Hypergraph-Based Time-Aware Modeling for Multi-Phase Cyber Threat Simulation and Anomaly Detection
Abstract
This research uses a time-aware hypergraph design and anomaly-detection methods to simulate cyberattack sequences. Multi-phase cyberattacks exhibit high-order interactions, concurrency, and unpredictable timing that traditional directed graph models cannot describe. To overcome this constraint, we create hypergraphs in which cyber kill-chain stages, including reconnaissance, initial access, execution, persistence, privilege escalation, and exfiltration, are nodes, and hyperedges represent logical and temporal groups.
Randomized temporal information is added to each simulated phase to create a two-hour adversary timeline. Repeated simulations introduce controlled diversity in phase length and sequence ordering. Feature-engineering pipelines include temporal alignment, stage ordering, and label encoding. An Isolation Forest model identifies aberrant phase lengths, which are shown in scatter-based anomaly plots and frequency-distribution histograms. A transition-probability matrix quantifies stage-to-stage movement in the hypergraph and better models adversarial behavior.
Structured datasets from the simulations are provided for IDS training, red-team emulation, and threat-analysis investigations. By capturing overlapping phases, higher-order relationships, and temporal uncertainty, the proposed time-aware hypergraph reconstructs Advanced Persistent Threat (APT) behavior better than DAG-based representations. To assure scientific validity, the research compares the proposed hypergraph model to a baseline DAG model on the same synthetic dataset and demonstrates the changes in anomaly-detection performance and IDS-dataset quality. The findings section provides measurements and validation methodologies for the 22% anomaly-detection accuracy and 30% IDS-dataset quality increase over the DAG baseline.
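The simulation step, the temporal hyperedges, and the transition-probability matrix described in the abstract can be sketched as follows. This is an added example, not the authors' code: the duration weights, the swap probability, the 40-minute bucketing used to form hyperedges, and all function names are assumptions made for illustration.

```python
import random
from collections import Counter, defaultdict

STAGES = ["reconnaissance", "initial_access", "execution",
          "persistence", "privilege_escalation", "exfiltration"]
WINDOW_MIN = 120  # two-hour timeline, as stated in the abstract

def simulate_run(rng, swap_prob=0.3):
    """One constructed run: list of (stage, start_min, end_min) filling the window."""
    order = STAGES[:]
    # Assumed ordering diversity: sometimes privilege escalation precedes persistence.
    if rng.random() < swap_prob:
        order[3], order[4] = order[4], order[3]
    # Assumed length diversity: random weights rescaled so the phases sum to 120 min.
    weights = [rng.uniform(0.5, 1.5) for _ in order]
    scale = WINDOW_MIN / sum(weights)
    t, run = 0.0, []
    for stage, w in zip(order, weights):
        run.append((stage, round(t, 2), round(t + w * scale, 2)))
        t += w * scale
    return run

def transition_matrix(runs):
    """Row-normalised counts of observed stage-to-stage transitions."""
    counts = defaultdict(Counter)
    for run in runs:
        for (a, _, _), (b, _, _) in zip(run, run[1:]):
            counts[a][b] += 1
    return {a: {b: n / sum(c.values()) for b, n in c.items()}
            for a, c in counts.items()}

def temporal_hyperedges(run, bucket_min=40):
    """Hyperedge = set of stages whose start time falls in the same time bucket."""
    edges = defaultdict(set)
    for stage, start, _ in run:
        edges[int(start // bucket_min)].add(stage)
    return [frozenset(s) for _, s in sorted(edges.items())]

if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the constructed data is repeatable
    runs = [simulate_run(rng) for _ in range(200)]
    for src, row in transition_matrix(runs).items():
        print(src, {dst: round(p, 2) for dst, p in row.items()})
    print(temporal_hyperedges(runs[0]))
```

A single hyperedge here can hold three or more stages at once, which is the higher-order grouping a pairwise DAG edge cannot express.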
This work is licensed under a Creative Commons Attribution 4.0 International License.