Anomaly Encrypted Traffic Detection Method Based on Graph Attention Network

Abstract

Abstract: In response to the limitations of poor feature extraction, insufficient consideration of topological features, class imbalance, and lack of interpretability in existing anomaly encrypted traffic detection methods, this paper proposes an encrypted traffic detection model EGARNet that integrates a graph attention network (GAT) with edge feature embedding and residual networks. First, traffic data is preprocessed, and the network’s fivetuple information is used to construct graph nodes, with the remaining flow features treated as edge features, transforming encrypted traffic data into graph data. To adapt to the GAT algorithm, a new network traffic graph is constructed where new nodes correspond to edges in the original graph, and shared vertices in the original graph correspond to edges between two nodes, transforming the traffic detection problem into a node classification problem. Next, the attention coefficient for each node is calculated through the GAT algorithm to aggregate and update features. Finally, residual connections of the original nodes are added to the algorithm to improve the performance for minority classes. Experimental results on the CICDarkNet dataset demonstrate that the method effectively addresses the class imbalance issue in anomaly detection of encrypted traffic, with significant improvements in detection metrics for both binary and multiclass scenarios.

Key words: cybersecurity, encrypted traffic detection, graph neural network, graph attention network (GAT)

摘要： 针对现有的异常加密流量检测方法存在特征提取效果不好、拓扑特征不明显、类不平衡、缺乏可解释性等问题，提出一种融合图注意力网络、边特征嵌入的残差网络加密流量检测模型EGARNet.首先，对流量进行预处理，基于网络五元组信息组合图的节点，将剩余的流特征作为边特征，使加密流量数据转化为图数据.为了适应图注意力网络算法，构建新的网络流量图，新节点对应于原图的边，原图中共享顶点对应2个节点之间的边，流量检测问题转化为节点分类问题.其次，通过图注意力网络算法，计算出每个节点的注意力系数，聚合和更新特征.最后，在算法中添加原始节点的残差连接，提高少数分类的性能.在数据集CICDarkNet上的实验结果表明，该方法可以有效处理异常加密流量检测中类不平衡问题，在2分类和多分类场景下各项检测指标均有明显提升.

关键词: 网络安全, 加密流量检测, 图神经网络, 图注意力网络, 残差网络

CLC Number:

TP393.08

赵一琳, 贾慰心, 陈伟, . 融合图注意力网络的异常加密流量检测方法[J]. 信息安全研究, 2026, 12(3): 237-.

References

［1］中国互联网络信息中心. 第53次中国互联网络发展状况统计报告［EBOL］. (20240322) ［20250209］. https:www.cnnic.net.cnn420240322c8810964.html［2］Velan P, ermák M, eleda P, et al. A survey of methods for encrypted traffic classification and analysis［J］. International Journal of Network Management, 2015, 25(5): 355374［3］Azab A, Khasawneh M, Alrabaee S, et al. Network traffic classification: Techniques, datasets, and challenges［J］. Digital Communications and Networks, 2024, 10(3): 676692［4］Alam S, Sonbhadra S K, Agarwal S, et al. Oneclass support vector classifiers: A survey［J］. KnowledgeBased Systems, 2020, 196(78): 105754［5］Mohammadi M, Rashid T A, Karim S H T, et al. A comprehensive survey and taxonomy of the SVMbased intrusion detection systems［J］. Journal of Network and Computer Applications, 2021, 178: 102983［6］Guezzaz A, Benkirane S, Azrour M, et al. A reliable network intrusion detection approach using decision tree with enhanced data quality［J］. Security and Communication Networks, 2021, 1: 1230593［7］AlOmari M, Rawashdeh M, Qutaishat F, et al. An intelligent treebased intrusion detection model for cyber security［J］. Journal of Network and Systems Management, 2021, 29(2): 20［8］Li L, Zhang H, Peng H, et al. Nearest neighbors based density peaks approach to intrusion detection［J］. Chaos, Solitons & Fractals, 2018, 110: 3340［9］Vinayakumar R, Soman K P, Poornachandran P. Applying convolutional neural network for network intrusion detection［C］ Proc of the 2017 Int Conf on Advances in Computing, Communications and Informatics (ICACCI). Piscataway, NJ: IEEE, 2017: 12221228［10］Park S H, Park H J, Choi Y J. RNNbased prediction for network intrusion detection［C］ Proc of the 2020 Int Conf on Artificial Intelligence in Information and Communication (ICAIIC). Piscataway, NJ: IEEE, 2020: 572574［11］Andresini G, Appice A, Malerba D. Autoencoderbased deep metric learning for network intrusion detection［J］. Information Sciences, 2021, 569: 706727［12］Wang Z. The applications of deep learning on traffic identification［J］. BlackHat USA, 2015, 24(11): 110［13］Wang W, Zhu M, Zeng X, et al. Malware traffic classification using convolutional neural network for representation learning［C］ Proc of the 2017 Int Conf on Information Networking (ICOIN). Piscataway, NJ: IEEE, 2017: 712717［14］Yao H, Gao P, Wang J, et al. Capsule network assisted IoT traffic classification mechanism for smart cities［J］. IEEE Internet of Things Journal, 2019, 6(5): 75157525［15］Zhou X, Liang W, Li W, et al. Hierarchical adversarial attacks against graphneuralnetworkbased IoT network intrusion detection system［J］. IEEE Internet of Things Journal, 2021, 9(12): 93109319［16］Sun B, Yang W, Yan M, et al. An encrypted traffic classification method combining graph convolutional network and autoencoder［C］ Proc of the 39th Int Performance Computing and Communications Conf (IPCCC). Piscataway, NJ: IEEE, 2020: 18［17］Mo S, Wang Y, Xiao D, et al. Encrypted traffic classification using graph convolutional networks［C］ Proc of the 16th Int Conf on Advanced Data Mining and Applications (ADMA 2020). Berlin: Springer, 2020: 207219［18］Lo W W, Layeghy S, Sarhan M, et al. Egraphsage: A graph neural network based intrusion detection system for IoT［C］ Proc of the 2022 IEEEIFIP Network Operations and Management Symp (NOMS 2022). Piscataway, NJ: IEEE, 2022: 19［19］Zhang L, Tan L, Shi H, et al. Malicious traffic classification for IoT based on graph attention network and long shortterm memory network［C］ Proc of the 24th AsiaPacific Network Operations and Management Symposium (APNOMS). Piscataway, NJ: IEEE, 2023: 5459［20］喻晓伟, 陈丹伟. 基于注意力机制的图神经网络加密流量分类研究［J］. 信息安全研究, 2023, 9(1): 1321

