A spatiotemporal log trace graph representation method, device, computer equipment and program product for a multi-source heterogeneous network

By performing cross-domain entity alignment and feature fusion in multi-source heterogeneous networks, the problems of semantic gap and graph model size growth are solved, and efficient spatiotemporal behavior representation and anomaly detection are achieved.

CN122372269APending Publication Date: 2026-07-10CHINA SOUTHERN POWER GRID COMPANY

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA SOUTHERN POWER GRID COMPANY
Filing Date
2026-04-15
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

In multi-source heterogeneous networks, existing technologies struggle to overcome the semantic gap, leading to difficulties in cross-domain entity association, rapid growth in graph model size, and limited ability to detect complex attacks.

Method used

By acquiring log data from multi-source heterogeneous networks, mapping it to a network security ontology model, performing cross-domain entity alignment and merging redundant nodes, and using heterogeneous graph attention and temporal attention mechanisms to extract causal topological features and temporal evolution features, then comparing and fusing them to generate spatiotemporal behavioral representations.

Benefits of technology

It achieves unified entity association paths across network domains, compresses the graph structure size, reduces computational complexity and memory overhead, and at the same time takes into account spatial structure dependencies and temporal action patterns, thereby improving the ability to detect anomalies.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372269A_ABST
    Figure CN122372269A_ABST
Patent Text Reader

Abstract

This application relates to a method, apparatus, computer device, and computer program product for representing spatiotemporal log source graphs in multi-source heterogeneous networks, relating to the field of network security, and capable of accurately determining the spatiotemporal behavioral representation of the source graph of node interactions in multi-source heterogeneous networks. The method includes: acquiring log data from the multi-source heterogeneous network; mapping the log data to a preset network security ontology model in each network domain to obtain the entities corresponding to the log data and the relationships between these entities; obtaining an initial source graph based on the entities and relationships; merging redundant nodes based on the data dependencies between nodes in the initial source graph to obtain a target source graph; extracting causal topological features through a heterogeneous graph attention mechanism and extracting temporal evolution features through a temporal attention mechanism; and comparing and fusing the causal topological features and temporal evolution features to obtain the spatiotemporal behavioral representation corresponding to the target source graph.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to a method, apparatus, computer device, computer-readable storage medium, and computer program product for spatiotemporal log source graph representation of multi-source heterogeneous networks. Background Technology

[0002] As the modern network environment becomes increasingly complex, security analysis technology has become an important means of anomaly detection.

[0003] However, in real-world environments, security-related data is scattered across heterogeneous silos of hosts, networks, and applications, resulting in significant semantic gaps and making it difficult to establish effective cross-domain entity relationships. Furthermore, the massive volume of logs leads to an exponential increase in the size of the source graph, easily triggering dependency explosion during graph traversal and computation. Simultaneously, most existing graph models are designed for static topologies, neglecting the fine-grained evolutionary characteristics of node interactions over continuous time, thus limiting their ability to detect complex attacks. Therefore, overcoming the semantic gap of multi-source data and effectively controlling graph size to accurately determine the spatiotemporal representation of network interaction behavior are pressing technical problems that need to be solved in this field. Summary of the Invention

[0004] Based on this, it is necessary to provide a method, apparatus, computer device, computer-readable storage medium, and computer program product for spatiotemporal log source graph representation of multi-source heterogeneous networks to address the above-mentioned technical problems.

[0005] Firstly, this application provides a spatiotemporal log source graph representation method for multi-source heterogeneous networks, including:

[0006] Acquire log data from a multi-source heterogeneous network; the multi-source heterogeneous network includes multiple network domains with different data acquisition layers;

[0007] In each network domain, the log data is mapped to a preset network security ontology model to obtain the entities corresponding to the log data and the relationships between the entities;

[0008] Based on the entities and their relationships, cross-domain entity alignment is performed to obtain an initial source graph;

[0009] Based on the data dependencies between nodes in the initial source graph, redundant nodes in the initial source graph are identified and merged to obtain the target source graph.

[0010] The causal topological features of the target source graph are extracted using a heterogeneous graph attention mechanism, and the temporal evolution features of the target source graph are extracted using a temporal attention mechanism.

[0011] By comparing and fusing the causal topological features and the temporal evolution features, a spatiotemporal behavioral representation corresponding to the target tracing map is obtained.

[0012] In one embodiment, the step of extracting the causal topological features of the target source graph through a heterogeneous graph attention mechanism includes:

[0013] For any target edge in the target tracing graph, obtain the first node and the second node at both ends of the target edge;

[0014] Based on the first node projection matrix corresponding to the node type of the first node obtained in advance, the node features of the first node are mapped to a unified semantic space.

[0015] Based on the second node projection matrix corresponding to the node type of the second node obtained in advance, the node features of the second node are mapped to the unified semantic space;

[0016] The attention weight of the target edge is determined based on the pre-acquired edge parameter matrix corresponding to the edge type of the target edge, and the node features of the first node and the second node mapped to the unified semantic space.

[0017] Based on the attention weight of the target edge, the node features of multiple first nodes are weighted and fused to obtain the causal topological features of the target source graph.

[0018] In one embodiment, the step of extracting the temporal evolution features of the target source map through a temporal attention mechanism includes:

[0019] Obtain the continuous timestamps of multiple nodes in the target tracing graph, and convert the continuous timestamps into a high-dimensional time vector using a preset time mapping function;

[0020] Based on the high-dimensional time vector and the preset intensity decay function, the time weight of the current node's influence by the corresponding historical node is determined; wherein, the current node and the historical node are nodes among the plurality of nodes, and the timestamp of the historical node is earlier than the timestamp of the current node;

[0021] The features of the historical nodes are weighted and aggregated according to the time weight to obtain the time evolution features.

[0022] In one embodiment, the step of comparing and fusing the causal topological features and the temporal evolution features to obtain the spatiotemporal behavioral representation corresponding to the target source map includes:

[0023] The causal topological features and the temporal evolution features corresponding to the same node are constructed as positive sample pairs, and the causal topological features and the temporal evolution features corresponding to different nodes are constructed as negative sample pairs;

[0024] In a preset representation space, based on a preset cross-view contrastive loss function, the positive sample pairs and the negative sample pairs, the causal topological features and the temporal evolution features corresponding to the same node are aligned.

[0025] The causal topological features after feature alignment are fused with the temporal evolution features to obtain the spatiotemporal behavior representation.

[0026] In one embodiment, the step of determining redundant nodes in the initial source graph based on the data dependencies between nodes in the initial source graph, and merging the redundant nodes to obtain the target source graph, includes:

[0027] Based on the data dependencies, the main causal path in the initial source graph is obtained;

[0028] For multiple nodes that are connected on the main causal path, obtain the semantic similarity between the multiple nodes;

[0029] When the semantic similarity meets the preset merging conditions, the multiple nodes are identified as redundant nodes;

[0030] The redundant nodes are subjected to attribute aggregation and edge merging operations to obtain the target source graph.

[0031] In one embodiment, after comparing and fusing the causal topological features and the temporal evolution features to obtain the spatiotemporal behavioral representation corresponding to the target source map, the method further includes:

[0032] Obtain the distance between the spatiotemporal behavior representation and the reference center of the preset normal behavior in the preset representation space;

[0033] When the distance is greater than a preset anomaly threshold, the node corresponding to the spatiotemporal behavior representation is identified as an anomaly node.

[0034] Based on the abnormal node, a reverse traversal is performed on the target source graph, and the abnormal source result is determined according to the edge weight characteristics on the traversal path.

[0035] In one embodiment, the step of performing cross-domain entity alignment based on the entity and the association relationship to obtain an initial source graph includes:

[0036] Obtain the multimodal attribute features of the entities in different network domains;

[0037] Based on the multimodal attribute features, the entity is subjected to spatiotemporal constraint matching to obtain the spatiotemporal constraint matching result;

[0038] Using a non-axiomatic logic algorithm, the interaction premises and implicit associations between entities in different network domains are determined, and cross-domain association relationships are established based on the interaction premises and implicit associations.

[0039] Based on the spatiotemporal constraint matching results and the association relationships between the cross-domain entities, cross-domain entity alignment is performed to obtain the initial source graph.

[0040] Secondly, this application also provides a spatiotemporal log source graph representation device for multi-source heterogeneous networks, comprising:

[0041] The data acquisition module is used to acquire log data from a multi-source heterogeneous network; the multi-source heterogeneous network includes multiple network domains with different data acquisition layers.

[0042] The entity relationship determination module is used to map the log data to a preset network security ontology model in each network domain to obtain the entity corresponding to the log data and the relationship between each entity;

[0043] The initial source graph creation module is used to perform cross-domain entity alignment based on the entities and the association relationships to obtain the initial source graph;

[0044] The target tracing graph establishment module is used to determine redundant nodes in the initial tracing graph based on the data dependency relationships between nodes in the initial tracing graph, and to merge the redundant nodes to obtain the target tracing graph.

[0045] The feature extraction module is used to extract the causal topological features of the target source graph through a heterogeneous graph attention mechanism, and to extract the temporal evolution features of the target source graph through a temporal attention mechanism.

[0046] The spatiotemporal representation module is used to compare and fuse the causal topological features and the temporal evolution features to obtain the spatiotemporal behavior representation corresponding to the target source map.

[0047] Thirdly, this application also provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:

[0048] Acquire log data from a multi-source heterogeneous network; the multi-source heterogeneous network includes multiple network domains with different data acquisition layers;

[0049] In each network domain, the log data is mapped to a preset network security ontology model to obtain the entities corresponding to the log data and the relationships between the entities;

[0050] Based on the entities and their relationships, cross-domain entity alignment is performed to obtain an initial source graph;

[0051] Based on the data dependencies between nodes in the initial source graph, redundant nodes in the initial source graph are identified and merged to obtain the target source graph.

