Temporal Multi-Query Subgraph Matching in Cybersecurity

Abstract

Regarding attack scenarios as query graphs and conducting subgraph matching on the data system is an important approach to identify and detect cyber threats. However, existing subgraph matching methods are not suitable for detecting time-evolving attacks since they either focus on single-query graphs or ignore the temporal constraints between multiple queries. In this paper, we model the time-evolving attack detection as a novel temporal multi-query subgraph matching problem and propose an efficient algorithm to address this problem. We first give a compact representation of the temporal query graph by merging all queries into one. Based on the temporal query graph, we propose a concise auxiliary data structure to maintain partial solutions. In addition, we employ a query matching tree to generate an efficient matching order and enumerate matchings based on the order. Extensive experiments over real-world datasets confirm the effectiveness and efficiency of our approach.

1. Introduction

Cyber security is one of the most significant technical challenges in current times. Detecting cyber attacks and preventing the spread of threat is a high priority for commercial companies and government agencies around the world. In a study titled “Data Breach Investigations Report”, US communications company Verizon analyzed 100,000 security incidents from the past decade and concluded that 90% of the incidents fell into ten attack patterns [1]. A number of these attacks can be described as subgraph patterns. This motivates us to model cyber attack detection as a subgraph matching problem.

Recently, some graph-matching-based cyber attack detection methods have been proposed [2,3,4,5,6,7]. These studies extract attack behavior patterns from Cyber Threat Intelligence (shorted as CTI) reports and conduct graph pattern matching to hunt suspicious threats. However, all of these methods only focus on the detection of single static attack patterns and ignore the time-evolving characteristic of attacks, which is very critical for attack detection. With the fast development of cyber attack technologies, in some attack scenarios, attackers choose to change attack patterns over time in order to evade detection. For example, Figure 1 shows an attack scenario where attack patterns change over time. In this case, attack behavior cannot be regarded as a single query graph but a series of query graphs with specified temporal constraints. Such a time-evolving cyber attack detection variant task can be modeled as a temporal multi-query subgraph matching (shorted as TMQSM) problem.

An intuitive idea to handle TMQSM is to separately search for matchings of each query pattern using existing methods and then check whether the matching result satisfies the specified temporal constraints. However, this method faces obvious drawbacks. First, it is costly to search for matchings of each query separately as it is NP-hard to conduct subgraph isomorphism. Moreover, a lot of candidate matchings cannot satisfy the specified temporal constraints, so searching for these false candidates and checking temporal constraints on these false candidate matchings waste both time and memory. Therefore, a novel and efficient subgraph matching method is critical and in demand.

In this paper, we propose a novel and efficient temporal multi-query subgraph matching approach. First, as stated above, it is not sensible to search for matchings of each query separately. Thus, we want to search for all matchings of multiple queries simultaneously. We introduce a compact representation of multiple queries. We merge all query graphs into a single graph and record temporal constraints on the edges. The merged graph is regarded as a new query graph for subsequent subgraph matching. Then, we design a novel index structure called a temporal candidate graph (shorted as TCG) to store the candidate results for enumerating matchings. In general, TCG is a directed temporal graph where vertices are the same as the data graph and a directed edge $u\to v$ indicates v appearing in at least one partial match of u. If two vertices u and v coexist in a match of a query graph, there must be a bidirectional edge between u and v (i.e., $u\leftrightarrow v$). In addition, each bidirectional edge is associated with a time set that denotes the timestamps of the edge existing and satisfying specified temporal constraints. This can be used as an efficient pruning rule for subsequent enumerating process. In addition, we develop an efficient subgraph matching enumerating algorithm based on the TCG. We first generate an effective matching order by constructing a query matching tree. Then, we enumerate all matchings by expanding partial matchings following the matching order.

In summary, the major contributions include the following: (1) We propose a novel temporal multi-query subgraph matching problem by considering the temporal constraints between multiple queries. (2) We design an efficient index structure TCG to maintain candidate results and support subsequent enumeration processes. (3) We build a query matching tree to generate an efficient matching order, which helps to efficiently enumerate subgraph matchings. (4) We conducted comprehensive experiments to evaluate our techniques.

2. Preliminaries

In this section, we define the problem and review related work.

2.1. Problem Definition

In this paper, we focus on undirected and vertex-labeled graphs. Our techniques can be easily extended to edge-labeled and directed graphs. Let $𝒢=(𝒱,\mathcal{E},𝓛)$ be a temporal graph with $|𝒱|$ vertices and $\left|\mathcal{E}\right|$ temporal edges, and $𝓛:𝒱\to \mathrm{\Sigma }$ is a function that assigns a label to each vertex, where $\mathrm{\Sigma }$ is a set of labels. Each temporal edge $e\in \mathcal{E}$ is a triplet $(u,v,t)$, where u and v are vertices in $𝒱$, and t is the timestamp. We use $t(u,v)$ to represent the existence of the timestamps of $(u,v)$. Let $N\left(u\right)=\{v\in V|(u,v)\in \mathcal{E}\}$ be the set of neighbor vertices of u, and $d\left(u\right)=\left|N\right(u\left)\right|$ be the degree of u. A graph ${𝒢}_S=({𝒱}_S,{\mathcal{E}}_S,{𝓛}_S)$ is a temporal subgraph of $𝒢$ if ${𝒱}_S\subseteq 𝒱,{\mathcal{E}}_S\in \mathcal{E}$, and ${𝓛}_S=𝓛$. A temporal graph $𝒢$ can be extracted into a series of snapshots $𝒢=$$\{G_1,G_2\dots G_{|𝒯|}\}$, where $𝒯=\left\{t\right|(u,v,t)\in \mathcal{E}\}$ is the set of timestamps. Figure 2a,b show a temporal graph and its snapshots within the time span $[1,6]$.

Definition 1

(Subgraph isomorphism). Given a query graph $q=(V_q,E_q,L_q)$ and a data graph $g=(V_g,E_g,L_g)$, q is subgraph isomorphic to g if and only if there exists an injective mapping $M:V_q\to V_g$, such that (1) $\forall u\in V_q,L_q\left(u\right)=L_g\left(M\left(u\right)\right)$, and (2) $\forall (u,v)\in E_q,(M\left(u\right),M\left(v\right))\in E_g$.

