AlertStar: Path-Aware Alert Prediction on Hyper-Relational Knowledge Graphs

Zahra Makki Nayeri, Mohsen Rezvani

Abstract

Cyber-attacks continue to grow in scale and sophistication, yet existing network intrusion detection approaches lack the semantic depth required for path reasoning over attacker-victim interactions. We address this by first modelling network alerts as a knowledge graph and then formulating hyper-relational alert prediction as a hyper-relational knowledge graph completion (HR-KGC) problem: each network alert is a qualified statement (h, r, t, Q), where h and t are the source and destination IPs, r is the attack type, and Q encodes flow-level metadata such as timestamps, ports, protocols, and attack intensity. This goes beyond standard KGC over binary triples (h, r, t), which would discard that contextual richness. We introduce five models across three contributions. First, Hyper-relational Neural Bellman-Ford (HR-NBFNet) extends Neural Bellman-Ford Networks to the hyper-relational setting with qualifier-aware multi-hop path reasoning, and its multi-task variant MT-HR-NBFNet jointly predicts tail, relation, and qualifier value within a single traversal pass. Second, AlertStar fuses qualifier context and structural path information entirely in embedding space via cross-attention and learned path composition, and its multi-task extension MT-AlertStar eliminates the overhead of full knowledge graph propagation. Third, HR-NBFNet-CQ extends qualifier-aware representations to answer complex first-order logic queries (one-hop, two-hop chain, two-anchor intersection, and union), enabling multi-condition threat reasoning over the alert knowledge graph. Evaluated inductively on the Warden and UNSW-NB15 benchmarks across three qualifier-density regimes, AlertStar and MT-AlertStar achieve superior MR, MRR, and Hits@k, demonstrating that local qualifier fusion is both sufficient and more efficient than global path propagation for hyper-relational alert prediction.
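To make the representation concrete, the following is an added example that is not part of the paper and contains none of its neural models: it stores a handful of constructed alerts as qualified statements (h, r, t, Q) and answers the four query templates the abstract names (one-hop, two-hop chain, two-anchor intersection, union) by exact symbolic matching instead of learned embeddings. The IP addresses, attack labels, qualifier keys and the `AlertKG` API are all hypothetical. Qualifier constraints are given as equality values or predicates, and the chain query enforces timestamp order between the two hops, a check a practitioner would want before reading a path as an attack sequence.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One qualified statement (h, r, t, Q): attacker IP, attack type, victim IP,
    and flow-level qualifiers stored as sorted (key, value) pairs."""
    h: str
    r: str
    t: str
    Q: tuple


# Constructed sample alerts (hypothetical addresses and labels, not from the
# paper's datasets). Qualifiers: destination port, protocol, timestamp, intensity.
SAMPLE_ALERTS = [
    ("10.0.0.5",  "portscan",   "10.0.1.20", {"dst_port": 22,  "proto": "tcp", "ts": 1000, "intensity": 3}),
    ("10.0.0.5",  "bruteforce", "10.0.1.20", {"dst_port": 22,  "proto": "tcp", "ts": 1100, "intensity": 8}),
    ("10.0.1.20", "lateral",    "10.0.2.7",  {"dst_port": 445, "proto": "tcp", "ts": 1300, "intensity": 5}),
    ("10.0.0.9",  "portscan",   "10.0.1.20", {"dst_port": 80,  "proto": "tcp", "ts": 1500, "intensity": 2}),
    ("10.0.0.9",  "dos",        "10.0.2.7",  {"dst_port": 443, "proto": "udp", "ts": 1400, "intensity": 9}),
]


def qualifiers_match(fact, constraints):
    """Each constraint is key -> value (equality) or key -> predicate(value)."""
    Q = dict(fact.Q)
    for key, want in (constraints or {}).items():
        have = Q.get(key)
        ok = want(have) if callable(want) else have == want
        if not ok:
            return False
    return True


class AlertKG:
    """In-memory hyper-relational alert graph indexed by (head, relation)."""

    def __init__(self, alerts):
        self.facts = [Alert(h, r, t, tuple(sorted(q.items()))) for h, r, t, q in alerts]
        self.by_head_rel = defaultdict(list)
        for f in self.facts:
            self.by_head_rel[(f.h, f.r)].append(f)

    def edges(self, h, r, q=None):
        """Qualified statements leaving h via relation r whose Q satisfies q."""
        return [f for f in self.by_head_rel[(h, r)] if qualifiers_match(f, q)]

    # One-hop: ?t such that (h, r, ?t, Q) with Q satisfying q
    def one_hop(self, h, r, q=None):
        return {f.t for f in self.edges(h, r, q)}

    # Two-hop chain: ?t such that exists v with (h, r1, v, Q1) and (v, r2, ?t, Q2)
    def two_hop_chain(self, h, r1, r2, q1=None, q2=None, time_ordered=True):
        out = set()
        for e1 in self.edges(h, r1, q1):
            for e2 in self.edges(e1.t, r2, q2):
                # A path only reads as an attack sequence if hop 2 follows hop 1.
                if time_ordered and dict(e2.Q)["ts"] <= dict(e1.Q)["ts"]:
                    continue
                out.add(e2.t)
        return out

    # Two-anchor intersection: ?t such that (a1, r1, ?t) and (a2, r2, ?t)
    def two_anchor_intersection(self, a1, r1, a2, r2, q1=None, q2=None):
        return self.one_hop(a1, r1, q1) & self.one_hop(a2, r2, q2)

    # Two-anchor union: ?t such that (a1, r1, ?t) or (a2, r2, ?t)
    def two_anchor_union(self, a1, r1, a2, r2, q1=None, q2=None):
        return self.one_hop(a1, r1, q1) | self.one_hop(a2, r2, q2)


KG = AlertKG(SAMPLE_ALERTS)

if __name__ == "__main__":
    # Hosts reached by lateral movement after an SSH brute force from 10.0.0.5
    print(KG.two_hop_chain("10.0.0.5", "bruteforce", "lateral", q1={"dst_port": 22}))
    # Victims scanned by both 10.0.0.5 and 10.0.0.9
    print(KG.two_anchor_intersection("10.0.0.5", "portscan", "10.0.0.9", "portscan"))
```

With `time_ordered=False` the chain from 10.0.0.9 through 10.0.1.20 also returns 10.0.2.7, even though the scan (ts 1500) happened after the lateral move (ts 1300); that is exactly the kind of spurious path that qualifier-aware reasoning is meant to exclude, and the learned models in the paper must learn this ordering from the timestamp qualifier rather than have it hard-coded as here.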

Paper Structure

This paper contains 25 sections, 27 equations, 6 figures, 14 tables, and 5 algorithms.

Figures (6)

  • Figure 1: Three representational levels: (A) triple-based facts, (B) hyper-relational facts, (C) path-based hyper-relational reasoning.
  • Figure 2: HR-NBFNet combines StarE qualifier encoding (Galkin et al., 2020) with NBFNet Bellman-Ford propagation (Zhu et al., 2021). Qualifier pairs are composed via $\phi_q$, aggregated, projected by $\mathbf{W}_q$, and merged with $\mathbf{h}_r$ via $\gamma$, injecting flow-level context into the pair representation $\mathbf{h}_{uvqq'}^{(t)}$ at every layer. Inverse edges $(t, r^{-1}, h)$ enable bidirectional propagation for both tail and head prediction.
  • Figure 3: Architecture of AlertStar. Qualifier pairs are aggregated into $\mathbf{U}_\mathcal{Q}$ and used as key/value in MHA with $\mathbf{e}_r$ as query, producing $\tilde{\mathbf{e}}_r$. Two branches --- cross-attention and path-composition --- are fused via a trainable gate $\alpha = \sigma(g)$ into $\mathbf{z}$, scored against candidate tails via dot product.
  • Figure 4: Architecture of MT-AlertStar. The masked token sequence $\mathbf{X}$ is encoded by a Transformer, whose relation-token output $\mathbf{h}_r = \mathbf{H}[1]$ serves as shared context for three MLP heads predicting tail, relation, and qualifier value jointly.
  • Figure 5: Hyper-relational query templates. Qualifier pairs on each edge may vary from $0$ to $n$.
  • ...and 1 more figure (caption not included on this page)

Theorems & Definitions (4)

  • Definition 2.1: Knowledge Graph
  • Definition 2.2: Knowledge Graph Completion
  • Definition 2.3: Hyper-Relational Knowledge Graph
  • Definition 2.4: Pair Representation