Multi-stage Attack Detection and Prediction Using Graph Neural Networks: An IoT Feasibility Study

TL;DR

This paper introduces a three-stage graph neural network-based intrusion detection system inspired by the cyber kill chain, demonstrating high accuracy and potential for real-world IoT security applications.

Contribution

It presents a novel multi-stage detection framework using GNNs for IoT attack prediction, outperforming traditional methods and exploring attack prediction feasibility.

Findings

Achieved 94% average F1-Score across stages

Outperformed Random-forest benchmark approaches

Demonstrated potential for real-world IoT intrusion detection

Abstract

With the ever-increasing reliance on digital networks for various aspects of modern life, ensuring their security has become a critical challenge. Intrusion Detection Systems play a crucial role in ensuring network security, actively identifying and mitigating malicious behaviours. However, the relentless advancement of cyber-threats has rendered traditional/classical approaches insufficient in addressing the sophistication and complexity of attacks. This paper proposes a novel 3-stage intrusion detection system inspired by a simplified version of the Lockheed Martin cyber kill chain to detect advanced multi-step attacks. The proposed approach consists of three models, each responsible for detecting a group of attacks with common characteristics. The detection outcome of the first two stages is used to conduct a feasibility study on the possibility of predicting attacks in the third stage. Using the ToN IoT dataset, we achieved an average of 94% F1-Score among different stages, outperforming the benchmark approaches based on Random-forest model. Finally, we comment on the feasibility of this approach to be integrated in a real-world system and propose various possible future work.