Guanghan Duan,Hongwu Lv,Huiqiang Wang,Guangsheng Feng,Xiaoli Li

DOI: https://doi.org/10.1109/tifs.2024.3385321

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:Deep learning (DL) greatly enhances cyber anomaly detection capabilities through effective statistical network characteristic. However, previous methods have not fully addressed two real-world scenario-driven challenges. 1) Frequent node access and disconnection sourced from free-bounded 5G/B5G cyberspace introduce unfamiliar communication behavior patterns, reducing the detection ability of the pre-trained DL model. 2) Low-frequency or sporadic communication behaviors lack stable patterns, posing a challenge for existing AI-driven models, including DL-based detection methods. To address these issues, we propose a cyber anomaly detection framework based on Continuous Temporal Graph (CTG) neural network from a new interaction-centered perspective. The proposed framework refines the concrete information interaction between network entities into the CTG evolution process, thereby naturally incorporating new node access behaviors into feature extraction on CTG neural network. We furthermore present a message aggregation scheme on CTG with fusion of spatio-temporal neighborhood, the actual time distribution and the historical state, thus transforming communication into a more stable pattern for the learning of low-frequency interactions. Extensive experiments on 4 novel datasets, including ToN-IoT, UNSWNB15, CIC-Dark2020, J.P. Morgan payment, demonstrate that our approach outperforms state-of-the-art methods, particularly in detecting new access and low-frequency behaviors.

computer science, theory & methods,engineering, electrical & electronic

Rui Wen,Jianyu Wang,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3391266

2020-01-01

Abstract:Given a large graph with millions of vertices and different types, how can we spot anomalies and find potential adversaries in time? Most graph-based fraud detection algorithms focus on finding dense blocks, discovering local subgraphs, designing belief propagation, and latent factor models. However, as fraudsters in online social networks gradually become adversarial, distributed, and invisible, it is easy for them to evade traditional detection methods. Even worse, existing detection systems are fragile to the new attacks. Once attackers update their tragedies, they will be inefficient. Our focus is to detect potential adversaries as soon as possible. We design and propose ASA (Adversary Situation Awareness), a system that (a) uncovers potential adversaries in time, (b) utilizes heterogeneous information in the graph, and (c)is effective in real-world data. We do experiments on a heterogeneous graph including 198,541 nodes with five types and 224,384 edges. The result shows that ASA can spot potential adversaries and successfully recovers 60 of potential abnormal users within a few minutes. Additionally, after two months we deployed it, ASA could achieve 90 recall, which means ASA can well discover a small number of adversaries with a latent period in time.

Jinfu Chen,Yemin Yin,Saihua Cai,Weijia Wang,Shengran Wang,Jiming Chen

DOI: https://doi.org/10.1016/j.scico.2024.103156

IF: 1.039

2024-01-01

Science of Computer Programming

Abstract:Software vulnerability detection is a challenging task in the security field, the boom of deep learning technology promotes the development of automatic vulnerability detection. Compared with sequence-based deep learning models, graph neural network (GNN) can learn the structural features of code, it performs well in the field of vulnerability detection for source code. However, different GNNs have different detection results for the same code, and using a single kind of GNN may lead to high false positive rate and false negative rate. In addition, the complex structure of source code causes single GNN model cannot effectively learn their depth feature, thereby leading to low detection accuracy. To solve these limitations, we propose a software vulnerability detection model called iGnnVD based on the integrated graph neural networks. In the proposed iGnnVD model, the base detectors including GCN, GAT and APPNP are first constructed to capture the bidirectional information in the code graph structure with bidirectional structure; And then, the residual connection is used to aggregate the features while retaining the features each time; Finally, the convolutional layer is used to perform the aggregated classification. In addition, an integration module that analyses the detection results of three detectors for final classification is designed using a voting strategy to solve the problem of high false positive rate and false negative rate caused by using a single kind of base detector. We perform extensive experiments on three datasets and experimental results show that the proposed iGnnVD model can improve the detection accuracy of vulnerabilities in source code as well as reduce the false positive rate and false negative rate compared with existing deep learning-based vulnerability detection models, it also has good stability.

