基于动态时空图神经网络的网络流量入侵检测方法

doi:10.19678/j.issn.1000-3428.0070520

摘要/Abstract

摘要：

网络攻击形式日益多样化, 传统的入侵检测方法在捕捉复杂网络流量中的时空特征方面存在一定局限性。大多数传统方法主要依赖于静态特征分析, 难以适应动态网络环境下的多变入侵行为。同时, 现有的深度学习方法在分析网络流量时, 往往忽视了网络节点间的拓扑结构以及流量的时间动态变化。因此, 提出一种基于动态时空图神经网络(GNN)的入侵检测方法DSTG-IDS。通过时间窗口对网络流量进行分段, 将每个时间段内的数据包建模为图中的节点, 并基于源IP和目标IP的关系建立连接, 构建出时序上的动态图序列。为了更好地捕捉流量的时序特征, 对图数据进行时间位置编码, 以增强不同时间段内节点的时序信息表达能力。在模型设计上, 首先利用图卷积网络(GCN)提取网络流量的空间特征, 并结合图注意力网络(GAT)提升对关键节点信息的关注能力; 其次, 通过双向门控循环单元(Bidirectional GRU)对流量的时间序列进行建模, 有效捕捉数据随时间变化的动态特征; 最后, 利用多头注意力机制融合时空特征并进行分类。在BoT-IoT、ToN-IoT和NF-CSE-CIC-IDS2018这3个广泛使用的数据集上进行实验, 结果表明, 在多分类实验中, DSTG-IDS的准确率分别达到了99.69%、98.61%和93.26%, 相较其他入侵检测方法, DSTG-IDS在准确率、召回率、误报率(FAR)、F1值等指标上均具有明显优势。

关键词: 入侵检测, 时空图神经网络, 双向门控循环单元, 图注意力网络, 动态时空图, 多头注意力机制

Abstract:

Cyberattacks are becoming increasingly diverse, and traditional intrusion detection methods exhibit limitations in capturing the spatio-temporal characteristics of complex network traffic. Most traditional methods rely primarily on static feature analysis, making it difficult to adapt to the ever-changing intrusion behaviors in dynamic network environments. When analyzing network traffic, existing deep learning methods often overlook the topological structure between network nodes and the temporal dynamics of traffic. To address these issues, this paper proposes a novel intrusion detection method based on a dynamic spatio-temporal Graph Neural Network (GNN), named DSTG-IDS. By segmenting network traffic through time windows, data packets within each time period are modeled as nodes in a graph, and connections are established based on the relationship between the source and destination IP, thereby constructing a sequence of dynamic graphs over time. To better capture the temporal characteristics of traffic, graph data are encoded with a temporal position to enhance the temporal information expression ability of the nodes within different time periods. In terms of model design, first, Graph Convolutional Network (GCN) are utilized to extract the spatial features of network traffic, and Graph Attention Network (GAT) are incorporated to enhance the focus on key node information. Second, Bidirectional Gated Recurrent Unit (Bidirectional GRU) are employed to model the temporal sequence of traffic, effectively capturing the dynamic characteristics of data changes over time. Finally, a multi-head attention mechanism is utilized to fuse spatio-temporal features and perform classification. Experiments on three widely used datasets—BoT-IoT, ToN-IoT, and NF-CSE-CIC-IDS2018—demonstrate that DSTG-IDS achieves accuracies of 99.69%, 98.61%, and 93.26%, respectively. Compared with other intrusion detection methods, DSTG-IDS exhibits significant advantages in terms of accuracy, recall, False Alarm Rate (FAR), and F1 value.

Key words: intrusion detection, spatio-temporal Graph Neural Network (GNN), Bidirectional Gated Recurrent Unit (Bidirectional GRU), Graph Attention Network (GAT), dynamic spatio-temporal graph, multi-head attention mechanism

罗恒, 万良. 基于动态时空图神经网络的网络流量入侵检测方法[J]. 计算机工程, 2026, 52(6): 202-213.

LUO Heng, WAN Liang. Network Traffic Intrusion Detection Method Based on Dynamic Spatio-Temporal Graph Neural Network[J]. Computer Engineering, 2026, 52(6): 202-213.

