Efficient Network Representation for GNN-based Intrusion Detection
Hamdi Friji, Alexis Olivereau, and Mireille Sarkiss

TL;DR
This paper introduces a novel flow-based graph representation for network intrusion detection and a GNN framework that outperforms traditional methods, while addressing evaluation reliability issues.
Contribution
It proposes a new flow-based graph structure for intrusion detection and a GNN framework that effectively exploits this structure, improving detection performance.
Findings
Flow-based graph representation enhances detection accuracy.
GNN framework outperforms classical machine learning methods.
Data leakage issues in evaluation procedures are addressed.
Abstract
The last decades have seen a growth in the number of cyber-attacks with severe economic and privacy damages, which reveals the need for network intrusion detection approaches to assist in preventing cyber-attacks and reducing their risks. In this work, we propose a novel network representation as a graph of flows that aims to provide relevant topological information for the intrusion detection task, such as malicious behavior patterns, the relation between phases of multi-step attacks, and the relation between spoofed and pre-spoofed attackers' activities. In addition, we present a Graph Neural Network (GNN) based framework responsible for exploiting the proposed graph structure to classify communication flows by assigning them a maliciousness score. The framework comprises three main steps that aim to embed node features and learn relevant attack patterns from the network…
Taxonomy
Methods: Graph Neural Network
