Internal network attacks pose a serious security threat to enterprises and organizations, potentially leading to leaks of critical information and damage to network systems. Hosts, as the core bearers of data and services, are often the primary targets of cyber attacks, so accurately identifying hosts that exhibit malicious behavior in the network is crucial. However, detecting malicious hosts on an intranet presents several challenges. First, the network state is unstructured data that changes dynamically in real time. Second, the large volume of normal traffic drowns out the traces generated by malicious behavior, which leads to a class-imbalance problem. Third, traditional graph neural network models have limited ability to process edge information and cannot directly learn from the per-flow attributes carried in netflow records. To overcome these challenges, this paper proposes a malicious host detection system. The system extracts a Host Communication Graph from netflow by time slicing and uses random undersampling to balance the classes. For the detection step, this paper proposes the Relational-Edge Graph Convolutional Network (RE-GCN) model, which, unlike other GNN models, can directly aggregate and learn features on edges and use them to classify nodes accurately. Comparative experiments on several netflow datasets demonstrate the effectiveness of the approach, which outperforms other common GNN models in detecting malicious hosts.
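The following is an added illustrative pipeline, not the paper's code: it time-slices constructed netflow records into host communication graphs, performs one edge-to-node aggregation step (each host receives the mean of its outgoing and incoming edge features plus in/out degree, a stand-in for the learned edge aggregation RE-GCN performs), and builds a class-balanced training set by random undersampling. The flow records, the host labels, the 60-second window length, the edge feature vector and the aggregation rule are all assumptions made for the example.

```python
"""Illustrative pipeline (added example, not the paper's implementation):
netflow -> time-sliced host communication graphs -> edge-feature aggregation
into node features -> class-balanced host set via random undersampling.
All records, labels, window sizes and features below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
import random

# Constructed netflow records: (start_ts, src, dst, dst_port, packets, bytes).
# 10.0.0.5 sweeps SMB/RDP across several hosts; the others are ordinary web clients.
FLOWS = [
    (0,  "10.0.0.5", "10.0.0.20", 445,  12,  4800),
    (5,  "10.0.0.5", "10.0.0.21", 445,  11,  4700),
    (9,  "10.0.0.5", "10.0.0.22", 445,  10,  4600),
    (20, "10.0.0.7", "10.0.0.20", 80,   40, 52000),
    (31, "10.0.0.8", "10.0.0.20", 443,  35, 48000),
    (65, "10.0.0.5", "10.0.0.23", 3389,  9,  4100),
    (70, "10.0.0.9", "10.0.0.20", 443,  30, 41000),
]
# Constructed ground-truth host labels (1 = malicious, 0 = benign).
LABELS = {"10.0.0.5": 1, "10.0.0.7": 0, "10.0.0.8": 0, "10.0.0.9": 0,
          "10.0.0.20": 0, "10.0.0.21": 0, "10.0.0.22": 0, "10.0.0.23": 0}

EDGE_DIM = 3  # [packets, bytes, is_well_known_port]


@dataclass
class Graph:
    nodes: set = field(default_factory=set)
    edges: list = field(default_factory=list)  # (src, dst, feature_vector)


def time_slice(flows, window):
    """Group flows into fixed-length windows keyed by window index (assumed slicing rule)."""
    windows = defaultdict(list)
    for f in flows:
        windows[f[0] // window].append(f)
    return dict(windows)


def build_graph(flows):
    """Directed host communication graph: every flow becomes one edge carrying
    the per-flow attributes a plain node-centric GNN would otherwise discard."""
    g = Graph()
    for _, src, dst, port, pkts, byts in flows:
        g.nodes.update((src, dst))
        g.edges.append((src, dst, [float(pkts), float(byts), 1.0 if port < 1024 else 0.0]))
    return g


def aggregate_edges(g):
    """One edge-to-node aggregation step (assumed rule, not RE-GCN itself):
    node feature = [out_degree, in_degree, mean outgoing edge feats, mean incoming edge feats]."""
    out_sum = defaultdict(lambda: [0.0] * EDGE_DIM)
    in_sum = defaultdict(lambda: [0.0] * EDGE_DIM)
    out_cnt, in_cnt = defaultdict(int), defaultdict(int)
    for src, dst, feat in g.edges:
        for i, v in enumerate(feat):
            out_sum[src][i] += v
            in_sum[dst][i] += v
        out_cnt[src] += 1
        in_cnt[dst] += 1
    node_feats = {}
    for n in g.nodes:
        o = [x / out_cnt[n] for x in out_sum[n]] if out_cnt[n] else [0.0] * EDGE_DIM
        i = [x / in_cnt[n] for x in in_sum[n]] if in_cnt[n] else [0.0] * EDGE_DIM
        node_feats[n] = [float(out_cnt[n]), float(in_cnt[n])] + o + i
    return node_feats


def undersample(hosts, labels, seed=0):
    """Random undersampling: keep every minority-class host and draw an equal
    number of hosts from each majority class. Deterministic via the seed."""
    by_class = defaultdict(list)
    for h in hosts:
        by_class[labels[h]].append(h)
    minority = min(by_class, key=lambda c: len(by_class[c]))
    k = len(by_class[minority])
    rng = random.Random(seed)
    kept = list(by_class[minority])
    for c, members in by_class.items():
        if c != minority:
            kept += rng.sample(sorted(members), k)
    return sorted(kept)


def pipeline(flows=FLOWS, labels=LABELS, window=60):
    """Return, per time window, the aggregated node features and the balanced host set."""
    result = {}
    for w, fl in sorted(time_slice(flows, window).items()):
        feats = aggregate_edges(build_graph(fl))
        result[w] = {"features": feats, "train_hosts": undersample(feats, labels)}
    return result


if __name__ == "__main__":
    for w, r in pipeline().items():
        print(f"window {w}: train hosts {r['train_hosts']}")
        for host, vec in sorted(r["features"].items()):
            print(f"  {host:10s} {vec}")
```

In the first window the scanning host ends up with out-degree 3 and no inbound edges, while the server it touched has in-degree 3 with a much larger mean byte count from the benign web clients; that contrast is only visible because the per-flow attributes were aggregated from the edges rather than dropped. Undersampling is applied per window here, so a window whose hosts all carry the same label is returned unchanged.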