Cyber-attacks continue to grow in scale and sophistication, yet existing network intrusion detection approaches lack the semantic depth required for path reasoning over attacker-victim interactions. We address this by first modelling network alerts as a knowledge graph and then formulating hyper-relational alert prediction as a hyper-relational knowledge graph completion (HR-KGC) problem. Each network alert is represented as a qualified statement (h, r, t, Q), where h and t are the source and destination IPs, r denotes the attack type, and Q encodes flow-level metadata such as timestamps, ports, protocols, and attack intensity; this goes beyond the binary triples (h, r, t) of standard KGC, which would discard that contextual richness. We introduce five models across three contributions. First, Hyper-relational Neural Bellman-Ford (HR-NBFNet) extends Neural Bellman-Ford Networks to the hyper-relational setting with qualifier-aware multi-hop path reasoning, and its multi-task variant MT-HR-NBFNet jointly predicts tail, relation, and qualifier value within a single traversal pass. Second, AlertStar fuses qualifier context and structural path information entirely in embedding space via cross-attention and learned path composition, and its multi-task extension MT-AlertStar eliminates the overhead of full knowledge graph propagation. Third, HR-NBFNet-CQ extends qualifier-aware representations to answer complex first-order logic queries (one-hop, two-hop chain, two-anchor intersection, and union), enabling multi-condition threat reasoning over the alert knowledge graph. Evaluated inductively on the Warden and UNSW-NB15 benchmarks across three qualifier-density regimes, AlertStar and MT-AlertStar achieve the best MR, MRR, and Hits@k, demonstrating that local qualifier fusion is both sufficient for hyper-relational alert prediction and more efficient than global path propagation.
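The representation and query types above can be made concrete without any learned model. The following is an added example, not code from the paper: it builds a small hyper-relational alert knowledge graph from constructed alert records (IPs from the RFC 5737 documentation ranges, qualifier names `dport`, `proto` and `ts` are illustrative assumptions), answers the four first-order query shapes named in the abstract by exact set-based traversal, and computes the MR, MRR and Hits@k metrics used to score a ranked list of predicted tails. A learned HR-KGC model replaces the exact traversal with scoring over embeddings; the symbolic answers here are what such a model's ranked predictions would be checked against.

```python
"""Added example (not the paper's code): hyper-relational alert KG, exact
first-order query answering, and link-prediction ranking metrics."""
from typing import Dict, Iterable, List, Optional, Set, Tuple
from dataclasses import dataclass

# Qualifier set Q stored as sorted (key, value) pairs so Alert stays hashable.
Qualifiers = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class Alert:
    """One qualified statement (h, r, t, Q)."""
    h: str           # source IP
    r: str           # attack type
    t: str           # destination IP
    q: Qualifiers    # flow-level metadata (ports, protocol, timestamp, ...)


def _matches(q: Qualifiers, where: Optional[Dict[str, str]]) -> bool:
    """True when every constraint in `where` is present in the qualifier set q."""
    if not where:
        return True
    qd = dict(q)
    return all(qd.get(k) == v for k, v in where.items())


class AlertKG:
    def __init__(self) -> None:
        # Adjacency index: h -> r -> set of alerts leaving h with relation r.
        self.out: Dict[str, Dict[str, Set[Alert]]] = {}

    def add(self, h: str, r: str, t: str, **qual: str) -> Alert:
        a = Alert(h, r, t, tuple(sorted(qual.items())))
        self.out.setdefault(h, {}).setdefault(r, set()).add(a)
        return a

    def _edges(self, h: str, r: str) -> Iterable[Alert]:
        return self.out.get(h, {}).get(r, ())

    def one_hop(self, h: str, r: str, where: Optional[Dict[str, str]] = None) -> Set[str]:
        """?t : (h, r, ?t, Q) with Q satisfying the optional qualifier filter."""
        return {a.t for a in self._edges(h, r) if _matches(a.q, where)}

    def chain(self, h: str, r1: str, r2: str, where: Optional[Dict[str, str]] = None) -> Set[str]:
        """?t2 : exists ?t1 . (h, r1, ?t1) and (?t1, r2, ?t2); the filter applies to both hops."""
        mids = self.one_hop(h, r1, where)
        return set().union(*(self.one_hop(m, r2, where) for m in mids))

    def intersection(self, h1: str, r1: str, h2: str, r2: str, where=None) -> Set[str]:
        """?t : (h1, r1, ?t) and (h2, r2, ?t)   (two-anchor intersection)."""
        return self.one_hop(h1, r1, where) & self.one_hop(h2, r2, where)

    def union(self, h1: str, r1: str, h2: str, r2: str, where=None) -> Set[str]:
        """?t : (h1, r1, ?t) or (h2, r2, ?t)."""
        return self.one_hop(h1, r1, where) | self.one_hop(h2, r2, where)


def build_sample_kg() -> AlertKG:
    """Constructed alerts: a scan-then-exploit chain plus an unrelated attacker."""
    kg = AlertKG()
    kg.add("192.0.2.10", "scan", "198.51.100.5", dport="445", proto="tcp", ts="t1")
    kg.add("192.0.2.10", "scan", "198.51.100.6", dport="22", proto="tcp", ts="t1")
    kg.add("198.51.100.5", "exploit", "203.0.113.7", dport="445", proto="tcp", ts="t2")
    kg.add("198.51.100.6", "exploit", "203.0.113.8", dport="22", proto="tcp", ts="t2")
    kg.add("192.0.2.11", "exploit", "203.0.113.7", dport="445", proto="tcp", ts="t3")
    kg.add("192.0.2.11", "bruteforce", "203.0.113.9", dport="22", proto="tcp", ts="t3")
    return kg


def rank_of(scores: Dict[str, float], true_t: str) -> int:
    """1-based rank of the true tail under descending score; ties are counted
    pessimistically (every tied candidate is placed ahead of the true one)."""
    s = scores[true_t]
    return 1 + sum(1 for e, v in scores.items() if v > s or (v == s and e != true_t))


def ranking_metrics(ranks: List[int], ks: Tuple[int, ...] = (1, 3, 10)) -> Dict[str, float]:
    """MR (lower is better), MRR and Hits@k (higher is better) over a list of ranks."""
    n = len(ranks)
    out = {"MR": sum(ranks) / n, "MRR": sum(1.0 / r for r in ranks) / n}
    for k in ks:
        out[f"Hits@{k}"] = sum(1 for r in ranks if r <= k) / n
    return out


if __name__ == "__main__":
    kg = build_sample_kg()
    print("one-hop     ", kg.one_hop("192.0.2.10", "scan", {"dport": "445"}))
    print("chain       ", kg.chain("192.0.2.10", "scan", "exploit", {"dport": "445"}))
    print("intersection", kg.intersection("198.51.100.5", "exploit", "192.0.2.11", "exploit"))
    print("union       ", kg.union("192.0.2.11", "exploit", "192.0.2.11", "bruteforce"))
    print(ranking_metrics([1, 3, 12, 2]))
```

The qualifier filter is what distinguishes the hyper-relational query from its triple-based counterpart: `chain("192.0.2.10", "scan", "exploit")` returns both exploited hosts, while adding `{"dport": "445"}` keeps only the path whose scan and exploit share that port, which is the kind of multi-condition reasoning the abstract attributes to HR-NBFNet-CQ. Note that `rank_of` breaks ties against the model; an optimistic tie rule inflates MRR and Hits@k, so the rule used should be stated alongside reported numbers.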