A big data knowledge graph construction and intelligent reasoning system
By leveraging the collaborative operation of the temporal evolution graph construction module, attack prediction module, and prediction verification module, combined with the adaptive adjustment of the graph optimization module, the problem of knowledge graph updates passively relying on data changes is solved, enabling autonomous iterative optimization and efficient prediction of the network security system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- JIANGSU VOCATIONAL COLLEGE OF BUSINESS
- Filing Date
- 2026-06-03
- Publication Date
- 2026-07-03
AI Technical Summary
In existing technologies, knowledge graph updates passively rely on data changes and lack self-verification mechanisms, resulting in decreased prediction accuracy, high operation and maintenance costs, serious waste of computing resources, and a lack of autonomous iterative optimization capabilities.
A temporal evolution graph construction module is adopted, and the recalculation range is selected based on the difference in the temporal activity of nodes. Combined with the attack prediction module and the prediction verification module, a graph correction signal is generated through spatiotemporal matching and comparison, which is fed back to the graph optimization module for adaptive adjustment, thereby realizing the dynamic optimization of the knowledge graph.
It improves the iteration efficiency and prediction accuracy of knowledge graphs, reduces operation and maintenance costs, enables autonomous iteration and upgrading of network security systems, and improves the accuracy and early warning lead time of attack path inference and threat target prediction.
Smart Images

Figure CN122339854A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, specifically to a big data knowledge graph construction and intelligent reasoning system. Background Technology
[0002] With the continuous development of network technology, knowledge graph-based intelligent reasoning has been widely applied in network security threat detection technologies, including attack chain mining, threat tracing, and attack situation prediction.
[0003] However, attack prediction and knowledge graph structure optimization are independent of each other. Traditional solutions often rely on static graphs or simple incremental updates to generate attack chain prediction results. The predicted data is only used for security alert output and cannot have a reverse effect on the iterative optimization of the graph. The update of the knowledge graph is only passively triggered by changes in the original data and is unrelated to the prediction accuracy. After long-term use, the attack reasoning and threat prediction capabilities gradually decline. Existing incremental update methods often adopt a unified and equalized processing logic, uniformly recalculating all nodes with changed features and their associated neighbors, ignoring the objective differences in the temporal activity of different nodes. This easily generates a large number of invalid calculations, resulting in a waste of computing resources and low overall graph update efficiency. At the same time, there is a lack of a complete prediction self-verification mechanism. It is impossible to quantify and compare the degree of deviation between the predicted attack chain and the actual security event, nor can it transform the deviation data into driving instructions for graph iterative optimization. System parameters and graph structure are highly dependent on manual annotation and manual tuning to complete the update and adjustment, resulting in problems such as response lag, high operation and maintenance costs, and poor adaptability. To address these issues, a big data knowledge graph construction and intelligent reasoning system is proposed. Summary of the Invention
[0004] To address the aforementioned technical issues, a big data knowledge graph construction and intelligent reasoning system is provided. This technical solution solves the problem of difficulty in tracing the evolution of network attacks.
[0005] To achieve the above objectives, the technical solution adopted by the present invention is as follows: A big data knowledge graph construction and intelligent reasoning system includes: a time-series evolution graph construction module, an attack prediction module, a prediction verification module, and a graph optimization module; The temporal evolution graph construction module is used to collect temporal data of network entity behavior, dynamically adjust the sliding time window based on the attack phase, construct a knowledge graph with temporal labels, monitor the deviation of node temporal characteristics and trigger differential updates, select the recalculation range according to the difference in node temporal activity, perform local recalculation only on the deviation node and its limited number of hop neighbors, and generate a temporal evolution knowledge graph. The attack prediction module, based on the generated temporal evolution knowledge graph, predicts the probability of future attack target nodes and attack method shifts, generates predicted attack chains and corresponding confidence levels, and performs intelligent reasoning and prediction on network security. The prediction verification module is used to perform spatiotemporal matching and comparison between the predicted attack chain and the actual security event, calculate the prediction deviation, and generate a graph correction signal when the deviation exceeds the preset prediction deviation threshold. The graph optimization module, based on the received correction signal, feeds back to the temporal evolution graph construction module, adaptively adjusting the sliding time window, the finite number of hops neighbor range, and the node temporal feature weights to achieve dynamic adaptation and closed-loop autonomous optimization of the knowledge graph and the attack evolution trend.
