Recent work has demonstrated the potential of Graph Neural Networks (GNNs) for network intrusion detection. Despite their advantages, a significant gap persists between real-world scenarios, where detection speed is critical, and existing proposals, which operate on large graphs representing several hours of traffic. This gap results in unrealistic operational conditions and impractical detection delays. Moreover, existing models do not generalize well across different networks, hampering their deployment in production environments. To address these issues, we introduce PPTGNN, a practical spatio-temporal GNN for intrusion detection. PPTGNN enables near real-time predictions while better capturing the spatio-temporal dynamics of network attacks. PPTGNN employs self-supervised pre-training for improved performance and reduced dependency on labeled data. We evaluate PPTGNN on three public datasets and show that it significantly outperforms state-of-the-art models such as E-ResGAT and E-GraphSAGE, with an average accuracy improvement of 10.38%. Finally, we show that a pre-trained PPTGNN can easily be fine-tuned to unseen networks with minimal labeled examples. This highlights the potential of PPTGNN as a general, large-scale pre-trained model that can operate effectively in diverse network environments.