Nov 30, 2023

Detecting Anomalous Network Communication Patterns Using Graph Convolutional Networks

arXiv:2311.18525v1 | 2 citations | h-index: 72
Originality: Incremental advance
AI Analysis

This addresses the problem of protecting organizational endpoints from cyberattacks, a concern for cybersecurity professionals, but the advance is incremental because it combines existing GCN and VAE methods.

The paper tackled detecting anomalous network communication patterns in cybersecurity by proposing GCNetOmaly, a graph convolutional network-based variational autoencoder, and demonstrated its effectiveness in detecting anomalous machine behavior on unsupervised real-world data from a financial organization's ATMs and Active Directory servers.

To protect an organization's endpoints from sophisticated cyberattacks, advanced detection methods are required. In this research, we present GCNetOmaly: a graph convolutional network (GCN)-based variational autoencoder (VAE) anomaly detector trained on data that include connection events among internal and external machines. As input, the proposed GCN-based VAE model receives two matrices: (i) the normalized adjacency matrix, which represents the connections among the machines, and (ii) the feature matrix, which includes various features (demographic, statistical, process-related, and Node2vec structural features) that are used to profile the individual nodes/machines. After training the model on data collected for a predefined time window, the model is applied to the same data; the reconstruction score obtained by the model for a given machine then serves as the machine's anomaly score. GCNetOmaly was evaluated on real, large-scale data logged by Carbon Black EDR from a large financial organization's automated teller machines (ATMs) as well as communication with Active Directory (AD) servers in two setups: unsupervised and supervised. The results of our evaluation demonstrate GCNetOmaly's effectiveness in detecting anomalous behavior of machines on unsupervised data.
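The input construction the abstract describes, as an added illustration that is not the paper's code: connection events become an undirected adjacency matrix with symmetric GCN normalization, a per-machine feature matrix stands in for the paper's demographic/statistical/process/Node2vec features, and one untrained GCN layer plus an inner-product decoder stands in for the VAE, with the per-row reconstruction error serving as the machine's anomaly score. The event sample, feature set, weight matrix and decoder are all assumptions made here.

```python
import numpy as np

# Constructed connection events (source, destination); not the paper's EDR data.
EVENTS = [("atm-01", "ad-01"), ("atm-02", "ad-01"), ("atm-03", "ad-01"),
          ("atm-01", "ad-01"), ("atm-03", "ext-198.51.100.7")]

def build_adjacency(events):
    """Undirected 0/1 adjacency matrix over every machine seen in the events."""
    nodes = sorted({m for e in events for m in e})
    idx = {m: i for i, m in enumerate(nodes)}
    A = np.zeros((len(nodes), len(nodes)))
    for s, d in events:
        A[idx[s], idx[d]] = A[idx[d], idx[s]] = 1.0
    return nodes, A

def normalize_adjacency(A):
    """Symmetric GCN normalization D^-1/2 (A + I) D^-1/2, with self-loops added."""
    A_hat = A + np.eye(len(A))
    d_inv_sqrt = np.diag(1.0 / np.sqrt(A_hat.sum(axis=1)))
    return d_inv_sqrt @ A_hat @ d_inv_sqrt

def node_features(events, nodes):
    """Per-machine rows [outbound events, inbound events, distinct peers, is_external];
    a constructed stand-in for the paper's richer feature set."""
    out_c = {n: 0 for n in nodes}; in_c = dict(out_c); peers = {n: set() for n in nodes}
    for s, d in events:
        out_c[s] += 1; in_c[d] += 1; peers[s].add(d); peers[d].add(s)
    return np.array([[out_c[n], in_c[n], len(peers[n]), float(n.startswith("ext-"))]
                     for n in nodes], dtype=float)

def gcn_layer(A_norm, X, W):
    """One GCN propagation step: ReLU(A_norm @ X @ W)."""
    return np.maximum(0.0, A_norm @ X @ W)

def reconstruction_scores(A, Z):
    """Inner-product decoder sigmoid(Z Z^T); a machine's anomaly score is the mean
    squared error between its reconstructed and original adjacency row."""
    A_rec = 1.0 / (1.0 + np.exp(-(Z @ Z.T)))
    return ((A_rec - A) ** 2).mean(axis=1)

def score_machines(events, seed=0):
    """Pipeline with an untrained random weight matrix (assumption: a trained VAE
    would replace W and the decoder); returns {machine: anomaly score}."""
    nodes, A = build_adjacency(events)
    X = node_features(events, nodes)
    X = X / np.maximum(X.max(axis=0), 1.0)          # column-scale the features
    W = np.random.default_rng(seed).normal(size=(X.shape[1], 8))
    Z = gcn_layer(normalize_adjacency(A), X, W)
    return dict(zip(nodes, reconstruction_scores(A, Z)))

if __name__ == "__main__":
    for m, s in sorted(score_machines(EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{m:20s} {s:.3f}")
```

Machines whose connection rows the model reconstructs poorly rank highest; in the paper's setting that ranking is produced after training on the time window, not by random weights.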
