GTCN-G: A Residual Graph-Temporal Fusion Network for Imbalanced Intrusion Detection (Preprint)

TL;DR

The paper tackles intrusion detection under severe class imbalance by proposing GTCN-G, a hybrid architecture that blends a Gated Temporal Convolutional Network (G-TCN) for temporal patterns with an adaptive Graph Convolutional Network (GCN) on a line-graph representation, augmented by a residual Graph Attention Network to preserve original features. It combines a Graph-SAGE-inspired edge representation with a four-branch processing pipeline (Temporal, Spatial, Attention, and Residual) to capture both temporal and topological signals, and learns a dynamic adjacency with $A_{adp} = SoftMax(ReLU(E_1 E_2^T))$ alongside diffusion-based propagation. Evaluations on UNSW-NB15 and ToN-IoT using F1-score show state-of-the-art performance for both binary and multi-class tasks, with strong improvements in minority-class detection as demonstrated by confusion matrices. The results underscore the value of tightly integrating temporal and graph-based learning while explicitly addressing data imbalance for robust, real-world NIDS applications.

Abstract

The escalating complexity of network threats and the inherent class imbalance in traffic data present formidable challenges for modern Intrusion Detection Systems (IDS). While Graph Neural Networks (GNNs) excel in modeling topological structures and Temporal Convolutional Networks (TCNs) are proficient in capturing time-series dependencies, a framework that synergistically integrates both while explicitly addressing data imbalance remains an open challenge. This paper introduces a novel deep learning framework, named Gated Temporal Convolutional Network and Graph (GTCN-G), engineered to overcome these limitations. Our model uniquely fuses a Gated TCN (G-TCN) for extracting hierarchical temporal features from network flows with a Graph Convolutional Network (GCN) designed to learn from the underlying graph structure. The core innovation lies in the integration of a residual learning mechanism, implemented via a Graph Attention Network (GAT). This mechanism preserves original feature information through residual connections, which is critical for mitigating the class imbalance problem and enhancing detection sensitivity for rare malicious activities (minority classes). We conducted extensive experiments on two public benchmark datasets, UNSW-NB15 and ToN-IoT, to validate our approach. The empirical results demonstrate that the proposed GTCN-G model achieves state-of-the-art performance, significantly outperforming existing baseline models in both binary and multi-class classification tasks.

Figures (6)

• Figure 1: Architecture of the proposed GTCN-G and Graph-SAGE-based intrusion detection method.
• Figure 2: Bipartite Graph to Line Graph Transformation for Network Flow Edge Classification.
• Figure 3: GTCN-G network structure diagram.
• Figure 4: The detailed architecture of the proposed GTCN-G model. Input data, represented as a line graph, is processed through four parallel feature-learning branches: (a) a Temporal Branch using Gated TCNs to capture time-series dependencies; (b) a Spatial Branch using an adaptive graph convolution to learn topological patterns; (c) an Attention Branch employing multi-head attention for weighted neighbor aggregation; and (d) a Residual Branch that preserves original node features to combat class imbalance. The outputs from these branches are then fused for final classification.
• Figure 5: Multi-class confusion matrix for the UNSW-NB15 dataset.