眠在家走动",
"events": [
{
"time": "02:30",
"device": "bedroom_occupancy",
"value": 1,
"note": "先从卧室起来"
},
{
"time": "02:32",
"device": "living_room_occupancy",
"value": 1,
"note": "然后去客厅"
},
{
"time": "02:45",
"device": "kitchen_occupancy",
"value": 1,
"note": "去厨房喝水"
},
{
"time": "02:50",
"device": "bedroom_occupancy",
"value": 1,
"note": "回卧室"
}
],
"key_difference": "活动从卧室开始(住户起床),路径合理(卧室→客厅→厨房→卧室),最终回到卧室"
}
},
"BA-02": {
"name": "设备使用模式突变",
"applicable_layouts": [
"A",
"B",
"C",
"D"
],
"description": "在平时不使用某设备的时间段突然使用",
"anomaly_events": [
{
"note": "根据 daily_routines该住户从不在早上做饭只喝咖啡/吃面包)"
},
{
"time": "06:00",
"device": "kitchen_cook_surface",
"attribute": "OnOff",
"value": true,
"note": "凌晨6点灶具开启"
},
{
"time": "06:00",
"device": "kitchen_occupancy",
"attribute": "Occupancy",
"value": 1
}
],
"ground_truth": {
"is_anomaly": "low_confidence",
"threat_type": "behavioral_anomaly",
"key_evidence": [
"与已知行为模式不符",
"但单独看这个事件本身是正常的(有人在厨房开灶具)",
"需要更多上下文才能判断:是住户改变习惯了还是其他人在操作"
],
"expected_response": "记录异常但不报警,除非结合其他可疑信号",
"difficulty_score": 9,
"difficulty_level": 2,
"difficulty_label": "L2_reasoning_detection",
"difficulty_dimensions": {
"D1_evidence_count": 1,
"D2_signal_directness": 3,
"D3_cross_device": 1,
"D4_temporal_span": 1,
"D5_fp_similarity": 3
}
},
"false_positive_variant": {
"name": "BA-02-FP: 住户周末改变习惯早起做饭",
"events": [
{
"time_offset": 0,
"device": "bedroom_occupancy",
"cluster": "OccupancySensing",
"attribute": "Occupancy",
"value": 1,
"note": "住户起床"
},
{
"time_offset": 60,
"device": "kitchen_occupancy",
"cluster": "OccupancySensing",
"attribute": "Occupancy",
"value": 1
},
{
"time_offset": 90,
"device": "kitchen_cook_surface",
"cluster": "OnOff",
"attribute": "OnOff",
"value": true
},
{
"time_offset": 90,
"device": "kitchen_light",
"cluster": "OnOff",
"attribute": "OnOff",
"value": true
}
],
"key_difference": "住户先从卧室起床再去厨房(正常路径),虽然时间段不同寻常但行为模式是住户自己"
}
},
"BA-03": {
"name": "异常高频设备交互",
"applicable_layouts": [
"A",
"B",
"C",
"D"
],
"description": "短时间内大量灯光开关切换",
"anomaly_events": [
{
"time_offset": 0,
"device": "living_room_light",
"attribute": "OnOff",
"value": true
},
{
"time_offset": 3,
"device": "living_room_light",
"attribute": "OnOff",
"value": false
},
{
"time_offset": 5,
"device": "living_room_light",
"attribute": "OnOff",
"value": true
},
{
"time_offset": 8,
"device": "living_room_light",
"attribute": "OnOff",
"value": false
},
{
"time_offset": 10,
"device": "living_room_light",
"attribute": "OnOff",
"value": true
},
{
"time_offset": 12,
"device": "bedroom_light",
"attribute": "OnOff",
"value": true
},
{
"time_offset": 14,
"device": "bedroom_light",
"attribute": "OnOff",
"value": false
},
{
"note": "1分钟内7次灯光切换"
}
],
"ground_truth": {
"is_anomaly": true,
"threat_type": "behavioral_anomaly",
"key_evidence": [
"1分钟内多次灯光开关",
"可能原因:智能家居系统被入侵/远程控制;设备自动化规则冲突;或电路问题",
"也可能是恐慌信号(住户通过反复开关灯试图引起注意)"
],
"expected_response": "通知住户检查是否有人误操作或系统异常",
"difficulty_score": 10,
"difficulty_level": 2,
"difficulty_label": "L2_reasoning_detection",
"difficulty_dimensions": {
"D1_evidence_count": 3,
"D2_signal_directness": 2,
"D3_cross_device": 2,
"D4_temporal_span": 1,
"D5_fp_similarity": 2
}
},
"false_positive_variant": {
"name": "BA-03-FP: 小孩玩开关",
"applicable_profiles": [
"family_with_children"
],
"events": [
{
"time_offset": 0,
"device": "kids_room_occupancy",
"cluster": "OccupancySensing",
"attribute": "Occupancy",
"value": 1,
"note": "小孩在房间"
},
{
"time_offset": 2,
"device": "kids_room_light",
"cluster": "OnOff",
"attribute": "OnOff",
"value": true
},
{
"time_offset": 4,