[0006] Preferably, the sliding time window is dynamically adjusted based on the attack phase. A hidden Markov model is used to analyze the time-series data of network entity behavior to identify the current attack phase of the network environment. The attack phase includes at least one of the attack probing phase, attack propagation phase, attack outbreak phase, and attack decay phase. Different attack phases correspond to different sliding time window parameters, including window duration and sliding step size. Based on the preset mapping relationship between the attack phase and the sliding time window parameters, the sliding time window parameters used to construct a knowledge graph with time-series labels are dynamically determined.
[0007] Preferably, the system monitors the temporal feature deviation of nodes, performs real-time periodic sampling of the temporal feature vectors of each node in the knowledge graph, calculates the difference in the temporal features of nodes within adjacent sampling periods, determines the feature deviation threshold according to the system's preset temporal feature judgment criteria, and determines that the node has a temporal feature deviation when the difference exceeds the feature deviation threshold, and marks it as a node to be updated.
[0008] Preferably, the recalculation range is selected based on the differences in node temporal activity. The temporal activity score is calculated based on the frequency of node interactions, the number of associated security events, and the magnitude of state changes within the sliding time window. Nodes are sorted from high to low according to their temporal activity scores, and divided into high-activity, medium-activity, and low-activity levels. The local recalculation range of the deviation node is determined based on the differences in activity levels.
[0009] Preferably, a differential update is triggered, and a local recalculation is performed on the deviation node and its neighbor nodes with a limited number of hops. This means that when a deviation in the temporal characteristics of a node is detected, the differential update mechanism is triggered, and only the deviation node whose temporal activity score meets the preset conditions and its neighbor subgraph within a limited number of hops are recalculated and updated with the embedding vector and edge weights. The original embedding representation of the non-deviation node remains unchanged. The limited number of hops is 1-3 hops, and the specific number of hops is dynamically determined according to the temporal activity level of the node.
[0010] Preferably, a predicted attack chain and its corresponding confidence level are generated. Based on the attack method transition probability matrix and the initial attack chain sequence, the top K optimal candidate attack chains are selected. The confidence level score of each candidate attack chain is calculated by combining the attack method transition probability and the temporal coherence of the attack path. The chains are then sorted from high to low confidence level, and the final attack prediction result is output.
[0011] Preferably, the spatiotemporal matching comparison and preset threshold judgment in the prediction verification module include: associating and matching the attack target and attack time in the predicted attack chain with the victim node and occurrence timestamp recorded in the actual security event log; calculating the time deviation, path matching deviation and confidence deviation between the prediction result and the actual observation, and weightedly fusing them to generate a prediction deviation value; when the prediction deviation value is greater than the preset deviation threshold, generating a graph correction signal.
[0012] Preferably, the graph optimization module feeds back the correction information to the temporal evolution graph construction module based on the received graph correction signal, and uses a Bayesian optimization algorithm to adaptively adjust the sliding time window length, the finite number of hop neighbor range, and the node temporal feature weights.
[0013] Preferably, the node temporal feature weights include node temporal activity weights, time decay factors, and correlation strength coefficients; the time decay factor is derived based on the temporal correlation of node temporal features, and the correlation strength coefficient is calculated based on the interaction frequency and correlation tightness between nodes; the graph optimization module dynamically updates the allocation ratio of the above weight coefficients according to the corresponding prediction deviation type in the correction signal.