https://www.ecice06.com/CN/Y2026/V52/I6/202

图/表 15

图1 DSTG-IDS整体框架

Fig.1 The overall framework of DSTG-IDS

图2 动态图构建与时间位置编码

Fig.2 Dynamic graph construction and time location coding

图3 DSTG-IDS模型结构

Fig.3 DSTG-IDS model structure

图4 ToN-IoT数据集上的多分类混淆矩阵

Fig.4 Multi-class confusion matrix on the ToN-IoT dataset

图5 ToN-IoT数据集上的多分类特征嵌入

Fig.5 Multi-classification feature embedding on the ToN-IoT dataset

图6 消融实验1的结果

Fig.6 Result of ablation experiment 1

图7 消融实验2的结果

Fig.7 Result of ablation experiment 2

图8 消融实验3的结果

Fig.8 Result of ablation experiment 3

参考文献 28

1	FERRAG M A , MAGLARAS L , MOSCHOYIANNIS S , et al. Deep learning for cyber security intrusion detection: approaches, datasets, and comparative study. Journal of Information Security and Applications, 2020, 50, 102419. doi: 10.1016/j.jisa.2019.102419
2	XU X, WANG X N. An adaptive network intrusion detection method based on PCA and support vector machines[EB/OL]. [2024-09-05]. https://link.springer.com/chapter/10.1007/11527503_82.
3	LIAO H J , RICHARD L C H , LIN Y C , et al. Intrusion detection system: a comprehensive review. Journal of Network and Computer Applications, 2013, 36 (1): 16- 24. doi: 10.1016/j.jnca.2012.09.004
4	CHURCHER A , ULLAH R , AHMAD J , et al. An experimental analysis of attack classification using machine learning in IoT networks. Sensors, 2021, 21 (2): 446. doi: 10.3390/s21020446
5	BOOIJ T M , CHISCOP I , MEEUWISSEN E , et al. ToN-IoT: the role of heterogeneity and the need for standardization of features and attack types in IoT network intrusion data sets. IEEE Internet of Things Journal, 2022, 9 (1): 485- 496. doi: 10.1109/JIOT.2021.3085194
6	XU C Y , SHEN J Z , DU X . A method of few-shot network intrusion detection based on meta-learning framework. IEEE Transactions on Information Forensics and Security, 2020, 15, 3540- 3552. doi: 10.1109/TIFS.2020.2991876
7	ZHOU X K , HU Y Y , LIANG W , et al. Variational LSTM enhanced anomaly detection for industrial big data. IEEE Transactions on Industrial Informatics, 2021, 17 (5): 3469- 3477. doi: 10.1109/TII.2020.3022432
8	IMRANA Y , XIANG Y P , ALI L , et al. A bidirectional LSTM deep learning approach for intrusion detection. Expert Systems with Applications, 2021, 185, 115524. doi: 10.1016/j.eswa.2021.115524
9	AGARAP A F M. A neural network architecture combining Gated Recurrent Unit (GRU) and Support Vector Machine (SVM) for intrusion detection in network traffic data[C]//Proceedings of the 10th International Conference on Machine Learning and Computing. New York, USA: ACM Press, 2018: 26-30.
10	李青, 王一晨, 杜承烈. 图表示学习方法研究综述. 计算机应用研究, 2023, 40 (6): 1601- 1613.
	LI Q , WANG Y C , DU C L . Survey on graph representation learning methods. Application Research of Computers, 2023, 40 (6): 1601- 1613.
11	VINAYAKUMAR R, SOMAN K P, POORNACHANDRAN P. Applying convolutional neural network for network intrusion detection[C]// Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI). Washington D.C., USA: IEEE Press, 2017: 1222-1228.
12	LIU Z , ZHOU J . Introduction to graph neural networks. San Rafael, USA: Morgan & Claypool Publishers, 2022.
13	LEICHTNAM L, TOTEL E, PRIGENT N, et al. Sec2graph: network attack detection based on novelty detection on graph structured data[EB/OL]. [2024-09-05]. https://link.springer.com/chapter/10.1007/978-3-030-52683-2_12.
14	ZERHOUDI S, GRANITZER M, GARCHERY M. Improving intrusion detection systems using zero-shot recognition via graph embeddings[C]//Proceedings of the 44th IEEE Annual Computers, Software, and Applications Conference (COMPSAC). Washington D.C., USA: IEEE Press, 2020: 790-797.
15	ZHOU J W, XU Z Y, RUSH A M, et al. Automating botnet detection with graph neural networks[EB/OL]. [2024-09-05]. https://arxiv.org/abs/2003.06344.
16	LO W W, LAYEGHY S, SARHAN M, et al. E-GraphSAGE: a graph neural network based intrusion detection system for IoT[C]//Proceedings of the IEEE/IFIP Network Operations and Management Symposium. Washington D.C., USA: IEEE Press, 2022: 1-9.
17	VELIČKOVIĆG P, CUCURULL G, CASANOVA A, et al. Graph attention networks[EB/OL]. [2024-09-05]. https://arxiv.org/abs/1710.10903.
18	MANESSI F , ROZZA A , MANZO M . Dynamic graph convolutional networks. Pattern Recognition, 2020, 97, 107000. doi: 10.1016/j.patcog.2019.107000
19	PAREJA A , DOMENICONI G , CHEN J , et al. EvolveGCN: evolving graph convolutional networks for dynamic graphs. Proceedings of the AAAI Conference on Artificial Intelligence, 2020, 34 (4): 5363- 5370. doi: 10.1609/aaai.v34i04.5984
20	沈学利, 刘士枫. 基于图边缘特征注意力的入侵检测模型. 计算机工程, 2024, 50 (11): 236- 245. doi: 10.19678/j.issn.1000-3428.0068390
	SHEN X L , LIU S F . Intrusion detection model based on graph edge feature attention. Computer Engineering, 2024, 50 (11): 236- 245. doi: 10.19678/j.issn.1000-3428.0068390
21	LIU Y X , PAN S R , WANG Y G , et al. Anomaly detection in dynamic graphs via Transformer. IEEE Transactions on Knowledge and Data Engineering, 2023, 35 (12): 12081- 12094. doi: 10.1109/TKDE.2021.3124061
22	CAI L, CHEN Z Z, LUO C, et al. Structural temporal graph neural networks for anomaly detection in dynamic graphs[C]//Proceedings of the 30th ACM International Conference on Information & Knowledge Management. New York, USA: ACM Press, 2021: 3747-3756.
23	XU D, RUAN C W, KORPEOGLU E, et al. Inductive representation learning on temporal graphs[EB/OL]. [2024-09-05]. https://arxiv.org/abs/2002.07962.
24	DUAN G H , LV H W , WANG H Q , et al. Application of a dynamic line graph neural network for intrusion detection with semisupervised learning. IEEE Transactions on Information Forensics and Security, 2023, 18, 699- 714. doi: 10.1109/TIFS.2022.3228493
25	VASWANI A. Attention is all you need[EB/OL]. [2024-09-05]. https://arxiv.org/abs/1706.03762.
26	KORONIOTIS N , MOUSTAFA N , SITNIKOVA E , et al. Towards the development of realistic botnet dataset in the Internet of Things for network forensic analytics: BoT-IoT dataset. Future Generation Computer Systems, 2019, 100, 779- 796. doi: 10.1016/j.future.2019.05.041
27	SARHAN M, LAYEGHY S, MOUSTAFA N, et al. NetFlow datasets for machine learning-based network intrusion detection systems[EB/OL]. [2024-09-05]. https://arxiv.org/abs/2011.09144.
28	李晓佳, 赵国生, 汪洋, 等. 面向CNN和RNN改进的物联网入侵检测模型. 计算机工程与应用, 2023, 59 (14): 242- 250.
	LI X J , ZHAO G S , WANG Y , et al. Improved Internet of Things intrusion detection model for CNN and RNN. Computer Engineering and Applications, 2023, 59 (14): 242- 250.