[0052] The causal topological features of the target source graph are extracted using a heterogeneous graph attention mechanism, and the temporal evolution features of the target source graph are extracted using a temporal attention mechanism.

[0053] By comparing and fusing the causal topological features and the temporal evolution features, the spatiotemporal behavior representation corresponding to the target source map is obtained.

[0054] Fourthly, this application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, performs the following steps:

[0055] Acquire log data from a multi-source heterogeneous network; the multi-source heterogeneous network includes multiple network domains with different data acquisition layers;

[0056] In each network domain, the log data is mapped to a preset network security ontology model to obtain the entities corresponding to the log data and the relationships between the entities;

[0057] Based on the entities and their relationships, cross-domain entity alignment is performed to obtain an initial source graph;

[0058] Based on the data dependencies between nodes in the initial source graph, redundant nodes in the initial source graph are identified and merged to obtain the target source graph.

[0059] The causal topological features of the target source graph are extracted using a heterogeneous graph attention mechanism, and the temporal evolution features of the target source graph are extracted using a temporal attention mechanism.

[0060] By comparing and fusing the causal topological features and the temporal evolution features, the spatiotemporal behavior representation corresponding to the target source map is obtained.

[0061] Fifthly, this application also provides a computer program product, including a computer program that, when executed by a processor, performs the following steps:

[0062] Acquire log data from a multi-source heterogeneous network; the multi-source heterogeneous network includes multiple network domains with different data acquisition layers;

[0063] In each network domain, the log data is mapped to a preset network security ontology model to obtain the entities corresponding to the log data and the relationships between the entities;

[0064] Based on the entities and their relationships, cross-domain entity alignment is performed to obtain an initial source graph;

[0065] Based on the data dependencies between nodes in the initial source graph, redundant nodes in the initial source graph are identified and merged to obtain the target source graph.

[0066] The causal topological features of the target source graph are extracted using a heterogeneous graph attention mechanism, and the temporal evolution features of the target source graph are extracted using a temporal attention mechanism.

[0067] By comparing and fusing the causal topological features and the temporal evolution features, the spatiotemporal behavior representation corresponding to the target source map is obtained.

[0068] The aforementioned spatiotemporal log source graph representation method, apparatus, computer equipment, computer-readable storage medium, and computer program product for multi-source heterogeneous networks acquire log data from a multi-source heterogeneous network. The multi-source heterogeneous network includes multiple network domains with different data acquisition layers. In each network domain, the log data is mapped to a preset network security ontology model to obtain the entities corresponding to the log data and the relationships between these entities. Based on the entities and the relationships, cross-domain entity alignment is performed to obtain an initial source graph. Based on the data dependencies between nodes in the initial source graph, redundant nodes in the initial source graph are identified and merged to obtain a target source graph. Causal topological features of the target source graph are extracted using a heterogeneous graph attention mechanism, and temporal evolution features are extracted using a temporal attention mechanism. The causal topological features and temporal evolution features are compared and fused to obtain the spatiotemporal behavior representation corresponding to the target source graph. In this application, by mapping multi-source log data to a network security ontology model and performing cross-domain entity alignment, the underlying semantic format of heterogeneous data is unified, and a connection path between entities across network domains is established. Secondly, based on the data dependency relationship between nodes, redundant nodes in the initial source graph are merged, compressing the overall scale of the graph structure while maintaining the integrity of the original causal logical chain, thereby reducing the memory overhead and processing complexity of subsequent graph computation. Finally, causal topological features and temporal evolution features are extracted through heterogeneous graph attention mechanism and temporal attention mechanism, respectively, and the two are compared and fused, so that the final spatiotemporal behavior representation can simultaneously take into account multi-dimensional spatial structural dependencies and continuous temporal action patterns. Attached Figure Description

[0069] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the description of the embodiments of this application or related technologies will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0070] Figure 1 This is a flowchart illustrating a spatiotemporal log source graph representation method for multi-source heterogeneous networks in one embodiment.

[0071] Figure 2 This is a schematic diagram of a dual-view spatiotemporal representation learning network in one embodiment;

[0072] Figure 3 This is a comparison chart of the semantic-aware graph reduction effect in one embodiment;

[0073] Figure 4This is a flowchart illustrating the anomaly detection and attack backtracking process in one embodiment;

[0074] Figure 5 This is a flowchart illustrating the multi-source heterogeneous data unification and entity alignment technology in one embodiment.

[0075] Figure 6 This is a flowchart illustrating a spatiotemporal log source graph representation method for multi-source heterogeneous networks in another embodiment.

[0076] Figure 7 This is a structural block diagram of a spatiotemporal log source graph characterization device for multi-source heterogeneous networks in one embodiment;

[0077] Figure 8 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation

[0078] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.

[0079] The spatiotemporal log source graph representation method for multi-source heterogeneous networks provided in this application can be applied to various computing and network architectures that have the ability to produce, collect, and correlate multidimensional data.

[0080] For example, this application environment is typically constructed by computing nodes and distributed data sources. The computing nodes can be single servers with high-performance processing capabilities, cluster architectures within security operations centers, or big data processing platforms relying on cloud computing power. The computing nodes communicate with network subdomains located in different geographical locations or logical levels through high-speed backbone networks, virtual private clouds, or cross-domain network connections, thereby achieving the aggregation of multi-source log data from host systems, network boundary facilities, cloud application services, and terminal devices. Furthermore, the multi-source heterogeneous network in this application environment manifests as a heterogeneous environment based on different communication protocols, operating system architectures, and data generation logics within the same business system.

[0081] In actual operation, the computing processing node is applied to the server as the execution entity, responsible for maintaining a logical security monitoring plane. This plane can receive and cache continuous log streams from multi-source heterogeneous spaces. Because these log streams have strong temporal order and deep semantic causal dependencies, the application environment also needs to provide storage support to persistently or semi-persistently save the mapped entity relationships and the derived source graph topology, thereby providing a stable technical foundation for subsequent real-time detection and long-term source tracing of complex threats such as Advanced Persistent Threat (APT) attacks.

[0082] In one embodiment, such as Figure 1 As shown, a spatiotemporal log source graph representation method for multi-source heterogeneous networks is provided. This embodiment illustrates the application of this method to a terminal. It is understood that this method can also be applied to a server, and to a system including both a terminal and a server, and implemented through the interaction between the terminal and the server. In this embodiment, the method includes the following steps:

[0083] Step S101: Obtain log data from a multi-source heterogeneous network; the multi-source heterogeneous network includes multiple network domains with different data acquisition layers.

[0084] Log data, as raw digital records reflecting the operational status of multi-source heterogeneous networks, can be generated from different dimensions such as kernel audit events, system call trajectories, network traffic packet summaries, and application software operational status information, providing the basic facts for causal analysis and behavioral auditing. Furthermore, network domains, as logical boundary divisions of multi-source heterogeneous networks, can be sub-environments defined based on business security requirements, geographical distribution, or differences in technology stacks, used to establish multi-layered and multi-dimensional observation perspectives at the data acquisition level.

[0085] Specifically, the server can establish communication links with multiple network domains at different data acquisition levels, and through the configuration of preset data interaction interfaces, achieve unified aggregation of raw operational trajectories scattered across various locations. For example, the server can categorize and retrieve or receive real-time pushes of system audit streams at the host level, message exchange records at the network level, and service call logs at the application level. During execution, the server can perform preliminary streaming processing on data from different network domains according to predefined acquisition strategies to ensure that the data has consistent timestamps and traceability of its source before entering subsequent processing stages.

[0086] Step S102: In each network domain, the log data is mapped to a preset network security ontology model to obtain the entities corresponding to the log data and the relationships between the entities.

[0087] Among them, the network security ontology model can be a structured semantic framework built for multi-source heterogeneous environments, used to transform raw log information from different sources and in different formats into a standardized expression with unified semantic connotation. It can be based on prior knowledge in the field of network security and predefine multi-dimensional attribute dimensions, including the executing subject, the operation object, and the environmental context.

[0088] An entity can be a uniquely identifiable information unit in an ontology model that carries specific business logic. It is used to represent objective objects such as computing resources, execution processes, or network connections. It can be instantiated based on key fields in logs.

[0089] Relationships can be interactive connections between different entities, used to describe dynamic behaviors such as data flow, permission triggering, or system calls. They are usually used to characterize the dependency paths of entities in the spatiotemporal dimension.

[0090] Specifically, the server can perform deep field parsing and semantic extraction on log text based on the log characteristics of different network domains, using preset parsing rules or mapping operators to identify active objects involved in the logs and their specific actions. In this process, the server can map the parsed attribute information to nodes (i.e., entities) in the model based on the definition of the ontology model, and determine the edge connections (i.e., associations) between different nodes according to the order of log records or logical dependencies.

[0091] Optionally, the server can first complete this local semantic modeling within the boundary of each independent network domain. Through this distributed mapping method, the discrete data generated by each network domain can be transformed into a local semantic subgraph.

[0092] Step S103: Based on entities and relationships, perform cross-domain entity alignment to obtain the initial source graph.

[0093] The initial source map can be a global topological network that reflects the behavior and interaction logic of the entire system, providing a panoramic data view for subsequent path analysis and causal deduction. It can be fused and constructed based on the aligned entities and their evolutionary relationships in a unified spatiotemporal coordinate system.

