AutoGraphAD: A novel approach using Variational Graph Autoencoders for anomalous network flow detection
This addresses the challenge of costly labeled data in network security for organizations, though it is incremental as it builds on existing unsupervised methods.
The paper tackles the problem of network intrusion detection by proposing AutoGraphAD, an unsupervised anomaly detection method using a Heterogeneous Variational Graph Autoencoder, which achieves comparable or better results than previous approaches while being significantly faster, with around 1.18 orders of magnitude faster training and 1.03 orders of magnitude faster inference.
Network Intrusion Detection Systems (NIDS) are essential tools for detecting network attacks and intrusions. While extensive research has explored the use of supervised Machine Learning for attack detection and characterisation, these methods require accurately labelled datasets, which are very costly to obtain. Moreover, existing public datasets have limited and/or outdated attacks, and many of them suffer from mislabelled data. To reduce the reliance on labelled data, we propose AutoGraphAD, a novel unsupervised anomaly detection approach based on a Heterogeneous Variational Graph Autoencoder. AutoGraphAD operates on heterogeneous graphs, made from connection and IP nodes that capture network activity within a time window. The model is trained using unsupervised and contrastive learning, without relying on any labelled data. The reconstruction, structural loss, and KL divergence are then weighted and combined in an anomaly score that is then used for anomaly detection. Overall, AutoGraphAD yields the same, and in some cases better, results than previous unsupervised approaches, such as Anomal-E, but without requiring costly downstream anomaly detectors. As a result, AutoGraphAD achieves around 1.18 orders of magnitude faster training and 1.03 orders of magnitude faster inference, which represents a significant advantage for operational deployment.