Pro-ZD: A Transferable Graph Neural Network Approach for Proactive Zero-Day Threats Mitigation

Nardine Basta, Firas Ben Hmida, Houssem Jmal, Muhammad Ikram, Mohamed Ali Kaafar, Andy Walker

TL;DR

Pro-ZD addresses the challenge of proactively mitigating zero-day threats in dynamically structured enterprise networks by learning transferable weighted shortest paths to critical assets with GraphWSP, a stacked GNN combining SPGNN distance ideas with Graph Attention for edge weights. The framework autonomously assesses firewall rule risk and mitigates high-risk connections by adjusting Zero Trust policies, aiming to block exploitable paths without disrupting normal operations. GraphWSP demonstrates strong transferability and outperforms the SPAGAN baseline in both transductive and inductive settings, while Pro-ZD achieves high accuracy and ROC across real and synthetic datasets, indicating practical potential for automated, proactive network defense. The work highlights the value of inductive, structure-aware GNNs in dynamic security environments and provides a concrete pathway for integrating graph-based risk assessment with automated policy updates in real-world deployments.

Abstract

In today's enterprise network landscape, the combination of perimeter and distributed firewall rules governs connectivity. To address challenges arising from increased traffic and diverse network architectures, organizations employ automated tools for firewall rule and access policy generation. Yet, effectively managing risks arising from dynamically generated policies, especially concerning critical asset exposure, remains a major challenge. This challenge is amplified by evolving network structures due to trends like remote users, bring-your-own devices, and cloud integration. This paper introduces a novel graph neural network model for identifying weighted shortest paths. The model aids in detecting network misconfigurations and high-risk connectivity paths that threaten critical assets, potentially exploited in zero-day attacks -- cyber-attacks exploiting undisclosed vulnerabilities. The proposed Pro-ZD framework adopts a proactive approach, automatically fine-tuning firewall rules and access policies to address high-risk connections and prevent unauthorized access. Experimental results highlight the robustness and transferability of Pro-ZD, achieving over 95% average accuracy in detecting high-risk connections.
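The abstract describes the core idea of scoring firewall rules by the weighted shortest path they open from untrusted sources to critical assets, then tightening policy on the highest-risk rules without breaking approved connectivity. The following is an added illustration of that idea, not code from the paper or the Pro-ZD authors: it replaces the learned GraphWSP model with a classical Dijkstra computation, and the rule set, hop weights, criticality values, compliance flags and 0.4 threshold are all constructed for the example. Each rule is scored by the shortest untrusted-to-critical path that traverses it, scaled by asset criticality; rules above the threshold are denied only when they are non-compliant, while compliant ones are reported for review so that approved paths stay open.

```python
"""Weighted-shortest-path exposure scoring of firewall rules (added example)."""
import heapq
from collections import defaultdict

# Constructed rule set (not from the paper): (src, dst, weight, compliant).
# weight: cost an attacker pays to traverse the hop; 1.0 = permissive rule,
# larger = more restricted. compliant: whether the rule matches approved policy.
FIREWALL_RULES = [
    ("internet",  "dmz-web",  1.0, True),
    ("dmz-web",   "app-01",   2.0, True),
    ("app-01",    "db-01",    3.0, True),
    ("vpn-users", "jump-01",  2.0, True),
    ("jump-01",   "db-01",    2.0, True),
    ("dmz-web",   "db-01",    1.0, False),  # auto-generated shortcut, undocumented
    ("byod-wifi", "app-01",   1.0, True),
    ("app-01",    "hr-files", 2.0, True),
]
CRITICAL_ASSETS = {"db-01": 1.0, "hr-files": 0.8}   # constructed criticality in (0, 1]
UNTRUSTED_SOURCES = {"internet", "vpn-users", "byod-wifi"}
SUPER_SOURCE = "__untrusted__"   # virtual node joined to every untrusted source


def dijkstra(adj, source):
    """Shortest weighted distance from source to every reachable node."""
    dist = {source: 0.0}
    heap = [(0.0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in adj.get(u, ()):
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def score_rules(rules, untrusted, critical):
    """Risk of each rule = max over critical assets of
    criticality / (shortest untrusted->asset path that uses this rule)."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, dst, w, _ in rules:
        fwd[src].append((dst, w))
        rev[dst].append((src, w))
    for s in untrusted:
        fwd[SUPER_SOURCE].append((s, 0.0))
    dist_in = dijkstra(fwd, SUPER_SOURCE)          # untrusted -> every node
    dist_out = {a: dijkstra(rev, a) for a in critical}  # every node -> asset
    scores = {}
    for src, dst, w, _ in rules:
        best = 0.0
        for asset, crit in critical.items():
            if src in dist_in and dst in dist_out[asset]:
                path_len = dist_in[src] + w + dist_out[asset][dst]
                best = max(best, crit / path_len)
        scores[(src, dst)] = round(best, 4)
    return scores


def propose_mitigation(rules, untrusted, critical, threshold):
    """Return (deny, review): non-compliant rules at or above the threshold are
    denied; compliant ones are only reported so approved paths stay open."""
    scores = score_rules(rules, untrusted, critical)
    deny, review = [], []
    for src, dst, _, compliant in rules:
        if scores[(src, dst)] >= threshold:
            (review if compliant else deny).append((src, dst))
    return deny, review


def apply_denies(rules, deny):
    """Rule set with the denied (src, dst) pairs removed."""
    blocked = set(deny)
    return [r for r in rules if (r[0], r[1]) not in blocked]


if __name__ == "__main__":
    before = score_rules(FIREWALL_RULES, UNTRUSTED_SOURCES, CRITICAL_ASSETS)
    deny, review = propose_mitigation(FIREWALL_RULES, UNTRUSTED_SOURCES, CRITICAL_ASSETS, 0.4)
    after = score_rules(apply_denies(FIREWALL_RULES, deny), UNTRUSTED_SOURCES, CRITICAL_ASSETS)
    for edge in sorted(before, key=before.get, reverse=True):
        print(f"{edge[0]:>10} -> {edge[1]:<9} risk {before[edge]:.3f} -> {after.get(edge, 0.0):.3f}")
    print("deny:", deny, "review:", review)
```

In the constructed topology the undocumented `dmz-web -> db-01` shortcut and the perimeter rule `internet -> dmz-web` both score 0.5, because together they form a two-hop path to the most critical asset. Denying only the non-compliant shortcut drops the perimeter rule's score to about 0.167 without touching the approved web-to-app path, which is the "block exploitable paths without disrupting normal operations" behaviour the framework aims for; a learned model such as GraphWSP replaces the explicit Dijkstra pass so the scoring transfers to graphs it was not trained on.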

Paper Structure (22 sections, 12 equations, 7 figures, 8 tables)

Figures (7)

  • Figure 1: GraphWSP Architecture. In this diagram, the upper GNN depicts the GAT model employed for acquiring the weighted shortest path embedding. It receives four input features (asset criticality $FD_4$, link to critical asset $FD_7$, edges compliance $FD_8$, and shortest path length computed by the SPGNN $SP$). The lower section illustrates the DNN responsible for the downstream classification task. The output indicates whether the structure feature is activated for the edge under evaluation. The DNN takes as input the GAT output, asset criticality $FD_4$, link to critical asset $FD_7$, edges compliance $FD_8$, and the shortest path length $SP$ computed by the SPGNN.
  • Figure 2: Edge Risk Assessment Model Architecture. The model takes as input the predicted weighted shortest path embedding $FS_{1}$ from the GraphWSP model and 5 directly encoded features $FD_{i}$.
  • Figure 3: Train/test cut off for the W-SPGNN based on the F1 score for 4 different datasets
  • Figure 4: GraphWSP Cross Entropy loss convergence.
  • Figure 5: ROC curves of the Pro-ZD edge classification in the semi-supervised setting.