Jun Zhao,Minglai Shao,Hong Wang,Xiaomei Yu,Bo Li,Xudong Liu

DOI: https://doi.org/10.1016/j.knosys.2021.108086

2022-03-01

Abstract:Predicting cyber threats is crucial for uncovering underlying security risks and proactively preventing malicious attacks. However, predicting cyber threats and demystifying the evolutionary patterns are challenging due to the heterogeneity and dynamics of cyber threats. In this paper, we propose CTP-DHGL, a novel Cyber Threat Prediction model based on Dynamic Heterogeneous Graph Learning, to predict the potential cyber threats by investigating public security-related data (e.g., CVE details, ExploitDB). Particularly, we first characterize the interactive relationships among different types of cyber threat objects with a heterogeneous graph. We then formalize cyber threat prediction as a dynamic link prediction task on the heterogeneous graph and propose an end-to-end dynamic heterogeneous graph embedding method to learn the dynamic evolutionary patterns of the graph. As a result, CTP-DHGL can infer potential link relationships based on the evolving graph embedding sequences learned from previous snapshots to infer stealthy cyber threats. The experimental results on real-world datasets verify that CTP-DHGL outperforms the baseline models in learning the evolutionary patterns of cyber threats and predicting potential cyber risks.

computer science, artificial intelligence

Weiyong Yang,Peng Gao,Hao Huang,Xingshen Wei,Haotian Zhang,Zhihao Qu

DOI: https://doi.org/10.1109/globecom48099.2022.10001486

2022-01-01

Abstract:Advanced persistent threat (APT) attacks have caused severe damage to many core information infrastructures. To tackle this issue, the graph-based methods have been proposed due to their ability for learning complex interaction patterns of network entities with discrete graph snapshots. However, such methods are challenged by the computer networking model characterized by a natural continuous-time dynamic heterogeneous graph. In this paper, we propose a heterogeneous graph neural network based APT detection method in smart grid clouds. Our model is an encoder-decoder structure. The encoder uses heterogeneous temporal memory and attention embedding modules to capture contextual information of interactions of network entities from the time and spatial dimensions respectively. We implement a prototype and conduct extensive experiments on real-world cyber-security datasets with more than 10 million records. Experimental results show that our method can achieve superior detection performance than state-of-the-art methods.

Mai Ye,Shiming Men,Lei Xie,Bing Chen

DOI: https://doi.org/10.1145/3605801.3605807

2023-01-01

Abstract:APT(Advanced Persistent Threat) are known for their stealth, persistence, and sophistication, often carried out by skilled and well-funded attackers. To detect and investigate APT attacks at the host-level, scholars have extensively studied the provenance graph, which preserves the complete attack context. However, existing methods have impractical requirements for data collection and threshold setting, severely impacting their real-world performance. In this paper, we propose GCA (Graph Competitive Autoencoder), a GNN-based graph-level anomaly detection system. We first extract entities and their interactions from host logs to construct a provenance graph. Subsequently, we utilize GNN (Graph Neural Network) as a graph encoder to obtain graph-level embeddings. In the anomaly detection part, we use the competitive autoencoder and mutual information maximization to identify the attack graph. With this model, we can conduct graph-level anomaly detection even when the training data is partially contaminated, without manually setting the threshold. We deploy and evaluate our model on the public dataset StreamSpot. Our results show that GCA outperforms existing methods in terms of accuracy and practicality.

Sichen Ding,Gaiyun Liu,Li Yin,Jianzhou Wang,Zhiwu Li

DOI: https://doi.org/10.3390/math12172635

IF: 2.4

2024-08-27

Mathematics

Abstract:This paper addresses the problem of cyber-attack detection in a discrete event system by proposing a novel model. The model utilizes graph convolutional networks to extract spatial features from event sequences. Subsequently, it employs gated recurrent units to re-extract spatio-temporal features from these spatial features. The obtained spatio-temporal features are then fed into an attention model. This approach enables the model to learn the importance of different event sequences, ensuring that it is sufficiently general for identifying cyber-attacks, obviating the need to specify attack types. Compared with traditional methods that rely on synchronous product computations to synthesize diagnosers, our deep learning-based model circumvents state explosion problems. Our method facilitates real-time and efficient cyber-attack detection, eliminating the necessity to specifically identify system states or distinguish attack types, thereby significantly simplifying the diagnostic process. Additionally, we set an adjustable probability threshold to determine whether an event sequence has been compromised, allowing for customization to meet diverse requirements. Experimental results demonstrate that the proposed method performs well in cyber-attack detection, achieving over 99.9% accuracy at a 1% threshold and a weighted F1-score of 0.8126, validating its superior performance.

