
Analyzing the Semantic Structure of Network Flow: A Threat Detection Method With Independent Generalization Capabilities

Bibliographic Details
Published in: IEEE Transactions on Network Science and Engineering, 2025-01, Vol. 12 (1), pp. 28-43
Main Authors: Luo, Yiqing, He, Mingshu, Wang, Xiaojuan
Format: Article
Language:English
Description
Summary: Network threat detection and identification remain fundamental tasks in cyberspace defence. Existing graph-based detection methods exhibit limited transformability and independence, which calls for a redefinition of network behaviour if they are to be applied in scenarios such as unknown-threat discovery and low-sample detection. In response to these challenges, we propose a fine-grained threat detection method based on flow semantic structure, with independent generalization capabilities, that refines the definition of flow and the representation of behaviour in data analysis. By constructing a semantic association topology map for each flow, the proposed method uses the structural information of the behavioural data to extract semantic structure features independently. It then aggregates the updated graph node information into flow-level semantic embeddings, which are used for behaviour prediction. The final evaluation shows that this method outperforms existing state-of-the-art models, achieving detection accuracies of 97.86%, 95.76%, and 99.62% on three public datasets, respectively. In addition, evaluations that simulate real threat detection environments at different threat concentrations show that the method maintains a high detection rate when only a small amount of data is used for training, and that it has some generalization ability on new samples.
ISSN: 2327-4697; 2334-329X
DOI: 10.1109/TNSE.2024.3483216