
Graph Structural Scoring


Category: Investigation
Last Updated: Apr 14, 2026

Overview

An investigation graph containing hundreds of entities and thousands of relationships is difficult to read at a glance. Not all nodes carry equal operational significance. Some entities act as connectors between communities that would otherwise be disconnected. Others sit at the centre of dense clusters. Many are peripheral and have little effect on overall network structure. Identifying which is which -- quickly and reproducibly -- is a core analyst task.

Argus computes structural importance metrics for every entity in an investigation graph using the NetworkX library. Betweenness centrality, closeness centrality, eigenvector centrality, and Burt's structural hole constraint are calculated from the live graph, and each entity is assigned a human-readable structural role (BRIDGE, HUB, PERIPHERAL, or ANOMALOUS; HUB is the display label for the CLUSTER_CENTER role). Scores are cached and recomputed automatically when the snapshot is more than an hour old. When an entity transitions from PERIPHERAL to BRIDGE between snapshots, a human-in-the-loop (HITL) review request is raised so an analyst can decide whether the change reflects genuine emerging significance.

Last Reviewed: 2026-04-14 Last Updated: 2026-04-14

Key Features

  • Betweenness Centrality (Freeman 1977): Measures how often an entity appears on the shortest path between other pairs of nodes. High betweenness indicates a broker or chokepoint: removing it would fragment the network or lengthen the shortest paths between communities. Normalised to the 0-1 range.

  • Closeness Centrality: Measures how quickly an entity can reach all other entities in the graph. High closeness indicates a node that can disseminate information or coordinate activity efficiently across the network.

  • Eigenvector Centrality: A node's influence score weighted by the influence of its neighbors. An entity with high eigenvector centrality is well-connected to other well-connected nodes, indicating it sits at the structural core of an important cluster.

  • Burt's Structural Hole Constraint (Burt 1992): A lower constraint value means the entity bridges groups that are otherwise not connected to each other, giving it informational and control advantages that purely dense connections cannot provide. This complements betweenness by detecting structural brokers even in cases where shortest-path counting alone is not decisive.

  • Bridge Node Detection: Entities that lie on bridge edges (edges whose removal would disconnect the graph) are flagged explicitly. Bridge edges are detected using the standard NetworkX algorithm on the undirected projection of the investigation graph.

  • Role Classification: Each entity is assigned one of four roles. BRIDGE is assigned when betweenness exceeds 0.5. CLUSTER_CENTER is assigned when eigenvector centrality exceeds 0.7. PERIPHERAL is the default for entities below both thresholds. ANOMALOUS is recorded when an analyst acknowledges an unexpected role transition.

  • One-Hour Score Cache: Scores are persisted to the structural scores store and reused for up to one hour. Calling the score retrieval function will trigger a fresh computation if the cache is stale, keeping latency low for repeated queries while ensuring scores remain current for active investigations.

  • HITL Role Transition Alerts: When a fresh computation detects that an entity previously classified as PERIPHERAL has become a BRIDGE, a review request is raised via the HITL approval service. An analyst can then assess whether the transition reflects a genuine shift in investigative significance.

  • Structural Role Badge: The frontend badge component displays the role label with a colour scheme matched to operational meaning: amber for BRIDGE, blue for CLUSTER_CENTER (displayed as HUB), gray for PERIPHERAL, and red for ANOMALOUS. Hovering the badge shows a tooltip that explains the role in intelligence terms.
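The metrics, role thresholds, and PERIPHERAL to BRIDGE check described above can be reproduced with NetworkX as follows. This is an added example, not Argus code: the function names, the sample entities, the use of the undirected projection for every metric, and the precedence of BRIDGE over CLUSTER_CENTER are assumptions.

```python
import networkx as nx

BRIDGE_BETWEENNESS = 0.5  # thresholds as stated under Role Classification
CENTER_EIGENVECTOR = 0.7

def score_snapshot(edges):
    """Score one snapshot of (source, target) relationship pairs."""
    # Assumption: every metric is computed on the undirected projection.
    g = nx.DiGraph(edges).to_undirected()
    btw = nx.betweenness_centrality(g, normalized=True)
    clo = nx.closeness_centrality(g)
    eig = nx.eigenvector_centrality(g, max_iter=5000)
    con = nx.constraint(g)  # Burt's constraint; lower means more brokerage
    on_bridge = {n for edge in nx.bridges(g) for n in edge}
    scores = {}
    for n in g:
        # Assumption: BRIDGE wins when both thresholds are exceeded.
        if btw[n] > BRIDGE_BETWEENNESS:
            role = "BRIDGE"
        elif eig[n] > CENTER_EIGENVECTOR:
            role = "CLUSTER_CENTER"
        else:
            role = "PERIPHERAL"
        scores[n] = {"betweenness": btw[n], "closeness": clo[n],
                     "eigenvector": eig[n], "constraint": con[n],
                     "on_bridge_edge": n in on_bridge, "role": role}
    return scores

def review_candidates(previous, current):
    """Entities that moved PERIPHERAL -> BRIDGE between two snapshots."""
    return sorted(n for n, s in current.items()
                  if s["role"] == "BRIDGE"
                  and previous.get(n, {}).get("role") == "PERIPHERAL")

# Constructed sample data: cell A is known first; cell B surfaces later
# and is linked to cell A only through "courier".
CELL_A = [("a1", "a2"), ("a2", "a3"), ("a3", "a1"), ("courier", "a1")]
CELL_B = [("b1", "b2"), ("b2", "b3"), ("b3", "b1"), ("courier", "b1")]

if __name__ == "__main__":
    before = score_snapshot(CELL_A)
    after = score_snapshot(CELL_A + CELL_B)
    for name in review_candidates(before, after):
        print(name, before[name]["role"], "->", after[name]["role"],
              round(after[name]["betweenness"], 2))
```

In the second snapshot all nine shortest paths between the two cells run through "courier", 9 of the 15 pairs among the other six nodes, so its betweenness is 0.6. NetworkX scales eigenvector centrality to unit Euclidean norm, which is why no entity in this sample crosses the 0.7 threshold.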

Use Cases

  • Priority Node Identification: Surface the small number of entities that hold the network together, letting analysts focus attention on the most operationally significant nodes rather than reviewing all entities uniformly.
  • Community Bridging Analysis: Identify entities that connect otherwise separate sub-networks, a pattern consistent with facilitation, coordination, or money-movement roles in criminal investigations.
  • Change Detection: Track shifts in structural position over time to detect emerging relationships or coordinated network reorganization.
  • Briefing Support: Use structural role badges in investigation summaries and briefing packages to communicate network structure to decision-makers without requiring them to interpret raw graph visualisations.

Integration

  • Investigation Graph: Reads relationship records scoped to a specific investigation and organisation. All queries include organization_id in the WHERE clause.
  • HITL Approval Service: Raises review requests when PERIPHERAL to BRIDGE transitions are detected.
  • Graph Visualisation: Structural role data can be used to size or colour nodes in the 3D and 2D graph views.
  • Briefing Package: Role badges and centrality scores can be included in exported briefing packages.

Open Standards

  • STIX 2.1 (OASIS): Structured Threat Information Expression defines the entity and relationship model used to represent investigation graph nodes and edges in a portable, interoperable format.
  • W3C PROV-DM (W3C Recommendation): The Provenance Data Model provides a standard vocabulary for recording the derivation and lineage of computed artefacts, applied here to track when and how structural scores were generated.
  • ISO/IEC 27001: Information security management standard governing the confidentiality, integrity, and availability controls applied to investigation data from which graph metrics are derived.
  • GQL (ISO/IEC 39075): The internationally standardised Graph Query Language, relevant to querying the property graph structures over which structural metrics are computed.