[0014] Compared with the prior art, the beneficial effects of the present invention are as follows: This invention distinguishes computational priorities by node temporal activity and defines the recalculation scope based on differences in actual node interactions and abnormal behavior. It performs local recalculation only on deviation nodes, highly active nodes, and their limited-hop neighbors, improving the efficiency of constructing and iterating temporal evolution knowledge graphs. Through spatiotemporal bidirectional matching, it quantifies the prediction deviation between the predicted attack chain and actual security events. Relying on correction signals to drive graph optimization, it adaptively adjusts the sliding time window, the coverage of limited-hop neighbors, and the weights of node temporal features, overcoming the limitations of traditional graphs that passively respond to data changes. The three core links of attack prediction, result verification, and structural optimization are organically integrated into an automated closed-loop process, enabling autonomous iterative upgrades of the network security inference system and effectively reducing operational costs. Through closed-loop optimization, it continuously corrects the graph structure and temporal feature weights, solving the prediction deviation drift problem caused by lag and feature disconnect in traditional static or semi-dynamic graph structures, effectively improving the accuracy of attack path deduction and threat target prediction, and increasing early warning lead time. Attached Figure Description
[0015] Figure 1This is a schematic diagram of the system framework of the present invention. Detailed Implementation
[0016] The following description is intended to disclose the invention and enable those skilled in the art to implement it. The preferred embodiments described below are merely examples, and other obvious variations will occur to those skilled in the art.
[0017] Reference Figure 1 As shown, a big data knowledge graph construction and intelligent reasoning system includes: a temporal evolution graph construction module, an attack prediction module, a prediction verification module, and a graph optimization module; The temporal evolution graph construction module is used to collect temporal data of network entity behavior, dynamically adjust the sliding time window based on the attack phase, construct a knowledge graph with temporal labels, monitor the deviation of node temporal characteristics and trigger differential updates, select the recalculation range according to the difference in node temporal activity, perform local recalculation only on the deviation node and its limited number of hop neighbors, and generate a temporal evolution knowledge graph. The attack prediction module, based on the generated temporal evolution knowledge graph, predicts the probability of future attack target nodes and attack method shifts, generates predicted attack chains and corresponding confidence levels, and performs intelligent reasoning and prediction on network security. The prediction verification module is used to perform spatiotemporal matching and comparison between the predicted attack chain and the actual security event, calculate the prediction deviation, and generate a graph correction signal when the deviation exceeds the preset prediction deviation threshold. The graph optimization module, based on the received correction signal, feeds back to the temporal evolution graph construction module, adaptively adjusting the sliding time window, the finite number of hops neighbor range, and the node temporal feature weights to achieve dynamic adaptation and closed-loop autonomous optimization of the knowledge graph and the attack evolution trend.
[0018] This application achieves closed-loop management of the entire process, from network entity behavior data collection and temporal feature extraction to attack path prediction, security event verification, and parameter adaptive optimization, through the collaborative operation of a temporal evolution graph construction module, an attack prediction module, a prediction verification module, and a graph optimization module. The system uses a knowledge graph with temporal labels as its core, relies on a temporal graph neural network model to mine attack evolution patterns, and combines a Bayesian optimization algorithm to dynamically adjust key parameters. This not only ensures the accuracy and timeliness of attack prediction, but also continuously improves the system's adaptability through a closed-loop optimization mechanism, effectively supporting the orderly development of network security protection work and providing reliable technical support for network security situation awareness and risk prevention and control.
[0019] Based on the dynamic adjustment of the sliding time window according to the attack phase, the Hidden Markov Model is used to analyze the time series data of network entity behavior to identify the current attack phase of the network environment. The attack phase includes at least one of the attack probing phase, attack diffusion phase, attack outbreak phase, and attack decay phase. Different attack phases correspond to different sliding time window parameters, including window duration and sliding step size. According to the preset mapping relationship between the attack phase and the sliding time window parameters, the sliding time window parameters used to construct the knowledge graph with time series labels are dynamically determined.
