Graph Autoencoders for Detecting Anomalous Intrusions in OT Networks Through Dynamic Link Detection

This paper evaluates the use of graph neural network (GNN) based autoencoders for detecting network intrusions or anomalous traffic in Operational Technology (OT) networks. Traditional intrusion detection methods often struggle to capture the complex relationships and interdependencies found in OT network communications. These spatial relationships can provide information vital for identifying harder to detect attacks (i.e. Advanced Persistent Threats). GNNs are a machine learning technique which operate on graph-structured data and can be used to identify underlying patterns and relationships between the nodes. Graph autoencoders (GAEs) are an unsupervised GNN-based learning technique that incorporates an encoder-decoder architecture and can be used for anomaly detection in graph structured data. This work evaluates the use of graph autoencoders for detecting anomalous edges (extracted from packets) in OT network data. Additionally, we introduce a method for encoding raw network traffic into discrete temporal graphs which can be used to apply GAEs for real-time intrusion detection. The proposed network traffic encoding scheme incorporates multi-dimensional edge attributes in order to capture information for determining the relevance of a given network packet. The approach is evaluated using two OT network datasets each containing labeled examples of commonly encountered malicious attack traffic. Results are compared against baseline anomaly detection methods including K-Nearest Neighbors, Deep Autoencoders, and Isolation Forest. The proposed graph autoencoder outperforms the baseline cases in terms of detection accuracy achieving a 31.05% and 8.64% improvement in F1 scores over the baseline models on the two OT network datasets.