Linghao Ren, Sijia Wang, Shengwei Zhong, Yiyuan Li, Bo Tang
{"title":"多模态混合网络流量检测的通用动态拓扑自适应演化模型","authors":"Linghao Ren , Sijia Wang , Shengwei Zhong , Yiyuan Li , Bo Tang","doi":"10.1016/j.comnet.2025.111380","DOIUrl":null,"url":null,"abstract":"<div><div>Modern network traffic detection systems face significant challenges in accurately classifying sophisticated cyber attacks. Traditional approaches relying on static traffic features (e.g., port numbers and packet sizes) prove inadequate for capturing the dynamic topological evolution inherent in Advanced Persistent Threats (APTs) and complex intrusions. This limitation stems from overlooking temporal correlations and structural dynamics within network traffic flows. Our investigation identifies this oversight as the primary cause of suboptimal performance in multi-modal traffic recognition, hybrid attack detection, and analysis with incomplete or anomalous data. To address this critical gap, we propose a novel dynamic topology-based method that quantifies evolving network structures through traffic pattern distribution transformations. Departing from traditional attention-based anomaly detection paradigms, our streamlined architecture introduces a dual-thread framework with multi-level feature fusion. This innovative design effectively integrates explicit statistical features with implicit dynamic topology information, achieving improved intrusion detection accuracy while reducing computational complexity. By modeling intrinsic interactions between statistical and topological characteristics, our method reveals latent intrusion patterns through three key innovations: (1) quantitative modeling of network topological dynamics, (2) a lightweight dual-thread architecture for efficient feature fusion, and (3) robust detection mechanisms under data scarcity. To our knowledge, this represents the first universal network intrusion detection framework that efficiently combines dynamic topological analysis with conventional statistical features. 
Extensive benchmark evaluations demonstrate state-of-the-art performance with significant improvements in AUC (5.8%<span><math><mi>↑</mi></math></span>) and macro-averaged AUC (7.2%<span><math><mi>↑</mi></math></span>) over existing methods, while maintaining a 23% lower computational overhead. Our solution establishes a foundation for next-generation intrusion detection systems, providing a generalizable and resource-efficient approach to counter evolving cyber threats. <strong>The code and dataset are available at</strong> <span><span>https://github.com/vjkgll/ROEN.git</span><svg><path></path></svg></span>.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"268 ","pages":"Article 111380"},"PeriodicalIF":4.6000,"publicationDate":"2025-05-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"ROEN: Universal dynamic topology-adaptive evolution model for multi-modal mixed network traffic detection\",\"authors\":\"Linghao Ren , Sijia Wang , Shengwei Zhong , Yiyuan Li , Bo Tang\",\"doi\":\"10.1016/j.comnet.2025.111380\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Modern network traffic detection systems face significant challenges in accurately classifying sophisticated cyber attacks. Traditional approaches relying on static traffic features (e.g., port numbers and packet sizes) prove inadequate for capturing the dynamic topological evolution inherent in Advanced Persistent Threats (APTs) and complex intrusions. This limitation stems from overlooking temporal correlations and structural dynamics within network traffic flows. Our investigation identifies this oversight as the primary cause of suboptimal performance in multi-modal traffic recognition, hybrid attack detection, and analysis with incomplete or anomalous data. 
To address this critical gap, we propose a novel dynamic topology-based method that quantifies evolving network structures through traffic pattern distribution transformations. Departing from traditional attention-based anomaly detection paradigms, our streamlined architecture introduces a dual-thread framework with multi-level feature fusion. This innovative design effectively integrates explicit statistical features with implicit dynamic topology information, achieving improved intrusion detection accuracy while reducing computational complexity. By modeling intrinsic interactions between statistical and topological characteristics, our method reveals latent intrusion patterns through three key innovations: (1) quantitative modeling of network topological dynamics, (2) a lightweight dual-thread architecture for efficient feature fusion, and (3) robust detection mechanisms under data scarcity. To our knowledge, this represents the first universal network intrusion detection framework that efficiently combines dynamic topological analysis with conventional statistical features. Extensive benchmark evaluations demonstrate state-of-the-art performance with significant improvements in AUC (5.8%<span><math><mi>↑</mi></math></span>) and macro-averaged AUC (7.2%<span><math><mi>↑</mi></math></span>) over existing methods, while maintaining a 23% lower computational overhead. Our solution establishes a foundation for next-generation intrusion detection systems, providing a generalizable and resource-efficient approach to counter evolving cyber threats. 
<strong>The code and dataset are available at</strong> <span><span>https://github.com/vjkgll/ROEN.git</span><svg><path></path></svg></span>.</div></div>\",\"PeriodicalId\":50637,\"journal\":{\"name\":\"Computer Networks\",\"volume\":\"268 \",\"pages\":\"Article 111380\"},\"PeriodicalIF\":4.6000,\"publicationDate\":\"2025-05-29\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computer Networks\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S1389128625003470\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128625003470","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
ROEN: Universal dynamic topology-adaptive evolution model for multi-modal mixed network traffic detection
Modern network traffic detection systems face significant challenges in accurately classifying sophisticated cyber attacks. Traditional approaches relying on static traffic features (e.g., port numbers and packet sizes) prove inadequate for capturing the dynamic topological evolution inherent in Advanced Persistent Threats (APTs) and complex intrusions. This limitation stems from overlooking temporal correlations and structural dynamics within network traffic flows. Our investigation identifies this oversight as the primary cause of suboptimal performance in multi-modal traffic recognition, hybrid attack detection, and analysis with incomplete or anomalous data. To address this critical gap, we propose a novel dynamic topology-based method that quantifies evolving network structures through traffic pattern distribution transformations. Departing from traditional attention-based anomaly detection paradigms, our streamlined architecture introduces a dual-thread framework with multi-level feature fusion. This innovative design effectively integrates explicit statistical features with implicit dynamic topology information, achieving improved intrusion detection accuracy while reducing computational complexity. By modeling intrinsic interactions between statistical and topological characteristics, our method reveals latent intrusion patterns through three key innovations: (1) quantitative modeling of network topological dynamics, (2) a lightweight dual-thread architecture for efficient feature fusion, and (3) robust detection mechanisms under data scarcity. To our knowledge, this represents the first universal network intrusion detection framework that efficiently combines dynamic topological analysis with conventional statistical features. Extensive benchmark evaluations demonstrate state-of-the-art performance with significant improvements in AUC (5.8%) and macro-averaged AUC (7.2%) over existing methods, while maintaining a 23% lower computational overhead. 
Our solution establishes a foundation for next-generation intrusion detection systems, providing a generalizable and resource-efficient approach to counter evolving cyber threats. The code and dataset are available at https://github.com/vjkgll/ROEN.git.
About the journal:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.