We call the subgraph induced by M a matching of q in g.

There is only one query graph in the traditional subgraph matching problem. In this paper, we consider multiple queries with the temporal constraints between queries. Let $\mathcal{Q}=\{Q_1,\dots ,Q_n\}(n\ge 2)$ be a set of query graphs. And $F:\mathcal{Q}\to \mathbb{N}$ is a function defined to specify the temporal constraints of queries. Note that F defines orders and time intervals between queries. We call $(\mathcal{Q}=\{Q_1,\dots ,Q_n\},F)$ a temporal query set. Figure 3 shows a temporal query set containing three query graphs. The function F defines the temporal order and time intervals between queries. That is, query $Q_1$ appears before $Q_2$ with time interval $F\left(Q_2\right)-F\left(Q_1\right)=3-1=2$, and $Q_2$ appears before $Q_3$ with time interval $F\left(Q_3\right)-F\left(Q_2\right)=4-3=1$.

Definition 2

(Temporal multi-query subgraph isomorphism). Given a temporal query set $(\mathcal{Q}=\{Q_1,\dots ,Q_n\},F)$ and a temporal graph $𝒢=\{G_1,G_2\dots G_{|𝒯|}\}$, we check whether a graph set $\mathcal{M}=\{M_{i_1},M_{i_2}\dots M_{i_n}\}$ satisfies the following: (1) $\forall j\in \{1,\dots ,n\}$, $M_{i_j}$ is a subgraph of $G_{i_j}$ and $M_{i_j}$ is subgraph isomorphic to $Q_j$; (2) $\forall j\in \{2,\dots ,n\}$, $i_j-i_{j-1}=F\left(Q_j\right)-F\left(Q_{j-1}\right)$; and (3) $\forall j,k\in \{1,\dots ,n\},v_j\in V_{Q_j},v_k\in V_{Q_k}$, and if $v_j=v_k$, then $v_j^{\prime }=v_k^{\prime }$, where $v_j^{\prime }\in V_{M_{i_j}}$ and $v_k^{\prime }\in V_{M_{i_k}}$ are matchings of $v_j$ and $v_k$. If so, we call $\mathcal{M}$ a temporal multi-query matching of $(\mathcal{Q}=\{Q_1,\dots ,Q_n\},F)$.

Problem Statement. 

Given a temporal query set $(\mathcal{Q}=\{Q_1,\dots ,Q_n\},F)$ and a data graph $𝒢$, the problem of temporal multi-query subgraph matching is to find all temporal multi-query matchings of $(\mathcal{Q}=\{Q_1,\dots ,Q_n\},F)$ in $𝒢$.

Example 1.

Consider the temporal query set in Figure 3 and temporal graph snapshots in Figure 2b. The subgraphs marked in red and the subgraphs marked in blue are two temporal multi-query matchings that not only match the query graphs in the temporal query set but also satisfy the temporal constraints. Thus, we obtain two matching results, i.e., $\{<u_1,v_1>,<u_2,v_2>,<u_3,v_3>,<u_4,v_4>,<u_5,v_{10}>\}$ and $\{<u_1,v_5>,<u_2,v_7>,<u_3,v_9>,<u_4,v_8>,<u_5,v_{12}>\}$.

2.2. Related Work

We summarize the related work as follows.

Graph-Matching-based Attack Detection. Prior works have implemented graph matching methods to detect cyber attacks. ThreatRaptor [8] extracts threat behaviors from open source Cyber Threat Intelligence as the query graph and conducts exact query matching to hunt threats. POIROT [5] formulates threat hunting as a graph pattern matching problem and conducts approximation matching. DeepHunter [7] detects APTs using graph similarity matching between extracted subgraphs and attack query graphs. MEGR-APT [2] discovers APTs by conducting subgraph matching between a provenance graph and query graph. ACMA [4] applies subgraph matching techniques to detect cyber attacks in smart cities. However, those systems only focus on a single-attack query scenario, which cannot meet the needs of complex time-evolving attack detection.

Subgraph Matching on Static Graph. A lot of subgraph matching algorithms have been proposed on static graphs in recent decades. Ullmann [9] first proposed a backtracking algorithm to solve this problem in 1976, which iteratively maps the vertices from a query graph to a data graph by following the given order of query vertices. The VF2 algorithm [10] generates the matching order by selecting a vertex connected to an already matched one, which can prune many false-positive candidates early. QuickSI [11] determines the matching order using the infrequency information of vertices and edges to filter invalid candidates efficiently. GraphQL [12] and SPath [13] exploit a neighborhood-based filtering strategy to prune infeasible candidates of query vertices. TurboISO [14] defines the concept of neighborhood equivalence class and merges similar vertices to avoid useless computations. BoostIso [15] further improves the performance of TurboISO by compressing the data graph. CFL-Match [16] converts the query graph into a spanning tree to find candidates for query vertices and applies path-ordering techniques to postpone Cartesian products. DAF [17] uses a directed acyclic graph instead of a spanning tree to obtain candidates and utilizes the knowledge gained from past computations to prune redundant computations. VEQ [18,19] leverages vertex equivalence to reduce the candidate matching space. RI+ [20] improves the matching time using candidate region-based decomposition and ordering techniques. SUFF [21] generates a structure filtering framework to prune the search space using historical matching results. However, the algorithms mentioned above were adapted to static graphs and cannot be directly used to solve the subgraph matching problem on temporal graphs.

Multi-query Subgraph Matching. Recently, some solutions have been proposed to process multiple queries. GraphflowDB [22] calculates subgraph matching for multiple query graphs using a worst-case optimal join algorithm. The performance heavily relies on the decomposition of the multi-query graph and join order. TRIC+ [23] decomposes queries into a series of minimum covering paths and tries to index the common parts of those paths. It maintains materialized views to store intermediate matching results and conducts join operations to obtain matching results. However, this method is limited by the expensive join cost and maintenance cost of materialized views. IncMQO [24] merges all queries into a large query graph and uses a tree index to store intermediate results. But it still enumerates each query graph separately to obtain matching results. MQ-Match [25] proposes a data-centric index structure to store partial results and uses the computation-sharing method to calculate matchings. However, none of the above methods take temporal constraints between multiple queries into consideration, and the definition of our problem is different from those of the above problems, so none of these existing methods can be applied to solve our problem.

