Intelligent early warning method and system for safety risks based on knowledge graph
By constructing temporal quadruple sequences and dynamic graph snapshots, and utilizing graph convolutional networks and attention mechanisms, the problem of insufficient real-time perception of advanced persistent threats in existing technologies is solved. This enables deep perception and pre-emptive prediction of risk development trends, improves security response efficiency, and constructs a closed-loop security defense system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HANGZHOU ZHUOMEI DATA TECHNOLOGY CO LTD
- Filing Date
- 2026-04-21
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies lack the ability to perceive risk development trends in real time when dealing with advanced persistent threats and internal violations. They are unable to capture the dynamic evolution of relationships between entities, and have a high false negative rate and lag. They are also unable to accurately identify chain risk patterns that gradually emerge over time.
By constructing a temporal quadruple sequence, extracting spatiotemporal features using graph convolutional networks and gated recurrent units, and combining attention mechanisms and link prediction, the sliding time window is dynamically adjusted to generate risk evolution scores and trigger early warnings, thereby realizing probability calculation and real-time early warning of potential future threats.
It significantly enhances the ability to identify advanced persistent threats and internal fraud risks, achieving a technological leap from post-event retrospective to pre-event prediction, providing valuable emergency response buffer time, and building a closed-loop system from risk perception to automated interception, with extremely strong architectural scalability and real-time performance.
Smart Images

Figure CN122394884A_ABST
Abstract
Description
Technical Field
[0001] This application belongs to the field of artificial intelligence technology, specifically relating to an intelligent early warning method and system for security risks based on knowledge graphs. Background Technology
[0002] With the rapid development of network information technology and the continuous deepening of digital transformation, cybersecurity protection has become a crucial link in safeguarding national security and core corporate assets. Among these, security risk early warning technology plays a vital role as an important component of the proactive defense system. In large-scale, complex network environments, the explosive growth of massive amounts of heterogeneous security data has driven knowledge graph-based correlation analysis technology to become the mainstream method for identifying complex attack patterns and potential threats. By semantically modeling network entities and their relationships, fragmented security event information can be effectively integrated, thus providing underlying support for building a comprehensive and in-depth security defense system.
[0003] Among them, the intelligent early warning of security risks based on knowledge graphs aims to achieve accurate location and early detection of potential threats by automatically mining the potential logical relationships between security entities. This technology typically uses graph structures to uniformly represent network behavior, access records, and asset status, and discovers abnormal behavior paths through deep analysis of the graph topology. When dealing with complex scenarios such as advanced persistent threats and internal violations, this technology focuses on using the strong correlation characteristics of graphs to transform isolated alarm information into a logically coherent risk view, thereby improving the overall effectiveness of security response.
[0004] However, existing technologies are mostly based on static rule matching or anomaly detection of isolated nodes, resulting in poor performance when dealing with modern security threats that have long-term latency characteristics and cross-dimensional evolutionary features. Furthermore, traditional security analysis methods are often limited to log backtracking after a risk occurs, lacking the ability to perceive risk development trends in real time and failing to capture the dynamic evolution of relationships between entities. In addition, because existing models lack deep integration of temporal features, they cannot accurately identify chain-like risk patterns that gradually emerge over time, leading to high false negative rates and severe lag in early warning systems. Therefore, a knowledge graph-based intelligent early warning solution for security risks is desired. Summary of the Invention
[0005] The purpose of this invention is to provide a knowledge graph-based intelligent early warning method and system for security risks, which can effectively solve the problems mentioned in the background art.
[0006] To achieve the above objectives, the technical solution adopted by the present invention is as follows: A knowledge graph-based intelligent early warning method for security risks includes the following specific steps: S1: Collect multi-source heterogeneous security data, clean and structure it, and construct a time-series quadruple sequence consisting of subject, predicate, object and occurrence time; S2: Using the time-series quadruple sequence as input, a sliding time window is set, and the window step size is dynamically adjusted according to the ratio of the current network traffic density to the preset density threshold. The window length is adjusted within the range of 30 seconds to 300 seconds. The time-series quadruple sequence is divided into multiple consecutive graph snapshots in chronological order, and a time overlap area of 20% to 50% of the window length is provided between adjacent graph snapshots. S3: Using the graph snapshot sequence as input, the spatial structure features of each graph snapshot are extracted using a graph convolutional network to obtain a spatial representation vector matrix. Then, the temporal evolution features are extracted using a gated recurrent unit to output a hidden state vector sequence that integrates spatiotemporal information. S4: Using the hidden state vector sequence as input, an enhanced background vector is generated using an attention mechanism. Based on the background vector, the probability of illegal associations between entities in the future is calculated through link prediction to obtain a basic risk score. The changes in newly added connections of entities within the most recent predetermined number of time windows are statistically analyzed. When the number of new connections grows exponentially and involves unauthorized network segments or cross-domain operations, a correction function is invoked. The basic risk score is prioritized and adjusted to output a risk evolution score, whereby... This is the expansion factor calculated based on the growth rate of new connections; S5: The risk evolution score is compared with the preset grading threshold in real time. When the threshold is reached or exceeded, an early warning is triggered, and a visualized risk path map is generated and displayed.
