Network Intrusion Detection Systems (NIDS) are essential tools for detecting network attacks and intrusions. While extensive research has explored the use of supervised Machine Learning for attack detection and characterisation, these methods require accurately labelled datasets, which are very costly to obtain. Moreover, existing public datasets contain a limited and/or outdated set of attacks, and many of them suffer from mislabelled data. To reduce the reliance on labelled data, we propose AutoGraphAD, a novel unsupervised anomaly detection method based on a Heterogeneous Variational Graph Autoencoder. AutoGraphAD operates on heterogeneous graphs, built from connection and IP nodes that represent network activity. The model is trained using unsupervised and contrastive learning, without relying on any labelled data. The model's losses are then weighted and combined into an anomaly score used for anomaly detection. Overall, AutoGraphAD matches, and in some cases exceeds, the results of Anomal-E, but without requiring costly downstream anomaly detectors. As a result, AutoGraphAD achieves around 1.18 orders of magnitude faster training and 1.03 orders of magnitude faster inference, which represents a significant advantage for operational deployment.
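As an added illustration, not code from the paper, the following Python sketches the two pieces of the pipeline the abstract names: turning flow records into a heterogeneous graph with connection and IP node types, and combining weighted per-connection loss terms into a single anomaly score that is thresholded. The flow records, feature columns, loss names and weights are constructed assumptions; the paper's actual feature set and loss formulation are not reproduced.

```python
# Constructed sample flow records (not from the paper):
# (src_ip, dst_ip, dst_port, bytes, packets)
FLOWS = [
    ("10.0.0.5", "10.0.0.9", 443, 5200, 12),
    ("10.0.0.5", "10.0.0.7", 22, 880, 9),
    ("10.0.0.8", "10.0.0.9", 443, 4100, 10),
    ("192.168.1.3", "10.0.0.9", 8080, 300000, 2000),
]


def build_hetero_graph(flows):
    """Build a two-node-type graph from flow records.

    Node types: 'conn' (one per flow, carrying the flow's numeric features)
    and 'ip' (one per distinct address, no features of its own).
    Edge types: ('ip', 'src_of', 'conn') and ('conn', 'dst_to', 'ip'), so each
    connection node is linked to both of its endpoints.
    """
    ip_index = {}            # address -> ip node id
    conn_feats = []          # conn node id -> feature vector
    src_edges, dst_edges = [], []
    for cid, (src, dst, dport, nbytes, npkts) in enumerate(flows):
        for ip in (src, dst):
            ip_index.setdefault(ip, len(ip_index))
        conn_feats.append([float(dport), float(nbytes), float(npkts)])
        src_edges.append((ip_index[src], cid))   # source IP -> connection
        dst_edges.append((cid, ip_index[dst]))   # connection -> destination IP
    return {
        "ip_index": ip_index,
        "conn_feats": conn_feats,
        "edges": {("ip", "src_of", "conn"): src_edges,
                  ("conn", "dst_to", "ip"): dst_edges},
    }


def anomaly_scores(loss_terms, weights):
    """Weighted sum of per-connection loss terms into one score per connection.

    loss_terms: {name: [loss for each conn node]}; weights: {name: float}.
    The loss names and weights are illustrative assumptions, standing in for
    whatever terms the trained autoencoder emits per node.
    """
    n = len(next(iter(loss_terms.values())))
    return [sum(weights[k] * loss_terms[k][i] for k in loss_terms) for i in range(n)]


def flag_anomalies(scores, threshold):
    """Return ids of connection nodes whose combined score exceeds the threshold."""
    return [i for i, s in enumerate(scores) if s > threshold]
```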