3. Overview of Our Algorithm

To solve TMQSM, we first give a compact representation of the temporal query set and then give an overview of our algorithm for finding matchings.

As stated in Section 1, it is not advisable to search for matchings of each query separately. Therefore, we want to compute matchings of all queries simultaneously using a compact representation of a temporal query set. Inspired by [26], we merge all queries in the temporal query set into a single graph and record the temporal constraints on the edges. We call the merged graph the temporal query pattern, and regard the temporal query pattern as a new query q. Specifically, $(\mathcal{Q}=\{Q_1,\dots ,Q_n\},F)$ can be represented as a graph $q=(V_q,E_q,L_q)$, where $V_q=V_{\mathcal{Q}},E_q={\bigcup }_{i=1,\dots ,n}{E}_{Q_i}$. Each edge $e\in E_q$ is associated with a time set $T_e$. $T_e$ is obtained as follows. Initially, $T_e$ is empty. Next, for each $Q_i\in \mathcal{Q}$, $T_e\leftarrow T_e+F\left(Q_i\right)$ if $e\in E_{Q_i}$. Figure 4 shows the representation of the temporal query pattern generated by the temporal query set in Figure 3. Note that the time set on the edges of the temporal query pattern only represents the temporal constraints and does not specify the concrete time instances. For example, the set $[1,3,4]$ on edge $(u_1,u_2)$ indicates that the edge $(u_1,u_2)$ exists in three queries where the time intervals between these queries is 2 and 1, respectively. In the rest of this paper, we use q to represent the temporal query pattern.

Example 2.

Reconsider the temporal graph in Figure 2a and temporal query pattern in Figure 4, where the temporal multi-query matchings are marked in red and blue. And the corresponding timestamps on the data edges that satisfy the temporal constraints defined on the query edges are also colored red and blue.

Given query q and data graph $𝒢$, Algorithm 1 summarizes our $\mathsf{TMQ}$ algorithm for finding matchings, which consists of two phases:

• Phase 1 (Construction of index structure). In this phase, we build a novel index structure called the temporal candidate graph based on the query graph and data graph. The TCG stores all necessary information required for enumerating matchings. The details about Phase 1 will be presented in Section 4.
• Phase 2 (Enumeration of matchings). In this phase, we first construct a query matching tree for generating a matching order. Then, we enumerate all matchings on the TCG by following the matching order. Details about Phase 2 will be presented in Section 5.

Algorithm 1: TMQ($(\mathcal{Q}=\{Q_1,\dots ,Q_n\},F)$, $𝒢$)

Input : A temporal query set $(\mathcal{Q}=\{Q_1,\dots ,Q_n\},F)$ and a data graph $𝒢$.

Output : All matchings of $(\mathcal{Q}=\{Q_1,\dots ,Q_n\},F)$ in $𝒢$.

1  $q\leftarrow$ the new query graph merged by $(\mathcal{Q}=\{Q_1,\dots ,Q_n\},F)$; 2  $TCG\leftarrow$BuildTCG(q, $𝒢$); 3  $QT\leftarrow$BuildQueryMatchingTree(q, $TCG$); 4  SearchMatch($QT$, $TCG$);

4. Construction of Index Structure

Previous studies [11,12,14,15,16] have proved that index structure is crucial to improve the performance of searching for candidates. A good index structure should be (1) compact and memory-friendly, (2) powerful in filtering unpromising candidates, and (3) complete enough to support matching enumeration. In this section, we propose the temporal candidate graph, a concise and efficient index structure with which to maintain valid candidates for enumeration.

In general, TCG is a directed temporal graph where vertices are the same as in the data graph and a directed edge $u\to v$ indicates v appearing in at least one partial match of u. If two vertices u and v coexist in a match of the query graph, there must be a bidirectional edge between u and v. In addition, each bidirectional edge is associated with a time set, which denotes the existing timestamps of an edge and satisfies specified temporal constraints. Thus, a data vertex is a valid candidate if it has at least one bidirectional edge in the TCG. In this section, we first determine the state of candidate vertices and then construct the TCG.

4.1. Vertex State Determination

We designed a novel auxiliary data structure, called the temporal neighborhood matching graph (TNMG), to determine the state of vertices in the data graph.

Definition 3

(Temporal Neighborhood Matching Graph (shorted as TNMG)). Given a query q and a data graph $𝒢$, for a vertex $v\in 𝒢$, the TNMG of v, denoted as $TNM\left(v\right)=({\mathbb{V}}_1,\mathbb{L},{\mathbb{V}}_2,\mathbb{T},\mathbb{E})$, is constructed as follows:

1. 

${\mathbb{V}}_1$: A set of query vertices with the same label as v, i.e., ${\mathbb{V}}_1=\left\{u\right|u\in V_q\wedge L\left(u\right)=L\left(v\right)\}$.

2. 

$\mathbb{L}$: A label set of neighbors of vertices in ${\mathbb{V}}_1$, i.e., $\mathbb{L}=\left\{L\left(w\right)\right|w\in N\left(u\right)\wedge u\in {\mathbb{V}}_1\}$.

3. 

${\mathbb{V}}_2$: A set of neighbors of v in $𝒢$ that have a label in $\mathbb{L}$, i.e., ${\mathbb{V}}_2=\left\{w\right|w\in N\left(v\right)\wedge L\left(w\right)\in \mathbb{L}\}$.

4. 

$\mathbb{T}$: A time set recording the timestamps of the edge connecting v and each vertex in ${\mathbb{V}}_2$, i.e., $\mathbb{T}=\left\{t(w,v)\right|w\in {\mathbb{V}}_2\}$.

5. 

$\mathbb{E}$: First, for each vertex $w\in {\mathbb{V}}_2$, add an edge $(w,t(w,v\left)\right)$ between w and its time set in $\mathbb{T}$ if $t(w,v)$ passes through the  $\mathsf{TE}-\mathsf{Filter}$  check; then, add an edge $(L,w)$ between w and its label $L\in \mathbb{L}$ if w is connected with a time set; then, for each vertex $u\in {\mathbb{V}}_1$ and its neighbors’ label $L\in \mathbb{L}$, add an edge $(u,L)$ if L has at least τ neighbors in ${\mathbb{V}}_2$, where τ is the number of neighbors of u with label L in the query graph.

