Addressing the “alert fatigue” challenge faced by Security Operations Centers (SOCs) and the limitations of existing methods, this paper proposes AlertSAGE, a Semantic-Aware Alert Graph Embedding framework for automated incident discovery. The framework first combines deep semantic encoding with sliding time windows to efficiently compress discrete alerts into context-rich “meta-alerts”. Second, modeling these meta-alerts as graph nodes, it introduces a self-supervised Top-K Graph Transformer model that captures attack correlations and filters noise through dynamic graph learning and attention sparsification mechanisms. Finally, it utilizes an improved density clustering algorithm to identify attack incidents and supports human-in-the-loop verification. Experiments on the corrected CIC-IDS-2017 dataset demonstrate that AlertSAGE exhibits strong robustness in high false positive (43.8%) scenarios, achieving an overall noise reduction rate of 96.28% with recall of 99.97%, effectively supporting efficient noise reduction and attack tracing for NIDS alerts.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

AlertSAGE: Semantic-Aware Alert Graph Embedding for Cybersecurity Incident Discovery

  • Shuang Jiang,
  • Zhicheng Liu,
  • Yijing Wang,
  • Zhihao Zhang,
  • Han Wang,
  • Yueyue Hu

摘要

Addressing the “alert fatigue” challenge faced by Security Operations Centers (SOCs) and the limitations of existing methods, this paper proposes AlertSAGE, a Semantic-Aware Alert Graph Embedding framework for automated incident discovery. The framework first combines deep semantic encoding with sliding time windows to efficiently compress discrete alerts into context-rich “meta-alerts”. Second, modeling these meta-alerts as graph nodes, it introduces a self-supervised Top-K Graph Transformer model that captures attack correlations and filters noise through dynamic graph learning and attention sparsification mechanisms. Finally, it utilizes an improved density clustering algorithm to identify attack incidents and supports human-in-the-loop verification. Experiments on the corrected CIC-IDS-2017 dataset demonstrate that AlertSAGE exhibits strong robustness in high false positive (43.8%) scenarios, achieving an overall noise reduction rate of 96.28% with recall of 99.97%, effectively supporting efficient noise reduction and attack tracing for NIDS alerts.