I'm trying to model a collection of security alerts into a graph representation. Each alert consists of 0 or more objects that represent IP addresses, users, hostnames and so on. I consider two objects as edge-related if they both appear in the same alert. The result of this representation is a disconnected graph, as I do not get all traffic in the network, only suspicious traffic raising an alert.
In addition, I am 'enriching' those objects with information from third party tools. For instance, an IP address can have a 'country' property attached to it, a hostname can have an associated IP address as a property and so on.
I would like to 'enhance' my graph's connectivity by attempting to create a new type of relation (edge): the enrichment relation. Ideally, the hostname we found associated with a specific IP address that is already present on the graph should be related, as they are most likely the same object (with different representations). Another example could be file hashes. Say I have two systems raising alerts on files, one uses SHA256 and the other uses MD5. Both alert on the same file, but since each one of them uses a different hash function it appears as two separate objects. Assuming I've got information on one of them, say the SHA256, that the file it was calculated on also produced the same MD5 I already have on the graph, I would like to be able to connect those two objects.
My question boils down to the following: Is there an automated way to 'run' through all those new properties (no guarantee each object has the same properties) and figure out which could be used as a new connection and with what 'intensity'?
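
One way to derive the enrichment relation described above, as an added example that is not part of the original post. It assumes nodes are `(type, value)` pairs and that enrichment property names match node type names; the sample data and the weighting (1.0 when a property value is itself a node on the graph, 1/n when n nodes merely share a value) are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: each alert lists its objects as (type, value) nodes.
ALERTS = [
    [("ip", "10.0.0.5"), ("user", "alice")],
    [("hostname", "ws-17"), ("sha256", "aa11")],
    [("md5", "bb22"), ("user", "bob")],
    [("ip", "10.0.0.9")],
]
# Constructed enrichment: node -> properties (not every node has the same ones).
ENRICHMENT = {
    ("hostname", "ws-17"): {"ip": "10.0.0.5", "country": "US"},
    ("sha256", "aa11"): {"md5": "bb22"},
    ("ip", "10.0.0.5"): {"country": "US"},
    ("ip", "10.0.0.9"): {"country": "US"},
}

def enrichment_edges(alerts, enrichment):
    """Map (node_a, node_b) -> (kind, weight) for every enrichment relation."""
    nodes = {obj for alert in alerts for obj in alert}
    holders = defaultdict(set)  # (property, value) -> nodes carrying it
    edges = {}
    for node, props in enrichment.items():
        if node not in nodes:
            continue  # enrichment for an object that never appeared in an alert
        for key in props.items():
            if key in nodes and key != node:
                # The property value is itself a node on the graph: strongest link.
                edges[tuple(sorted((node, key)))] = ("identity", 1.0)
            else:
                holders[key].add(node)
    for (prop, _), group in holders.items():
        # Assumed weighting: a value shared by many nodes says little about each pair.
        for pair in combinations(sorted(group), 2):
            edges.setdefault(pair, ("shared:" + prop, round(1 / len(group), 3)))
    return edges

def components(alerts, extra_edges=()):
    """Count connected components using union-find over alert and extra edges."""
    parent = {obj: obj for alert in alerts for obj in alert}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    pairs = [p for alert in alerts for p in combinations(alert, 2)]
    for a, b in pairs + list(extra_edges):
        parent[find(a)] = find(b)
    return len({find(x) for x in parent})
```

Filtering the returned edges by weight before passing them to `components` shows how much connectivity each 'intensity' threshold buys.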