Anomaly detection of traffic session based on graph neural network

Abstract

In recent years, with the development of network technology, methods of network security threats have emerged in endlessly. Most of the existing network anomaly detection researches cannot meet the requirements of network security detection. The traditional network anomaly detection methods based on static rule matching and machine learning don't perform well in the complex and dynamic network environment, and it is highly dependent on the statistical features designed by the expert in the specific domain. This paper proposes a traffic session anomaly detection method based on graph neural network, called TSGNN, which extracts the protocol features from the original Packet Capture(PACP) file and form the session representation, further use the gate recurrent unit(GRU) to extract the internal characteristics of the traffic data protocol field, then constructs a directed graph from session packet structure relationships and uses the graph neural network model to learn association features between graph nodes, and finally inputs the graph representation feature vector into fully connected network layer for classification. The experimental results show that our method is superior to the existing research in the evaluation indicators on the CSE-CIC-IDS2018 datasets.