Application of a Dynamic Line Graph Neural Network for Intrusion Detection With Semisupervised Learning

Abstract

Deep learning (DL) greatly enhances binary anomaly detection capabilities through effective statistical network characterization; nevertheless, the intrusion class differentiation performance is still insufficient. Two related challenges have not been fully explored. 1) Statistical attack characteristics are overemphasized while ignoring inherent attack topologies; sequence features are extracted from whole traffic flows, but the interaction evolution of each IP pair over time is rarely considered, such as in long short-term memory (LSTM) and gated recurrent units (GRUs). 2) Meeting the need for many high-quality labeled data samples is an expensive and labor-intensive task in large-scale, complex, and heterogeneous networks. To address these issues, we propose a dynamic line graph neural network (DLGNN)-based intrusion detection method with semisupervised learning. Our model converts network traffic into a series of spatiotemporal graphs. A dynamic GNN (DGNN) is employed to extract spatial information from each discrete snapshot and capture the contextual evolution of communication between IP pairs through consecutive snapshots. Moreover, a line graph realizes edge embedding expressions corresponding to network communications and strengthens the message aggregation ability of graph convolution. Experiments on 6 novel datasets demonstrate that our approach achieves 98.15–99.8% accuracy in abnormality detection with fewer labeled samples. Meanwhile, state-of-the-art multiclass performance is achieved, e.g., the average detection accuracy for DDoS across the 6 datasets reaches 95.32%.