[0094] Specifically, the server can obtain a set of entities to be aligned distributed across different network domains and extract the attribute labels, multimodal features, and contextual behavior sequences carried by these entities. For example, the server can employ a preset attribute matching algorithm or logical association strategy to perform spatiotemporal constraint verification on entities with cross-domain association potential, thereby determining whether entities in different domains are redundant records of the same system object, network connection, or business operation. After determining the alignment relationship of the entities, the server can logically merge these cross-domain entities and synchronously update their association relationships in different domains, integrating the association subgraphs of each local network domain into a unified global topology architecture, thereby generating an initial source graph.

[0095] Step S104: Based on the data dependencies between nodes in the initial source graph, identify redundant nodes in the initial source graph and merge the redundant nodes to obtain the target source graph.

[0096] Among them, data dependencies can be causal constraints existing between nodes in the source graph, used to reveal the interaction trajectory and scope of influence of different entities in the execution sequence. They can be characterized based on the order of process derivation, file reading and writing, or network connection.

[0097] Redundant nodes can be information units in the source graph that do not contribute additional effective security semantics at a specific observation granularity or have highly repetitive behaviors. They are used to simplify the physical scale of the graph structure while ensuring the integrity of the source analysis. They can be logically identified based on the degree of overlap of attributes between nodes, the similarity of behavioral patterns, or the correlation strength of topological connections.

[0098] The target source graph can be a simplified source network after structural optimization and information aggregation, which can be used as input data for subsequent deep representation learning and anomaly detection. It can be generated by merging similar or related redundant nodes in the initial source graph.

[0099] Specifically, the server can extract the critical paths from the initial source graph and identify intermediate state nodes that are generated on the same interaction path and have temporal continuity or logical repetition. During execution, the server can perform topological folding and attribute compression on nodes and their associated edges that are deemed redundant, based on predefined aggregation criteria. This integrates discrete, low-value intermediate processes into composite nodes or enhanced paths with high semantic concentration, thereby reducing the total number of nodes in the graph while preserving the original causal chain of behavior, and ultimately generating the target source graph.

[0100] Step S105: Extract the causal topological features of the target source graph through the heterogeneous graph attention mechanism, and extract the temporal evolution features of the target source graph through the temporal attention mechanism.

[0101] Among them, the heterogeneous graph attention mechanism can be a weight allocation algorithm based on a neural network architecture, used to quantify the association strength between different entities in a target source graph containing multiple node and edge types. It can perform nonlinear projection and aggregation of features based on the path attributes or local neighborhood distribution of nodes.

[0102] The time attention mechanism can be a dependency strength measurement model built for time-series features, used to quantify the differentiated contribution of historical events to the current node state. It can deduce dynamic weights based on the evolution of continuous timestamps and preset decay logic.

[0103] Causal topological features can be high-dimensional vectors representing system behavior in spatial dimensions, used to characterize the penetration patterns and diffusion paths of attack behaviors in network structures. They can be generated based on the weighted fusion of features of neighboring nodes.

[0104] Temporal evolution characteristics can be numerical representations that reflect the evolution trend of system state on the time axis. They are used to capture the temporal patterns of covert attack behaviors such as low-frequency and slow attacks. They can be modeled based on the intensity accumulation and decay laws of historical events.

[0105] Specifically, the server can project different types of features onto a unified semantic space using a mapping function for nodes and edges with heterogeneous attributes in the graph. It can also identify key causal connections by calculating attention scores between nodes, thereby extracting causal topological features that reflect the global logical flow. Simultaneously, the server can obtain the temporal information of each event node in the graph. By analyzing the chronological order of events and the evolution of the influence strength between nodes over time, it can construct an evolution vector that characterizes the dynamic changes in the system state, thus obtaining temporal evolution features.

[0106] Step S106: Compare and fuse the causal topological features and temporal evolution features to obtain the spatiotemporal behavior representation corresponding to the target source map.

[0107] Among them, spatiotemporal behavioral representation can be a robust high-dimensional vector description, used as a digital behavioral fingerprint of network entities in a multidimensional heterogeneous environment. It can be generated based on feature aggregation and dimensional transformation after aligning causal topological features and temporal evolution features, thus providing highly condensed behavioral pattern input for subsequent detection, classification or source tracing analysis.

[0108] Specifically, the server can map the extracted two types of view features to the same preset representation space, and establish the correspondence between features by constructing specific association constraints. For example, the server can adopt a contrastive learning paradigm, constructing positive association samples for features of the same node in different view domains, and constructing negative association samples for features between different nodes or features of the same node in non-corresponding states. By bringing positive samples closer and pushing negative samples further apart in the representation space, semantic alignment at the feature level is achieved.

[0109] Optionally, after completing feature alignment, the server can use a preset fusion operator to perform nonlinear combination or feature splicing processing on causal topological features and temporal evolution features, thereby compressing the causal chain in the spatial dimension and the evolutionary trajectory in the temporal dimension into a unified representation vector.

[0110] In this embodiment, by mapping multi-source log data to a network security ontology model and performing cross-domain entity alignment, the underlying semantic format of heterogeneous data is unified, and a connection path between entities across network domains is established. Secondly, based on the data dependency relationship between nodes, redundant nodes in the initial source graph are merged. While maintaining the integrity of the original causal logical chain, the overall scale of the graph structure is compressed, thereby reducing the memory overhead and processing complexity of subsequent graph computation. Finally, causal topological features and temporal evolution features are extracted through heterogeneous graph attention mechanism and temporal attention mechanism, respectively, and the two are compared and fused, so that the final spatiotemporal behavior representation can simultaneously take into account multi-dimensional spatial structural dependencies and continuous temporal action patterns.

[0111] In one embodiment, causal topological features of the target source graph are extracted using a heterogeneous graph attention mechanism, including:

[0112] For any target edge in the target origination graph, obtain the first node and the second node at both ends of the target edge; based on the first node projection matrix corresponding to the node type of the pre-obtained first node, map the node features of the first node to a unified semantic space; based on the second node projection matrix corresponding to the node type of the pre-obtained second node, map the node features of the second node to a unified semantic space; based on the edge parameter matrix corresponding to the edge type of the target edge, and the node features of the first node and the second node mapped to the unified semantic space, determine the attention weight of the target edge; based on the attention weight of the target edge, perform weighted fusion of the node features of multiple first nodes to obtain the causal topological features of the target origination graph.

[0113] Among them, the first node and the second node can be topological units located at both ends of the target edge, representing different network entities, and are used as the information source (source node) and information destination (target node) in the attention mechanism calculation process. They can carry multi-dimensional initial behavioral features based on their respective node types.

[0114] The node projection matrix can be a linear transformation operator that is pre-trained or set for a specific entity type. It is used to map the original node features in a heterogeneous semantic space to a feature space with a unified dimension and scale. Based on the diversity of entity types in each network domain, it can achieve the standardized expression of features by matching the corresponding transformation parameters to different types of nodes.

[0115] The edge parameter matrix can be a weight coefficient matrix associated with a specific interaction action type, used to adjust the semantic contribution of different edge types in the information transmission process. It can enhance the sensitivity of feature extraction by setting differentiated parameter distributions for specific action types (such as reading, writing, execution, etc.) based on the prior importance assessment of causal relationships in the target source graph.

[0116] Attention weights are numerical metrics that quantify the degree of connection between nodes, and are used to dynamically guide information aggregation in the topology of heterogeneous graphs.

[0117] Specifically, the server maps the node features of the first node to a unified semantic space based on the first node projection matrix corresponding to the node type of the first node (e.g., the subject entity type representing a process). Simultaneously, the server maps the node features of the second node to the unified semantic space based on the second node projection matrix corresponding to the node type of the second node (e.g., the object entity type representing a file or registry), thereby eliminating the semantic gap between different entity types. Subsequently, the server determines the attention weight of the target edge by calculating the inner product mapping between feature vectors and combining it with semantic adjustment of the edge parameter matrix, based on the pre-obtained edge parameter matrix corresponding to the edge type of the target edge (e.g., system call action type), and the node features of the first and second nodes mapped to the unified semantic space. Based on this, the server can perform weighted aggregation of the node features of multiple first nodes in the neighborhood based on the attention weight of the target edge to obtain the causal topological features of the target source graph.

[0118] Optionally, the server can utilize a multi-head attention structure for parallel computation to capture complex interactive semantics from multiple independent subspaces, thereby generating highly discriminative feature vectors that can deeply characterize the causal topological relationships of the system.

[0119] Optionally, to extract the causal topological features of the target source graph, an improved Heterogeneous Graph Transformer (HGT) can be used to capture complex type dependencies and structural patterns between entities. Furthermore, a message-passing mechanism guided by meta-paths can be employed to capture high-order causal dependencies between different types of entities. For example, under the heterogeneous graph mechanism, meta-relation projection can be performed for each edge. According to its source node type Edge type and target node type Define a specific projection matrix to map node features to the same semantic space:

[0120]

[0121]

[0122]

[0123] in, It is the first Nodes in a layered neural network eigenvectors, , as well as These represent the key, query, and value in the Transformer architecture.

[0124] At the same time, multi-head attention is calculated to aggregate attention:

[0125]

[0126] in, and It is a learnable parameter matrix for a specific edge type. It is the dimension of the feature vector. This allows the model to distinguish between different types of interactions (e.g., Exec operations typically contain stronger attack semantics than Read operations).

[0127] In this embodiment, based on the specific projection and parameter matrix matching node type and edge type, the server can fully consider the essential differences in semantics between different entities and behaviors when processing heterogeneous source graphs, effectively solving the problem of information loss of heterogeneous features under the traditional isomorphic graph processing method.

[0128] In one embodiment, the temporal evolution features of the target source graph are extracted using a temporal attention mechanism, including:

[0129] The continuous timestamps of multiple nodes in the target source map are obtained, and the continuous timestamps are converted into high-dimensional time vectors through a preset time mapping function. Based on the high-dimensional time vector and the preset intensity decay function, the time weight of the current node affected by the corresponding historical node is determined. The current node and the historical node are nodes among multiple nodes, and the timestamp of the historical node is earlier than the timestamp of the current node. The features of the historical nodes are weighted and aggregated according to the time weight to obtain the time evolution features.