Here, $\mathsf{TE}-\mathsf{Filter}$ is a pruning technology used to check the temporal constraints on an edge, which is defined as follows.

Definition 4

(Temporal Edge Filter (TE-Filter)). Given an edge $(u_1,u_2)$ in the query q, let $\{t_1^q,\dots ,t_k^q\}$ be the time set on the edge. Let $\{t_1,\dots ,t_m\}$ be the time set on the data edge $(v_1,v_2)$. We have $L\left(v_1\right)=L\left(u_1\right)$ and $L\left(u_2\right)=L\left(v_2\right)$. We say $(v_1,v_2)$ passes through the $\mathsf{TE}-\mathsf{Filter}$ when $\{t_1,\dots ,t_m\}$ satisfies the following conditions: 1) $k\le m$ and 2) there exists at least one subset $\{t_{i_1},\dots ,t_{i_k}\}\subseteq \{t_1,\dots ,t_m\}$ such that $t_{i_j}-t_{i_{j-1}}=t_j^q-t_{j-1}^q$ for any $j\in \{2,\dots ,k\}$.

Note that, it is not clear that a data edge $(v_1,v_2)$ will be matched to a query edge when searching for candidates. So, we use a relaxed $\mathsf{TE}-\mathsf{Filter}$ to check temporal constraints when constructing the TNMG. Specifically, given an edge $(u_1,u_2)$ in query q, $(L\left(u_1\right),L\left(u_2\right))$ is the label edge of $(u_1,u_2)$. Let $\{t_1^q,\dots ,t_k^q\}$ be the time set on the label edge $(L\left(u_1\right),L\left(u_2\right))$. A label edge might correspond to multiple query edges. Thus, there will be multiple time sets on a label edge. In this case, we say a data edge passes through the $\mathsf{TE}-\mathsf{Filter}$ if it satisfies the above conditions with at least one time set on the label edge.

Example 3.

Consider the temporal data graph in Figure 2a and query graph in Figure 4, where the temporal neighborhood matching graphs of vertices $v_4$ and $v_6$ are constructed as in Figure 5. For $v_4$, ${\mathbb{V}}_1=\{u_2,u_4\}$ because $u_2$ and $u_4$ have the same label B with $v_4$. Then, because the neighbors of $u_2$ and $u_4$ are $\{u_1,u_3,u_4\}$ and $\{u_2,u_3\}$, we have $\mathbb{L}=\{A,B,C\}$ by collecting the labels of these neighbors. Next, we obtain the neighbors of $v_4$ with label A, B, or C; thus ${\mathbb{V}}_2=\{v_2,v_3,v_6\}$. Then, we record the timestamps of $(v_2,v_4)$, $(v_3,v_4)$, and $(v_4,v_6)$ in $\mathbb{T}$, respectively. Lastly, we add edges into $TNM\left(v_4\right)$. For $(v_2,v_4)$, the label edge of $(v_2,v_4)$ is $(B,B)$. For the query graph in Figure 4, the time set on the label edge $(B,B)$ is $[1,3]$. Because the timestamps of edge $(v_2,v_4)$ is $[1,2,3]$, which successfully passes through $\mathsf{TE}-\mathsf{Filter}$, an edge between $v_2$ and $[1,2,3]$ is added. For edge $(v_3,v_4)$ with label edge $(B,C)$, there exist two time sets $[1,3,4]$ and $[1,4]$ on the query label edge $(B,C)$. The timestamp of $(v_3,v_4)$ is $[1,4]$, which can pass through $\mathsf{TE}-\mathsf{Filter}$  with one time set, so we also add an edge between $v_3$ and $[1,4]$. Then, we add edges between $\mathbb{L}$ and ${\mathbb{V}}_2$, that is, $\{(v_2,B),(v_3,C)\}$, and add edges between ${\mathbb{V}}_1$ and $\mathbb{L}$, including $\{(u_2,B),(u_2,C),(u_4,B),(u_4,C)\}$. The temporal neighborhood matching graphs of $v_6$ and other vertices are constructed in the same manner.

Then, we determine the vertex state based on the TNMG.

Definition 5

(Vertex state). For a vertex v in $𝒢$, the state of v, denoted as $s\left(v\right)$, is a binary value represented by “True” or “False”.

Let $TNM\left(v\right)$ be v’s temporal neighborhood matching graph. For a vertex $u\in {\mathbb{V}}_1\left(TNM\left(v\right)\right)$, we say u is completely matched if, for each of its neighbors w in the query graph, there is an edge $(u,L(w\left)\right)$ in $TNM\left(v\right)$. We set $s\left(v\right)$ to “True” if there exists at least one completely matched vertex in ${\mathbb{V}}_1\left(TNM\left(v\right)\right)$, and “False” otherwise. For a vertex v, the “True” state indicates that there exists at least one query vertex u that can be matched to v, and all neighbors of u in the query graph are completely matched by the neighbors of v in the data graph. For example, $u_4$ is completely matched in Figure 5a, so the state of $v_4$, $s\left(v_4\right)$, is “True”. Both $u_2$ and $u_4$ are not completely matched in Figure 5b, so the state of $v_6$, $s\left(v_6\right)$, is “False”.

4.2. Index Construction

After setting the state of vertices in $𝒢$, we construct the index structure TCG.

Definition 6

(Temporal Candidate Graph (TCG)). Given a query q and a data graph $𝒢$, the temporal candidate graph $TCG=(V_{TCG},E_{TCG},T_{TCG})$ is constructed as follows:

1. 

$V_{TCG}=\left\{v\right|v\in V_{𝒢}\wedge L\left(v\right)\in L_q\}$;

2. 

For each $v\in V_{TCG}$, if $s\left(v\right)=$ "True", then add a directed edge $v\to w$ into $E_{TCG}$ for each vertex $w\in {\mathbb{V}}_2\left(TNM\left(v\right)\right)$ if w has at least one edge in $TNM\left(v\right)$, where $TNM\left(v\right)$ is the temporal neighborhood matching graph of v;

3. 

