LGSMOTE-IDS: Line Graph based Weighted-Distance SMOTE for imbalanced network traffic detection

Abstract

The application of Graph Neural Networks (GNNs) to Network Intrusion Detection Systems (NIDS) has become a prominent research focus. However, NIDS often struggles to classify minority attack samples due to the severe class imbalance in NIDS datasets, where the number of samples varies significantly across classes. Additionally, prior studies have frequently overlooked the importance of edge features in GNNs. To address these challenges, we propose LGSMOTE-IDS, a novel framework that integrates a Line Graph based Weighted-Distance SMOTE for Intrusion Detection Systems. First, we define the fine-grained protocol service graph ($PSG$) and transform it into its corresponding protocol service line graph ($L\left(PSG\right)$). This transformation provides a novel perspective for describing network traffic interactions and enables the conversion of the edge classification task into a node classification task. Second, we introduce Weighted-Distance SMOTE, an oversampling algorithm specifically tailored to NIDS datasets, which employs an improved interpolation strategy to generate synthetic minority class samples. Finally, we utilize a GNN-based classifier to predict labels for all samples. We conduct experiments on three widely used datasets—NF-UNSW-NB15, NF-BoT-IoT, and NF-ToN-IoT. LGSMOTE-IDS achieves average increases of 18.11%, 45.91%, and 36.41% in weighted F1-scores for five, one, and three minority classes across the three datasets, respectively, compared to baseline method. Moreover, LGSMOTE-IDS successfully detects attack types that previous models fail to recognize. To the best of our knowledge, LGSMOTE-IDS is the first framework to integrate GNNs with an oversampling algorithm to address the class imbalance issue in NIDS datasets.