Given their effectiveness in modeling the relational structure among network traffic flows, graph neural networks (GNNs) have been widely adopted in network intrusion detection systems (NIDSs). However, most existing GNN-based NIDS approaches focus on the relational structure of traffic flows and treat the flows as temporally independent, which limits their ability to cope with evolving attack behaviors. Moreover, their reliance on supervised or semi-supervised learning often restricts generalization to unseen attacks. To address these limitations, we propose a novel self-supervised GNN-based framework. To the best of our knowledge, the proposed model is among the first self-supervised GNN-based NIDS models to explicitly leverage real timestamps, which provide faithful temporal dependencies for representation learning. We first construct a series of temporal graphs from network traffic flows according to their timestamps, and then employ an E-GraphSAGE- and LSTM-based encoder to fully extract the temporal information and spatial dependencies of network traffic, without introducing time-costly attention mechanisms. A multi-view graph contrastive learning (GCL) scheme is introduced, in which temporal, spatial, and feature contrasts are jointly performed to capture temporal continuity, preserve structural consistency, and improve the generalization and robustness of the learned representations, respectively. In addition, a gradient-norm-based adaptive weighting strategy is designed to optimize the contrastive loss weights. Experimental results on four representative NIDS datasets with real timestamps demonstrate that our method significantly outperforms existing self-supervised approaches and achieves performance comparable to the supervised state-of-the-art GNN method, while maintaining high computational efficiency.
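The temporal-graph construction step described above, as an added sketch that is not the authors' code: flows are ordered by their real timestamps and split into consecutive windows, with one edge-attributed graph per window for a sequence encoder to consume. The fixed 60-second window, the two-value feature vectors, the function name `build_temporal_graphs` and the sample flows are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample flows: (timestamp_s, src_endpoint, dst_endpoint, features)
FLOWS = [
    (1000.0, "10.0.0.5:51000", "10.0.0.9:443", [12.0, 3400.0]),
    (1012.5, "10.0.0.5:51001", "10.0.0.9:443", [8.0, 900.0]),
    (1047.0, "10.0.0.7:40000", "10.0.0.9:22", [3.0, 180.0]),
    (1075.0, "10.0.0.5:51002", "10.0.0.9:443", [15.0, 5100.0]),
    (1190.0, "10.0.0.7:40001", "10.0.0.9:22", [2.0, 120.0]),
]


def build_temporal_graphs(flows, window_s=60.0):
    """Return one graph per consecutive time window, in chronological order.

    Endpoints are nodes and every flow is a directed edge carrying the
    flow's feature vector (edge features, as E-GraphSAGE expects).
    The window width is an assumption of this example.
    """
    if not flows:
        return []
    flows = sorted(flows, key=lambda f: f[0])  # real timestamps set the order
    t0 = flows[0][0]
    buckets = defaultdict(list)
    for ts, src, dst, feats in flows:
        buckets[int((ts - t0) // window_s)].append((src, dst, feats))

    graphs = []
    # Empty windows are kept so that position in the sequence still
    # corresponds to elapsed time when the snapshots feed an LSTM.
    for idx in range(max(buckets) + 1):
        edges = buckets.get(idx, [])
        nodes = sorted({n for s, d, _ in edges for n in (s, d)})
        node_id = {n: i for i, n in enumerate(nodes)}
        graphs.append({
            "window_start": t0 + idx * window_s,
            "nodes": nodes,
            "edge_index": [(node_id[s], node_id[d]) for s, d, _ in edges],
            "edge_attr": [f for _, _, f in edges],
        })
    return graphs


if __name__ == "__main__":
    for g in build_temporal_graphs(FLOWS):
        print(g["window_start"], len(g["nodes"]), "nodes", len(g["edge_index"]), "edges")
```
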