Application Of Graph Neural Network In Cyber Threat Detection

Posted on: 2023-11-11
Degree: Master
Type: Thesis
Country: China
Candidate: C Y Yu
GTID: 2558306914960629
Subject: Electronic and communication engineering

Abstract/Summary:
With the increasing complexity of network architectures and the continual updating and iteration of network applications, detecting and identifying network traffic is becoming more and more difficult. In addition, increasingly sophisticated intrusion techniques seriously threaten the security of the network environment and bring great inconvenience to people's lives. How to identify threatening abnormal traffic within huge volumes of network traffic is therefore a major challenge in the field of network threat detection. How to make the most of the unique advantages of graph neural networks, with their strong interpretability on graph-structured data, how to handle the imbalance of traffic samples in real network attack scenarios, and how to detect abnormal traffic with graph neural networks and further classify and identify it are the problems to be solved in graph-neural-network-based network threat detection, and they are the focus of this thesis. The main work and contributions of this thesis are as follows:

First, because data imbalance in network threat detection samples leads to a low detection rate for attack types with few samples, this thesis proposes a threshold-based SMOTE algorithm that balances the dataset by oversampling the minority-class samples, that is, part of the attack traffic. To address the network flow characteristics of the data samples in network threat detection, this thesis proposes a graph feature extraction model based on the graph-line graph, which transforms network flow features into graph structure features. Comparative experiments on the CIC-IDS2018 dataset show that applying graph neural networks is feasible in an offline network threat detection scheme and that the results are better than those of existing machine learning models.

Second, to address the time-series characteristics of network traffic in network threat detection, this thesis proposes a three-stage GraphSAGE-BiLSTM model based on a dynamic graph neural network. The model splits the entire network flow into time windows to obtain time subgraphs, uses GraphSAGE to obtain the spatial features of each time subgraph, converts the graph structure features into groups of feature vector sequences, and then feeds them into a bidirectional long short-term memory network to learn the temporal characteristics of the traffic. Comparative experiments show that the classification performance of this model is significantly better than that of common anomaly detection models.

Third, to address the low abnormal-traffic detection rate and high false positive rate in network threat detection, this thesis introduces an attention mechanism into the temporal feature extraction module of the GraphSAGE-BiLSTM model, giving the GraphSAGE-AttBiLSTM model. Weights are assigned to the node features of the extracted time subgraphs according to their importance to the detection result, so as to improve the performance of network threat detection while, as far as possible, not reducing detection accuracy. Comparative experiments on the CIC-IDS2018 dataset show that the GraphSAGE-AttBiLSTM model with the attention mechanism effectively improves the accuracy of abnormal network traffic classification.
Keywords/Search Tags: cyber threat detection, graph neural network, bidirectional long short-term memory, attention mechanism
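The abstract describes splitting traffic into time windows and turning each window's host graph into a line graph so that flows become nodes. The sketch below is an added example, not code from the thesis; the flow record layout, the fixed non-overlapping windows and the shared-endpoint adjacency rule are assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample flows: (timestamp_s, src_host, dst_host, bytes, label)
FLOWS = [
    (0, "10.0.0.1", "10.0.0.9", 1200, "benign"),
    (3, "10.0.0.2", "10.0.0.9", 800, "benign"),
    (5, "10.0.0.3", "10.0.0.4", 300, "benign"),
    (12, "10.0.0.1", "10.0.0.9", 90000, "attack"),
    (14, "10.0.0.1", "10.0.0.5", 88000, "attack"),
    (27, "10.0.0.2", "10.0.0.3", 500, "benign"),
]

def time_subgraphs(flows, window_s):
    """Group flows into fixed, non-overlapping time windows (assumed scheme)."""
    windows = defaultdict(list)
    for flow in flows:
        windows[flow[0] // window_s].append(flow)
    return [windows[k] for k in sorted(windows)]

def line_graph(window_flows):
    """Convert a host graph (hosts = nodes, flows = edges) to its line graph.

    Each flow becomes a node carrying the flow's features; two flow nodes
    are adjacent when the underlying flows share an endpoint host.
    """
    by_host = defaultdict(list)
    for idx, (_, src, dst, _, _) in enumerate(window_flows):
        by_host[src].append(idx)
        if dst != src:
            by_host[dst].append(idx)
    adjacency = {idx: set() for idx in range(len(window_flows))}
    for flow_ids in by_host.values():
        for a, b in combinations(flow_ids, 2):
            adjacency[a].add(b)
            adjacency[b].add(a)
    features = {i: {"bytes": f[3], "label": f[4]}
                for i, f in enumerate(window_flows)}
    return features, adjacency

def build_sequence(flows, window_s=10):
    """One (features, adjacency) pair per window, in time order: the kind of
    input a graph encoder followed by a sequence model would consume."""
    return [line_graph(w) for w in time_subgraphs(flows, window_s)]

if __name__ == "__main__":
    for step, (feats, adj) in enumerate(build_sequence(FLOWS)):
        print(step, feats, {k: sorted(v) for k, v in adj.items()})
```

Labelling each flow node rather than each host is what lets a node-classification model produce per-flow verdicts; windows that contain no flows are skipped here.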