[1]	. Model of Insider Threat Behavior Detection Based on Graph Neural Network [J]. Journal of Information Security Reserach, 2025, 11(7): 586-.
[2]	. An Efficient Detection Method of Phishing Email Based on Language Model and LoRA [J]. Journal of Information Security Reserach, 2025, 11(12): 1117-.
[3]	. Robust Malicious Encrypted Traffic Detection Method Based on Dual Confidence Sample Selection [J]. Journal of Information Security Reserach, 2025, 11(10): 924-.
[4]	. A Binary Modularization Approach Based on Graph Community Detection Method [J]. Journal of Information Security Reserach, 2025, 11(1): 43-.
[5]	. Research on the Evaluation of Emergency Response to Cybersecurity Events in the Securities Industry [J]. Journal of Information Security Reserach, 2024, 10(4): 368-.
[6]	. A Survey of Forensic Network Attack Source Traceback [J]. Journal of Information Security Reserach, 2024, 10(4): 302-.
[7]	. Research on Vulnerability Text Feature Classification Technology Based on BERT [J]. Journal of Information Security Reserach, 2023, 9(7): 687-.
[8]	. Research on the Disclosure and Sharing Policy of Cybersecurity Vulnerabilities in China and the United States [J]. Journal of Information Security Reserach, 2023, 9(6): 602-.
[9]	. Research on Intranet Security Integrated Protection Architecture in Energy Enterprises Under Complex Network Threat Environment [J]. Journal of Information Security Reserach, 2023, 9(4): 390-.
[10]	. Research on Encrypted Traffic Classification of Graph Neural Network Based on Attention Mechanism [J]. Journal of Information Security Reserach, 2023, 9(1): 13-.
[11]	. An Overview of Application and Technology of Artificial Intelligence in Cybersecurity [J]. Journal of Information Security Reserach, 2022, 8(2): 110-.
[12]	. Relationship Analysis of Cloud Platform Data Protection and Content Review Obligation [J]. Journal of Information Security Reserach, 2022, 8(11): 1079-.
[13]	. The Knowing, Practices and Thoughts on “Cybersecurity Maps” from CubeSec [J]. Journal of Information Security Reserach, 2021, 7(E1): 140-.
[14]	. Whole Process Solution of Classified Protection 2.0 [J]. Journal of Information Security Reserach, 2021, 7(E1): 182-.
[15]	. The Analysis of National Security Risk in Open Source Software Supply Chain [J]. Journal of Information Security Reserach, 2021, 7(9): 790-794.