[0007] A knowledge graph-based intelligent early warning system for security risks includes: The data acquisition and quadruple construction module is used to collect multi-source heterogeneous security data, clean and structure the data, and construct a temporal quadruple sequence consisting of subject, predicate, object and occurrence time. The dynamic graph snapshot sequence generation module is used to take the time-series quadruple sequence as input, set a sliding time window, dynamically adjust the step size of the sliding time window according to the ratio of the current network traffic density to a preset density threshold, and divide the time-series quadruple sequence into multiple consecutive graph snapshots in chronological order. A time overlap region of 20% to 50% of the window length is set between two adjacent graph snapshots. The spatiotemporal feature extraction module is used to extract the spatial structure features of each graph snapshot using the graph snapshot sequence as input, obtain a spatial representation vector matrix, and then use a gated recurrent unit to extract the temporal evolution features of the spatial representation vector matrix in chronological order, and output a hidden state vector sequence that integrates spatiotemporal information. The risk prediction and correction module is used to take the hidden state vector sequence as input, generate an enhanced background vector using an attention mechanism, calculate the probability of illegal associations between different entities in the future based on the background vector through link prediction to obtain a basic risk score, and count the changes in new connection relationships of entities within the most recent consecutive predetermined number of time windows. When the number of new connections shows an exponential growth trend and the targets involved include unauthorized network segments or cross-domain operations, the correction function is called to prioritize the correction of the basic risk score to output a risk evolution score. The early warning triggering and display module is used to compare the risk evolution score with the preset classification threshold in real time. When the risk evolution score reaches or exceeds the classification threshold, an early warning is triggered, and a visualized risk path map is generated and displayed.
[0008] In summary, this application includes at least one of the following beneficial technical effects: 1. This invention, by introducing a time dimension to construct temporal quadruples and dynamic graph snapshot sequences, completely changes the traditional technology's reliance on static rules or isolated node anomaly detection. This dynamic modeling approach can fully describe the entire process of security risks from initial detection and lateral movement to final outbreak, significantly improving the ability to identify long-term latent risks such as advanced persistent threats and internal fraud, enabling the early warning system to have a deep perception of risk development trends.
[0009] 2. This invention utilizes link prediction technology to calculate the probability of illegal associations that may occur in the future, achieving a technological leap from retrospective analysis to pre-emptive prediction. In practical applications, it can achieve a predetermined lead time for trend perception, providing valuable emergency response buffer time for security operations personnel.
[0010] 3. This invention, through deep integration with systems such as identity authentication and access control, constructs a closed-loop system from risk perception and intelligent scoring to automated interception. With extremely short response times, the system can automatically implement blocking strategies for high-risk situations, minimizing economic losses and data leakage risks caused by security incidents.
[0011] 4. The standardized alignment and parallel computing mechanism designed in this invention enables it to easily handle extremely high-scale log processing demands. While maintaining high real-time performance, the system can smoothly integrate data from various new security devices, exhibiting strong architectural scalability. Attached Figure Description
[0012] Figure 1 This is a schematic diagram of the overall technical solution for an intelligent early warning method for security risks based on knowledge graphs. Figure 2This is a schematic diagram illustrating the core principle of spatiotemporal depth feature extraction based on graph convolution and recurrent neural networks. Figure 3 It is a logical flowchart of multi-source heterogeneous data fusion and dynamic graph snapshot sequence construction; Figure 4 This is a flowchart illustrating the logic of risk path prediction and scoring based on the attention mechanism. Figure 5 This is a schematic diagram of the multi-level interaction relationship and data flow between risk warning triggering and automated closed-loop response. Detailed Implementation
[0013] To make the objectives, technical solutions, and advantages of this invention clearer, the following description is provided in conjunction with the appendix. Figure 1 To be continued Figure 5 The present invention will be further described in detail below with reference to specific embodiments.
[0014] Firstly, the intelligent early warning method for security risks based on knowledge graphs disclosed in this application is implemented according to the following steps: The first step, S1, involves collecting, cleaning, and structurally transforming data to construct a four-tuple sequence with temporal semantics, providing standardized data input for subsequent dynamic graph tiling. The specific implementation steps are as follows: Step S101: Multi-source data acquisition and integrity assurance. Distributed data acquisition components are deployed at key locations such as network backbone nodes, core switch bypass, and server cluster front-ends to acquire multi-source heterogeneous security data in real time and in full. The acquisition scope covers traffic records of perimeter protection devices, process monitoring data of terminal hosts, database access behavior audit logs, and permission change records of the internal network.
[0015] During operation, the data acquisition component employs a multi-threaded concurrent reading mechanism, supporting real-time acquisition of logs in Syslog, SNMP Trap, NetFlow, IPFIX, and various proprietary formats. To ensure no data loss during transmission, the acquisition component uses a message queue for buffering at the transport layer and appends a globally unique sequence number and a nanosecond-level precision raw timestamp to each raw record.
[0016] Step S102: Data Cleaning and Standardization Alignment. After obtaining the raw data, the data cleaning module is invoked to standardize firewall logs, host audit logs, and asset status information. This module employs field mapping technology to map log fields defined by different manufacturers and device models to a globally unified security mode. This security mode predefines a standard metadata structure, including source network protocol address, destination network protocol address, source port number, destination port number, access behavior operation type, authentication status, packet length, process fingerprint, and user credential identifier.
