Applying Self-supervised Learning to Network Intrusion Detection for Network Flows with Graph Neural Network

Renjie Xu, Guangwei Wu, Weiping Wang, Xing Gao, An He, Zhengpeng Zhang

TL;DR

The paper tackles the challenge of network intrusion detection with limited labeled data by proposing a fully self-supervised, edge-centered GNN framework. It introduces NEGAT, an edge-featured Graph Attention Network, and NEGSC, a graph-contrastive learning scheme that uses Wasserstein- and Gromov-Wasserstein-based losses to discriminate edge-level network flows and their local topology. Key contributions include the design of an edge-focused encoder, the adaptation of a Generative Subgraph Contrast mechanism for edge-centric NIDS, and extensive experiments on four NetFlow-based datasets showing strong binary and multiclass performance without labels. The approach reduces labeling requirements while achieving robust attack-type identification, with potential applicability to other edge-centered graph tasks in cybersecurity and beyond.

Abstract

Graph Neural Networks (GNNs) have garnered intensive attention for Network Intrusion Detection Systems (NIDS) due to their suitability for representing network traffic flows. However, most present GNN-based methods for NIDS are supervised or semi-supervised. Network flows need to be manually annotated as supervisory labels, a process that is time-consuming or even impossible, making NIDS difficult to adapt to potentially complex attacks, especially in large-scale real-world scenarios. The existing GNN-based self-supervised methods focus on the binary classification of network flows as benign or not, and thus fail to reveal the types of attack in practice. This paper studies the application of GNNs to identify the specific types of network flows in an unsupervised manner. We first design an encoder to obtain the graph embedding, which introduces the graph attention mechanism and considers the edge information as the only essential factor. Then, a self-supervised method based on graph contrastive learning is proposed. The method samples center nodes; for each center node, it generates a subgraph from the node and its direct neighbor nodes, generates the corresponding contrastive subgraph from the interpolated graph, and finally constructs positive and negative samples from the subgraphs. Furthermore, a structured contrastive loss function based on edge features and graph local topology is introduced. To the best of our knowledge, it is the first GNN-based self-supervised method for the multiclass classification of network flows in NIDS. Detailed experiments conducted on four real-world databases (NF-Bot-IoT, NF-Bot-IoT-v2, NF-CSE-CIC-IDS2018, and NF-CSE-CIC-IDS2018-v2) systematically compare our model with the state-of-the-art supervised and self-supervised models, illustrating the considerable potential of our method. Our code is accessible through https://github.com/renj-xu/NEGSC.

Paper Structure

This paper contains 25 sections, 12 equations, 8 figures, 11 tables, and 1 algorithm.

Figures (8)

  • Figure 1: Converting Netflow-based data into graph representation. An arrow along with nodes indicates a network traffic flow from the source host to the destination host. Normal and attack flows are denoted by black and red arrows, respectively, where different shades of red arrows indicate different types of attacks.
  • Figure 2: The architecture of NEGAT. $h$ and $e$ represent node features and edge features, respectively. The outputs of the NEGAT layer, $h_v$, are fed to the merged layer to generate the final representation of $e^{out}$. Different colored arrows indicate different attention heads, and the bottom two nodes represent the operation used in our model to concatenate attention heads.
  • Figure 3: The architecture of our method. We first employ the encoder to obtain the graph embedding. Then, we obtain the subgraph for every sampled center node. Next, we use the generation module to generate the contrastive sample of each sampled subgraph, and pair the sampled and generated subgraphs that share the same center node as positive samples, while subgraphs with different center nodes form the negative samples. Finally, we use the proposed loss function to measure the distance between the topological structures of the subgraph pairs in the positive and negative samples.
  • Figure 4: Confusion matrix of multiclass classification results on NF-BoT-IoT.
  • Figure 5: ROC curve of our method on NF-BoT-IoT.
  • ...and 3 more figures
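The edge-centered view in Figure 1 and the center-node subgraph sampling step of the abstract, as an added illustration that is not the paper's own code (the NEGSC repository is not reproduced here). It builds a graph from constructed NetFlow-style records, with hosts as nodes and each flow as its own feature-carrying edge, and extracts the subgraph of a center node and its direct neighbors; the field order and feature selection are assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not taken from the paper's datasets); the
# field order (src addr, dst addr, dst port, protocol, in bytes, in packets)
# is an assumption modelled loosely on the NF-* dataset layout.
FLOWS = [
    ("10.0.0.1", "10.0.0.2", 80, 6, 1200, 8),
    ("10.0.0.1", "10.0.0.3", 443, 6, 5400, 20),
    ("10.0.0.2", "10.0.0.3", 53, 17, 120, 2),
    ("10.0.0.4", "10.0.0.2", 22, 6, 300, 5),
    ("10.0.0.1", "10.0.0.2", 8080, 6, 90, 1),  # same host pair: a separate edge
]

def build_flow_graph(flows):
    """Hosts become nodes; every flow becomes one directed edge carrying the
    flow's features, so the edge (not the node) is the object to classify."""
    nodes = set()
    edges = {}                      # edge id -> (src, dst, feature vector)
    neighbours = defaultdict(set)   # undirected adjacency for subgraph sampling
    for eid, (src, dst, dport, proto, nbytes, npkts) in enumerate(flows):
        nodes.update((src, dst))
        edges[eid] = (src, dst, [float(dport), float(proto), float(nbytes), float(npkts)])
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    return nodes, edges, neighbours

def center_subgraph(center, edges, neighbours):
    """Subgraph of a sampled center node: the node, its direct neighbours and
    every flow edge whose two endpoints both lie in that set."""
    members = {center} | neighbours[center]
    sub_edges = {eid: e for eid, e in edges.items()
                 if e[0] in members and e[1] in members}
    return members, sub_edges

def sample_subgraphs(centers, edges, neighbours):
    """One subgraph per sampled center; in the paper's scheme a pair sharing a
    center node is a positive sample and pairs with different centers are negatives."""
    return {c: center_subgraph(c, edges, neighbours) for c in centers}

if __name__ == "__main__":
    nodes, edges, nb = build_flow_graph(FLOWS)
    for c, (members, sub) in sample_subgraphs(sorted(nodes), edges, nb).items():
        print(c, sorted(members), sorted(sub))
```

The contrastive view from the interpolated graph and the Wasserstein-based loss are not shown; they are where the paper's own method sits on top of this sampling.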