[0130] Among them, continuous timestamps can be the original time sequence values ​​that record the time when system events occur, used to maintain the absolute or relative order of behavior on the timeline. They can be uniformly encapsulated based on the system clock or logical sequence number when the log is generated.

[0131] A time mapping function can be a mathematical transformation operator that can transform scalar time data into a high-dimensional space to extract periodic features, frequency features, or nonlinear evolution patterns in the time dimension. It can be implemented based on Fourier transform, sine / cosine basis functions, or learnable time embedding layers.

[0132] A high-dimensional temporal vector can be a digital representation of the position of a time point in a specific semantic space. It is used to provide input features with vector operation capabilities for subsequent attention calculations and can be generated based on the operation results of the temporal mapping function.

[0133] The intensity decay function can be a mathematical model that describes the gradual weakening of the influence of historical events over time. It is used to simulate the changes in the correlation between system behaviors over time. It can be constructed based on exponential decay logic (such as the kernel function in the Hawkes process), power law distribution, or other pre-defined dynamic evolution laws.

[0134] Time weight is a quantitative coefficient that characterizes the degree of influence of historical nodes on the current node. It is used to adjust the contribution ratio of different historical behaviors during the aggregation process. It can be determined based on the distance metric between high-dimensional time vectors and the output value of the intensity decay function.

[0135] Specifically, the server can convert the aforementioned scalar continuous timestamps into high-dimensional time vectors using a preset time mapping function (e.g., Fast Temporal Embedding, FTE), allowing time information to participate in the deep computation of the neural network as feature vectors. Subsequently, the server determines the time weight of the current node's influence by corresponding historical nodes based on the high-dimensional time vector and a preset intensity decay function (e.g., using an exponential decay coefficient). During this process, the server specifically stipulates that the timestamps of historical nodes must be earlier than the timestamp of the current node to strictly adhere to the causal sequence of system behavior. After obtaining a series of time weights, the server performs weighted aggregation of the features of historical nodes based on these weights, thereby obtaining time evolution features that reflect the evolutionary trend of the node and its associated historical sequences.

[0136] Optionally, the server can set different attenuation parameters for different types of network domains to adapt to the different rates of behavioral evolution under different business environments.

[0137] Optionally, by introducing learnable Functional Time Encoding (FTE) to map continuous timestamps into high-dimensional vectors, and combining the intensity function of the Hawkes process to design a temporal attention mechanism, the self-excitation characteristics and time decay effects of events are explicitly modeled to accurately capture the temporal rhythm of APT attacks and thus capture the temporal patterns of interactions. Specifically, during the FTE process, timestamps are not treated as discrete features but are mapped to a continuous function space. For the current node time... Interactive historical nodes Calculate the time interval The FTE is defined as a set of learnable sinusoidal functions. This encoding method not only possesses translation invariance but can also adaptively capture periodic (such as timed tasks) and aperiodic (such as random scans) patterns. After mapping timestamps to a continuous function space, the intensity function principle of the Hawkes process is used to modulate the attention weights. The Hawkes process assumes that the influence of past events on future events decays exponentially over time.

[0138] The specific process is as follows:

[0139]

[0140] in, It is the current target node (central node). It is a node Any historical node in the set of neighboring nodes, Neighboring nodes In the The temporal evolution feature vector extracted from the layer network typically already contains high-dimensional temporal vector information encoded by FTE. It is the time attention weight. Represents the target node In the Temporal evolution feature vectors extracted from layer networks. It simulated memory decay. It is a learnable decay factor that determines how quickly historical influence disappears over time. The larger the value, the more the model focuses on recent behavior; The smaller the value, the stronger the model's memory of long-term patterns. For the time gap common in APT attacks, FTE can maintain the memory of long-term patterns, while the Hawkes decay term helps filter out old noise, allowing the model to focus on recent bursts of behavior.

[0141] In this embodiment, by using a time mapping function and an intensity decay function to construct a time attention mechanism, it is possible to accurately quantify the degree of correlation between different events in the source graph in the time dimension. This helps to identify abnormal behavior patterns with large spans, low frequencies, but strong causal dependencies from long-period log streams, effectively alleviating the dependency loss problem caused by excessively long time spans.

[0142] In one embodiment, causal topological features and temporal evolution features are compared and fused to obtain a spatiotemporal behavioral representation corresponding to the target source map, including:

[0143] The causal topological features and temporal evolution features corresponding to the same node are constructed as positive sample pairs, and the causal topological features and temporal evolution features corresponding to different nodes are constructed as negative sample pairs. In a preset representation space, based on a preset cross-view contrastive loss function, positive sample pairs and negative sample pairs, the causal topological features and temporal evolution features corresponding to the same node are aligned. The causal topological features and temporal evolution features after feature alignment are fused to obtain a spatiotemporal behavior representation.

[0144] Among them, positive sample pairs can be feature embedding combinations for the same node under different observation horizons, used to establish semantic associations between the same entity in spatial topological dimension and temporal evolution dimension. They can be generated by pairing mapping based on the causal topological features and temporal evolution features corresponding to the same node.

[0145] Negative sample pairs can be contrastive combinations that characterize the differences in features between different entities or in non-corresponding states. They are used to provide a differential reference and construct discriminative boundaries in the latent representation space. They can be constructed based on feature cross-combinations between different nodes or the embedding distribution of the same node in different time windows.

[0146] Cross-view contrastive loss function can be a target mathematical function used to measure and optimize the consistency between features of different views. It is used to drive the model to capture common semantics across dimensions by minimizing distribution differences. It can be determined based on information noise contrastive estimation logic (such as InfoNCE Loss) by calculating the cosine similarity between sample pairs and introducing a temperature adjustment parameter.

[0147] The representation space can be a mathematical manifold environment with high-dimensional vector operation capabilities, used to uniformly project and align features from different sources. It can be constructed based on preset dimension size and metric criteria.

[0148] Specifically, the server first constructs positive sample pairs by combining the causal topological features and temporal evolution features corresponding to the same node, and constructs negative sample pairs by combining the causal topological features and temporal evolution features corresponding to different nodes. For example, the server can use a pre-defined projection operator to embed and map the features of each node in the topological and temporal views into a unified representation space. Within this space, the server calculates the similarity distribution between positive and negative samples based on a pre-defined cross-view contrastive loss function, positive sample pairs, and negative sample pairs. By minimizing this contrastive loss, the model is forced to narrow the feature distance of the same entity in the two views under unsupervised conditions, while simultaneously widening the feature distance between different entities, thereby achieving feature alignment.

[0149] Based on feature alignment, the server fuses the aligned causal topological features with temporal evolution features. Specifically, the server can employ a multilayer perceptron (MLP) structure to perform nonlinear transformations and dimensionality compression on the stitched dual-view features, thereby deeply coupling the spatial causal topological information with the temporal evolutionary trajectory, ultimately obtaining a spatiotemporal behavioral representation. Because the server introduces contrastive loss as a constraint during the fusion process, the generated representation effectively eliminates random noise specific to each view while preserving stable, essential features across view domains.

[0150] Optionally, during cross-view contrastive fusion,

[0151] To integrate information from the topological and temporal perspectives and achieve unsupervised learning, the same node is first... Causal topological features in topological view Temporal evolution features under time view , as positive sample pairs. And nodes Other nodes Embedded combinations, or nodes Embeddings at different time windows are used as negative sample pairs. The objective function (InfoNCE Loss) can be set as follows:

[0152]

[0153] in, This is the overall contrastive loss function (InfoNCE Loss). The smaller its value, the higher the consistency between the topological features and temporal features learned by the model. For cosine similarity, Temperature is a parameter used to control the smoothness of the similarity distribution. The smaller the value, the more sensitive the model is to distinguishing nearest-neighbor negative samples. By minimizing this objective function (loss function), the model can align the topological and temporal features of the same entity in the latent space, thereby learning more robust and spatiotemporally consistent node representations. Finally, through the MLP mechanism, the final spatiotemporal behavioral representation is obtained:

[0154]

[0155] in, It is a node The final spatiotemporal behavior representation generated.

[0156] In this embodiment, by constructing positive and negative sample pairs and using a cross-view contrastive loss function for feature alignment, the server can achieve deep collaborative learning of spatiotemporal features in multi-source heterogeneous data without manual annotation. This contrastive fusion method helps the server maximize mutual information between different views in the latent space, effectively overcoming the shortcomings of traditional fusion methods that tend to ignore spatiotemporal correlation consistency. As a result, the spatiotemporal behavioral representation generated by the server has stronger robustness and discriminative power, and can more accurately reflect the true behavioral contours of system entities in complex interaction processes.

[0157] In a specific embodiment, such as Figure 2As shown, the server executes the steps of extracting target source graph features through a dual-view spatiotemporal representation learning network. The heterogeneous graph attention mechanism can be a graph feature extraction algorithm based on a transformer architecture (HGT) designed to capture complex topological relationships between system entities while maintaining the heterogeneity of node and edge types. It can be implemented based on node projection matrices defined for different entity categories and edge parameter matrices defined for different interaction actions. In specific implementation, the server obtains the initial node features in the target source graph and matches the corresponding node projection matrix according to the node's type (e.g., process or file), mapping the heterogeneous features to a unified semantic space. Subsequently, it calculates the attention weight of each target edge by combining the edge parameter matrix reflecting the action type (e.g., read or write). In this way, the server can extract causal topological features reflecting the attack propagation path and causal logic from the spatial dimension, providing topological feature support for identifying malicious lateral movement across entities.

