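Computer science
Intrusion detection system
Network packet
Graph
Network security
Data mining
Artificial intelligence
Graph embedding
Embedding
Machine learning
Theoretical computer science
Computer network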
Authors
Xiaoyan Hu, Wenjie Gao, Guang Cheng, Ruidong Li, Yuyang Zhou, Hua Wu
Identifier
DOI:10.1109/tifs.2023.3318960
Abstract
Early and accurate detection of network intrusions is crucial to ensure network security and stability. Existing network intrusion detection methods mainly use conventional machine learning or deep learning technology to classify intrusions based on the statistical features of network flows. The feature extraction relies on expert experience and cannot be performed until the end of network flows, which delays intrusion detection. The existing graph-based intrusion detection methods require global network traffic to construct communication graphs, which is complex and time-consuming. Besides, the existing deep learning-based and graph-based intrusion detection methods resort to massive training samples. This paper proposes Graph2vec+RF, an early and accurate network intrusion detection method based on graph embedding technology. We construct a flow graph from the initial several interactive packets for each bidirectional network flow instead, adopt graph embedding technology, graph2vec, to learn the vector representation of the flow graph and classify the graph vectors with Random Forest (RF). Graph2vec+RF automatically extracts flow graph features using subgraph structures and relies on only a small number of the initial interactive packets per bidirectional network flow without requiring massive training samples to achieve early and accurate network intrusion detection. Our experimental results on the CICIDS2017 and CICIDS2018 datasets show that our proposed Graph2vec+RF outperforms the state-of-the-art methods in terms of accuracy, recall, precision, and F1-score.