Knogin
[Developers]

Neural Event Prediction

An analyst reviewing an entity profile asks a straightforward operational question: when is this entity likely to appear in intelligence again? Answering that question with a fixed date threshold or a generic activity la

Back to All Modules
Category: ModulesLast Updated: Apr 14, 2026
modulesai

Overview#

An analyst reviewing an entity profile asks a straightforward operational question: when is this entity likely to appear in intelligence again? Answering that question with a fixed date threshold or a generic activity label is imprecise. The cadence of entity activity carries its own statistical structure: some entities surface in bursts, others at regular intervals, others sporadically after long silences. A Temporal Point Process model captures that structure directly and converts it into a calibrated probability distribution over future event times.

The Neural Event Prediction module applies a Self-Attentive Hawkes Process (SAHP) to each entity's timestamped event history, learning how past events excite or suppress future activity. The trained model produces three outputs used directly in analyst workflows: expected days until the next event, probability of activity within 14 days, and a full 30-day conditional intensity profile for visualisation. When a trained model is not available or the entity has fewer than 20 observed events, the module falls back automatically to an exponential inter-arrival estimator derived from the EWMA temporal scoring baseline.

Last Reviewed: 2026-04-14 Last Updated: 2026-04-14

Key Features#

  • SAHP Neural Hawkes Process: The prediction engine uses the Self-Attentive Hawkes Process (Zhang et al. 2020, ICML), which replaces the fixed exponential kernel of classical Hawkes processes with a self-attention mechanism. This allows the model to learn long-range temporal dependencies between events and to capture non-stationary activity patterns that simple decay models miss.

  • Calibrated Probability Outputs: The model produces probability estimates for activity within 7, 14, and 30 days, alongside an expected inter-arrival time in days. These outputs are displayed in the the event prediction indicator alongside the existing the temporal score indicator, giving analysts a forward-looking complement to the backward-looking decay score.

  • 30-Day Intensity Profile: The conditional intensity function lambda(t) is sampled at each day over a configurable horizon and returned as an an intensity profile for visualisation. This lets analysts see predicted activity peaks and troughs rather than a single point estimate, supporting temporal targeting and surveillance prioritisation.

  • Graceful Cold-Start Fallback: When an entity has fewer than 20 observed events, or when the neural training stack is unavailable, the module falls back to an exponential inter-arrival estimator derived from the empirical mean gap between events. The badge indicates fallback state clearly so analysts know the confidence level of the estimate.

  • Organisation-Scoped Inference: All event history queries and model training jobs are scoped strictly by organisation_id. Trained model artefacts in R2 are stored under org-specific paths and retrieved only for the requesting user's organisation. Cross-tenant data leakage is prevented at the database, model registry, and GraphQL layers.

  • Background Training, Fast Inference: Model training runs as a background job and writes the artefact to Cloudflare R2 via the the model registry's three-tier cache (memory, disk, and object storage). Inference at query time loads from the memory or disk cache and completes in well under 100 milliseconds for a typical entity history, introducing no perceptible latency to entity profile views.

Use Cases#

  • Analyst Prioritisation: An analyst asks which entities in a watchlist are most likely to generate new intelligence in the next two weeks. The 14-day probability field surfaces the highest-probability entities for prioritisation without manual review of every activity timeline.
  • Surveillance Resource Allocation: A surveillance coordinator uses the 30-day intensity profile to identify predicted activity peaks for high-value entities and schedule observation windows around those peaks, reducing wasted coverage during predicted quiet periods.
  • Early Warning: An operations officer monitoring a previously dormant entity receives a rising-trend signal from the the temporal score indicator combined with a high 7-day probability from the the event prediction indicator, triggering a review of recent collection before the predicted activity window opens.
  • Retrospective Calibration: After an entity reappears in intelligence, analysts can compare the predicted probability from the period before appearance against actual outcomes to assess model accuracy and adjust collection priorities for similar entity profiles.

Integration#

  • Temporal Scoring: The the temporal decay service is augmented directly: when the neural temporal point process service is wired in and an entity has sufficient history, the temporal score record is enriched with prediction_available, predicted_days_until_next, and prob_14d fields at no additional query cost.
  • Entity Profiles: The the event prediction indicator renders alongside the the temporal score indicator in entity profile views, providing a forward-looking prediction next to the backward-looking decay score.
  • GraphQL API: The predictNextEvent and getan intensity profile queries are available via the standard Argus GraphQL endpoint with organisation-scoped access control.
  • Model Registry: Trained SAHP model artefacts are stored in Cloudflare R2 under organisation-scoped paths in object storage, using the existing the model registry's three-tier caching infrastructure.

Open Standards#

  • ISO 8601: International standard for date and time representation; all event timestamps ingested and emitted by the prediction pipeline conform to this format.
  • STIX 2.1 (Structured Threat Intelligence eXpression): OASIS open standard for representing cyber threat and intelligence entities; the entity event histories processed by this module align with STIX observable and sighting object semantics.
  • GraphQL (June 2018 specification): Open specification for API query languages published by the GraphQL Foundation; the predictNextEvent and getIntensityProfile queries are exposed through a conformant GraphQL endpoint.
  • ONNX (Open Neural Network Exchange): Linux Foundation open standard for representing and exchanging machine learning model artefacts; trained model files stored in object storage are portable via ONNX-compatible serialisation formats.
  • W3C PROV-O (Provenance Ontology): W3C recommendation for recording the provenance of data and derived artefacts; model training lineage and inference provenance records follow PROV-O entity-activity-agent semantics.

Ready to Build?

Get started with our APIs or contact our integration team for support.