Detecting Anomalous Network Communication Patterns Using Graph Convolutional Networks

TL;DR

This paper introduces GCNetOmaly, a graph convolutional network-based variational autoencoder that detects anomalous network communication patterns by analyzing connection graphs and machine features, effectively identifying cyber threats.

Contribution

The paper presents a novel GCN-based VAE model for anomaly detection in network communication data, combining structural and feature information for improved cyberattack detection.

Findings

Effective detection of anomalous machine behavior in large-scale data

Successful evaluation on real-world financial organization data

Demonstrated effectiveness in unsupervised anomaly detection

Abstract

To protect an organizations' endpoints from sophisticated cyberattacks, advanced detection methods are required. In this research, we present GCNetOmaly: a graph convolutional network (GCN)-based variational autoencoder (VAE) anomaly detector trained on data that include connection events among internal and external machines. As input, the proposed GCN-based VAE model receives two matrices: (i) the normalized adjacency matrix, which represents the connections among the machines, and (ii) the feature matrix, which includes various features (demographic, statistical, process-related, and Node2vec structural features) that are used to profile the individual nodes/machines. After training the model on data collected for a predefined time window, the model is applied on the same data; the reconstruction score obtained by the model for a given machine then serves as the machine's anomaly score. GCNetOmaly was evaluated on real, large-scale data logged by Carbon Black EDR from a large financial organization's automated teller machines (ATMs) as well as communication with Active Directory (AD) servers in two setups: unsupervised and supervised. The results of our evaluation demonstrate GCNetOmaly's effectiveness in detecting anomalous behavior of machines on unsupervised data.