This paper investigates the application of Graph Neural Networks (GNNs) to self-supervised network intrusion and anomaly detection. GNNs are a deep learning approach for graph-based data that incorporate graph structure into learning in order to generalise graph representations and output embeddings. Since network flows are naturally graph-based, GNNs are a good fit for analysing and learning network behaviour. Recent implementations of GNN-based Network Intrusion Detection Systems (NIDSs) rely heavily on labelled network traffic, which can not only restrict the amount and structure of the input traffic but also limit the potential of the NIDS to adapt to unseen attacks. To overcome these limitations, we present Anomal-E, a GNN approach to intrusion and anomaly detection that leverages edge features and graph topological structure in a self-supervised process. To the best of our knowledge, this is the first successful and practical approach to network intrusion detection that utilises network flows in a self-supervised, edge-leveraging GNN. Experimental results on two modern benchmark NIDS datasets not only clearly show the improvement gained by using Anomal-E embeddings rather than raw features, but also the potential Anomal-E has for detection on wild network traffic.
translated by Google Translate
This paper presents a new Network Intrusion Detection System (NIDS) based on Graph Neural Networks (GNNs). GNNs are a relatively new sub-field of deep neural networks that can leverage the inherent structure of graph-based data. Training and evaluation data for NIDSs are typically represented as flow records, which can naturally be represented in a graph format. This establishes the potential and motivation for exploring GNNs for network intrusion detection, which is the focus of this paper. Current studies on machine-learning-based NIDSs only consider network flows independently rather than taking their interconnected patterns into account. This is a key limitation in the detection of sophisticated IoT network attacks such as DDoS and distributed port scan attacks launched by IoT devices. In this paper, we propose a GNN approach that overcomes this limitation and allows the edge features of a graph, as well as its topological information, to be captured for network anomaly detection in IoT networks. To the best of our knowledge, our approach is the first successful, practical, and extensively evaluated application of graph neural networks to the network intrusion detection problem using flow-based data. Our extensive experimental evaluation on four recent NIDS benchmark datasets shows that our approach outperforms the state-of-the-art in terms of key classification metrics, which demonstrates the potential of GNNs in network intrusion detection and provides motivation for further research.
The high volume and increasing sophistication of cyber threats are drawing attention to cybersecurity, and many challenges remain unresolved. Namely, for intrusion detection, new algorithms are needed that are more robust, more effective, and able to use more information. Moreover, the intrusion detection task faces a serious challenge associated with the extreme class imbalance between normal and malicious traffic. Recently, graph neural networks (GNNs) have achieved state-of-the-art performance in modelling network topology for cybersecurity tasks. However, only a few works use GNNs to tackle the intrusion detection problem. Furthermore, other promising avenues, such as applying the attention mechanism, have also been explored. This paper presents two graph-based intrusion detection solutions, the modified E-GraphSAGE and E-ResGAT algorithms, which rely on the established GraphSAGE and Graph Attention Network (GAT), respectively. The key idea is to integrate residual learning into the GNN while leveraging the available graph information. Residual connections are added as a strategy to deal with the high class imbalance, aiming at retaining the original information and improving performance on the minority classes. An extensive experimental evaluation on four recent intrusion detection datasets shows the excellent performance of our approaches, especially when predicting the minority classes.
In this paper, we propose XG-BoT, an explainable deep graph neural network model for botnet node detection. The proposed model is mainly composed of a botnet detector and an explainer for automatic forensics. The XG-BoT detector can effectively detect malicious botnet nodes in large-scale networks. Specifically, it utilises grouped reversible residual connections with a graph isomorphism network to learn expressive node representations from botnet communication graphs. The explainer in XG-BoT can perform automatic network forensics by highlighting suspicious network flows and the related botnet nodes. We evaluated XG-BoT on real-world, large-scale botnet network graphs. Overall, XG-BoT is able to outperform state-of-the-art approaches in terms of evaluation metrics. In addition, we show that the XG-BoT explainer can generate useful explanations based on GNNExplainer for automatic network forensics.
