CN111915090A - Prediction method and device based on knowledge graph, electronic equipment and storage medium - Google Patents


Info

Publication number: CN111915090A
Authority: CN (China)
Prior art keywords: entity, knowledge graph, information, prediction, relationship
Legal status: Pending
Application number: CN202010796498.2A
Other languages: Chinese (zh)
Inventors: 李佳楠, 赵超, 肖新光
Current Assignee: Harbin Antian Science And Technology Group Co ltd; Harbin Antiy Technology Group Co Ltd
Original Assignee: Harbin Antian Science And Technology Group Co ltd

Classifications

    • G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
    • G06F16/288 Entity relationship models
    • G06F16/367 Ontology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/045 Combinations of networks

Abstract

The embodiment of the invention provides a prediction method, a prediction device, electronic equipment and a storage medium based on a knowledge graph, which address the problems that existing network space target behavior prediction technology is not mature and that the established models and the algorithms used are not systematic. The method comprises the following steps: constructing a knowledge graph whose basic unit is a triple, where the knowledge graph comprises a schema layer and a data layer and the triples are time-series triples; and predicting the relationship between an entity and other entities in the network space based on the knowledge graph.

Description

Prediction method and device based on knowledge graph, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a prediction method and device based on a knowledge graph, electronic equipment and a storage medium.
Background
Network space target behavior prediction is an important link in security situation prediction and emergency response for military networks. It helps military network managers grasp the security situation of the military network accurately and in time, and predict the attack hazards the network may face in the future, so that the resources and security facilities of the military network system can be configured reasonably. The technology keeps evolving to cope with increasingly sophisticated network behavior. Research on network space target behavior prediction at home and abroad has achieved certain results, but much still needs study and improvement. Traditional methods, such as probability-based prediction and fuzzy-theory-based prediction, each have a specific range of application. The former places strict requirements on the network security situation data samples used for prediction: the samples must follow a fairly regular distribution, whereas such samples are in general highly random, so it is difficult to obtain predicted values of high precision. The accuracy of a predicted value calculated with fuzzy theory depends on the experience and skill of the person performing the prediction, so the result is highly subjective. At present, technologies for predicting network space target behavior are not mature, the established models and the algorithms used are not systematic, and they are rarely applied to situation prediction in practical network security management, with unsatisfactory results.
The knowledge graph is a knowledge representation method that has emerged in recent years. It belongs to the category of semantic networks, can describe the entities and concepts that exist in the real world, displays the relationships among them using visualization technology, and explores and presents the semantic relationships among the concepts of a specific field. In recent years, knowledge graphs have also gained wide attention in the computer field. Knowledge graph link prediction is an important technique for learning and completing a knowledge graph; its core idea is to predict the association relationships that may exist among the entities in the graph, and so discover and restore information missing from it. The current mainstream methods for knowledge graph link prediction include tensor neural networks, graph convolutional networks and path-based modeling, but these methods only achieve good results on general knowledge graphs. General knowledge graphs mainly cover common knowledge without time attributes and are applied to business scenarios such as internet search, recommendation and question answering. In contrast, the behavior of a network space target develops as an evolving process, and knowledge about target behavior is time-sensitive. Taking phishing emails as an example, each operation carried out during the attack, such as disguising an email, directing the recipient to a special web page, or directing the recipient to enter an account password, carries a timestamp.
Most existing knowledge graph link prediction methods target static data, in which facts do not change over time. Structured knowledge, however, may hold only within a specific time period, so time-series information is very important, and a method that ignores the large amount of dynamic time-series information contained in the knowledge graph cannot predict accurately on it.
In addition, predicting the intent or next action of a network space target requires considering several factors together, such as behavior, traffic and device logs, all of which change over time and are not fixed knowledge. Therefore, when earlier link prediction methods are applied to target behavior prediction in the network space, predicting a node's association with other nodes from a single line of non-time-series information rarely yields an accurate result.
Disclosure of Invention
The embodiment of the invention provides a prediction method, a prediction device, electronic equipment and a storage medium based on a knowledge graph, and aims to solve the problems that the existing network space target behavior prediction technology is not mature, and the established model and the used algorithm are not systematic.
Based on the above problem, the prediction method based on the knowledge graph provided by the embodiment of the invention includes:
constructing a knowledge graph, wherein the basic unit of the knowledge graph is a triple, the knowledge graph comprises a schema layer and a data layer, and the triples are time-series triples; and predicting the relationship between an entity and other entities in the network space based on the knowledge graph.
Further, the triplet of the schema layer is (head entity, relationship | timing information, tail entity) or (entity, attribute value), wherein the attribute includes timing information and/or spatial information, and the timing information includes relationship establishment time, relationship deadline, and/or relationship elimination time.
Further, the data layer is built according to the established schema layer; the data layer performs entity extraction, attribute extraction and relationship extraction on unstructured, semi-structured and structured data sources, and integrates and disambiguates data from the different sources.
Further, each item of information $X^{(m)}$ of an entity X in the network space is collected based on the knowledge graph. Each item of information $X^{(m)}$ includes behavior information, traffic information and device log information related to the entity X, and is denoted $X^{(m)} = X^{(m)}_{t_1}, X^{(m)}_{t_2}, \ldots, X^{(m)}_{t_n}$ ($m = 1, 2, \ldots, N$, where m denotes one item of information related to the entity). Link prediction outputs whether a relationship Y exists between the entity and another entity Z, which can be represented as (X, whether relationship Y exists, Z); the prediction process is represented as $P = \{X, Y\} = \{X^{(1)}, X^{(2)}, \ldots, X^{(N)}, Y\}$, where P is the prediction result.
Further, collecting each item of information $X^{(m)}$ of an entity in the network space based on the knowledge graph and outputting, through link prediction, whether a relationship exists with other entities specifically comprises: vectorizing each collected item of information $X^{(m)}$ using the TransR model; feeding the vectorized $X^{(m)}$ into the time-recurrent neural network model for incremental learning; and performing sequence increment combination on the outputs of the time-recurrent neural network model before result classification, where the two entities are considered related if the result classification indicates that a relationship exists with the other entity.
The embodiment of the invention provides a prediction device based on a knowledge graph, which comprises:
a knowledge graph construction module, used for constructing a knowledge graph whose basic unit is a triple, where the knowledge graph comprises a schema layer and a data layer and the triples are time-series triples; and a prediction module, used for predicting the relationship between an entity and other entities in the network space based on the knowledge graph.
Further, the triplet of the schema layer is (head entity, relationship | timing information, tail entity) or (entity, attribute value), wherein the attribute includes timing information and/or spatial information, and the timing information includes relationship establishment time, relationship deadline, and/or relationship elimination time.
Further, the data layer is built according to the established schema layer; the data layer performs entity extraction, attribute extraction and relationship extraction on unstructured, semi-structured and structured data sources, and integrates and disambiguates data from the different sources.
Further, the prediction module comprises an information collection module, used for collecting each item of information $X^{(m)}$ of an entity X in the network space based on the knowledge graph, where each item of information $X^{(m)}$ includes behavior information, traffic information and device log information related to the entity X and is denoted $X^{(m)} = X^{(m)}_{t_1}, X^{(m)}_{t_2}, \ldots, X^{(m)}_{t_n}$ ($m = 1, 2, \ldots, N$, where m denotes one item of information related to the entity); and a result output module, used for outputting through link prediction whether a relationship Y exists with another entity Z, which can be represented as (X, whether relationship Y exists, Z), with the prediction process represented as $P = \{X, Y\} = \{X^{(1)}, X^{(2)}, \ldots, X^{(N)}, Y\}$, where P is the prediction result.
Further, the prediction module is specifically configured to: vectorize each item of information $X^{(m)}$ collected for an entity in the network space based on the knowledge graph, using the TransR model; feed the vectorized $X^{(m)}$ into the time-recurrent neural network model for incremental learning; and perform sequence increment combination on the outputs of the time-recurrent neural network model before result classification, where the two entities are considered related if the result classification indicates that a relationship exists with the other entity.
The embodiment of the invention also discloses an electronic device based on prediction of the knowledge graph, which comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory for performing any of the aforementioned knowledge-graph based prediction methods.
Embodiments of the present invention provide a computer readable storage medium having stored thereon one or more programs executable by one or more processors to implement any of the aforementioned knowledge-graph based prediction methods.
Compared with the prior art, the prediction method, the prediction device, the electronic equipment and the storage medium based on the knowledge graph provided by the embodiment of the invention at least realize the following beneficial effects: the method solves the problems of mining and predicting the target behavior rule of the network space, realizes the short-term prediction and the medium-and-long-term trend study and judgment of the network security situation, provides effective prediction information for assisting decision in time for commanders of our army, and reduces decision errors.
Drawings
FIG. 1 is a flow chart of a prediction method based on knowledge-graph according to an embodiment of the present invention;
FIG. 2 is a sample knowledge graph provided by an embodiment of the present invention;
FIG. 3 is a flow chart of yet another knowledge-graph based prediction method provided by an embodiment of the present invention;
FIG. 4 is a flow chart of another knowledge-graph based prediction method provided by an embodiment of the invention;
FIG. 5 is a knowledge graph link prediction model based on LSTM sequence incremental learning according to an embodiment of the present invention;
FIG. 6 is a block diagram of a knowledge-graph based prediction apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following describes specific embodiments of a prediction method, a prediction apparatus, an electronic device, and a storage medium based on a knowledge graph according to embodiments of the present invention with reference to the accompanying drawings.
The prediction method based on the knowledge graph provided by the embodiment of the invention, as shown in fig. 1, specifically comprises the following steps:
S101, constructing a knowledge graph, wherein the knowledge graph comprises a schema layer and a data layer;
In 2012, Google proposed the concept of the knowledge graph. A knowledge graph aims to describe the concepts, entities and events of the objective world and the relationships among them. It is essentially a knowledge base of the kind called a semantic network, that is, a knowledge base with a directed graph structure. In a knowledge graph, if a relationship exists between two nodes, the two nodes are connected by an edge; a node is called an Entity and the edge between two nodes is called a Relationship. An example of a knowledge graph is shown in fig. 2.
The basic unit of the knowledge graph is a triple, and the triples are time-series triples. A triple of the schema layer is (head entity, relationship | timing information, tail entity) or (entity, attribute value), where the attribute includes timing information and/or spatial information, and the timing information includes relationship establishment time, relationship deadline and/or relationship elimination time. The data layer is built according to the established schema layer; it performs entity extraction, attribute extraction and relationship extraction on unstructured, semi-structured and structured data sources, and integrates and disambiguates data from the different sources.
S102, predicting the relation between an entity and other entities in a network space based on the knowledge graph;
Each item of information $X^{(m)}$ of an entity X in the network space is collected based on the knowledge graph. Each item of information $X^{(m)}$ includes, but is not limited to, behavior information, traffic information and device log information related to the entity X, and is denoted $X^{(m)} = X^{(m)}_{t_1}, X^{(m)}_{t_2}, \ldots, X^{(m)}_{t_n}$ ($m = 1, 2, \ldots, N$, where m denotes one item of information related to the entity). Link prediction outputs whether a relationship Y exists between the entity and another entity Z, which can be represented as (X, whether relationship Y exists, Z); the prediction process is represented as $P = \{X, Y\} = \{X^{(1)}, X^{(2)}, \ldots, X^{(N)}, Y\}$, where P is the prediction result;
In more detail, each item of information $X^{(m)}$ collected for an entity in the network space based on the knowledge graph is vectorized using the TransR model; the vectorized $X^{(m)}$ is fed into the time-recurrent neural network model for incremental learning; the outputs of the time-recurrent neural network model are combined by sequence increment and then passed to result classification, and if the result classification indicates that a relationship exists with the other entity, the two entities are considered related.
The embodiment of the invention fully considers elements of a network space target such as its multidimensional attributes, communication modes and behavior characteristics, and draws on the knowledge graph's clear advantage of describing real-world entities, concepts and association relationships objectively. By studying how to construct a knowledge graph oriented to network space target behavior, it mainly solves the problems of mining the behavior patterns of network space targets and predicting their intent. This enables short-term prediction and medium-term trend assessment of the network security situation, provides commanders of our army with timely and effective prediction information to assist decisions, and reduces decision errors.
As shown in fig. 3, the other prediction method based on the knowledge graph provided in the embodiment of the present invention specifically includes the following steps:
S201, constructing a knowledge graph, wherein the knowledge graph comprises a schema layer and a data layer;
In general, there are two methods for constructing a knowledge graph. The embodiment of the invention constructs the knowledge graph top-down, that is, ontology and schema information is extracted from high-quality data, drawing on structured data sources such as encyclopedia websites, and added to the knowledge base;
The knowledge graph comprises a schema layer and a data layer. The schema layer is established first, and the data layer is then built according to it. In the embodiment of the invention, an ontology base is used to manage the schema layer of the knowledge graph; the ontology is the concept template of a structured knowledge base, and a knowledge base formed from an ontology base has a stronger hierarchical structure and less redundancy;
The embodiment of the invention also considers the time-series nature of target behavior as it develops over time in the network space. Starting from practical data and combining the experience and knowledge of network security engineers, it studies inference over knowledge graph time-series information using triples with time annotations. For example, an ordinary triple is expanded into a time-series triple (H, R | τ, T), where H is the head entity, R is the relationship, T is the tail entity, and τ provides additional time-series information about when the fact holds. In practical applications, the behavior triple sequence of the target host A may be $X^{(1)}$ = { (host A, behavior | 1 March 2020 14:10, disguising an email), (host A, behavior | 1 March 2020 16:44, directing the recipient to a tailored web page), (host A, behavior | 2 March 2020 10:27, directing the recipient to enter an account password), … }.
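An added example, not part of the patent text: a minimal Python representation of the time-series triple (H, R | τ, T) described above, which parses triples written in that form, groups them into per-item sequences $X^{(m)}$ ordered by τ, and answers which facts hold at a given time. The textual line format, the optional elimination-time field and every traffic, device-log and host B record are assumptions constructed for illustration; only the three host A behavior entries come from the text.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Assumed textual form of a time-series triple: (H, R | tau, T)
TRIPLE_RE = re.compile(
    r"^\(\s*(?P<head>[^,|]+?)\s*,\s*(?P<rel>[^,|]+?)\s*\|"
    r"\s*(?P<tau>[^,|]+?)\s*,\s*(?P<tail>.+?)\s*\)$"
)
TIME_FORMAT = "%Y-%m-%d %H:%M"


@dataclass(frozen=True)
class TemporalTriple:
    head: str
    relation: str
    tail: str
    established: datetime                  # tau: relationship establishment time
    eliminated: Optional[datetime] = None  # relationship elimination time, if known

    def __post_init__(self):
        if self.eliminated is not None and self.eliminated <= self.established:
            raise ValueError("elimination time must follow establishment time")

    def holds_at(self, when: datetime) -> bool:
        """A fact holds from its establishment time until it is eliminated."""
        if when < self.established:
            return False
        return self.eliminated is None or when < self.eliminated


def parse_triple(text: str) -> TemporalTriple:
    """Parse '(H, R | tau, T)'; reject lines that lack the time annotation."""
    match = TRIPLE_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a time-series triple: {text!r}")
    tau = datetime.strptime(match["tau"], TIME_FORMAT)
    return TemporalTriple(match["head"], match["rel"], match["tail"], tau)


def build_sequences(triples: Iterable[TemporalTriple],
                    head: str) -> Dict[str, List[TemporalTriple]]:
    """Group one entity's triples per information item and order each by tau."""
    sequences = defaultdict(list)
    for triple in triples:
        if triple.head == head:
            sequences[triple.relation].append(triple)
    return {rel: sorted(seq, key=lambda t: t.established)
            for rel, seq in sequences.items()}


def facts_at(triples: Iterable[TemporalTriple],
             when: datetime) -> List[TemporalTriple]:
    """Return the triples whose validity period contains 'when'."""
    return [t for t in triples if t.holds_at(when)]


# Sample data, deliberately out of order. The behavior entries follow the
# host A sequence in the text; everything else is constructed.
SAMPLE = [parse_triple(line) for line in [
    "(host A, behavior | 2020-03-02 10:27, direct recipient to enter account password)",
    "(host A, behavior | 2020-03-01 14:10, disguise email)",
    "(host A, behavior | 2020-03-01 16:44, direct recipient to tailored web page)",
    "(host A, device log | 2020-03-01 14:02, power on)",     # constructed
    "(host B, behavior | 2020-03-01 15:00, print document)",  # constructed
]] + [
    # Constructed fact with a bounded validity period.
    TemporalTriple("host A", "traffic", "network connection",
                   datetime(2020, 3, 1, 14, 5), datetime(2020, 3, 2, 11, 0)),
]

if __name__ == "__main__":
    for item, seq in build_sequences(SAMPLE, "host A").items():
        print(item, [(t.established.isoformat(" "), t.tail) for t in seq])
```
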
S202, collecting each item of information $X^{(m)}$ of an entity in the network space based on the knowledge graph;
Whether an entity in the network space (such as a host, router, printer or server) is associated with other entities cannot be determined from a behavior sequence alone; the traffic sequence, the device log sequence and so on must also be taken into account. Here the other entities may include an intent (such as internal reconnaissance, password modification, privilege escalation or denial of service) or a next-step behavior. For example, the time-series triple sequences $X^{(m)}$ that characterize the target's dynamic information, shown in the following table, are taken as input; $X^{(m)}$ denotes a time-labeled triple sequence corresponding to a feature of the target such as behavior or traffic.
[Table not reproduced: time-series triple sequences $X^{(m)}$ for host A (original images BDA0002625827610000071 and BDA0002625827610000081)]
The dynamic time-series triple sequence of host A can then be represented as $X = X^{(1)}, X^{(2)}, X^{(3)}$. When a phishing attack is carried out, the intent prediction process can be expressed as $P = \{X, Y\} = \{X^{(1)}, X^{(2)}, X^{(3)},$ (host A, whether a relationship exists, implementing a phishing attack)$\}$.
S203, predicting and outputting whether a relationship Y exists with another entity Z, where Y can be represented as (X, whether relationship Y exists, Z) and the prediction process is represented as $P = \{X, Y\} = \{X^{(1)}, X^{(2)}, \ldots, X^{(N)}, Y\}$, where P is the prediction result;
According to the table, Y can be expressed as (host A, whether relationship Y exists, implementing a phishing email attack). It is easy to infer that host A powers on, establishes a network connection, disguises an email to direct the recipient to a specific web page, then performs a series of operations such as directing the recipient to enter an account password, and finally shuts down once the behavior is complete. This closely matches the characteristics of a phishing email attack, so the prediction result P can be deduced: host A has this intent. The device node "host A" can then be connected to the intent node "implementing a phishing email attack" in the knowledge graph to complete the inference. The whole process is automated and requires no manual intervention.
The embodiment of the invention takes into account that behavior information about a network space target may hold only within a specific time period. It expands the ordinary knowledge graph into a time-series knowledge graph and uses triples with time labels to study inference over the time-series information in the network space target behavior knowledge graph, making up for the difficulty existing knowledge graph link prediction methods have in predicting time-series information in knowledge graphs of the network space domain.
Another prediction method based on a knowledge graph provided in the embodiment of the present invention, as shown in fig. 4, specifically includes the following steps:
S301, constructing a knowledge graph, wherein the knowledge graph comprises a schema layer and a data layer;
S302, collecting each item of information $X^{(m)}$ of an entity in the network space based on the knowledge graph;
S303, based on the knowledge graph link prediction model with LSTM sequence incremental learning, vectorizing each item of information $X^{(m)}$ using the TransR model;
The knowledge graph link prediction model with LSTM sequence incremental learning comprises a triple sequence input layer, an incremental computation layer, an LSTM sequence combination layer and a result output layer, as shown in fig. 5;
Each item of information $X^{(m)}$ is vectorized using the TransR model, and the resulting vectors serve as the triple sequence input layer of the model.
S304, feeding the $X^{(m)}$ vectorized by the TransR model into the time-recurrent neural network model for incremental learning;
S305, performing sequence increment combination on the outputs of the time-recurrent neural network model;
The outputs $V^{(m)}$ of the time-recurrent neural network model are combined by sequence increment to obtain V. The principle is that if a later vector and an earlier vector both have a value at the same position, the feature is enhanced by incremental superposition, and the enhanced feature is used as the next input for further operation. As shown in fig. 5, each rectangular box represents one position of the vector and different colors represent different values: white means no data, white with diagonal lines means data is present, gray with diagonal lines means data enhanced by superposing two white-diagonal positions, and black means the position has undergone multiple incremental combinations.
S306, entering result classification, and if the result classification indicates that the relation exists between the two entities, considering that the two entities are related, otherwise, considering that the two entities are unrelated.
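An added example, not part of the patent text: one possible reading of the sequence increment combination in S305, in Python. It assumes that a position without data is represented as None, that superposition is element-wise addition, and that a value present in only one vector is carried forward unchanged; the vectors are constructed sample values rather than outputs of a trained model, and the state names are this example's own labels for the shading described for fig. 5.

```python
from typing import List, Optional, Sequence, Tuple

# A vector position holds a float, or None when it carries no data
# (the "white" boxes in the description of fig. 5). Assumption of this example.
Vector = Sequence[Optional[float]]


def combine_pair(acc: Vector, nxt: Vector) -> List[Optional[float]]:
    """Combine the running result with the next vector.

    Where both have a value the feature is enhanced by superposition
    (addition, an assumption); otherwise the single value, if any, is kept.
    """
    if len(acc) != len(nxt):
        raise ValueError("vectors must have the same length")
    out: List[Optional[float]] = []
    for a, b in zip(acc, nxt):
        if a is not None and b is not None:
            out.append(a + b)
        else:
            out.append(a if a is not None else b)
    return out


def incremental_combine(
    vectors: Sequence[Vector],
) -> Tuple[List[Optional[float]], List[int]]:
    """Fold V(1), V(2), ... in order; each enhanced result is the next input.

    Returns the combined vector V and, per position, how many of the input
    vectors contributed a value there.
    """
    if not vectors:
        raise ValueError("at least one vector is required")
    combined = list(vectors[0])
    hits = [0 if x is None else 1 for x in combined]
    for vec in vectors[1:]:
        combined = combine_pair(combined, vec)
        hits = [h + (x is not None) for h, x in zip(hits, vec)]
    return combined, hits


def position_states(hits: Sequence[int]) -> List[str]:
    """Label each position by how often it was reinforced (own naming)."""
    names = {0: "no data", 1: "data", 2: "enhanced"}
    return [names.get(h, "multiply enhanced") for h in hits]


# Constructed sample vectors standing in for the outputs V(1), V(2), V(3).
V1 = [0.5, None, 0.25, None]
V2 = [0.25, None, None, 1.0]
V3 = [0.25, None, 0.5, None]

if __name__ == "__main__":
    v, hits = incremental_combine([V1, V2, V3])
    for value, state in zip(v, position_states(hits)):
        print(value, state)
```
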
The embodiment of the invention provides a prediction method of a knowledge graph link prediction model based on LSTM sequence incremental learning, which further perfects the discovery and reasoning process of missing information in a network space target behavior knowledge graph.
An embodiment of the present invention further provides a prediction apparatus based on a knowledge graph, as shown in fig. 6, including:
Knowledge graph construction module 401: used for constructing a knowledge graph whose basic unit is a triple, where the knowledge graph comprises a schema layer and a data layer and the triples are time-series triples;
Prediction module 402: used for predicting the relationship between an entity and other entities in the network space based on the knowledge graph.
Further, the triplet of the schema layer is (head entity, relationship | timing information, tail entity) or (entity, attribute value), wherein the attribute includes timing information and/or spatial information, and the timing information includes relationship establishment time, relationship deadline, and/or relationship elimination time.
Further, the data layer is established according to the established mode layer, and the data layer performs entity extraction, attribute extraction and relationship extraction from sources of unstructured data, semi-structured data and structured data, and integrates and disambiguates data from different sources.
Further, the prediction module further comprises an information collection module, configured to collect, based on the knowledge graph, each item of information $X^{(m)}$ of an entity X in the network space, where each item of information $X^{(m)}$ includes behavior information, traffic information and device log information related to the entity X, denoted $X^{(m)} = X^{(m)}_{t_1}, X^{(m)}_{t_2}, \ldots, X^{(m)}_{t_n}$ ($m = 1, 2, \ldots, N$, where m is defined as some item of relevant information related to the entity); and a result output module, configured to output, through link prediction, whether a relationship Y exists with another entity Z, which may be represented as (X, Y, Z); the prediction process is represented as $P = \{X, Y\} = \{X^{(1)}, X^{(2)}, \ldots, X^{(N)}, Y\}$, where P is the predicted result.
Further, the prediction module is specifically configured to: vectorize each item of information $X^{(m)}$ of an entity in the network space, collected based on the knowledge graph, using a TransR translation model; pass the $X^{(m)}$ vectorized by the TransR translation model into the time recurrent neural network model for incremental learning; and perform sequence incremental combination on the output of the time recurrent neural network model, then proceed to result classification, and if the result classification shows that a relationship exists with another entity, consider the two entities to be related.
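The following added example (not code from the patent or its applicant) illustrates the vectorization and link-scoring stage described above: time-series triples with establishment and elimination times, the standard TransR score ||h·M_r + r − t·M_r||², and a ranking of candidate tail entities for (X, Y, ?). Entity names, timestamps, vectors and the projection matrix are constructed and untrained, and the recurrent-network and classification stages are not included.

```python
"""TransR scoring over time-series triples (constructed data, untrained embeddings)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TemporalTriple:
    head: str
    relation: str
    tail: str
    established: int            # relationship establishment time
    eliminated: Optional[int]   # relationship elimination time; None = still active

    def valid_at(self, ts: int) -> bool:
        """True if the relationship holds at time ts (elimination time is exclusive)."""
        return self.established <= ts and (self.eliminated is None or ts < self.eliminated)


def project(vec, matrix):
    """Map a k-dim entity vector into the d-dim relation space (vec @ matrix)."""
    return [sum(v * row[j] for v, row in zip(vec, matrix))
            for j in range(len(matrix[0]))]


def transr_score(h, r, t, m_r):
    """TransR distance ||h*M_r + r - t*M_r||^2; a lower score is more plausible."""
    h_r, t_r = project(h, m_r), project(t, m_r)
    return sum((a + b - c) ** 2 for a, b, c in zip(h_r, r, t_r))


def rank_tails(head, relation, ts, graph, ent, rel, proj):
    """Rank candidate tails for (head, relation, ?) that are not already linked at ts."""
    known = {t.tail for t in graph
             if t.head == head and t.relation == relation and t.valid_at(ts)}
    candidates = [e for e in ent if e != head and e not in known]
    return sorted(
        (transr_score(ent[head], rel[relation], ent[c], proj[relation]), c)
        for c in candidates
    )


# --- Constructed sample data (hypothetical names and values) ---
ENT = {                          # 3-dim entity embeddings
    "host_a": [1.0, 0.0, 0.0],
    "srv_b": [1.0, 1.0, 5.0],    # far from host_a in entity space (3rd dimension)
    "srv_c": [1.0, 0.0, 2.0],
    "srv_d": [3.0, 1.0, 0.0],
}
REL = {"communicates_with": [0.0, 1.0]}           # 2-dim relation embedding
PROJ = {"communicates_with": [[1.0, 0.0],         # M_r keeps dimensions 1 and 2,
                              [0.0, 1.0],         # drops dimension 3
                              [0.0, 0.0]]}
GRAPH = [TemporalTriple("host_a", "communicates_with", "srv_d", 100, 200)]

if __name__ == "__main__":
    for ts in (150, 250):
        print(ts, rank_tails("host_a", "communicates_with", ts, GRAPH, ENT, REL, PROJ))
```

At time 150 the existing link to `srv_d` is still valid and is excluded from the candidates; at time 250 it has been eliminated, so `srv_d` is scored again alongside the others.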
The embodiment of the invention fully considers elements such as the multidimensional attributes, communication modes and target behavior characteristics of network space targets, and builds on the knowledge graph's clear advantage of objectively describing entities, concepts and association relationships in the real world. By studying the construction of a knowledge graph oriented to network space target behavior, it mainly solves the problems of mining the behavior rules of network space targets and predicting their intent, thereby realizing short-term prediction and medium-term trend assessment of the network security situation, providing commanders of our army with timely and effective prediction information to assist decisions, and reducing decision errors.
An embodiment of the present invention further provides an electronic device, fig. 7 is a schematic structural diagram of an embodiment of the electronic device of the present invention, and a flow of the embodiments shown in fig. 1 to 5 of the present invention can be implemented, as shown in fig. 7, where the electronic device may include: the device comprises a shell 51, a processor 52, a memory 53, a circuit board 54 and a power circuit 55, wherein the circuit board 54 is arranged inside a space enclosed by the shell 51, and the processor 52 and the memory 53 are arranged on the circuit board 54; a power supply circuit 55 for supplying power to each circuit or device of the electronic apparatus; the memory 53 is used to store executable program code; the processor 52 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 53, so as to execute the method for detecting a port scan attack according to any one of the foregoing embodiments.
The specific execution process of the above steps by the processor 52 and the steps further executed by the processor 52 by running the executable program code may refer to the description of the embodiment shown in fig. 1 to 5 of the present invention, and are not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily targeted at providing voice and data communications. Such terminals include: smart phones (e.g., iPhones), multimedia phones, feature phones, and low-end phones, among others.
(2) An ultra-mobile personal computer device: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include: PDA, MID, and UMPC devices, etc., such as iPads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device includes: audio and video players (e.g., iPods), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) A server: a device that provides computing services. A server comprises a processor, a hard disk, a memory, a system bus and the like; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements on processing capability, stability, reliability, security, scalability, manageability and the like are high.
(5) Other electronic devices with data interaction functions.
Embodiments of the present invention also provide a computer-readable storage medium, wherein the computer-readable storage medium stores one or more programs, which are executable by one or more processors to implement the aforementioned prediction method.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and similar parts between the embodiments may be referred to each other, and each embodiment focuses on differences from other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. However, the functionality of the units/modules may be implemented in one or more software and/or hardware when implementing the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A prediction method based on knowledge graph is characterized by comprising the following steps:
constructing a knowledge graph, wherein the basic unit of the knowledge graph is a triple;
the knowledge graph comprises a schema layer and a data layer, and the triples are time-series triples;
and predicting the relation between a certain entity and other entities in the network space based on the knowledge graph.
2. The method of claim 1, wherein the triplets of the schema layer are (head entity, relationship | timing information, tail entity) or (entity, attribute value), wherein the attribute comprises timing information and/or spatial information, and wherein the timing information comprises relationship establishment time, a finite term of a relationship, and/or relationship elimination time.
3. The method of claim 2, wherein the data layer is built according to the built schema layer, and the data layer performs entity extraction, attribute extraction and relationship extraction from unstructured data, semi-structured data and structured data sources, and integrates and disambiguates data from different sources.
4. The method of claim 3, wherein the relationship between an entity and other entities in the cyberspace is predicted based on the knowledge-graph by:
collecting, based on the knowledge graph, each item of information $X^{(m)}$ of a certain entity X in the network space, each item of information $X^{(m)}$ including behavior information, traffic information and device log information associated with the entity X, denoted $X^{(m)} = X^{(m)}_{t_1}, X^{(m)}_{t_2}, \ldots, X^{(m)}_{t_n}$ ($m = 1, 2, \ldots, N$, where m is defined as some item of relevant information related to the entity);
through link prediction, outputting whether a relationship Y exists with another entity Z, which can be expressed as (X, existence of a relationship Y, Z), and the prediction process is expressed as $P = \{X, Y\} = \{X^{(1)}, X^{(2)}, \ldots, X^{(N)}, Y\}$, wherein P is the predicted result.
5. The method of claim 4, wherein collecting each item of information $X^{(m)}$ of an entity in the network space based on the knowledge graph and outputting, through link prediction, whether a relationship exists with other entities is specifically as follows:
vectorizing each item of information $X^{(m)}$ of an entity in the network space, collected based on the knowledge graph, using a TransR translation model;
passing the $X^{(m)}$ vectorized by the TransR translation model into the time recurrent neural network model for incremental learning;
and performing sequence incremental combination on the output of the time recurrent neural network model, then proceeding to result classification, and if the result classification shows that a relationship exists with another entity, considering the two entities to be related.
6. A prediction apparatus based on a knowledge-graph, comprising:
a knowledge graph construction module, configured to construct a knowledge graph whose basic unit is a triple; the knowledge graph comprises a schema layer and a data layer, and the triples are time-series triples;
a prediction module, configured to predict the relationship between a certain entity and other entities in the network space based on the knowledge graph.
7. The apparatus of claim 6, in which the triplets of the schema layer are (head entity, relationship | timing information, tail entity) or (entity, attribute value), in which the attribute includes timing information and/or spatial information, and the timing information includes relationship establishment time, finite term of relationship, and/or relationship elimination time.
8. The apparatus of claim 7, wherein the data layer is built according to the built schema layer, and the data layer performs entity extraction, attribute extraction and relationship extraction from unstructured data, semi-structured data and structured data sources, and integrates and disambiguates data from different sources.
9. The apparatus of claim 8, wherein the prediction module further comprises,
an information collection module, configured to collect, based on the knowledge graph, each item of information $X^{(m)}$ of an entity X in the network space, each item of information $X^{(m)}$ including behavior information, traffic information and device log information associated with the entity X, denoted $X^{(m)} = X^{(m)}_{t_1}, X^{(m)}_{t_2}, \ldots, X^{(m)}_{t_n}$ ($m = 1, 2, \ldots, N$, where m is defined as some item of relevant information related to the entity);
a result output module, configured to output, through link prediction, whether a relationship Y exists with another entity Z, which can be represented as (X, existence of a relationship Y, Z), and the prediction process is represented as $P = \{X, Y\} = \{X^{(1)}, X^{(2)}, \ldots, X^{(N)}, Y\}$, wherein P is the predicted result.
10. The apparatus of claim 9, wherein the prediction module is specifically configured to:
vectorizing each item of information $X^{(m)}$ of an entity in the network space, collected based on the knowledge graph, using a TransR translation model;
passing the $X^{(m)}$ vectorized by the TransR translation model into the time recurrent neural network model for incremental learning;
and performing sequence incremental combination on the output of the time recurrent neural network model, then proceeding to result classification, and if the result classification shows that a relationship exists with another entity, considering the two entities to be related.
11. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the knowledge-graph based prediction method of any one of the preceding claims 1 to 5.
12. A computer readable storage medium, characterized in that the computer readable storage medium stores one or more programs which are executable by one or more processors to implement the method of knowledge-graph based prediction of any of the preceding claims 1 to 5.
CN202010796498.2A 2020-08-10 2020-08-10 Prediction method and device based on knowledge graph, electronic equipment and storage medium Pending CN111915090A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010796498.2A CN111915090A (en) 2020-08-10 2020-08-10 Prediction method and device based on knowledge graph, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN111915090A true CN111915090A (en) 2020-11-10

Family

ID=73283611

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010796498.2A Pending CN111915090A (en) 2020-08-10 2020-08-10 Prediction method and device based on knowledge graph, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111915090A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112508456A (en) * 2020-12-25 2021-03-16 平安国际智慧城市科技股份有限公司 Food safety risk assessment method, system, computer equipment and storage medium
CN112671792A (en) * 2020-12-29 2021-04-16 西安电子科技大学 Network event extraction method and system based on tensor decomposition and knowledge graph
CN112734132A (en) * 2021-01-22 2021-04-30 珠海格力电器股份有限公司 Equipment recommendation method and device, electronic equipment and storage medium
CN113051404A (en) * 2021-01-08 2021-06-29 中国科学院自动化研究所 Knowledge reasoning method, device and equipment based on tensor decomposition
CN113239198A (en) * 2021-05-17 2021-08-10 中南大学 Subway passenger flow prediction method and device and computer storage medium
CN113254674A (en) * 2021-07-12 2021-08-13 深圳市永达电子信息股份有限公司 Network security equipment knowledge inference method, device, system and storage medium
CN113408663A (en) * 2021-07-20 2021-09-17 中国科学院地理科学与资源研究所 Fusion model construction method, fusion model using device and electronic equipment
CN113595994A (en) * 2021-07-12 2021-11-02 深信服科技股份有限公司 Abnormal mail detection method and device, electronic equipment and storage medium
CN113610183A (en) * 2021-08-19 2021-11-05 哈尔滨理工大学 Increment learning method based on triple diversity example set and gradient regularization, computer and storage medium
CN113726545A (en) * 2021-06-23 2021-11-30 清华大学 Network traffic generation method and device for generating countermeasure network based on knowledge enhancement
CN113849659A (en) * 2021-08-18 2021-12-28 国网天津市电力公司 Construction method of audit system time sequence knowledge graph
CN114281940A (en) * 2021-12-07 2022-04-05 江苏联著实业股份有限公司 Computer cognition method and system based on semantic engineering and case learning
CN114330820A (en) * 2021-11-19 2022-04-12 北京明略软件系统有限公司 Patient disease prognosis prediction method, system, storage medium and electronic device
CN115766258A (en) * 2022-11-23 2023-03-07 西安电子科技大学 Multi-stage attack trend prediction method and device based on causal graph and storage medium
CN115964504A (en) * 2021-12-28 2023-04-14 北方工业大学 Food safety risk prediction method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109036546A (en) * 2018-06-08 2018-12-18 浙江捷尚人工智能研究发展有限公司 Link prediction technique and system for clinical field timing knowledge map
CN110489395A (en) * 2019-07-27 2019-11-22 西南电子技术研究所(中国电子科技集团公司第十研究所) Automatically the method for multi-source heterogeneous data knowledge is obtained
CN110990580A (en) * 2019-11-02 2020-04-10 国网辽宁省电力有限公司电力科学研究院 Knowledge graph construction method and device, computer equipment and storage medium

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112508456A (en) * 2020-12-25 2021-03-16 平安国际智慧城市科技股份有限公司 Food safety risk assessment method, system, computer equipment and storage medium
CN112671792A (en) * 2020-12-29 2021-04-16 西安电子科技大学 Network event extraction method and system based on tensor decomposition and knowledge graph
CN113051404A (en) * 2021-01-08 2021-06-29 中国科学院自动化研究所 Knowledge reasoning method, device and equipment based on tensor decomposition
CN113051404B (en) * 2021-01-08 2024-02-06 中国科学院自动化研究所 Knowledge reasoning method, device and equipment based on tensor decomposition
CN112734132A (en) * 2021-01-22 2021-04-30 珠海格力电器股份有限公司 Equipment recommendation method and device, electronic equipment and storage medium
CN113239198A (en) * 2021-05-17 2021-08-10 中南大学 Subway passenger flow prediction method and device and computer storage medium
CN113239198B (en) * 2021-05-17 2023-10-31 中南大学 Subway passenger flow prediction method and device and computer storage medium
CN113726545A (en) * 2021-06-23 2021-11-30 清华大学 Network traffic generation method and device for generating countermeasure network based on knowledge enhancement
CN113254674B (en) * 2021-07-12 2021-11-30 深圳市永达电子信息股份有限公司 Network security equipment knowledge inference method, device, system and storage medium
CN113595994A (en) * 2021-07-12 2021-11-02 深信服科技股份有限公司 Abnormal mail detection method and device, electronic equipment and storage medium
CN113254674A (en) * 2021-07-12 2021-08-13 深圳市永达电子信息股份有限公司 Network security equipment knowledge inference method, device, system and storage medium
CN113408663A (en) * 2021-07-20 2021-09-17 中国科学院地理科学与资源研究所 Fusion model construction method, fusion model using device and electronic equipment
CN113849659A (en) * 2021-08-18 2021-12-28 国网天津市电力公司 Construction method of audit system time sequence knowledge graph
CN113610183A (en) * 2021-08-19 2021-11-05 哈尔滨理工大学 Increment learning method based on triple diversity example set and gradient regularization, computer and storage medium
CN113610183B (en) * 2021-08-19 2022-06-03 哈尔滨理工大学 Increment learning method based on triple diversity example set and gradient regularization
CN114330820A (en) * 2021-11-19 2022-04-12 北京明略软件系统有限公司 Patient disease prognosis prediction method, system, storage medium and electronic device
CN114281940A (en) * 2021-12-07 2022-04-05 江苏联著实业股份有限公司 Computer cognition method and system based on semantic engineering and case learning
CN114281940B (en) * 2021-12-07 2023-04-18 江苏联著实业股份有限公司 Computer cognition method and system based on semantic engineering and case learning
CN115964504B (en) * 2021-12-28 2023-06-30 北方工业大学 Food safety risk prediction method and system
CN115964504A (en) * 2021-12-28 2023-04-14 北方工业大学 Food safety risk prediction method and system
CN115766258A (en) * 2022-11-23 2023-03-07 西安电子科技大学 Multi-stage attack trend prediction method and device based on causal graph and storage medium
CN115766258B (en) * 2022-11-23 2024-02-09 西安电子科技大学 Multi-stage attack trend prediction method, equipment and storage medium based on causal relationship graph

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Heilongjiang Province (No. 838, Shikun Road)

Applicant after: Antan Technology Group Co.,Ltd.

Address before: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)

Applicant before: Harbin Antian Science and Technology Group Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20201110