Research on Network Intrusion Detection Based on Temporal Information Graph Autoencoders

doi:10.19678/j.issn.1000-3428.0253107

Abstract

Abstract: In recent years, cyberattacks have become increasingly frequent and sophisticated, causing economic losses and security risks for both nations and enterprises. Traditional attack detection methods analyze attack behaviors by constructing source graphs, but this approach loses some semantic information when describing attack behaviors as simple graphs, leading to poor detection performance. This study proposes a network intrusion detection model based on temporal information graph autoencoders, abbreviated as TIGAE. TIGAE generates multiple source graphs through a refined graph construction method, comprehensively recording the interaction behaviors of system entities. Subsequently, an improved linear graph algorithm was devised to transform complex graphs into simpler ones, enhancing the graph structure while preserving the original system behaviour information. A graph autoencoder was then employed to learn benign system behaviour. The experimental results on the three datasets show that the Precision increases by an average of 0.65%, the F1-Score increases by an average of 0.68%, the Recall increases by an average of 1.07%, and the FPR decreases by an average of 0.40%. Experiments demonstrate that TIGAE outperforms existing state-of-the-art methods across multiple attack detection metrics.

摘要： 近年来，网络攻击日益频繁且手段日益复杂，给国家和企业造成经济损失与安全风险。传统攻击检测方法通过构建来源图分析攻击行为，但这种方法将攻击行为描述为简单图时会丢失部分语义信息，导致检测性能不佳。本研究提出一种基于时序信息图自编码器的网络入侵检测模型，简称TIGAE。TIGAE通过细化图构建方法生成多重来源图，完整记录系统实体交互行为。随后改进了线型图算法将多重图转换为简单图，在增强图结构的同时保留原始系统行为信息，并运用图自编码器学习良性系统行为。在三个数据集上的实验结果显示，Precision平均提升0.65%，F1-Score平均提升0.68%，Recall平均提升1.07%，FPR则平均降低0.40%。实验证明，TIGAE在多项攻击检测指标上均优于现有最先进方法。

Zhang Anqing, Zhuang Zhiqi, Li Zijian, Zhang Ting. Research on Network Intrusion Detection Based on Temporal Information Graph Autoencoders[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0253107.

张安勤, 庄志琦, 李梓健, 张挺. 基于时序信息图自编码器的网络入侵检测研究[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0253107.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0253107

