Graph Neural Networks on Phase Space Graphs for Cybersecurity

Abstract

Non-linear phase space analysis may be used to represent time-series data as graph data with transitions between states in the time domain. By studying these transitions, we can predict anomalies within the system. Previous research has demonstrated success in learning from phase graphs for malware and seizure detection. These solutions either require extracting global features or converting the graph into an image for convolutional neural networks (CNNs), which adds complexity and limits the potential expressiveness of a graph. To sidestep current limitations, this study proposes Graph Neural Networks (GNNs) for analyzing phase graphs. Unlike CNNs, which must transform graph data into an image representation that may not preserve isomorphism, GNNs operate on the graph data itself through message-passing mechanisms that naturally preserve graph structure. Four GNN architectures were evaluated on two cybersecurity datasets: the Canadian Institute for Cybersecurity Intrusion Detection System (CICIDS) 2017 dataset and a power usage dataset for rootkit detection. The CICIDS dataset was processed at three density levels by varying the symbol parameter. Findings reveal GNNs can be used successfully with phase space graphs, that the type of GNN impacts classification accuracy, and that variance in phase space parameters also impacts accuracy. GIN achieved the most consistent performance across all experiments, while graph density significantly affected results