[0158] Subsequently, the server synchronously captures the evolutionary patterns of system behavior along the timeline using a time attention mechanism. A high-dimensional time vector can be a digital vector representing the position of an event within a specific function space, used to transform discrete time points into feature inputs with learning capabilities. It can be obtained by transforming continuous timestamps based on a preset time mapping function (such as Functional Time Encoding, FTE). The intensity decay function can be a mathematical model describing the dynamic weakening trend of the influence of historical events on the current node's state over time, used to simulate the self-excitation characteristics and latency patterns in attack behavior. It can be dynamically weighted based on the kernel function logic of the Hawkes process. In practice, the server extracts continuous time information associated with nodes, calculates the time weights of the current node's influence from multiple historical nodes, and weights and aggregates the features of historical nodes accordingly. Thus, the server generates time evolution features that reflect the evolutionary patterns of system behavior over time, effectively enhancing the ability to recognize time patterns of "low-frequency, slow" threats such as APTs.

[0159] Furthermore, the server utilizes cross-view contrastive loss to co-align the extracted causal topological features and temporal evolution features. Positive sample pairs can be combinations of feature maps representing the same entity across different observation dimensions, used to establish semantic associations between topological spatial attributes and temporal axis attributes. These pairs can be constructed by pairing based on feature embeddings generated by the same node in two branch views. Negative sample pairs can be contrastive combinations reflecting differences in features of different entities or non-corresponding temporal states, used to provide differential constraints in the representation space. For example, the server projects topological and temporal features onto a unified representation space, calculates the similarity between sample pairs based on loss functions such as InfoNCE, and drives the model to narrow the feature distance of the same node in two views under unsupervised conditions by minimizing the contrastive loss. Through this cross-view contrastive mechanism, the server can maximize the mutual information between the two views, thereby learning node representations with spatiotemporal consistency and stronger robustness.

[0160] Finally, the server performs fusion processing to produce the final spatiotemporal behavioral representation and support subsequent security discrimination. The spatiotemporal behavioral representation can be a digital behavioral fingerprint representing an entity's behavior in a heterogeneous network environment. It serves as a high-dimensional input feature for anomaly detection and path tracing, and can be generated by concatenating aligned causal topological features and temporal evolution features, followed by a nonlinear transformation using a multilayer perceptron (MLP). In practice, the server uses this deep coupling strategy to compress the causal chain in the spatial dimension and the evolutionary trajectory in the temporal dimension into a unified fingerprint vector. Because the generated representation vector simultaneously contains the entity's topological role and temporal pattern, the server can accurately capture abnormal fluctuations deviating from normal business benchmarks in the representation space based on this representation, and output the final source tracing analysis conclusions by combining the graph structure, significantly improving the accuracy of identifying covert attack links in complex heterogeneous environments.

[0161] In one embodiment, based on the data dependencies between nodes in the initial source graph, redundant nodes in the initial source graph are identified and merged to obtain the target source graph, including:

[0162] Based on data dependencies, the main causal path in the initial source graph is obtained; for multiple nodes with connections on the main causal path, the semantic similarity between the nodes is obtained; when the semantic similarity meets the preset merging conditions, the multiple nodes are identified as redundant nodes; attribute aggregation and edge merging operations are performed on the redundant nodes to obtain the target source graph.

[0163] Among them, the main causal path can be the core topological skeleton that carries the key information flow in the source graph. It is used to identify the execution link with significant causal impact in a large number of low-value background behaviors. It can be extracted by filtering out a large number of duplicate system events based on the data dependency strength and topological connectivity between nodes.

[0164] Semantic similarity can be a metric for measuring the consistency of different entities in business logic and operational behavior. It is used to determine whether multiple adjacent nodes substantially represent the same high-level semantic action. It can be based on the node's attribute feature vector, contextual information, and the specific operation type performed to calculate distance or evaluate relevance.

[0165] The merging conditions can be pre-defined logical criteria used to trigger node compression, which seek a balance between computational efficiency and information integrity. They can be combined based on similarity thresholds, time window overlap, and node type consistency.

[0166] Specifically, such as Figure 3 As shown, the server first obtains the main causal path in the initial source graph based on data dependencies. It can then use a path scoring mechanism to evaluate the saliency of critical paths involving file reading / writing, process evolution, and network communication, eliminating redundant path segments caused by cyclic reading / writing or high-frequency logs. Subsequently, for multiple nodes connected along the main causal path, the server obtains the semantic similarity between them. If, within a short period, the interaction patterns between two nodes are highly similar semantically and topologically, their marginal information for describing attack behavior decreases, and they can be merged.

[0167] During this process, the server can extract the static attributes (such as file paths and IP addresses) and dynamic behavior patterns of nodes to assess whether these nodes represent duplicate descriptions of the same logical task. When the semantic similarity meets preset merging conditions (e.g., the similarity score exceeds a preset dynamic threshold), the server identifies multiple nodes as redundant nodes. Optionally, the server performs attribute aggregation and edge merging operations on redundant nodes. By topologically folding highly similar intermediate state nodes and logically reconstructing their connections with external entities, a smaller and semantically purer target tracing graph is generated while preserving the original causal chain. Because the server uses semantic evaluation based on the backbone path during the reduction process, it can ensure that even after large-scale simplification, the critical attack footprint can still be completely preserved.

[0168] Optionally, during the merging process, the reachability of causal dependencies must be strictly adhered to. If a path exists... ,and Merged into Then it must be ensured that the source map exists. The path ensures that the link will not be broken when tracing the source of an attack.

[0169] Optionally, benign noise filtering is first performed using a whitelist mechanism to filter out high-frequency, harmless operations of the system itself (such as heartbeat read / write operations and log rotation operations of system monitoring processes). The whitelist is automatically learned through long-term baseline operations in a clean environment. Following this, structure-semantics merging is performed to merge subgraphs with the same parent node. A series of child nodes (For example, multiple child processes forked from the same web server process to handle requests), perform feature extraction, and extract each child node. The local topological features (such as degree, neighbor type distribution) and semantic features (such as process name, command line arguments) are then used to calculate node pairs. The Jaccard similarity or cosine similarity is shown below:

[0170]

[0171] in, This indicates that the target source graph has the same parent node. The child node to be evaluated , representing a node With nodes The overall similarity score between them Indicates the weighting adjustment factor. Representing nodes respectively and nodes The set of neighboring nodes (including objects connected by incoming and outgoing edges). Represented as Jaccard similarity, Represented as cosine similarity, Representing nodes respectively and nodes The attribute feature vector.

[0172] After calculating semantic similarity, child nodes can be clustered using K-means or DBSCAN algorithms. Nodes within the same cluster are merged into a single super node, and the timestamp attributes on the edges are converted to time intervals. and frequency This is used to characterize the temporal dimension features of the merged nodes.

[0173] In this embodiment, by obtaining the main causal path and merging redundant nodes based on semantic similarity, the server can effectively suppress the dependency explosion problem caused by fine-grained log auditing at the topology level. This semantically aware reduction method helps the server significantly reduce the redundancy of the source graph without losing key causal evidence, reducing data storage overhead and thus improving the response speed of real-time threat analysis in large-scale heterogeneous network environments.

[0174] In one embodiment, after comparing and fusing causal topological features and temporal evolution features to obtain the spatiotemporal behavioral representation corresponding to the target source map, the method further includes:

[0175] Obtain the distance between the spatiotemporal behavior representation and the reference center of the preset normal behavior in the preset representation space; when the distance is greater than the preset abnormal threshold, the node corresponding to the spatiotemporal behavior representation is identified as an abnormal node; based on the abnormal node, perform reverse traversal in the target source graph, and determine the abnormal source tracing result according to the edge weight features on the traversal path.

[0176] The reference center can be a benchmark vector kernel in a predefined representation space that represents normal behavior patterns. It is used to provide a distance metric reference for the node to be detected. It can be obtained by mean aggregation based on log representations under historical normal operation or by training through a hypersphere learning algorithm.

[0177] An anomaly threshold can be a numerical boundary that defines the degree of deviation from behavior, used to distinguish between legitimate operations and potential threats in the potential space. It can be set based on the boundary radius of the normal behavior distribution and in combination with a preset fault tolerance redundancy.

[0178] Anomaly nodes can be information units whose spatiotemporal representation deviates significantly from the normal reference range. They are used to identify entities affected by attacks and can be determined based on the comparison logic between distance calculation results and anomaly thresholds.

[0179] The results of anomaly tracing can be a structured analysis report reflecting the attack entry point, lateral movement path, and scope of damage, which can be used to provide a basis for security response decisions. It can be derived and generated based on the correlation weight of each node on the traversal path and the significance analysis of spatiotemporal characteristics.

[0180] Specifically, after comparing and fusing causal topological features and temporal evolution features to obtain a spatiotemporal behavioral representation, the server, such as... Figure 4As shown, the server first obtains the distance between the spatiotemporal behavior representation and the reference center of the preset normal behavior in the preset representation space. For example, the server can calculate the Euclidean distance or Mahalanobis distance between the high-dimensional feature vector of the node under test and the reference center vector. When the distance is greater than a preset anomaly threshold, the server determines the node corresponding to the spatiotemporal behavior representation as an anomalous node, meaning that the entity has significantly deviated from the predefined normal baseline in its spatiotemporal evolution pattern.

[0181] Subsequently, based on the identified anomalous nodes, the server performs a reverse traversal of the target source graph. During this process, the server prioritizes edges along the traversal path using attention weight features obtained from the heterogeneous graph attention mechanism. For example, the server may prioritize tracing along edges with higher attention weights, as these edges often carry stronger causal dependency semantics and are highly likely to be critical paths for attack payload delivery or privilege escalation operations. By tracing back layer by layer in the target source graph, the server can locate the initiating node of the attack or the source of the anomalous configuration and extract the entire attack path, thereby determining the anomaly tracing result.