mathematics

Mingqi Lv,Chengyu Dong,Tieming Chen,Tiantian Zhu,Qijie Song,Yuan Fan

DOI: https://doi.org/10.48550/arXiv.2112.08986

2021-12-17

Abstract:A cyber-attack is a malicious attempt by experienced hackers to breach the target information system. Usually, the cyber-attacks are characterized as hybrid TTPs (Tactics, Techniques, and Procedures) and long-term adversarial behaviors, making the traditional intrusion detection methods ineffective. Most existing cyber-attack detection systems are implemented based on manually designed rules by referring to domain knowledge (e.g., threat models, threat intelligences). However, this process is lack of intelligence and generalization ability. Aiming at this limitation, this paper proposes an intelligent cyber-attack detection method based on provenance data. To effective and efficient detect cyber-attacks from a huge number of system events in the provenance data, we firstly model the provenance data by a heterogeneous graph to capture the rich context information of each system entities (e.g., process, file, socket, etc.), and learns a semantic vector representation for each system entity. Then, we perform online cyber-attack detection by sampling a small and compact local graph from the heterogeneous graph, and classifying the key system entities as malicious or benign. We conducted a series of experiments on two provenance datasets with real cyber-attacks. The experiment results show that the proposed method outperforms other learning based detection models, and has competitive performance against state-of-the-art rule based cyber-attack detection systems.

Cryptography and Security,Machine Learning

Linghui Li,Yali Gao,Xiaoyong Li,Shui Yu,Jie Yuan,Ximing Li,Jia Jia

DOI: https://doi.org/10.1109/TIFS.2023.3245413

IF: 7.231

IEEE Transactions on Information Forensics and Security

Abstract:Insider threat is destructive and concealable, making addressing it a challenging task in cybersecurity. Most existing methods transform user behavior into sequential information and analyze user behavior while neglecting structural information among users, resulting in high false positives. To solve this problem, in this paper, we propose Dual-Domain Graph Convolutional Network (referred to as DD-GCN), a graph-based modularized method for high accuracy and adaptive insider threat detection. The central idea is to convert user features and structural information into heterogeneous graphs in the light of various relationships and take user behavior and relationship into account together. To this end, a weighted feature similarity mechanism is applied to balance the feature similarity of users and original linkages among them so as to generate the fused structure. Next, specific graph embeddings are extracted from the original topology structure and fused structure simultaneously, which convert behavior information into high-level representations. Furthermore, an attention mechanism is applied to learn the adaptive importance weights of the user’s features in the corresponding embedding. The combination and difference constraints are proposed to enhance the learned embeddings’ commonality and the ability to capture different information. Extensive experiments on two real-world datasets clearly show that our proposed DD-GCN extracts the most correlated information from structural topology and feature information substantially, and achieves improved accuracy with a clear margin.

Computer Science

Zitong Li,Xiang Cheng,Lixiao Sun,Ji Zhang,Bing Chen

DOI: https://doi.org/10.1155/2021/9961342

IF: 1.968

2021-05-04

Security and Communication Networks

Abstract:Advanced Persistent Threats (APTs) are the most sophisticated attacks for modern information systems. Currently, more and more researchers begin to focus on graph-based anomaly detection methods that leverage graph data to model normal behaviors and detect outliers for defending against APTs. However, previous studies of provenance graphs mainly concentrate on system calls, leading to difficulties in modeling network behaviors. Coarse-grained correlation graphs depend on handcrafted graph construction rules and, thus, cannot adequately explore log node attributes. Besides, the traditional Graph Neural Networks (GNNs) fail to consider meaningful edge features and are difficult to perform heterogeneous graphs embedding. To overcome the limitations of the existing approaches, we present a hierarchical approach for APT detection with novel attention-based GNNs. We propose a metapath aggregated GNN for provenance graph embedding and an edge enhanced GNN for host interactive graph embedding; thus, APT behaviors can be captured at both the system and network levels. A novel enhancement mechanism is also introduced to dynamically update the detection model in the hierarchical detection framework. Evaluations show that the proposed method outperforms the state-of-the-art baselines in APT detection.

