AlertStar: Advanced Alert Prediction on Hyper-Relational Graphs

AlertStar: Path-Aware Alert Prediction on Hyper-Relational Knowledge Graphs

Source: arXiv:2604.03104v1 (announce type: cross)

Abstract: Cyber-attacks continue to grow in scale and sophistication, yet existing network intrusion detection approaches lack the semantic depth required for path reasoning over attacker-victim interactions. We address this by first modelling network alerts as a knowledge graph, then formulating hyper-relational alert prediction as a hyper-relational knowledge graph completion (HR-KGC) problem. Each network alert is represented as a qualified statement (h, r, t, Q), where h and t are the source and destination IPs, r denotes the attack type, and Q encodes flow-level metadata such as timestamps, ports, protocols, and attack intensity. This goes beyond the standard KGC binary triple (h, r, t), which would discard that contextual richness.

Introduction

The increasing sophistication of cyber-attacks makes it imperative for organizations to adopt advanced detection mechanisms. Traditional network intrusion detection systems (NIDS) often fall short in providing the semantic insights necessary to understand the intricate relationships between attackers and victims. This article discusses a novel approach to enhance alert prediction through the use of hyper-relational knowledge graphs.

Modeling Network Alerts

To adequately capture the complexities of network alerts, we represent them as a knowledge graph. This representation allows for a more nuanced understanding of each alert by incorporating various elements:

  • Source IP (h): Represents the origin of the attack.
  • Destination IP (t): Indicates the target of the attack.
  • Attack Type (r): Describes the nature of the attack.
  • Qualifier (Q): Encodes additional flow-level metadata such as timestamps, ports, protocols, and attack intensity.

This rich context enables better reasoning capabilities beyond standard binary representations.

Key Contributions

We introduce five models across three primary contributions:

  • Hyper-relational Neural Bellman-Ford (HR-NBFNet): This model extends Neural Bellman-Ford Networks to accommodate hyper-relational structures, allowing for qualifier-aware multi-hop path reasoning. Its multi-task variant, MT-HR-NBFNet, enhances efficiency by jointly predicting tail, relation, and qualifier-value in a single traversal.
  • AlertStar: This innovative model fuses qualifier context with structural path information directly in the embedding space using cross-attention and learned path composition. The multi-task extension, MT-AlertStar, further streamlines operations by removing the need for full knowledge graph propagation.
  • HR-NBFNet-CQ: This model extends qualifier-aware representations to enable the answering of complex first-order logic queries, including multi-condition threat reasoning that addresses various scenarios in the alert knowledge graph.
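The qualified-statement representation from the Modeling section, and the qualifier-aware multi-hop path reasoning the models above are built for, as an added Python example. This is not code from the paper or from AlertStar; it is a plain data structure plus an exhaustive path enumeration, not a learned model. The `Alert` class, `AlertKG` and the six sample alerts are all constructed here for illustration, and the IPs, timestamps and attack-type labels are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Q is stored as a sorted tuple of (key, value) pairs so an Alert is hashable and
# two alerts that differ only in their qualifiers remain distinct statements.
Qualifier = Tuple[Tuple[str, object], ...]


@dataclass(frozen=True)
class Alert:
    """One qualified statement (h, r, t, Q)."""
    h: str          # source IP
    r: str          # attack type
    t: str          # destination IP
    Q: Qualifier    # flow-level metadata: timestamp, port, protocol, intensity, ...

    def q(self, key: str, default=None):
        return dict(self.Q).get(key, default)

    def triple(self) -> Tuple[str, str, str]:
        """The binary-triple view a plain (h, r, t) KGC model would keep; Q is dropped."""
        return (self.h, self.r, self.t)


def make_alert(h: str, r: str, t: str, **qualifiers) -> Alert:
    return Alert(h, r, t, tuple(sorted(qualifiers.items())))


# Constructed sample alerts (hypothetical; not taken from Warden or UNSW-NB15):
# an external host scans and brute-forces an internal server, that server moves
# laterally, and the second host exfiltrates. One out-of-order scan is included.
SAMPLE_ALERTS: List[Alert] = [
    make_alert("10.0.0.5", "scan", "192.168.1.10", ts=100, dport=22, proto="tcp", intensity="low"),
    make_alert("10.0.0.5", "brute_force", "192.168.1.10", ts=200, dport=22, proto="tcp", intensity="high"),
    make_alert("10.0.0.5", "brute_force", "192.168.1.10", ts=260, dport=22, proto="tcp", intensity="medium"),
    make_alert("192.168.1.10", "lateral_move", "192.168.1.20", ts=300, dport=445, proto="tcp", intensity="medium"),
    make_alert("192.168.1.20", "exfil", "203.0.113.7", ts=400, dport=443, proto="tcp", intensity="high"),
    make_alert("192.168.1.10", "scan", "192.168.1.20", ts=40, dport=445, proto="tcp", intensity="low"),
]


class AlertKG:
    """Hyper-relational alert knowledge graph with an outgoing-edge index per source IP."""

    def __init__(self, alerts: List[Alert]):
        self.statements = list(alerts)
        self.out: Dict[str, List[Alert]] = defaultdict(list)
        for s in self.statements:
            self.out[s.h].append(s)

    def distinct_triples(self) -> Set[Tuple[str, str, str]]:
        """What survives if every alert is flattened to a binary triple."""
        return {s.triple() for s in self.statements}

    def paths(self, src: str, dst: str, max_hops: int = 3) -> List[List[Alert]]:
        """Qualifier-aware multi-hop paths from src to dst.

        A hop is followed only if its timestamp is no earlier than the previous
        hop's, so each path is a time-consistent attacker-victim chain, and no IP
        is revisited. A purely structural traversal would ignore the ts qualifier.
        """
        found: List[List[Alert]] = []

        def walk(node: str, path: List[Alert], visited: Set[str], last_ts) -> None:
            if node == dst and path:
                found.append(list(path))
                return
            if len(path) == max_hops:
                return
            for s in self.out.get(node, []):
                if s.q("ts", float("-inf")) < last_ts or s.t in visited:
                    continue
                path.append(s)
                walk(s.t, path, visited | {s.t}, s.q("ts"))
                path.pop()

        walk(src, [], {src}, float("-inf"))
        return found


def describe(path: List[Alert]) -> str:
    """Render a path as 'h -[r@ts]-> t -[r@ts]-> t'."""
    text = path[0].h
    for s in path:
        text += f" -[{s.r}@{s.q('ts')}]-> {s.t}"
    return text


if __name__ == "__main__":
    kg = AlertKG(SAMPLE_ALERTS)
    print(len(kg.statements), "qualified statements collapse to",
          len(kg.distinct_triples()), "binary triples")
    for p in kg.paths("10.0.0.5", "203.0.113.7"):
        print(describe(p))
```

Two things the run makes visible: the two brute-force alerts that differ only in Q collapse into one binary triple, which is exactly the information loss the abstract warns about, and the scan from 192.168.1.10 at ts=40 is never chained after the external host's activity at ts=100 or later, so the timestamp qualifier prunes a path that a triple-only traversal would report.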

Evaluation and Results

The models were evaluated inductively on the Warden and UNSW-NB15 benchmarks across three different qualifier-density regimes. The results showed that both AlertStar and MT-AlertStar achieved superior metrics in Mean Rank (MR), Mean Reciprocal Rank (MRR), and Hits@k. These findings indicate that local qualifier fusion is not only sufficient but also more efficient than traditional global path propagation methods for hyper-relational alert prediction.
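The three metrics named above (MR, MRR and Hits@k), computed from scored candidate lists, as an added Python example. This is not the paper's evaluation code; it assumes the standard knowledge-graph-completion definitions of the metrics, resolves score ties pessimistically, and supports the usual "filtered" setting in which other known-correct answers for the same query are removed before ranking. The `rank_of`, `ranking_metrics` and `evaluate` functions and the four sample queries are constructed here for illustration.

```python
from typing import Dict, Hashable, Iterable, List, Optional, Set, Tuple

Scores = Dict[Hashable, float]


def rank_of(scores: Scores, true_answer: Hashable,
            known_true: Optional[Set[Hashable]] = None) -> int:
    """1-based rank of true_answer among the scored candidates.

    Ties are resolved pessimistically: a candidate with the same score as the
    true answer counts as ranked ahead of it, so a model that scores everything
    equally gets no credit. If known_true is given, the other correct answers
    for this query are ignored before ranking (the filtered setting), so the
    model is not penalised for ranking another true answer above this one.
    """
    if true_answer not in scores:
        raise KeyError(f"true answer {true_answer!r} was not scored")
    target = scores[true_answer]
    ignore = set(known_true or ()) - {true_answer}
    ahead = sum(
        1 for cand, sc in scores.items()
        if cand != true_answer and cand not in ignore and sc >= target
    )
    return 1 + ahead


def ranking_metrics(ranks: Iterable[int], ks: Tuple[int, ...] = (1, 3, 10)) -> Dict[str, float]:
    """MR, MRR and Hits@k over a list of per-query ranks."""
    ranks = list(ranks)
    if not ranks:
        raise ValueError("no ranks to evaluate")
    n = len(ranks)
    out = {
        "MR": sum(ranks) / n,                       # lower is better
        "MRR": sum(1.0 / r for r in ranks) / n,     # higher is better, in (0, 1]
    }
    for k in ks:
        out[f"Hits@{k}"] = sum(1 for r in ranks if r <= k) / n
    return out


# Constructed queries (hypothetical): each is (candidate scores, true tail, other
# known-true tails or None). Think of the candidates as possible destination IPs
# scored for one (h, r, ?, Q) query.
SAMPLE_QUERIES = [
    ({"A": 0.9, "B": 0.7, "C": 0.1, "D": 0.05}, "A", None),   # rank 1
    ({"A": 0.5, "B": 0.8, "C": 0.3, "D": 0.2}, "A", None),    # rank 2
    ({"A": 0.1, "B": 0.2, "C": 0.3, "D": 0.4}, "A", None),    # rank 4
    ({"A": 0.4, "B": 0.4, "C": 0.1, "D": 0.0}, "A", None),    # rank 2: tie with B counts against us
]


def evaluate(queries) -> Tuple[List[int], Dict[str, float]]:
    ranks = [rank_of(scores, true, known) for scores, true, known in queries]
    return ranks, ranking_metrics(ranks)


if __name__ == "__main__":
    ranks, metrics = evaluate(SAMPLE_QUERIES)
    print("ranks:", ranks)
    for name, value in metrics.items():
        print(f"{name}: {value:.4f}")
```

When comparing models on these numbers, keep the tie rule and the raw/filtered choice fixed across all of them; either one changes MR and Hits@1 enough to reorder a leaderboard, which is why a reported improvement is only meaningful alongside the protocol it was measured under.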

Conclusion

The advances presented in AlertStar and its variants are a substantial step forward for cyber threat detection. By exploiting hyper-relational knowledge graphs, these models offer a promising approach to the challenges posed by increasingly sophisticated cyber threats.

Author: Lazarus Omolua (https://richlyai.com/blog)