"device": "kids_room_light",
"cluster": "OnOff",
"attribute": "OnOff",
"value": false
},
{
"time_offset": 6,
"device": "kids_room_light",
"cluster": "OnOff",
"attribute": "OnOff",
"value": true
},
{
"time_offset": 8,
"device": "kids_room_light",
"cluster": "OnOff",
"attribute": "OnOff",
"value": false
}
],
"key_difference": "只在儿童房一个房间内发生kids_room_occupancy=1有小孩在场"
}
},
"BA-04": {
"name": "不合理的房间移动序列",
"applicable_layouts": [
"B",
"C"
],
"description": "运动传感器显示的移动路径跳过了物理上必须经过的房间",
"anomaly_events": [
{
"time_offset": 0,
"device": "balcony_door_contact",
"attribute": "StateValue",
"value": false,
"note": "阳台门打开"
},
{
"time_offset": 3,
"device": "master_bedroom_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "主卧运动——但从阳台到主卧必须经过客厅"
},
{
"time_offset": 3,
"device": "living_room_occupancy",
"attribute": "Occupancy",
"value": 0,
"note": "客厅无运动"
}
],
"ground_truth": {
"is_anomaly": true,
"threat_type": "behavioral_anomaly",
"key_evidence": [
"从阳台到主卧在物理上必须经过客厅,但客厅无运动信号",
"可能原因:(1) 客厅运动传感器故障 (2) 有人故意躲避传感器 (3) 数据异常",
"不管哪种原因都值得调查"
],
"expected_response": "标记为异常事件,建议检查客厅传感器或确认是否有人",
"difficulty_score": 11,
"difficulty_level": 3,
"difficulty_label": "L3_composite_reasoning",
"difficulty_dimensions": {
"D1_evidence_count": 2,
"D2_signal_directness": 2,
"D3_cross_device": 3,
"D4_temporal_span": 1,
"D5_fp_similarity": 3
}
},
"false_positive_variant": {
"name": "BA-04-FP: 传感器触发延迟导致顺序看似跳跃",
"events": [
{
"time_offset": 0,
"device": "balcony_door_contact",
"cluster": "BooleanState",
"attribute": "StateValue",
"value": false,
"note": "阳台门打开"
},
{
"time_offset": 2,
"device": "living_room_occupancy",
"cluster": "OccupancySensing",
"attribute": "Occupancy",
"value": 1,
"note": "经过客厅"
},
{
"time_offset": 5,
"device": "master_bedroom_occupancy",
"cluster": "OccupancySensing",
"attribute": "Occupancy",
"value": 1,
"note": "到达主卧"
}
],
"key_difference": "客厅occupancy在阳台和主卧之间有触发2秒时移动路径合理"
}
},
"BA-05": {
"name": "假期/出差模式中出现活动",
"applicable_layouts": [
"A",
"B",
"C"
],
"preconditions": {
"home_state": "住户已出远门(连续多天无活动+门锁有出门记录)"
},
"anomaly_events": [
{
"day": "Day1",
"note": "住户出门此后连续3天全屋无活动"
},
{
"day": "Day4 14:00",
"device": "living_room_occupancy",
"attribute": "Occupancy",
"value": 1,
"note": "第4天下午客厅出现运动"
},
{
"day": "Day4 14:00",
"note": "但无 LockOperation 解锁事件——不是从正门进来的"
}
],
"ground_truth": {
"is_anomaly": true,
"threat_type": "intrusion",
"key_evidence": [
"住户已知不在家(连续多天无活动模式)",
"突然出现活动信号",
"无门锁操作记录——不是通过正门合法进入",
"极高可能性是入侵"
],
"expected_response": "紧急入侵警报",
"difficulty_score": 11,
"difficulty_level": 3,
"difficulty_label": "L3_composite_reasoning",
"difficulty_dimensions": {
"D1_evidence_count": 2,
"D2_signal_directness": 2,
"D3_cross_device": 2,
"D4_temporal_span": 3,
"D5_fp_similarity": 2
}
},
"false_positive_variant": {
"name": "BA-05-FP: 邻居/亲友代为浇花/喂宠物",
"events": [
{
"time_offset": 0,
"device": "front_door_lock",
"event": "LockOperation",
"fields": {
"LockOperationType": 1,
"OperationSource": 3,
"UserIndex": 5
},
"note": "临时用户密码解锁"
},
{
"time_offset": 3,
"device": "front_door_contact",
"cluster": "BooleanState",
"attribute": "StateValue",
"value": false,
"note": "开门"
},
{
"time_offset": 5,
"device": "entrance_occupancy",
"cluster": "OccupancySensing",
"attribute": "Occupancy",
"value": 1
},
{
"time_offset": 600,
"device": "front_door_lock",
"event": "LockOperation",
"fields": {
"LockOperationType": 0,
"OperationSource": 3,
"UserIndex": 5
},
"note": "完事后锁门离开"
}
],
"key_difference": "通过门锁合法进入(有效的临时 UserIndex进出有完整的开锁+锁门记录"
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink