Intrusion Detection Systems generate large volumes of security alerts. This makes the effective interpretation of these events a critical challenge for cybersecurity analysts. While recent advances in large language models (LLMs) offer promising capabilities for the automated explanation of complex alerts, their outputs often lack domain-specific knowledge and may contain factual inaccuracies. This paper presents a heterogeneous graph retrieval approach guided by an ontology that uses a knowledge graph enriched with cybersecurity ontologies to provide reliable and explainable interpretations of Suricata alerts. First, we construct an ontology-based knowledge graph that links Suricata alert data to the MITRE ATT&CK framework. Then, we train a heterogeneous graph neural network (HGNN) to generate context-rich embeddings. A retrieval-augmented generation (RAG) pipeline then provides a local LLM with relevant context, thereby improving the quality and accuracy of the generated explanations. Experimental evaluation on a dataset of 30,000 Suricata alerts shows that our approach greatly improves explanation accuracy and reduces hallucination rates compared to standard methods. The proposed system bridges the gap between low-level IDS events and high-level adversarial techniques, thus advancing the state of explainable AI in network security.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Ontology-Guided Heterogeneous Graph Retrieval for Large-Language-Model Interpretation of Suricata Events

  • Igor Kotenko,
  • Georgii Abramenko

摘要

Intrusion Detection Systems generate large volumes of security alerts. This makes the effective interpretation of these events a critical challenge for cybersecurity analysts. While recent advances in large language models (LLMs) offer promising capabilities for the automated explanation of complex alerts, their outputs often lack domain-specific knowledge and may contain factual inaccuracies. This paper presents a heterogeneous graph retrieval approach guided by an ontology that uses a knowledge graph enriched with cybersecurity ontologies to provide reliable and explainable interpretations of Suricata alerts. First, we construct an ontology-based knowledge graph that links Suricata alert data to the MITRE ATT&CK framework. Then, we train a heterogeneous graph neural network (HGNN) to generate context-rich embeddings. A retrieval-augmented generation (RAG) pipeline then provides a local LLM with relevant context, thereby improving the quality and accuracy of the generated explanations. Experimental evaluation on a dataset of 30,000 Suricata alerts shows that our approach greatly improves explanation accuracy and reduces hallucination rates compared to standard methods. The proposed system bridges the gap between low-level IDS events and high-level adversarial techniques, thus advancing the state of explainable AI in network security.