[1]	吴沛颖, 李晓慧, 王俊峰. 基于上下文感知语言模型的C2流量检测[J]. 计算机工程, 2026, 52(5): 270-280.
[2]	董方和, 石琼, 师智斌. 基于集成学习与异常检测的对抗流量检测方法[J]. 计算机工程, 2026, 52(2): 275-286.
[3]	马满福, 杨鑫, 李勇, 刘泽政. 基于图注意力网络的多谣言源识别模型[J]. 计算机工程, 2026, 52(2): 101-109.
[4]	吴杰辉, 柳毅. 面向多元时间序列的联合优化异常检测模型[J]. 计算机工程, 2025, 51(9): 166-176.
[5]	马满福, 陈嘉豪, 李勇, 张聪. 基于改进GAT的多特征融合谣言检测模型MFLAN[J]. 计算机工程, 2025, 51(8): 181-189.
[6]	温敏初, 梁炜, 张嘉麟. 面向TDMA无线传感器网络的攻击构造与入侵检测方法研究[J]. 计算机工程, 2025, 51(8): 203-214.
[7]	周莎, 车生兵, 考友琛, 张旭, 郭甚驿. 基于特征选择和时空特征的网络入侵检测[J]. 计算机工程, 2025, 51(7): 223-231.
[8]	亓明凯, 王迪, 张立晔. 基于分层强化学习的在线三维装箱模型[J]. 计算机工程, 2025, 51(6): 136-145.
[9]	陈良臣, 傅德印, 刘宝旭, 高曙, 张煦尧. 面向网络加密流量的增量式入侵检测关键技术研究综述[J]. 计算机工程, 2025, 51(12): 18-30.
[10]	周峥, 张笃振. 基于多注意力机制的视网膜血管分割模型[J]. 计算机工程, 2025, 51(11): 268-282.
[11]	周雪阳, 傅启明, 陈建平, 陈延明, 陆悠, 王蕴哲. 基于证据和图推理的文档级关系抽取方法: 以医学关系为例[J]. 计算机工程, 2025, 51(1): 106-117.
[12]	张慧妍, 梁勇, 兰景宏, 赵强. 基于记忆模块与过滤式生成对抗网络的入侵检测方法[J]. 计算机工程, 2024, 50(6): 197-207.
[13]	余长宏, 许孔豪, 张泽, 高明. 基于分割点改进孤立森林的网络入侵检测方法[J]. 计算机工程, 2024, 50(6): 148-156.
[14]	代巍, 王丰羽, 冀常鹏. 基于情感增强与双图卷积网络的方面级情感分析[J]. 计算机工程, 2024, 50(5): 120-127.
[15]	陈虹, 王瀚文, 金海波. 融合改进自编码器和残差网络的入侵检测模型[J]. 计算机工程, 2024, 50(2): 188-195.

选择文件类型/文献管理软件名称

选择包含的内容