[0020] Collect time-series data on the behavior of network entities, as detailed below: Network traffic data records various information generated during daily internet use, including the start and end times of each internet session, the number of data packets sent and received, the total amount of data generated, the IP address and network port used during the connection, and the duration of each internet session. The system operation log records the operating status of all devices, including whether the device started normally, whether the operation was successful, who the operator was, the specific content of the operation, and the exact time when each operation occurred; Terminal security alarm information records abnormal situations that occur on the device, including which operations do not conform to normal specifications, the level of security risks involved, the specific time of the anomaly, the affected devices, and the corresponding risk indicators; The collected raw data is preprocessed to unify the data format and ensure standardization and usability: the time information in all data is unified into a standard time format to avoid confusion caused by format differences; network entity identifiers such as IP addresses and domain names are standardized and encoded to facilitate system identification and matching; and the detected attack-related tags are mapped to common security attack standard terms to ensure uniformity in attack type descriptions.
[0021] Hidden Markov Models are used to analyze the time-series data of network entity behavior to identify the current attack stage of the network environment. The attack stage includes at least one of attack probing, attack propagation, attack outbreak and attack decay. Different attack stages correspond to different network behavior characteristics and risk intensity. The overall attack situation shows regular changes as the stages progress. Based on the Hidden Markov Model's ability to analyze continuous time-series data, the system combines the comprehensive characteristics of the real-time operation and security of the entire network for unified processing, forming time-series observation information that the model can identify. Through the model's inference and analysis of time-series data, combined with the overall network risk change pattern, the system judges and determines the current attack stage of the network. The system matches appropriate window durations and sliding step sizes for different attack stages based on a preset mapping relationship between attack stages and sliding time window parameters. This is used for the construction of time-series tag knowledge graphs. After identifying the current attack stage identifier, the system retrieves the preset mapping relationship, automatically matches the corresponding sliding time window parameters, and dynamically adjusts the parameters. Through the fixed association and matching of stages and parameters, the collection cycle and update rhythm of the time-series tag knowledge graph are made to keep pace with the evolution of network attacks in real time, improving the rationality of time-series data collection and the accuracy of graph construction.
[0022] The system monitors the temporal feature deviation of nodes, performs real-time periodic sampling of the temporal feature vectors of each node in the knowledge graph, calculates the difference in the temporal features of nodes within adjacent sampling periods, determines the feature deviation threshold based on the system's preset temporal feature judgment criteria, and determines that the node has a temporal feature deviation when the difference exceeds the feature deviation threshold, and marks it as a node to be updated.
[0023] The sampling period is synchronized with the sliding time window step size corresponding to the attack phase. Each time the time window completes one slide, the system synchronously completes the periodic sampling of the temporal feature vector of the nodes that have changed in the current window, and counts the difference in the temporal features of the nodes between adjacent sampling periods. The temporal feature vector consists of multiple sets of values, which are used to characterize the running behavior and state changes of the nodes in the current time window. In order to detect the temporal feature deviation, the system compares the feature vector obtained in this sampling with the feature vector of the previous sampling period according to the preset temporal feature judgment criteria, and quantifies the difference in the temporal features of the nodes. When the difference exceeds the feature deviation threshold, the node is judged to have a temporal feature deviation and is marked as a node to be updated, providing a judgment basis for subsequent local updates of the map. The feature deviation threshold is determined based on the statistical distribution of historical normal behavior data. During system operation, the feature deviation threshold is adaptively adjusted according to network traffic density: when the network interaction frequency is higher than the baseline level, the feature deviation threshold is increased to reduce noise sensitivity; when the network interaction frequency is lower than the baseline level, the feature deviation threshold is decreased to improve detection sensitivity.
