AutoGraphAD: Unsupervised network anomaly detection using Variational Graph Autoencoders

TL;DR

AutoGraphAD introduces an unsupervised, contrastive learning-based method using Variational Graph Autoencoders for network anomaly detection, eliminating the need for labeled data and enabling faster training and inference.

Contribution

It presents AutoGraphAD, a novel unsupervised approach operating on heterogeneous graphs that outperforms some existing methods without requiring labeled datasets.

Findings

AutoGraphAD achieves comparable or better results than Anomal-E.

It reduces training time by approximately 1.18 orders of magnitude.

Inference time is reduced by about 1.03 orders of magnitude.

Abstract

Network Intrusion Detection Systems (NIDS) are essential tools for detecting network attacks and intrusions. While extensive research has explored the use of supervised Machine Learning for attack detection and characterisation, these methods require accurately labelled datasets, which are very costly to obtain. Moreover, existing public datasets have limited and/or outdated attacks, and many of them suffer from mislabelled data. To reduce the reliance on labelled data, we propose AutoGraphAD, a novel unsupervised anomaly detection based on a Heterogeneous Variational Graph Autoencoder. AutoGraphAD operates on heterogeneous graphs, made from connection and IP nodes that represent network activity. The model is trained using unsupervised and contrastive learning, without relying on any labelled data. The model's losses are then weighted and combined in an anomaly score used for anomaly detection. Overall, AutoGraphAD yields the same, and in some cases better, results than Anomal-E, but without requiring costly downstream anomaly detectors. As a result, AutoGraphAD achieves around 1.18 orders of magnitude faster training and 1.03 orders of magnitude faster inference, which represents a significant advantage for operational deployment.