This paper presents a new Android malware detection method based on Graph Neural Networks (GNNs) with Jumping Knowledge (JK). Android function call graphs (FCGs) consist of a set of program functions and their inter-procedural calls. Accordingly, this paper proposes a GNN-based method for Android malware detection that captures meaningful intra-procedural call path patterns. In addition, the Jumping Knowledge technique is applied to minimise the effect of the over-smoothing problem, which is common in GNNs. The proposed method has been extensively evaluated using two benchmark datasets. The results demonstrate the superiority of our approach over state-of-the-art methods in terms of key classification metrics, which demonstrates the potential of GNNs in Android malware detection and classification.
Machine Learning (ML) approaches have been used to enhance the detection capabilities of Network Intrusion Detection Systems (NIDSs). Recent work has achieved near-perfect performance by following binary- and multi-class network anomaly detection tasks. Such systems depend on the availability of both (benign and malicious) network data classes during the training phase. However, attack data samples are often challenging to collect in most organisations due to security controls preventing the penetration of known malicious traffic to their networks. Therefore, this paper proposes a Deep One-Class (DOC) classifier for network intrusion detection by only training on benign network data samples. The novel one-class classification architecture consists of a histogram-based deep feed-forward classifier to extract useful network data features and use efficient outlier detection. The DOC classifier has been extensively evaluated using two benchmark NIDS datasets. The results demonstrate its superiority over current state-of-the-art one-class classifiers in terms of detection and false positive rates.
The proliferation of interconnected battlefield information-sharing devices, known as the Internet of Battlefield Things (IoBT), introduces several security challenges. Inherent to the IoBT operating environment is the practice of adversarial machine learning, which attempts to circumvent machine learning models. This work examines the feasibility of cost-effective unsupervised learning and graph-based methods for anomaly detection in the network intrusion detection system setting, and also leverages an ensemble approach for supervised learning of the anomaly detection problem. We incorporate a realistic adversarial training mechanism when training the supervised models to enable robust classification performance in adversarial environments. The results indicate that the unsupervised and graph-based methods were outperformed in detecting anomalies (malicious activity) by a two-level supervised stacking ensemble method. This model consists of three different classifiers at the first level, followed by either a Naive Bayes or a Decision Tree classifier at the second level. The model maintains an F1-score above 0.97 for both classifiers across all tested levels. Notably, Naive Bayes is the faster of the two classifiers, averaging 1.12 seconds, while Decision Tree maintains the highest AUC score of 0.98.
Graph Neural Networks (GNNs) have been widely applied to different tasks such as bioinformatics, drug design, and social networks. However, recent studies have shown that GNNs are vulnerable to adversarial attacks which aim to mislead the node or subgraph classification prediction by adding subtle perturbations. Detecting these attacks is challenging due to the small magnitude of perturbation and the discrete nature of graph data. In this paper, we propose a general adversarial edge detection pipeline, EDoG, based on graph generation and without requiring knowledge of the attack strategies. Specifically, we propose a novel graph generation approach combined with link prediction to detect suspicious adversarial edges. To effectively train the graph generative model, we sample several sub-graphs from the given graph data. We show that since the number of adversarial edges is usually low in practice, the sampled sub-graphs will contain adversarial edges with low probability, based on the union bound. In addition, considering strong attacks which perturb a large number of edges, we propose a set of novel features to perform outlier detection as preprocessing for our detection. Extensive experimental results on three real-world graph datasets, including a private transaction rule dataset from a major company and two types of synthetic graphs with controlled properties, show that EDoG can achieve above 0.8 AUC against four state-of-the-art unseen attack strategies without requiring any knowledge about the attack type, and around 0.85 with knowledge of the attack type. EDoG significantly outperforms traditional malicious edge detection baselines. We also show that an adaptive attack with full knowledge of our detection pipeline has difficulty bypassing it.
