A Graph-Based Approach to Alert Contextualisation in Security Operations Centres
- URL: http://arxiv.org/abs/2509.12923v2
- Date: Thu, 18 Sep 2025 08:05:45 GMT
- Title: A Graph-Based Approach to Alert Contextualisation in Security Operations Centres
- Authors: Magnus Wiik Eckhoff, Peter Marius Flydal, Siem Peters, Martin Eian, Jonas Halvorsen, Vasileios Mavroeidis, Gudmund Grov
- Abstract summary: This paper proposes a graph-based approach to enhance alert contextualisation in a SOC by aggregating alerts into graph-based alert groups. By grouping related alerts, we enable analysis at a higher abstraction level, capturing attack steps more effectively than individual alerts. To show that our format is well suited for downstream machine learning methods, we employ Graph Matching Networks (GMNs) to correlate incoming alert groups with historical incidents.
- Score: 0.058633603884542605
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Interpreting the massive volume of security alerts is a significant challenge in Security Operations Centres (SOCs). Effective contextualisation is important, enabling quick distinction between genuine threats and benign activity to prioritise what needs further analysis. This paper proposes a graph-based approach to enhance alert contextualisation in a SOC by aggregating alerts into graph-based alert groups, where nodes represent alerts and edges denote relationships within defined time-windows. By grouping related alerts, we enable analysis at a higher abstraction level, capturing attack steps more effectively than individual alerts. Furthermore, to show that our format is well suited for downstream machine learning methods, we employ Graph Matching Networks (GMNs) to correlate incoming alert groups with historical incidents, providing analysts with additional insights.
Related papers
- AlertBERT: A noise-robust alert grouping framework for simultaneous cyber attacks [3.0540687763044123]
High numbers of security alerts issued by intrusion detection systems lead to alert fatigue among analysts. Time-based alert grouping solutions are unsuitable for large-scale computer networks characterised by high levels of false positive alerts and simultaneously occurring attacks. We propose AlertBERT, a self-language framework designed to group alerts from isolated or concurrent attacks in noisy environments.
arXiv Detail & Related papers (2026-02-06T09:39:47Z)
- DGP: A Dual-Granularity Prompting Framework for Fraud Detection with Graph-Enhanced LLMs [55.13817504780764]
Real-world fraud detection applications benefit from graph learning techniques that jointly exploit node features, often rich in textual data, and graph structural information. Graph-Enhanced LLMs emerge as a promising graph learning approach that converts graph information into prompts. We propose Dual Granularity Prompting (DGP), which mitigates information overload by preserving fine-grained textual details for the target node.
arXiv Detail & Related papers (2025-07-29T10:10:47Z)
- Automated Alert Classification and Triage (AACT): An Intelligent System for the Prioritisation of Cybersecurity Alerts [0.0]
AACT learns from analysts' triage actions on cybersecurity alerts. It accurately predicts triage decisions in real time. This reduces the SOC queue, allowing analysts to focus on the most severe, relevant or ambiguous threats.
arXiv Detail & Related papers (2025-05-14T23:02:32Z)
- Cluster-Aware Attacks on Graph Watermarks [50.19105800063768]
We introduce a cluster-aware threat model in which adversaries apply community-guided modifications to evade detection. Our results show that cluster-aware attacks can reduce attribution accuracy by up to 80% more than random baselines. We propose a lightweight embedding enhancement that distributes watermark nodes across graph communities.
arXiv Detail & Related papers (2025-04-24T22:49:28Z)
- Forecasting Attacker Actions using Alert-driven Attack Graphs [1.3812010983144802]
This paper builds an action forecasting capability on top of the alert-driven AG framework for predicting the next likely attacker action. We also modify the framework to build AGs in real time, as new alerts are triggered. This way, we convert alert-driven AGs into an early warning system that enables analysts to circumvent ongoing attacks and break the cyber kill chain.
arXiv Detail & Related papers (2024-08-19T11:04:47Z)
- Carbon Filter: Real-time Alert Triage Using Large Scale Clustering and Fast Search [6.830322979559498]
"Alert fatigue" is one of the biggest challenges faced by the Security Operations Center (SOC) today. We present Carbon Filter, a statistical learning based system that dramatically reduces the number of alerts analysts need to manually review.
arXiv Detail & Related papers (2024-05-07T22:06:24Z)
- Hierarchical and Incremental Structural Entropy Minimization for Unsupervised Social Event Detection [61.87480191351659]
Graph neural network (GNN)-based methods enable a fusion of natural language semantics and the complex social network structural information. In this work, we address social event detection via graph structural entropy (SE) minimization. While keeping the merits of the GNN-based methods, the proposed framework, HISEvent, constructs more informative message graphs.
arXiv Detail & Related papers (2023-12-19T06:28:32Z)
- Critical Path Prioritization Dashboard for Alert-driven Attack Graphs [3.4000567392487127]
This paper proposes a querying and prioritization-enabled visual analytics dashboard for SAGE. We describe the utility of the proposed dashboard using intrusion alerts collected from a distributed multi-stage team-based attack scenario. We find that the dashboard is useful in depicting attacker strategies and attack progression, but can be improved in terms of usability.
arXiv Detail & Related papers (2023-10-19T18:16:04Z)
- Toward Enhanced Robustness in Unsupervised Graph Representation Learning: A Graph Information Bottleneck Perspective [48.01303380298564]
We propose a novel unbiased robust UGRL method called Robust Graph Information Bottleneck (RGIB). Our RGIB attempts to learn robust node representations against adversarial perturbations by preserving the original information in the benign graph while eliminating the adversarial information in the adversarial graph.
arXiv Detail & Related papers (2022-01-21T06:26:50Z)
- SAGE: Intrusion Alert-driven Attack Graph Extractor [4.530678016396476]
Attack graphs (AGs) are used to assess pathways availed by cyber adversaries to penetrate a network. We propose to automatically learn AGs based on actions observed through intrusion alerts, without prior expert knowledge.
arXiv Detail & Related papers (2021-07-06T17:45:02Z)
- Information Obfuscation of Graph Neural Networks [96.8421624921384]
We study the problem of protecting sensitive attributes by information obfuscation when learning with graph structured data. We propose a framework to locally filter out pre-determined sensitive attributes via adversarial training with the total variation and the Wasserstein distance.
arXiv Detail & Related papers (2020-09-28T17:55:04Z)
- Graph Backdoor [53.70971502299977]
We present GTA, the first backdoor attack on graph neural networks (GNNs). GTA departs in significant ways: it defines triggers as specific subgraphs, including both topological structures and descriptive features. It can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks.
arXiv Detail & Related papers (2020-06-21T19:45:30Z)
- Structural Temporal Graph Neural Networks for Anomaly Detection in Dynamic Graphs [54.13919050090926]
We propose an end-to-end structural temporal Graph Neural Network model for detecting anomalous edges in dynamic graphs. In particular, we first extract the $h$-hop enclosing subgraph centered on the target edge and propose the node labeling function to identify the role of each node in the subgraph. Based on the extracted features, we utilize gated recurrent units (GRUs) to capture the temporal information for anomaly detection.
arXiv Detail & Related papers (2020-05-15T09:17:08Z)
This list is automatically generated from the titles and abstracts of the papers in this site.