An agentic multi-agent collaboration-based network threat intelligence knowledge graph construction method
By employing the Agentic multi-agent collaborative framework and autonomous tool invocation, the problems of stable extraction of complex entity relationships and graph pollution in long texts were solved, enabling dynamic updating and real-time verification of the network threat intelligence knowledge graph, thereby improving the stability and availability of threat intelligence processing.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGZHOU UNIVERSITY HUANGPU RESEARCH INSTITUTE
- Filing Date
- 2026-04-20
- Publication Date
- 2026-06-19
AI Technical Summary
Existing technologies struggle to reliably handle complex entity relationships in long texts, lack autonomous strategy capabilities, cannot link entity extraction and enrichment in real time, lack verification loops leading to graph contamination, and lack timely graph management and dynamic updates.
The Agentic multi-agent collaborative framework is adopted. Through the collaboration of planning agents, extraction agents, verification agents and cognitive update agents, a closed-loop mechanism is constructed. It autonomously calls tools to perform entity and relation extraction, verification and graph update. It adopts STIX-style ontology model and Pydantic structure verification technology.
It improves the stability and accuracy of long-text threat intelligence processing, reduces the risk of map contamination, enables dynamic updates and continuous availability of maps, and enhances the standardization and cross-system sharing capabilities of results.
Smart Images

Figure FT_1 
Figure FT_2 
Figure FT_3
Abstract
Description
Technical Field
[0001] This invention relates to the fields of cybersecurity technology and artificial intelligence, and in particular to a method for constructing a cyber threat intelligence knowledge graph. Background Technology
[0002] As cyberattacks become increasingly complex, threat intelligence is no longer limited to a single Indicator of Competence (IOC), but rather manifests as a complex semantic network spanning multiple phases, actors, infrastructures, and evidence sources. In practice, a large amount of threat intelligence exists in the form of long texts such as reports, analytical articles, incident notifications, sample descriptions, and posts in open-source communities. This type of data typically features weak structure, strong contextual dependencies, numerous cross-paragraph references, and widespread implicit expressions of evidence.
[0003] The existing technology has the following main problems:
[0004] 1. Traditional extraction schemes based on rules, templates, or single prompts struggle to reliably handle complex entity relationships in long texts, especially in maintaining relationship consistency across multiple contexts.
[0005] 2. Existing extraction schemes typically split entity extraction, IOC enrichment, rule validation, and graph writing into multiple discrete processes, resulting in the extraction results and enrichment results not being linked in real time.
[0006] 3. Existing methods lack autonomous strategy capabilities and cannot dynamically determine which tools to use, what key points to extract, or whether supplementary verification is needed based on the text content.
[0007] 4. Most existing graph construction processes lack verification loops. Once erroneous relationships are written into the graph database, they will cause long-term graph pollution.
[0008] 5. Existing knowledge graph systems typically treat knowledge as a static result and lack a management mechanism for the timeliness of intelligence, which results in originally malicious IPs, domains, or hashes being preserved as valid threat relationships for a long time after the time-series changes.
[0009] For example, in threat intelligence analysis scenarios, an IP address might be maliciously controlled by a server today, but could be reclaimed and restored to normal service tomorrow; a domain name might exhibit malicious behavior in the short term, but become ineffective in the long term. Therefore, if we rely solely on one-time extraction and permanent writing to the data graph, the graph will gradually become a static accumulation of data, losing its continuous availability.
[0010] Therefore, there is a need for a technical solution for constructing an agentic threat intelligence knowledge graph that is oriented towards long-text threat intelligence, possesses autonomous policy capabilities, supports autonomous tool invocation, has verification loops, and can perform self-updating of the graph. In summary, there is an urgent need for a method for sharing network threat intelligence to overcome the limitations of existing technologies. Summary of the Invention
[0011] The purpose of this invention is to provide a method, system, device, and storage medium for constructing a network threat intelligence knowledge graph based on agentic multi-agent collaboration and autonomous tool invocation, in order to solve the following technical problems:
[0012] 1. Solve the problem of the difficulty in reliably extracting entities and relationships in long-text threat intelligence.
