Attributed Graph Edges (ADSAGE)
- Attributed graph edges (ADSAGE) are tuples that combine nodes with feature vectors, enabling fine-grained modeling of event-level interactions.
- The ADSAGE framework employs LSTM sequence encoding and negative sampling to efficiently score events and detect anomalies in real-world logs.
- Unsupervised methods like AttrE2Vec integrate topological and attribute affinities to produce robust edge embeddings for classification and clustering tasks.
Attributed graph edges are a foundational construct for modeling relational data in graphs where both nodes and edges are accompanied by feature vectors encompassing numeric, categorical, or textual information. This paradigm enables algorithms to directly exploit edge-level characteristics and dynamics, which is essential for a range of tasks such as fine-grained anomaly detection, attribution-aware representation learning, and event traceability in enterprise and network security settings. Recent frameworks, most notably ADSAGE and AttrE2Vec, exemplify two distinct but complementary approaches: supervised/unsupervised learning on edge sequences for anomaly detection (Garchery et al., 2020), and unsupervised edge embedding for downstream tasks such as edge classification and clustering (Bielak et al., 2020).
1. Formal Definition and Motivations
An attributed edge in a graph is defined as a tuple , where are nodes (e.g., users, devices, domains), and is an attribute vector encoding contextual, behavioral, or semantic information. In directed or bipartite/multipartite graphs, this allows events such as logon attempts, email transmissions, or network flows to be modeled precisely at the edge granularity. Edge attributes can include:
- Numeric features (e.g., size, duration)
- Categorical identifiers (e.g., event type, device ID)
- Text fields (e.g., email body), potentially embedded into vector space
This framework enables temporal modeling (by treating event streams as edge sequences) and supports tasks that require precise reasoning about individual interactions rather than node- or graph-level aggregates. In insider threat detection, for example, modeling audit events as attributed edges is critical for associating anomalous behavior with specific user actions (Garchery et al., 2020).
2. Data Representation and Preprocessing for Attributed Edges
Processing attributed edges requires systematic encoding of multimodal features:
- Numeric features are normalized as necessary.
- Categorical features are encoded by one-hot vectors or learned embeddings, especially for high-cardinality spaces.
- Text features are tokenized, mapped to pre-trained embeddings (e.g., GloVe), and pooled to fixed-length vectors.
- Temporal variables (e.g., hour of day, day of week) utilize periodic encoding via sine and cosine transformations:
This preprocessing preserves the heterogeneity and informativeness of edge features, which is essential for subsequent sequence or representation learning. ADSAGE, for example, specifically avoids manual feature engineering or aggregation, using all event attributes directly except for periodic time encodings (Garchery et al., 2020).
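The encoding steps above, applied to a few logon events, as an added example that is not code from ADSAGE or the cited papers. The event fields, min-max scaling and the all-zero vector for unseen categories are assumptions made for illustration; the sample events are constructed.

```python
import math

# Constructed sample logon events (not taken from CERT or LANL). Each one is
# an attributed edge user -> device with a type, a duration and an hour of day.
EVENTS = [
    {"src": "u1", "dst": "pc7", "type": "logon",  "duration_s": 30.0,  "hour": 9},
    {"src": "u1", "dst": "pc7", "type": "logoff", "duration_s": 5.0,   "hour": 17},
    {"src": "u2", "dst": "pc3", "type": "logon",  "duration_s": 120.0, "hour": 23},
]

def fit(events):
    """Learn the category vocabulary and the min/max of the numeric feature."""
    types = sorted({e["type"] for e in events})
    durs = [e["duration_s"] for e in events]
    return {"types": types, "lo": min(durs), "hi": max(durs)}

def periodic(value, period):
    """Map a cyclic value to (sin, cos) so that period-1 and 0 are adjacent."""
    angle = 2.0 * math.pi * value / period
    return [math.sin(angle), math.cos(angle)]

def encode(event, stats):
    """Return the attribute vector for one edge (assumed layout)."""
    span = (stats["hi"] - stats["lo"]) or 1.0  # guard a constant feature
    numeric = [(event["duration_s"] - stats["lo"]) / span]
    # One-hot; a category unseen at fit time encodes as all zeros.
    onehot = [1.0 if event["type"] == t else 0.0 for t in stats["types"]]
    return numeric + onehot + periodic(event["hour"], 24)

def edge(event, stats):
    """Build the attributed edge: source node, destination node, attributes."""
    return (event["src"], event["dst"], encode(event, stats))

def gap(h1, h2):
    """Euclidean distance between two encoded hours of day."""
    return math.dist(periodic(h1, 24), periodic(h2, 24))
```

With the raw hour value, 23:00 looks farther from midnight than from noon; `gap(23, 0)` is smaller than `gap(23, 12)`, which is what keeps late-night and early-morning logons close together in feature space.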
3. Methodologies for Learning on Attributed Edges
3.1 ADSAGE: Sequence Modeling for Anomaly Detection
ADSAGE formalizes each audit log event as a directed attributed edge in a time-ordered sequence for each user: The model employs an embedding function to encode each event, concatenates node embeddings with attribute vectors, and feeds these into an LSTM sequence encoder. The hidden state is paired with the current event’s embedding and input to a feed-forward network, which produces an anomaly score
where represents event “validity”. Training combines an event-prediction loss and a negative-sampling-based classification loss, with optimization via Adam. Negative sampling involves generating corrupted edges with plausible but unseen edge pairs to inform the discriminative component of the loss (Garchery et al., 2020).
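One way to build the negative-sampling part of the training set, as an added example that is not the ADSAGE implementation. The page does not specify the corruption strategy, so swapping only the destination node and keeping the attribute vector is an assumption; the events and function names are constructed for illustration.

```python
import random

# Constructed authentication events: (user, host, attribute vector).
OBSERVED = [
    ("alice", "ws-01", [1.0, 0.0]),
    ("alice", "fs-01", [0.0, 1.0]),
    ("bob",   "ws-02", [1.0, 0.0]),
    ("bob",   "fs-01", [0.0, 1.0]),
    ("carol", "ws-03", [1.0, 0.0]),
]

def negative_samples(observed, k, rng):
    """For each observed edge, draw up to k corrupted edges (label 0).

    The destination is swapped for a node that occurs as a destination
    elsewhere in the log (plausible) but never with this source (unseen).
    The attribute vector is kept, so only the pairing is wrong.
    """
    seen = {(s, d) for s, d, _ in observed}
    dests = sorted({d for _, d, _ in observed})
    out = []
    for src, dst, attrs in observed:
        candidates = [d for d in dests if (src, d) not in seen]
        # A source that already touched every destination yields no negatives.
        for d in rng.sample(candidates, min(k, len(candidates))):
            out.append((src, d, attrs, 0))
    return out

def training_set(observed, k=2, seed=0):
    """Observed edges labelled 1, followed by corrupted edges labelled 0."""
    rng = random.Random(seed)  # seeded so the sample is reproducible
    positives = [(s, d, a, 1) for s, d, a in observed]
    return positives + negative_samples(observed, k, rng)
```

Filtering against the set of observed pairs matters for detection quality: a "negative" that is actually a legitimate pairing teaches the classifier to flag normal behaviour.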
3.2 AttrE2Vec: Unsupervised Edge Embedding
AttrE2Vec addresses edge representation learning in attributed networks by synthesizing:
- Topological proximity: Edges are neighbors if co-occurring in short random walks.
- Attribute affinity: An edge embedding should reconstruct its feature vector.
- Feature similarity: Edges are similar if their neighborhoods yield analogous aggregated attributes.
The encoder aggregates random walk contexts from both edge endpoints, processes these with configurable aggregators (average, GRU, etc.), and combines them with edge features via self-attention-weighted fusion: Training minimizes a convex combination of cosine similarity loss (aligning close neighbors) and MSE feature reconstruction loss; the framework is inductive and unsupervised (Bielak et al., 2020).
4. Evaluation Protocols and Empirical Results
Both ADSAGE and AttrE2Vec validate the expressiveness of attributed edge modeling via carefully designed experiments and metrics.
ADSAGE:
- Tested on CERT v6.2 (logon, email, web) and LANL (real authentications); evaluation uses daily investigation budgets and recall-based metrics:
- Achieves for logon events and for email-based threats, outperforming baselines in most scenarios but underperforming on web data where simple rules or SedanSpot methods prove more effective (Garchery et al., 2020).
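A budget-constrained recall computation of the kind this evaluation relies on, as an added example that is not the paper's evaluation code. The exact metric definition is not given on this page; the version here assumes an analyst reviews the top-scored events each day up to a fixed budget and that recall is counted per malicious event. The scored events are constructed.

```python
from collections import defaultdict

# Constructed scored events: (day, event_id, anomaly_score, is_malicious).
SCORED = [
    ("d1", "e1", 0.91, True),
    ("d1", "e2", 0.40, False),
    ("d1", "e3", 0.75, False),
    ("d1", "e4", 0.10, True),
    ("d2", "e5", 0.30, False),
    ("d2", "e6", 0.88, True),
    ("d2", "e7", 0.95, False),
]

def investigated(scored, budget):
    """Return the event IDs an analyst would review: top `budget` per day."""
    by_day = defaultdict(list)
    for day, eid, score, _ in scored:
        by_day[day].append((score, eid))
    picked = set()
    for rows in by_day.values():
        # Highest score first; ties broken by event ID for determinism.
        rows.sort(key=lambda r: (-r[0], r[1]))
        picked.update(eid for _, eid in rows[:budget])
    return picked

def recall_at_budget(scored, budget):
    """Fraction of malicious events that fall inside the daily budget."""
    malicious = {eid for _, eid, _, bad in scored if bad}
    if not malicious:
        return None  # recall is undefined when there are no positives
    return len(malicious & investigated(scored, budget)) / len(malicious)
```

On the sample data a budget of one event per day catches one of the three malicious events, because a benign event outranks `e6` on day `d2`; raising the budget to two catches two of three.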
AttrE2Vec:
- Evaluated on citation networks (Cora, Citeseer, Pubmed) for edge classification (AUC) and clustering accuracy, using a small labeled training set per class.
- Reports superior inductive AUC and clustering accuracy versus baselines (e.g., node2vec, Line2vec):
- Citeseer: AttrE2Vec(Avg) AUC = 88.97 vs. 86.21 (best transductive competitor)
- Cora: AttrE2Vec(Avg) AUC = 93.43 vs. 91.75
- AttrE2Vec achieves best or near-best performance across metrics for edge-level tasks (Bielak et al., 2020).
5. Impact, Limitations, and Future Directions
The emergence of attributed edge frameworks marks a substantive advance for:
- Event-level detection and traceability: Scoring events individually enables pinpoint alerting with high interpretability, essential for practical forensics (Garchery et al., 2020).
- Discriminative representation learning: Incorporation of edge and neighborhood attributes yields more informative embeddings, enabling complex downstream inference (Bielak et al., 2020).
However, limitations exist:
- In ADSAGE, negative sampling strategies are fixed and multilogs are handled in isolation; shared encoders or tuned sampling rates could yield improvements.
- AttrE2Vec’s reliance on random walks is computationally intensive on large graphs; scalability enhancements and the incorporation of heterogeneous edges or temporal order remain open challenges.
Continued work is suggested in joint modeling of synchronized logs, faster edge context sampling, and the integration of richer edge feature modalities, including full-text content and higher-order relational structures.
6. Distinction from Node-Centric and Structure-Only Graph Methods
Attributed edge modeling diverges from traditional node-centric, structure-only, and graph-level learning frameworks in several critical respects:
- Node methods (e.g., node2vec, GraphSAGE) aggregate information to the node, limiting granularity for event-driven tasks and failing to leverage edge-specific features.
- Structure-only edge methods (e.g., Line2vec) miss informative attribute-driven context necessary for semantic tasks such as edge classification or fine-grained anomaly localization.
- Attributed edge frameworks enable both supervised and unsupervised models to synthesize topological, attribute, and temporal signals at the event (edge) resolution, supporting tasks impossible for node- or structure-only paradigms (Garchery et al., 2020, Bielak et al., 2020).