computer science, information systems,telecommunications

Yi Li,Zhangbing Zhou,Shuiguang Deng,Xiao Sun,Xiao Xue,Sami Yangui,Walid Gaaloul

DOI: https://doi.org/10.1109/icws62655.2024.00077

2024-01-01

Abstract:Anomaly detection is a long-standing research topic to support the prompt remedy of potential risks for dependency-aware tasks, where Graph Neural Networks (GNNs) models have been adopted to differentiate anomalies from normal patterns. Generally, GNN models utilize time series data to construct graph structures for capturing task dependencies between Internet of Things (IoT) devices, such that deviations from predicted behaviours are assumed as anomalies. Current forecasting-based anomaly detection methods can hardly detect anomalies, which are uncovered by historical sensory data, but are explicitly specified by domain knowledge. To solve this issue, this paper proposes a Knowledge-enhanced graph attention-based Anomaly Detection (KeAD) method. Specifically, a knowledge-enhanced graph structure is constructed by incorporating domain-specific knowledge to represent spatio-temporal dependencies between IoT devices. Thereafter, a knowledge-enhanced graph attention-based forecasting network is developed to predict future behaviours of IoT devices. Anomalies are detected by analyzing deviations from these predicted behaviours, taking domain-specific knowledge into account. Extensive experiments are conducted based on publicly-available datasets, and evaluation results demonstrate that our KeAD outperform the state-of-the-art techniques in terms of the accuracy of anomaly detection.

Shen Wang,Zhengzhang Chen,Xiao Yu,Ding Li,Jingchao Ni,Lu-An Tang,Jiaping Gui,Zhichun Li,Haifeng Chen,Philip S. Yu

DOI: https://doi.org/10.24963/ijcai.2019/522

2019-08-01

Abstract:Information systems have widely been the target of malware attacks. Traditional signature-based malicious program detection algorithms can only detect known malware and are prone to evasion techniques such as binary obfuscation, while behavior-based approaches highly rely on the malware training samples and incur prohibitively high training cost. To address the limitations of existing techniques, we propose MatchGNet, a heterogeneous Graph Matching Network model to learn the graph representation and similarity metric simultaneously based on the invariant graph modeling of the program's execution behaviors. We conduct a systematic evaluation of our model and show that it is accurate in detecting malicious program behavior and can help detect malware attacks with less false positives. MatchGNet outperforms the state-of-the-art algorithms in malware detection by generating 50% less false positives while keeping zero false negatives.

Jiaxi Li,Mohammad-Reza Namazi-Rad,Ling Chen,Guansong Pang

DOI: https://doi.org/10.1109/DSAA60987.2023.10302626

2023-08-28

Abstract:This work considers the problem of heterogeneous graph-level anomaly detection. Heterogeneous graphs are commonly used to represent behaviours between different types of entities in complex industrial systems for capturing as much information about the system operations as possible. Detecting anomalous heterogeneous graphs from a large set of system behaviour graphs is crucial for many real-world applications like online web/mobile service and cloud access control. To address the problem, we propose HRGCN, an unsupervised deep heterogeneous graph neural network, to model complex heterogeneous relations between different entities in the system for effectively identifying these anomalous behaviour graphs. HRGCN trains a hierarchical relation-augmented Heterogeneous Graph Neural Network (HetGNN), which learns better graph representations by modelling the interactions among all the system entities and considering both source-to-destination entity (node) types and their relation (edge) types. Extensive evaluation on two real-world application datasets shows that HRGCN outperforms state-of-the-art competing anomaly detection approaches. We further present a real-world industrial case study to justify the effectiveness of HRGCN in detecting anomalous (e.g., congested) network devices in a mobile communication service. HRGCN is available at https://github.com/jiaxililearn/HRGCN.

Computer Science

Guanghan Duan,Hongwu Lv,Huiqiang Wang,Guangsheng Feng

DOI: https://doi.org/10.1109/tifs.2022.3228493

IF: 7.231

2022-12-24

IEEE Transactions on Information Forensics and Security

Abstract:Deep learning (DL) greatly enhances binary anomaly detection capabilities through effective statistical network characterization; nevertheless, the intrusion class differentiation performance is still insufficient. Two related challenges have not been fully explored. 1) Statistical attack characteristics are overemphasized while ignoring inherent attack topologies; sequence features are extracted from whole traffic flows, but the interaction evolution of each IP pair over time is rarely considered, such as in long short-term memory (LSTM) and gated recurrent units (GRUs). 2) Meeting the need for many high-quality labeled data samples is an expensive and labor-intensive task in large-scale, complex, and heterogeneous networks. To address these issues, we propose a dynamic line graph neural network (DLGNN)-based intrusion detection method with semisupervised learning. Our model converts network traffic into a series of spatiotemporal graphs. A dynamic GNN (DGNN) is employed to extract spatial information from each discrete snapshot and capture the contextual evolution of communication between IP pairs through consecutive snapshots. Moreover, a line graph realizes edge embedding expressions corresponding to network communications and strengthens the message aggregation ability of graph convolution. Experiments on 6 novel datasets demonstrate that our approach achieves 98.15–99.8% accuracy in abnormality detection with fewer labeled samples. Meanwhile, state-of-the-art multiclass performance is achieved, e.g., the average detection accuracy for DDoS across the 6 datasets reaches 95.32%.

