融合动态图嵌入和Transformer自编码器的网络异常检测

doi:10.19678/j.issn.1000-3428.0070231

摘要/Abstract

摘要：

网络异常检测的目的在于及时识别并响应网络中的恶意活动和潜在威胁。大多数基于图嵌入的异常检测方法主要用于静态图, 忽略了细粒度的时间信息, 无法捕获动态网络行为的连续性, 从而降低了网络异常检测性能。为了提高动态网络异常检测的效率和准确性, 提出一个融合动态图嵌入和Transformer自编码器的网络异常检测方法。该方法利用时间游走的图嵌入技术捕获网络拓扑结构和细粒度的时间信息, 结合对比损失的Transformer自编码器来优化节点嵌入表示并捕获长期依赖和全局信息, 增强了模型对动态网络的感知能力, 能更好地捕捉动态网络中随时间变化的事件, 识别网络中的恶意行为。在公开的网络安全领域数据集上进行的大量实验结果表明, 该方法在LANL-2015数据集上的真阳率(TPR)为94.3%、假阳率(FPR)为5.7%、曲线下面积(AUC)为98.3%, 在OpTC数据集上的TPR为99.9%、FPR为0.01%、AUC为99.9%, 异常检测结果优于基准方法。上述结果说明了该方法可以有效地学习动态网络中的拓扑和长短期时间依赖信息, 识别网络中的异常行为。

关键词: 动态图嵌入, Transformer自编码器, 网络异常检测, 恶意行为, 长短期时间依赖

Abstract:

Network anomaly detection aims to promptly identify and respond to malicious activities and potential threats within networks. Most existing graph-embedding-based methods are designed for static graphs and neglect fine-grained temporal information, thus failing to capture the continuity of dynamic network behaviors and diminishing the effectiveness of network anomaly detection. To enhance the efficiency and accuracy of dynamic network anomaly detection, this study proposes a novel method integrating dynamic graph embedding and Transformer autoencoders. This method leverages temporal-walk-based graph embedding to capture the topological structure and detailed temporal information of the network. It incorporates a Transformer autoencoder with contrastive loss to optimize node embeddings and effectively capture long-term dependencies and global information. This integration enhances the model's ability to perceive dynamic networks, facilitating better detection of time-evolving events and the identification of malicious behaviors. The effectiveness of this method is validated through extensive experiments conducted on two publicly available datasets in network security. Its superior performance on the LANL-2015 dataset is indicated with a True Positive Rate (TPR) of 94.3%, False Positive Rate (FPR) of 5.7%, and an Area Under the Curve (AUC) of 98.3%. Further, on the OpTC dataset, the method achieves a TPR of 99.9%, a FPR of 0.01%, and an AUC of 99.9%. These results demonstrate that the proposed method effectively learns the topology and temporal dependencies of dynamic networks, thereby accurately identifying network anomalies.

Key words: dynamic graph embedding, Transformer autoencoder, network anomaly detection, malicious behavior, long and short-term time-dependence

张安勤, 丁志锋. 融合动态图嵌入和Transformer自编码器的网络异常检测[J]. 计算机工程, 2025, 51(4): 47-56.

ZHANG Anqin, DING Zhifeng. Network Anomaly Detection Integrating Dynamic Graph Embedding and Transformer Autoencoder[J]. Computer Engineering, 2025, 51(4): 47-56.