For $v,w\in V_{TCG}$, if there exists a bidirectional edge between v and w, then add $T_e(v,w)$ into $T_{TCG}$, where $T_e(v,w)$ is a set of time subsets of $t(v,w)$ that satisfy the temporal constraints.

For a vertex v in the TCG, we say it is a valid candidate if it has at least one bidirectional edge.

Example 4.

Figure 6 shows the TCG of the data graph in Figure 2a and query graph in Figure 4. Excluding $v_6$ and $v_{11}$, the state of the other vertices are “True”. Taking $v_4$ as an example, the state of $v_4$ is “True”, and ${\mathbb{V}}_2\left(TNM\left(v_4\right)\right)=\{v_2,v_3,v_6\}$. Because $v_2$ and $v_3$ have connecting edges in $TNM\left(v_4\right)$, we add an outgoing edge from $v_4$ to $v_2$ and $v_3$, respectively. In addition, for each bidirectional edge in the TCG, we add a set to record the time subsets that satisfy the temporal constraints.

Algorithm 2 summarizes the details of constructing the index structure TCG. We first initialize $V_{TCG}$, $E_{TCG}$, and $T_{TCG}$ (Line 1). For each vertex v with a label in the query graphs, we first construct its TNMG and set its state (Lines 2–4). If the state is “True”, we add an outgoing edge from v to each vertex in ${\mathbb{V}}_2\left(TNM\left(v\right)\right)$, which is connected with at least one edge (Lines 5–7). If there exists a bidirectional edge between vertex v and w, we add a time set to $T_{TCG}$ (Lines 8–9). The details for TNMG construction and vertex state determination are illustrated in Lines 11–28 and Lines 29–32, respectively.    

Algorithm 2: BuildTCG(q, $𝒢$)

4.3. Algorithm Analysis

Next, we analyze the time complexity and space complexity of our proposed algorithms.

Proposition 1.

The time complexity of constructing the TNMG for all vertices is $O\left(\right|{\mathcal{E}}_{𝒢}|\ast |T\left|log\right|T|+|E_q|\ast |{𝒱}_{𝒢}\left|\right)$, where $\left|T\right|$ is the number of snapshots in data graph $𝒢$.

Proof. 

For each vertex v, the time to compute vertices in ${\mathbb{V}}_1$, $\mathbb{L}$, ${\mathbb{V}}_2$, and $\mathbb{T}$ is $|V_q|$, ${\displaystyle \frac{|V_q|}{|L_q|}}\ast d_q$, $d\left(v\right)$, and $d\left(v\right)$, where $d_q$ is the average degree of vertices in q. So, the time complexity of computing vertices is $O\left(\right|V_q|+{\displaystyle \frac{|V_q|}{|L_q|}}\ast d_q+d\left(v\right)+d\left(v\right))=O(|V_q|+{\displaystyle \frac{|V_q|}{|L_q|}}\ast d_q+d\left(v\right))$. Meanwhile, the time to check $\mathsf{TE}-\mathsf{Filter}$ for each time set in $\mathbb{T}$ is $\left|T\right|log\left|T\right|$, where $\left|T\right|$ is the number of snapshots in data graph $𝒢$. So the time complexity of adding edges is $O(d\left(v\right)\ast |T\left|log\right|T|+d\left(v\right)+{\displaystyle \frac{|V_q|}{|L_q|}}\ast |L_q|\ast d_q)=O(d\left(v\right)\ast \left|T\right|log\left|T\right|+|E_q\left|\right)$. Thus, the time complexity of constructing TNMG for v is $O\left(\right|V_q|+{\displaystyle \frac{|V_q|}{|L_q|}}\ast d_q+d\left(v\right)+d\left(v\right)\ast \left|T\right|log\left|T\right|+|E_q\left|\right)=O\left(\right|V_q|+{\displaystyle \frac{|V_q|}{|L_q|}}\ast d_q+d\left(v\right)\ast \left|T\right|log\left|T\right|+|E_q\left|\right)$, which is bounded by $O(d\left(v\right)\ast |T\left|log\right|T|+|E_q\left|\right)$. Therefore, the overall time complexity of constructing TNMG for all vertices is $O({\sum }_{v\in {𝒱}_{𝒢}}(d\left(v\right)\ast |T\left|log\right|T|+|E_q\left|\right))=O\left(\right|{\mathcal{E}}_{𝒢}|\ast |T\left|log\right|T|+|E_q|\ast |{𝒱}_{𝒢}\left|\right)$.    □

Proposition 2.

The space complexity of TNMG for all vertices is $O\left(\right|V_q|\ast |{𝒱}_{𝒢}|+|{\mathcal{E}}_{𝒢}\left|\right)$.

Proof. 

For each v, the space cost to store vertices in ${\mathbb{V}}_1$, $\mathbb{L}$, ${\mathbb{V}}_2$, and $\mathbb{T}$ is ${\displaystyle \frac{|V_q|}{|L_q|}}$, $|L_q|$, $d\left(v\right)$, and $d\left(v\right)$, respectively. So the space complexity of storing vertices is $O({\displaystyle \frac{|V_q|}{|L_q|}}+|L_q|+d\left(v\right)+d\left(v\right))=O({\displaystyle \frac{|V_q|}{|L_q|}}+|L_q|+d\left(v\right))$. Then, we need to store edges in TNMG. The number of edges between ${\mathbb{V}}_2$ and $\mathbb{T}$ and the number of edges between $\mathbb{L}$ and ${\mathbb{V}}_2$ are both bounded by $d\left(v\right)$. And the number of edges between ${\mathbb{V}}_1$ and $\mathbb{L}$ is bounded by ${\displaystyle \frac{|V_q|}{|L_q|}}\ast |L_q|=|V_q|$. So, the space complexity of storing edges is $O(d\left(v\right)+d\left(v\right)+|V_q\left|\right)=O(d\left(v\right)+|V_q\left|\right)$. Thus, the space cost of constructing TNMG for v is $O({\displaystyle \frac{|V_q|}{|L_q|}}+|L_q|+d\left(v\right)+|V_q|)$, which is bounded by $O(d\left(v\right)+|V_q\left|\right)$. Therefore, the overall space cost for all vertices is $O({\sum }_{v\in {𝒱}_{𝒢}}(d\left(v\right)+|V_q\left|\right)=O\left(\right|{\mathcal{E}}_{𝒢}|+|V_q|\ast |{𝒱}_{𝒢}\left|\right)$.    □

Proposition 3.