Yalu Wang,Jie Li,Wei Zhao,Zhijie Han,Hang Zhao,Lei Wang,Xin He

DOI: https://doi.org/10.3390/rs15143611

IF: 5

2023-07-21

Remote Sensing

Abstract:With the rapid development of the Internet of Things (IoT)-based near-Earth remote sensing technology, the problem of network intrusion for near-Earth remote sensing systems has become more complex and large-scale. Therefore, seeking an intelligent, automated, and robust network intrusion detection method is essential. Many researchers have researched network intrusion detection methods, such as traditional feature-based and machine learning methods. In recent years, network intrusion detection methods based on graph neural networks (GNNs) have been proposed. However, there are still some practical issues with these methods. For example, they have not taken into consideration the characteristics of near-Earth remote sensing systems, the state of the nodes, and the temporal features. Therefore, this article analyzes the factors of existing near-Earth remote sensing systems and proposes a spatio-temporal graph attention network (N-STGAT) that considers the state of nodes and applies them to the network intrusion detection of near-Earth remote sensing systems. Finally, the proposed method in this article is validated using the latest flow-based datasets NF-BoT-IoT-v2 and NF-ToN-IoT-v2. The results demonstrate that the binary classification accuracy for network intrusion detection exceeds 99%, while the multi-classification accuracy exceeds 93%. These findings provide substantial evidence that the proposed method outperforms existing intrusion detection techniques.

environmental sciences,imaging science & photographic technology,remote sensing,geosciences, multidisciplinary

Jun Zhao,Xudong Liu,Qiben Yan,Bo Li,Minglai Shao,Hao Peng

DOI: https://doi.org/10.1016/j.ins.2020.03.113

IF: 8.1

2020-10-01

Information Sciences

Abstract:<p>Bot detection is a fundamental and crucial task for tracing and mitigating cyber threats in the Internet. This paper aims to address two major limitations of current bot detection systems. First, existing flow-based bot detection approaches ignore structural information of botnets, which lead to false detection. Second, they cannot identify the interactive behavioral patterns among heterogeneous botnet objects. In this paper, we propose a novel bot detection framework, namely Bot-AHGCN, which models fine-grained network flow objects (e.g., IP, response) as a multi-attributed heterogeneous graph and transforms bot detection problem into a semi-supervised node classification task on the graph. Particularly, we first build a multi-attributed heterogeneous information network (AHIN) to model the interdependent relationships among botnet objects. Second, we present a weight-learning based node embedding method, which learns the interactive behavioral patterns among bots and integrates them into weighted similarity graphs. Finally, we perform graph convolution on the learned similarity graphs to characterize more comprehensive and discriminative features of bots, and feed them into a forward neural network to identify bots. The overall experimental results on two real-world datasets confirm that Bot-AHGCN outperforms the existing state-of-the-art approaches, and presents better interpretability by introducing meaningful meta-paths and meta-graphs.</p>

computer science, information systems

Yalu Wang,Jie Li,Wei Zhao,Zhijie Han,Hang Zhao,Lei Wang,Xin He

DOI: https://doi.org/10.3390/rs15143611

IF: 5

2023-01-01

Remote Sensing

Abstract:With the rapid development of the Internet of Things (IoT)-based near-Earth remote sensing technology, the problem of network intrusion for near-Earth remote sensing systems has become more complex and large-scale. Therefore, seeking an intelligent, automated, and robust network intrusion detection method is essential. Many researchers have researched network intrusion detection methods, such as traditional feature-based and machine learning methods. In recent years, network intrusion detection methods based on graph neural networks (GNNs) have been proposed. However, there are still some practical issues with these methods. For example, they have not taken into consideration the characteristics of near-Earth remote sensing systems, the state of the nodes, and the temporal features. Therefore, this article analyzes the factors of existing near-Earth remote sensing systems and proposes a spatio-temporal graph attention network (N-STGAT) that considers the state of nodes and applies them to the network intrusion detection of near-Earth remote sensing systems. Finally, the proposed method in this article is validated using the latest flow-based datasets NF-BoT-IoT-v2 and NF-ToN-IoT-v2. The results demonstrate that the binary classification accuracy for network intrusion detection exceeds 99%, while the multi-classification accuracy exceeds 93%. These findings provide substantial evidence that the proposed method outperforms existing intrusion detection techniques.