[0017] For unstructured text data, such as application-layer error descriptions or system event descriptions, the system uses a predefined ontology model and a parsing engine based on regular expressions and finite automata to convert it into a unified semantic representation. During this processing, the system automatically filters out duplicate noise entries and heuristically completes missing key fields. Specifically, the completion method involves inferring and filling in missing fields based on the values of other fields within the same session context or based on historical statistical baselines, ensuring semantic consistency in subsequent modeling.
[0018] Step S103: Construct a set of temporal quadruples by extracting core entities, relationships between entities, and corresponding timestamp information from the cleaned data. Each temporal quadruple consists of four parts: subject, predicate, object, and time of occurrence.
[0019] For a specific network interaction, the transformation rules are as follows: the device entity corresponding to the source network protocol address is taken as the subject, the TCP connection or specific application protocol operation is defined as the predicate, and the destination service port or specific file resource is taken as the object. The start and duration of the interaction are recorded at the time of occurrence. For network scanning behavior, it is transformed into a sequence of logically related time-series quadruples, with the source address entity as the subject, the probe as the predicate, and the destination network segment entity as the object. The start and end time period of the scanning behavior is taken as the aggregated occurrence time. In this way, scattered security logs are transformed into a sequence of logically related time-series quadruples.
[0020] In summary, step S1 transforms multi-source heterogeneous security logs into a structured temporal quadruple sequence. This sequence fully preserves the temporal attributes of the original events, forming the core data for subsequent dynamic modeling. Based on this, the next step will utilize these temporal quadruples to construct a dynamic graph sequence reflecting the evolution of network states over time by setting sliding time windows to divide continuous graph snapshots.
[0021] The next step, S2, involves using the temporal quadruple sequence generated in step S1 as input. A sliding time window is used to divide this sequence into multiple consecutive graph snapshots. Each snapshot represents the network security state topology within a time segment, providing structured graph sequence data for subsequent spatiotemporal feature extraction. The specific implementation steps are as follows.
[0022] Step S201: Set a dynamic sliding time window. The system sets a sliding time window of variable length based on the time-series quadruple set. The length of the window is dynamically adjusted within a preset duration range, with a lower limit of 30 seconds and an upper limit of 300 seconds.
[0023] The adjustment is based on the current network traffic density and entity activity, specifically measured by the number of time-series quadruples generated per unit time. The system pre-sets a density threshold of 100 time-series quadruples per second. When the number of time-series quadruples per unit time exceeds this threshold, it indicates dense network events. The system then proportionally reduces the current window step size by a factor equal to the reciprocal of the density ratio. In other words, the new step size equals the original step size multiplied by the ratio of the density threshold to the actual density, thereby improving the temporal sampling resolution.
[0024] Conversely, when the number of time-order quadruples is below the density threshold, the system increases the window step size proportionally to reduce computational overhead. Through this dynamic adjustment, the number of interaction events in each graph snapshot is maintained within a predetermined range, such as 500 to 2000 events, thereby ensuring that the topology of each snapshot is statistically significant.
[0025] Step S202: Divide the graph snapshot sequence and set overlapping areas. According to the time sequence, divide the time-series quadruple set into multiple consecutive graph snapshots. Each graph snapshot corresponds to the network security status topology structure within a time period.
[0026] During the partitioning process, a temporal overlap region is set between two adjacent snapshots. The length of this overlap region is preset to be 20% to 50% of the window length. Specifically, the system can select a fixed proportion within this range, such as 30%, based on the stability of the network environment. The purpose of the overlap region is to ensure a smooth transition in the temporal dimension and prevent the loss of related information that crosses the window boundary due to hard cutting.
[0027] For example, a slow password brute-force attack spanning several hours may have individual detection events distributed near the boundary of two adjacent windows. Without overlapping areas, the temporal continuity of the attack will be disrupted; with overlapping areas, the correlation of the attack can still be fully captured.
[0028] Step S203: Mathematical representation of graph snapshots. For each generated graph snapshot, the system uses an adjacency matrix to represent it mathematically. Assuming the current graph snapshot contains M entity nodes, an M-row, M-column adjacency matrix is constructed, denoted as A.
[0029] Elements in the matrix A non-zero value indicates that there is an association between node i and node j. The value of this element is quantified according to the attributes of the association: if the association is a discrete event, the value is the total number of times the relationship occurs within the window; if the association is continuous traffic, the value is the total number of bytes exchanged or the total number of data packets; if only the presence or absence of a relationship is required, the value is 1.
[0030] The system also constructs an initial feature vector for each entity node, which integrates two types of information. The first type is the node's static attributes, specifically including the asset importance level, which is an integer ranging from 1 to 5; the number of known vulnerabilities, which is a non-negative integer; and the current online time, in seconds.
[0031] The second category is the real-time interaction features of the nodes, specifically including the node's average connection rate within the window (total number of connections divided by window duration), the number of different ports accessed, and statistics such as the node's in-degree to out-degree ratio. These features together form a fixed-dimensional vector, which serves as the initial input to the node in the graph convolutional network.
