A network intrusion usually involves a number of network locations. The data flows among these locations (usually represented by IP addresses), including the data generated by intrusion behaviors, naturally form a graph. Graph neural networks (GNNs) have therefore been used to build intrusion detection models in recent years, since they are well suited to capturing the graph topological features of intrusion data flow. However, existing GNN models use mean aggregation, treating all neighbors equally when aggregating node information. In reality, the correlations between a node, its neighbors and the linked edges differ. Assigning higher weights to nodes and edges with high similarity can highlight the correlation among them, which enhances the accuracy and expressiveness of the model. To this end, this paper proposes novel Edge-Directed Graph Multi-Head Attention Networks (EDGMAT) for network intrusion detection. The proposed EDGMAT model introduces a multi-head attention mechanism into the intrusion detection model. Additional weight learning is realized by combining the multi-head attention mechanism with edge features. Weighted aggregation makes better use of the relationships between different network traffic data. Experimental results on four recent NIDS benchmark datasets show that the performance of EDGMAT in terms of weighted F1-Score is significantly better than that of four state-of-the-art models in multi-class detection tasks.