Few Edges Are Enough: Few-Shot Network Attack Detection with Graph Neural Networks

Tristan Bilot, Nour El Madhoun, Khaldoun Al Agha, Anis Zouaoui

TL;DR

This paper tackles the challenge of detecting network attacks with Graph Neural Networks under limited labeled data. It introduces FEAE, a three-part architecture (GNN encoder, SSL module, few-shot decoder) that combines contrastive and reconstruction-based self-supervised objectives with a minimal set of labeled attack edges to learn attack-aware edge embeddings. Experimental results on two Netflow datasets show that as few as one malicious edge per attack family can achieve performance competitive with fully supervised methods, and FEAE often outperforms self-supervised baselines. The work demonstrates a practical path to reducing labeling burden while maintaining robust attack detection, with implications for scalable, real-world cybersecurity deployments.

Abstract

Detecting cyberattacks using Graph Neural Networks (GNNs) has seen promising results recently. Most of the state-of-the-art models that leverage these techniques require labeled examples, which are hard to obtain in many real-world scenarios. To address this issue, unsupervised learning and Self-Supervised Learning (SSL) have emerged as interesting approaches to reduce the dependency on labeled data. Nonetheless, these methods tend to yield anomaly detection algorithms rather than effective attack detection systems. This paper introduces Few Edges Are Enough (FEAE), a GNN-based architecture trained with SSL and Few-Shot Learning (FSL) to better distinguish between false positive anomalies and actual attacks. To maximize the potential of few-shot examples, our model employs a hybrid self-supervised objective that combines the advantages of contrastive-based and reconstruction-based SSL. By leveraging only a minimal number of labeled attack events, represented as attack edges, FEAE achieves competitive performance on two well-known network datasets compared to both supervised and unsupervised methods. Remarkably, our experimental results reveal that employing only 1 malicious event for each attack type in the dataset is sufficient to achieve substantial improvements. FEAE not only outperforms self-supervised GNN baselines but also surpasses some supervised approaches on one of the datasets.

Paper Structure

This paper contains 23 sections, 13 equations, 3 figures, 2 tables.

Figures (3)

  • Figure 1: Illustration of the few-shot aware reconstruction-based loss. a) The GNN encoder first compiles features from the local neighborhood edges to produce edge embeddings. Here, red edges represent malicious few-shot edges, whereas green edges symbolize non-few-shot edges, presumed to contain a high rate of benign edges. b) The SSL module leverages the few-shot edges by maximizing the loss associated with these malicious events. This action compels the encoder to create dissimilar edge embeddings for the malicious few-shot edges, ensuring they are easily distinguishable from benign edges. c) The loss function is also designed to minimize the loss for all non-malicious edges.
  • Figure 2: FEAE performance with respect to $k$. Setting $k=0$ indicates that only benign edges are used for training, without any labeled malicious edge.
  • Figure 3: Left: Some edge embeddings produced by Anomal-E. Note that the few-shot edges are just for comparison as they are not leveraged in the original Anomal-E. Right: Edge embeddings generated by FEAE.