HyperLAC: Hypergraph-based Large-scale Alert Classification with spatial-temporal context enhancement



Detailed bibliography
Published in: Knowledge-Based Systems, Volume 330; p. 114712
Main authors: Zhang, Shilong, Luo, Zian, Ren, Zehua, Zhu, Yumeng, Zhang, Haichuan, Liu, Yang
Format: Journal Article
Language: English
Published: Elsevier B.V 25.11.2025
ISSN:0950-7051
Online access: Get full text
Description
Summary:

Highlights:
• We propose HyperLAC, a hypergraph-based large-scale alert classification method with spatial-temporal context enhancement.
• We introduce AIHC, an efficient hypergraph clustering algorithm for security event extraction.
• We demonstrate that a feature-centric approach enables lightweight models to achieve state-of-the-art accuracy.
• Experiments on large-scale, real-world datasets validate our method's effectiveness and robustness.

Abstract: Alert fatigue is a persistent problem in security operation centers. Machine learning (ML)-based algorithms are widely adopted to help dispose of alerts automatically. However, security analysts find it difficult to comprehend security events owing to the complicated relationships between alerts. Moreover, the performance of ML-based algorithms relies heavily on large amounts of labeled data, which are hard to obtain in a real network environment. Herein, we propose HyperLAC, a hypergraph-based large-scale alert classification method, to dispose of massive alerts using context-enhanced features. We represent the nonlinear and multivariate relationships between alerts by constructing an alert hypergraph based on the alerts' attribute correlation. Subsequently, we propose an adaptive incremental hypergraph clustering algorithm to efficiently extract potential security events from alert clusters. By enhancing the features of each alert with the spatial-temporal contextual features obtained from security events, we can train an effective alert classifier based on a few lightweight, conventional classifiers. Results from public and real datasets show that HyperLAC can classify massive alerts accurately and cost-effectively.
DOI:10.1016/j.knosys.2025.114712