Research article, DOI: 10.1145/3616855.3635783

PhoGAD: Graph-based Anomaly Behavior Detection with Persistent Homology Optimization

Published: 04 March 2024

Abstract

A multitude of toxic online behaviors, ranging from network attacks to anonymous traffic and spam, have severely disrupted the smooth operation of networks. Due to the inherent sender-receiver nature of network behaviors, graph-based frameworks are commonly used for detecting anomalous behaviors. However, in real-world scenarios, the boundary between normal and anomalous behaviors tends to be ambiguous. The local heterophily of graphs interferes with the detection, and existing methods based on nodes or edges introduce unwanted noise into representation results, thereby impacting the effectiveness of detection. To address these issues, we propose PhoGAD, a graph-based anomaly detection framework. PhoGAD leverages persistent homology optimization to clarify behavioral boundaries. Building upon this, the weights of adjacent edges are designed to mitigate the effects of local heterophily. Subsequently, to tackle the noise problem, we conduct a formal analysis and propose a disentangled representation-based explicit embedding method, ultimately achieving anomaly behavior detection. Experiments on intrusion, traffic, and spam datasets verify that PhoGAD has surpassed the performance of state-of-the-art (SOTA) frameworks in detection efficacy. Notably, PhoGAD demonstrates robust detection even with diminished anomaly proportions, highlighting its applicability to real-world scenarios. The analysis of persistent homology demonstrates its effectiveness in capturing the topological structure formed by normal edge features. Additionally, ablation experiments validate the effectiveness of the innovative mechanisms integrated within PhoGAD.

Cited By

  • (2024) Multivariate Time-Series Anomaly Detection based on Enhancing Graph Attention Networks with Topological Analysis. Proceedings of the 33rd ACM International Conference on Information and Knowledge Management, 1555-1564. DOI: 10.1145/3627673.3679614. Online publication date: 21-Oct-2024

Published In

WSDM '24: Proceedings of the 17th ACM International Conference on Web Search and Data Mining
March 2024
1246 pages
ISBN: 9798400703713
DOI: 10.1145/3616855

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. anomaly detection
  2. behavior detection
  3. graph learning
  4. neural networks
  5. persistent homology

Qualifiers

  • Research-article

Conference

WSDM '24

Acceptance Rates

Overall Acceptance Rate 498 of 2,863 submissions, 17%

Article Metrics

  • Downloads (Last 12 months): 174
  • Downloads (Last 6 weeks): 17

Reflects downloads up to 07 Nov 2024.