[0032] In summary, through step S2, the system transforms continuous time-series data into discrete, temporally overlapping graph snapshot sequences. Each snapshot not only retains topological information but also prepares the data numerically for subsequent graph convolution operations through adjacency matrices and node feature vectors. Next, step S3 will extract the temporal and spatial depth fusion features of these graph snapshot sequences using graph convolutional networks and recurrent neural networks.
[0033] The next step, S3, uses the graph snapshot sequence generated in step S2 as input. First, a graph convolutional network is used to extract the spatial structure features of each graph snapshot. Then, a gated recurrent unit is used to extract the evolutionary features in the temporal dimension. Finally, a sequence of hidden state vectors that fuses spatiotemporal information is output, providing feature representations for subsequent risk path prediction. The specific implementation steps are as follows.
[0034] Step S301: Spatial feature extraction of the graph convolutional network. The system independently performs graph convolution operations on each graph snapshot. The graph convolutional network consists of multiple cascaded graph convolutional layers. Each layer updates the node representation by aggregating the features of the node and its neighboring nodes.
[0035] In the specific calculation, self-connections are first added to the adjacency matrix of each graph snapshot, that is, each node adds an edge pointing to itself, resulting in the matrix. Simultaneously calculate the corresponding degree matrix. ,in .
[0036] No. layer to the first The update rule for the node feature matrix of the layer is as follows: The meanings of the symbols in the formula are as follows: Indicates the first The node feature matrix of the layer has the number of rows equal to the total number of nodes. The number of columns represents the feature dimension of that layer. hour, This is the matrix composed of the initial feature vectors constructed for each node in step S203.
[0037] It is the graph adjacency matrix after adding self-joins, with dimension . ,in like ,otherwise . yes The corresponding degree matrix is a diagonal matrix. .
[0038] Indicates to The diagonal matrix is obtained by raising each diagonal element to the power of negative 1 / 2.
[0039] It is the first The learnable weight parameter matrix of the layer has a dimension equal to the product of the input feature dimension and the output feature dimension of the current layer, and its values are determined through training. It is a non-linear activation function; this method uses the ReLU function, i.e. .
[0040] After multi-layer graph convolution, the topological information of its multi-hop neighbors is fused into the feature vector of each node, thus obtaining the spatial representation vector matrix of the graph snapshot. The system arranges the spatial representation vector matrix corresponding to each graph snapshot in chronological order to form a feature vector sequence.
[0041] Step S302, Training settings for the graph convolutional network: To enable the graph convolutional network to effectively extract spatial features related to security risks, it needs to be trained. The training process is as follows: The training data is constructed as follows: labeled graph snapshots are extracted from the historical security event database as training samples. Each sample contains an adjacency matrix of a graph snapshot. and node initial feature matrix Nodes are labeled based on whether they participated in subsequently confirmed attack activities within the corresponding time window. Specifically, if a node is confirmed as a key entity in the attack chain within the next 10 minutes after the snapshot time window ends, the node is labeled as positive sample category 1; otherwise, it is labeled as negative sample category 0.
[0042] The loss function used is cross-entropy loss, and the calculation formula is as follows: in, This represents the total number of nodes in the graph snapshot. For nodes The actual label, with a value of 0 or 1. The nodes output by the graph convolutional network The predicted probability of belonging to the positive sample class. The training objective is to make the loss function... Minimize, even if the model predicts the node risk category as accurately as possible.
[0043] Step S303: Temporal feature extraction of the recurrent neural network. The spatial representation vector matrix of each graph snapshot output in step S301 is flattened into a one-dimensional feature vector and input sequentially into a gated recurrent unit network in chronological order. The gated recurrent unit contains update gates and reset gates. The update gate controls how much of the hidden state from the previous time step is retained in the current time step, and the reset gate determines how the current input is combined with the hidden state from the previous time step.
[0044] Let the current time be The input feature vector is The hidden state at the previous moment was The update process of the gated loop unit is as follows: Update Gate Reset door Candidate hidden state Current hidden state in, It is the sigmoid activation function. This represents element-wise multiplication. The weight matrix is a learnable matrix. This is the bias term. After processing the entire sequence, the hidden state vector at each time step is obtained. This vector integrates the spatial features of the current graph snapshot with the temporal evolution information of all historical moments. The hidden state vector is set to 128 or 256 dimensions, with each dimension representing an abstract security semantic feature, such as the second derivative of access frequency, the entropy value of connection dispersion, the abnormal deviation of protocol message length, or the potential tendency of privilege escalation.
[0045] Step S304, training setup for the recurrent neural network: The training data for the gated recurrent unit network is jointly trained with the graph convolutional network, or they can be pre-trained separately. This method adopts an end-to-end joint training approach. The training data is constructed as follows: continuous data is extracted from historical security events. The feature vector sequence of the first snapshot is used as the input sequence, and the corresponding output label is the first snapshot. The category of the highest-risk event actually occurring within the snapshot time window. Risk event categories include: normal, scanning probe, privilege escalation, lateral movement, data breach, etc., and are represented using one-hot encoding.
