Article

ActivityRDI: A Centralized Solution Framework for Activity Retrieval and Detection Intelligence Based on Knowledge Graphs, Large Language Models, and Imbalanced Learning

1 Data, Analytics, and AI Organization, Hewlett Packard Enterprise, 5555 Windward Pkwy, Alpharetta, GA 30004, USA
2 Department of Electrical and Computer Engineering, New York University, 50 West 4th Street, New York, NY 10012, USA
* Author to whom correspondence should be addressed.
Mach. Learn. Knowl. Extr. 2026, 8(3), 75; https://doi.org/10.3390/make8030075
Submission received: 11 January 2026 / Revised: 9 March 2026 / Accepted: 12 March 2026 / Published: 18 March 2026

Abstract

We propose a centralized Activity Retrieval and Detection Intelligence (ActivityRDI) solution framework, demonstrate its application performance in network threat detection in detail, and show its generalization to other domains. Network threat detection is challenging owing to the complex nature of attack activities and the limited historically revealed threat data from which to learn. To help enhance the existing methods (e.g., analytics, machine learning, and artificial intelligence) to detect the network threats, we propose a multi-agent AI solution for agile threat detection. In this solution, a knowledge graph is used to analyze changes in user activity patterns and calculate the risk of unknown threats. Then, an imbalanced learning model is used to prune and weight the knowledge graph and to calculate the risk of known threats. Finally, a large language model (LLM) is used to retrieve and interpret the risk associated with user activities from the knowledge graph and the imbalanced learning model. The preliminary results show that the solution improves the threat capture rate by 3–4% and adds natural language interpretations of the risk predictions based on user activities with 95% accuracy. Furthermore, a demonstration application has been built to show how the proposed solution framework can be deployed and used. The generalizability of the proposed solution in other domains is also shown through an application to customer engagement, with 97% accuracy.

1. Introduction

Activity-based intelligence (ABI) discovers insights and patterns in activities associated with entities of interest through intelligent algorithmic analysis [1,2,3,4]. Thanks to technological advancement, activities in various systems are now widely captured. This wealth of information brings opportunities and challenges in activity analysis across different domains. An important domain is network threat detection, which is challenging owing to the complex nature of attack activities and the limited historically revealed threat data from which to learn despite the abundance of activity data in general.
Network threats have brought about significant financial losses and public safety issues in recent years. The total reported loss from cybercrimes in the US was more than $12.5 billion in 2023, according to the FBI’s Internet Crime Complaint Center (IC3) report [5]. In addition, public safety systems face increasing disruption in emergency communication systems and operations due to malicious attacks [6]. These are caused by new and increasingly complicated network attack activities that are not detected in time [7]. This presents a significant need for agile threat detection, which aims to identify and respond to evolving threats rapidly and proactively [8].
Analytical, machine learning (ML) and artificial intelligence (AI) methods have been widely used by researchers and practitioners to discover the patterns of known threats and detect unusual signals of unknown threats from the activities of users. Traditional ML/AI models typically need to learn from extensive historical data to guarantee good model performance. However, there are very limited historical data on known threats that have been observed but are not detected every time they occur. Furthermore, there are no data on unknown threats that have never been observed before. These two types of network threats are challenging for traditional ML/AI models to predict accurately.
Compared to other ML/AI models alone, the addition of knowledge graphs increases efficiency in analyzing user activities and their relationships to discover abnormalities. However, it has three challenges. The first is to prune and weight the information properly in the graph to filter out weak or redundant information about network threats. The second is to include large texts as part of graphs and graph analysis. The third is to unravel, diagnose, and interpret the complex activities and relationships of the users in the graph.
To overcome the challenges above, we propose Activity Retrieval and Detection Intelligence (ActivityRDI), a centralized and principled framework for activity-based intelligence that integrates dynamic knowledge graphs, imbalanced learning, and large language models. Unlike existing approaches, which apply these components independently, ActivityRDI tightly couples them in a closed-loop architecture, where learning outcomes actively shape activity representations and support real-time retrieval and interpretation. The framework is designed to address both known and unknown threats while producing human-interpretable explanations suitable for analyst decision-making.
In this framework, a knowledge graph is used to analyze changes in the user activity pattern and calculate the risk of unknown threats, an imbalanced learning model is used to prune and weight the knowledge graph and to calculate the risk of known threats, and an LLM is used to retrieve and interpret the user activities from the knowledge graph and the imbalanced learning model.
Using LLMs empowered by knowledge graphs enhanced with imbalanced learning as a set of AI agents, an adaptive and real-time monitoring framework can be implemented to achieve fast and early detection of malicious behaviors. This approach integrates the strengths of LLMs in contextual reasoning with the structured relationship modeling capabilities of knowledge graphs to monitor, predict, and explain potential threats as they unfold. The synergy between these components ensures both depth and immediacy in threat detection, making the system highly effective in dynamic environments.
Activity-based intelligence emphasizes understanding intent and risk through the analysis of observed activities rather than isolated events. ActivityRDI directly operationalizes this principle by representing activities as evolving relational structures, detecting deviations in activity patterns over time, and translating these deviations into actionable intelligence. In our framework, activities are captured and structured in a dynamic knowledge graph, changes in activity patterns are assessed through graph evolution and similarity measures, and risk hypotheses are quantified using imbalanced learning. Large language models then enable retrieval, synthesis, and interpretation of activity-level intelligence, supporting effective human-in-the-loop analysis. We demonstrate the effectiveness of ActivityRDI in network threat detection and further show that the framework naturally generalizes to other activity-centered domains.

2. Related Work

2.1. Knowledge Graphs

A knowledge graph is a data structure that encodes entities as nodes and relations as edges, often with rich attributes for both. By capturing complex multi-relational data, knowledge graphs facilitate reasoning about connections [9]. In addition, knowledge graphs are extremely efficient in representing sparse big data on the basis of their relationships and discovering abnormal patterns [10,11].
Different algorithms (e.g., similarity, centrality, community detection, pathfinding, shortest path, and link prediction) can be selected and run flexibly on graph data structures. Knowledge graphs have become popular in many domains [12,13,14,15], including cybersecurity, to integrate heterogeneous logs, documents and threat intelligence [16,17,18,19,20,21]. In a security context, a knowledge graph might include nodes for entities (e.g., users, hosts, processes, and files) and edges for actions (e.g., logons and file accesses), enabling graph algorithms to detect suspicious patterns.
Despite all these advantages of knowledge graphs, weak or redundant information in the graph can create challenges. Furthermore, it is not an efficient practice to include extensive text data on either nodes or edges of a graph, for example, actual article text that a user reads. In addition, it requires a great deal of expert knowledge and experience to interpret the information in the graph and diagnose problems accordingly. The following are three practical implementation challenges:
  • First, how can the activity nodes and edges in a large graph be pruned and weighted properly?
  • Second, how can large amounts of content be incorporated into the activity graph analysis?
  • Third, how can information from both a graph and an imbalanced learning model be retrieved and interpreted efficiently?
The above challenges can be overcome by combining a knowledge graph with imbalanced learning and a large language model.

2.2. Imbalanced Learning

In cybersecurity, malicious events are typically rare compared to benign events; this pattern is referred to as imbalanced data, where a dataset has far fewer observations in the minority class (e.g., malicious event, threat) than in the majority class (e.g., benign event, non-threat) [22]. Imbalanced learning is the process of learning patterns from imbalanced data.
Imbalanced learning aims to eliminate the bias in the learning processes of traditional ML/AI models on imbalanced data. Traditional models maximize overall accuracy, while imbalanced learning pays more attention to the accuracy of the minority class and maintains overall accuracy at a reasonable range. To adapt ML/AI models to imbalanced data, imbalanced learning techniques such as sampling, weighting, and thresholding are commonly used [23].
With extremely imbalanced data (for example, a dataset whose minority class constitutes less than 1% of the sample), the weighting approach, also called cost-sensitive or weighted classification, generally works better, especially when combined with thresholding approaches [24]. The main reason is that the number of observations in the minority class is too small to conduct the sampling in a representative manner. In a weighting approach, the observations in the minority class are given higher penalty weights in the loss function, indicating greater losses if they are misclassified than if observations in the majority class are misclassified. For example, in logistic regression, one can use a weighted log-likelihood loss that assigns an increased penalty weight of greater than one to threat observations and a weight of one to benign observations [25], where the penalty weight values are determined on the basis of heuristic rules. Another approach is algorithmic learning of both penalty weights and model coefficients from the training data using a custom log-likelihood function [24], as shown in Equation (1), where $i$ is the training sample index, $y_i$ is the dependent variable value of the training sample $i$, $x_i$ is the independent variable vector value of the training sample $i$, and $\beta$ is the coefficient vector of independent variables. The mathematical derivation, implementation, and experiments of this custom log-likelihood function can be found in [26].
$$\min_{\beta,\lambda} \; -\sum_{i=1}^{m} \left[ \lambda_i y_i \log\left(\pi(\beta^{T} x_i)\right) + (1 - y_i) \log\left(1 - \pi(\beta^{T} x_i)\right) \right] \qquad (1)$$
In our problem, imbalanced learning techniques are used to prune and weight the nodes and edges of the graph on the basis of their relationships to the network threat. Generally speaking, a graph is pruned and weighted on the basis of the importance of the information represented on the nodes and edges in the graph. This typically depends on the problems that are being solved and the algorithms that are used. Wu used a graph hierarchy inference method based on the Agony model to eliminate noisy nodes and edges in the graph [27]. Chong derived the graph weights from the graph adjacency structure [28]. Jarnac used bootstrapping via zero-shot analogical pruning to select relevant nodes or edges within the graph [29]. Given that our objective is to prune and weight the nodes and edges of the graph on the basis of their relationships to the network threat, a supervised learning approach is more suitable for our problem. Furthermore, because the historical data consist of less than 1% threat observations and more than 99% non-threat observations, the imbalanced learning techniques are specifically used in our solution.

2.3. Large Language Models (LLMs)

Large language models are neural networks that are trained on massive text corpora and can understand and generate natural language [30,31,32]. Existing LLMs include ChatGPT, LLaMA, Gemini, Claude, etc. [33]. LLMs have been used for applications including summarizing (e.g., summarizing user reviews for brevity), inferring (e.g., sentiment classification, topic extraction), transforming text (e.g., translation, spelling, and grammar correction), expanding (e.g., automatically writing emails), and retrieval-augmented generation (RAG, e.g., reference on a knowledge base beyond the training data before response) [34]. However, the standard LLM retrieval process is based on similarity [35], where the similarity between the user’s question and the documents in the database is measured and the most similar documents are selected to answer the user’s question, as shown in Figure 1.
Recent work has explored multi-agent LLM systems where multiple models collaborate to solve tasks. These agents can pose natural-language queries to each other and to external data sources [36,37]. This enables dynamically intelligent interactions and collaborations among LLMs and other models and tools that are typically required to work together to solve problems [37,38]. For example, to solve mechanical problems, the multi-agent AI platform MechAgents was developed with a comprehensive intelligent ability to retrieve and integrate relevant knowledge, theory and data; construct and execute code; and analyze results using multiple numerical methods [37]. Another example is that multi-agent AI systems are used to enhance the decision support for smart city management, combining LLMs with existing urban information systems to process complex routing queries and generate contextually relevant responses, achieving 94–99% accuracy [39].
In our framework, LLM agents serve as query and reasoning engines: they translate user questions into graph queries, iteratively refine the queries, and interpret the results as human-readable explanations. For example, an agent might summarize a subgraph or explain the rationale behind a flagged anomaly.

2.4. Graph Anomaly Detection

Detecting anomalies in graphs that evolve over time is a well-studied problem [40]. We focus on measures such as the weighted Jaccard similarity between successive graph snapshots. Given two weighted graphs $G$ and $H$ in the same node set, we define their weighted similarity in Equation (2), whose solutions are in the range $[0, 1]$. $J = 1$ if the graphs are identical, and smaller values indicate a structural change. If at time $t$ we have graph $G_t$ and at $t + 1$ we add some edges or weights to obtain $G_{t+1}$, then $J(G_t, G_{t+1})$ quantifies how much the graph changed. Intuitively, if few edges change, $J$ stays close to unity, but a surge of new edges (an anomaly) will markedly decrease $J$.
$$J(G, H) = \frac{\sum_{e} \min\left(w_G(e), w_H(e)\right)}{\sum_{e} \max\left(w_G(e), w_H(e)\right)} \qquad (2)$$
In summary, our work integrates a graph backbone, imbalanced learning, and cooperative LLM reasoning into one framework; this undertaking is the first of its kind, even though the individual metrics have been examined separately in many studies and for many applications. Knowledge-graph-based methods have been applied to security analytics and threat intelligence. Graph-based semi-supervised learning and bootstrap methods have been used to handle noisy security data. Imbalanced learning approaches have been adopted for rare-event detection and for activity log anomaly detection. In parallel, transformer-based models have been explored in cybersecurity. Recent work on multi-agent LLMs highlights that cooperative LLM systems can solve complex tasks through natural-language dialog, but their use in security has been limited.

3. Proposed Methodology

ActivityRDI has three core components: a knowledge graph, imbalanced learning, and a large language model. These components serve distinct and complementary roles. Knowledge graphs provide a natural representation for heterogeneous activities and their temporal relationships, but on their own, they can suffer from noise and redundancy. Imbalanced learning is therefore used not only for threat classification but also to prune and weight the knowledge graph, ensuring that activity representations emphasize threat-relevant signals under extreme class imbalance. Graph similarity measures enable the detection of anomalous behavioral shifts, allowing the system to identify potential unknown threats that are not captured by supervised models. Large language models are deliberately positioned outside the prediction loop and instead act as reasoning, retrieval, and explanation agents, translating structured activity intelligence into forms suitable for analyst understanding without requiring task-specific fine-tuning.
From an implementation perspective, this framework consists of three cooperating LLM agents: two collaborators and one supervisor, as shown in Figure 2. Collaborator 1 maintains a dynamic knowledge graph. At each time step $t$, it adds new events $\Delta E_t$ as edges to form $G_{t+1} = G_t \cup \Delta E_t$, ensuring efficient online updates. Collaborator 2 trains and applies the weighted classifier on features derived from graph entities (e.g., node degrees, subgraph patterns) to estimate the likelihoods of threats. The two collaborators interact: if Collaborator 2 assigns high risk to certain events or nodes, Collaborator 1 increases their edge weights or marks them as unusual. In contrast, edges with low risk may be pruned to focus the graph on likely threats.
Periodically, Collaborator 1 also computes graph similarity by measuring the weighted Jaccard similarity between the current user graph $G_t$ and a reference graph (e.g., $G_{t-\tau}$ or a baseline). A drop in this similarity score signals an anomalous shift in user behavior, even if the classifier did not flag it. These signals are stored for reporting.
The supervisor agent handles user interaction. Upon receiving a user query (e.g., ‘What recent user behaviors look suspicious?’), the supervisor LLM generates structured queries for the graph database (using standard query languages or prompt-based retrieval). It may ask Collaborator 1 to list subgraphs around suspicious nodes or ask Collaborator 2 for classification probabilities. It then synthesizes these into a human-readable interpretation (e.g., ‘User X’s recent file access pattern is unusual given their history’ or ‘A new device connection to server Y matches no known normal behavior’). The supervisor thus bridges the gap between automated graph analytics and analyst understanding.
Figure 3 illustrates how agents exchange information through natural language and graph queries. Each agent can translate between text and data operations: graph queries, classifier invocations, and explanation generation. Through iterative prompting, agents refine their analysis: for example, the supervisor may refine a question such as ‘Why is node X flagged?’ and receive successive clarifications from the collaborators before answering.
Compared to the typical query process of an LLM as shown in Figure 1, the following additional functionalities are added to our multi-agent LLM query process:
  • Multiple types of knowledge bases are used, including a user activity knowledge graph and documents. This ensures that more comprehensive information is considered.
  • Interpretations are drawn from analytic models including graph similarity and imbalanced learning. This avoids the fine-tuning of an LLM for specific purposes, thus saving money and improving efficiency.
Compared to existing solutions, our proposed solution improves the detection of network threats by introducing the novel features listed in Table 1.
The representative works summarized above constitute the current state of the art in knowledge-graph-based threat detection, imbalanced learning, and LLM-driven cyberintelligence. Table 1 provides a structured comparison between these existing approaches and the proposed ActivityRDI framework along key methodological dimensions.

4. Experiments and Results

4.1. Data

The evaluation of the proposed solution in this paper is performed on the CERT Insider Threat Test Dataset [53]. This public dataset simulates enterprise user activities (logons, file accesses, emails, etc.) for a set of users and devices, with labeled insider threats at the logon level. Although the data are synthetic, the authors of the data set use a well-rounded approach to achieve realism [54], including detailed activity logs and ground-truth threat labels at the logon level, as listed in Table 2; this realism makes it suitable and widely used for the research, development, and testing of many threat detection frameworks. All experiments in this paper use this dataset.

4.2. Knowledge Graph Creation

A graph G uses the nodes and edges to represent relational information about users, computing devices, and activities, as shown in Figure 4.
  • Nodes V: A node represents a user, user role, device, activity type (i.e., logon, email, file access, removable connect, removable disconnect, web visit, logoff) or activity time.
  • Edges E: The edges connect the user, the user role, the device, the activity type, and the activity time, indicating which user performed what activity on the device at what time.

4.3. Graph Pruning and Graph Weighting Using Imbalanced Learning Techniques

To reduce redundant and insignificant information in the knowledge graph and improve the algorithm’s efficiency, we prune and weight the graph using imbalanced learning techniques, which evaluate how the information represented by the nodes and edges in the graph is related to the threats in the historical data. First, the numerical representations of the user activities in the graph and the historical threats are created as independent variables (i.e., features) and a dependent variable, respectively. Then, their relationships are examined through information value, and variable clustering techniques filter out the independent variables with weak predictive power or redundant information. The nodes and edges representing weak or redundant information are pruned from the graph. Lastly, a predictive model is trained with a customized imbalanced learning technique to predict whether a logon session is a threat. The predicted value from this predictive model is used to weight the nodes in the graph.

4.3.1. Feature Creation

In the predictive model, the dependent variable is a binary variable with 1 indicating a threat logon and 0 indicating a normal logon. The independent variables are 56 variables (that is, features) representing the current and past activities of the users, such as the number of executable files running in the current session and the number of executable files running in the past sessions.

4.3.2. Feature Selection

The relationships between these independent variables and the dependent variable are then examined through the information value, and the interrelationships among these independent variables are examined through the clustering of variables. Sixteen independent variables are selected to be used in modeling.

4.3.3. Imbalanced Learning

The historical data are split into a training set (70%) to train the model and a validation set (30%) to evaluate the model performance later in a stratified manner, ensuring that the percentage of threats in the training and validation data is the same as in the historical data. In historical data, the percentage of threats detected is 0.34%. To mitigate data bias, the weight of each training sample $\lambda_i$ is first learned through the custom log-likelihood in Equation (1) from the training data; the code for this implementation can be found in [55]. The learned sample weights $\lambda_i$ are then applied to the machine learning model training process (e.g., a gradient boosting model). Based on our previous research results in [24,26], we have chosen to build a gradient boosting model trained without learnable weights and with learnable weights in this experiment. Their performance is evaluated on the validation set using the gain and the area under the precision–recall curve, as shown in Table 3.
The models are as follows:
  • Model 1: gradient boosting model trained without learnable weights.
  • Model 2: gradient boosting model trained with learnable weights from Equation (1).
Compared to Model 1, Model 2 trained with learnable weights can capture 4% more true threats in the top 3% of predicted risky logons and 3% more true threats in the top 30% of predicted risky logons. The overall improvement is approximately 2% under different probability cut-off points used to convert the predicted threat probability into binary values. Given the better performance of Model 2, the variables and their importance in Model 2 are used to prune and weight the corresponding nodes of the activity graph built on the graph schema in Figure 4. For example, the variable “removable device connection” shows higher importance, and so the node “Removable Connect” in the graph is given a greater weight based on the variable importance value.
Although the absolute performance improvements of Model 2 appear modest, they are significant in the context of insider threat detection, where malicious events account for less than one percent of observed activity. Even a small increase in early threat capture can substantially reduce missed detections, lower analyst workload, and enable earlier intervention. Therefore, the observed 3–4% improvement represents a significant operational gain in real-world detection environments characterized by extreme class imbalance. This could potentially have prevented losses of $0.2 billion in 2021, $0.3 billion in 2022, and $0.4 billion in 2023 [5].
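The weighted log-likelihood of Section 2.2 and the gain metric used above can be tried end to end with the following added example, which is not the authors' code from [55]. It assumes a fixed heuristic penalty weight (the variant attributed to [25]) in place of learnable weights, a logistic regression in place of gradient boosting, and constructed session data; all function names are illustrative.

```python
import math
import random


def sigmoid(z):
    """Numerically stable logistic function pi(z)."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def predict(beta, X):
    """Predicted threat probability pi(beta^T x_i) for every session."""
    return [sigmoid(sum(b * v for b, v in zip(beta, xi))) for xi in X]


def weighted_nll(beta, X, y, lam):
    """Equation (1) for fixed lambda: -sum[lam_i*y_i*log(p_i) + (1-y_i)*log(1-p_i)]."""
    total = 0.0
    for p, yi, li in zip(predict(beta, X), y, lam):
        p = min(max(p, 1e-12), 1.0 - 1e-12)  # guard against log(0)
        total -= li * yi * math.log(p) + (1 - yi) * math.log(1.0 - p)
    return total


def fit(X, y, lam, lr=0.5, steps=300):
    """Plain gradient descent on the weighted loss, normalised by total weight."""
    beta = [0.0] * len(X[0])
    norm = sum(li if yi else 1.0 for yi, li in zip(y, lam))
    for _ in range(steps):
        grad = [0.0] * len(beta)
        for xi, yi, li, p in zip(X, y, lam, predict(beta, X)):
            # Derivative of the per-sample loss with respect to beta^T x:
            # lam_i * (p - 1) for a threat, p for a benign session.
            g = li * (p - 1.0) if yi else p
            for j, v in enumerate(xi):
                grad[j] += g * v
        beta = [b - lr * gj / norm for b, gj in zip(beta, grad)]
    return beta


def gain_at_top(scores, y, frac):
    """Share of all true threats that fall in the top `frac` of ranked sessions."""
    total = sum(y)
    if total == 0:
        return 0.0
    k = max(1, round(frac * len(scores)))
    ranked = sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)
    return sum(y[i] for i in ranked[:k]) / total


def make_sessions(n, threat_rate, seed):
    """Constructed logon sessions: intercept plus two activity-count features."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        threat = 1 if rng.random() < threat_rate else 0
        shift = 1.5 if threat else 0.0  # threats are shifted but overlap benign
        X.append([1.0, rng.gauss(shift, 1.0), rng.gauss(shift, 1.0)])
        y.append(threat)
    return X, y


if __name__ == "__main__":
    # Scored in-sample for brevity; the page evaluates on a stratified 30% hold-out.
    X, y = make_sessions(2000, 0.01, seed=1)
    for penalty in (1.0, 20.0):
        lam = [penalty if yi else 1.0 for yi in y]
        scores = predict(fit(X, y, lam), X)
        threat_probs = [s for s, yi in zip(scores, y) if yi]
        print(f"penalty={penalty:>4}: "
              f"mean P(threat | true threat)={sum(threat_probs) / len(threat_probs):.3f}, "
              f"gain@3%={gain_at_top(scores, y, 0.03):.2f}, "
              f"gain@30%={gain_at_top(scores, y, 0.30):.2f}")
```

A single global penalty mostly lifts the predicted probabilities of threat sessions rather than reordering them, so on this toy data the effect shows up in the mean threat probability more than in the gain columns.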

4.3.4. Graph Similarity

To measure the change in user activity over time, we first build the current activity graph and the previous activity graph. Then, the weighted similarity (e.g., weighted Jaccard similarity) between these two graphs is computed.
To show the result, take the user CSC0217 as an example in Figure 5. Its current activity graph shows that it logs onto the PC5866 device in the afternoon and connects to a removable device, and its previous activity graph shows that it logs onto the PC3742, PC6377, and PC2288 devices in the morning and visits some websites. The Jaccard similarity score between these two graphs is very small, resulting in a high activity change score, as expected. The activity change score, combined with the explanation of activity changes from the LLM retriever and interpreter in Section 4.4.2, identifies the risk of unknown threats.
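The comparison described for user CSC0217 can be reproduced with Equation (2) in the following added example, which is not the authors' implementation. The event tuples, the edge layout, the activity weight of 3.0, the 0.8 threshold, and the definition of the activity change score as 1 − J are assumptions made for illustration.

```python
# Constructed importance weights per activity type, standing in for the variable
# importance taken from the imbalanced learning model (values are assumptions).
ACTIVITY_WEIGHT = {"Removable Connect": 3.0}

# Constructed events (user, device, activity, time of day) following the
# CSC0217 description on the page.
PREVIOUS_EVENTS = [
    ("CSC0217", "PC3742", "Logon", "Morning"),
    ("CSC0217", "PC6377", "Logon", "Morning"),
    ("CSC0217", "PC2288", "Logon", "Morning"),
    ("CSC0217", "PC3742", "Web Visit", "Morning"),
    ("CSC0217", "PC3742", "Web Visit", "Morning"),
]
CURRENT_EVENTS = [
    ("CSC0217", "PC5866", "Logon", "Afternoon"),
    ("CSC0217", "PC5866", "Removable Connect", "Afternoon"),
]


def add_events(graph, events, activity_weight=None):
    """Online update G_{t+1} = G_t U dE_t on an {edge: weight} map (returns a copy)."""
    updated = dict(graph)
    weights = activity_weight or {}
    for user, device, activity, period in events:
        w = weights.get(activity, 1.0)
        # Assumed edge layout: user-activity, activity-device, activity-time.
        for edge in ((user, activity), (activity, device), (activity, period)):
            updated[edge] = updated.get(edge, 0.0) + w
    return updated


def weighted_jaccard(g, h):
    """Equation (2): sum of edge-wise minima over sum of edge-wise maxima."""
    edges = set(g) | set(h)
    num = sum(min(g.get(e, 0.0), h.get(e, 0.0)) for e in edges)
    den = sum(max(g.get(e, 0.0), h.get(e, 0.0)) for e in edges)
    return num / den if den else 1.0  # two empty graphs count as identical


def activity_change_score(previous, current):
    """Assumed definition: 1 - J, so a low similarity gives a high change score."""
    return 1.0 - weighted_jaccard(previous, current)


def top_changes(previous, current, n=3):
    """Edges with the largest weight change, as context for an interpreter."""
    deltas = {e: current.get(e, 0.0) - previous.get(e, 0.0)
              for e in set(previous) | set(current)}
    return sorted(deltas.items(), key=lambda kv: (-abs(kv[1]), kv[0]))[:n]


def flag_shifts(snapshots, threshold=0.8):
    """Indices t whose change score against snapshot t-1 reaches the threshold."""
    return [t for t in range(1, len(snapshots))
            if activity_change_score(snapshots[t - 1], snapshots[t]) >= threshold]


def demo_graphs(activity_weight=None):
    """Build the previous and current activity graphs from the constructed events."""
    previous = add_events({}, PREVIOUS_EVENTS, activity_weight)
    current = add_events({}, CURRENT_EVENTS, activity_weight)
    return previous, current


if __name__ == "__main__":
    for label, weights in (("unweighted", None), ("risk-weighted", ACTIVITY_WEIGHT)):
        prev, cur = demo_graphs(weights)
        print(f"{label}: J={weighted_jaccard(prev, cur):.4f}, "
              f"change={activity_change_score(prev, cur):.4f}")
    prev, cur = demo_graphs(ACTIVITY_WEIGHT)
    for edge, delta in top_changes(prev, cur):
        print(f"  {edge}: {delta:+.1f}")
    print("flagged snapshots:", flag_shifts([prev, prev, cur]))
```

With these constructed events the only shared edge is the user's logon edge, so the similarity is 1/20 unweighted and drops to 1/26 once the removable-device edges carry the higher weight.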

4.4. Graph Retrieval and Interpretation Using Large Language Models

To better understand why the user’s activities are detected as known threats or unknown threats in Section 4.3.3 and Section 4.3.4, we extend the knowledge graph to incorporate the semantic contents of the user’s email, files, and web visits, and we then integrate the knowledge graph with an LLM retriever agent and interpret the user’s activities in a structured and explainable manner. While Section 4.3.3 and Section 4.3.4 quantify risk through supervised imbalanced learning and graph similarity measures, this section focuses on transforming those quantitative outputs into human-understandable activity intelligence.

4.4.1. Graph Schema Creation Extended

In traditional graph representations, nodes and edges efficiently encode relational information such as users, devices, timestamps, and activity types. However, the textual content associated with emails, files, and web visits is long and semantically rich and therefore cannot be directly incorporated into the graph without affecting storage efficiency and query performance.
To address this limitation, we adopt a hybrid design in which the textual contents are embedded into dense vector representations and stored in a vector database, while the structured relational metadata remain in the graph database, as shown in Figure 6. Each content object is associated with its embedding through a unique identifier, allowing the knowledge graph to reference the semantic information without storing the raw text directly. This design enables efficient integration of large textual information into the activity graph while preserving scalability and query performance.

4.4.2. Large Language Model as Retriever and Interpreter

Once the knowledge graph is extended with content embeddings, the LLM acts as a retriever and interpreter that bridges natural language queries and structured graph operations. When a user submits a query, such as requesting a comparison of activity patterns between two time periods, the LLM first translates the natural language question into a graph query. This translation maps the query into the corresponding graph database language to retrieve the relevant subgraphs, including user nodes, device connections, activity types, timestamps, and weighted risk values derived from the imbalanced learning model. If the query involves semantic understanding of content, the LLM also retrieves the relevant embeddings from the vector database on the basis of a similarity search and incorporates the associated textual summaries into its reasoning process.
The retrieved graph data include both the predicted likelihood of being a known threat, obtained from the imbalanced learning model in Section 4.3.3, and the activity change score, derived from the weighted Jaccard similarity in Section 4.3.4. These quantitative signals continue to be generated by their respective analytical modules to ensure reproducibility and consistency. The LLM does not replace these models; instead, it interprets their outputs by synthesizing relational structure, historical comparisons, and semantic content. For example, if a user suddenly connects to a removable device after historically performing only web browsing activities, and the supervised model assigns a high threat probability to removable connections, the LLM explains that the elevated risk arises from both structural deviation and historically significant features. In this way, the explanation is grounded in observable graph evolution and model-derived importance measures rather than speculative inference.
The interaction among the three agents described in Section 3 becomes particularly important in this stage. The collaborator responsible for maintaining the dynamic knowledge graph provides updated structural information, the collaborator responsible for imbalanced learning supplies threat probabilities and feature importance values, and the supervisor LLM orchestrates the retrieval process and generates coherent interpretations. Through iterative prompting, the supervisor may refine its queries to gather additional context, such as requesting a breakdown of recent device connections or identifying which activity types contributed most to the threat score. This iterative reasoning process allows the system to move beyond static question answering and toward interactive analytical support.
In this experiment, we built a demonstration application that accepts questions about a user’s activity changes in the current time period relative to a historical or reference time period and returns the user’s activity summaries, changes, and risk interpretations, as shown in Figure 7.
For example, as shown in Figure 8, we ask about the user Lisa’s activity change in January 2024 compared to December 2023. The generated answer reports that Lisa’s activity shifted from a mix of web visits and logons/logoffs in December 2023 to solely logons/logoffs with removable device connections and disconnections on different devices, which explains why the likelihood of an unknown threat is 80% and the likelihood of a known threat is 70%.
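The December-versus-January comparison described above for Lisa can be reproduced in miniature with the following added example, which is not the authors' code. It assumes the standard weighted Jaccard (sum of minima over sum of maxima), because the exact definition from Section 4.3.4 is not reproduced here; the log lines, the PC names, the control user `bob`, and the activity weights are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed log lines (timestamp,user,pc,activity); not taken from the CERT dataset.
LOG = """\
2023-12-04T08:58,lisa,PC-01,logon
2023-12-04T09:10,lisa,PC-01,http
2023-12-04T11:32,lisa,PC-01,http
2023-12-04T17:02,lisa,PC-01,logoff
2023-12-11T09:01,lisa,PC-01,logon
2023-12-11T10:15,lisa,PC-01,http
2023-12-11T14:40,lisa,PC-01,http
2023-12-11T17:05,lisa,PC-01,logoff
2024-01-08T09:00,lisa,PC-01,logon
2024-01-08T09:20,lisa,PC-01,logoff
2024-01-08T22:41,lisa,PC-07,logon
2024-01-08T22:43,lisa,PC-07,device_connect
2024-01-08T22:58,lisa,PC-07,device_disconnect
2024-01-08T23:01,lisa,PC-07,logoff
2023-12-05T09:00,bob,PC-02,logon
2023-12-05T17:00,bob,PC-02,logoff
2024-01-09T09:00,bob,PC-02,logon
2024-01-09T17:00,bob,PC-02,logoff
"""

# Assumed weights standing in for the variable importance that the paper takes
# from its imbalanced learning model; the values are illustrative only.
ACTIVITY_WEIGHT = {"logon": 1.0, "logoff": 1.0, "http": 0.5,
                   "device_connect": 3.0, "device_disconnect": 3.0}


def period_graph(log, user, year, month):
    """Weighted edge map {(pc, activity): count * weight} for one user and month."""
    edges = defaultdict(float)
    for line in log.strip().splitlines():
        ts, who, pc, activity = line.split(",")
        when = datetime.fromisoformat(ts)
        if who == user and (when.year, when.month) == (year, month):
            edges[(pc, activity)] += ACTIVITY_WEIGHT.get(activity, 1.0)
    return dict(edges)


def weighted_jaccard(a, b):
    """sum(min) / sum(max) over the union of edges; 1.0 when both graphs are empty."""
    keys = set(a) | set(b)
    denom = sum(max(a.get(k, 0.0), b.get(k, 0.0)) for k in keys)
    if denom == 0:
        return 1.0
    return sum(min(a.get(k, 0.0), b.get(k, 0.0)) for k in keys) / denom


def change_score(reference, current):
    """Activity change score in [0, 1]: 0 = same weighted graph, 1 = disjoint."""
    return 1.0 - weighted_jaccard(reference, current)


def top_contributors(reference, current, n=3):
    """Edges with the largest weighted difference, signed (+ means new or increased)."""
    deltas = {k: current.get(k, 0.0) - reference.get(k, 0.0)
              for k in set(reference) | set(current)}
    ranked = sorted(deltas.items(), key=lambda kv: (-abs(kv[1]), kv[0]))
    return [(k, d) for k, d in ranked if d != 0][:n]


def compare(user, ref=(2023, 12), cur=(2024, 1)):
    """Change score and top contributing edges for one user between two months."""
    reference = period_graph(LOG, user, *ref)
    current = period_graph(LOG, user, *cur)
    return change_score(reference, current), top_contributors(reference, current)


if __name__ == "__main__":
    for user in ("lisa", "bob"):
        score, edges = compare(user)
        print(f"{user}: change score {score:.3f}")
        for (pc, activity), delta in edges:
            print(f"  {delta:+.1f}  {activity} on {pc}")
```

A user with no activity in the reference period and any activity in the current one scores 1.0, so new accounts need a separate baseline policy before this score is used for alerting.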
To evaluate the accuracy of the LLM retriever and interpreter, we generated 100 questions concerning user activities, temporal changes, and associated risk levels. Ground-truth answers were constructed directly from the knowledge graph and analytical outputs. The LLM-generated answers were then compared with the ground truth by a human evaluator. An answer was considered correct if it accurately reflected the graph structure, aligned with the risk probabilities produced by the imbalanced learning and similarity modules, and provided a logically consistent interpretation of the activity change. The results show that 95% of the responses were consistent with the ground-truth answers. This metric reflects interpretative accuracy rather than predictive accuracy and demonstrates that the LLM component effectively translates structured activity intelligence into reliable explanations.
Regarding the implementation, the open-source graph database NebulaGraph is used to construct and store the user activity graph, the Python (Python 3.13.5) package llama-index is used to index and interface with the graph and vector database, the Text-embedding-3-large model is used to generate content embeddings, and the GPT-4o mini model is used to perform retrieval and interpretation. The average response time of approximately four seconds per query indicates that the retrieval and interpretation layer can operate nearly in real time without interfering with the prediction pipeline. Additionally, to build the content nodes in the graph, we use online public documents instead of the content text data in the Insider Threat Test Dataset, because the latter data appear to be a mix of random words and phrases that do not form coherent sentences or convey a clear message, making it difficult to interpret any specific meaning.

5. Applications in Other Domains

The applicability of ActivityRDI beyond cybersecurity follows directly from its activity-centric abstraction rather than from domain-specific assumptions. Any domain characterized by heterogeneous entities, temporally evolving activities, rare critical events, and a need for human-interpretable intelligence can benefit from this framework.
To illustrate this generality, we present an application in customer engagement to demonstrate that ActivityRDI supports accurate, scalable, and timely retrieval and interpretation of activity intelligence across multiple systems in a complex real-world data environment.
Customer activity data, including digital activities, in-person event activities, and customer identifier hierarchy at different levels, are captured and stored in 10+ systems. In our solution implementation, we have developed a centralized customer engagement knowledge graph that connects all activities at different identifier levels.
When we added LLM-based natural language query functionality to this customer engagement graph, preliminary results showed 97% accuracy on the retrieved information, with an average response time of 4 s, across 700+ tested questions. Accurate, agile, and centralized customer activity retrieval enables faster business actions and better business strategies to convince customers and close deals.

6. Conclusions

Our centralized Activity Retrieval and Detection Intelligence (ActivityRDI) framework enhances existing practices of using analytics, machine learning, and artificial intelligence for network threat detection by integrating knowledge graph modeling, imbalanced learning, and large language model reasoning into a unified architecture. Rather than treating detection, anomaly analysis, and interpretation as separate processes, the proposed framework connects them through a closed-loop design in which structured activity representation, risk quantification, and natural language explanation mutually reinforce one another.
The experimental results demonstrate that incorporating learnable weights in the imbalanced learning model improves the capture rate of true threats by approximately 3–4% in the highest-risk segments. Although the absolute numerical improvement may appear modest, its operational significance is substantial given that insider threats account for only 0.34% of the observed logon sessions in the dataset. In such highly imbalanced environments, even a small improvement in ranking performance at the top predicted risk levels corresponds to a meaningful increase in early interception of malicious behavior. Early identification reduces the probability of missed detections and lowers the downstream cost associated with delayed intervention. Therefore, the reported improvement reflects not merely a statistical gain but an enhancement in prioritization efficiency and risk mitigation capability.
Beyond the supervised detection of known threats, the graph similarity mechanism enables the identification of unknown threats through structural changes in user behavior. By measuring weighted Jaccard similarity between current and historical activity graphs, the framework detects behavioral deviations that may not yet be represented in labeled data. The integration of supervised risk probabilities and unsupervised structural deviation scores provides a dual-layer detection capability. This simultaneous handling of known and unknown threats distinguishes the proposed framework from existing solutions, which typically focus on one dimension independently. The combination ensures that the system remains effective both for historically observed attack patterns and for emerging or previously unseen behaviors.
Equally important is the interpretability achieved through the LLM-based retrieval and explanation layer. The evaluation shows that 95% of the generated interpretations are consistent with the ground-truth graph data and analytical outputs. This high interpretative accuracy indicates that the LLM successfully translates quantitative model outputs and structural graph information into coherent explanations grounded in evidence. In operational environments, accurate interpretation is critical because actionable intelligence depends not only on identifying high-risk activities but also on understanding why they are considered risky. By separating predictive computation from explanation generation, the framework maintains analytical rigor while enabling transparent and human-centered reasoning.
The generalization results further demonstrate that the framework’s effectiveness is not limited to cybersecurity. In the customer engagement application, the centralized knowledge graph combined with LLM-based retrieval achieved 97% accuracy in information retrieval across heterogeneous data sources. This cross-domain performance suggests that ActivityRDI is fundamentally activity-centric rather than domain-specific. Any environment characterized by heterogeneous entities, temporally evolving interactions, rare critical events, and a need for interpretable intelligence can potentially benefit from this design. The underlying abstraction, which captures activities as evolving relational structures, quantifies risk through supervised and structural signals, and interprets results through language-based reasoning, remains valid across application domains.

7. Limitations and Future Work

As with any activity-driven framework, the effectiveness of ActivityRDI depends on the quality and coverage of the observed activity data. In environments where activity logs are sparse or highly noisy, graph similarity measures may be less stable, and LLM-based interpretations may require additional validation. These limitations suggest directions for future work on robustness and adaptive calibration, rather than fundamental constraints of the proposed framework.
Furthermore, the CERT Insider Threat Test Dataset used in the paper consists of synthetic data, which may not capture all characteristics of realistic, real-world data owing to privacy regulations and the subtlety of malicious actions by authorized users. It is a well-known challenge to collect suitable real-world threat data of good quality for the research and development of threat detection [54]. To show the performance of the proposed solution on real-world data, we have extended the proposed solution to applications in other domains where the data are easier to capture, such as customer engagement, as illustrated in Section 5 (Applications in Other Domains). However, we cannot disclose that dataset in this paper because of business confidentiality. In the future, we would like to apply the proposed solution to additional real-world data.

Author Contributions

Conceptualization, L.Z. and Q.Z.; methodology, L.Z. and Q.Z.; software, L.Z.; validation, L.Z. and Q.Z.; formal analysis, L.Z.; investigation, L.Z. and Q.Z.; resources, Q.Z. and L.Z.; data curation, L.Z.; writing—original draft preparation, L.Z.; writing—review and editing, Q.Z.; visualization, L.Z. and Q.Z.; supervision, Q.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The original data presented in the study are openly available in “Insider Threat Test Dataset”, at https://doi.org/10.1184/R1/12841247.v1 (accessed on 7 March 2026).

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Llinas, J.; Scrofani, J. Foundational Technologies for Activity-Based Intelligence—A Review of the Literature; Naval Postgraduate School: Monterey, CA, USA, 2014.
  2. Biltgen, P.; Ryan, S. Activity-Based Intelligence: Principles and Applications; Artech House: London, UK, 2016.
  3. Lawrence, J.L. Activity-Based Intelligence: Coping with the “Unknown Unknowns” in Complex and Chaotic Environments. Am. Intell. J. 2016, 33, 17–25.
  4. Maksimov, N.; Klimov, V. Natural and Artificial Intelligence: An Activity-Based Approach. In Proceedings of the Biologically Inspired Cognitive Architectures Meeting; Springer: Berlin/Heidelberg, Germany, 2023; pp. 553–565.
  5. FBI. Internet Crime Report 2023. 2024. Available online: https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf (accessed on 1 November 2024).
  6. CISA. Cyber Incident Response to Public Safety Answering Points: A State’s Perspective. 2023. Available online: https://www.cisa.gov/sites/default/files/publications/22_0414_cyber_incident_case_studies_state_final_508c.pdf (accessed on 1 November 2024).
  7. Zhu, Q.; Fung, C.; Boutaba, R.; Basar, T. GUIDEX: A game-theoretic incentive-based mechanism for intrusion detection networks. IEEE J. Sel. Areas Commun. 2012, 30, 2220–2230.
  8. Zhu, Q. Foundations of cyber resilience: The confluence of game, control, and learning theories. arXiv 2024, arXiv:2404.01205.
  9. Hogan, A.; Blomqvist, E.; Cochez, M.; d’Amato, C.; de Melo, G.; Gutiérrez, C.; Neumaier, S.; Polleres, A.; Schurr, A.; Sequeda, J. Knowledge Graphs. ACM Comput. Surv. 2021, 54, 71:1–71:37.
  10. Ma, X.; Wu, J.; Xue, S.; Yang, J.; Zhou, C.; Sheng, Q.Z.; Xiong, H.; Akoglu, L. A comprehensive survey on graph anomaly detection with deep learning. IEEE Trans. Knowl. Data Eng. 2021, 35, 12012–12038.
  11. Janev, V.; Graux, D.; Jabeen, H.; Sallinger, E. Knowledge Graphs and Big Data Processing; Springer Nature: Cham, Switzerland, 2020.
  12. Zhou, H.; Shen, T.; Liu, X.; Zhang, Y.; Guo, P.; Zhang, J. Survey of knowledge graph approaches and applications. J. Artif. Intell. 2020, 2, 89–101.
  13. Huang, H.; Chen, Y.; Lou, B.; Hongzhou, Z.; Wu, J.; Yan, K. Constructing knowledge graph from big data of smart grids. In Proceedings of the 2019 10th International Conference on Information Technology in Medicine and Education (ITME); IEEE: New York, NY, USA, 2019; pp. 637–641.
  14. Zhao, Q.; Liu, J.; Sullivan, N.; Chang, K.; Spina, J.; Blasch, E.; Chen, G. Anomaly detection of unstructured big data via semantic analysis and dynamic knowledge graph construction. In Proceedings of the Signal Processing, Sensor/Information Fusion, and Target Recognition XXX; SPIE: Boston, MA, USA, 2021; Volume 11756, pp. 126–142.
  15. Zhang, L.; Priestley, J.; DeMaio, J.; Ni, S.; Tian, X. Measuring customer similarity and identifying cross-selling products by community detection. Big Data 2021, 9, 132–143.
  16. Ren, Y.; Xiao, Y.; Zhou, Y.; Zhang, Z.; Tian, Z. CSKG4APT: A cybersecurity knowledge graph for advanced persistent threat organization attribution. IEEE Trans. Knowl. Data Eng. 2022, 35, 5695–5709.
  17. Chen, T.; Dong, C.; Lv, M.; Song, Q.; Liu, H.; Zhu, T.; Xu, K.; Chen, L.; Ji, S.; Fan, Y. Apt-kgl: An intelligent apt detection system based on threat knowledge and heterogeneous provenance graph learning. In IEEE Transactions on Dependable and Secure Computing; IEEE: New York, NY, USA, 2022.
  18. Sui, Y.; Zhang, Y.; Sun, J.; Xu, T.; Zhang, S.; Li, Z.; Sun, Y.; Guo, F.; Shen, J.; Zhang, Y.; et al. Logkg: Log failure diagnosis through knowledge graph. IEEE Trans. Serv. Comput. 2023, 16, 3493–3507.
  19. Sikos, L.F. Cybersecurity knowledge graphs. Knowl. Inf. Syst. 2023, 65, 3511–3531.
  20. Rastogi, N.; Dutta, S.; Christian, R.; Gridley, J.; Zaki, M.; Gittens, A.; Aggarwal, C. Predicting malware threat intelligence using KGs. arXiv 2021, arXiv:2102.05571.
  21. Wang, P.; Zhang, Y.; Zhou, Z.; Wang, Y. SC-LKM: A Semantic Chunking and Large Language Model-Based Cybersecurity Knowledge Graph Construction Method. Electronics 2025, 14, 2878.
  22. Chen, Z.; Yan, Q.; Han, H.; Wang, S.; Peng, L.; Wang, L.; Yang, B. Machine learning based mobile malware detection using highly imbalanced network traffic. Inf. Sci. 2018, 433, 346–364.
  23. He, H.; Ma, Y. Imbalanced Learning: Foundations, Algorithms, and Applications; Wiley-IEEE Press: Hoboken, NJ, USA, 2013.
  24. Zhang, L.; Geisler, T.; Ray, H.; Xie, Y. Improving logistic regression on the imbalanced data by a novel penalized log-likelihood function. J. Appl. Stat. 2022, 49, 3257–3277.
  25. Zhang, L.; Ray, H.; Priestley, J.; Tan, S. A descriptive study of variable discretization and cost-sensitive logistic regression on imbalanced credit data. J. Appl. Stat. 2020, 47, 568–581.
  26. Zhang, L. A Novel Penalized Log-likelihood Function for Class Imbalance Problem. Ph.D. Thesis, Kennesaw State University, Marietta, GA, USA, 2020.
  27. Wu, C.; Zeng, Z.; Yang, Y.; Chen, M.; Peng, X.; Liu, S. Task-driven cleaning and pruning of noisy knowledge graph. Inf. Sci. 2023, 646, 119406.
  28. Chong, Y.; Ding, Y.; Yan, Q.; Pan, S. Graph-based semi-supervised learning: A review. Neurocomputing 2020, 408, 216–230.
  29. Jarnac, L.; Couceiro, M.; Monnin, P. Relevant entity selection: Knowledge graph bootstrapping via zero-shot analogical pruning. In Proceedings of the 32nd ACM International Conference on Information and Knowledge Management; Association for Computing Machinery: New York, NY, USA, 2023; pp. 934–944.
  30. Min, B.; Ross, H.; Sulem, E.; Veyseh, A.P.B.; Nguyen, T.H.; Sainz, O.; Agirre, E.; Heintz, I.; Roth, D. Recent advances in natural language processing via large pre-trained language models: A survey. ACM Comput. Surv. 2023, 56, 1–40.
  31. Brown, T.B.; Mann, B.; Ryder, N.; Subbiah, M.; Kaplan, J.; Dhariwal, P.; Neelakantan, A.; Shyam, P.; Sastry, G.; Askell, A.; et al. Language Models are Few-Shot Learners. Openai Tech. Rep. 2020, 33, 1877–1901.
  32. OpenAI; Achiam, J.; Adler, S.; Agarwal, S.; Ahmad, L.; Akkaya, I.; Aleman, F.L.; Almeida, D.; Altenschmidt, J.; Altman, S.; et al. GPT-4 Technical Report. arXiv 2023, arXiv:2303.08774.
  33. Zhao, W.X.; Zhou, K.; Li, J.; Tang, T.; Wang, X.; Hou, Y.; Min, Y.; Zhang, B.; Zhang, J.; Dong, Z.; et al. A survey of large language models. arXiv 2023, arXiv:2303.18223.
  34. Guastalla, M.; Li, Y.; Hekmati, A.; Krishnamachari, B. Application of large language models to ddos attack detection. In Proceedings of the International Conference on Security and Privacy in Cyber-Physical Systems and Smart Vehicles; Springer: Berlin/Heidelberg, Germany, 2023; pp. 83–99.
  35. Steck, H.; Ekanadham, C.; Kallus, N. Is cosine-similarity of embeddings really about similarity? In Companion Proceedings of the ACM Web Conference 2024; Association for Computing Machinery: New York, NY, USA, 2024; pp. 887–890.
  36. Park, J.S.; O’Brien, J.; Cai, C.J.; Morris, M.R.; Liang, P.; Bernstein, M.S. Generative agents: Interactive simulacra of human behavior. In Proceedings of the 36th Annual Acm Symposium on User Interface Software and Technology; Association for Computing Machinery: New York, NY, USA, 2023; pp. 1–22.
  37. Ni, B.; Buehler, M.J. MechAgents: Large language model multi-agent collaborations can solve mechanics problems, generate new data, and integrate knowledge. Extrem. Mech. Lett. 2024, 67, 102131.
  38. Talebirad, Y.; Nadiri, A. Multi-agent collaboration: Harnessing the power of intelligent llm agents. arXiv 2023, arXiv:2306.03314.
  39. Kalyuzhnaya, A.; Mityagin, S.; Lutsenko, E.; Getmanov, A.; Aksenkin, Y.; Fatkhiev, K.; Fedorin, K.; Nikitin, N.O.; Chichkova, N.; Vorona, V.; et al. LLM Agents for Smart City Management: Enhancing Decision Support Through Multi-Agent AI Systems. Smart Cities 2025, 8, 19.
  40. Akoglu, L.; Tong, H.; Koutra, D. Graph-based anomaly detection and description: A survey. Data Min. Knowl. Discov. 2015, 29, 626–688.
  41. Paracha, M.A.; Jamil, S.U.; Shahzad, K.; Khan, M.A.; Rasheed, A. Leveraging ai for network threat detection—a conceptual overview. Electronics 2024, 13, 4611.
  42. Hasan, K.; Hossain, F.; Amin, A.; Sutradhar, Y.; Jeny, I.J.; Mahmud, S. Enhancing proactive cyber defense: A theoretical framework for AI-driven predictive cyber threat intelligence. J. Technol. Inf. Commun. 2025, 5, 33122.
  43. Akuthota, U.C.; Bhargava, L. Transformer-based intrusion detection for IoT networks. IEEE Internet Things J. 2025, 12, 6062–6067.
  44. Adjewa, F.; Esseghir, M.; Merghem-Boulahia, L.; Kacfah, C. Llm-based continuous intrusion detection framework for next-gen networks. In Proceedings of the 2025 International Wireless Communications and Mobile Computing (IWCMC); IEEE: New York, NY, USA, 2025; pp. 1198–1203.
  45. Khan, W.A. Balanced weighted extreme learning machine for imbalance learning of credit default risk and manufacturing productivity. Ann. Oper. Res. 2025, 348, 833–861.
  46. Sharma, S.; Gosain, A. Addressing class imbalance in remote sensing using deep learning approaches: A systematic literature review. Evol. Intell. 2025, 18, 23.
  47. Razali, M.N.; Arbaiy, N.; Lin, P.C.; Ismail, S. Optimizing multiclass classification using convolutional neural networks with class weights and early stopping for imbalanced datasets. Electronics 2025, 14, 705.
  48. Altalhan, M.; Algarni, A.; Alouane, M.T.H. Imbalanced data problem in machine learning: A review. IEEE Access 2025, 13, 13686–13699.
  49. Trillo, J.R.; González-López, F.; Morente-Molinera, J.A.; Magán-Carrión, R.; García-Sánchez, P. Evaluation of Explainable, Interpretable and Non-Interpretable Algorithms for Cyber Threat Detection. Electronics 2025, 14, 3073.
  50. Balasubramanian, P.; Liyana, S.; Sankaran, H.; Sivaramakrishnan, S.; Pusuluri, S.; Pirttikangas, S.; Peltonen, E. Generative AI for cyber threat intelligence: Applications, challenges, and analysis of real-world case studies. Artif. Intell. Rev. 2025, 58, 336.
  51. Xing, T.; Chen, F.; Liu, X.; Li, T.; Wang, J.; Zhang, K.; Bian, L.; Hou, M. Knowledge Weighted Method for Enabling Language Representation. In Proceedings of the 2025 IEEE 7th International Conference on Civil Aviation Safety and Information Technology (ICCASIT); IEEE: New York, NY, USA, 2025; pp. 412–417.
  52. Wang, L.; Huang, W.; Zhang, M.; Pan, S.; Chang, X.; Su, S.W. Pruning graph neural networks by evaluating edge properties. Knowl.-Based Syst. 2022, 256, 109847.
  53. Lindauer, B. Insider Threat Test Dataset. 2020. Available online: https://kilthub.cmu.edu/articles/dataset/Insider_Threat_Test_Dataset/12841247/1 (accessed on 1 November 2024).
  54. Glasser, J.; Lindauer, B. Bridging the gap: A pragmatic approach to generating insider threat data. In Proceedings of the 2013 IEEE Security and Privacy Workshops; IEEE: New York, NY, USA, 2013; pp. 98–104.
  55. Zhang, L. Implementaion of a Novel Penalized Log-likelihood Function fo Class Imbalance Problem. 2019. Available online: https://github.com/Lili-Updating/novel_penalized_log-likelihood_function/blob/main/LogisticRegressionWithLearnableLocalWeights.py (accessed on 1 November 2019).
Figure 1. LLM question-answering process.
Figure 2. Multi-agent AI framework of network threat detection.
Figure 3. ActivityRDI: an LLM-based knowledge graph retriever and interpreter.
Figure 4. User activity knowledge graph schema.
Figure 5. User CSC0217 activity graph and change score.
Figure 6. User activity knowledge graph schema extended with content texts.
Figure 7. Application demonstration data workflow.
Figure 8. Application demonstration results.
Table 1. Summary of Novelties of Proposed Methodology.

| Novelty | Existing Solutions | Proposed Solution |
| --- | --- | --- |
| Detect the known threats and unknown threats at the same time | The detection of known threats and the detection of unknown threats are studied separately in existing solutions [41,42,43,44]. | Our solution integrates the detection of known threats and unknown threats through a knowledge graph, imbalanced learning, and an LLM agent simultaneously. |
| Handle the extreme imbalance of known threat detection | The penalty weights are determined heuristically in existing solutions [45,46,47,48]. | The penalty weights are determined algorithmically and learned from data in our solution based on our previous research. |
| Interpret unknown threats that are detected | The interpretation of unknown threats is rarely discussed in existing solutions [49,50]. | Our solution detects activity changes through activity graphs and interprets changes using an LLM agent. |
| Prune and weight a large activity graph in a practically efficient and effective way | The pruning and weighting are performed heuristically in existing solutions [51,52]. | Our solution algorithmically determines the weights of nodes according to their corresponding variable importance from the imbalanced learning model. |
Table 2. CERT Insider Threat Test Dataset files and fields.

| File Name | Field Names |
| --- | --- |
| logon | id, datetime, user, pc, activity |
| device | id, datetime, user, pc, content, activity |
| email | id, datetime, user, pc, to, cc, from, activity, size, att, content |
| http | id, datetime, user, pc, url, content |
| file access | id, datetime, user, pc, url, activity, to, from, content |
| psychometric | name, email, role, project, dept, team, sup |
| answers (label) | scenario, start_datetime, end_datetime |
Table 3. Model performance.

| Performance Metric | Model 1 | Model 2 |
| --- | --- | --- |
| % captured true threats at top 3% predicted risky logons among all true threats (gain) | 56% | 60% |
| % captured true threats at top 30% predicted risky logons among all true threats (gain) | 95% | 98% |
| Area under precision–recall curve | 0.186 | 0.204 |

Share and Cite

MDPI and ACS Style

Zhang, L.; Zhu, Q. ActivityRDI: A Centralized Solution Framework for Activity Retrieval and Detection Intelligence Based on Knowledge Graphs, Large Language Models, and Imbalanced Learning. Mach. Learn. Knowl. Extr. 2026, 8, 75. https://doi.org/10.3390/make8030075
