Graph Neural Network (GNN): Technology for Detecting Anomalous Network Traffic
Graph-based machine learning for context-aware network anomaly detection.
Technology Summary
The Graph Neural Network (GNN) Model uses machine learning to detect unusual or potentially malicious network activity by analyzing communication patterns as a graph rather than isolated events. The code converts raw network logs into a sparse hypergraph that represents both temporal edges (when communications occur) and device-connection edges (which systems interact). Using a graph convolutional autoencoder, the model learns what “normal” traffic looks like and flags anomalous connections that deviate from these learned patterns. The result is a scalable, interpretable anomaly detection framework that supports both operational analysis and research reproducibility.
Solution
- Graph-Based Network Modeling: Constructs a sparse hypergraph of network interactions to preserve both device relationships and timing.
- Unsupervised GNN Approach: Employs a graph convolutional autoencoder to learn normal behavior and detect anomalies via reconstruction error.
- Role-Specific Integration:
  - Cyber analysts use the results to interpret anomaly scores and investigate suspicious network subgraphs.
  - ML data scientists use the codebase to train, adapt, and apply the GNN model to their own datasets.
- Public Release for Reproducibility: Designed to advance transparency, validation, and extension of graph-based anomaly detection methods.
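The pipeline described in the summary and Solution bullets, as an added illustration that is not the released code: constructed log records become a sparse node-by-hyperedge incidence matrix with temporal and device-connection hyperedges, one weight-free hypergraph convolution step produces node embeddings, and a closed-form linear autoencoder (PCA) fit on baseline windows stands in for the graph convolutional autoencoder, so connections with high reconstruction error are the anomalies. Host names, the 60-second window, the PCA rank and the edge-embedding rule are assumptions.

```python
import numpy as np

def build_hypergraph(logs, window=60):
    # Incidence matrix with two hyperedge kinds: one temporal edge per time window, one connection edge per host pair.
    nodes, hedges, rows = {}, {}, []
    for ts, src, dst in logs:
        win, pair = ("win", ts // window), ("pair",) + tuple(sorted((src, dst)))
        for n in (src, dst):
            nodes.setdefault(n, len(nodes))
        for e in (win, pair):
            hedges.setdefault(e, len(hedges))
        rows.append((win, src, dst, pair))
    H = np.zeros((len(nodes), len(hedges)))
    for win, src, dst, pair in rows:
        for n in (src, dst):
            H[nodes[n], hedges[win]] = H[nodes[n], hedges[pair]] = 1
    return nodes, H, rows

def propagate(H):
    # One hypergraph convolution step without learned weights: average neighbours' incidence rows, weighted by shared hyperedges.
    A = H @ H.T
    return (A / A.sum(axis=1, keepdims=True)) @ H

def fit_linear_autoencoder(Z_train, k):
    # Closed-form linear autoencoder (PCA): the top-k principal axes serve as encoder and decoder.
    mu = Z_train.mean(axis=0)
    _, _, vt = np.linalg.svd(Z_train - mu, full_matrices=False)
    return mu, vt[:k]

def score_edges(logs, train_windows, k=3, window=60):
    # Fit on baseline-window connections; return (window, src, dst, score) for the rest, highest error first.
    nodes, H, rows = build_hypergraph(logs, window)
    Z = propagate(H)
    emb = np.array([Z[nodes[s]] + Z[nodes[d]] for _, s, d, _ in rows])  # edge embedding = endpoint sum (assumed)
    is_train = np.array([w[1] in train_windows for w, *_ in rows])
    mu, basis = fit_linear_autoencoder(emb[is_train], k)
    err = np.linalg.norm((emb - mu) - ((emb - mu) @ basis.T) @ basis, axis=1)
    scored = [(w[1], s, d, float(e)) for (w, s, d, _), e, tr in zip(rows, err, is_train) if not tr]
    return sorted(scored, key=lambda r: -r[3])

def constructed_logs():
    # Constructed sample: eight minutes of a stable four-host pattern, then a ninth minute that adds a never-seen host.
    logs = []
    for t in range(0, 9 * 60, 60):
        logs += [(t + 1, "ws1", "dc"), (t + 5, "ws2", "dc"), (t + 9, "ws1", "files"), (t + 12, "dc", "files")]
    logs.append((8 * 60 + 30, "10.0.9.77", "files"))  # the constructed anomaly
    return logs

if __name__ == "__main__":
    print(score_edges(constructed_logs(), train_windows=set(range(8))))
```

The four repeated connections in the ninth minute reconstruct almost exactly, while the unseen host's connection to the file server cannot be expressed in the baseline subspace and receives the only non-negligible score.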
Key Advantages
- Context-Rich Detection: Captures both temporal and relational dynamics within the same model.
- Unified Representation: Combines time-based and structural signals without losing sparse efficiency.
- Scalable Performance: Sparse hypergraph design supports large network environments.
- Flexible Outputs: Provides interpretable anomaly scores suitable for integration with SIEM or SOAR systems.
- Open and Extensible: Public availability enables research validation and community-driven development.
- Actionable Insights: Local graph context clarifies why an interaction appears anomalous.
Market Applications
- Security Operations Centers (SOCs): Enhance detection of abnormal communication patterns.
- Managed Security Service Providers (MSSPs): Integrate into continuous monitoring pipelines.
- Enterprise & Cloud Networks: Identify unusual east–west and north–south traffic behaviors.
- Critical Infrastructure Networks: Detect deviations in operational technology (OT) systems.
- Academic and Research Use: Facilitate reproducible experiments in graph-based cyber analytics.
Access
This software is available as open source. For more information and access, please visit the software's GitHub page.