The time complexity of constructing TCG is $O\left(\right|{\mathcal{E}}_{𝒢}|\ast |T\left|log\right|T|+|E_q|\ast |{𝒱}_{𝒢}\left|\right)$, where $\left|T\right|$ is the number of snapshots in data graph $𝒢$.

Proof. 

For each $v\in V_{TCG}$, the time complexity of constructing TNMG is $O(d\left(v\right)\ast |T\left|log\right|T|+|E_q\left|\right)$ according to Proposition 1. The time complexity to set vertex state is $O({\displaystyle \frac{|V_q|}{|L_q|}}\ast d_q)=O({\displaystyle \frac{|E_q|}{|L_q|}})$. If $s\left(v\right)=$ “True”, the time complexity of adding edges is bounded by $O\left(d\right(v\left)\right)$. For all vertices, the time complexity is $O({\sum }_{v\in {𝒱}_{𝒢}}(d\left(v\right)\ast |T\left|log\right|T|+|E_q|+{\displaystyle \frac{|E_q|}{|L_q|}}+d\left(v\right)\left)\right)=O\left(\right|{\mathcal{E}}_{𝒢}|\ast |T\left|log\right|T|+|E_q|\ast |{𝒱}_{𝒢}\left|\right)$. For all bidirectional edges, the time complexity of adding time sets is bounded by $O\left(\right|{\mathcal{E}}_{𝒢}\left|\right)$. Therefore, the overall time complexity of BuildTCG is $O\left(\right|{\mathcal{E}}_{𝒢}|\ast |T\left|log\right|T|+|E_q|\ast |{𝒱}_{𝒢}|+|{\mathcal{E}}_{𝒢}\left|\right)=O\left(\right|{\mathcal{E}}_{𝒢}| \ast |T\left|log\right|T|+|E_q|\ast |{𝒱}_{𝒢}\left|\right)$, which is dominated by that of constructing TNMG.    □

Proposition 4.

The space cost of TCG is $O\left(\right|V_q|\ast |{𝒱}_{𝒢}|+|{\mathcal{E}}_{𝒢}\left|\right)$.

Proof. 

During the process of BuildTCG, we need to store TCG and TNMG for all vertices. The total space cost of constructing TNMG is $O\left(\right|V_q|\ast |{𝒱}_{𝒢}|+|{\mathcal{E}}_{𝒢}\left|\right)$ according to Proposition 2. The space cost to store vertices in $V_{TCG}$ is bounded by $O\left(\right|{𝒱}_{𝒢}\left|\right)$. The TCG is induced from $𝒢$, so the space cost to store edges is $O\left(\right|{\mathcal{E}}_{𝒢}\left|\right)$. For the bidirectional edges, the space cost to store time set is bounded by $O\left(\right|{\mathcal{E}}_{𝒢}\left|\right)$. Therefore, the overall space complexity is $O\left(\right|V_q|\ast |{𝒱}_{𝒢}|+|{\mathcal{E}}_{𝒢}|+|{𝒱}_{𝒢}|+|{\mathcal{E}}_{𝒢}|+|{\mathcal{E}}_{𝒢}\left|\right)=O\left(\right|V_q|\ast |{𝒱}_{𝒢}|+|{\mathcal{E}}_{𝒢}\left|\right)$, which is also dominated by that of constructing TNMG.    □

5. Enumeration of Matchings

In this section, we present our algorithm to find all matchings of the query graph based on the TCG. We first construct a query matching tree for generating an efficient matching order and then compute all matchings following the matching order.

5.1. Matching Order Generation

Given a query graph, we can find matchings by performing a widely used depth-first search paradigm [27]. The search space is actually a depth-first search tree. Different matching orders can lead to a large search space and affect the performance of the algorithm. In order to save search space, we construct a query matching tree based on the query graph and TCG, which can be used to generate an efficient matching order.

The query matching tree is a DFS spanning tree $QT$ of the query graph. To generate $QT$, we need to select a root and then determine the DFS order. We define the $cost$ of a query vertex u as $cost\left(u\right)=\left|C\right(u\left)\right|/d\left(u\right)$, where $\left|C\right(u\left)\right|$ is the number of valid candidates with the same label as u in the TCG, and $d\left(u\right)$ is the degree of u in the query graph. Intuitively, a vertex with few candidates and a larger degree means it has a smaller search space and higher chance to prune unpromising partial results. So, we select the vertex with the least cost as the root of $QT$. Then, we determine the DFS order. Let u be the vertex currently being visited; if there exist unvisited neighbors of u, we select neighbor w with the least $cost$ as the next vertex to visit and designate u as the parent of w in the $QT$. Otherwise, we backtrack to the parent of u. In addition, for each node u in $QT$, we maintain a set of vertices in the ancestor nodes to record the non-tree edges in the query graph, which is denoted as $u.a$. After constructing the query matching tree, we generate the matching order by performing preorder traversal on $QT$.

Example 5.

For the query graph in Figure 4 and temporal candidate graph in Figure 6, the $cost$ of the vertices $u_1$, $u_2$, $u_3$, $u_4$, and $u_5$ is 2, 4/3, 2/3, 2, and 2, respectively. Thus, $u_3$ is selected as the root. Then, we construct the query matching tree $QT$ by performing DFS backtracking on the query. The $QT$ is shown in Figure 7. The matching order is determined by preorder traversal on $QT$, that is, $u_3$, $u_2$, $u_1$, $u_4$, and $u_5$.

5.2. Matching Enumeration

The TCG contains all necessary information to enumerate matchings; thus, we can directly find all matchings in the TCG by following the matching order.

Algorithm 3 illustrates the details of our matching approach. We first use a hashmap M and $MT$ to store the partial matchings and time instance sets (Line 1). Then, we generate a matching order (Line 2). The root r of $QT$ must be the first matched vertex in the order. Thus, for each valid candidate v with the same label as r in the TCG, we match v to r and call Procedure Expand to generate a matching (Lines 4–6).

