Machine learning techniques are gaining attention in the context of intrusion
detection due to the increasing amounts of data generated by monitoring tools,
as well as the sophistication displayed by attackers in hiding their activity.
However, existing methods often exhibit important limitations in terms of the
quantity and relevance of the generated alerts. Recently, knowledge graphs are
finding application in the cybersecurity domain, showing the potential to
alleviate some of these drawbacks thanks to their ability to seamlessly
integrate data from multiple domains using human-understandable vocabularies.
We discuss the application of machine learning on knowledge graphs for
intrusion detection and experimentally evaluate a link-prediction method for
scoring anomalous activity in industrial systems. After initial unsupervised
training, the proposed method is shown to produce intuitively well-calibrated
and interpretable alerts in a diverse range of scenarios, hinting at the
potential benefits of relational machine learning on knowledge graphs for
intrusion detection purposes.