[0024] The recalculation range is selected based on the differences in node temporal activity. The temporal activity score is calculated based on the frequency of node interactions, the number of associated security events, and the magnitude of state changes within the sliding time window. Nodes are sorted from high to low according to their temporal activity scores, and divided into high-activity, medium-activity, and low-activity levels. The local recalculation range of the deviation node is determined based on the differences in activity level.
[0025] After identifying the deviation nodes to be updated, the system calculates the node's temporal activity score to differentiate and determine the local recalculation range, thereby improving the overall update efficiency of the knowledge graph. The temporal activity score is derived by combining multiple indicators within the sliding time window, mainly including three core elements: node interaction frequency, number of associated security events, and the magnitude of node state changes. The system integrates multiple indicators to complete the comprehensive evaluation of activity, sorts them from high to low according to the temporal activity score, and divides them into three levels: high activity, medium activity, and low activity based on the evaluation results. The system matches the corresponding local recalculation range for the deviation node according to different activity levels. The higher the activity level, the larger the corresponding local recalculation range, thereby achieving differentiated recalculation range selection and reasonably controlling the computational cost while ensuring the map update effect.
[0026] Trigger differential update and perform local recalculation on the deviation node and its neighbor nodes with a limited number of hops. When a deviation in the temporal characteristics of a node is detected, the differential update mechanism is triggered. Only the deviation node that meets the preset conditions in the temporal activity score and its neighbor subgraph within a limited number of hops are recalculated and updated with the embedding vector and edge weights. The original embedding representation of the non-deviation node remains unchanged. The limited number of hops is 1-3 hops, and the specific number of hops is dynamically determined according to the temporal activity level of the node.
[0027] After completing the node activity level classification, the system triggers a differential update mechanism, which only performs local recalculation on deviation nodes whose time-series activity scores meet preset conditions. For nodes with low activity and slight feature fluctuations, only their own node attributes are updated to reduce the overall computational overhead. The preset conditions are that the node activity level reaches medium or above. The finite number of hops neighbor range for such nodes is dynamically determined according to the activity level, with a hop range of 1 to 3 hops. High-activity deviation nodes select a three-hop neighbor range, medium-activity deviation nodes select a two-hop neighbor range, and low-activity nodes only perform self-updates or are limited to a minimum update within a one-hop range. Centered on the deviation node, a neighbor subgraph is formed by expanding the scope of the subgraph with a limited number of hops using a breadth-first approach. Valid neighbors are selected based on the node association strength, and weakly associated isolated nodes are removed to determine the boundary of the recalculated subgraph. For the determined neighbor subgraph, the node embedding vector and edge weights are locally recalculated and updated in a unified manner, keeping the original embedding representation of non-deviation nodes outside the subgraph unchanged. Neighbor feature aggregation and feature transformation are only performed within the subgraph to generate updated node embedding vectors. At the same time, the edge weights within the subgraph are dynamically updated based on the recent interaction frequency and interaction timeliness of the nodes.
[0028] Predict the future attack target nodes and attack method transition probabilities. Extract the temporal features of each node based on the temporal evolution knowledge graph, and input them into a pre-trained temporal graph neural network model to learn the temporal evolution law of attack paths. Calculate the attack probability of each node in the future time step, and generate an attack method transition probability matrix based on the state transition relationship between nodes. Output an initial attack chain sequence containing the attack source, intermediate stepping stones, and target nodes. The pre-trained temporal graph neural network model is pre-trained based on historically labeled attack path data.
[0029] After acquiring the latest temporal evolution knowledge graph, the attack prediction module performs attack situation prediction and reasoning. First, it extracts the temporal features corresponding to each node from the temporal evolution knowledge graph. After organizing the node temporal features according to the graph structure, it inputs them into the pre-trained temporal graph neural network model. The model fully learns and mines the temporal evolution rules of network attack paths. During the model inference phase, the system combines the graph structure and node relationships to calculate the probability of each node being attacked within a future time step, forming a quantified risk distribution. At the same time, based on the state transition logic between nodes, it constructs and generates an attack method transition probability matrix. Combining the node attack probability and the attack method transition probability matrix for comprehensive analysis, the system finally generates and outputs a complete initial attack chain sequence containing the attack source, intermediate stepping stones, and target nodes.
