CRAILG
May 18, 2021

Machine learning on knowledge graphs for context-aware security monitoring

arXiv:2105.08741v1 (22 citations)
Originality: Synthesis-oriented
AI Analysis

This paper addresses alert overload in cybersecurity monitoring, particularly for industrial systems, but appears incremental, as it builds on existing knowledge graph and link-prediction techniques.

The paper tackles the problem of generating too many irrelevant alerts in intrusion detection by applying machine learning on knowledge graphs, resulting in a method that produces well-calibrated and interpretable alerts for industrial systems.

Machine learning techniques are gaining attention in the context of intrusion detection due to the increasing amounts of data generated by monitoring tools, as well as the sophistication displayed by attackers in hiding their activity. However, existing methods often exhibit important limitations in terms of the quantity and relevance of the generated alerts. Recently, knowledge graphs are finding application in the cybersecurity domain, showing the potential to alleviate some of these drawbacks thanks to their ability to seamlessly integrate data from multiple domains using human-understandable vocabularies. We discuss the application of machine learning on knowledge graphs for intrusion detection and experimentally evaluate a link-prediction method for scoring anomalous activity in industrial systems. After initial unsupervised training, the proposed method is shown to produce intuitively well-calibrated and interpretable alerts in a diverse range of scenarios, hinting at the potential benefits of relational machine learning on knowledge graphs for intrusion detection purposes.

Code Implementations: 1 repo
Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
