Computer Engineering & Science ›› 2025, Vol. 47 ›› Issue (1): 86-94.
• Computer Network and Information Security •
LUO Yangxia,LI Hao,WU Chenming
Abstract: In recent years, knowledge graphs have been widely applied in the field of malware analysis, but most scholars have focused on constructing malware API knowledge graphs and using them to detect malicious code. However, the interpretability of API knowledge graphs is relatively weak, and they require a high level of expertise. To address these issues, this paper proposes using a named entity recognition (NER) model to extract text entity information such as malware names and discovery locations, thereby constructing a malware knowledge graph. This graph is then used to discover the diversity, evolution paths, threat methods, and classification associations of malware. Firstly, this paper studies the construction method of a malware knowledge graph, completing data preprocessing, schema layer construction, and data layer construction. Secondly, it identifies and standardizes entities in structured and semi-structured malware data to complete ontology construction (entities, relationships, and additional attributes). Guided by the schema layer, the data layer uses the BERT-BiLSTM-CRF model for knowledge extraction. Finally, the Neo4j graph database is utilized for storing and visualizing the knowledge graph. Simultaneously, the proposed model is validated through simulations using virus database data. Experimental results show that this model outperforms similar models in terms of effectiveness and performance indicators, and it is of great significance for simplifying cybersecurity knowledge and promoting the popularization of defense system knowledge.
Key words: knowledge graph, malware, knowledge extraction
LUO Yangxia, LI Hao, WU Chenming. Construction and research of malware knowledge graph[J]. Computer Engineering & Science, 2025, 47(1): 86-94.
URL: http://joces.nudt.edu.cn/EN/
http://joces.nudt.edu.cn/EN/Y2025/V47/I1/86