[0030] Generate predicted attack chains and their corresponding confidence scores. Based on the attack method transition probability matrix and the initial attack chain sequence, select the top K optimal candidate attack chains. Combine the attack method transition probability and the temporal coherence of the attack path to calculate the confidence score of each candidate attack chain, sort them from high to low confidence scores, and output the final attack prediction result.
[0031] After generating the initial attack chain sequence, the system combines the attack method transition probability matrix to select the best of multiple attack paths and obtain the top K optimal candidate attack chains. Starting from the attack entry node, the system expands the attack path hop by hop, and retains the candidate path with high matching degree according to the cumulative probability of the path, while eliminating invalid and redundant paths, thus controlling the overall computational cost while ensuring the screening effect. The system comprehensively evaluates the credibility of candidate attack chains based on two core dimensions: first, the attack method transfer probability, which quantifies the overall probability of the path occurring by calculating the geometric mean of the attack method transfer probabilities among nodes in the chain; and second, the temporal coherence of the attack path, which judges the rationality of the attack behavior based on the changing patterns of the interaction time intervals between nodes in the path. The two dimensions are weighted and fused to obtain the corresponding confidence score for each candidate attack chain. Finally, all candidate attack chains are sorted from high to low according to their confidence scores, and the final attack prediction results are output after sorting, thus generating multiple predicted attack chains and their corresponding confidence scores.
[0032] The spatiotemporal matching comparison and preset threshold judgment in the prediction verification module include: associating and matching the attack target and attack time in the predicted attack chain with the victim node and occurrence timestamp recorded in the actual security event log; calculating the time deviation, path matching deviation and confidence deviation between the prediction result and the actual observation, and weighted fusion to generate a prediction deviation value; when the prediction deviation value is greater than the preset deviation threshold, generating a spectrum correction signal.
[0033] The prediction verification module performs spatiotemporal matching and comparison and preset threshold judgment to verify and check the prediction results against the actual security events. The module first extracts the attack target node, predicted attack time and attack method information in the predicted attack chain, and then retrieves the victim node, event timestamp and attack type data from the actual security event log. After completing the data standardization and alignment, it performs multi-dimensional deviation calculation. The system calculates three types of deviation indicators: time deviation, which is the absolute value of the difference between the predicted attack time and the actual event time, reflecting the prediction accuracy in the time dimension; path matching deviation, which quantifies the degree of attack path matching by comparing the overlap between the predicted attack path nodes and the actual victim node set; and confidence deviation, which characterizes the difference between the prediction confidence and the actual event matching, reflecting the prediction credibility deviation. The three types of deviation indicators are weighted and fused to generate a comprehensive prediction deviation value. This comprehensive prediction deviation value is compared with the system's preset deviation threshold. Prediction deviation samples generated during multiple rounds of prediction verification in the early stage of system operation are collected, and the statistical distribution characteristics of the prediction deviation samples are calculated. The upper quantile of the statistical distribution is taken as the initial preset deviation threshold. When the deviation value exceeds the threshold, the system immediately generates a graph correction signal and pushes it to the graph optimization module to start the subsequent knowledge graph parameter optimization process.
[0034] The graph optimization module feeds back the correction information to the temporal evolution graph construction module based on the received graph correction signal, and uses a Bayesian optimization algorithm to adaptively adjust the sliding time window length, the finite number of hop neighbors range, and the node temporal feature weights.