[0182] Optionally, based on what has been learned A hypersphere anomaly detection strategy is employed. During the training phase, the model is trained using only normal log data, and the center of embedding of all normal nodes in the latent space is calculated. and radius The detection phase is for newly arriving event nodes. Calculate its distance to the reference center distance .

[0183] if If the threshold for an anomaly is exceeded, the system is considered an anomaly. Because attack behaviors (such as unauthorized privilege escalation or abnormal data transmission) differ drastically from normal business operations in terms of spatiotemporal patterns, their embedding vectors are mapped to locations far from the normal center. Once an anomaly node is detected, the system triggers a backtracking mechanism. First, a backward traversal is performed, starting from the anomaly node and searching backward along the incoming edges until the root source node (such as an external IP connection or a compromised user entry point) is reached. Then, the critical path is extracted, utilizing the attention weights in the HGT (Hardware Time Group). As an importance score for edges, edges with high weights are retained, and edges with low weights are pruned.

[0184] Optionally, the extracted sub-graph can be rendered as a visual attack scenario diagram, and the attacker's timeline, the scope of affected assets, and the inferred attack intent can be marked.

[0185] In this embodiment, by determining abnormal nodes based on distance metrics in the representation space and combining this with reverse traversal using edge weights, real-time perception and accurate attribution of network threats can be achieved. This detection method based on hyperspherical distance helps servers discover unknown abnormal behavior patterns without needing to predefine attack characteristics. Simultaneously, the reverse traversal mechanism using attention weights enables the rapid extraction of the most interpretable attack paths from complex attribution graphs, significantly reducing the difficulty for security analysts in forensic analysis of massive alerts.

[0186] In one embodiment, cross-domain entity alignment is performed based on entities and relationships to obtain an initial source graph, including:

[0187] The process involves: acquiring multimodal attribute features of entities in different network domains; performing spatiotemporal constraint matching on entities based on these multimodal attribute features to obtain the spatiotemporal constraint matching results; using a non-axiomatic logic algorithm to determine the interaction prerequisites and implicit associations between entities in different network domains, and establishing cross-domain entity associations based on these prerequisites and implicit associations; and aligning cross-domain entities based on the spatiotemporal constraint matching results and the cross-domain entity associations to obtain the initial source graph.

[0188] Among them, multimodal attribute features can be a comprehensive data set that characterizes the static identifiers and dynamic behaviors of network entities in different dimensions, and can be used to provide a multi-perspective matching basis for cross-domain alignment. It can be extracted in multiple dimensions based on the entity's process metadata at the host level, flow features at the network level, and semantic tags at the application level.

[0189] Spatiotemporal constraint matching can be a filtering mechanism to verify whether entities in different network domains have the possibility of coexistence in terms of time logic and spatial location. It is used to exclude interference samples that are logically impossible to point to the same object. It can perform consistency verification based on the entity's activity time window, the logical affiliation of the IP address range, and the adjacency constraints of the network topology.

[0190] Non-axiomatic logic algorithms can be logical reasoning frameworks for handling uncertain information and incomplete knowledge. They are used to infer potential connections between entities in the absence of hard unique identifiers. They can be based on empirical deduction rules in non-axiomatic logic (NAL) and accumulate and calculate the strength of evidence by the similarity of entity behavior and the logical rationality of the interaction background.

[0191] Interaction prerequisites and implicit associations can be causal relationships that exist between heterogeneous entities, are not directly recorded in the original logs, but are logically necessary or possible. They are used to reconstruct the hidden actions of attackers when moving across domains and can be determined based on the frequency of entity interactions, resource sharing status, and semantic dependency paths.

[0192] Specifically, such as Figure 5 The server first acquires multimodal attribute features of entities in different network domains (such as host monitoring domain and network traffic analysis domain). For example, the server can extract process hashes and parent process relationships of host domain entities, as well as protocol fingerprints of network domain entities.

[0193] Subsequently, the server performs spatiotemporal constraint matching on entities based on multimodal attribute characteristics. During this process, the server compares whether the occurrence times of events recorded in different domains are within a reasonable delay range and verifies the accessibility of each entity in the logical space based on a preset network topology view, thereby obtaining the spatiotemporal constraint matching results. Further, the server utilizes non-axiomatic logic algorithms to determine the interaction prerequisites and implicit associations between entities in different network domains. For example, based on the evidence synthesis rules of non-axiomatic logic, the server can analyze whether two entities in different domains act together on the same virtual resource at a certain moment (such as a temporary file or a specific system call), thereby deriving the interaction prerequisites between them and establishing implicit associations between cross-domain entities based on these prerequisites.

[0194] Finally, the server performs confidence fusion scoring on candidate entity pairs based on the spatiotemporal constraint matching results and the established associations, thereby completing cross-domain entity alignment. The aligned entities and their topological connections are then merged to construct the initial source graph.

[0195] Optionally, to address the issue of inconsistent log formats from multiple sources, a general network security ontology model is defined. ,in For a collection of entity categories, This is a set of relationship categories. Entity categories. This includes, but is not limited to, Process, File, Socket, User, IP address, Domain, and MemoryObject. Relationship Categories This includes, but is not limited to, Fork, Exec, Read, Write, Connect, Bind, Send, Recv, LoadLibrary, etc.

[0196] The server employs an improved Drain algorithm to extract templates from the raw logs, identifying key attribute fields. It then uses a BERT model to extract semantic vectors from the unstructured text, while converting attributes such as timestamps and file paths into a globally unified format to eliminate data representation differences across network domains. Specifically, a tree-based parsing algorithm (such as the improved Drain algorithm) is used to process the raw log messages. For example, "Failed password for root from 192.168.1.1" is parsed into the template "Failed password for <*> from <*>". Subsequently, for unstructured text portions (such as error messages), a pre-trained BERT model is used to extract semantic vectors. For structured fields (such as system call types), an embedding layer is used to map them to category vectors. Finally, timestamps are uniformly converted to the UnixEpoch microsecond-level format; file paths are converted to absolute paths; and user IDs are mapped to unified global identifiers.

[0197] Meanwhile, to address the challenge of cross-domain entity association (e.g., how to determine which PID in the host log corresponds to 10.0.0.1:5432 in the network log), this application proposes a NALA (Non-Axiomatic Logic Alignment) enhanced alignment algorithm. In this algorithm, spatiotemporal matching is first performed for Socket entities in the host log. (Described by process PID, FD, local IP, and port) and the Flow entity in the network log. (Described by SrcIP, SrcPort, DstIP, DstPort, and Proto, i.e., source IP, source port, destination IP, destination port, and protocol description). For example, the server verifies the host event timestamp. With network event timestamps The difference is calculated if and only if the IP address and port are identical and the time difference is within the time deviation threshold. Within a certain timeframe, the server determines that the two types of entities have spatiotemporal consistency. Spatiotemporal matching can be performed using the following matching function:

[0198]

[0199] in, This is for IP consistency verification. It requires that the local IP address recorded on the host side is exactly the same as the source IP address captured on the network side. For port consistency verification, the local port number used by the host-side process must be exactly the same as the source port number observed by the network side. Record the timestamp of the event on the host side. The network side records the timestamp of this traffic occurrence. It can be a preset fault tolerance parameter used to offset log collection jitter or network latency, used to define a reasonable spatiotemporal overlap boundary in the representation space. It can be dynamically set based on the average latency fluctuation of the system or use a preset value (e.g., 100ms) to take into account the latency jitter of log collection.

[0200] Subsequently, the server can analyze the process's reading behavior of a specific file and the network connection behavior initiated by that process. When it finds that the hash value of the payload transmitted in the network connection and the hash value of the file content meet a preset similarity requirement, it establishes an implicit data flow association between the file and the network connection through logical deduction, even if the original log does not directly record the operation of data flowing from the file descriptor to the socket. Simultaneously, the server can continuously maintain a dynamic mapping table to track the entity correspondence in address translation or port reuse cases. In a specific embodiment, premise 1 exists: process Open the file And read the content; Prerequisite 2: Process A network connection was created. Prerequisite 3: Network connection The data stream transmitted in the file payload hash value and file Their hash values ​​are highly similar. Under non-axiomatic logic, it is possible to establish a structure from the file... To network connection The DataFlow edge ensures that data flows directly from the file descriptor to the socket descriptor even without direct system call log evidence. Simultaneously, the system maintains a dynamic tuple-to-process map, continuously updating the mapping from (IP, Port, Protocol) to Process_GUID over time to handle port reuse and dynamic NAT scenarios.

[0201] In this embodiment, by acquiring multimodal attribute features and using non-axiomatic logic algorithms for implicit association derivation, the problem of inconsistent entity identification and severe data fragmentation in multi-source heterogeneous environments can be effectively solved. This alignment method based on spatiotemporal constraints and logical reasoning helps the server capture hidden interaction trajectories across different network planes (such as from the host layer to the network layer) without relying on globally unique identifiers, significantly improving the completeness of the initial source graph construction.

[0202] In a more specific embodiment, with the deepening of digital transformation, the modern network environment exhibits extreme complexity and heterogeneity. Advanced Persistent Threat (APT) attacks are on the rise. These attacks typically exploit zero-day vulnerabilities, employ a "low-and-slow" strategy to remain dormant for extended periods, and perform lateral movement and data theft at multiple levels, including hosts, networks, and applications. To address these challenges, security analysis techniques based on provenance graphs have become a hot research topic. However, existing technologies still have the following significant shortcomings in practical applications:

[0203] First, there is a semantic gap in the semantic fusion of multi-source heterogeneous data.

