Anomal-E: A self-supervised network intrusion detection system based on graph neural networks

Cited by: 86
Authors
Caville, Evan [1]
Lo, Wai Weng [1]
Layeghy, Siamak [1]
Portmann, Marius [1]
Affiliations
[1] Univ Queensland, Sch ITEE, Brisbane, Australia
Keywords
Graph neural network; Network intrusion detection system; Self supervised; Graph representation learning; Anomaly detection;
DOI
10.1016/j.knosys.2022.110030
Chinese Library Classification number
TP18 [Artificial intelligence theory];
Subject classification codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
This paper investigates graph neural networks (GNNs) applied for self-supervised intrusion and anomaly detection in computer networks. GNNs are a deep learning approach for graph-based data that incorporate graph structures into learning to generalise graph representations and output embeddings. As traffic flows in computer networks naturally exhibit a graph structure, GNNs are a suitable fit in this context. The majority of current implementations of GNN-based network intrusion detection systems (NIDSs) rely on labelled network traffic. This limits the volume and structure of input traffic and restricts the NIDSs' potential to adapt to unseen attacks. These systems also rely on the use of node features, which may reduce the detection accuracy of these systems, as important edge (packet-level) information is not leveraged. To overcome these restrictions, we present Anomal-E, a GNN approach to intrusion and anomaly detection that leverages edge features and a graph topological structure in a self-supervised manner. This approach is, to the best of our knowledge, the first successful and practical approach to network intrusion detection that utilises network flows in a self-supervised, edge-leveraging GNN. Experimental results on two modern benchmark NIDS datasets display a significant improvement when using Anomal-E compared to raw features and other baseline algorithms. This additionally posits the potential Anomal-E has for intrusion detection on real-world network traffic. (c) 2022 Elsevier B.V. All rights reserved.
Pages: 11