[0013] 2. Address the issue that IOC enrichment results cannot be used in inference immediately during the extraction phase.
[0014] 3. To address the lack of multi-agent division of labor and policy planning capabilities in existing systems.
[0015] 4. Solve the problem of spectrum contamination caused by the lack of self-verification closed loop.
[0016] 5. Solve the problem of the difficulty in automatically updating the map based on time and reputation.
[0017] To achieve the above objectives, the present invention adopts the following technical solution:
[0018] This invention provides a method for constructing an Agentic threat intelligence knowledge graph. This method no longer treats the large language model as a one-time information extractor, but embeds it into a multi-agent collaborative framework. Through the collaboration of planning agents, extraction agents, verification agents, and cognitive update agents, a closed loop of "plan generation, autonomous tool invocation, structured extraction, verification feedback, graph writing, and time-series updating" is constructed.
[0019] in:
[0020] 1. The planning agent is responsible for task understanding of threat intelligence text and outputting a structured extraction plan;
[0021] 2. The extraction agent is responsible for performing entity and relation extraction under the guidance of the extraction plan, and autonomously calling external tools for IOC enrichment during inference;
[0022] 3. The verification agent is responsible for performing structural verification, ontology verification, and evidence verification on the extracted results;
[0023] 4. The cognitive updating agent is responsible for proactively re-invoking the tool to update the graph state based on the expiration time, confidence level, and current detection status of nodes or edges in the graph;
[0024] 5. The graph writing module is responsible for writing entities and relationships into the graph database. Relationships are stored in the form of edges between entities, along with source evidence, confidence level, and expiration time.
[0025] In a preferred implementation, the present invention constructs a workflow based on LangGraph or an equivalent state graph orchestration framework, modeling the "planning-extraction-verification" process as a directed cyclic state graph. When verification fails, the extraction agent re-executes under error feedback conditions until the maximum number of iterations is reached or the result meets the requirements.
[0026] In another preferred implementation, the present invention uses a STIX-style ontology model to describe entities and relationships, uses unified fields to constrain the output results, and uses Pydantic or equivalent structure verification techniques to ensure that the output strictly meets the predefined structure.
[0027] Compared with the prior art, the present invention has at least the following beneficial effects:
[0028] 1. By using the Agentic multi-agent collaboration mechanism, task planning, extraction, verification, and updating are decoupled, improving the stability and maintainability of long-text threat intelligence processing.
[0029] 2. By using an autonomous tool invocation mechanism, the IOC enrichment results can be used in inference in real time during the extraction stage, thereby improving the accuracy of entity recognition, relationship determination, and threat assessment.
[0030] 3. By using a closed loop of "extraction-verification-feedback retry", the probability of writing erroneous relationships into the graph is significantly reduced, thus reducing graph contamination.
[0031] 4. Enhance the standardization of results through unified structural constraints in the STIX style, facilitating cross-system reuse, sharing, and auditing.
[0032] 5. By introducing TTL and confidence management through a cognitive update agent, the graph can be updated in a timely manner, self-driven, and managed for failed relationships, thus evolving the graph from a static data set into a dynamic cognitive graph. Attached Figure Description
[0033] Figure 1 This is the overall framework diagram of the Agentic Network Threat Intelligence Knowledge Graph Construction System of the present invention, used to illustrate the composition of each functional module and their logical connection relationships.
[0034] Figure 2This is a flowchart of the Agentic closed-loop execution process of the present invention, which is used to illustrate the "planning-extraction-verification-feedback retry" closed-loop execution mechanism formed between the planning agent, the extraction agent, the tool calling module, and the verification agent.
[0035] Figure 3 This is a schematic diagram of the graph database storage of the present invention, used to illustrate the organization of entity nodes, relation edges and their attributes in the graph database.
