{"title":"GSA-DT: A Malicious Traffic Detection Model Based on Graph Self-Attention Network and Decision Tree","authors":"Saihua Cai;Han Tang;Jinfu Chen;Tianxiang Lv;Wenjun Zhao;Chunlei Huang","doi":"10.1109/TNSM.2025.3531885","DOIUrl":null,"url":null,"abstract":"Malicious attack has shown a rapid growth in recent years, it is very important to accurately detect malicious traffic to defend against malicious attacks. Compared with machine learning and deep learning technologies, graph convolutional neural network (GCN) achieves better detection results of malicious traffic due to additional consideration of the correlation between network traffic features. However, existing GCN-based detection models suffer from fixed weight assignment, only focusing on local features, lack the ability to model graph structure and relationships as well as having gradient disappearance. To solve these problems, this paper proposes the GSA-DT model based on graph self-attention network and decision tree. GSA-DT first preprocesses the original network traffic to obtain better traffic features and labels, and then uses GCN to extract the topological structure of network traffic as well as capture the correlation relationships among traffic features, where the ReLU activation function is replaced by LeakyReLU to overcome the problems of neuron “death” and gradient disappearance during the training process; It also introduces the self-attention mechanism into GCN to assign larger weights to the key features to reduce the interference of redundant features. Finally, GSA-DT uses decision tree to perform the detection of malicious traffic. 
Experimental results on four network traffic datasets show that GSA-DT model improves the detection accuracy over 1% on average than seven advanced malicious traffic detection models, and it also performs better in F1-measure, TPR, FPR as well as stability.","PeriodicalId":13423,"journal":{"name":"IEEE Transactions on Network and Service Management","volume":"22 2","pages":"2059-2073"},"PeriodicalIF":4.7000,"publicationDate":"2025-02-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Network and Service Management","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10883334/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citations: 0
Abstract
Malicious attacks have grown rapidly in recent years, so it is very important to accurately detect malicious traffic to defend against them. Compared with machine learning and deep learning technologies, the graph convolutional neural network (GCN) achieves better detection results for malicious traffic because it additionally considers the correlation between network traffic features. However, existing GCN-based detection models suffer from fixed weight assignment, focus only on local features, lack the ability to model graph structure and relationships, and are subject to gradient disappearance. To solve these problems, this paper proposes the GSA-DT model, based on a graph self-attention network and a decision tree. GSA-DT first preprocesses the original network traffic to obtain better traffic features and labels, and then uses GCN to extract the topological structure of network traffic and to capture the correlations among traffic features, where the ReLU activation function is replaced by LeakyReLU to overcome the problems of neuron “death” and gradient disappearance during training; it also introduces the self-attention mechanism into GCN to assign larger weights to the key features and so reduce the interference of redundant features. Finally, GSA-DT uses a decision tree to perform the detection of malicious traffic. Experimental results on four network traffic datasets show that the GSA-DT model improves detection accuracy by over 1% on average compared with seven advanced malicious traffic detection models, and that it also performs better in F1-measure, TPR, FPR, and stability.
About the journal:
IEEE Transactions on Network and Service Management will publish (online only) peer-reviewed, archival-quality papers that advance the state of the art and practical applications of network and service management. Theoretical research contributions (presenting new concepts and techniques) and applied contributions (reporting on experiences and experiments with actual systems) will be encouraged. These transactions will focus on the key technical issues related to: Management Models, Architectures and Frameworks; Service Provisioning, Reliability and Quality Assurance; Management Functions; Enabling Technologies; Information and Communication Models; Policies; Applications and Case Studies; Emerging Technologies and Standards.