Algorithm 3: SearchMatch($QT$, $TCG$)

During the Expand process, once the size of partial matchings equals the number of query vertices, we report M and $MT$ as a result (Line 7). Otherwise, we process the next query vertex n according to the matching order. We determine the matches of n according to the matched result of its parent $n_p$ (Lines 9–12). In this process, we use TE-Filter and NontreeCheck to check the temporal constraints and structure information separately (Lines 13–15). Note that, the TE-Filter only checks the temporal constraints on a single edge. We further use TG-Filter to check the temporal constraints between two edges (Lines 16–21). The temporal graph filter (TG-Filter) is designed as follows. Let $T^{\ast }(u_1,u_2)$ and $T^{\ast }(u_1^{\prime },u_2^{\prime })$ be the time sets on query edges $(u_1,u_2)$ and $(u_1^{\prime },u_2^{\prime })$. Suppose a data edge $(v_1,v_2)$ has been matched to $(u_1,u_2)$. Let $\{t_1,\dots ,t_k\}$ be the time subset on $(v_1,v_2)$ that passes through the TE-Filter, and $t^{\prime }(v_1^{\prime },v_2^{\prime })$ be the time subset on the data edge $(v_1^{\prime },v_2^{\prime })$ that passes through the TE-Filter. If $|T^{\ast }(u_1,u_2)\cap T^{\ast }(u_1^{\prime },u_2^{\prime })|>|\{t_1,\dots ,t_k\}\cap t^{\prime }(v_1^{\prime },v_2^{\prime })|$, then $(v_1^{\prime },v_2^{\prime })$ cannot be matched to $(u_1^{\prime },u_2^{\prime })$. If a candidate passes through all checkings, it is verified as a match of n. We then update the M and $MT$, and execute the next Expand process. The details about NontreeCheck are illustrated in Lines 26–30.

Example 6.

Figure 8 shows the search tree for the query graph in Figure 4 and TCG in Figure 6 according to the matching order $u_3\to u_2\to u_1\to u_4\to u_5$. During the searching process, we use TE-Filter and TG-Filter to prune invalid branches. Finally, we can obtain the matching results for query q, i.e., $\{<u_3,v_3>,<u_2,v_2>,<u_1,v_1>,<u_4,v_4>,<u_5,v_{10}>\}$ and $\{<u_3,v_9>,<u_2,v_7>,<u_1,v_5>,<u_4,v_8>,<u_5,v_{12}>\}$.

6. Experiments

In this section, we evaluate the performance of our proposed TMQ algorithm. All experiments were implemented in C++ and ran on a PC with an Intel(R) Core Ultra 7 1.4 GHz CPU and 16 GB of RAM.

6.1. Experimental Setup

Datasets. 

The experiments were carried out on five real-world temporal graphs: CollegeMsg, MathOverflow, SuperUser, WikiTalk, and StackOverflow (all datasets were obtained from https://snap.stanford.edu/data, accessed on 29 July 2025). Since these temporal graphs are unlabeled, we assigned five labels to the vertices at random. We partitioned the time span of a temporal graph into a series of consecutive non-overlapping time intervals of equal length and merged all edges that occur within a time interval into a snapshot. The edges within a snapshot share the same timestamp. In the experiments, we set the time interval of CollegeMsg as an hour ($60\times 60$ s) and the time interval of other datasets as a day ($24\times 60\times 60$ s). The detailed statistics of the datasets are shown in

Table 1. Statistics of datasets.

Dataset	Vertices	Temporal Edges	Static Edges	Time Span
CollegeMsg (college)	1899	59,835	20,296	193 days
MathOverflow (math)	21,688	107,581	90,489	2350 days
SuperUser (super)	194,085	1,443,339	924,886	2773 days
WikiTalk (wiki)	1,140,149	7,833,140	3,309,592	2320 days
StackOverflow (stack)	2,464,606	17,823,525	16,266,395	2774 days

.

Queries. 

In the experiments, given the desired number of edges $|E_q|$ in the temporal query pattern q and the desired number of queries n in temporal query set $\mathcal{Q}$, we generated the temporal query patterns as connected subgraphs of the data using random walks on the temporal graph. To generate different temporal query patterns, we varied the number of edges $|E_q|$ from five to eight with a default value of six and varied the number of queries n from two to four a with default value of three. For a data graph, we generated 50 temporal query patterns under each specific $|E_q|$ and n.

Comparative algorithm. 

In the experiments, we compared our $\mathsf{TMQ}$ algorithm with a baseline developed based on $\mathsf{VEQ}$ [19], a state-of-the-art subgraph matching algorithm for a single query on static graphs. Given a temporal graph $𝒢$ and a temporal query set $(𝒢=\{Q_1,\dots ,Q_n\},F)$, this algorithm first finds all matchings of each query in $\{Q_1,\dots ,Q_n\}$ on each snapshot of $𝒢$ using $\mathsf{VEQ}$. Then, for each matching result of $\{Q_1,\dots ,Q_n\}$, it checks whether the timestamp order satisfies the temporal constraint defined by function F. If the temporal order satisfies the constraint, the matching is output as a temporal multi-query subgraph matching of $(𝒢=\{Q_1,\dots ,Q_n\},F)$ in $𝒢$. This algorithm is called ${\mathsf{VEQ}}_{\mathsf{T}}$ in our experiments.

Metrics. 

We measured and evaluated (1) the average elapsed time to process a query by varying the number of query edges and the number of queries; (2) the average memory usage to process a query by varying the number of query edges and the number of queries; and (3) the scalability of algorithm. In every experiment, we set the time limit to process a query to 1 h (i.e., $3.6\times {10}^6$ ms). If an algorithm could not finish within the time limit, then we plottef the elapsed time as $\mathsf{INF}$. Each experimental test was repeated five times, and the average metric is reported.

6.2. Processing Time

In this part, we compare our method $\mathsf{TMQ}$ with ${\mathsf{VEQ}}_{\mathsf{T}}$ in terms of the average running time to process a query on five real-world datasets.