https://www.ecice06.com/CN/Y2025/V51/I4/47

图/表 9

图1 DGATE-NAD方法框架

Fig.1 Framework DGATE-NAD method

图2 动态网络示例

Fig.2 Dynamic network example

图3 Transformer自编码器结构

Fig.3 Transformer autoencoder structure

图4 DGATE-NAD和基线方法的AUC曲线

Fig.4 AUC curves of DGATE-NAD and baseline methods

图5 不同嵌入维度下异常检测的精度

Fig.5 Accuracy of anomaly detection under different embedding dimensions

图6 不同支持集尺寸下异常检测的精度

Fig.6 Accuracy of anomaly detection under different support set sizes

参考文献 27

1	ESWARAN D, FALOUTSOS C. SedanSpot: detecting anomalies in edge streams[C]//Proceedings of the IEEE International Conference on Data Mining (ICDM). Washington D.C., USA: IEEE Press, 2018: 953-958.
2	郭嘉琰, 李荣华, 张岩, 等. 基于图神经网络的动态网络异常检测算法. 软件学报, 2020, 31 (3): 748- 762.
	GUO J Y , LI R H , ZHANG Y , et al. Graph neural network based anomaly detection in dynamic networks. Journal of Software, 2020, 31 (3): 748- 762.
3	CHANG Y Y, LI P, SOSIC R, et al. F-FADE: frequency factorization for anomaly detection in edge streams[C]//Proceedings of the 14th ACM International Conference on Web Search and Data Mining. New York, USA: ACM Press, 2021: 589-597.
4	RANSHOUS S, HARENBERG S, SHARMA K, et al. A scalable approach for outlier detection in edge streams using sketch-based approximations[C]//Proceedings of the 2016 SIAM International Conference on Data Mining. Philadelphia, USA: Society for Industrial and Applied Mathematics, 2016: 189-197.
5	TIAN S, DONG J H, LI J T, et al. SAD: semi-supervised anomaly detection on dynamic graphs[EB/OL]. [2024-07-11]. https://arxiv.org/abs/2305.13573.
6	YUAN Z R , SHAO M L , YAN Q B . Motif-level anomaly detection in dynamic graphs. IEEE Transactions on Information Forensics and Security, 2023, 18, 2870- 2882. doi: 10.1109/TIFS.2023.3272731
7	LIU Y X , PAN S R , WANG Y G , et al. Anomaly detection in dynamic graphs via Transformer. IEEE Transactions on Knowledge and Data Engineering, 2023, 35 (12): 12081- 12094. doi: 10.1109/TKDE.2021.3124061
8	LOU S Q, ZHANG Q Y, YANG S J, et al. GADY: unsupervised anomaly detection on dynamic graphs[EB/OL]. [2024-07-11]. http://arxiv.org/abs/2310.16376v1.
9	KHOSHRAFTAR S , AN A J . A survey on graph representation learning methods. ACM Transactions on Intelligent Systems and Technology, 2024, 15 (1): 1- 55.
10	BOWMAN B, LAPRADE C, JI Y D, et al. Detecting lateral movement in enterprise computer networks with unsupervised graph AI[EB/OL]. [2024-07-11]. https://www.usenix.org/system/files/raid20-bowman.pdf.
11	LIU F C, WEN Y, ZHANG D X, et al. Log2Vec: a heterogeneous graph embedding based approach for detecting cyber threats within enterprise[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2019: 1777-1794.
12	张子宣, 宗学军, 何戡, 等. 基于CVAE-CatBoost的工业控制网络异常流量检测研究. 计算机工程, 2023, 49 (5): 173- 180. doi: 10.19678/j.issn.1000-3428.0065478
	ZHANG Z X , ZONG X J , HE K , et al. Research on abnormal traffic detection in industrial control network based on CVAE-CatBoost. Computer Engineering, 2023, 49 (5): 173- 180. doi: 10.19678/j.issn.1000-3428.0065478
13	FRIJI H, OLIVEREAU A, SARKISS M. Efficient network representation for GNN-based intrusion detection[C]//Proceedings of International Conference on Applied Cryptography and Network Security. Berlin, Germany: Springer, 2023: 532-554.
14	JIANG W W . Graph-based deep learning for communication networks: a survey. Computer Communications, 2022, 185, 40- 54. doi: 10.1016/j.comcom.2021.12.015
15	CAVILLE E , LO W W , LAYEGHY S , et al. Anomal-E: a self-supervised network intrusion detection system based on graph neural networks. Knowledge-Based Systems, 2022, 258, 110030. doi: 10.1016/j.knosys.2022.110030
16	王振东, 徐振宇, 李大海, 等. 面向入侵检测的元图神经网络构建与分析. 自动化学报, 2023, 49 (7): 1530- 1548.
	WANG Z D , XU Z Y , LI D H , et al. Metagraph neural network construction and analysis for intrusion detection. Acta Automatica Sinica, 2023, 49 (7): 1530- 1548.
17	郑海潇, 马梦帅, 文斌, 等. 基于GATv2的网络入侵异常检测方法. 数据与计算发展前沿, 2024, 6 (1): 179- 190.
	ZHENG H X , MA M S , WEN B , et al. Network intrusion anomaly detection method based on GATv2. Frontiers of Data and Computing, 2024, 6 (1): 179- 190.
18	YU W C, CHENG W, AGGARWAL C C, et al. NetWalk: a flexible deep embedding approach for anomaly detection in dynamic networks[C]//Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery&Data Mining. New York, USA: ACM Press, 2018: 2672-2681.
19	CAI L, CHEN Z Z, LUO C, et al. Structural temporal graph neural networks for anomaly detection in dynamic graphs[C]//Proceedings of the 30th ACM International Conference on Information&Knowledge Management. New York, USA: ACM Press, 2021: 3747-3756.
20	ZHENG L, LI Z P, LI J, et al. AddGraph: anomaly detection in dynamic graph using attention-based temporal GCN[C]//Proceedings of the 28th International Joint Conference on Artificial Intelligence. [S. l. ]: International Joint Conferences on Artificial Intelligence Organization, 2019: 4419-4425.
21	PAUDEL R, HUANG H H. PIKACHU: temporal walk based dynamic graph embedding for network anomaly detection[C]//Proceedings of the IEEE/IFIP Network Operations and Management Symposium (NOMS). Washington D.C., USA: IEEE Press, 2022: 1-7.
22	MIKOLOV T, CHEN K, CORRADO G, et al. Efficient estimation of word representations in vector space[EB/OL]. [2024-07-11]. https://arxiv.org/abs/1301.3781
23	PENG H , LI J X , YAN H , et al. Dynamic network embedding via incremental skip-gram with negative sampling. Science China Information Sciences, 2020, 63 (10): 202103. doi: 10.1007/s11432-018-9943-9
24	VASWANI A, SHAZEER N, PARMAR N, et al. Attention is all you need[EB/OL]. [2024-07-11]. https://arxiv.org/abs/1706.03762.
25	OUYANG L S, ZHANG Y Z, WANG Y P. Unified graph embedding-based anomalous edge detection[C]//Proceedings of the International Joint Conference on Neural Networks (IJCNN). Washington D.C., USA: IEEE Press, 2020: 1-8.
26	KENT A. Comprehensive, multi-source cyber-security events data set[EB/OL]. [2024-07-11]. https://csr.lanl.gov/data/cyber1/.
27	WEIR D C, ARANTES R, HANNON H, et al. Operationally Transparent Cyber (OpTC)[EB/OL]. [2024-07-11]. https://dx.doi.org/10.21227/edq8-nk5.

