Graph Neural Networks Against APT: Traffic Anomaly Detection

We design and deploy artificial intelligence systems: from prototype to production-ready solutions. Our team combines expertise in machine learning, data engineering and MLOps to make AI work not in the lab, but in real business.
Showing 1 of 1All 1566 services
Graph Neural Networks Against APT: Traffic Anomaly Detection
Complex
~2-4 weeks
Frequently Asked Questions

AI Development Areas

AI Solution Development Stages

Latest works

  • image_website-b2b-advance_0.webp
    B2B ADVANCE company website development
    1317
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1226
  • image_websites_belfingroup_462_0.webp
    Website development for BELFINGROUP
    925
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1156
  • image_logo-advance_0.webp
    B2B Advance company logo design
    620
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    894

A corporate network of 5000 hosts was missing targeted APT attacks: traditional IDS analyzed each flow in isolation, missing the big picture. Snort and Suricata generated thousands of false positives daily, while lateral movement remained undetected. GNN solves this: we deployed a model that detected movement within 45 seconds — with an AUC of 0.96 on real traffic. Over the years, we have completed 50+ ML projects in network security, from banks to telecom operators. With 5+ years of experience, our certified engineers guarantee quality. We will evaluate your project within 5 business days. Pilot projects start at $15,000.

Why GNN Outperforms Traditional IDS

Traditional IDS (Snort, Suricata) rely on signatures and threshold rules for individual packets and flows. Complex cyber attacks are distributed over time and across multiple hosts:

  • APT (Advanced Persistent Threat): slow lateral movement through many hosts
  • Botnet C2: traffic from a single bot looks normal, but the network pattern does not
  • Insider threat: normal traffic, anomalous topology
Aspect Traditional IDS GNN
Zero-day detection Low High
Topology analysis No Yes
Latency Low Medium (30-90s)
Metric Signature-based IDS GNN (ours)
AUC for known attacks 0.3–0.5 0.94–0.97
AUC for zero-day <0.2 0.82–0.88
False positive rate 5–10% <2%

GNN detects zero-day attacks 3 times more accurately than signature-based methods. According to PyTorch Geometric: A Library for Graph Neural Networks (Fey & Lenssen, 2019), graph neural networks provide significant advantages in tasks with topological data.

Representing Traffic as a Graph

Sliding time window (5–15 minutes): all connections form a graph. Nodes = IP addresses (with features: device type, network role, historical profile). Edges = aggregated flow metrics over the window (bytes, packets, ports, protocols, duration).

Node features:

  • Number of outgoing/incoming connections
  • Unique destination IPs/ports
  • Traffic volume by direction
  • Protocol distribution
  • Temporal patterns (burstiness)
  • Deviation from historical baseline

Edge features:

  • Packet size distribution
  • Inter-arrival time statistics
  • Payload entropy (encrypted vs. plaintext)
  • TCP flag patterns
  • Duration and persistence

How GNN Detects Anomalies in Real Time

Link prediction for detecting anomalous connections. The model learns to predict edge probability based on normal network behavior. A new unexpected connection (host A never communicated with host B) → low predicted probability → anomaly.

Node classification: classify nodes as legitimate, C2_server, infected_host, scanner, exfiltration_source. Training on labeled data (known incidents + normal traffic).

Graph-level anomaly detection: for attacks affecting the entire network (DDoS, worm spreading) — compare current graph embedding with historical norm. Variational Graph Autoencoder (VGAE) trained on normal traffic detects deviations.

Which Threats GNN Detects

Botnet detection: bots with synchronous behavior (beaconing), similar communication patterns, hierarchical C2 structure. GNN with temporal attention: detect nodes with similar temporal graph patterns corresponding to botnet membership.

Lateral movement (APT): slow propagation through the network — each hop looks normal, but the sequence of hops does not. Temporal path analysis: GNN with recurrent component to track path patterns over time.

DNS tunneling: unusual DNS patterns — high frequency, long subdomains, atypical record types. Graph-based: DNS server → client edges with anomalous attributes.

Implementation with PyTorch Geometric

PyTorch Geometric is the primary framework. We use GATConv with multi-head attention for weighting neighbors.

from torch_geometric.nn import GATConv, global_mean_pool
from torch_geometric.transforms import NormalizeFeatures

class TrafficGNN(torch.nn.Module):
    def __init__(self):
        super().__init__()
        self.conv1 = GATConv(in_channels=20, out_channels=64, heads=8, dropout=0.2)
        self.conv2 = GATConv(64 * 8, 32, heads=1)
        self.anomaly_head = torch.nn.Linear(32, 1)

    def forward(self, data):
        x, edge_index, edge_attr = data.x, data.edge_index, data.edge_attr
        x = F.elu(self.conv1(x, edge_index, edge_attr))
        x = F.dropout(x, p=0.2, training=self.training)
        x = self.conv2(x, edge_index)
        return torch.sigmoid(self.anomaly_head(x))

Production Architecture

  • Traffic collection: NetFlow/IPFIX/sFlow collectors (Ntopng, PMACCT)
  • Stream processing: Apache Flink (windowed graph construction)
  • Graph DB: Neo4j (real-time neighborhood queries)
  • Inference: TorchServe + PyTorch Geometric
  • Alerting: Elastic SIEM / Splunk integration
  • Visualization: Gephi / Grafana + custom graph UI

Throughput: up to 100k flows/second with incremental graph updates. Alert latency: 30–90 seconds (window size + inference time). Precision/recall on NSL-KDD and real corporate data: AUC 0.94–0.97 for known attack types, 0.82–0.88 for novel attacks (zero-day).

Inference Details We use TorchServe with a custom handler for PyTorch Geometric. Optimization via ONNX Runtime and FP16 inference on NVIDIA T4 ensures p99 latency under 50 ms per batch of 1000 nodes.

What Is Included in GNN System Development?

  1. Infrastructure audit for traffic collection (NetFlow/IPFIX/sFlow).
  2. Data collection and labeling (normal traffic + incidents).
  3. Prototype GNN development on PyTorch Geometric.
  4. Integration with SIEM and alerting systems.
  5. Inference server deployment (TorchServe) with monitoring.
  6. Customer team training (4 hours online) and 3 months of support.
  7. Deliverables: system architecture docs, model training guide, API documentation, admin dashboard access.

Contact us for a consultation and a detailed implementation plan.