Haodong Yan,Fudong Li,Jinglong Chen,Zijun Liu,Jun Wang,Yong Feng,Xinwei Zhang

DOI: https://doi.org/10.1016/j.ress.2023.109418

2023-06-09

Abstract:Real-time anomaly detection is essential for the safe launch of some sophisticated equipment, such as liquid rocket engines (LRE), in order to head off disasters. However, the Industrial Internet of Things (IIoT) edge's real-time requirements cannot be addressed by the present methodologies, and the outcome is poor when dealing with a lack of training samples on the device side. We provide a solution for device-side real-time anomaly detection using the architecture known as Graph Embedded in Graph Networks to address these issues (GG-Nets). To fully extract features under insufficient training data, in our method, we learn the temporal relationship of timestamps in the multivariate signal through a time-series graph attention network (T-GAT) and extract features, and use the extracted features to replace the original signal as the information of the sensor attention network (S-GAT) nodes. For efficiency, the signals in the original sample are divided into odd and even sequences, which greatly reduces the number of nodes in the T-GAT. Experiments reveal that the proposed method outperforms other state-of-the-art models on the LRE ignition dataset. Furthermore, the ablation experiment proves that each module of the model improves the effect and extensive discussions explore interpretability. Our code can be found on: https://github.com/yhd-ai/GG-Nets .

engineering, industrial,operations research & management science

Liyan Chang,Paula Branco

DOI: https://doi.org/10.48550/arXiv.2111.13597

2021-11-27

Abstract:The high volume of increasingly sophisticated cyber threats is drawing growing attention to cybersecurity, where many challenges remain unresolved. Namely, for intrusion detection, new algorithms that are more robust, effective, and able to use more information are needed. Moreover, the intrusion detection task faces a serious challenge associated with the extreme class imbalance between normal and malicious traffics. Recently, graph-neural network (GNN) achieved state-of-the-art performance to model the network topology in cybersecurity tasks. However, only a few works exist using GNNs to tackle the intrusion detection problem. Besides, other promising avenues such as applying the attention mechanism are still under-explored. This paper presents two novel graph-based solutions for intrusion detection, the modified E-GraphSAGE, and E-ResGATalgorithms, which rely on the established GraphSAGE and graph attention network (GAT), respectively. The key idea is to integrate residual learning into the GNN leveraging the available graph information. Residual connections are added as a strategy to deal with the high-class imbalance, aiming at retaining the original information and improving the minority classes' performance. An extensive experimental evaluation of four recent intrusion detection datasets shows the excellent performance of our approaches, especially when predicting minority classes.

Cryptography and Security,Machine Learning

Yasir Ali Farrukh,Syed Wali,Irfan Khan,Nathaniel D. Bastian

2024-08-27

Abstract:In the rapidly evolving field of cybersecurity, the integration of flow-level and packet-level information for real-time intrusion detection remains a largely untapped area of research. This paper introduces "XG-NID," a novel framework that, to the best of our knowledge, is the first to fuse flow-level and packet-level data within a heterogeneous graph structure, offering a comprehensive analysis of network traffic. Leveraging a heterogeneous graph neural network (GNN) with graph-level classification, XG-NID uniquely enables real-time inference while effectively capturing the intricate relationships between flow and packet payload data. Unlike traditional GNN-based methodologies that predominantly analyze historical data, XG-NID is designed to accommodate the heterogeneous nature of network traffic, providing a robust and real-time defense mechanism. Our framework extends beyond mere classification; it integrates Large Language Models (LLMs) to generate detailed, human-readable explanations and suggest potential remedial actions, ensuring that the insights produced are both actionable and comprehensible. Additionally, we introduce a new set of flow features based on temporal information, further enhancing the contextual and explainable inferences provided by our model. To facilitate practical application and accessibility, we developed "GNN4ID," an open-source tool that enables the extraction and transformation of raw network traffic into the proposed heterogeneous graph structure, seamlessly integrating flow and packet-level data. Our comprehensive quantitative comparative analysis demonstrates that XG-NID achieves an F1 score of 97\% in multi-class classification, outperforming existing baseline and state-of-the-art methods. This sets a new standard in Network Intrusion Detection Systems by combining innovative data fusion with enhanced interpretability and real-time capabilities.

Cryptography and Security,Artificial Intelligence,Machine Learning