This paper investigates the application of Graph Neural Networks (GNNs) to self-supervised network intrusion and anomaly detection. GNNs are a deep learning approach for graph-based data that incorporates graph structure into learning to generalise graph representations and output embeddings. As network flows are naturally graph-based, GNNs are a suitable fit for analysing and learning network behaviour. The majority of current implementations of GNN-based Network Intrusion Detection Systems (NIDSs) rely heavily on labelled network traffic, which can restrict not only the amount and structure of input traffic but also the NIDSs' potential to adapt to unseen attacks. To overcome these restrictions, we present Anomal-E, a GNN approach to intrusion and anomaly detection that leverages edge features and graph topological structure in a self-supervised process. This approach is, to the best of our knowledge, the first successful and practical approach to network intrusion detection that utilises network flows in a self-supervised, edge-leveraging GNN. Experimental results on two modern benchmark NIDS datasets not only clearly display the improvement of using Anomal-E embeddings rather than raw features, but also the potential Anomal-E has for detection on wild network traffic.