[0204] In production environments, security data is scattered across multiple silos, such as host audit logs (recording processes and system calls), network traffic logs (recording communication behavior), and application logs (recording business logic). Existing log analysis systems typically treat logs from different sources as independent text streams, lacking a unified entity alignment mechanism. For example, a process identifier in a host log and a communication port in a network log may physically point to the same malicious entity, but existing graph construction methods struggle to achieve real-time and accurate alignment of cross-domain entities in dynamic network environments (such as dynamic IP allocation and short-lifecycle processes). This lack of entity alignment directly leads to incomplete attack chain reconstruction.

[0205] Second, the construction of the source map faces the problem of dependency explosion.

[0206] While source graphs can overcome the limitations of traditional feature detection by leveraging causal dependencies, the massive logs generated during long-term system operation lead to an exponential growth in the size of the source graph. The enormous storage overhead and high computational complexity of graph traversal for the full source graph make real-time detection difficult. Existing graph reduction schemes are mostly based on manual rule filtering or simple causal relationship preservation algorithms, which are prone to losing crucial contextual information, resulting in missed detections. Furthermore, the application of semantic similarity-based graph compression technology in heterogeneous graph environments is still in its early stages, and it remains difficult to balance the trade-off between compression ratio and information integrity.

[0207] Third, spatiotemporal feature representation suffers from a lack of fine-grained detail and insufficient coupling.

[0208] The origin graph is essentially a dynamically evolving spatiotemporal graph, and attack behaviors simultaneously contain spatial topological connectivity features and temporal pattern features (such as frequency and interval). Currently, most mainstream graph neural networks (GNNs) are designed for static graphs, neglecting the evolution over time. While some dynamic graph neural networks introduce snapshot mechanisms or recurrent neural network (RNN) structures, their essence is to discretize time, failing to capture fine-grained dependencies in continuous time. In APT attack scenarios, the deliberately lengthened operation intervals of attackers are easily smoothed out in coarse-grained temporal snapshots. Furthermore, existing temporal encoding methods have weak generalization capabilities and lack effective means to deeply couple complex causal topological structures with continuous temporal evolutionary features (such as functional temporal encoding (FTE) or self-excited models).

[0209] Fourth, representation learning relies excessively on supervised learning and has poor generalization ability.

[0210] Most existing GNN-based intrusion detection systems rely on large-scale labeled samples for supervised learning. However, in real-world scenarios, attack samples (especially zero-day attacks) are extremely scarce, resulting in insufficient generalization ability of supervised models when faced with unknown attack patterns. Although graph contrastive learning has demonstrated the potential of self-supervised learning, existing contrastive learning frameworks are mostly limited to isomorphic graphs or single-view (topology only or attribute only), lacking dual-view contrast mechanisms designed for heterogeneous spatiotemporal graphs, and thus failing to fully utilize the complementary information in spatiotemporal data for training.

[0211] In summary, existing technologies face pressing technical challenges in multi-source semantic fusion, graph size control, fine-grained spatiotemporal modeling, and unsupervised generalization capabilities. To address these issues, the method presented in this application is described below. Figure 6 As shown, it specifically includes:

[0212] The server first performs multi-source log collection and ontology mapping. The multi-source heterogeneous network can be a distributed monitoring system encompassing host auditing, network traffic, and application business layers, providing a multi-dimensional perspective on behavior observation in complex heterogeneous computing environments. It can be constructed based on kernel auditing modules of different operating systems, network boundary traffic capture facilities, and application middleware. Log data can be raw digital records generated by the aforementioned facilities, providing factual evidence for behavioral analysis. It can be generated by using a tree-based Drain parsing algorithm to extract templates from the original messages, combining semantic vectors generated by a pre-trained BERT model, and timestamp attributes standardized at the Unix Epoch microsecond level. For example, the server instantiates the parsed logs into entities and relationships with unified semantics based on a network security ontology model (including entities such as processes, files, and sockets, and their corresponding interactions). In this process, the server achieves a unified representation of the underlying heterogeneous data in the semantic space by fusing the semantic features of unstructured text with standardized attributes, providing a semantically meaningful data foundation for subsequently constructing a global causal chain.

[0213] Subsequently, the server performs cross-domain entity alignment and graph reduction steps to generate a simplified target source graph. Cross-domain entity alignment can be the process of identifying and associating entities distributed across different network domains that point to the same objective object. This is used to eliminate information silos and piece together a complete attack trajectory. It can be achieved based on spatiotemporal constraint matching of host-side socket entities and network-side traffic entities, as well as implicit causal inference algorithms based on non-axiomatic logic (NAL). For example, the server uses a NALA-enhanced alignment strategy to deduce data flow relationships between processes, files, and network connections that are not directly recorded, thereby constructing an initial source graph covering the entire domain. Next, the server performs semantic-aware reduction on the initial source graph based on data dependencies. Redundant nodes can be intermediate repeating units in the source graph that do not contribute additional significant security semantics. They are used to reduce the graph size while preserving key causal logic to alleviate the "dependency explosion" problem. They can be determined based on extracting the backbone causal path and calculating the semantic similarity of path nodes. By performing attribute aggregation and topology folding on redundant units, the server finally generates a target source graph that can efficiently carry security semantics.

[0214] Furthermore, the server utilizes a dual-viewpoint (topological and temporal) representation of the learning network to extract causal topological features and temporal evolution features in parallel. The heterogeneous graph attention mechanism can be a weight allocation algorithm based on a neural network architecture, used to quantify complex causal relationships between heterogeneous entities. It can be implemented based on a heterogeneous graph neural network (HGT) by configuring projection matrices for different node types and calculating attention weights within a unified semantic space. Simultaneously, the temporal attention mechanism can be a metric model based on a continuous time axis to capture the dynamic evolution of events, used to characterize the self-excitation and decay characteristics of the system state over time. It can convert continuous timestamps into high-dimensional time vectors based on a time mapping function and combine an intensity decay function based on the Hawkes process to quantify the dynamic influence of historical nodes on the current state. Because the server processes the topological and temporal perspectives in parallel and decoupled during feature extraction, this helps the server accurately identify lateral movement paths in space and sensitively capture the attacker's "low-frequency, slow" stealth patterns on a temporal scale when dealing with long-term attacks.

[0215] Finally, the server performs contrastive fusion to produce the final spatiotemporal behavioral representation and output the anomaly tracing results. Contrastive fusion can be a feature consistency alignment process based on a self-supervised contrastive learning paradigm, used to maximize mutual information between features from different perspectives within a unified representation space. It can be based on constructing positive and negative sample pairs and using cross-perspective contrastive loss functions (such as InfoNCE loss) to drive the model to learn robust and spatiotemporally consistent feature representations. For example, the server performs Concat concatenation and nonlinear transformation (MLP) processing on the aligned features, generating a spatiotemporal behavioral representation as a digital behavioral fingerprint of the entity. When the server determines, using a hyperspherical anomaly detection algorithm, that the distance between a representation vector and the normal reference center exceeds an anomaly threshold, it identifies the corresponding anomaly node and performs a reverse traversal based on the edge weight features in the graph structure, thereby outputting a complete tracing analysis conclusion. Because the server deeply couples topological causality and continuous-time features throughout the entire process, it significantly improves the accuracy of identifying unknown threats in complex heterogeneous environments, achieving a precise characterization of the entire attack lifecycle.

[0216] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.

[0217] Based on the same inventive concept, this application also provides a spatiotemporal log source graph representation device for multi-source heterogeneous networks, which implements the aforementioned spatiotemporal log source graph representation method for multi-source heterogeneous networks. The solution provided by this device is similar to the implementation scheme described in the above method. Therefore, the specific limitations of one or more embodiments of the spatiotemporal log source graph representation device for multi-source heterogeneous networks provided below can be found in the limitations of the spatiotemporal log source graph representation method for multi-source heterogeneous networks described above, and will not be repeated here.

[0218] In one exemplary embodiment, such as Figure 7 As shown, a spatiotemporal log source graph representation device for multi-source heterogeneous networks is provided, comprising: a data acquisition module 710, an entity relationship determination module 720, an initial source graph establishment module 730, a target source graph establishment module 740, a feature extraction module 750, and a spatiotemporal representation module 760, wherein:

[0219] The data acquisition module 710 is used to acquire log data from a multi-source heterogeneous network; the multi-source heterogeneous network includes multiple network domains with different data acquisition layers.

[0220] The entity relationship determination module 720 is used to map the log data to a preset network security ontology model in each network domain to obtain the entity corresponding to the log data and the relationship between each entity.

[0221] The initial source graph establishment module 730 is used to perform cross-domain entity alignment based on the entities and the association relationships to obtain an initial source graph;

[0222] The target tracing graph establishment module 740 is used to determine redundant nodes in the initial tracing graph based on the data dependency relationship between nodes in the initial tracing graph, and merge the redundant nodes to obtain the target tracing graph.

[0223] The feature extraction module 750 is used to extract the causal topological features of the target source graph through a heterogeneous graph attention mechanism, and to extract the temporal evolution features of the target source graph through a temporal attention mechanism;

[0224] The spatiotemporal representation module 760 is used to compare and fuse the causal topological features and the temporal evolution features to obtain the spatiotemporal behavior representation corresponding to the target source map.

[0225] In one embodiment, the feature extraction module 750 is further configured to:

[0226] For any target edge in the target tracing graph, obtain the first node and the second node at both ends of the target edge;

[0227] Based on the first node projection matrix corresponding to the node type of the first node obtained in advance, the node features of the first node are mapped to a unified semantic space.

