Towards a graph-based foundation model for network traffic analysis
Louis Van Langendonck, Ismael Castell-Uroz, Pere Barlet-Ros

TL;DR
This paper introduces a novel graph-based foundation model for network traffic analysis that captures dynamic spatial-temporal patterns and improves downstream task performance with minimal fine-tuning.
Contribution
It proposes a new flow-level, graph-based approach with self-supervised pretraining, advancing beyond tokenized packet data and transformer architectures.
Findings
Achieved an average 6.87% performance increase in downstream tasks.
Demonstrated effective learning of network traffic dynamics during pretraining.
Validated the approach on intrusion detection, traffic classification, and botnet detection.
Abstract
Foundation models have shown great promise in various fields of study. A potential application of such models is in computer network traffic analysis, where these models can grasp the complexities of network traffic dynamics and adapt to any specific task or network environment with minimal fine-tuning. Previous approaches have used tokenized hex-level packet data and the model architecture of large language transformer models. We propose a new, efficient graph-based alternative at the flow level. Our approach represents network traffic as a dynamic spatio-temporal graph, employing a self-supervised link prediction pretraining task to capture the spatial and temporal dynamics in this network graph framework. To evaluate the effectiveness of our approach, we conduct a few-shot learning experiment for three distinct downstream network tasks: intrusion detection, traffic classification,…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Complex Network Analysis Techniques
Methods: Balanced Selection
