Deep GraphSAGE enhancements for intrusion detection: Analyzing attention mechanisms and GCN integration

Intrusion Detection Systems (IDSs) are evolving to utilize machine learning techniques more frequently, in order to effectively and reliably identify even attacks with small footprints on the network traffic. This paper presents a detailed evaluation of two advanced graph neural network models, D-GSAGE-MARC and GFN-GA, for intrusion detection across a diverse range of IoT and cybersecurity datasets, including CIC-ToN-IoT, NF-UQ-NIDS, WUSTL-IIOT-2021, InSDN, etc. By integrating multi-head attention mechanisms and Graph Attention Network (GAT) layers into the D-GSAGE-MARC model, we effectively capture complex relationships within graph-structured data while leveraging residual connections to enhance performance. Our comprehensive analysis employs multiple performance metrics to assess both models in multi-class and binary classification scenarios, highlighting their capabilities and shortcomings in identifying different types of cyber-attacks. The results show that the D-GSAGE-MARC model achieves remarkable performance, achieving an accuracy of 99.97% recall of 99.97%, and an F1 score of 99.97% on the WUSTL-IIOT-2021 dataset, establishing it as a highly effective solution for intrusion detection. Meanwhile, GFN-GA excels in detecting frequent threats. Additionally, we visualize the learned embeddings using Uniform Manifold Approximation and Projection (UMAP) techniques to elucidate feature representations utilized during classification. The results highlight the models’ stability and adaptability across different datasets, particularly in addressing imbalanced data and rare attack detection.