CyberGFM: Graph Foundation Models for Lateral Movement Detection in Enterprise Networks
Isaiah J. King, Bernardo Trindade, Benjamin Bowman, H. Howie Huang

TL;DR
CyberGFM leverages transformer-based foundation models to enhance network anomaly detection by combining the efficiency of random walks with deep semantic representations, achieving state-of-the-art results.
Contribution
The paper introduces CyberGFM, a novel transformer-based graph foundation model that improves lateral movement detection in enterprise networks by integrating rich edge data and efficient training.
Findings
Achieved up to 2× improvement in average precision on benchmark datasets.
Outperformed prior unsupervised link prediction methods with similar parameters.
Demonstrated efficiency comparable to previous best approaches.
Abstract
Representing networks as a graph and training a link prediction model using benign connections is an effective method of anomaly-based intrusion detection. Existing works using this technique have shown great success using temporal graph neural networks and skip-gram-based approaches on random walks. However, random walk-based approaches are unable to incorporate rich edge data, while the GNN-based approaches require large amounts of memory to train. In this work, we propose extending the original insight from random walk-based skip-grams--that random walks through a graph are analogous to sentences in a corpus--to the more modern transformer-based foundation models. Using language models that take advantage of GPU optimizations, we can quickly train a graph foundation model to predict missing tokens in random walks through a network of computers. The graph foundation model is then…
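As an added illustration of the abstract's "random walks are sentences" idea (not the paper's code), the sketch below turns connection events into walk sentences that carry edge data as tokens, then hides one token per walk as a prediction target. The node, edge, node token layout, the single-token masking and the sample events are assumptions made for this example.

```python
import random
from collections import defaultdict

# Constructed sample auth events (src, dst, auth type, outcome); not from the paper's datasets.
EVENTS = [
    ("ws01", "dc01", "kerberos", "success"),
    ("ws01", "fs01", "ntlm", "success"),
    ("ws02", "dc01", "kerberos", "success"),
    ("dc01", "fs01", "kerberos", "success"),
    ("dc01", "ws01", "kerberos", "success"),
    ("fs01", "dc01", "kerberos", "success"),
    ("fs01", "ws02", "ntlm", "failure"),
]
MASK = "[MASK]"

def build_graph(events):
    """Adjacency list: src -> [(edge_token, dst)]. Edge attributes become one token."""
    adj = defaultdict(list)
    for src, dst, auth, outcome in events:
        adj[src].append((f"{auth}:{outcome}", dst))
    return adj

def random_walk(adj, start, hops, rng):
    """Assumed token layout (not the paper's): node, edge, node, edge, ..., node."""
    walk, node = [start], start
    for _ in range(hops):
        if not adj.get(node):
            break  # dead end: no outgoing connections observed
        edge_tok, node = rng.choice(adj[node])
        walk += [edge_tok, node]
    return walk

def mask_one(walk, rng):
    """Hide one token; recovering it is the training target for a masked model."""
    i = rng.randrange(len(walk))
    masked = list(walk)
    label = masked[i]
    masked[i] = MASK
    return masked, i, label

def make_corpus(events, walks_per_node=3, hops=3, seed=0):
    """Build (masked_walk, masked_index, label) samples from benign events only."""
    rng = random.Random(seed)
    adj = build_graph(events)
    corpus = []
    for start in sorted(adj):
        for _ in range(walks_per_node):
            corpus.append(mask_one(random_walk(adj, start, hops, rng), rng))
    return corpus
```

A model trained on such samples from benign traffic would assign low probability to a masked node or edge token it has not learned to expect, which is the signal an anomaly-based detector scores.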
Taxonomy
Topics: Complex Network Analysis Techniques · Network Security and Intrusion Detection · Advanced Graph Neural Networks
