HyperGLLM: An Efficient Framework for Endpoint Threat Detection via Hypergraph-Enhanced Large Language Models

Authors

  • Hongyi Zhou, Department of Computer Science and Technology, Tsinghua University, Beijing, China
  • Jianfeng Pan, 360 Security Technology Inc., Beijing, China
  • Min Peng, 360 Security Technology Inc., Beijing, China
  • Shaomang Huang, 360 Security Technology Inc., Beijing, China
  • Hanzhong Zheng, 360 Security Technology Inc., Beijing, China

DOI:

https://doi.org/10.1609/aaai.v40i41.40815

Abstract

Endpoint Detection and Response (EDR) systems are a cornerstone of modern threat detection and endpoint protection. However, conventional heuristic- and learning-based approaches often fail to address sophisticated and continuously evolving attack patterns. Recent advances in large language models (LLMs) offer promising capabilities for behavioral analysis of EDR logs, yet their effectiveness is hindered by the high volume of events and the interleaved nature of behavior sequences, which pose significant challenges for long-context modeling and stealthy threat detection. To address these issues, we propose HyperGLLM, a novel detection framework that introduces hypergraph reasoning into LLMs. It first constructs an attribute-value level relation-aware graph to model low-order structural semantics while reducing textual redundancy. Then, it introduces a differential hypergraph module with multi-granularity clustering to capture high-order behavioral dependencies embedded in interleaved events and to reinforce threat semantics. Finally, the hypergraph representations are aligned with an LLM for efficient contextual reasoning over potentially malicious behaviors. To facilitate empirical evaluation, we curate EDR3.6B-63F, a large-scale EDR dataset containing 3.6 billion events across 63 distinct behavior families. Extensive experiments demonstrate that HyperGLLM significantly outperforms state-of-the-art methods, reducing the false alarm rate to 1.67%, achieving 94.65% accuracy across the 63 behavior families, and improving the modeling efficiency of LLMs on long EDR logs. Our framework and dataset provide a solid foundation for future research and support the development of advanced detection solutions in endpoint security.

Published

2026-03-14

How to Cite

Zhou, H., Pan, J., Peng, M., Huang, S., & Zheng, H. (2026). HyperGLLM: An Efficient Framework for Endpoint Threat Detection via Hypergraph-Enhanced Large Language Models. Proceedings of the AAAI Conference on Artificial Intelligence, 40(41), 35094–35102. https://doi.org/10.1609/aaai.v40i41.40815

Section

AAAI Technical Track on Natural Language Processing VI