Graph-Structured Network Traffic Modelling for Anomaly-Based Intrusion Detection

Abstract

The increasing complexity of cyber threats demands more advanced network intrusion detection systems (NIDS) capable of identifying both known and emerging attack patterns. In this study, we propose a graph-based anomaly detection approach for network intrusion detection, where network traffic is modeled as graph structures capturing both attribute and topological information. Five graph anomaly detection models—DOMINANT, OCGNN, AnomalyDAE, GAE, and CONAD—are implemented and evaluated on the UNSW-NB15 dataset. The constructed graphs use info_message attributes as nodes, with edges representing sequential traffic relationships. Experimental results show that the Graph Autoencoder (GAE) and Dual Autoencoder (AnomalyDAE) models outperform other methods, achieving F1-scores of 0.8728 and 0.7939, respectively. These findings demonstrate that reconstruction-based approaches effectively capture complex network behaviors, highlighting the potential of graph-based methods to enhance the robustness and accuracy of modern NIDS. Future work will explore dynamic graph modeling, attention mechanisms, and optimization techniques to further improve detection capabilities.