{"title":"Deep GraphSAGE enhancements for intrusion detection: Analyzing attention mechanisms and GCN integration","authors":"Samia Saidane , Francesco Telch , Kussai Shahin , Fabrizio Granelli","doi":"10.1016/j.jisa.2025.104013","DOIUrl":null,"url":null,"abstract":"<div><div>Intrusion Detection Systems (IDSs) are evolving to utilize machine learning techniques more frequently, in order to effectively and reliably identify even attacks with small footprints on the network traffic. This paper presents a detailed evaluation of two advanced graph neural network models, D-GSAGE-MARC and GFN-GA, for intrusion detection across a diverse range of IoT and cybersecurity datasets, including CIC-ToN-IoT, NF-UQ-NIDS, WUSTL-IIOT-2021, InSDN, etc. By integrating multi-head attention mechanisms and Graph Attention Network (GAT) layers into the D-GSAGE-MARC model, we effectively capture complex relationships within graph-structured data while leveraging residual connections to enhance performance. Our comprehensive analysis employs multiple performance metrics to assess both models in multi-class and binary classification scenarios, highlighting their capabilities and shortcomings in identifying different types of cyber-attacks. The results show that the D-GSAGE-MARC model achieves remarkable performance, achieving an accuracy of 99.97% recall of 99.97%, and an F1 score of 99.97% on the WUSTL-IIOT-2021 dataset, establishing it as a highly effective solution for intrusion detection. Meanwhile, GFN-GA excels in detecting frequent threats. Additionally, we visualize the learned embeddings using Uniform Manifold Approximation and Projection (UMAP) techniques to elucidate feature representations utilized during classification. 
The results highlight the models’ stability and adaptability across different datasets, particularly in addressing imbalanced data and rare attack detection.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"90 ","pages":"Article 104013"},"PeriodicalIF":3.8000,"publicationDate":"2025-03-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625000511","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citation count: 0
Abstract
Intrusion Detection Systems (IDSs) increasingly rely on machine learning techniques to identify, effectively and reliably, even attacks that leave only a small footprint in network traffic. This paper presents a detailed evaluation of two advanced graph neural network models, D-GSAGE-MARC and GFN-GA, for intrusion detection across a diverse range of IoT and cybersecurity datasets, including CIC-ToN-IoT, NF-UQ-NIDS, WUSTL-IIOT-2021, InSDN, etc. By integrating multi-head attention mechanisms and Graph Attention Network (GAT) layers into the D-GSAGE-MARC model, we effectively capture complex relationships within graph-structured data while leveraging residual connections to enhance performance. Our comprehensive analysis employs multiple performance metrics to assess both models in multi-class and binary classification scenarios, highlighting their capabilities and shortcomings in identifying different types of cyber-attacks. The results show that the D-GSAGE-MARC model achieves remarkable performance, with an accuracy of 99.97%, a recall of 99.97%, and an F1 score of 99.97% on the WUSTL-IIOT-2021 dataset, establishing it as a highly effective solution for intrusion detection. Meanwhile, GFN-GA excels in detecting frequent threats. Additionally, we visualize the learned embeddings using Uniform Manifold Approximation and Projection (UMAP) techniques to elucidate feature representations utilized during classification. The results highlight the models’ stability and adaptability across different datasets, particularly in addressing imbalanced data and rare attack detection.
About the journal:
Journal of Information Security and Applications (JISA) focuses on original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view of modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.