Detecting Contextual Network Anomalies with Graph Neural Networks
This paper addresses the problem of detecting anomalies in massive, dynamic network traffic for network operators, but it is incremental, as it applies an existing method (GNN) to a specific domain.
The paper tackles network traffic anomaly detection by proposing a Graph Neural Network (GNN)-based solution for contextual anomaly detection on origin-destination flows. The anomalies it detects are largely complementary to those of the baselines (at most 36.33% overlap, for PCA), and in manual validation 64% of the detected anomalies were confirmed with high confidence.
Detecting anomalies in network traffic is a complex task due to the massive amount of traffic flows in today's networks, as well as the highly dynamic nature of traffic over time. In this paper, we propose the use of Graph Neural Networks (GNN) for network traffic anomaly detection. We formulate the problem as contextual anomaly detection on network traffic measurements, and propose a custom GNN-based solution that detects traffic anomalies on origin-destination flows. In our evaluation, we use real-world data from Abilene (6 months), and make a comparison with other widely used methods for the same task (PCA, EWMA, RNN). The results show that the anomalies detected by our solution are quite complementary to those captured by the baselines (with a max. of 36.33% overlapping anomalies for PCA). Moreover, we manually inspect the anomalies detected by our method, and find that a large portion of them can be visually validated by a network expert (64% with high confidence, 18% with mid confidence, 18% normal traffic). Lastly, we analyze the characteristics of the anomalies through two paradigmatic cases that are quite representative of the bulk of anomalies.