Anomaly detection is an important problem for complex distributed systems consisting of hardware and software components. A thorough understanding of the requirements and challenges of anomaly detection for such systems is pivotal to their security, especially for real-world deployment. While many diverse research areas and application domains deal with the problem, few have attempted to provide an in-depth look at such systems. Most anomaly detection techniques have been specifically developed for certain application domains, while others are more generic. In this survey, we explore the significant potential of graph-based algorithms to identify and mitigate different types of anomalies in complex distributed heterogeneous systems. Our main focus is to provide an in-depth look at graphs when applied to heterogeneous computing devices spread across complex distributed systems. This study analyses, compares, and contrasts the state-of-the-art research articles in the field. First, we describe the characteristics of real-world distributed systems and their specific challenges for anomaly detection in complex networks, such as data and evaluation, the nature of the anomalies, and real-world requirements. Next, we discuss why graphs can be leveraged in such systems and the benefits of using graphs. Then, we dive into the state-of-the-art approaches and highlight their strengths and weaknesses. Finally, we evaluate and compare these approaches and point out areas for possible improvement.
Log analysis is one of the main techniques engineers use to troubleshoot faults in large-scale software systems. During the past decades, many log analysis approaches have been proposed to detect system anomalies reflected in logs. They usually take log event counts or sequential log events as input and utilise machine learning algorithms, including deep learning models, to detect system anomalies. These anomalies are often identified as violations of quantitative relational patterns or sequential patterns of log events in log sequences. However, existing methods fail to leverage the spatial structural relationships among log events, resulting in potential false alarms and unstable performance. In this study, we propose a novel graph-based log anomaly detection method, LogGD, to effectively address the issue by transforming log sequences into graphs. We exploit the powerful capability of the Graph Transformer Neural Network, which combines graph structure and node semantics for log-based anomaly detection. We evaluate the proposed method on four widely used public log datasets. Experimental results show that LogGD can outperform state-of-the-art quantitative-based and sequence-based methods and achieve stable performance under different window size settings. The results confirm that LogGD is effective for log-based anomaly detection.
Temporal graphs represent the dynamic relationships among entities and occur in many real-life applications such as social networks, e-commerce, communication, road networks, biological systems, and many more. They necessitate research beyond the work related to static graphs in terms of their generative modelling and representation learning. In this survey, we comprehensively review the neural time-dependent graph representation learning and generative modelling approaches proposed in recent times for handling temporal graphs. Finally, we identify the weaknesses of existing approaches and discuss the research proposal of our recently published paper TIGGER [24].
Graph representation learning (GRL) is critical for graph-structured data analysis. However, most existing graph neural networks (GNNs) rely heavily on label information, which is normally expensive to obtain in the real world. Existing unsupervised GRL methods suffer from certain limitations, such as a heavy reliance on monotone contrastiveness and limited scalability. To overcome these problems, in light of recent advances in graph contrastive learning, we introduce a novel self-supervised graph representation learning algorithm, G-Zoom, which learns node representations by leveraging the proposed adjusted zooming scheme. Specifically, this mechanism enables G-Zoom to explore and extract self-supervision signals from a graph at multiple scales: micro (i.e., node level), meso (i.e., neighbourhood level), and macro (i.e., subgraph level). First, we generate two augmented views of the input graph via two different graph augmentations. Then, we progressively establish three different contrasts for the three scales above, from the node and neighbourhood to the subgraph level, where we maximise the agreement between graph representations across scales. While valuable clues can be extracted from a given graph at the micro and macro perspectives, the neighbourhood-level contrast, based on our adjusted zooming scheme, offers a customisable option to manually choose the best viewpoint lying between the micro and macro perspectives in order to better understand the graph data. Additionally, to make our model scalable to large graphs, we employ a parallel graph diffusion approach to decouple model training from the graph size. We have conducted extensive experiments on real-world datasets, and the results demonstrate that our proposed model consistently outperforms state-of-the-art methods.
Graph-based anomaly detection has been widely used for detecting malicious activities in real-world applications. Existing attempts to address this problem have so far focused on structural feature engineering or learning in the binary classification regime. In this work, we propose to leverage graph contrastive coding and present the supervised GCCAD model, which contrasts abnormal nodes with normal ones in terms of their distance to the global context (e.g., the average of all nodes). To handle scenarios with scarce labels, we further turn GCCAD into a self-supervised framework by designing a graph corruption strategy for generating synthetic node labels. To achieve the contrastive objective, we design a graph neural network encoder that can infer and further remove suspicious links during message passing, as well as learn the global context of the input graph. We conduct extensive experiments on four public datasets, demonstrating that 1) GCCAD significantly and consistently outperforms various advanced baselines, and 2) its self-supervised version without fine-tuning can achieve performance comparable to its fully supervised version.
