E-GraphSAGE: A Graph Neural Network based Intrusion Detection System

Introduction

In summary, the main contributions of this paper are twofold:

• We propose and implement E-GraphSAGE, an extension of GraphSAGE that allows edge features/attributes to be incorporated into graph representation learning. This contribution applies to a range of GNN use cases in which edge features carry key information.
• We apply E-GraphSAGE to network intrusion detection and network flow classification, and demonstrate its potential through an extensive experimental evaluation.
The rest of the paper is organised as follows. Section II discusses key related work, and Section III provides the relevant background on GNNs and GraphSAGE. Our proposed E-GraphSAGE algorithm and the corresponding NIDS are presented in Section IV. The experimental evaluation results are presented in Section VI, and Section VII concludes the paper.

Translation

Training Phase

The neural network model used in our implementation consists of two E-GraphSAGE layers, which means that neighbour information is aggregated from a two-hop neighbourhood. For the aggregation function AGG, as shown in Equation 5, we use the mean aggregator, which simply computes the element-wise mean of the edge embeddings of the sampled neighbours. The definition of the mean aggregator in E-GraphSAGE is given below:

\[h^{k}_{N(v)}=\sum\limits_{\substack{u\in N(v),\\ uv\in \mathcal{E}}} \frac{h^{k-1}_{uv}}{\lvert N(v)\rvert _e} \]

Here, \(\lvert N(v)\rvert _e\) denotes the number of edges in the sampled neighbourhood, and \(h^{k-1}_{uv}\) denotes their embeddings at layer k-1. For our implementation, we chose full neighbourhood sampling, which means that information from all edges in a node's neighbourhood is averaged and aggregated.
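To make this concrete, the following is a minimal sketch in plain PyTorch (not the authors' implementation) of the mean aggregation of edge embeddings over the full neighbourhood of a single node; all tensor and function names are illustrative.

```python
import torch

def mean_edge_aggregation(edge_index: torch.Tensor,
                          edge_emb: torch.Tensor,
                          node_id: int) -> torch.Tensor:
    """Element-wise mean of the embeddings of all edges incident to `node_id`.

    edge_index: LongTensor of shape (2, E) with (src, dst) node ids per edge.
    edge_emb:   FloatTensor of shape (E, d) with the layer k-1 edge embeddings.
    Returns h_{N(v)}, the aggregated neighbourhood vector of shape (d,).
    """
    # Full neighbourhood sampling: every edge that touches the node is used.
    mask = (edge_index[0] == node_id) | (edge_index[1] == node_id)
    neigh = edge_emb[mask]                  # shape (|N(v)|_e, d)
    if neigh.shape[0] == 0:                 # isolated node: no incident edges
        return torch.zeros(edge_emb.shape[1])
    return neigh.mean(dim=0)                # element-wise mean over edges
```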

In both E-GraphSAGE layers, the size of the hidden features of each layer, as represented in Equation 3, is 128 hidden units, which is also the dimension of the node embeddings. For the non-linear transformation we use the ReLU activation function, and for regularisation purposes we apply dropout with a rate of 0.2 in both E-GraphSAGE layers. We use the cross-entropy loss function, and gradient descent in the backpropagation phase is performed with the Adam optimizer at a learning rate of 0.001.
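As a compact summary of these hyper-parameters, the sketch below sets up the layer sizes, activation, dropout, loss and optimiser in PyTorch. The input dimension and the stand-in linear layers are assumptions for illustration only; they are not the authors' layer implementation, which additionally performs the neighbourhood aggregation described above.

```python
import torch
import torch.nn as nn

in_dim = 40        # raw edge/node feature size; dataset dependent (assumption)
hidden_dim = 128   # hidden units per E-GraphSAGE layer = node embedding size
num_classes = 2    # e.g. binary classification (benign vs. attack)

# Each layer transforms CONCAT(own embedding, aggregated neighbourhood embedding),
# hence the factor of 2 on the input size, followed by ReLU and dropout(0.2).
layer1 = nn.Sequential(nn.Linear(2 * in_dim, hidden_dim), nn.ReLU(), nn.Dropout(0.2))
layer2 = nn.Sequential(nn.Linear(2 * hidden_dim, hidden_dim), nn.ReLU(), nn.Dropout(0.2))
# The edge classifier operates on 256-dimensional edge embeddings (2 x 128, see below).
classifier = nn.Linear(2 * hidden_dim, num_classes)

params = (list(layer1.parameters()) + list(layer2.parameters())
          + list(classifier.parameters()))
loss_fn = nn.CrossEntropyLoss()
optimizer = torch.optim.Adam(params, lr=0.001)
```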

Once the node embeddings have been generated by the final E-GraphSAGE layer, they are transformed into the corresponding edge embeddings. Since an edge embedding is formed by concatenating the embeddings of its two endpoint nodes, its size is 256 dimensions.
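A minimal sketch of this concatenation step (names are illustrative, not the authors' code):

```python
import torch

def edge_embeddings(node_emb: torch.Tensor, edge_index: torch.Tensor) -> torch.Tensor:
    """Concatenate the final-layer embeddings of the two endpoints of every edge.

    node_emb:   (N, 128) node embeddings from the last E-GraphSAGE layer.
    edge_index: (2, E) LongTensor of (src, dst) node ids.
    Returns:    (E, 256) edge embeddings, fed to the edge classifier.
    """
    src, dst = edge_index
    return torch.cat([node_emb[src], node_emb[dst]], dim=1)

# Example: 5 nodes, 4 edges -> each edge embedding has 2 * 128 = 256 dimensions.
z = edge_embeddings(torch.randn(5, 128),
                    torch.tensor([[0, 1, 2, 3], [1, 2, 3, 4]]))
print(z.shape)  # torch.Size([4, 256])
```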

GNN

A common task performed by GNNs is generating node embeddings [16], which aims to encode nodes as low-dimensional vectors while preserving their key relationships and their position in the original graph. A pair of node embeddings can be concatenated to form an edge embedding that represents the corresponding edge. Node or edge embedding is typically a key precursor to downstream tasks such as node and edge classification or link prediction [16]. GNNs have recently received a lot of attention due to their convincing performance and the high interpretability of their results through the visualisation of the graph embeddings [17].

GraphSAGE

To generalise the power of CNNs to data with a non-Euclidean structure, GNNs use the concept of message passing. For this, the features of a graph node's neighbours are typically aggregated and passed as a message to that node. This process is repeated over a number of iterations in order to propagate information across the nodes of the network. The final result, i.e. the aggregated information captured at each node, is called the node embedding.

If information is collected from all neighbours of every node in each iteration, as proposed in many GNNs, the approach suffers from limited scalability, as well as unpredictable memory and computation requirements for large graphs.

Batch size: the number of training samples used in a single training step.

Forward Propagation - Node Embedding

The embedding of node v at the current layer k is obtained by applying the activation function to the weight matrix multiplied by the concatenation of v's embedding at layer k-1 with the aggregated embedding of v's neighbourhood.
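Written out, this corresponds to the GraphSAGE-style update rule, where the aggregated neighbourhood term \(h^{k}_{N(v)}\) is itself computed from the layer k-1 edge embeddings as defined in the training-phase section above:

\[h^{k}_{v}=\sigma\left( \mathbf{W}^{k}\cdot \mathrm{CONCAT}\left( h^{k-1}_{v},\ h^{k}_{N(v)} \right) \right) \]

Here \(\sigma\) is the non-linear activation function (ReLU in this implementation) and \(\mathbf{W}^{k}\) is the trainable weight matrix of layer k.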

Key References

Q. Xiao, J. Liu, Q. Wang, Z. Jiang, X. Wang, and Y. Yao, “Towards Network Anomaly Detection Using Graph Embedding,” in Computational Science – ICCS 2020, V. V. Krzhizhanovskaya, G. Závodszky, M. H. Lees, J. J. Dongarra, P. M. A. Sloot, S. Brissos, and J. Teixeira, Eds., Cham: Springer International Publishing, 2020, pp. 156–169, ISBN: 978-3-030-50423-6.


Xiao et al. [11] proposed a graph embedding approach to perform anomaly detection on network flows. The authors first converted the network flows into a first-order and a second-order graph. The first-order graph learns the latent features from the perspective of a single host by using its IP address and port number. The second-order graph aims to learn the latent features from a global perspective by using source IP addresses, source ports, destination IP addresses, as well as destination ports. The extracted graph embeddings and the raw features are then used to train a Random Forest classifier to detect network attacks. The evaluation is limited to only two NIDS datasets, namely CICIDS 2017 [12] and CIDDS-001 [13]. In contrast, the evaluation of the E-GraphSAGE-based NIDS considers six recent benchmark datasets. Moreover, a more significant limitation of this approach is its use of a traditional transductive graph embedding method [6], which limits its ability to classify samples with graph nodes, e.g. IP addresses and port numbers, that were not seen during the training phase. This makes the approach unsuitable for most practical NIDS application scenarios, as we cannot assume that all local and remote IP addresses and port numbers in the network are known at training time. In contrast, the E-GraphSAGE approach presented in this paper uses an inductive graph neural learning approach, which does not suffer from this limitation.