This paper presents a new Network Intrusion Detection System (NIDS) based on Graph Neural Networks (GNNs). GNNs are a relatively new sub-field of deep neural networks, which can leverage the inherent structure of graph-based data. Training and evaluation data for NIDSs are typically represented as flow records, which can naturally be represented in a graph format. This establishes the potential and motivation for exploring GNNs for network intrusion detection, which is the focus of this paper. Current approaches to graph representation learning can only consider topological information and/or node features, but not edge features. This is a key limitation for the use of current GNN models for network intrusion detection, since critical flow information for the detection of anomalous or malicious traffic, e.g. flow size, flow duration, etc., is represented as edge features in a graph representation. In this paper, we propose E-GraphSAGE, a first GNN approach which overcomes this limitation and which allows capturing the edge features of a graph, in addition to node features and topological information. We present a novel NIDS based on E-GraphSAGE, and our extensive experimental evaluation on six recent NIDS benchmark datasets shows that it outperforms the state-of-the-art with regard to key classification metrics in four out of six cases, and closely matches it in the other two cases. Our research and initial basic system demonstrate the potential of GNNs for network intrusion detection, and provide motivation for further research.
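An added sketch, not code from the paper: it shows how flow records become a graph whose edges carry the flow features, and how one aggregation step over those edge features gives each flow a representation that reflects its neighbourhood. Using hosts as nodes, an unweighted mean as the aggregator (no learned weights) and endpoint concatenation are assumptions made for illustration, and the sample flows are constructed.

```python
from collections import defaultdict

# Constructed sample flow records: (src host, dst host, [bytes, duration in s]).
FLOWS = [
    ("10.0.0.5", "10.0.0.9", [1000.0, 2.0]),
    ("10.0.0.6", "10.0.0.9", [3000.0, 3.0]),
    ("10.0.0.7", "10.0.0.9", [50.0, 1.0]),
    ("10.0.0.7", "10.0.0.5", [70.0, 0.5]),
]

def build_graph(flows):
    """Map each host (node) to the indices of the flows (edges) touching it."""
    incident = defaultdict(list)
    for idx, (src, dst, _feat) in enumerate(flows):
        incident[src].append(idx)
        if dst != src:  # count a self-loop only once
            incident[dst].append(idx)
    return dict(incident)

def aggregate_edge_features(flows, incident):
    """One aggregation step: node embedding = mean of incident edge features."""
    emb = {}
    for node, edge_ids in incident.items():
        dim = len(flows[edge_ids[0]][2])
        sums = [0.0] * dim
        for e in edge_ids:
            for k, value in enumerate(flows[e][2]):
                sums[k] += value
        emb[node] = [s / len(edge_ids) for s in sums]
    return emb

def edge_embeddings(flows, node_emb):
    """Represent each flow by its two endpoint embeddings, concatenated."""
    return [node_emb[src] + node_emb[dst] for src, dst, _feat in flows]

if __name__ == "__main__":
    incident = build_graph(FLOWS)
    node_emb = aggregate_edge_features(FLOWS, incident)
    for flow, z in zip(FLOWS, edge_embeddings(FLOWS, node_emb)):
        print(flow[0], "->", flow[1], z)
```

A classifier would be trained on the per-flow vectors, since in this setting the item to label as benign or malicious is the edge rather than the node.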