Towards a graph-based foundation model for network traffic analysis
This work addresses the need for adaptable and efficient models in computer network traffic analysis. It offers a novel graph-based approach that could serve as a foundational model for operational use, though the contribution is incremental in that it builds on existing foundation model concepts.
The paper tackled the problem of network traffic analysis by proposing a graph-based foundation model that represents traffic as a dynamic spatio-temporal graph and uses self-supervised link prediction for pretraining. The result was a 6.87% average performance increase in few-shot learning for downstream tasks like intrusion detection, traffic classification, and botnet classification compared to training from scratch.
Foundation models have shown great promise in various fields of study. A potential application of such models is in computer network traffic analysis, where these models can grasp the complexities of network traffic dynamics and adapt to any specific task or network environment with minimal fine-tuning. Previous approaches have used tokenized hex-level packet data and the model architecture of large language transformer models. We propose a new, efficient graph-based alternative at the flow-level. Our approach represents network traffic as a dynamic spatio-temporal graph, employing a self-supervised link prediction pretraining task to capture the spatial and temporal dynamics in this network graph framework. To evaluate the effectiveness of our approach, we conduct a few-shot learning experiment for three distinct downstream network tasks: intrusion detection, traffic classification, and botnet classification. Models fine-tuned from our pretrained base achieve an average performance increase of 6.87% over training from scratch, demonstrating their ability to effectively learn general network traffic dynamics during pretraining. This success suggests the potential for a large-scale version to serve as an operational foundational model.
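The sketch below is an added illustration, not the paper's code: it shows one way flow records can be turned into time-windowed graph snapshots and then into self-supervised link prediction samples, where the labels come from the traffic itself. It assumes hosts as nodes, fixed-length windows and exhaustive negative candidates; the flow records and the function names `snapshots` and `link_prediction_samples` are constructed for the example.

```python
from collections import defaultdict
from itertools import permutations

# Constructed flow records (not from the paper): (start_time_s, src, dst, bytes)
FLOWS = [
    (0, "10.0.0.1", "10.0.0.9", 1200),
    (3, "10.0.0.2", "10.0.0.9", 800),
    (12, "10.0.0.1", "10.0.0.9", 400),
    (14, "10.0.0.3", "10.0.0.7", 90),
    (21, "10.0.0.3", "10.0.0.9", 60),
    (25, "10.0.0.2", "10.0.0.7", 500),
]

def snapshots(flows, window_s):
    """Bucket flows into fixed windows (assumption); each snapshot is a
    directed graph {(src, dst): total_bytes}. Empty windows are skipped."""
    graphs = defaultdict(lambda: defaultdict(int))
    for t, src, dst, nbytes in flows:
        graphs[t // window_s][(src, dst)] += nbytes
    return [dict(graphs[w]) for w in sorted(graphs)]

def link_prediction_samples(snaps):
    """Build (t, src, dst, seen_before, label) tuples for each step t.
    label is True when the edge appears in snapshot t+1, so no manual
    annotation is needed. seen_before is a simple history feature: the
    edge occurred in some snapshot up to and including t."""
    samples, history, hosts = [], set(), set()
    for t in range(len(snaps) - 1):
        history |= set(snaps[t])
        for edge in list(snaps[t]) + list(snaps[t + 1]):
            hosts.update(edge)
        # Every ordered host pair is a candidate; non-edges are the negatives.
        for src, dst in permutations(sorted(hosts), 2):
            pair = (src, dst)
            samples.append((t, src, dst, pair in history, pair in snaps[t + 1]))
    return samples

if __name__ == "__main__":
    snaps = snapshots(FLOWS, window_s=10)
    samples = link_prediction_samples(snaps)
    positives = [s for s in samples if s[4]]
    print(f"{len(snaps)} snapshots, {len(samples)} samples, {len(positives)} positive")
    for s in positives:
        print(s)
```

On this data every link that appears in the last window is new, so a model that only memorizes past edges would miss them; a pretraining objective of this kind has to learn structure and timing instead.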