[0228] Based on the second node projection matrix corresponding to the node type of the second node obtained in advance, the node features of the second node are mapped to the unified semantic space;

[0229] The attention weight of the target edge is determined based on the pre-acquired edge parameter matrix corresponding to the edge type of the target edge, and the node features of the first node and the second node mapped to the unified semantic space.

[0230] Based on the attention weight of the target edge, the node features of multiple first nodes are weighted and fused to obtain the causal topological features of the target source graph.

[0231] In one embodiment, the feature extraction module 750 is further configured to:

[0232] Obtain the continuous timestamps of multiple nodes in the target tracing graph, and convert the continuous timestamps into a high-dimensional time vector using a preset time mapping function;

[0233] Based on the high-dimensional time vector and the preset intensity decay function, the time weight of the current node's influence by the corresponding historical node is determined; wherein, the current node and the historical node are nodes among the plurality of nodes, and the timestamp of the historical node is earlier than the timestamp of the current node;

[0234] The features of the historical nodes are weighted and aggregated according to the time weight to obtain the time evolution features.

[0235] In one embodiment, the spatiotemporal representation module 760 is further configured to:

[0236] The causal topological features and the temporal evolution features corresponding to the same node are constructed as positive sample pairs, and the causal topological features and the temporal evolution features corresponding to different nodes are constructed as negative sample pairs;

[0237] In a preset representation space, based on a preset cross-view contrastive loss function, the positive sample pairs and the negative sample pairs, the causal topological features and the temporal evolution features corresponding to the same node are aligned.

[0238] The causal topological features after feature alignment are fused with the temporal evolution features to obtain the spatiotemporal behavior representation.

[0239] In one embodiment, the target tracing map establishment module 740 is further configured to:

[0240] Based on the data dependencies, the main causal path in the initial source graph is obtained;

[0241] For multiple nodes that are connected on the main causal path, obtain the semantic similarity between the multiple nodes;

[0242] When the semantic similarity meets the preset merging conditions, the multiple nodes are identified as redundant nodes;

[0243] The redundant nodes are subjected to attribute aggregation and edge merging operations to obtain the target source graph.

[0244] In one embodiment, the spatiotemporal representation module 760 is further configured to:

[0245] Obtain the distance between the spatiotemporal behavior representation and the reference center of the preset normal behavior in the preset representation space;

[0246] When the distance is greater than a preset anomaly threshold, the node corresponding to the spatiotemporal behavior representation is identified as an anomaly node.

[0247] Based on the abnormal node, a reverse traversal is performed on the target source graph, and the abnormal source result is determined according to the edge weight characteristics on the traversal path.

[0248] In one embodiment, the initial source map establishment module 730 is further configured to:

[0249] Obtain the multimodal attribute features of the entities in different network domains;

[0250] Based on the multimodal attribute features, the entity is subjected to spatiotemporal constraint matching to obtain the spatiotemporal constraint matching result;

[0251] Using a non-axiomatic logic algorithm, the interaction premises and implicit associations between entities in different network domains are determined, and cross-domain association relationships are established based on the interaction premises and implicit associations.

[0252] Based on the spatiotemporal constraint matching results and the association relationships between the cross-domain entities, cross-domain entity alignment is performed to obtain the initial source graph.

[0253] Each module in the aforementioned spatiotemporal log source map representation device for multi-source heterogeneous networks can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the memory of a computer device as software, so that the processor can call and execute the operations corresponding to each module.

[0254] In one exemplary embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as follows: Figure 8 As shown, this computer device includes a processor, memory, input / output (I / O) interfaces, and a communication interface. The processor, memory, and I / O interfaces are connected via a system bus, and the communication interface is also connected to the system bus via the I / O interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides the environment for the operating system and computer programs stored in the non-volatile storage media. The database stores data such as target tracing maps. The I / O interfaces are used for information exchange between the processor and external devices. The communication interface is used for communication with external terminals via a network connection. When executed by the processor, the computer program implements a spatiotemporal log tracing map representation method for multi-source heterogeneous networks.

[0255] Those skilled in the art will understand that Figure 8 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.

[0256] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with relevant regulations.

[0257] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile memory and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, artificial intelligence (AI) processors, etc., and are not limited to these.

[0258] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this application.

[0259] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.

Claims

1. A spatiotemporal log source graph representation method for multi-source heterogeneous networks, characterized in that, The method includes: Acquire log data from a multi-source heterogeneous network; the multi-source heterogeneous network includes multiple network domains with different data acquisition layers; In each network domain, the log data is mapped to a preset network security ontology model to obtain the entities corresponding to the log data and the relationships between the entities; Based on the entities and their relationships, cross-domain entity alignment is performed to obtain an initial source graph; Based on the data dependencies between nodes in the initial source graph, redundant nodes in the initial source graph are identified and merged to obtain the target source graph. The causal topological features of the target source graph are extracted using a heterogeneous graph attention mechanism, and the temporal evolution features of the target source graph are extracted using a temporal attention mechanism. By comparing and fusing the causal topological features and the temporal evolution features, a spatiotemporal behavioral representation corresponding to the target tracing map is obtained.

2. The method according to claim 1, characterized in that, The extraction of causal topological features of the target source graph through the heterogeneous graph attention mechanism includes: For any target edge in the target tracing graph, obtain the first node and the second node at both ends of the target edge; Based on the first node projection matrix corresponding to the node type of the first node obtained in advance, the node features of the first node are mapped to a unified semantic space. Based on the second node projection matrix corresponding to the node type of the second node obtained in advance, the node features of the second node are mapped to the unified semantic space; The attention weight of the target edge is determined based on the pre-acquired edge parameter matrix corresponding to the edge type of the target edge, and the node features of the first node and the second node mapped to the unified semantic space. Based on the attention weight of the target edge, the node features of multiple first nodes are weighted and fused to obtain the causal topological features of the target source graph.

3. The method according to claim 1, characterized in that, The extraction of temporal evolution features of the target source map through a temporal attention mechanism includes: Obtain the continuous timestamps of multiple nodes in the target tracing graph, and convert the continuous timestamps into a high-dimensional time vector using a preset time mapping function; Based on the high-dimensional time vector and the preset intensity decay function, the time weight of the current node's influence by the corresponding historical node is determined; wherein, the current node and the historical node are nodes among the plurality of nodes, and the timestamp of the historical node is earlier than the timestamp of the current node; The features of the historical nodes are weighted and aggregated according to the time weight to obtain the time evolution features.

4. The method according to claim 1, characterized in that, The step of comparing and fusing the causal topological features and the temporal evolution features to obtain the spatiotemporal behavioral representation corresponding to the target source map includes: The causal topological features and the temporal evolution features corresponding to the same node are constructed as positive sample pairs, and the causal topological features and the temporal evolution features corresponding to different nodes are constructed as negative sample pairs; In a preset representation space, based on a preset cross-view contrastive loss function, the positive sample pairs and the negative sample pairs, the causal topological features and the temporal evolution features corresponding to the same node are aligned. The causal topological features after feature alignment are fused with the temporal evolution features to obtain the spatiotemporal behavior representation.

5. The method according to claim 1, characterized in that, The process of identifying redundant nodes in the initial source graph based on the data dependencies between nodes in the initial source graph, and merging these redundant nodes to obtain the target source graph, includes: Based on the data dependencies, the main causal path in the initial source graph is obtained; For multiple nodes that are connected on the main causal path, obtain the semantic similarity between the multiple nodes; When the semantic similarity meets the preset merging conditions, the multiple nodes are identified as redundant nodes; The redundant nodes are subjected to attribute aggregation and edge merging operations to obtain the target source graph.

6. The method according to claim 1, characterized in that, After comparing and fusing the causal topological features and the temporal evolution features to obtain the spatiotemporal behavioral representation corresponding to the target source map, the method further includes: Obtain the distance between the spatiotemporal behavior representation and the reference center of the preset normal behavior in the preset representation space; When the distance is greater than a preset anomaly threshold, the node corresponding to the spatiotemporal behavior representation is identified as an anomaly node. Based on the abnormal node, a reverse traversal is performed on the target source graph, and the abnormal source result is determined according to the edge weight characteristics on the traversal path.

7. The method according to claim 1, characterized in that, The step of performing cross-domain entity alignment based on the entities and the association relationships to obtain an initial source graph includes: Obtain the multimodal attribute features of the entities in different network domains; Based on the multimodal attribute features, spatiotemporal constraint matching is performed on the entity to obtain the spatiotemporal constraint matching result; Using a non-axiomatic logic algorithm, the interaction premises and implicit associations between entities in different network domains are determined, and cross-domain association relationships are established based on the interaction premises and implicit associations. Based on the spatiotemporal constraint matching results and the association relationships between the cross-domain entities, cross-domain entity alignment is performed to obtain the initial source graph.

8. A spatiotemporal log source graph representation device for multi-source heterogeneous networks, characterized in that, The device includes: The data acquisition module is used to acquire log data from a multi-source heterogeneous network; the multi-source heterogeneous network includes multiple network domains with different data acquisition layers. The entity relationship determination module is used to map the log data to a preset network security ontology model in each network domain to obtain the entity corresponding to the log data and the relationship between each entity; The initial source graph creation module is used to perform cross-domain entity alignment based on the entities and the association relationships to obtain the initial source graph; The target tracing graph establishment module is used to determine redundant nodes in the initial tracing graph based on the data dependencies between nodes in the initial tracing graph, and to merge the redundant nodes to obtain the target tracing graph. The feature extraction module is used to extract the causal topological features of the target source graph through a heterogeneous graph attention mechanism, and to extract the temporal evolution features of the target source graph through a temporal attention mechanism. The spatiotemporal representation module is used to compare and fuse the causal topological features and the temporal evolution features to obtain the spatiotemporal behavior representation corresponding to the target source map.

9. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 7.

10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 7.