Flow Topology-based Graph Convolutional Network for Intrusion Detection in Label-Limited IoT Networks

Given the distributed nature of the massively connected "Things" in IoT, IoT networks have been a primary target for cyberattacks. Although machine learning based network intrusion detection systems (NIDS) can effectively detect abnormal network traffic behaviors, most existing approaches are based on a large amount of labeled traffic flow data, which hinders their implementation in the highly dynamic IoT networks with limited labeling. In this paper, we develop a novel Flow Topology based Graph Convolutional Network (FT-GCN) approach for label-limited IoT network intrusion detection. Our main idea is to leverage the underlying traffic flow patterns, i.e., the flow topological structure, to unlock the full potential of the traffic flow data with limited labeling, where the FT-GCN will be deployed at the edge servers in IoT networks to detect intrusions via software defined network technologies. Specifically, FT-GCN first takes the time correlation of traffic flows into account to construct an interval-constrained traffic graph (ICTG). Besides, a Node-Level Spatial (NLS) attention mechanism is designed to further enhance the key statistical features of traffic flows in ICTG. Finally, the combined representation of statistical flow features and flow topological structure are learned by the cost-effective Topology Adaptive Graph Convolutional Networks (TAGCN) for intrusion identification in IoT networks. Extensive experiments are conducted on three real-world datasets, which demonstrate the effectiveness of the proposed FT-GCN compared to state-of-the-art approaches.