Graph-Based AI/ML Algorithms for Real-Time Security Event Correlation and Attack Campaign Detection
Keywords:
graph-based learning, knowledge graphs, real-time detection
Abstract
The exponential growth of cybersecurity threats and the increasing sophistication of attack campaigns necessitate the development of advanced methodologies for detecting and mitigating malicious activities in real time. Traditional intrusion detection systems and security information and event management (SIEM) tools often fall short in effectively correlating distributed security events, particularly in the context of coordinated, multi-vector attack chains. This paper explores the application of graph-based artificial intelligence (AI) and machine learning (ML) algorithms, combined with knowledge graphs, as a transformative approach to real-time security event correlation and attack campaign detection.
Graph-based learning models, inherently capable of representing and analyzing relationships in complex datasets, offer significant advantages in identifying hidden patterns, dependencies, and anomalies across distributed security events. Knowledge graphs, on the other hand, provide a robust framework for integrating disparate sources of information, enabling the establishment of contextual relationships between entities such as IP addresses, user accounts, and system events. This synergistic application of graph-based AI/ML and knowledge graphs facilitates the construction of a comprehensive security ontology, thereby enhancing the accuracy and efficiency of event correlation and attack detection.
The study emphasizes the deployment of graph neural networks (GNNs), community detection algorithms, and graph-based clustering techniques as core components of advanced security analytics. Practical implementations leveraging tools like Splunk AI and Elastic Security are discussed, highlighting their capabilities in ingesting, processing, and visualizing graph-structured data for actionable insights. Specifically, Splunk AI's ability to integrate machine learning pipelines with graph analytics and Elastic Security's scalability in handling large volumes of graph data are demonstrated as pivotal in addressing real-world cybersecurity challenges.
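The correlation idea in the two paragraphs above, as an added example that is not code from the paper and does not use Splunk AI or Elastic Security: discrete security events are linked through the entities they share (IP addresses, user accounts, hosts) into one entity graph, the graph is grouped into communities (here the simplest community structure, connected components inside a correlation window), and each community is scored for campaign-like structure: one source address used by several accounts, a logon chain that pivots through hosts, and an outbound transfer to an address outside the organisation's ranges. Every event, host, address and range below is constructed; the `HOST_IPS` inventory and `INTERNAL_NETS` list stand in for data a deployment would take from a CMDB.

```python
"""Entity-graph correlation of security events (added example, constructed data)."""
from collections import defaultdict, deque
import ipaddress

# Constructed events: (time_s, type, user, src_ip, destination, bytes_out).
# The destination is a host name or, for transfers, an IP address.
SAMPLE_EVENTS = [
    (0,    "logon",    "alice",      "10.0.0.5",  "host-a",      0),
    (60,   "logon",    "svc-backup", "10.0.0.5",  "host-b",      0),
    (180,  "logon",    "svc-backup", "10.0.1.7",  "host-c",      0),
    (300,  "transfer", "svc-backup", "10.0.1.9",  "203.0.113.9", 5_000_000),
    (90,   "logon",    "bob",        "10.0.0.20", "host-d",      0),
    (7200, "logon",    "carol",      "10.0.0.30", "host-e",      0),
]
# Constructed asset inventory (host -> address it initiates traffic from)
# and the organisation's internal ranges (assumed, would come from a CMDB).
HOST_IPS = {"host-a": "10.0.0.6", "host-b": "10.0.1.7", "host-c": "10.0.1.9",
            "host-d": "10.0.0.21", "host-e": "10.0.0.31"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr, internal_nets=INTERNAL_NETS):
    """True for addresses inside the organisation's ranges; host names count as internal assets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in internal_nets)


def entity(dst):
    """Type a destination as an IP node or a host node."""
    try:
        ipaddress.ip_address(dst)
        return f"ip:{dst}"
    except ValueError:
        return f"host:{dst}"


def build_entity_graph(events, host_ips=HOST_IPS):
    """events: {index: event}. Returns (adjacency, node -> indices of events touching it)."""
    adj, node_events = defaultdict(set), defaultdict(set)

    def link(a, b, idx):
        adj[a].add(b)
        adj[b].add(a)
        node_events[a].add(idx)
        node_events[b].add(idx)

    for idx, (_, _, user, src_ip, dst, _) in events.items():
        u, s, d = f"user:{user}", f"ip:{src_ip}", entity(dst)
        link(u, s, idx)
        link(u, d, idx)
        link(s, d, idx)
        # Inventory edge: the host reached by this event is the source address
        # of a later one; this is what joins the hops of a logon chain.
        if dst in host_ips:
            link(d, f"ip:{host_ips[dst]}", idx)
    return adj, node_events


def connected_components(adj):
    """Breadth-first grouping of the graph into communities."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        comps.append(comp)
    return comps


def describe(comp, events, node_events, host_ips=HOST_IPS):
    """Score one community for campaign-like structure."""
    idxs = sorted(set().union(*(node_events[n] for n in comp)))
    users = {n[5:] for n in comp if n.startswith("user:")}
    hosts = {n[5:] for n in comp if n.startswith("host:")}
    src_ips = {events[i][3] for i in idxs}
    external = {n[3:] for n in comp if n.startswith("ip:") and not is_internal(n[3:])}
    accounts_by_src = defaultdict(set)
    for i in idxs:
        accounts_by_src[events[i][3]].add(events[i][2])
    flags = set()
    if any(len(accts) > 1 for accts in accounts_by_src.values()):
        flags.add("shared_source_accounts")   # one address, several accounts
    if any(host_ips.get(h) in src_ips for h in hosts):
        flags.add("lateral_movement")         # a reached host later acts as a source
    if external and sum(events[i][5] for i in idxs) > 0:
        flags.add("external_transfer")        # bytes sent outside internal ranges
    return {"events": idxs, "users": sorted(users), "hosts": sorted(hosts),
            "external": sorted(external), "flags": sorted(flags),
            "campaign": len(flags) >= 2}


def detect_campaigns(events=SAMPLE_EVENTS, window_s=3600):
    """Slide a correlation window over the events; return each distinct community
    flagged as a campaign candidate (sub-chains of an already reported one are skipped)."""
    order = sorted(range(len(events)), key=lambda i: events[i][0])
    found = {}
    for pos, first in enumerate(order):
        t0 = events[first][0]
        window = {i: events[i] for i in order[pos:] if events[i][0] <= t0 + window_s}
        adj, node_events = build_entity_graph(window)
        for comp in connected_components(adj):
            desc = describe(comp, events, node_events)
            key = frozenset(desc["events"])
            if desc["campaign"] and not any(key <= k for k in found):
                found[key] = desc
    return list(found.values())


if __name__ == "__main__":
    for candidate in detect_campaigns():
        print(candidate)
```

With the sample data the chain alice/svc-backup from 10.0.0.5 to host-b, host-b to host-c, host-c to 203.0.113.9 collapses into one community carrying all three flags, while bob's unrelated logon forms its own unflagged component and carol's logon falls outside the window; shrinking `window_s` below the chain's span breaks the correlation, which is the trade-off between window length and false negatives that a real deployment tunes.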
A comparative evaluation of these tools is presented, supported by experimental results on benchmark datasets and synthetic attack scenarios. The findings illustrate the efficacy of graph-based methods in detecting coordinated attack campaigns, such as advanced persistent threats (APTs), lateral movement, and data exfiltration, with reduced false positives and improved response times compared to conventional methods. Moreover, the integration of real-time event correlation with predictive modeling capabilities enables proactive threat hunting and incident response, significantly enhancing the overall security posture of organizations.
The paper also delves into the technical challenges associated with implementing graph-based security analytics, including computational complexity, scalability, and the need for high-quality, labeled datasets. Strategies for overcoming these challenges, such as leveraging distributed graph processing frameworks and employing semi-supervised learning techniques, are discussed in detail. Furthermore, the ethical implications and privacy concerns arising from the use of sensitive data in graph-based security models are critically examined, along with recommendations for ensuring compliance with data protection regulations.
License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
License Terms
Ownership and Licensing:
Authors of this research paper submitted to the Journal of Science & Technology retain the copyright of their work while granting the journal certain rights. Authors maintain ownership of the copyright and have granted the journal a right of first publication. Simultaneously, authors agreed to license their research papers under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) License.
License Permissions:
Under the CC BY-NC-SA 4.0 License, others are permitted to share and adapt the work, as long as proper attribution is given to the authors and acknowledgement is made of the initial publication in the Journal of Science & Technology. This license allows for the broad dissemination and utilization of research papers.
Additional Distribution Arrangements:
Authors are free to enter into separate contractual arrangements for the non-exclusive distribution of the journal's published version of the work. This may include posting the work to institutional repositories, publishing it in journals or books, or other forms of dissemination. In such cases, authors are requested to acknowledge the initial publication of the work in the Journal of Science & Technology.
Online Posting:
Authors are encouraged to share their work online, including in institutional repositories, disciplinary repositories, or on their personal websites. This permission applies both prior to and during the submission process to the Journal of Science & Technology. Online sharing enhances the visibility and accessibility of the research papers.
Responsibility and Liability:
Authors are responsible for ensuring that their research papers do not infringe upon the copyright, privacy, or other rights of any third party. The Journal of Science & Technology and The Science Brigade Publishers disclaim any liability or responsibility for any copyright infringement or violation of third-party rights in the research papers.