[0046] The loss function used is the classification cross-entropy loss, and the calculation formula is as follows: in, This represents the total number of risk event categories. This is the true category indicator value; if the true category is... Then take 1, otherwise take 0. This represents the predicted probability output by the recurrent neural network. The training objective is to enable the model to accurately predict the types of high-risk events that may occur in the next moment based on a sequence of historical snapshots.
[0047] The system uses the Adam optimizer during training, with an initial learning rate of 0.001, and employs an early stopping strategy to prevent overfitting. After training, the parameters of the graph convolutional network and recurrent neural network are fixed for real-time inference.
[0048] In summary, step S3 first utilizes a graph convolutional network to extract the spatial topological features of each graph snapshot, then uses gated recurrent units to capture the evolution of these features over time, ultimately outputting a sequence of hidden state vectors that fuses spatiotemporal information. This sequence contains both the static relationship structure between entities and the dynamic trends of behavioral patterns. Next, step S4 will use an attention mechanism based on these hidden state vectors to predict and score the probability of future risk paths.
[0049] Next, in step S4, the hidden state vector sequence output from step S3 is used as input. First, an attention mechanism is used to focus on key historical events. Then, the probability of future abnormal associations between entities is calculated through link prediction. Finally, the risk path is prioritized and corrected based on the behavior expansion speed, and the risk evolution score is output. The specific implementation steps are as follows.
[0050] Step S401, Attention Weight Calculation and Background Vector Generation: For each target entity, the system calculates the correlation between its current hidden state vector and its hidden state vectors from multiple historical time points. Specifically, dot product similarity is used as the metric: for the current time... Hidden state vector With historical moments Hidden state vector Calculate the dot product .in The length of the backtracking window, which is an integer between 10 and 20.
[0051] The obtained similarity scores are normalized using the softmax function to obtain the attention weight coefficients. : Weighting coefficient Reflecting historical moments The significance of the behavior's contribution to current and future risks is determined. Subsequently, the hidden state vectors at each historical moment are weighted and summed according to weight coefficients to generate the enhanced background vector. This background vector highlights key historical events that play a crucial role in the attack chain, such as the initial credential theft or early scanning probes.
[0052] Step S402, Link Prediction and Risk Evolution Score Calculation: The system uses a link prediction algorithm to calculate the probability of abnormal associations occurring between different entities at future times. Let the main entity... The spatiotemporal fusion hidden state vector is object entity The hidden state vector is Both are 128-dimensional or 256-dimensional vectors output from step S303. A learnable correlation transformation matrix is defined. , dimension ,in is the dimension of the hidden state vector, and its value is determined through training.
[0053] Predicted time entity With entity The formula for calculating the probability of an illegal association existing is: The meanings of the symbols in the formula are as follows: Predicting at time At that time, the main entity With the object entity The conditional probability value for an illegal association between them, ranging from 0 to 1. : Main entity The spatiotemporal fusion hidden state vector is in column vector form. : The transpose of , i.e., a row vector. : Learnable correlation transformation matrix, with dimension It is used to map the latent states of subjects and objects to the association space. : Object entity The spatiotemporal fusion hidden state vector. : Natural exponential function. The complete entity set, which is the set of all nodes in the current knowledge graph. Entity set Any entity in the denominator is used as the index of the summation term.
[0054] This calculation yields the probability that an illegal association exists between the main entity and a specific sensitive asset entity. The system multiplies this probability value by 100 and normalizes it into a risk score between 0 and 100, with a higher score indicating a greater risk.
[0055] Step S403: Behavioral Expansion Speed Analysis and Path Priority Correction. Based on the hidden state sequence output in step S303, the system analyzes the behavioral expansion speed of each entity. Specifically, it counts the change in the number of new connections added by an entity within the last five consecutive time windows. If the number of new connections shows an exponential growth trend or increases by more than double consecutively, and the targets involved include multiple unauthorized network segments, cross-domain operations, or high-value sensitive nodes, it is determined to be abnormal expansion.
[0056] For entities and their associated paths that meet the criteria for abnormal expansion, the system invokes a correction function to increase their risk assessment priority. The correction function is defined as follows: in, The basic risk score calculated in step S402, This is the expansion factor, which takes a value between 0 and 2, and is calculated based on the growth rate of the number of new connections. The preset weighting factor is set to 0.5. This adjustment allows attack paths that move laterally at high speeds to receive a higher risk score, thereby enabling probabilistic modeling of the entire process of "reconnaissance-intrusion-lateral movement-data leakage".
[0057] Step S404: Training setup for attention mechanism and link prediction. In order for the above attention mechanism and link prediction model to accurately predict risks, they need to be trained together.
[0058] The training data is constructed as follows: A sequence of labeled hidden state vectors is extracted from a historical security event database. Each training sample contains a continuous sequence of hidden state vectors. The sequence of hidden state vectors at each time step (k) and their corresponding ground truth labels. The ground truth labels are binary matrices with dimension (k). , of which elements Indicates the time of prediction entity With entity If an illegal connection exists between the two entities, the value is 0; otherwise, it is 0. Positive samples are taken from edges in confirmed attack chains, while negative samples are randomly sampled from unrelated entity pairs, with a quantity three times that of positive samples.
