TY - GEN
T1 - MGCRL
T2 - 2025 IEEE Global Communications Conference, GLOBECOM 2025
AU - Al-Sabri, Raeed
AU - Albaseer, Abdullatif
AU - Abdallah, Mohamed
AU - Al-Fuqaha, Ala
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Graph neural networks (GNNs) have recently garnered significant attention for use in network intrusion detection systems (NIDS), owing to their ability to model network traffic as graphs and capture complex dependencies between flows. However, existing GNN-based methods face critical limitations: their reliance on labeled data, often scarce or noisy in practice, and their inability to address multi-scale threats, such as localized node anomalies (e.g., port scanning), coordinated subnet-work attacks (e.g., botnets), and global network-wide campaigns (e.g., DDoS attacks). To bridge this gap, we propose Multi-Scale Graph Contrastive Representation Learning (MGCRL), a semi-supervised framework that hierarchically integrates three perspectives to model network intrusions. At the node level, MGCRL constructs semantic subnetworks around individual traffic flows to capture fine-grained behavioral deviations. For subnetwork-level threats, it employs substructure-aware pooling to identify coordinated anomalies, such as clusters of devices exhibiting synchronized malicious activity. Finally, at the global level, MGCRL derives representations that reflect the holistic state of the network, enabling detection of large-scale threats, such as distributed malware propagation. MGCRL couples a shared GNN encoder with a multi-level contrastive loss to align multi-scale representations while largely eliminating label dependence. It learns discriminative features from unlabeled traffic, sharpens decision boundaries with minimal supervision, and exposes anomalies that surface in a hierarchical network context by contrasting related and unrelated nodes at each scale. Extensive experiments on three benchmark datasets for multi-class classification show that MGCRL consistently outperforms SOTA methods, particularly under severe label scarcity and class imbalance.
AB - Graph neural networks (GNNs) have recently garnered significant attention for use in network intrusion detection systems (NIDS), owing to their ability to model network traffic as graphs and capture complex dependencies between flows. However, existing GNN-based methods face critical limitations: their reliance on labeled data, often scarce or noisy in practice, and their inability to address multi-scale threats, such as localized node anomalies (e.g., port scanning), coordinated subnet-work attacks (e.g., botnets), and global network-wide campaigns (e.g., DDoS attacks). To bridge this gap, we propose Multi-Scale Graph Contrastive Representation Learning (MGCRL), a semi-supervised framework that hierarchically integrates three perspectives to model network intrusions. At the node level, MGCRL constructs semantic subnetworks around individual traffic flows to capture fine-grained behavioral deviations. For subnetwork-level threats, it employs substructure-aware pooling to identify coordinated anomalies, such as clusters of devices exhibiting synchronized malicious activity. Finally, at the global level, MGCRL derives representations that reflect the holistic state of the network, enabling detection of large-scale threats, such as distributed malware propagation. MGCRL couples a shared GNN encoder with a multi-level contrastive loss to align multi-scale representations while largely eliminating label dependence. It learns discriminative features from unlabeled traffic, sharpens decision boundaries with minimal supervision, and exposes anomalies that surface in a hierarchical network context by contrasting related and unrelated nodes at each scale. Extensive experiments on three benchmark datasets for multi-class classification show that MGCRL consistently outperforms SOTA methods, particularly under severe label scarcity and class imbalance.
KW - Graph contrastive learning
KW - Graph neural networks
KW - Multiscale contrastive learning
KW - Network intrusion detection systems
KW - Security and privacy in networks
UR - https://www.scopus.com/pages/publications/105036292433
U2 - 10.1109/GLOBECOM59602.2025.11431646
DO - 10.1109/GLOBECOM59602.2025.11431646
M3 - Conference contribution
AN - SCOPUS:105036292433
T3 - Proceedings - IEEE Global Communications Conference, GLOBECOM
SP - 3158
EP - 3163
BT - GLOBECOM 2025 - 2025 IEEE Global Communications Conference
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 8 December 2025 through 12 December 2025
ER -