Improving Network Threat Detection by Knowledge Graph, Large Language Model, and Imbalanced Learning
Lili Zhang, Quanyan Zhu, Herman Ray, Ying Xie
TL;DR
This paper tackles agile network threat detection under limited historical threat data by integrating knowledge graphs, imbalanced learning, and large language models within a multi-agent framework. It combines a dynamic knowledge graph to model user activity, a weighted imbalanced classifier to detect threats, and an LLM-driven retriever/interpreter to explain risk, all operating in online sequential mode. The approach yields a 3–4% improvement in threat capture and enhanced interpretability of risk explanations, demonstrated on the CERT Insider Threat dataset with an end-to-end demo. The work advances practical threat detection by uniting structured relational modeling, rare-event handling, and natural-language interpretation for real-time security monitoring in dynamic environments.
Abstract
Network threat detection has been challenging due to the complexities of attack activities and the limitation of historical threat data to learn from. To help enhance the existing practices of using analytics, machine learning, and artificial intelligence methods to detect the network threats, we propose an integrated modelling framework, where Knowledge Graph is used to analyze the users' activity patterns, Imbalanced Learning techniques are used to prune and weigh Knowledge Graph, and LLM is used to retrieve and interpret the users' activities from Knowledge Graph. The proposed framework is applied to Agile Threat Detection through Online Sequential Learning. The preliminary results show the improved threat capture rate by 3%-4% and the increased interpretabilities of risk predictions based on the users' activities.