HyperLAC: Hypergraph-based Large-scale Alert Classification with spatial-temporal context enhancement



Bibliographic Details
Published in: Knowledge-Based Systems, Vol. 330, article 114712
Main Authors: Zhang, Shilong; Luo, Zian; Ren, Zehua; Zhu, Yumeng; Zhang, Haichuan; Liu, Yang
Format: Journal Article
Language: English
Published: Elsevier B.V., 25.11.2025
ISSN:0950-7051
Description
Summary:
•We propose HyperLAC, a hypergraph-based large-scale alert classification method with spatial-temporal context enhancement.
•We introduce AIHC, an efficient hypergraph clustering algorithm for security event extraction.
•We demonstrate that a feature-centric approach enables lightweight models to achieve state-of-the-art accuracy.
•Experiments on large-scale, real-world datasets validate our method's effectiveness and robustness.

Alert fatigue is a persistent problem in security operations centers. Machine learning (ML)-based algorithms are widely adopted to help dispose of alerts automatically. However, security analysts find it difficult to comprehend security events because of the complicated relationships between alerts. Moreover, the performance of ML-based algorithms relies heavily on large amounts of labeled data, which are hard to obtain in a real network environment. Herein, we propose HyperLAC, a hypergraph-based large-scale alert classification method, to dispose of massive numbers of alerts using context-enhanced features. We represent the nonlinear, multivariate relationships between alerts by constructing an alert hypergraph from the correlation of the alerts' attributes. We then propose an adaptive incremental hypergraph clustering algorithm to efficiently extract potential security events from alert clusters. By enhancing each alert's features with the spatial-temporal contextual features obtained from its security event, we can train an effective alert classifier from a few lightweight, conventional classifiers. Results on public and real-world datasets show that HyperLAC classifies massive numbers of alerts accurately and cost-effectively.
DOI:10.1016/j.knosys.2025.114712
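The pipeline the abstract sketches (an alert hypergraph built from attribute correlation, clustering of that hypergraph into candidate security events, and spatial-temporal context features attached to each alert before classification), as an added Python illustration. This is not the authors' code and does not reproduce AIHC: hyperedges here are simply alerts sharing a host or a signature within an assumed 10-minute window, clustering is plain connected components standing in for the paper's adaptive incremental algorithm, and the alert records, window size and `ev_*` feature names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (illustrative only, not from the paper's datasets):
# a scan from 10.0.0.5, an SMB exploit against 10.0.1.22, that host then
# beaconing out, and one unrelated DNS policy alert hours later.
ALERTS = [
    {"id": 0, "ts": "2025-01-01T10:00:00", "src": "10.0.0.5", "dst": "10.0.1.20", "sig": "SCAN Nmap"},
    {"id": 1, "ts": "2025-01-01T10:00:30", "src": "10.0.0.5", "dst": "10.0.1.21", "sig": "SCAN Nmap"},
    {"id": 2, "ts": "2025-01-01T10:02:00", "src": "10.0.0.5", "dst": "10.0.1.22", "sig": "EXPLOIT SMB"},
    {"id": 3, "ts": "2025-01-01T10:03:00", "src": "10.0.1.22", "dst": "203.0.113.9", "sig": "TROJAN C2"},
    {"id": 4, "ts": "2025-01-01T15:00:00", "src": "10.0.0.77", "dst": "10.0.1.50", "sig": "POLICY DNS"},
]

WINDOW_S = 600  # assumed: a shared attribute links alerts only within 10 minutes


def _ts(alert):
    return datetime.fromisoformat(alert["ts"]).timestamp()


def build_hypergraph(alerts, window_s=WINDOW_S):
    """Hyperedges (frozensets of alert ids) from attribute correlation.

    One hyperedge per (attribute, value) pair, split wherever consecutive alerts
    sharing the value are more than window_s apart. Hosts are keyed regardless
    of src/dst role, so a victim that later acts as a source joins the same
    hyperedge. Singleton groups connect nothing and are dropped.
    """
    groups = defaultdict(list)
    for a in alerts:
        for key in {("host", a["src"]), ("host", a["dst"]), ("sig", a["sig"])}:
            groups[key].append(a)
    edges = []
    for members in groups.values():
        members.sort(key=_ts)
        current = [members[0]]
        for prev, nxt in zip(members, members[1:]):
            if _ts(nxt) - _ts(prev) > window_s:
                if len(current) > 1:
                    edges.append(frozenset(x["id"] for x in current))
                current = []
            current.append(nxt)
        if len(current) > 1:
            edges.append(frozenset(x["id"] for x in current))
    return edges


def cluster_events(alerts, edges):
    """Candidate security events = connected components of the hypergraph
    (union-find). Stand-in for AIHC, which the abstract does not detail."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for edge in edges:
        root = find(next(iter(edge)))
        for v in edge:
            parent[find(v)] = root
    events = defaultdict(list)
    for a in alerts:
        events[find(a["id"])].append(a)
    return [sorted(ev, key=_ts) for ev in events.values()]


def enrich(alerts, events):
    """Attach spatial-temporal context from each alert's event (assumed ev_* names)."""
    by_id = {}
    for ev in events:
        t0, t1 = _ts(ev[0]), _ts(ev[-1])
        hosts = {h for a in ev for h in (a["src"], a["dst"])}
        sigs = {a["sig"] for a in ev}
        for rank, a in enumerate(ev):
            by_id[a["id"]] = dict(
                a,
                ev_size=len(ev),          # spatial: alerts in the event
                ev_hosts=len(hosts),      # spatial: distinct hosts touched
                ev_sigs=len(sigs),        # spatial: distinct signatures
                ev_span_s=t1 - t0,        # temporal: event duration
                ev_rank=rank,             # temporal: position within the event
                ev_offset_s=_ts(a) - t0,  # temporal: delay from event start
            )
    return [by_id[a["id"]] for a in alerts]


def feature_vector(enriched_alert):
    """Numeric context vector a lightweight classifier (e.g. a tree) would consume."""
    keys = ("ev_size", "ev_hosts", "ev_sigs", "ev_span_s", "ev_rank", "ev_offset_s")
    return [float(enriched_alert[k]) for k in keys]


def run(alerts=ALERTS, window_s=WINDOW_S):
    events = cluster_events(alerts, build_hypergraph(alerts, window_s))
    return enrich(alerts, events)
```

With the default window the first four alerts fall into one event (the scanner links alerts 0-2, the exploited host links 2 and 3) and the DNS alert stays alone; shrinking the window to 45 s breaks the chain so that only the two scan alerts remain grouped, which shows how strongly the temporal constraint shapes the context an alert receives.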