[0059] The loss function used is binary cross-entropy loss, and the calculation formula is as follows: in, The total number of all entities. For real labels, This refers to the probability values predicted by the model in step S402. The training objective is to optimize the loss function. The goal is to minimize, even if the model predicts illegal associations as accurately as possible. The system uses the Adam optimizer with a learning rate of 0.0005, 50 training epochs, and employs an early stopping strategy to prevent overfitting.
[0060] Weighting coefficients in attention mechanisms It contains no additional trainable parameters; its training is implicitly accomplished through backpropagation of the linked prediction loss, since the attention weights influence the final generated background vector. This, in turn, affects the hidden state vector. and The quality.
[0061] Step S4 first utilizes an attention mechanism to enhance the feature representation of historical key events. Then, it calculates the probability of future illegal associations between entities through link prediction and prioritizes risk paths based on the speed of behavioral expansion, ultimately obtaining a risk evolution score. This score integrates spatiotemporal characteristics, historical key events, and attack expansion trends. Next, step S5 will trigger an alert based on this score and provide a visual representation.
[0062] Finally, in step S5, the risk evolution score output from step S4 is used as input. It is compared in real-time with preset grading thresholds. An early warning is triggered when the threshold is exceeded, and a visualized risk path map is generated. Simultaneously, a closed-loop response is achieved through multi-channel notifications and automated linkage. The specific implementation steps are as follows.
[0063] Step S501: Setting and Real-time Comparison of Tiered Risk Thresholds. The system pre-sets differentiated risk thresholds based on the importance level of the protected assets. For core assets, such as core database servers, root certificate servers, and domain controllers, a lower first preset risk threshold is set, where an alarm is triggered when the risk score reaches 60.
[0064] For ordinary assets, such as general office terminals and ordinary application servers, a higher second preset risk threshold should be set, where an alarm is triggered only when the risk score reaches 85. For important assets that fall between these two thresholds, an intermediate threshold, such as 75, can be set.
[0065] The system receives the risk evolution score calculated in step S402 in real time, which has been normalized to the range of 0 to 100. The risk score of each entity or entity pair is compared with the risk threshold of the corresponding asset level. If the score reaches or exceeds the threshold, an alert is triggered.
[0066] Step S502: Automatic generation and display of the risk path map. When the risk evolution score exceeds a preset threshold, the system automatically generates a path map reflecting the risk's evolution from its initial stage to its final state. This map is displayed on the security management terminal in the form of a dynamic topology graph. Specifically, the generation method is as follows: starting from the entity node that triggered the warning, the system traces back its associated historical paths, including entities corresponding to historical events with high attention weights in step S401 and nodes involved in abnormal expansion in step S403, and overlays the future associated edges predicted in step S402.
[0067] The visual encoding rules for the network graph are as follows: Each node represents a network entity, and the depth of the node's background color represents the degree of threat, for example, a gradient from light yellow to dark red, with darker colors indicating higher risk. The shape of the node's icon represents the entity type; for example, firewalls use a shield shape, virtual machines use a cube shape, and privileged accounts use a key shape.
[0068] The lines with arrows represent the attacker's evolution path and the predicted next action. The thickness of the lines is proportional to the risk probability predicted in step S402. The annotation information on the lines includes the specific protocol name, timestamp, and feature dimension that triggered the alarm. For example, annotating SSH brute force 2025-03-18 14:23:05 connection dispersion anomaly.
[0069] Step S503: Multi-channel real-time notification and automated linkage. The triggering of the warning signal simultaneously activates the multi-channel real-time notification mechanism. On the security management terminal, a top-level real-time alarm window pops up, displaying a risk summary, a list of affected assets, and recommended handling suggestions. Simultaneously, the system calls a preset notification interface to automatically send instant messages to configured administrator mobile devices, containing the same risk summary, list of affected assets, and recommended handling suggestions.
[0070] This system also includes a northbound interface, through which it interacts with an external automated orchestration system. Upon receiving risk information, the external automated orchestration system automatically marks the affected asset nodes with temporary control policies, such as restricting outbound connections to the node, isolating virtual networks, or suspending login permissions for privileged accounts. In this way, a closed-loop processing flow is formed from risk perception to automated interception.
[0071] In summary, through step S5, the system achieves graded comparison of risk scores and real-time early warning triggering, and displays the complete evolution chain of risks with an intuitive path map. Simultaneously, it completes a closed-loop response through multi-channel notifications and automated linkage. This early warning mechanism can prioritize defense resources on critical assets, provide security operations personnel with clear tracing and analysis basis, and provide triggering conditions for automated handling.
[0072] Furthermore, the method also includes a self-evolving optimization mechanism. The system establishes a security risk knowledge base containing a large-scale historical warning record. Machine learning algorithms are used to automatically label and deeply analyze false alarm samples reported by operations and maintenance personnel. Specifically, samples marked as false alarms by operations and maintenance personnel are used as negative samples, and alarms confirmed as correct within the same time window are used as positive samples, thus constructing a binary classification training dataset.
[0073] Through a feedback mechanism, the system continuously backpropagates errors to optimize the weight parameters in the graph convolution operation and the gating threshold in the recurrent neural network. During backpropagation, the system calculates the cross-entropy loss between the output node category of the graph convolutional network and the corrected label, as well as the classification cross-entropy loss between the predicted risk event category and the true category of the recurrent neural network. The two are then weighted and summed before the network parameters are updated using gradient descent.