[0036] Figure 4 This is a schematic diagram of the overall framework of the present invention. Detailed Implementation
[0037] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention. Unless otherwise defined, the technical or scientific terms used herein should have the ordinary meaning understood by those skilled in the art. The terms "comprising" and similar expressions used herein mean that the element or object preceding the word covers the element or object listed after the word and its equivalents, but does not exclude other elements or objects.
[0038] This invention provides a method for constructing a network threat intelligence knowledge graph based on agentic multi-agent collaboration and autonomous tool invocation, comprising the following steps:
[0039] S1. Establish the Agentic multi-agent collaborative workflow, which includes: an input processing module, a text segmentation module, a planning agent module, an extraction agent module, a tool invocation module, a verification agent module, a graph writing module, and a cognitive update agent module.
[0040] S2. Start the state diagram orchestration framework and load threat intelligence ontology rules, structured output patterns, and external intelligence tool registration information;
[0041] S3. Obtain the original content of network threat intelligence, and have the input processing module perform text standardization preprocessing on the original content;
[0042] S4. The text segmentation module performs text segmentation on the preprocessed threat intelligence content according to the preset segmentation length and overlap length to obtain multiple text blocks to be processed; an extraction plan is generated for each text block to be processed, and the extraction plan includes at least the report type, the type of entity of concern, the toolset and the extraction strategy.
[0043] S5. The extraction agent module drives the large language model to perform structured extraction based on the extraction plan, and autonomously calls external intelligence tools through the tool calling module to obtain entity, relationship and IOC enrichment information.
[0044] S6. The verification agent module performs structural verification, ontology rule verification, and evidence support verification on the extraction results, and feeds back the verification error to the extraction agent module when the verification fails to trigger iterative re-extraction.
[0045] S7. After the verification is passed, the graph writing module writes the entities into the graph database nodes, writes the relationships into the graph edges between the entities, and saves the relationship type, source evidence, source identifier, confidence level and expiration time attributes on the graph edges.
[0046] S8. The cognitive update agent module autonomously calls external intelligence tools again based on the expiration time, confidence level and re-verification strategy of entities or relationships in the graph, and performs refresh, downgrading or invalidation marking on intelligence that is expired, suspected of being invalid or has changed status.
[0047] In step S1, a workflow architecture for constructing a network threat intelligence knowledge graph based on agentic multi-agent collaboration and autonomous tool invocation is designed. This workflow architecture consists of eight parts: input processing module, text segmentation module, agent planning module, agent extraction module, tool invocation module, agent verification module, graph writing module, and cognitive update agent module.
[0048] The overall system architecture diagram of the network threat intelligence knowledge graph construction method based on agentic multi-agent collaboration and autonomous tool invocation provided by this invention is shown in Figure 1.
[0049] Figure 2 shows the workflow framework of a network threat intelligence knowledge graph construction method based on agentic multi-agent collaboration and autonomous tool invocation provided by this invention.
[0050] 1) Input Processing Module: This module aims to receive, identify, and standardize raw content of network threat intelligence, and maintain the source information of the input objects. Through a series of preprocessing functions, this module implements functions such as raw text reception, character encoding standardization, whitespace normalization, noise symbol filtering, source type identification, and source identifier initialization, thereby providing a unified data entry point for subsequent text segmentation, structured extraction, and source tracing.
[0051] (2) Text Segmentation Module: This module aims to perform context-preserving segmentation of long threat intelligence texts to improve the stability and accuracy of subsequent intelligent agents when processing long texts. This module achieves functions such as segmentation, overlap preservation, and boundary control of threat intelligence texts by preset parameters such as segmentation length, overlap length, and sliding step size, thereby reducing the problems of entity omission and relationship breakage caused by text boundary truncation.
[0052] (3) Planning Agent Module: This module aims to automatically generate extraction plans for different text blocks and guide the execution strategy of the subsequent extraction process. This module realizes functions such as report type recognition, entity recognition, toolset planning, and extraction strategy generation by combining large language model reasoning with rule constraints, thereby making the subsequent extraction process more targeted and autonomous.
