Machine learning on knowledge graphs for context-aware security monitoring

TL;DR

This paper explores the use of machine learning on knowledge graphs to improve context-aware security monitoring and intrusion detection, demonstrating promising results in industrial system scenarios.

Contribution

It introduces a link-prediction method applied to knowledge graphs for anomaly detection, highlighting its interpretability and effectiveness in diverse industrial contexts.

Findings

Well-calibrated and interpretable alerts generated

Effective anomaly scoring in industrial systems

Potential benefits of relational learning for security

Abstract

Machine learning techniques are gaining attention in the context of intrusion detection due to the increasing amounts of data generated by monitoring tools, as well as the sophistication displayed by attackers in hiding their activity. However, existing methods often exhibit important limitations in terms of the quantity and relevance of the generated alerts. Recently, knowledge graphs are finding application in the cybersecurity domain, showing the potential to alleviate some of these drawbacks thanks to their ability to seamlessly integrate data from multiple domains using human-understandable vocabularies. We discuss the application of machine learning on knowledge graphs for intrusion detection and experimentally evaluate a link-prediction method for scoring anomalous activity in industrial systems. After initial unsupervised training, the proposed method is shown to produce intuitively well-calibrated and interpretable alerts in a diverse range of scenarios, hinting at the potential benefits of relational machine learning on knowledge graphs for intrusion detection purposes.