[0074] This optimization process continues until the early warning accuracy reaches the preset high accuracy target of 95%. This allows the early warning accuracy to continuously improve over time, thereby combating ever-evolving new network threats.
[0075] The method demonstrates strong time-series analysis capabilities when dealing with Advanced Persistent Threats (APTs). By analyzing specific historical spans, such as snapshot sequences over 30 consecutive days, the system can identify low-frequency, scattered probing behaviors that are not readily apparent within a single window. Through long-term gradient accumulation, it identifies deep causal relationships between these behaviors and eventual privilege escalation or data breach attempts, enabling early warning of latent risks. The warning lead time is typically within a preset timeframe, allowing ample time for emergency response.
[0076] On the other hand, the knowledge graph-based intelligent early warning system for security risks disclosed in this application includes: The data acquisition and quadruple construction module is used to collect multi-source heterogeneous security data, clean and structure the data, and construct a temporal quadruple sequence consisting of subject, predicate, object and occurrence time. The dynamic graph snapshot sequence generation module is used to take the time-series quadruple sequence as input, set a sliding time window, dynamically adjust the step size of the sliding time window according to the ratio of the current network traffic density to a preset density threshold, and divide the time-series quadruple sequence into multiple consecutive graph snapshots in chronological order. A time overlap region of 20% to 50% of the window length is set between two adjacent graph snapshots. The spatiotemporal feature extraction module is used to extract the spatial structure features of each graph snapshot using the graph snapshot sequence as input, obtain a spatial representation vector matrix, and then use a gated recurrent unit to extract the temporal evolution features of the spatial representation vector matrix in chronological order, and output a hidden state vector sequence that integrates spatiotemporal information. The risk prediction and correction module is used to take the hidden state vector sequence as input, generate an enhanced background vector using an attention mechanism, calculate the probability of illegal associations between different entities in the future based on the background vector through link prediction to obtain a basic risk score, and count the changes in new connection relationships of entities within the most recent consecutive predetermined number of time windows. When the number of new connections shows an exponential growth trend and the targets involved include unauthorized network segments or cross-domain operations, the correction function is called to prioritize the correction of the basic risk score to output a risk evolution score. The early warning triggering and display module is used to compare the risk evolution score with the preset classification threshold in real time. When the risk evolution score reaches or exceeds the classification threshold, an early warning is triggered, and a visualized risk path map is generated and displayed.
[0077] It will be apparent to those skilled in the art that the present invention is not limited to the details of the exemplary embodiments described above, and that the present invention can be implemented in other specific forms without departing from the spirit or essential characteristics of the present invention. Therefore, the embodiments should be regarded as exemplary and non-limiting in all respects.
[0078] Furthermore, it should be understood that although this specification describes embodiments, not every embodiment contains only one independent technical solution. This narrative style is merely for clarity. Those skilled in the art should consider the specification as a whole, and the technical solutions in each embodiment can also be appropriately combined to form other embodiments that can be understood by those skilled in the art.
Claims
1. A knowledge graph-based intelligent early warning method for security risks, characterized in that, include: S1: Collect multi-source heterogeneous security data, clean and structure it, and construct a time-series quadruple sequence consisting of subject, predicate, object and occurrence time; S2: Using the time-series quadruple sequence as input, a sliding time window is set, and the window step size is dynamically adjusted according to the ratio of the current network traffic density to the preset density threshold. The window length is adjusted within the range of 30 seconds to 300 seconds. The time-series quadruple sequence is divided into multiple consecutive graph snapshots in chronological order, and a time overlap area of 20% to 50% of the window length is provided between adjacent graph snapshots. S3: Using the graph snapshot sequence as input, the spatial structure features of each graph snapshot are extracted using a graph convolutional network to obtain a spatial representation vector matrix. Then, the temporal evolution features are extracted using a gated recurrent unit to output a hidden state vector sequence that integrates spatiotemporal information. S4: Using the hidden state vector sequence as input, an enhanced background vector is generated using an attention mechanism. Based on the background vector, the probability of illegal associations between entities in the future is calculated through link prediction to obtain a basic risk score. The changes in newly added connections of entities within the most recent predetermined number of time windows are statistically analyzed. When the number of new connections grows exponentially and involves unauthorized network segments or cross-domain operations, a correction function is invoked. The basic risk score is prioritized and adjusted to output a risk evolution score, whereby... This is the expansion factor calculated based on the growth rate of new connections; S5: The risk evolution score is compared with the preset grading threshold in real time. When the threshold is reached or exceeded, an early warning is triggered, and a visualized risk path map is generated and displayed.
2. The method according to claim 1, characterized in that, Step S1 further includes: S101: Deploy distributed data acquisition components in the backbone nodes and core switches of the network to acquire multi-source heterogeneous security data in real time. The multi-source heterogeneous security data includes traffic records of boundary protection devices, process monitoring data of terminal hosts, access behavior audit logs of databases, and permission change records of internal networks. S102: Call the data cleaning module to standardize the acquired raw data, use field mapping technology to map log fields from different vendors to a globally unified security model, and use a predefined ontology model to convert unstructured text data into a unified semantic representation. S103: Extract core entities, relationships between entities, and corresponding timestamp information from the cleaned data, and construct a set of time-series quadruples consisting of subject, predicate, object, and occurrence time.