[0053] (4) Agent Extraction Module: This module aims to perform structured extraction of threat intelligence text and output entity and relation results that conform to a predefined format. This module realizes entity extraction, relation extraction, enriched information integration and structured JSON generation by calling a large language model that supports function calls or tool calls, and completes the joint identification of threat behaviors, infrastructure, vulnerabilities, indicators and other objects based on contextual semantics.
[0054] (5) Tool Invocation Module: This module aims to provide the extraction agent with the ability to autonomously invoke external intelligence tools to enhance the authenticity and completeness of the extraction results. Through mechanisms such as tool registration, parameter mapping, result backfilling, and anomaly handling, this module realizes functions such as IOC type identification, autonomous tool selection, tool execution, and tool result return, and supports the linkage invocation of external intelligence data sources such as VirusTotal, Shodan, and MITRE ATT&CK.
[0055] (6) Verification Agent Module: This module aims to perform multi-layer verification on the extraction results and trigger rollback and re-extraction processes when problems are found. This module realizes functions such as entity structure verification, relation structure verification, relation legality verification and evidence support verification through mechanisms such as structure verification, ontology rule verification, evidence consistency verification and error feedback control, thereby reducing the risk of writing erroneous entities and erroneous relations into the graph.
[0056] (7) Graph Writing Module: This module aims to write verified threat intelligence entities and relationships into the graph database to form a queryable and reasonable knowledge graph. This module uses mechanisms such as node writing, relationship edge writing, attribute updating, and dynamic mapping of relationship types to realize functions such as entity node storage, relationship edge construction, source information storage, confidence level storage, and expiration time writing, thereby completing the persistent storage of the threat intelligence knowledge graph.
[0057] (8) Cognitive Update Agent Module: This module aims to continuously inspect and dynamically update the time-sensitive intelligence in the graph to avoid information distortion caused by long-term solidification of the graph. Through mechanisms such as expiration detection, re-verification scheduling, confidence refresh, failure marking, and historical state maintenance, this module realizes periodic re-verification and state correction of highly volatile IOCs, temporary infrastructure, and low-confidence relationships, thereby improving the long-term availability and dynamic reliability of the graph.
[0058] During step S2, the state graph orchestration framework is initiated and threat intelligence ontology rules, structured output patterns, and external intelligence tool registration information are loaded to construct a recursively executable Agentic workflow framework. The state graph orchestration framework can be implemented using LangGraph or an equivalent state machine orchestration framework. Its core lies in organizing the planning agent module, extraction agent module, and verification agent module into a directed graph execution structure that is rollback-enabled, retry-enabled, and terminate-enabled.
[0059] In a preferred embodiment, the state graph orchestration framework maintains state variables such as `current_text`, `plan`, `extracted_graph`, `validation_errors`, `iteration_count`, and `status`. Here, `current_text` represents the currently processed text block, `plan` represents the extraction plan output by the planning agent, `extracted_graph` represents the current extraction result graph, `validation_errors` represents the set of validation errors, `iteration_count` represents the current iteration count, and `status` represents the current workflow status. Through the flow control of these state variables, closed-loop execution of planning, extraction, validation, and retries can be achieved.
[0060] During step S3, the input processing module acquires the original content of the network threat intelligence and performs text standardization preprocessing on the original content. The preprocessing includes at least character encoding unification, whitespace normalization, newline character cleaning, invalid symbol filtering, source type identification, and source identifier initialization. In a preferred embodiment, the input content can be plain text, extracted text from a file, or extracted text from a webpage, and the source type includes `text`, `file`, and `url`. By writing unified source information during the preprocessing stage, a consistent source basis can be provided for subsequent entities and relationships.
