Semantic Knowledge Graph Framework for Intelligent Security Analytics in Next-Generation Cloud Systems
Next-generation cloud environments present a security posture more complex than ever before, calling for analytics that go beyond signature-based detection and shallow machine learning. Semantic Knowledge Graph-based Intelligent Security Analytics (SKG-ISA) is a threat detection architecture built on semantic knowledge graphs that combines OWL 2 ontologies with multi-relational graph embeddings and stream-aware inference engines to deliver contextual, real-time threat detection across a wide range of cloud stacks. SKG-ISA represents cloud resources, network traffic, user activities and vulnerability knowledge as a single semantic graph, and introduces a graph-convolutional anomaly scoring function, the Semantic Threat Quotient (STQ), that exploits both the topology of the graph and the semantics of each node. We formalize the knowledge-graph construction pipeline, formulate the STQ optimization objective and derive a convergence bound for its online update scheme. Experiments on CICIDS-2017, UNSW-NB15, DARPA TC Engagement 5 and a controlled private-cloud testbed yield a mean F1-score of 97.27%, a median detection latency of 42.3 ms and a false-positive rate of 1.12%, outperforming four state-of-the-art baselines on all three metrics. Ablation experiments confirm that each component of the architecture contributes additively, and scalability experiments show sub-linear growth in query time up to 10^9 graph triples. SKG-ISA advances cloud security analytics and serves as a repeatable blueprint for semantic-graph-driven intrusion intelligence.
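To make the "single semantic graph" idea concrete, the following is an added Python example, not code from the paper or the SKG-ISA authors. Telemetry from several sources (cloud inventory, flows, identity events, vulnerability data) is loaded as typed RDF-style triples under an assumed mini-ontology, and risk is then propagated along typed edges with per-relation weights, a toy stand-in for the relation-aware graph convolution the abstract describes. The ontology prefixes, relation weights, base-risk rules, byte threshold, decay factor and the sample triples are all constructed assumptions; the paper's Semantic Threat Quotient is not defined on this page and is not reproduced here.

```python
"""Illustrative semantic-graph risk scoring (an assumed toy model, not the paper's STQ).

Cloud resources, flows, identities and vulnerabilities are loaded into one graph as
(subject, predicate, object) triples. Class membership comes from rdf:type, numeric
objects become node attributes, and every other triple becomes a typed edge. Risk is
then propagated over typed edges with per-relation weights for a fixed number of
layers, which is the shape of a relational graph convolution.
"""
from collections import defaultdict

# Constructed sample triples. Names, prefixes and "cve-a" are placeholders, not real data.
TRIPLES = [
    ("vm-web-01", "rdf:type", "cloud:VM"),
    ("vm-db-01", "rdf:type", "cloud:VM"),
    ("vm-build-07", "rdf:type", "cloud:VM"),
    ("alice", "rdf:type", "idm:User"),
    ("svc-ci", "rdf:type", "idm:ServiceAccount"),
    ("cve-a", "rdf:type", "vuln:CVE"),
    ("cve-a", "vuln:cvssScore", "9.8"),
    ("flow-1", "rdf:type", "net:Flow"),
    ("flow-2", "rdf:type", "net:Flow"),
    ("vm-web-01", "cloud:exposedTo", "net:Internet"),
    ("vm-web-01", "vuln:hasVulnerability", "cve-a"),
    ("flow-1", "net:src", "vm-web-01"),
    ("flow-1", "net:dst", "vm-db-01"),
    ("flow-1", "net:bytes", "5000000"),
    ("flow-2", "net:src", "vm-build-07"),
    ("flow-2", "net:dst", "vm-db-01"),
    ("flow-2", "net:bytes", "2000"),
    ("alice", "idm:loggedInTo", "vm-db-01"),
    ("svc-ci", "idm:loggedInTo", "vm-build-07"),
]

# Assumed semantic weight per relation: how strongly risk crosses that edge type.
REL_WEIGHT = {
    "vuln:hasVulnerability": 1.0,
    "net:src": 0.6,
    "net:dst": 0.6,
    "idm:loggedInTo": 0.4,
    "cloud:exposedTo": 0.0,  # exposure is handled as a node-local attribute instead
}
BYTE_THRESHOLD = 1_000_000  # assumed: flows above this are treated as bulky transfers
DECAY = 0.5                 # assumed: attenuation per propagation layer
LAYERS = 2                  # assumed: propagation depth (hops)


def _is_literal(value):
    """Treat any object that parses as a number as a literal attribute, not a node."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def build_graph(triples):
    """Split triples into class labels, numeric attributes and an undirected typed adjacency."""
    types, attrs, adj = {}, defaultdict(dict), defaultdict(list)
    for s, p, o in triples:
        if p == "rdf:type":
            types[s] = o
        elif _is_literal(o):
            attrs[s][p] = float(o)
        else:
            adj[s].append((p, o))
            adj[o].append((p, s))  # risk may travel in either direction along an edge
    return types, attrs, adj


def base_risk(node, types, attrs, adj):
    """Node-local risk derived from the node's class and attributes (assumed rules)."""
    cls = types.get(node)
    if cls == "vuln:CVE":
        return attrs[node].get("vuln:cvssScore", 0.0) / 10.0
    if cls == "net:Flow":
        return 1.0 if attrs[node].get("net:bytes", 0.0) > BYTE_THRESHOLD else 0.1
    if cls == "cloud:VM" and any(p == "cloud:exposedTo" and u == "net:Internet" for p, u in adj[node]):
        return 0.5
    return 0.0


def propagate(types, attrs, adj, layers=LAYERS, decay=DECAY):
    """Relation-weighted message passing: h_{k+1}(v) = base(v) + decay * sum_u w(p) * h_k(u)."""
    nodes = set(adj) | set(types)
    base = {v: base_risk(v, types, attrs, adj) for v in nodes}
    h = dict(base)
    for _ in range(layers):
        h = {v: base[v] + decay * sum(REL_WEIGHT.get(p, 0.0) * h[u] for p, u in adj[v]) for v in nodes}
    return h


def flagged(scores, types, threshold=1.0, classes=("cloud:VM",)):
    """Nodes of the given classes whose propagated risk meets the threshold, highest first."""
    hits = [(v, round(s, 3)) for v, s in scores.items() if types.get(v) in classes and s >= threshold]
    return sorted(hits, key=lambda x: -x[1])


if __name__ == "__main__":
    t, a, g = build_graph(TRIPLES)
    for node, score in flagged(propagate(t, a, g), t):
        print(f"{node}: {score}")
```

The point of the toy model is that the internet-exposed VM carrying a high-severity vulnerability and a bulky outbound flow scores highest, while a VM with a similar flow count but no exposure or vulnerability stays low; the score depends on both which neighbours a node has (topology) and what kind of relation links them (semantics). A real system would learn the relation weights and base-risk mapping rather than hard-coding them.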