3. The method according to claim 1, characterized in that, In step S2, the step size of the sliding time window is dynamically adjusted according to the ratio of the current network traffic density to a preset density threshold. Specifically, when the number of time-series quadruples generated per unit time exceeds the density threshold, the current window step size is reduced proportionally, and the reduction coefficient is the ratio of the density threshold to the actual density. When the number of time-series quadruples generated per unit time is lower than the density threshold, the current window step size is increased by the same proportion.
4. The method according to claim 1, characterized in that, In step S2, each graph snapshot is mathematically represented using an adjacency matrix. When the element value in the adjacency matrix is non-zero, it indicates that there is an association between nodes. The element value is quantified according to the attributes of the association. At the same time, an initial feature vector is constructed for each entity node. The initial feature vector integrates the static attributes of the node and the real-time interaction features of the node.
5. The method according to claim 1, characterized in that, In step S3, spatial structure features are extracted using a graph convolutional network. Specifically, multiple layers of graph convolution are performed independently for each graph snapshot. Each layer of graph convolution updates the node representation by aggregating the features of the node and its neighboring nodes. The update rule is as follows: Where is the graph adjacency matrix after adding self-joins, and is the corresponding degree matrix. Let l be the node feature matrix of the l-th layer. The weight parameter matrix is a learnable matrix. This is the ReLU activation function.
6. The method according to claim 1, characterized in that, In step S3, the temporal evolution features are extracted using a gated recurrent unit. Specifically, the spatial representation vector matrix of each graph snapshot is flattened into a one-dimensional feature vector and then input into the gated recurrent unit network in chronological order. The gated loop unit controls the proportion of the hidden state from the previous time step retained to the current time step by updating the gate, and determines how to combine the current input with the hidden state from the previous time step by resetting the gate. The update process includes: calculating the update gate. Reset door Candidate hidden states and the current hidden state ,in, It is the sigmoid activation function. This indicates element-wise multiplication.
7. The method according to claim 1, characterized in that, In step S4, the enhanced background vector is generated using an attention mechanism. Specifically, for each target entity, the dot product similarity between its current hidden state vector and its hidden state vectors from multiple historical time points is calculated. The obtained similarity scores are then normalized using a softmax function to obtain the attention weight coefficients. Then, the hidden state vectors at each historical moment are summed by weighting according to the attention weight coefficients to generate the enhanced background vector. ,in This is the length of the backtracking window.
8. The method according to claim 1, characterized in that, In step S4, the probability of illegal associations arising between different entities at future times is calculated through link prediction. Specifically, let the main entity be... The spatiotemporal fusion hidden state vector is object entity The hidden state vector is Define a learnable correlation transformation matrix Then predict the time entity With entity The formula for calculating the probability of an illegal association existing is: ,in, It is the complete set of entities.
9. The method according to claim 1, characterized in that, In step S5, a visualized risk path map is generated and displayed. Specifically, starting from the entity node that triggers the warning, the historical path associated with it is traced back, including the entities corresponding to historical events whose attention weight exceeds a preset threshold and the nodes involved in the abnormal expansion, and the predicted future associated edges are superimposed. In the graph, the depth of the node background color represents the degree of threat, and the thickness of the connecting lines is proportional to the predicted risk probability.
10. A knowledge graph-based intelligent early warning system for security risks, used to execute the method according to any one of claims 1 to 9, characterized in that, include: The data acquisition and quadruple construction module is used to collect multi-source heterogeneous security data, clean and structure the data, and construct a temporal quadruple sequence consisting of subject, predicate, object and occurrence time. The dynamic graph snapshot sequence generation module is used to take the time-series quadruple sequence as input, set a sliding time window, dynamically adjust the step size of the sliding time window according to the ratio of the current network traffic density to a preset density threshold, and divide the time-series quadruple sequence into multiple consecutive graph snapshots in chronological order. A time overlap region of 20% to 50% of the window length is set between two adjacent graph snapshots. The spatiotemporal feature extraction module is used to extract the spatial structure features of each graph snapshot using the graph snapshot sequence as input, obtain a spatial representation vector matrix, and then use a gated recurrent unit to extract the temporal evolution features of the spatial representation vector matrix in chronological order, and output a hidden state vector sequence that integrates spatiotemporal information. The risk prediction and correction module is used to take the hidden state vector sequence as input, generate an enhanced background vector using an attention mechanism, calculate the probability of illegal associations between different entities in the future based on the background vector through link prediction to obtain a basic risk score, and count the changes in new connection relationships of entities within the most recent consecutive predetermined number of time windows. When the number of new connections shows an exponential growth trend and the targets involved include unauthorized network segments or cross-domain operations, the correction function is called to prioritize the correction of the basic risk score to output a risk evolution score. The early warning triggering and display module is used to compare the risk evolution score with the preset classification threshold in real time. When the risk evolution score reaches or exceeds the classification threshold, an early warning is triggered, and a visualized risk path map is generated and displayed.