[0035] After receiving the map correction signal, the map optimization module analyzes the deviation-related information in the signal and synchronously feeds back the correction information to the time-series evolution map construction module to guide the parameter adjustment work in the map construction process. The module uses Bayesian optimization algorithm as its core, and combines the deviation data corresponding to the correction signal to adaptively optimize and adjust the key parameters of knowledge graph construction. The adjustment objects include the sliding time window length, the range of neighbors with a limited number of hops, and the weight of node temporal features. The algorithm aims to reduce the overall prediction deviation and obtains the optimal parameter combination that is suitable for the current network environment through iterative optimization. The optimized parameters are then formally applied to the system operation to realize the dynamic adaptation and adjustment of the knowledge graph, and continuously improve the accuracy of attack inference prediction and the overall operational adaptability.
[0036] The node temporal feature weights include node temporal activity weights, time decay factors, and correlation strength coefficients. The node temporal activity weights are derived from the frequency of behavior triggers within a continuous sampling period, and are used to measure the frequency and magnitude of node behavior within the time period. The time decay factor is derived based on the temporal correlation of node temporal features and is used to control the weakening of historical behavior data over time. The correlation strength coefficient is calculated based on the interaction frequency and correlation tightness between nodes and is used to quantify the level of correlation between nodes. The graph optimization module dynamically updates the allocation ratio of the above weight coefficients according to the corresponding prediction deviation type in the correction signal. The three work together to form a complete node temporal feature weighting system, which acts uniformly on the node feature update process of the knowledge graph. After receiving the graph correction signal, the graph optimization module accurately distinguishes the different prediction deviation types corresponding to the signal, and dynamically adjusts the distribution ratio and intensity of each weight coefficient in a targeted manner based on the actual causes of the deviation. This completes the adaptive optimization of the weight parameters, making the node temporal feature expression adapt to the current network attack evolution, and effectively improving the model inference accuracy and the overall adaptability of the graph.
[0037] The foregoing has shown and described the basic principles, main features, and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited to the above embodiments. The embodiments and descriptions in the specification are merely principles of the invention. Various changes and modifications can be made to the invention without departing from its spirit and scope, and all such changes and modifications fall within the scope of the claimed invention. The scope of protection claimed by the present invention is defined by the appended technical solutions and their equivalents.
Claims
1. A big data knowledge graph construction and intelligent reasoning system, characterized in that, include: The system includes a temporal evolution graph construction module, an attack prediction module, a prediction verification module, and a graph optimization module. The temporal evolution graph construction module is used to collect temporal data of network entity behavior, dynamically adjust the sliding time window based on the attack phase, construct a knowledge graph with temporal labels, monitor the deviation of node temporal characteristics and trigger differential updates, select the recalculation range according to the difference in node temporal activity, perform local recalculation only on the deviation node and its limited number of hop neighbors, and generate a temporal evolution knowledge graph. The attack prediction module, based on the generated temporal evolution knowledge graph, predicts the probability of future attack target nodes and attack method shifts, generates predicted attack chains and corresponding confidence levels, and performs intelligent reasoning and prediction on network security. The prediction verification module is used to perform spatiotemporal matching and comparison between the predicted attack chain and the actual security event, calculate the prediction deviation, and generate a graph correction signal when the deviation exceeds the preset prediction deviation threshold. The graph optimization module, based on the received correction signal, feeds back to the temporal evolution graph construction module, adaptively adjusting the sliding time window, the finite number of hops neighbor range, and the node temporal feature weights to achieve dynamic adaptation and closed-loop autonomous optimization of the knowledge graph and the attack evolution trend.
2. The big data knowledge graph construction and intelligent reasoning system according to claim 1, characterized in that, Based on the dynamic adjustment of the sliding time window according to the attack phase, the Hidden Markov Model is used to analyze the time series data of network entity behavior to identify the current attack phase of the network environment. The attack phase includes at least one of the attack probing phase, attack diffusion phase, attack outbreak phase, and attack decay phase. Different attack phases correspond to different sliding time window parameters, including window duration and sliding step size. According to the preset mapping relationship between the attack phase and the sliding time window parameters, the sliding time window parameters used to construct the knowledge graph with time series labels are dynamically determined.
