
TBA-GNN: A Traffic Behavior Analysis Model with Graph Neural Networks for Malicious Traffic Detection

  • Conference paper
Wireless Artificial Intelligent Computing Systems and Applications (WASA 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14997)

Abstract

Given the surge in network attack behavior, detecting malicious traffic has become a pivotal cybersecurity task. Many existing methods for malicious traffic detection rely on machine learning and deep learning, but they exhibit certain shortcomings. A considerable number of these methods rely on statistical features, which may lose their relevance as networks evolve and lead to the loss of important information. Additionally, Convolutional Neural Networks (CNN) and Recurrent Neural Networks (RNN) face limitations in extracting features from network traffic: specifically, they are unable to capture traffic interaction behavior information within a network flow. In this paper, we propose a Traffic Behavior Analysis model with Graph Neural Networks (TBA-GNN), which works directly with raw bytes and leverages the hierarchical structure of traffic (byte-packet-flow) to extract valuable information. First, we devise the PacketCNN to extract packet-level features from raw bytes. Subsequently, we construct a network flow as a Traffic Interaction Graph, containing both the traffic interaction behavior information and packet-level traffic information, and utilize the GNN to extract flow-level features. Finally, we perform a classification task to detect malicious traffic. We conduct extensive experiments on the ISCXIDS2012 and CICIDS2017 datasets, and the experimental results demonstrate that our model effectively identifies malicious traffic, outperforming baselines significantly.

Acknowledgement

This work is supported by the National Key R&D Program of China under grant 2021YFB2910110.

Corresponding author

Correspondence to Meng Zhang.

Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Han, X., Zhang, M., Yang, Z. (2025). TBA-GNN: A Traffic Behavior Analysis Model with Graph Neural Networks for Malicious Traffic Detection. In: Cai, Z., Takabi, D., Guo, S., Zou, Y. (eds) Wireless Artificial Intelligent Computing Systems and Applications. WASA 2024. Lecture Notes in Computer Science, vol 14997. Springer, Cham. https://doi.org/10.1007/978-3-031-71464-1_31

  • DOI: https://doi.org/10.1007/978-3-031-71464-1_31

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-71463-4

  • Online ISBN: 978-3-031-71464-1

  • eBook Packages: Computer Science (R0)