References

[1] Chen P, Desmet L, Huygens C. A study on advanced persistent threats[C]//IFIP international conference on communications and multimedia security. Berlin, Heidelberg: Springer Berlin Heidelberg, 2014: 63-72.
[2] Hodges J L, Fix E. Nonparametric discrimination: consistency properties[J]. USAF School of Aviation Medicine, 1951.
[3] Kipf T N. Semi-supervised classification with graph convolutional networks[J]. arXiv preprint arXiv:1609.02907, 2016.
[4] Veličković P, Cucurull G, Casanova A, et al. Graph attention networks[J]. arXiv preprint arXiv:1710.10903, 2017.
[5] Hamilton W, Ying Z, Leskovec J. Inductive representation learning on large graphs[J]. Advances in neural information processing systems, 2017, 30.
[6] Rossi E, Chamberlain B, Frasca F, et al. Temporal graph networks for deep learning on dynamic graphs[J]. arXiv preprint arXiv:2006.10637, 2020.
[7] Ding K, Li J, Bhanushali R, et al. Deep anomaly detection on attributed networks[C]//Proceedings of the 2019 SIAM international conference on data mining. Society for Industrial and Applied Mathematics, 2019: 594-602.
[8] Peng Z, Luo M, Li J, et al. ANOMALOUS: A joint modeling approach for anomaly detection on attributed networks[C]//IJCAI. 2018, 18: 3513-3519.
[9] Liu Y, Li Z, Pan S, et al. Anomaly detection on attributed networks via contrastive self-supervised learning[J]. IEEE transactions on neural networks and learning systems, 2021, 33(6): 2378-2392.
[10] Milajerdi S M, Eshete B, Gjomemo R, et al. Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting[C]//Proceedings of the 2019 ACM SIGSAC conference on computer and communications security. 2019: 1795-1812.
[11] Li T, Liu X, Qiao W, et al. T-trace: Constructing the apts provenance graphs through multiple syslogs correlation[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 21(3): 1179-1195.
[12] Han X , Pasquier T , Bates A ,et al.UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats[J]. 2020.DOI:10.14722/ndss.2020.24046. [13] Gao Y, Li X, Peng H, et al. Hincti: A cyber threat intelligence modeling and identification system based on heterogeneous information network[J]. IEEE Transactions on Knowledge and Data Engineering, 2020, 34(2): 708-722.
[14] Duan G, Lv H, Wang H, et al. Application of a dynamic line graph neural network for intrusion detection with semisupervised learning[J]. IEEE Transactions on Information Forensics and Security, 2022, 18: 699-714.
[15] Duan G, Lv H, Wang H, et al. Practical cyber attack detection with continuous temporal graph in dynamic network system[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 4851-4864.
[16] Deng X, Zhu J, Pei X, et al. Flow topology-based graph convolutional network for intrusion detection in label-limited IoT networks[J]. IEEE Transactions on Network and Service Management, 2022, 20(1): 684-696.
[17] Caville E, Lo W W, Layeghy S, et al. Anomal-E: A self-supervised network intrusion detection system based on graph neural networks[J]. Knowledge-based systems, 2022, 258: 110030.
[18] Wang S, Wang Z, Zhou T, et al. Threatrace: Detecting and tracing host-based threats in node level through provenance graph learning[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 3972-3987.
[19] 郑海潇,马梦帅,文斌,等. 基于GATv2的网络入侵异常检测方法 [J]. 数据与计算发展前沿, 2024, 6 (01):179-190. DOI:CNKI:SUN:KYXH.0.2024-01-016. Zheng H X, Ma M S, Wen B, et al. A network intrusion anomaly detection method based on GATv2[J]. Frontiers of Data & Computing, 2024, 6(01): 179-190. DOI: CNKI:SUN:KYXH.0.2024-01-016.
[20] 王振东,徐振宇,李大海,等.面向入侵检测的元图神经网络构建与分析[J].自动化学报,2023,49(07):1530-1548.DOI:10.16383/j.aas.c200819. Wang Z D, Xu Z Y, Li D H, et al. Construction and analysis of meta-graph neural network for intrusion detection[J]. Acta Automatica Sinica, 2023, 49(07): 1530-1548. DOI: 10.16383/j.aas.c200819.
[21] Pei X, Deng X, Tian S, et al. A privacy-preserving graph neural network for network intrusion detection[J]. IEEE Transactions on Dependable and Secure Computing, 2024, 22(1): 740-756.
[22] 张子宣,宗学军,何戡,等.基于CVAE-CatBoost的工业控制网络异常流量检测研究[J].计算机工程,2023,49(05):173-180.DOI:10.19678/j.issn.1000-3428.0065478. Zhang Z X, Zong X J, He K, et al. Research on industrial control network abnormal traffic detection based on CVAE-CatBoost[J]. Computer Engineering, 2023, 49(05): 173-180. DOI: 10.19678/j.issn.1000-3428.0065478.
[23] Wang C, Zhu H. Wrongdoing monitor: A graph-based behavioral anomaly detection in cyber security[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 2703-2718.
[24] Li T, Jiang Y, Lin C, et al. Deepag: Attack graph construction and threats prediction with bi-directional deep learning[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 20(1): 740-757.
[25] Aly A, Iqbal S, Youssef A, et al. Megr-apt: A memory-efficient apt hunting system based on attack representation learning[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 5257-5271. [26] Soliman H M, Sovilj D, Salmon G, et al. Rank: Ai-assisted end-to-end architecture for detecting persistent attacks in enterprise networks[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 21(4): 3834-3850. [27] Zhou X, Liang W, Li W, et al. Hierarchical adversarial attacks against graph-neural-network-based IoT network intrusion detection system[J]. IEEE Internet of Things Journal, 2021, 9(12): 9310-9319. [28] Hu X, Gao W, Cheng G, et al. Toward early and accurate network intrusion detection using graph embedding[J]. IEEE Transactions on Information Forensics and Security, 2023, 18: 5817-5831. [29] 郭嘉琰,李荣华,张岩,等.基于图神经网络的动态网络异常检测算法[J].软件学报,2020,31(03):748-762.DOI:10.13328/j.cnki.jos.005903. Guo J Y, Li R H, Zhang Y, et al. Anomaly detection algorithm for dynamic networks based on graph neural networks[J]. Journal of Software, 2020, 31(03): 748-762. DOI: 10.13328/j.cnki.jos.005903. [30] Wang X, Wang X, He M, et al. Spatial-temporal graph model based on attention mechanism for anomalous IoT intrusion detection[J]. IEEE Transactions on Industrial Informatics, 2023, 20(3): 3497-3509. [31] The streamspot dataset, https://github.com/sbustreamspot/sbustreamspot-data [32] The Unicorn Wget dataset, https://dataverse.harvard.edu/dataset.xhtml?persistentId=doi:10.7910/DVN/IA8UOS [33] The Darpa Tc dataset, https://drive.google.com/drive/folders/1QlbUFWAGq3Hpl8wVdzOdIoZLFxkII4EK [34] Manzoor E , Milajerdi S M , Akoglu L .Fast Memory-efficient Anomaly Detection in Streaming Heterogeneous Graphs[J].ACM, 2016.DOI:10.1145/2939672.2939783. [35] Du M , Li F , Zheng G ,et al.DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning[J].Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017.DOI:10.1145/3133956.3134015. [36] Liu F, Wen Y, Zhang D, et al. Log2vec: A heterogeneous graph embedding based approach for detecting cyber threats within enterprise[C]//Proceedings of the 2019 ACM SIGSAC conference on computer and communications security. 2019: 1777-1794. [37] Jia Z, Xiong Y, Nan Y, et al. {MAGIC}: Detecting advanced persistent threats via masked graph representation learning[C]//33rd USENIX Security Symposium (USENIX Security 24). 2024: 5197-5214.

Please choose a citation manager

Content to export