3. The big data knowledge graph construction and intelligent reasoning system according to claim 1, characterized in that, The system monitors the temporal feature deviation of nodes, performs real-time periodic sampling of the temporal feature vectors of each node in the knowledge graph, calculates the difference in the temporal features of nodes within adjacent sampling periods, determines the feature deviation threshold based on the system's preset temporal feature judgment criteria, and determines that the node has a temporal feature deviation when the difference exceeds the feature deviation threshold, and marks it as a node to be updated.
4. The big data knowledge graph construction and intelligent reasoning system according to claim 1, characterized in that, The recalculation range is selected based on the differences in node temporal activity. The temporal activity score is calculated based on the frequency of node interactions, the number of associated security events, and the magnitude of state changes within the sliding time window. Nodes are sorted from high to low according to their temporal activity scores, and divided into high-activity, medium-activity, and low-activity levels. The local recalculation range of the deviation node is determined based on the differences in activity level.
5. The big data knowledge graph construction and intelligent reasoning system according to claim 1, characterized in that, Trigger differential update and perform local recalculation on the deviation node and its neighbor nodes with a limited number of hops. When a deviation in the temporal characteristics of a node is detected, the differential update mechanism is triggered. Only the deviation node whose temporal activity score meets the preset conditions and its neighbor subgraph within a limited number of hops are recalculated and updated with the embedding vector and edge weights. The original embedding representation of the non-deviation node remains unchanged. The limited number of hops is 1-3 hops, and the specific number of hops is dynamically determined according to the temporal activity level of the node.
6. The big data knowledge graph construction and intelligent reasoning system according to claim 1, characterized in that, Predict the future attack target node and attack method transition probability. Extract the temporal features of each node based on the temporal evolution knowledge graph, input them into the pre-trained temporal graph neural network model to learn the temporal evolution law of the attack path; calculate the attack probability of each node in the future time step, and generate the attack method transition probability matrix according to the state transition relationship between nodes. Output the initial attack chain sequence containing the attack source, intermediate stepping stones and target nodes.
7. The big data knowledge graph construction and intelligent reasoning system according to claim 1, characterized in that, Generate predicted attack chains and their corresponding confidence scores. Based on the attack method transition probability matrix and the initial attack chain sequence, select the top K optimal candidate attack chains. Combine the attack method transition probability and the temporal coherence of the attack path to calculate the confidence score of each candidate attack chain, sort them from high to low confidence scores, and output the final attack prediction result.
8. The big data knowledge graph construction and intelligent reasoning system according to claim 1, characterized in that, The spatiotemporal matching comparison and preset threshold judgment in the prediction verification module include: associating and matching the attack target and attack time in the predicted attack chain with the victim node and occurrence timestamp recorded in the actual security event log; calculating the time deviation, path matching deviation and confidence deviation between the prediction result and the actual observation, and weighted fusion to generate a prediction deviation value; when the prediction deviation value is greater than the preset deviation threshold, generating a spectrum correction signal.
9. The big data knowledge graph construction and intelligent reasoning system according to claim 1, characterized in that, The graph optimization module feeds back the correction information to the temporal evolution graph construction module based on the received graph correction signal, and uses a Bayesian optimization algorithm to adaptively adjust the sliding time window length, the finite number of hop neighbors range, and the node temporal feature weights.
10. A big data knowledge graph construction and intelligent reasoning system according to claim 1, characterized in that, The node temporal feature weights include: node temporal activity weight, time decay factor, and correlation strength coefficient; the time decay factor is derived based on the temporal correlation of node temporal features, and the correlation strength coefficient is calculated based on the interaction frequency and correlation tightness between nodes; the graph optimization module dynamically updates the allocation ratio of the above weight coefficients according to the corresponding prediction deviation type in the correction signal.