Efficient Network Representation for GNN-based Intrusion Detection
This work addresses the problem of improving intrusion detection for cybersecurity systems, though it appears incremental as it builds on existing GNN methods with a new graph structure.
The authors tackled network intrusion detection by proposing a novel graph representation of flows to capture malicious behavior patterns and multi-step attack relations, and developed a GNN-based framework that outperformed classical machine learning and previous GNN solutions.
The last decades have seen a growth in the number of cyber-attacks with severe economic and privacy damages, which reveals the need for network intrusion detection approaches to assist in preventing cyber-attacks and reducing their risks. In this work, we propose a novel network representation as a graph of flows that aims to provide relevant topological information for the intrusion detection task, such as malicious behavior patterns, the relation between phases of multi-step attacks, and the relation between spoofed and pre-spoofed attackers activities. In addition, we present a Graph Neural Network (GNN) based framework responsible for exploiting the proposed graph structure to classify communication flows by assigning them a maliciousness score. The framework comprises three main steps that aim to embed nodes features and learn relevant attack patterns from the network representation. Finally, we highlight a potential data leakage issue with classical evaluation procedures and suggest a solution to ensure a reliable validation of intrusion detection systems performance. We implement the proposed framework and prove that exploiting the flow-based graph structure outperforms the classical machine learning-based and the previous GNN-based solutions.