A security patrol event-based multi-dimensional association retrieval and visual review analysis method, system, device and medium
By constructing a data index using graph databases and natural language processing, and combining it with visualization interaction and a rule engine, the problem of semantic association of events in security patrol incidents was solved, enabling efficient and accurate security incident analysis and automated discovery of suspicious clues.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SUZHOU BAIZHENG INFORMATION TECH
- Filing Date
- 2026-03-12
- Publication Date
- 2026-06-19
Description
Technical Field
[0001] This application relates to the field of security correlation analysis technology, and in particular to a method, system, device and medium for multi-dimensional correlation retrieval and visualization review analysis based on security patrol events.
Background Technology
[0002] Currently, in the post-incident review phase of security incidents, inspectors often need to manually sift through massive amounts of video footage and scattered alarm logs to piece together relevant information. This process is not only time-consuming and labor-intensive, but also makes it extremely difficult to fully and accurately reconstruct the temporal and spatial trajectory of the incident, resulting in a lack of clear presentation of the causal relationships and dynamic evolution of the entire incident chain.
[0003] Existing patents disclose a knowledge graph-based intelligent retrieval method for urban planning results and major events. By integrating spatiotemporal big data and multimodal urban information construction platforms, and building an urban spatiotemporal knowledge graph, it achieves precise correlation between various urban entities and major events. Utilizing multi-dimensional analysis and visualization tools, it outputs results and constructs a historical planning and design results query system and a major event intelligent retrieval system. Compared to traditional methods, the above-mentioned invention provides more comprehensive and accurate reference information in urban planning and development, offering strong support for smart city construction.
[0004] The existing technical solutions mentioned above have the following drawbacks: 1. Existing systems have a single retrieval method (such as by time or by channel) and lack intelligent association and visualization based on event semantics (such as "the whole process of a person going from gate A to area B").
Summary of the Invention
[0005] To address the shortcomings of existing technologies, the purpose of this application is to provide a method, system, device, and medium for multi-dimensional correlation retrieval and visual review analysis of security patrol events. By constructing a data index through graph databases and natural language processing, integrating event context through spatiotemporal sequence analysis, and utilizing visual interaction and rule engines, it achieves automated mining and report generation from multi-source data to suspicious clues, significantly improving the efficiency and accuracy of security event analysis.
[0006] This was achieved using the following technical solutions: Firstly, this application provides a method for multi-dimensional correlation retrieval and visual retrospective analysis based on security patrol events, including: Collect and clean multi-dimensional security data, extract key entity data, and build a joint index; Capture and transform user interaction operations, generate search query statements, and filter target data records based on composite index combinations; Aggregate target data records based on time series, generate event timeline sequences, and mark the target spatial locations; Dynamically interactive and visualized event timeline sequences, target spatial locations, and event detail tables form an event spatiotemporal sandbox; Based on the anomaly screening rules, key suspicious clues in the event spatiotemporal sandbox are retrieved and identified, and a graphic and text clue report is generated.
[0007] By adopting the above technical solution, multidimensional security data is collected and cleaned through data extraction, transformation, and loading processes and graph database technology. Key entities are extracted and a joint index is constructed. Natural language processing is used to convert user interactions into query statements, and target data is efficiently retrieved based on the index. Subsequently, time series aggregation algorithms are used to generate event timelines and associate spatial locations. Spatiotemporal fusion visualization technology is used to dynamically present the event spatiotemporal sandbox and details table. Finally, key suspicious clues in the sandbox are automatically identified based on anomaly detection rules, and a structured graphic clue report is generated, thereby significantly improving the efficiency of the entire chain of event correlation analysis and assisting in quickly locating clues and reconstructing the facts.
[0008] This application further includes: collecting and cleaning multi-dimensional security data, extracting key entity data, and constructing a joint index, including: Based on the data source, multi-dimensional data is collected from the security monitoring area to obtain multi-dimensional raw data; The multidimensional raw data is encapsulated according to a preset data format to obtain a security triplet. The security triplet is filtered for noise reduction, time-series alignment, and spatial mapping to generate multidimensional security data. Based on the data dimensions, entity extraction is performed on the multidimensional security data to obtain key entity data; Missing value cleaning and context association are performed on key entity data to obtain hierarchical derived entity data; Based on query frequency and entity tags, hierarchical derived entity data are combined to construct a hierarchical entity graph and extract the combined index.
[0009] By adopting the above technical solution, based on ETL and graph computing technologies, security monitoring data is collected from multiple sources and encapsulated into security triples. After preprocessing such as filtering, noise reduction, and spatiotemporal alignment, key entities are extracted using entity recognition algorithms. Then, hierarchical derived entities are constructed through context association and missing value filling. Finally, by combining query frequency and entity labels, a hierarchical entity graph is constructed using a graph database and a joint index is generated. This achieves efficient data organization and rapid association query, significantly improving the retrieval efficiency and association analysis capabilities of security data.
[0010] This application is further configured to: capture and transform user interaction operations, generate retrieval query statements, and filter target data records based on composite index combinations, including: Capture and encapsulate user interaction operations to generate search query statements; Based on the generated search query statement, the field names are validated, mapped, and converted to obtain a valid search statement; The target entity resource is obtained by matching and filtering valid search statements based on the composite index; Based on timestamps and logical priorities, target entity resources are sorted and combined to obtain target data records.
[0011] By adopting the above technical solution, user interaction behavior is dynamically transformed into retrieval queries based on natural language processing and intent recognition technology. The query optimization algorithm verifies, maps, and encodes the statements to generate standardized query instructions. Relying on a pre-built composite index, index matching and graph traversal algorithms are used to efficiently filter target entity resources. Based on timestamps and logical priorities, multi-dimensional sorting and combination are performed to finally output structured target data records, thereby significantly improving the response speed and accuracy of interactive retrieval and realizing efficient and intelligent mapping from user intent to data results.
[0012] This application is further configured to: aggregate target data records based on time series data, generate an event timeline sequence, and mark the target spatial location, including: The target data records are unified by time zone and sorted in ascending order. The number of data records is counted to form a time series array. If the number of data records exceeds the preset data limit, the event time distribution density is extracted, and the current time series array is aggregated into an event record cluster. The event record clusters are traversed and sorted to generate timeline event objects, and the event timeline sequences are mapped and extracted. Based on the event timeline sequence, coordinate mapping is performed on the event objects in the timeline to mark the target spatial location.
[0013] By adopting the above technical solution, the target data records are unified and sorted by time series analysis method. When the data volume exceeds the limit, density clustering algorithm (such as DBSCAN) is used to aggregate and generate event record clusters based on the event distribution density. By traversing and sorting, a coherent timeline event object is constructed and extracted as a sequence. Then, the spatial location corresponding to the event is marked by geographic coordinate mapping technology. This realizes the automated and structured spatiotemporal integration of massive event records, significantly improves the accuracy and efficiency of event context reconstruction, and enhances the intuitiveness and completeness of spatiotemporal correlation analysis.
[0014] This application further includes: mapping the timeline event objects to coordinates based on the event timeline sequence, and marking the target spatial location, including: A geographic information table is constructed based on the spatial layout of the security monitoring area and location information tags; Location identifiers are collected from the geographic information tables to obtain a coordinate location mapping dictionary; Based on the location identifier and the coordinate location mapping dictionary, the target fields of the timeline event objects are merged to generate spatially enhanced event objects; The spatially enhanced event objects are traversed according to the event type, and map markers are created. The target spatial location is determined by associating map markers with event timeline sequences based on event identifiers.
[0015] By adopting the above technical solution, based on spatial data modeling and geocoding technology, a geographic information table is constructed by integrating security area layout and location tags and generating a coordinate mapping dictionary. Then, timeline event objects and spatial fields are associated and merged into spatially enhanced event objects. Map markers are automatically created and associated according to event types, and finally, accurate mapping between event timelines and geographic coordinates is achieved, thereby significantly improving the accuracy and intuitiveness of event spatiotemporal positioning and supporting rapid and visualized full-link security situation analysis and decision-making.
[0016] This application further includes: a dynamic interactive and visualized event timeline sequence, target spatial location, and event details table, forming an event spatiotemporal sandbox, including: Based on the event subject, render the event timeline sequence, target spatial location, and event details table to construct a joint event view; The event federation view is interactively constructed based on the event identifier to form an event element index; Based on the event element index, spatially enhanced event objects are interactively clustered to obtain event interaction cards; Based on the event type, multimodal information is assembled and contextualized into event interaction cards to generate an event spatiotemporal sandbox.
[0017] By adopting the above technical solutions, through visualization rendering and interactive clustering algorithms, through the construction of event joint views and the interactive design of event element indexes, spatially enhanced event objects are clustered into event interactive cards. Furthermore, by integrating multimodal information assembly and context association technologies, an event spatiotemporal sandbox is dynamically generated, thereby achieving an intuitive and interactive presentation of the entire chain of information on complex security events, significantly improving situational awareness efficiency and multi-dimensional analysis and decision support capabilities.
[0018] This application is further configured to: retrieve and identify key suspicious clues in the event spatiotemporal sandbox according to anomaly filtering rules, and generate a graphic and textual clue report, including: The anomaly filtering rules are parsed and compiled to generate a time-series scan detection function; Based on the entities to be traced, the event spatiotemporal sand table is grouped and regionalized to obtain a business area map; Feature extraction is performed on the subject to be traced, and query matching is performed on the business area map to calculate feature similarity; If the feature similarity is greater than the preset similarity threshold, the current business area map is determined to be an event-related topology map; The event association topology graph is scanned temporally using a temporal scanning detection function to generate key and suspicious clues. Based on the temporal interaction status, key suspicious clues are aggregated in a multimodal manner to obtain a text and image clue report.
[0019] By adopting the above technical solution, based on the rule engine and feature matching algorithm, the time-series scanning function is generated by parsing abnormal rules, the features of the subject to be traced are extracted and similarity is calculated with the business area map, and then the time-series pattern scanning is performed on the determined event association topology map to automatically identify key suspicious clues. With the help of multimodal information aggregation technology, a structured graphic clue report is generated, thereby realizing intelligent and automated suspicious behavior mining and report output for massive security events, which greatly improves the efficiency of clue discovery and the accuracy of analysis.
[0020] Secondly, this application also provides a multi-dimensional correlation retrieval and visualization review analysis system based on security patrol events, which adopts the following technical solution: A multi-dimensional correlation retrieval and visualization review analysis system based on security patrol events, used to implement multi-dimensional correlation retrieval and visualization review analysis methods, including: The index building module is used to collect and clean multi-dimensional security data, extract key entity data, and build a joint index. The target filtering module is used to capture and transform user interaction operations, generate search query statements, and filter target data records based on composite indexes. The event aggregation module is used to aggregate target data records based on time series, generate event timeline sequences, and mark the target spatial locations; The multi-dimensional interactive module is used for dynamic interaction and visualization of event timeline sequences, target spatial locations, and event detail tables, forming an event spatiotemporal sandbox; The anomaly filtering module is used to retrieve and identify key suspicious clues in the event spatiotemporal sandbox according to anomaly filtering rules, and generate graphic and text clue reports.
[0021] By adopting the above technical solutions, a joint index is constructed based on the data extraction, transformation, and loading process and graph database technology. Interactive target filtering is achieved through natural language processing and query optimization. Event spatiotemporal sequences are generated using time series analysis and spatial mapping. An event spatiotemporal sandbox is constructed with the help of interactive clustering and multimodal visualization. Finally, suspicious clues are automatically mined and graphic reports are generated through rule engine and pattern recognition. This enables full-link, intelligent analysis of security incidents, significantly improving investigation efficiency and decision-making accuracy.
[0022] Thirdly, this application also provides an electronic device, comprising: One or more processors; Memory, used to store one or more programs; When one or more programs are executed by one or more processors, the one or more processors implement any of the methods in the above scheme.
[0023] Fourthly, this application also provides a storage medium storing at least one instruction, at least one program, code set, or instruction set, wherein the at least one instruction, at least one program, code set, or instruction set is loaded and executed by a processor to realize the multi-dimensional correlation retrieval and visualization review analysis method based on security patrol events as described above.
[0024] In summary, the beneficial technical effects of this application are as follows: By constructing data indexes through graph databases and natural language processing, integrating event contexts through spatiotemporal sequence analysis, and utilizing visualization interaction and rule engines, the system achieves automated mining and report generation from multi-source data to suspicious clues, significantly improving the efficiency and accuracy of security event analysis. By using spatial data modeling and geocoding technology, a geographic information table is constructed by integrating security area layout and location tags, and a coordinate mapping dictionary is generated. Then, timeline event objects and spatial fields are associated and merged into spatially enhanced event objects. Map markers are automatically created and associated according to event types, ultimately achieving a precise mapping between event timelines and geographic coordinates, thereby significantly improving the accuracy and intuitiveness of event spatiotemporal positioning.
Attached Figure Description
[0025] Figure 1 is a schematic diagram of the overall process of the multi-dimensional association retrieval and visualization retrospective analysis method in this application; Figure 2 is a flowchart illustrating step S3 in the multi-dimensional association retrieval and visualization retrospective analysis method of this application; Figure 3 is a flowchart illustrating step S34 in the multi-dimensional association retrieval and visualization retrospective analysis method of this application; Figure 4 is a schematic diagram of the structure of the multi-dimensional association retrieval and visualization retrospective analysis system in this application.
Detailed Implementation
[0026] The present application will be further described in detail below with reference to the accompanying drawings.
[0027] Referring to Figure 1, this application discloses a method for multi-dimensional correlation retrieval and visualization retrospective analysis based on security patrol events, including: S1: Collect and clean multi-dimensional security data, extract key entity data, and build a joint index; S2: Capture and transform user interaction operations, generate search query statements, and filter target data records based on composite index combinations; S3: Aggregate target data records based on time series, generate event timeline sequences, and mark the target spatial locations; S4: Dynamically interact with and visualize the event timeline sequence, target spatial location and event details table to form an event spatiotemporal sandbox; S5: Based on the anomaly filtering rules, retrieve and identify key suspicious clues in the event spatiotemporal sandbox, and generate a graphic and textual clue report.
[0028] The implementation principle of this embodiment is as follows: a joint index is built through ETL process and graph database technology, interactive target filtering is achieved by using natural language processing and query optimization, event spatiotemporal sequence is generated through time series analysis and spatial mapping, an event spatiotemporal sandbox is formed with the help of interactive visualization, and suspicious clues are automatically mined and graphic reports are generated by relying on rule engine and pattern recognition technology, so as to achieve intelligent full-link analysis of security events.
[0029] Preferably, step S1 includes: Based on the data source, multi-dimensional data is collected from the security monitoring area to obtain multi-dimensional raw data; The multidimensional raw data is encapsulated according to a preset data format to obtain a security triplet. The security triplet is filtered for noise reduction, time-series alignment, and spatial mapping to generate multidimensional security data. Based on the data dimensions, entity extraction is performed on the multidimensional security data to obtain key entity data; Missing value cleaning and context association are performed on key entity data to obtain hierarchical derived entity data; Based on query frequency and entity tags, hierarchical derived entity data are combined to construct a hierarchical entity graph and extract the combined index.
[0030] In this embodiment, an adapter is defined for each type of data source, such as: an HTTP API or Kafka topic for video structured data, a TCP socket or direct database connection synchronization for access control card swipe records, and a Logstash / Fluentd proxy for log files.
[0031] All interfaces aggregate raw data into a unified message queue (such as Apache Kafka or RabbitMQ) for buffering using either a "push" or "pull" mode, thereby achieving decoupling and traffic shaping.
[0032] Each piece of raw data is encapsulated into a basic object containing raw_data (raw message or text), source_type, and receive_time upon access, ensuring full traceability.
[0033] The corresponding parsing rule or parsing model is invoked based on the source_type. For data with a fixed format (such as access control records "Card Number: 001, Time: 2023-10-27 14:30:00, Door: South Gate, Event: Enter"), regular expressions or JSONPath are used for extraction.
[0034] For unstructured logs or alarm texts (such as "Warning: Server Rack-01 temperature is too high, threshold alarm triggered at 14:30"), use a pre-trained natural language processing model (NLP) to perform named entity recognition (NER) to extract time, location, device, and event type.
[0035] The extracted information is forcibly mapped to four core dimensions and standardized: all timestamps are unified to ISO 8601 format (e.g., 2023-10-27T14:30:00+08:00).
[0036] Map access control points, camera IDs, area names, etc., to globally unique location_ids (such as LOC_GATE_SOUTH).
[0037] Map personnel names, employee IDs, card numbers, device IPs, hostnames, etc., to unique subject_ids (such as PERSON_1001, DEVICE_SERVER_01).
[0038] Descriptions such as "entry", "boundary crossing alarm", and "high temperature" are normalized into a preset event type enumeration (such as EVENT_ACCESS_GRANT, EVENT_INTRUSION_ALARM).
[0039] The output is {timestamp, location_id, subject_id, event_type, raw_data, source_type, confidence}, where confidence is the resolution confidence level.
[0040] Rule-based cleaning: For example, removing records with future timestamps or invalid records whose location_id is not in the known list.
[0041] For records with missing subject_id, attempt to complete the record by associating the most common legitimate subject from the history based on source_type and location_id.
[0042] For alarm events, try to correlate them with operation logs or status change records of the same device or area within a similar time period to form a more complete "event context".
[0043] Fields such as date, hour, and day of week are derived from the timestamp, which facilitates aggregation and analysis at the time granularity.
[0044] From the geographic information table associated with location_id, hierarchical information such as building, floor, and area_type is derived.
[0045] Based on query frequency, create composite indexes such as (location_id, timestamp, event_type) and (subject_id, timestamp). The index order follows the principle of high cardinality (high distinguishability) fields first, followed by low cardinality fields, and fully covers the query conditions to maximize query performance.
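The parsing, normalization and rule-based cleaning described in [0032] to [0043], as an added example that is not part of the application. The lookup tables, the rejection reason names and the fixed confidence value are assumptions made for illustration; the first sample line is the access control record quoted in [0033], the others are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

TZ = timezone(timedelta(hours=8))
FIXED_NOW = datetime(2024, 1, 1, tzinfo=TZ)  # constructed "current time" for the demo

# Constructed mapping tables (assumptions; a deployment would load these from its registry).
LOCATION_IDS = {"South Gate": "LOC_GATE_SOUTH"}
SUBJECT_IDS = {"001": "PERSON_1001"}
EVENT_TYPES = {"Enter": "EVENT_ACCESS_GRANT"}

ACCESS_RE = re.compile(
    r"Card Number:\s*(?P<card>\w+),\s*Time:\s*(?P<time>[\d\- :]+),\s*"
    r"Door:\s*(?P<door>[^,]+),\s*Event:\s*(?P<event>\w+)"
)

SAMPLES = [
    "Card Number: 001, Time: 2023-10-27 14:30:00, Door: South Gate, Event: Enter",
    "Card Number: 001, Time: 2099-01-01 00:00:00, Door: South Gate, Event: Enter",
    "Card Number: 001, Time: 2023-10-27 14:31:00, Door: Roof Hatch, Event: Enter",
    "Card Number: 777, Time: 2023-10-27 14:32:00, Door: South Gate, Event: Enter",
]


def normalize(envelope, now):
    """Return (record, None) for a valid event or (None, reason) for a rejected one."""
    if envelope["source_type"] != "access_control":
        return None, "no_parser"
    m = ACCESS_RE.fullmatch(envelope["raw_data"].strip())
    if m is None:
        return None, "parse_error"
    try:
        ts = datetime.strptime(m["time"].strip(), "%Y-%m-%d %H:%M:%S").replace(tzinfo=TZ)
    except ValueError:
        return None, "bad_timestamp"
    # Rule-based cleaning: future timestamps and unknown locations are invalid records.
    if ts > now:
        return None, "future_timestamp"
    location_id = LOCATION_IDS.get(m["door"].strip())
    if location_id is None:
        return None, "unknown_location"
    event_type = EVENT_TYPES.get(m["event"])
    if event_type is None:
        return None, "unknown_event_type"
    record = {
        "timestamp": ts.isoformat(),               # ISO 8601 with offset
        "location_id": location_id,
        "subject_id": SUBJECT_IDS.get(m["card"]),  # None is kept for the completion step
        "event_type": event_type,
        "raw_data": envelope["raw_data"],          # original text kept for traceability
        "source_type": envelope["source_type"],
        "confidence": 1.0,                         # assumption: exact regex match
        # Fields derived from the timestamp for aggregation by time granularity.
        "date": ts.date().isoformat(),
        "hour": ts.hour,
        "day_of_week": ts.isoweekday(),            # 1 = Monday ... 7 = Sunday
    }
    return record, None


def run_batch(raw_lines, now):
    """Wrap each raw line in the basic envelope, normalize it, and split kept from rejected."""
    kept, rejected = [], []
    for raw in raw_lines:
        envelope = {"raw_data": raw, "source_type": "access_control",
                    "receive_time": now.isoformat()}
        record, reason = normalize(envelope, now)
        if record is not None:
            kept.append(record)
        else:
            rejected.append((raw, reason))
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = run_batch(SAMPLES, FIXED_NOW)
    for record in kept:
        print(record["timestamp"], record["location_id"], record["subject_id"])
    for raw, reason in rejected:
        print("rejected:", reason, "|", raw)
```

Rejected lines are returned with their reason rather than silently dropped, so that cleaning decisions stay auditable alongside the retained `raw_data`.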
[0046] Preferably, step S2 includes: Capture and encapsulate user interaction operations to generate search query statements; Based on the generated search query statement, the field names are validated, mapped, and converted to obtain a valid search statement; The target entity resource is obtained by matching and filtering valid search statements based on the composite index; Based on timestamps and logical priorities, target entity resources are sorted and combined to obtain target data records.
[0047] In this embodiment, the front-end encapsulates user interactions (such as selecting a time range, checking an event type, and selecting a location from a dropdown) into a JSON object and sends it to the back-end. Front-end field names (such as "location") are mapped to database column names (location_id). Front-end values (such as "first floor lobby") are converted to encoded values (LOC_LOBBY_F1) stored in the database.
[0048] Identify fields in the query conditions and match them with existing composite indexes. For example, the composite index (location_id, timestamp, event_type) can perfectly match the query location_id = ? AND timestamp BETWEEN ? AND ? AND event_type IN (?, ?).
[0049] Prioritize query plans that begin with the leftmost column of the index. For example, if a user only filters for a time range and event type without specifying a location, the above index may not be usable, and the system might choose another index that begins with timestamp.
[0050] Based on the validated conditions, the WHERE clause is constructed securely in a parameterized manner to strictly prevent SQL injection. Since the results are sorted by time by default, and the timestamp field is in a composite index, the database can directly utilize the index's ordered nature for sorting, avoiding expensive full table sorting operations. Adding the ORDER BY timestamp ASC LIMIT :page_size OFFSET :offset clause enables efficient pagination.
[0051] Upon receiving a parameterized query, a fast range scan is performed on the matching composite index (e.g., (location_id, timestamp, event_type)) to directly locate the index leaf node that satisfies location_id and timestamp. Then, event_type is filtered within it, and finally, the complete data row is retrieved from the table based on the index pointer.
[0052] The database returns a subset of data records sorted by timestamp. The server can perform further processing, such as converting the encoding LOC_LOBBY_F1 back to the readable "first floor lobby", or querying other extended information.
[0053] When the filter condition is "event type=A or event type=B", it will generate event_type=:A OR event_type=:B. The database may use index merging optimization.
[0054] For nested logic such as "location = first floor lobby and (event type = motion detection or subject = someone)", a complex WHERE clause with parentheses will be constructed to ensure that the logic priority is correct.
[0055] If a user filters fields that are not indexed (such as certain fuzzy matches of subject), a secondary filter will be performed in a small result set in memory after the main filtering is completed using the index, and the query pattern will be recorded as a basis for future optimization or the creation of new indexes.
[0056] Record the response time, number of rows scanned, and index usage for each query. For queries with poor performance (such as full table scans caused by missing indexes), automatically trigger alerts and prompt the administrator to analyze whether the indexing strategy needs to be adjusted.
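The field-name validation, value mapping and parameterized WHERE construction of [0047] to [0054], as an added example that is not part of the application. The filter-tree JSON shape, the helper names and the SQLite table with its rows are assumptions constructed for illustration; only allowlisted column names ever reach the SQL text, and every user-supplied value travels as a named parameter.

```python
import sqlite3

# Allowlists: front-end field names -> column names, display values -> stored codes.
FIELD_MAP = {"location": "location_id", "event_type": "event_type",
             "subject": "subject_id", "time": "timestamp"}
VALUE_MAP = {"location": {"first floor lobby": "LOC_LOBBY_F1"}}  # constructed

# "location = first floor lobby and (event type = motion detection or subject = someone)"
NESTED = {"and": [
    {"field": "location", "op": "eq", "value": "first floor lobby"},
    {"or": [{"field": "event_type", "op": "eq", "value": "EVENT_MOTION"},
            {"field": "subject", "op": "eq", "value": "PERSON_1001"}]},
]}
# Constructed hostile inputs: one in a value position, one in a field-name position.
HOSTILE_VALUE = {"field": "subject", "op": "eq", "value": "x' OR '1'='1"}
HOSTILE_FIELD = {"field": "subject_id = '' OR 1=1 --", "op": "eq", "value": "x"}


def bind(params, field, value):
    """Map a display value to its stored code if needed and return a named placeholder."""
    codes = VALUE_MAP.get(field)
    if codes is not None:
        if value not in codes:
            raise ValueError(f"unknown value for field {field!r}")
        value = codes[value]
    name = f"p{len(params)}"
    params[name] = value
    return ":" + name


def build_where(node, params):
    """Turn a filter tree into SQL text made only of allowlisted columns and placeholders."""
    for logic in ("and", "or"):
        if logic in node:
            parts = [build_where(child, params) for child in node[logic]]
            if not parts:
                raise ValueError("empty condition group")
            # Parentheses around every group keep the logical priority explicit.
            return "(" + f" {logic.upper()} ".join(parts) + ")"
    field, op = node.get("field"), node.get("op")
    if not isinstance(field, str) or field not in FIELD_MAP:
        raise ValueError(f"unknown field: {field!r}")
    column = FIELD_MAP[field]
    if op == "eq":
        return f"{column} = {bind(params, field, node['value'])}"
    if op == "in" and node.get("values"):
        names = ", ".join(bind(params, field, v) for v in node["values"])
        return f"{column} IN ({names})"
    if op == "between":
        low = bind(params, field, node["from"])
        high = bind(params, field, node["to"])
        return f"{column} BETWEEN {low} AND {high}"
    raise ValueError(f"unsupported operator: {op!r}")


def build_query(filter_tree, page_size=50, offset=0):
    """Return (sql, params) with time ordering and pagination appended."""
    params = {}
    where = build_where(filter_tree, params)
    params["page_size"], params["offset"] = int(page_size), int(offset)
    sql = ("SELECT timestamp, location_id, subject_id, event_type FROM events "
           f"WHERE {where} ORDER BY timestamp ASC LIMIT :page_size OFFSET :offset")
    return sql, params


def demo_db():
    """In-memory table with constructed rows and the composite index from the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (timestamp TEXT, location_id TEXT, "
                 "subject_id TEXT, event_type TEXT)")
    conn.execute("CREATE INDEX idx_loc_ts_type ON events (location_id, timestamp, event_type)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", [
        ("2023-10-27T14:30:00+08:00", "LOC_LOBBY_F1", "PERSON_1001", "EVENT_ACCESS_GRANT"),
        ("2023-10-27T14:31:00+08:00", "LOC_LOBBY_F1", "PERSON_2002", "EVENT_MOTION"),
        ("2023-10-27T14:32:00+08:00", "LOC_GATE_SOUTH", "PERSON_1001", "EVENT_MOTION"),
        ("2023-10-27T14:29:00+08:00", "LOC_LOBBY_F1", "PERSON_3003", "EVENT_ACCESS_GRANT"),
    ])
    return conn


def run_query(conn, filter_tree):
    sql, params = build_query(filter_tree)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    print(build_query(NESTED)[0])
    print(run_query(demo_db(), NESTED))
```

The hostile value is compared as a literal string and matches nothing, while the hostile field name is rejected before any SQL text is built.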
[0057] Preferably, referring to Figure 2, step S3 includes: S31: Unify the time zone and sort the target data records in ascending order, count the number of data records, and form a time series array; S32: If the number of data records exceeds the preset data limit, extract the event time distribution density and aggregate the current time series array into an event record cluster; S33: Traverse and sort the event record clusters, generate timeline event objects, and map and extract the event timeline sequence; S34: Map coordinates of timeline event objects according to the event timeline sequence and mark the target spatial location.
[0058] In this embodiment, the timestamp field of all records is ensured to be converted to the same time zone (such as UTC+8), and then they are strictly sorted in ascending order to form a basic time series array.
[0059] When the number of records is large (e.g., more than 1,000), direct rendering can cause the timeline to become too crowded. The system calculates the temporal distribution density of events: if events explode within a short time window (e.g., within 1 minute), these events are automatically aggregated into an "event cluster" and displayed on the timeline as an aggregated icon with a number (e.g., "15 events").
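Steps S31 and S32 as described in [0058] and [0059], as an added example that is not part of the application. It uses a simple fixed-window grouping (a cluster spans at most one window from its first event) as a stand-in for the density clustering the application mentions; it is not DBSCAN. The function names, the `min_cluster` parameter and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

TARGET_TZ = timezone(timedelta(hours=8))  # UTC+8, as in the text

# Constructed records; offsets are mixed on purpose to exercise the time zone unification.
SAMPLE_RECORDS = [
    {"timestamp": "2023-10-27T14:30:00+08:00", "event_type": "EVENT_ACCESS_GRANT"},
    {"timestamp": "2023-10-27T06:30:20+00:00", "event_type": "EVENT_ACCESS_GRANT"},
    {"timestamp": "2023-10-27T14:30:40+08:00", "event_type": "EVENT_ACCESS_GRANT"},
    {"timestamp": "2023-10-27T14:30:10+08:00", "event_type": "EVENT_ACCESS_GRANT"},
    {"timestamp": "2023-10-27T14:35:00+08:00", "event_type": "EVENT_INTRUSION_ALARM"},
    {"timestamp": "2023-10-27T14:40:00+08:00", "event_type": "EVENT_ACCESS_GRANT"},
    {"timestamp": "2023-10-27T14:40:15+08:00", "event_type": "EVENT_ACCESS_GRANT"},
    {"timestamp": "2023-10-27T15:40:30+09:00", "event_type": "EVENT_ACCESS_GRANT"},
]


def to_series(records):
    """S31: convert every timestamp to the target zone and sort ascending."""
    series = []
    for record in records:
        ts = datetime.fromisoformat(record["timestamp"])
        if ts.tzinfo is None:
            # A naive timestamp cannot be placed on a shared timeline without guessing.
            raise ValueError(f"timestamp without offset: {record['timestamp']}")
        series.append({**record, "ts": ts.astimezone(TARGET_TZ)})
    series.sort(key=lambda r: r["ts"])
    return series


def flush(run, min_cluster):
    """Emit one aggregated cluster item for a dense run, or individual event items."""
    if len(run) >= min_cluster:
        return [{"kind": "cluster",
                 "start": run[0]["ts"].isoformat(),
                 "end": run[-1]["ts"].isoformat(),
                 "count": len(run),
                 "label": f"{len(run)} events",
                 "events": list(run)}]  # kept so the cluster can be expanded on click
    return [{"kind": "event", "timestamp": r["ts"].isoformat(), "record": r} for r in run]


def build_timeline(records, limit=1000, window=timedelta(minutes=1), min_cluster=3):
    """S32: aggregate only when the record count exceeds the preset limit."""
    series = to_series(records)
    if len(series) <= limit:
        return flush(series, min_cluster=len(series) + 1)  # never clusters
    items, run = [], []
    for record in series:
        if run and record["ts"] - run[0]["ts"] > window:
            items.extend(flush(run, min_cluster))
            run = []
        run.append(record)
    items.extend(flush(run, min_cluster))
    return items


if __name__ == "__main__":
    for item in build_timeline(SAMPLE_RECORDS, limit=5):
        print(item["kind"], item.get("label", item.get("timestamp")))
```

With `limit=5` the eight sample records collapse into a cluster of four, one standalone alarm and a cluster of three; with the default limit they are rendered individually.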
[0060] After a user clicks the aggregation icon, they can expand to view a detailed list of events within that time period. Each sorted record is then iterated through to generate a standard "timeline event object". Map timestamps to locations on the horizontal timeline. Combine information such as eventTypeLabel, subjectLabel, and locationLabel to render event cards on the timeline. Maintain a mapping table (geographic information table) from location_id to geographic coordinates. For each event's location_id, query its corresponding latitude and longitude coordinates [lng, lat] and a readable location label. Determine the icon type and color displayed on the map based on the event's event_type field.
[0061] Front-end map components (such as Amap / Baidu / Leaflet) create a map marker at coordinates [lng, lat] for each event. The marker's icon and color are determined by the rules mentioned above. When a user hovers over or clicks a map marker, a detailed information card for that event is displayed, and the corresponding event on the timeline is highlighted.
[0062] If the subject being filtered is a person or a vehicle, the system can connect all their location_id coordinates in chronological order to generate a movement trajectory line on the map, visually displaying their activity path and completely corresponding to the timeline events.
[0063] Upon initial load, only aggregated event clusters and map hotspots are displayed. As the user zooms in on the timeline or map, detailed event data for that time granularity or geographic area is dynamically loaded. The timeline uses virtual scrolling technology, rendering only the currently visible area and a small number of event cards in the preceding and following buffers, ensuring smooth scrolling even with tens of thousands of records.
[0064] Map markers in densely populated areas (such as multiple card swipes at the same entrance / exit) are displayed in a cluster, and then disperse after clicking the cluster icon.
[0065] Preferably, referring to Figure 3, step S34 includes: S341: Construct a geographic information table based on the spatial layout of the security monitoring area and location information tags; S342: Collect location identifiers from the geographic information table to obtain a coordinate location mapping dictionary; S343: Merge the target fields of the timeline event objects based on the location identifier and the coordinate location mapping dictionary to generate spatially enhanced event objects; S344: Iterate through the spatially enhanced event objects according to the event type and create map markers; S345: Based on the event identifier, map markers are associated and mapped with the event timeline sequence to determine the target spatial location.
[0066] In this embodiment, a table named `location_geo_info` is created in the database. The core fields include at least: `location_id` (primary key, consistent with the `location_id` in the event data); `coordinates` (stores latitude and longitude, formatted as POINT(121.4737,31.2304) or split into `lng` and `lat`); `location_name` (Chinese name, such as "First Floor Lobby South Gate"); `location_type` (such as "Entrance / Exit", "Camera", "Corridor", "Equipment Room"); and `floor` (floor information, used for multi-story buildings). Precise latitude and longitude coordinates are entered for all `location_id` values that may generate events.
[0067] Iterate through all event objects, collecting unique `location_id` values to form a query list. Execute a single, efficient database query using the `IN` clause to retrieve the coordinates and metadata of all relevant `location_id` values from the `location_geo_info` table. Return a `Map<location_id, GeoInfo>` mapping dictionary.
[0068] Iterate through each event object, use its location_id as the key to retrieve the corresponding GeoInfo from the mapping dictionary above, and merge fields such as coordinates and location_name into the event object to generate a new "space-enhanced event object".
[0069] Based on the event type, a mapping from `event_type` to `icon` is predefined. The array of "spatial enhanced event objects" is iterated through using a map engine (such as Leaflet, Mapbox GL JS), and for each object, its coordinates are used as the coordinate points. The `eventTypeIconMap` is queried based on the `eventType` to obtain the icon configuration. The map API is called to create a custom icon at the specified coordinates (using `L.marker` or an equivalent method), and the icon style (color, symbol) is applied to it.
[0070] When creating map markers and timeline DOM elements, assign them the same unique event ID (e.g., data-event-id="event_001"). Simultaneously, maintain an in-memory `Map<event_id, {marker, timelineElement}>` relationship index.
[0071] Find the corresponding map marker by index, trigger the map's panTo() method to pan the view to that marker, and call the marker's highlight() method (e.g., to enlarge the icon or add a halo animation). Find the corresponding timeline element by index, trigger the timeline container to scroll (scrollIntoView), and highlight the event card.
[0072] A marker for a given location_id is created only if the coordinates of that location_id are within the current map viewport. As the map moves or zooms, markers outside the viewport are dynamically destroyed and new markers are created for locations that enter the viewport.
[0073] When the map zoom level is low (the viewing area is large), multiple event markers that are very close in screen pixel distance are clustered into a single cluster marker, which is displayed as a circle with a number (such as "12").
[0074] When the map is zoomed in to a certain level, the clusters are automatically disbanded, and the events are displayed as individual, independent markers. This functionality can be achieved using mature plugins such as Leaflet.markercluster.
[0075] If a single timeline event spans a long period (e.g., 24 hours), it can be loaded asynchronously in time slices (e.g., one hour per slice). When the user scrolls the timeline to a specific time period, the events for that time period are dynamically loaded and rendered onto the map.
[0076] If the location_id of an event cannot be found in the location_geo_info table, it will be mapped to a default "unknown area" coordinate (such as the center of the company campus) and marked with a special "question mark" icon. At the same time, the event details will indicate "coordinates not configured".
[0077] Record the location_id and event ID for missing coordinates to facilitate administrators in supplementing geographical information later.
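The lookup and merge of [0067] and [0068], together with the missing-coordinate fallback of [0076] and [0077], as an added JavaScript example that is not part of the patent text. The in-memory rows stand in for the `location_geo_info` table, and the fallback coordinate, icon styles, `detail_note` field and function names are assumptions constructed for illustration.

```javascript
// Constructed rows standing in for the location_geo_info table.
const LOCATION_GEO_INFO = [
  { location_id: 'LOC_GATE_S', lng: 121.4737, lat: 31.2304,
    location_name: 'First Floor Lobby South Gate', location_type: 'Entrance / Exit', floor: 1 },
  { location_id: 'LOC_CAM_07', lng: 121.4741, lat: 31.2309,
    location_name: 'Corridor Camera 07', location_type: 'Camera', floor: 2 },
];

// Assumed fallback for unmapped locations and assumed icon styles.
const UNKNOWN_AREA = { coordinates: [121.4739, 31.2306], location_name: 'Unknown area' };
const UNKNOWN_ICON = { icon: 'question', color: '#8c8c8c' };
const DEFAULT_ICON = { icon: 'dot', color: '#595959' };
const eventTypeIconMap = new Map([
  ['access', { icon: 'door', color: '#2f7ed8' }],
  ['alarm', { icon: 'bell', color: '#d9363e' }],
]);

// Constructed events; LOC_ROOF_X has no row in the geographic information table.
const SAMPLE_GEO_EVENTS = [
  { event_id: 'ev1', event_type: 'access', location_id: 'LOC_GATE_S' },
  { event_id: 'ev2', event_type: 'alarm', location_id: 'LOC_CAM_07' },
  { event_id: 'ev3', event_type: 'access', location_id: 'LOC_GATE_S' },
  { event_id: 'ev4', event_type: 'access', location_id: 'LOC_ROOF_X' },
];

// One IN query for all unique location_ids. The ids are bound as parameters,
// never concatenated into the SQL text. An empty list yields no query at all,
// because "IN ()" is not valid SQL.
function buildGeoLookupQuery(events) {
  const ids = [...new Set(events.map((e) => e.location_id))];
  if (ids.length === 0) return { sql: null, params: [] };
  const placeholders = ids.map(() => '?').join(', ');
  return {
    sql: 'SELECT location_id, lng, lat, location_name, location_type, floor ' +
         `FROM location_geo_info WHERE location_id IN (${placeholders})`,
    params: ids,
  };
}

// Stand-in for the database driver: returns the Map<location_id, GeoInfo> dictionary.
function runGeoLookup(query, tableRows) {
  const wanted = new Set(query.params);
  const geoById = new Map();
  for (const row of tableRows) {
    if (wanted.has(row.location_id)) geoById.set(row.location_id, row);
  }
  return geoById;
}

// Merge coordinates into each event. Unmapped locations get the fallback
// coordinate, the question-mark icon and a note, and are logged for the administrator.
function enhanceEvents(events, geoById) {
  const enhanced = [];
  const missing = [];
  for (const ev of events) {
    const geo = geoById.get(ev.location_id);
    if (geo) {
      enhanced.push({
        ...ev,
        coordinates: [geo.lng, geo.lat],
        location_name: geo.location_name,
        floor: geo.floor,
        icon: eventTypeIconMap.get(ev.event_type) || DEFAULT_ICON,
      });
    } else {
      enhanced.push({
        ...ev,
        coordinates: UNKNOWN_AREA.coordinates,
        location_name: UNKNOWN_AREA.location_name,
        icon: UNKNOWN_ICON,
        detail_note: 'coordinates not configured',
      });
      missing.push({ location_id: ev.location_id, event_id: ev.event_id });
    }
  }
  return { enhanced, missing };
}

const geoQuery = buildGeoLookupQuery(SAMPLE_GEO_EVENTS);
const geoResult = enhanceEvents(SAMPLE_GEO_EVENTS, runGeoLookup(geoQuery, LOCATION_GEO_INFO));
console.log(geoQuery.sql, geoQuery.params, geoResult.missing);
```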
[0078] Preferably, step S4 includes: Based on the event subject, render the event timeline sequence, target spatial location, and event details table to construct a joint event view; The event federation view is interactively constructed based on the event identifier to form an event element index; Based on the event element index, spatially enhanced event objects are interactively clustered to obtain event interaction cards; Based on the event type, multimodal information is assembled and contextualized into event interaction cards to generate an event spatiotemporal sandbox.
[0079] In this embodiment, a shared state center is created using a state management library (such as Vuex, Redux, or Pinia). During the rendering of the three views, inverted indexes are built for the timeline card DOM element and map marker object corresponding to each event, and their references are stored in memory to quickly locate view elements by event ID. Interactive events are bound to each view, and updates are coordinated through the state center.
[0080] Sort the event array by time and use virtual scrolling technology to efficiently render cards. Trigger the selectEvent action to submit the event ID to the state center. At the same time, the card is visually highlighted (e.g., by adding a border shadow). Listen for scrolling and zooming operations on the timeline and synchronize the currently visible start and end times of the timelineViewport to the state center.
[0081] Use the map library's clustering plugin to dynamically render markers as the mapViewport changes. Trigger the same selectEvent action to update the state center.
[0082] The event details table displays the four core elements of an event (time, location, subject, and type).
[0083] Dynamic loading of multimedia content: For video analysis events, embed real-time video streams or recorded footage from the event trigger. For access control events, display captured facial images and credentials. For device alarms, display device status trend graphs. Automatically query and display other events occurring within the same area within 10 minutes of the current event, forming an "event context".
[0084] Preferably, step S5 includes:
[0085] The anomaly filtering rules are parsed and compiled to generate a time-series scan detection function; Based on the entities to be traced, the event spatiotemporal sand table is grouped and regionalized to obtain a business area map; Feature extraction is performed on the subject to be traced, and query matching is performed on the business area map to calculate feature similarity; If the feature similarity is greater than the preset similarity threshold, the current business area map is determined to be an event-related topology map; The event association topology graph is scanned temporally using a temporal scanning detection function to generate key and suspicious clues. Based on the temporal interaction status, key suspicious clues are aggregated in a multimodal manner to obtain a text and image clue report.
[0086] In this embodiment, each rule is an independent module containing triggering conditions, association logic, and visualization style; all enabled rules are loaded, and their logic is compiled into a detection function that can efficiently scan time series data.
[0087] For events within the current view, group them by subject_id (subject), and sort the event sequence for each person by time. Simultaneously, load the regional association topology map (defining which regions are business-adjacent or related).
[0088] Execution rule scanning: For each rule, the event sequence of each subject is scanned. For example, for the "short-term cross-regional movement" rule: traverse a person's access control records in a sliding window (e.g., 5 minutes); count the different location_ids that appear in the window; query the regional topology map, and if these regions are defined as "non-related" (e.g., distributed in different buildings that are far apart) and the number exceeds the threshold (e.g., 3), then the rule is triggered.
[0089] Each triggered rule generates a "clue object", which includes the set of triggered event IDs, core subject, time window, rule ID, confidence score, and automatically generates a text description (such as "Person Zhang San appeared in 3 unrelated areas between 04:30 and 04:35").
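The "short-term cross-regional movement" scan of [0088] and the clue object of [0089], as an added JavaScript example that is not part of the patent text. The pairwise topology representation, the rule field names other than `timelineColor` and `connectPoints`, the `>=` threshold comparison, the confidence heuristic and the sample events are assumptions constructed for illustration.

```javascript
// Constructed topology: location pairs that are business-adjacent ("related").
// Any pair not listed is treated as non-related (assumed representation).
const RELATED_PAIRS = [
  ['A_LOBBY', 'A_CORRIDOR'],
  ['B_LOBBY', 'B_SERVER_ROOM'],
];
const pairKey = (a, b) => (a < b ? `${a}|${b}` : `${b}|${a}`);
const RELATED = new Set(RELATED_PAIRS.map(([a, b]) => pairKey(a, b)));
const isRelated = (a, b) => a === b || RELATED.has(pairKey(a, b));

// Hypothetical rule module: trigger condition, association logic, visual style.
const CROSS_REGION_RULE = {
  ruleId: 'short_term_cross_region',
  windowMs: 5 * 60 * 1000,   // sliding window of 5 minutes
  minUnrelatedRegions: 3,    // assumption: fires at 3 or more unrelated regions
  timelineColor: '#d9363e',
  connectPoints: true,
};

// Constructed access-control events (UTC), deliberately not in time order.
const ev = (event_id, subject_id, location_id, hms) =>
  ({ event_id, subject_id, location_id, timestamp: `2026-01-10T${hms}Z` });
const SAMPLE_EVENTS = [
  ev('e1', 'zhang_san', 'A_LOBBY', '04:30:10'),
  ev('e3', 'zhang_san', 'C_GATE', '04:34:30'),
  ev('e2', 'zhang_san', 'B_LOBBY', '04:32:00'),
  ev('e4', 'li_si', 'A_LOBBY', '04:30:00'),      // related pair, stays below threshold
  ev('e5', 'li_si', 'A_CORRIDOR', '04:31:00'),
  ev('e6', 'li_si', 'B_LOBBY', '04:33:00'),
  ev('e7', 'wang_wu', 'A_LOBBY', '04:00:00'),    // three regions, but 10 minutes apart
  ev('e8', 'wang_wu', 'B_LOBBY', '04:10:00'),
  ev('e9', 'wang_wu', 'C_GATE', '04:20:00'),
];

// Greedy pick of locations that are pairwise non-related within one window.
function unrelatedRegions(locationIds) {
  const reps = [];
  for (const loc of new Set(locationIds)) {
    if (reps.every((r) => !isRelated(r, loc))) reps.push(loc);
  }
  return reps;
}

const hhmm = (ts) => new Date(ts).toISOString().slice(11, 16);

// Two-pointer sliding window over one subject's time-sorted events.
function scanSubject(subjectId, events, rule) {
  const seq = events
    .map((e) => ({ ...e, ts: Date.parse(e.timestamp) }))
    .filter((e) => Number.isFinite(e.ts))        // drop unparseable timestamps
    .sort((a, b) => a.ts - b.ts);
  const found = [];
  let lo = 0;
  for (let hi = 0; hi < seq.length; hi++) {
    while (seq[hi].ts - seq[lo].ts > rule.windowMs) lo++;
    const win = seq.slice(lo, hi + 1);
    const distinct = new Set(win.map((e) => e.location_id));
    const regions = unrelatedRegions(distinct);
    if (regions.length >= rule.minUnrelatedRegions) {
      found.push({
        ruleId: rule.ruleId,
        subject: subjectId,
        eventIds: win.map((e) => e.event_id),
        window: { start: win[0].ts, end: win[win.length - 1].ts },
        confidence: regions.length / distinct.size,   // placeholder heuristic
        description: `Subject ${subjectId} appeared in ${regions.length} unrelated areas ` +
          `between ${hhmm(win[0].ts)} and ${hhmm(win[win.length - 1].ts)}`,
      });
      lo = hi + 1;   // do not report the same events again in overlapping windows
    }
  }
  return found;
}

// Group the events in view by subject_id, then scan each subject's sequence.
function detectClues(events, rule) {
  const bySubject = new Map();
  for (const e of events) {
    if (!bySubject.has(e.subject_id)) bySubject.set(e.subject_id, []);
    bySubject.get(e.subject_id).push(e);
  }
  const all = [];
  for (const [subjectId, seq] of bySubject) all.push(...scanSubject(subjectId, seq, rule));
  return all;
}

console.log(JSON.stringify(detectClues(SAMPLE_EVENTS, CROSS_REGION_RULE), null, 2));
```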
[0090] All event cards that trigger the rule will have their border color changed to the timelineColor defined in the rule.
[0091] The markers corresponding to these events are highlighted. If connectPoints is true, these points are connected by dashed lines in chronological order to form a movement trajectory line.
[0092] A new "Clues Panel" has been added, which displays all automatically discovered clues in a list format. Clicking on a list item will highlight the relevant event on both the map and the timeline.
[0093] Serialize all current interaction states into a JSON file; Automatically generate report summaries, including the analysis timeframe, number of entities involved, total number of events, and number of leads discovered. Assign a section to each lead and automatically insert rule-generated descriptive text; automatically capture and embed two key images: a screenshot of the map view, clearly displaying highlighted markers and connecting lines.
[0094] Screenshots of key sections of the timeline show highlighted sequences of event cards. An appendix provides a structured list of all triggering events (time, location, subject, event type). Before report generation, users can add text annotations or arrow markers to the sandbox interface; these human insights will be captured and inserted into the corresponding positions in the report. The final result is a formatted, richly illustrated PDF or Word document, suitable for direct printing or distribution.
[0095] Referring to Figure 4, a multi-dimensional correlation retrieval and visualization review analysis system based on security patrol events, applied to fault detection methods, includes: The index building module, which is used to collect and clean multi-dimensional security data, extract key entity data, and build a joint index. In this embodiment, this module is responsible for real-time parsing and management of the multi-source, heterogeneous security data streams (video analytics, access control, alarms, logs, etc.). Its core is to use a rule engine and NLP model to accurately extract standardized entities based on four dimensions (time, location, subject, and event type) from unstructured data, and to complete data cleaning, association, and completion. Ultimately, the massive amount of information is transformed into structured records in a unified format, and a high-performance composite index is built on these four core fields. This provides upper-layer applications with millisecond-level multi-dimensional combined query capabilities, achieving efficient transformation from raw data to searchable knowledge.
[0096] The target filtering module is used to capture and transform user interaction operations, generate search query statements, and filter target data records based on composite indexes. In this embodiment, this module is responsible for translating user interaction intents on the front end into efficient database operations. It captures complex query conditions set by the user in real time through combined filters (such as timelines, map selection, and dropdown menus) and converts them into precise parameterized query statements. The module embeds a query optimizer that automatically matches the best composite index strategy based on the query condition pattern, ensuring that even with hundreds of millions of data records, it can still instantly complete the filtering, sorting, and pagination of target data records and seamlessly deliver the result set to downstream modules.
[0097] The event aggregation module is used to aggregate target data records based on time series, generate event timeline sequences, and mark the target spatial locations; In this embodiment, this module is responsible for reorganizing discrete target data records into a continuous narrative thread, sorting events by timestamp as the main axis, and performing intelligent time grouping based on data density to optimize visual presentation. Simultaneously, the module invokes a geolocation mapping service to assign precise latitude and longitude coordinates to each record. The output consists of two key products: first, an array of event sequences with spatiotemporal markers for timeline rendering; and second, a geotagged dataset containing coordinate and style information for use by the map engine, laying the foundation for integrated spatiotemporal visualization.
[0098] The multi-dimensional interactive module is used for dynamic interaction and visualization of event timeline sequences, target spatial locations, and event detail tables, forming an event spatiotemporal sandbox; In this embodiment, this module is responsible for building and driving the "spatiotemporal sandbox"; it integrates event sequences, spatial coordinates, and detailed metadata, and synchronously renders three interconnected views in the interface: the main timeline view, the planar map view, and the details panel. Through global state management and an event bus, the module achieves profound interactive linkage: clicking on a timeline event automatically locates and highlights the corresponding position on the map; clicking on a map icon scrolls the timeline to the corresponding moment. This two-way feedback mechanism allows users to intuitively explore the spatiotemporal relationships and causal chains between events.
[0099] The anomaly filtering module is used to retrieve and identify key suspicious clues in the event spatiotemporal sandbox according to anomaly filtering rules, and generate graphic and text clue reports.
[0100] In this embodiment, this module is responsible for proactively identifying risks within the "spatiotemporal sandbox." It incorporates a configurable rule engine capable of real-time scanning and pattern recognition of events within the current view based on preset or custom logical models (such as "short-term cross-regional abnormal movement" and "association of device alarms and access control events"). Key suspicious clues automatically discovered are highlighted in the sandbox using visual methods such as highlighting and connecting lines. Users can conduct in-depth analysis based on this and save the current analysis scenario (including all view states, filtering conditions, and identified clues) as a reproducible "recap snapshot" with a single click, or export it as a standardized graphic report containing key evidence screenshots and structured data, completing a closed loop from analysis to knowledge accumulation.
[0101] The implementation principle of this embodiment is as follows: Based on ETL process and graph database technology, multi-source security data is cleaned and entity extracted to build a joint index. Natural language processing and query optimization algorithms are used to transform user interaction into structured retrieval and filter target data. Spatiotemporal event chains are generated through time series clustering and geographic information mapping. An event spatiotemporal sandbox is built with the help of interactive visualization technology. Finally, a rule engine and pattern recognition algorithm are combined to automatically mine suspicious clues and generate graphic and text reports, so as to realize intelligent correlation analysis and decision support for security events.
[0102] An electronic device, comprising: One or more processors; Memory, used to store one or more programs; When one or more programs are executed by one or more processors, the one or more processors implement any of the methods in the above scheme.
[0103] A storage medium storing at least one instruction, at least one program, code set, or instruction set, wherein the at least one instruction, at least one program, code set, or instruction set is loaded and executed by a processor to realize the multi-dimensional correlation retrieval and visualization retrospective analysis method based on security patrol events as described above.
[0104] The embodiments described in this specific implementation are preferred embodiments of this application and are not intended to limit the scope of protection of this application. Therefore, all equivalent changes made in accordance with the structure, shape and principle of this application should be covered within the scope of protection of this application.
Claims
1. A method for multi-dimensional correlation retrieval and visual debriefing analysis based on security patrol events, characterized in that it includes: Collect and clean multi-dimensional security data, extract key entity data, and build a joint index; Capture and transform user interaction operations, generate search query statements, and filter target data records based on the composite index combination; The target data records are aggregated based on the time series to generate an event timeline sequence, and the target spatial location is marked. The event timeline sequence, the target spatial location, and the event details table are dynamically interacted with and visualized to form an event spatiotemporal sandbox; Based on the anomaly filtering rules, key suspicious clues in the event spatiotemporal sandbox are retrieved and identified, and a graphic clue report is generated.
2. The method for multi-dimensional correlation retrieval and visual review analysis based on security patrol events according to claim 1, characterized in that, The collection and cleaning of multi-dimensional security data, extraction of key entity data, and construction of a joint index include: Based on the data source, multi-dimensional data is collected from the security monitoring area to obtain multi-dimensional raw data; The multidimensional raw data is encapsulated according to a preset data format to obtain a security triplet; The security triplet is filtered, denoised, time-series aligned, and spatially mapped to generate multidimensional security data. Based on the data dimensions, entity extraction is performed on the multidimensional security data to obtain key entity data; The key entity data is cleaned of missing values and contextualized to obtain hierarchical derived entity data; Based on the query frequency and entity tags, the hierarchical derived entity data are combined to construct a hierarchical entity graph and extract the combined index.
3. The method for multi-dimensional correlation retrieval and visual review analysis based on security patrol events according to claim 1, characterized in that, The process of capturing and transforming user interaction operations, generating search query statements, and filtering target data records based on the composite index includes: Capture and encapsulate user interaction operations to generate search query statements; Based on the generated search query statement, the field names are validated, mapped, and converted to obtain a valid search statement; The target entity resources are obtained by matching and filtering the valid search statements according to the composite index; Based on timestamps and logical priorities, the target entity resources are sorted and combined to obtain target data records.
4. The method for multi-dimensional correlation retrieval and visual review analysis based on security patrol events according to claim 1, characterized in that, The step of aggregating the target data records according to the time series to generate an event timeline sequence and marking the target spatial location includes: The target data records are unified by time zone and sorted in ascending order. The number of data records is counted to form a time series array. If the number of data records exceeds the preset data limit, the event time distribution density is extracted, and the current time series array is aggregated into an event record cluster. The event record clusters are traversed and sorted to generate timeline event objects, and the event timeline sequences are mapped and extracted. Based on the event timeline sequence, coordinate mapping is performed on the timeline event objects to mark the target spatial location.
5. The method for multi-dimensional correlation retrieval and visual review analysis based on security patrol events according to claim 4, characterized in that, The step of mapping the timeline event objects to coordinates and marking the target spatial location based on the event timeline sequence includes: A geographic information table is constructed based on the spatial layout of the security monitoring area and location information tags; The location identifiers of the geographic information table are collected to obtain a coordinate location mapping dictionary; Based on the location identifier and the coordinate location mapping dictionary, the target fields of the timeline event objects are merged to generate spatially enhanced event objects; The spatially enhanced event objects are traversed according to the event type, and map markers are created. The target spatial location is determined by associating and mapping the map markers with the event timeline sequence based on the event identifier.
6. The method for multi-dimensional correlation retrieval and visual review analysis based on security patrol events according to claim 1, characterized in that, The dynamic interaction and visualization of the event timeline sequence, the target spatial location, and the event details table form an event spatiotemporal sandbox, including: Based on the event subject, render the event timeline sequence, target spatial location, and event details table to construct a joint event view; The event federation view is interactively constructed based on the event identifier to form an event element index; Based on the event element index, the spatially enhanced event objects are interactively clustered to obtain event interaction cards; Based on the event type, the event interaction cards are assembled with multimodal information and associated with context to generate an event spatiotemporal sandbox.
7. The method for multi-dimensional correlation retrieval and visual review analysis based on security patrol events according to claim 1, characterized in that, The process of retrieving and identifying key suspicious clues in the event spatiotemporal sandbox according to anomaly filtering rules, and generating a graphic clue report, includes: The anomaly filtering rules are parsed and compiled to generate a time-series scan detection function; Based on the entities to be traced, the event spatiotemporal sand table is grouped and regionalized to obtain a business area map; Feature extraction is performed on the subject to be traced, and query matching is performed on the business area map to calculate feature similarity; If the feature similarity is greater than a preset similarity threshold, then the current business area map is determined to be an event-related topology map; The event association topology is scanned temporally according to the temporal scanning detection function to generate key suspicious clues; Based on the temporal interaction status, the key suspicious clues are aggregated in a multimodal manner to obtain a text and image clue report.
8. A multi-dimensional correlation retrieval and visualization review analysis system based on security patrol events, used to implement the multi-dimensional correlation retrieval and visualization review analysis method as described in any one of claims 1-7, characterized in that it includes: The index building module is used to collect and clean multi-dimensional security data, extract key entity data, and build a joint index. The target filtering module is used to capture and transform user interaction operations, generate search query statements, and filter target data records based on the composite index combination. The event aggregation module is used to aggregate the target data records according to the time series, generate an event timeline sequence, and mark the target spatial location; The multi-dimensional interactive module is used for dynamic interaction and visualization of the event timeline sequence, the target spatial location, and the event details table, forming an event spatiotemporal sandbox; The anomaly filtering module is used to retrieve and identify key suspicious clues in the event spatiotemporal sandbox according to anomaly filtering rules, and generate a graphic and textual clue report.
9. An electronic device, characterized in that it includes: One or more processors; Memory, used to store one or more programs; When the one or more programs are executed by the one or more processors, the one or more processors implement the method as described in any one of claims 1-7.
10. A storage medium storing at least one instruction, at least one program, a code set, or an instruction set, wherein the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by a processor to implement the multi-dimensional association retrieval and visualization retrospective analysis method as described in any one of claims 1 to 7.