[1]	林中霖, 时金桥, 王美琪, 王学宾, 王雨燕. 基于应用行为划分的Android恶意应用检测技术[J]. 计算机工程, 2023, 49(9): 125-136.
[2]	陈良臣, 高曙, 刘宝旭, 陶明峰. 网络流量异常检测中的维数约简研究[J]. 计算机工程, 2020, 46(2): 11-20.
[3]	卢正军,方勇,刘亮,张文杰,左政. 基于上下文信息的Android恶意行为检测方法[J]. 计算机工程, 2018, 44(7): 150-155.
[4]	李向军,张华薇,郑思维,霍艳丽,张新萍. 基于相对邻域熵的直推式网络异常检测算法[J]. 计算机工程, 2015, 41(8): 132-139.
[5]	金戈,薛质,齐开悦. 基于磁盘隐藏PE 文件搜索的Bootkit 检测方法[J]. 计算机工程, 2015, 41(6): 116-120.
[6]	韩志耕,陈耿,王良民,蒋健. 一种基于时滞弱化策略的通用信度重估模型[J]. 计算机工程, 2015, 41(5): 163-168.
[7]	张一弛, 庞建民, 范学斌, 姚鑫磊. 基于模型检测的程序恶意行为识别方法[J]. 计算机工程, 2012, 38(18): 107-110.
[8]	王新志, 孙乐昌, 张旻, 陈韬. 基于序列模式发现的恶意行为检测方法[J]. 计算机工程, 2011, 37(24): 1-3.
[9]	刘潇逸, 崔翔, 郑东华, 李善. 一种基于Android系统的手机僵尸网络[J]. 计算机工程, 2011, 37(22): 1-4.
[10]	黄强盛;程久军;康钦马. 基于高阶AR模型的网络异常检测[J]. 计算机工程, 2010, 36(3): 174-176.
[11]	宿娇娜;李程;李巍;唐发根;李云春. 基于改进NB分类方法的网络异常检测模型[J]. 计算机工程, 2008, 34(5): 148-149,.

选择文件类型/文献管理软件名称

选择包含的内容