Table of Contents
Fetching ...

GPML: Graph Processing for Machine Learning

Majed Jaber, Julien Michel, Nicolas Boutry, Pierre Parrend

TL;DR

GPML presents a Python-based library that transforms raw network traffic into graph representations to enable graph-analytic attack detection in dynamic networks. It combines Dynamic Graph Community (DGC) metrics and spectral metrics (SPECTRA) to capture evolving interaction patterns and topological changes over time, aided by time-windowed processing and visualization. The authors detail architecture, implementation, and functionality for data preparation, feature extraction, and visualization, and demonstrate improvements on datasets such as UGR16, TonIoT, and Botnet, highlighting the value of graph-based insights for security tasks. The work positions GPML as a scalable platform for real-time and forensic network analysis and outlines future directions toward AI-driven threat detection and integration with broader security workflows.

Abstract

The dramatic increase of complex, multi-step, and rapidly evolving attacks in dynamic networks involves advanced cyber-threat detectors. The GPML (Graph Processing for Machine Learning) library addresses this need by transforming raw network traffic traces into graph representations, enabling advanced insights into network behaviors. The library provides tools to detect anomalies in interaction and community shifts in dynamic networks. GPML supports community and spectral metrics extraction, enhancing both real-time detection and historical forensics analysis. This library supports modern cybersecurity challenges with a robust, graph-based approach.

GPML: Graph Processing for Machine Learning

TL;DR

GPML presents a Python-based library that transforms raw network traffic into graph representations to enable graph-analytic attack detection in dynamic networks. It combines Dynamic Graph Community (DGC) metrics and spectral metrics (SPECTRA) to capture evolving interaction patterns and topological changes over time, aided by time-windowed processing and visualization. The authors detail architecture, implementation, and functionality for data preparation, feature extraction, and visualization, and demonstrate improvements on datasets such as UGR16, TonIoT, and Botnet, highlighting the value of graph-based insights for security tasks. The work positions GPML as a scalable platform for real-time and forensic network analysis and outlines future directions toward AI-driven threat detection and integration with broader security workflows.

Abstract

The dramatic increase of complex, multi-step, and rapidly evolving attacks in dynamic networks involves advanced cyber-threat detectors. The GPML (Graph Processing for Machine Learning) library addresses this need by transforming raw network traffic traces into graph representations, enabling advanced insights into network behaviors. The library provides tools to detect anomalies in interaction and community shifts in dynamic networks. GPML supports community and spectral metrics extraction, enhancing both real-time detection and historical forensics analysis. This library supports modern cybersecurity challenges with a robust, graph-based approach.
Paper Structure (12 sections, 6 figures, 5 tables)

This paper contains 12 sections, 6 figures, 5 tables.

Figures (6)

  • Figure 1: UML diagram showing the structure of the GPML library
  • Figure 2: UML workflow diagram community strategy
  • Figure 3: UML workflow diagram for spectral graph strategy
  • Figure 4: Ransomware attack in Ton-IoT dataset presented via HTML using graphviz function that exist in GPML library
  • Figure 5: Comparison of graph community approaches with baseline on UGR16 dataset with 5-folds evaluation using XGboost. Base set is original dataset feature space, the other one are the same dataset enriched with incrementally: graph metrics, graph community metrics and dynamic graphe community metrics.
  • ...and 1 more figures