Investigation and rectification of NIDS datasets and standardized feature set derivation for network attack detection with graph neural networks

TL;DR

This paper identifies issues in existing NIDS datasets, introduces a refined dataset and standardized features derived from NetFlowv5 data, and demonstrates high accuracy in attack detection using graph neural networks, emphasizing data quality and preprocessing.

Contribution

It presents a new labeled version of ToN-IoT, a standardized feature set for NIDS, and an improved GNN-based classification method for network attack detection.

Findings

High classification accuracy on ToN-IoT-R dataset

Effective normalization approach preserves feature meaning

Importance of careful data collection and preprocessing

Abstract

Network Intrusion and Detection Systems (NIDS) are essential for malicious traffic and cyberattack detection in modern networks. Artificial intelligence-based NIDS are powerful tools that can learn complex data correlations for accurate attack prediction. Graph Neural Networks (GNNs) provide an opportunity to analyze network topology along with flow features which makes them particularly suitable for NIDS applications. However, successful application of such tool requires large amounts of carefully collected and labeled data for training and testing. In this paper we inspect different versions of ToN-IoT dataset and point out inconsistencies in some versions. We filter the full version of ToN-IoT and present a new version labeled ToN-IoT-R. To ensure generalization we propose a new standardized and compact set of flow features which are derived solely from NetFlowv5-compatible data. We separate numeric data and flags into different categories and propose a new dataset-agnostic normalization approach for numeric features. This allows us to preserve meaning of flow flags and we propose to conduct targeted analysis based on, for instance, network protocols. For flow classification we use E-GraphSage algorithm with modified node initialization technique that allows us to add node degree to node features. We achieve high classification accuracy on ToN-IoT-R and compare it with previously published results for ToN-IoT, NF-ToN-IoT, and NF-ToN-IoT-v2. We highlight the importance of careful data collection and labeling and appropriate data preprocessing choice and conclude that the proposed set of features is more applicable for real NIDS due to being less demanding to traffic monitoring equipment while preserving high flow classification accuracy.