PPT-GNN: A Practical Pre-Trained Spatio-Temporal Graph Neural Network for Network Security

Louis Van Langendonck, Ismael Castell-Uroz, Pere Barlet-Ros

TL;DR

PPT-GNN is introduced: a practical spatio-temporal GNN that captures the spatio-temporal dynamics of network attacks, enhancing detection performance while being trained under realistic conditions with practical, attainable data features. The paper also shows that a pre-trained PPT-GNN can easily be fine-tuned to unseen networks with minimal labeled examples.

Abstract

Recent works have demonstrated the potential of Graph Neural Networks (GNN) for network intrusion detection. Despite their advantages, a significant gap persists between real-world scenarios, where detection speed is critical, and existing proposals, which operate on large graphs representing several hours of traffic. This gap results in unrealistic operational conditions and impractical detection delays. Moreover, existing models do not generalize well across different networks, hampering their deployment in production environments. To address these issues, we introduce PPTGNN, a practical spatio-temporal GNN for intrusion detection. PPTGNN enables near real-time predictions, while better capturing the spatio-temporal dynamics of network attacks. PPTGNN employs self-supervised pre-training for improved performance and reduced dependency on labeled data. We evaluate PPTGNN on three public datasets and show that it significantly outperforms state-of-the-art models, such as E-ResGAT and E-GraphSAGE, with an average accuracy improvement of 10.38%. Finally, we show that a pre-trained PPTGNN can easily be fine-tuned to unseen networks with minimal labeled examples. This highlights the potential of PPTGNN as a general, large-scale pre-trained model that can effectively operate in diverse network environments.

Paper Structure (14 sections, 4 equations, 4 figures, 3 tables)

Figures (4)

  • Figure 1: Schematic overview of the proposed spatio-temporal PPT-GNN architecture.
  • Figure 2: Performance comparison showing the impact of iteratively adding key components of the PPT-GNN framework for each dataset, and tracking changes in multiclass metrics.
  • Figure 3: Results of few-shot learning experiments: for each pre-training strategy, we train on small training data fractions and track the percentage performance loss in multiclass macro-F1 score relative to the best overall performing PPT-GNN model for each dataset.
  • Figure 4: Confusion matrices. Values are normalized on the model predictions. The diagonal of each matrix represents the match between the actual and the predicted attack.