[0061] In step S4, the text segmentation module performs context-preserving segmentation processing on the preprocessed threat intelligence content, and the planning agent module generates an extraction plan for each text block to be processed. Let the input text length be `L`, the preset segmentation length be `C`, and the overlap length be `O`, satisfying `0 ≤ O < C`, then the segmentation step size `S = C - O`. The starting position of the `i`th text block is `start_i = i × S`, and the corresponding text block is `chunk_i = text[start_i : start_i + C]`. Through this method, cross-sentence and cross-segment context can be preserved while ensuring processing efficiency, reducing entity omissions and relationship breaks caused by boundary segmentation.
[0062] In a preferred embodiment, the extraction plan generated by the planning agent for a text block includes at least a report type `report_type`, focus entity types `focus_entities`, a set of required tools `required_tools`, and extraction strategies `strategy_notes`. For example, when a text block contains information about an attack group, IP address, domain name, and malicious file hash, the planning agent can identify the text block as an IOC-oriented report and prioritize the use of VirusTotal, Shodan, and MITRE ATT&CK search tools.
[0063] During step S5, the extraction agent module drives the large language model, which supports function calls or tool calls, to perform structured extraction. Unlike the traditional linear process of "extract first, then enrich," this invention allows the large language model to autonomously decide whether to call tools, which tools to call, and the order of calling tools during the inference process, based on the current text content, identified entities, and the extraction plan generated in step S4.
[0064] In a preferred embodiment, when an IP address appears in the text, `search_virustotal_ip(ip)` and `search_shodan_ip(ip)` can be called; when a domain name appears in the text, `search_virustotal_domain(domain)` can be called; when a file hash appears in the text, `search_virustotal_file(file_id)` can be called; and when an attack description appears in the text, `search_mitre_attack(description)` can be called. After obtaining the results returned by the tool, the extraction agent writes the results into the entity's enrichment field `enrichment`, and corrects the entity type judgment, relation type judgment, and confidence score assignment based on the results.
[0065] In this embodiment, the output of step S5 is further constrained to a unified threat intelligence structured format. Entity output fields include at least `id`, `type`, `name`, `description`, `source_type`, `source`, `enrichment`, `confidence`, and `expiretime`; relation output fields include at least `relation_type`, `source_evidence`, `confidence`, `source`, and `expiretime`. These constraints ensure that the output meets the unified format requirements and facilitate subsequent verification and graph writing.
[0066] During step S6, the verification agent module performs structural verification, ontology rule verification, and evidence support verification on the extraction results generated in step S5. The structural verification checks whether the output meets the predefined JSONSchema or Pydantic model; the ontology rule verification checks whether the entity type and relationship type meet the predefined ontology constraints; and the evidence support verification checks whether the relationship evidence explicitly mentions at least two extracted entity names.
[0067] When any verification fails, the verification agent outputs a corresponding error list and feeds back the errors to the extraction agent module to trigger iterative re-extraction of the current text block. In a preferred embodiment, when the relational evidence does not explicitly mention the corresponding entity, the verification agent returns an evidence ambiguity error and requests the extraction agent to regenerate the relational result with explicit evidence, thereby forming an Agentic iterative closed loop.
[0068] During step S7, the graph writing module writes the verified entities and relationships into the graph database. In this embodiment, the graph database uses Neo4j. Entities are written as nodes, and relationships are written as graph edges between entities, storing attributes such as `relation_type`, `source_evidence`, `source`, `confidence`, and `expiretime` on the graph edges. The graph writing module achieves persistent storage of the threat intelligence knowledge graph through mechanisms such as node merging, relationship merging, attribute updating, and dynamic mapping of relationship types.
[0069] In a preferred embodiment, the edge type of a relation edge is dynamically generated based on `relation_type`. For example, `uses` is mapped to `USES`, `related-to` is mapped to `RELATED_TO`, and `communicates-with` is mapped to `COMMUNICATES_WITH`. By adopting a dynamic relation type mapping method, the graph structure can be made more in line with the semantic expression habits in threat intelligence analysis.