Figure 9 shows the experimental results under the default parameter settings over different datasets. We can see that ${\mathsf{VEQ}}_{\mathsf{T}}$ cannot finish within the time limit on the wiki and stack datasets, while our $\mathsf{TMQ}$ can return results within 100 s on all datasets. $\mathsf{TMQ}$ significantly outperforms the competitor on all datasets under the default settings. The processing time of $\mathsf{TMQ}$ is up to three orders of magnitude faster than that of ${\mathsf{VEQ}}_{\mathsf{T}}$, even excluding the cases when ${\mathsf{VEQ}}_{\mathsf{T}}$ cannot finish within the time limit. The reason for this is that ${\mathsf{VEQ}}_{\mathsf{T}}$ needs to process the multiple queries sequentially and check the temporal constraints between queries one by one, which costs a lot of time overhead. $\mathsf{TMQ}$ utilizes an efficient index structure TCG to maintain the partial matchings and uses an effective matching order to enumerate matchings, both of which can efficiently prune a lot of unpromising intermediate results and significantly speed up the querying process.

Figure 10 shows the average processing time of $\mathsf{TMQ}$ and ${\mathsf{VEQ}}_{\mathsf{T}}$ on the college dataset when varying the number of edges $|E_q|$ in the temporal query pattern from five to eight and the number of queries n in the temporal query set from two to four. From Figure 10a, we can see that $\mathsf{TMQ}$ significantly outperforms ${\mathsf{VEQ}}_{\mathsf{T}}$ under all parameter settings and it can improve the processing time by one to three orders of magnitude on the college dataset. The reason is illustrated above. When setting the number of queries n as a default value and varying the number of edges $|E_q|$, the average processing time of $\mathsf{TMQ}$ and ${\mathsf{VEQ}}_{\mathsf{T}}$ is plotted in Figure 10b. When n is fixed, the average execution time of $\mathsf{TMQ}$ to process a query increases as the number of edges $|E_q|$ in a temporal query pattern increases, while the average processing time of ${\mathsf{VEQ}}_{\mathsf{T}}$ changes very smoothly with increasing $|E_q|$. This is because, when $|E_q|$ becomes larger, $\mathsf{TMQ}$ requires more time to construct the index structure and enumerate matchings for more edges. For ${\mathsf{VEQ}}_{\mathsf{T}}$, the process of matching result verification takes up the majority of the execution time; thus the subtle change in edges in a single query will not obviously affect the overall time. For fixed $|E_q|$, the average processing time of $\mathsf{TMQ}$ and ${\mathsf{VEQ}}_{\mathsf{T}}$ when varying n is demonstrated in Figure 10c. The results show that the running time of ${\mathsf{VEQ}}_{\mathsf{T}}$ increases with increasing n, while the running time of $\mathsf{TMQ}$ decreases as n increases. This is because ${\mathsf{VEQ}}_{\mathsf{T}}$ needs to find all subgraph matchings for each query in the temporal query set one by one; thus, the time cost will increase when the number of queries in the temporal query set increases, while $\mathsf{TMQ}$ equipped with filtering techniques can significantly reduce the search space. When n becomes larger, the temporal constraints on the edges of temporal query pattern become stricter, so more unpromising candidates can be filtered, and the time to verify candidates and enumerate results decreases.

Figure 11, Figure 12, Figure 13 and Figure 14 depict the experimental results on the temporal graphs math, super, wiki, and stack, respectively. These experimental results are very similar to those obtained on college. Specifically, $\mathsf{TMQ}$ is up to three orders of magnitude faster than ${\mathsf{VEQ}}_{\mathsf{T}}$ on math and two orders of magnitude faster than ${\mathsf{VEQ}}_{\mathsf{T}}$ on super. For large temporal graphs wiki and stack, ${\mathsf{VEQ}}_{\mathsf{T}}$ cannot terminate within the time limit under most parameter settings, whereas $\mathsf{TMQ}$ can find all matchings and is also several orders of magnitude faster than ${\mathsf{VEQ}}_{\mathsf{T}}$.

6.3. Memory Usage

In this part, we evaluate the performance of $\mathsf{TMQ}$ against ${\mathsf{VEQ}}_{\mathsf{T}}$ based on the aspect of average memory usage to process a query on five different datasets.

Figure 15a–e show the average memory usage of two algorithms on temporal graphs college, math, super, wiki, and stack, respectively. The size of the corresponding temporal graph is marked by the line. In the experiments, we did not record or plot the memory usage if the algorithm could not finish within the time limit. The experimental results show that $\mathsf{TMQ}$ and ${\mathsf{VEQ}}_{\mathsf{T}}$ were close in the memory cost to process a query. This is because $\mathsf{TMQ}$ needs to verify the state of all vertices when constructing the index structure, which uses a lot of memory. As for ${\mathsf{VEQ}}_{\mathsf{T}}$, it takes a lot of memory to store all matchings of each query even if most matchings do not satisfy the temporal constraints.

6.4. Scalability

In this part, we evaluate the scalability of $\mathsf{TMQ}$ and ${\mathsf{VEQ}}_{\mathsf{T}}$ by varying the size of the data graph under default parameter settings.

Figure 16a shows the average running time of the two algorithms when varying the size of the dataset under default parameter settings. It can been seen that ${\mathsf{VEQ}}_{\mathsf{T}}$ cannot finish on large datasets, whereas $\mathsf{TMQ}$ can find all results on all datasets. And the running time of $\mathsf{TMQ}$ increases with increasing dataset size. Figure 16b shows the average memory usage when varying the size of the dataset under default parameter settings. We can see that the memory usage increases linearly as dataset size increases. The above results demonstrate the good scalability of $\mathsf{TMQ}$.

7. Conclusions

In this paper, we model the time-evolving cyber attack detection task as a novel temporal multi-query subgraph matching problem and propose an efficient algorithm to tackle this problem. Specifically, we first merge multiple queries into a new query graph with temporal constraints, which is helps improve the searching efficiency. Then, we design a novel index structure called TCG to maintain valid candidates. During this process, we use an efficient pruning technology TE-Filter to filter unpromising intermediate results by considering the temporal constraints. Lastly, we generate an efficient matching order by constructing a query matching tree and enumerate subgraph matching results based on the matching order. Extensive experiments on five real datasets demonstrate that our method is several orders of magnitude faster than the existing method, while achieving comparable performance in memory consumption.