[0070] During step S8, the cognitive update agent module performs periodic inspections of entities and relationships in the graph to avoid information distortion caused by long-term graph solidification. This module focuses on monitoring the following conditions: first, `expiretime` is nearing its expiration date; second, `confidence` is below a preset threshold; and third, the IOC is a highly volatile object, such as an IP address, domain name, or temporary infrastructure.
[0071] In a preferred embodiment, let the current timestamp be `t_now` and the expiration timestamp of the entity or relation be `t_expire`. Then, the condition for re-verification can be expressed as `t_expire - t_now <= Δt`, where `Δt` is a preset early re-verification window. If the condition for re-verification is met, the cognitive update agent calls the external intelligence tool again to obtain the latest intelligence; when the returned result shows that the IOC still has malicious attributes, `expiretime` and `confidence` are refreshed; when the returned result shows that the IOC no longer has malicious characteristics, the corresponding entity or relation is marked as invalid or written to the historical status field.
[0072] In a preferred embodiment, the input text is: `Lazarus used 8.8.8.8 and google.com as C2, and sample hash 44d88612fea8a8f36de82e1278abb02f indicates malwareactivity.` The system first completes source identification and text cleaning through the input processing module; then, the text segmentation module generates text blocks to be processed, and the planning agent generates the corresponding extraction plan; the extraction agent autonomously calls tools such as `search_virustotal_ip`, `search_shodan_ip`, `search_virustotal_domain`, and `search_virustotal_file` during the inference process; the verification agent completes evidence and relationship legitimacy verification; the graph writing module writes the entities corresponding to `Lazarus`, `8.8.8.8`, `google.com`, and the file hash into Neo4j, and completes the connection with equi-edges `USES` and `INDICATES`; finally, the cognitive update agent re-checks the corresponding IOC after a set time. The reputation and network status are updated, and the corresponding edge attributes are refreshed if the status changes.
[0073] Through the above implementation methods, the present invention not only completes one-time extraction and graph writing, but also achieves continuous verification, dynamic enrichment and time-series updates through Agentic multi-agent collaboration and autonomous tool invocation mechanism, thereby constructing a sustainably maintainable network threat intelligence knowledge graph.
[0074] While embodiments of the present invention have been described in detail above, it will be apparent to those skilled in the art that various modifications and variations can be made to these embodiments. However, it should be understood that such modifications and variations fall within the scope and spirit of the invention as set forth in the claims. Furthermore, the invention described herein may have other embodiments and can be implemented or carried out in various ways.
Claims
1. A method for constructing a network threat intelligence knowledge graph based on agentic multi-agent collaboration, characterized in that, Includes the following steps: A multi-agent collaborative workflow is established, which includes: an input processing module, a text segmentation module, a planning agent module, an extraction agent module, a tool invocation module, a verification agent module, a graph writing module, and a cognitive update agent module. Start the state diagram orchestration framework and load threat intelligence ontology rules, structured output patterns, and external intelligence tool registration information; The original content of network threat intelligence is obtained, and the input processing module performs text standardization preprocessing on the original content. The text segmentation module performs text segmentation on the preprocessed threat intelligence content according to the preset segmentation length and overlap length, resulting in multiple text blocks to be processed. The planning agent module generates an extraction plan for each text block to be processed. The extraction plan includes at least the report type, the type of entity of interest, the toolset, and the extraction strategy. The extraction agent module drives the large language model to perform structured extraction based on the extraction plan, and autonomously calls external intelligence tools through the tool calling module to obtain entity, relationship and IOC enrichment information; The verification agent module performs structural verification, ontology rule verification, and evidence support verification on the extraction results, and feeds back the verification error to the extraction agent module when the verification fails to trigger iterative re-extraction. After the verification is passed, the graph writing module writes the entities into the graph database nodes, writes the relationships into the graph edges between the entities, and saves the relationship type, source evidence, source identifier, confidence level and expiration time attributes on the graph edges; The cognitive update agent module autonomously re-invokes external intelligence tools based on the expiration time, confidence level, and re-verification strategy of entities or relationships in the graph, and performs refresh, downgrading, or invalidation marking on intelligence that is expired, suspected of being invalid, or has changed status.
2. The method for constructing a network threat intelligence knowledge graph according to claim 1, characterized in that, The input processing module is used to receive raw threat intelligence content, normalize its format, clean the text, and manage the source identifier. It also initializes the corresponding source field, source type field, and raw evidence identifier according to the source type of the input object. The text segmentation module performs context-preserving segmentation on long texts by defining segmentation length, overlap length and sliding step size, so that cross-sentence entities and cross-segment relationships in the same attack chain can be repeatedly preserved and jointly identified in adjacent text blocks. The planning agent module is used to generate and manage extraction plans. The planning agent module has at least four functions, including: report type identification, entity of interest identification, toolset planning, and extraction strategy generation.
3. The method for constructing a network threat intelligence knowledge graph according to claim 1, characterized in that, The extraction agent module is used to drive the large language model to output structured threat intelligence results according to the extraction plan. The extraction agent module has at least four functions, including: entity extraction, relation extraction, enriched field integration, and structured JSON generation.
4. The method for constructing a network threat intelligence knowledge graph according to claim 1, characterized in that, The tool invocation module is responsible for invoking external intelligence tools and returning tool results to the extraction agent module. It includes three core functions: IOC type identification, autonomous tool selection, and tool result backfilling. The external intelligence tools include at least the VirusTotal query tool, the Shodan query tool, the MITRE ATT&CK retrieval tool, the graph entity existence check tool, and the ontology rule query tool.
5. The method for constructing a network threat intelligence knowledge graph according to claim 1, characterized in that, The verification agent module is responsible for verifying and backtracking the extraction results, including four core functions: entity structure verification, relation structure verification, ontology rule verification, and evidence support verification. The evidence support verification is used to determine whether the relation evidence explicitly contains the corresponding entity name.
6. The method for constructing a network threat intelligence knowledge graph according to claim 1, characterized in that, The graph writing module is used to manage and write threat intelligence entity and relationship information. It is responsible for storing the graph in the graph database and includes three core functions: entity node writing, relationship edge writing, and graph attribute updating. The edge type of the relationship edge is dynamically mapped and generated according to the relationship type field.
7. The method for constructing a network threat intelligence knowledge graph according to claim 1, characterized in that, The cognitive update agent module is responsible for re-verifying and maintaining the state of time-sensitive information in the graph, including four core functions: expiration detection, re-verification scheduling, confidence refresh, and expiration marking.
8. The method for constructing a network threat intelligence knowledge graph according to claim 1, characterized in that, The structured output mode adopts the unified ontology field constraints of threat intelligence. The entity fields include at least `id`, `type`, `name`, `description`, `source_type`, `source`, `enrichment`, `confidence`, and `expiretime`, and the relation fields include at least `relation_type`, `source_evidence`, `confidence`, `source`, and `expiretime`.
9. The method for constructing a network threat intelligence knowledge graph according to claim 1, characterized in that, The state diagram orchestration framework is used to manage the cyclic execution flow between the planning agent module, the extraction agent module, and the verification agent module, and to control whether to continue extraction, retry extraction, or terminate execution based on the verification results.
10. A network threat intelligence knowledge graph construction system based on agentic multi-agent collaboration and autonomous tool invocation, characterized in that, It includes an input processing module, a text segmentation module, a planning agent module, an extraction agent module, a tool invocation module, a verification agent module, a graph writing module, and a cognitive update agent module, among which: The input processing module is used to receive and standardize threat intelligence content; The text segmentation module is used to perform segmentation processing on threat intelligence content; The planning agent module is used to generate an extraction plan; The extraction agent module is used to drive the large language model to perform structured extraction; The tool invocation module is used to support the extraction of intelligent agents to autonomously invoke external intelligence tools; The verification agent module is used to verify the structure, relationships, and evidence of the extraction results; The graph writing module is used to write entities and relationships into the graph database; The cognitive update agent module is used to perform self-driven re-verification and state refresh of timely information in the graph.