Deep learning has revolutionized many machine learning tasks in recent years, ranging from image classification and video processing to speech recognition and natural language understanding. The data in these tasks are typically represented in the Euclidean space. However, there is an increasing number of applications where data are generated from non-Euclidean domains and are represented as graphs with complex relationships and interdependency between objects. The complexity of graph data has imposed significant challenges on existing machine learning algorithms. Recently, many studies on extending deep learning approaches for graph data have emerged. In this survey, we provide a comprehensive overview of graph neural networks (GNNs) in data mining and machine learning fields. We propose a new taxonomy to divide the state-of-the-art graph neural networks into four categories, namely recurrent graph neural networks, convolutional graph neural networks, graph autoencoders, and spatial-temporal graph neural networks. We further discuss the applications of graph neural networks across various domains and summarize the open source codes, benchmark data sets, and model evaluation of graph neural networks. Finally, we propose potential research directions in this rapidly growing field.
Time series anomaly detection has applications in a wide range of research fields and applications, including manufacturing and healthcare. The presence of anomalies can indicate novel or unexpected events, such as production faults, system defects, or heart fluttering, and is therefore of particular interest. The large size and complex patterns of time series have led researchers to develop specialised deep learning models for detecting anomalous patterns. This survey focuses on providing a structured and comprehensive overview of state-of-the-art time series anomaly detection models based on deep learning. It provides a taxonomy based on the factors that divide anomaly detection models into different categories. Aside from describing the basic anomaly detection technique for each category, the advantages and limitations are also discussed. Furthermore, this study includes examples of deep anomaly detection in time series across various application domains in recent years. It finally summarises open issues in research and challenges faced while adopting deep anomaly detection models.
Graph-level anomaly detection (GAD) describes the problem of detecting graphs that are abnormal in their structure and/or the features of their nodes, as compared to other graphs. One of the challenges in GAD is to devise graph representations that enable the detection of both locally and globally anomalous graphs, i.e., graphs that are abnormal in their fine-grained (node-level) or holistic (graph-level) properties, respectively. To tackle this challenge, we introduce a novel deep anomaly detection approach for GAD that learns rich global and local normal pattern information by joint random distillation of graph and node representations. The random distillation is achieved by training one GNN to predict another GNN with randomly initialised network weights. Extensive experiments on 16 real-world graph datasets from diverse domains show that our model significantly outperforms seven state-of-the-art models. Code and datasets are available at https://git.io/llocalkd.
Recently, graph neural networks (GNNs) have revolutionized the field of graph representation learning through effectively learned node embeddings, and achieved state-of-the-art results in tasks such as node classification and link prediction. However, current GNN methods are inherently flat and do not learn hierarchical representations of graphs, a limitation that is especially problematic for the task of graph classification, where the goal is to predict the label associated with an entire graph. Here we propose DIFFPOOL, a differentiable graph pooling module that can generate hierarchical representations of graphs and can be combined with various graph neural network architectures in an end-to-end fashion. DIFFPOOL learns a differentiable soft cluster assignment for nodes at each layer of a deep GNN, mapping nodes to a set of clusters, which then form the coarsened input for the next GNN layer. Our experimental results show that combining existing GNN methods with DIFFPOOL yields an average improvement of 5-10% accuracy on graph classification benchmarks, compared to all existing pooling approaches, achieving a new state-of-the-art on four out of five benchmark data sets.
Because existing wireless sensor network (WSN)-based anomaly detection methods only consider and analyze temporal features, this paper designs a self-supervised, autoencoder-based anomaly node detection method. The method integrates temporal WSN data flow feature extraction, spatial position feature extraction and intermodal WSN correlation feature extraction into the design of the autoencoder to make full use of the spatial and temporal information of the WSN for anomaly detection. First, a fully connected network is used to extract the temporal features of nodes by considering a single mode from a local spatial perspective. Second, a graph neural network (GNN) is used to introduce the WSN topology from a global spatial perspective for anomaly detection and to extract the spatial and temporal features of the data flows of nodes and their neighbors by considering a single mode. Then, an adaptive fusion method based on weighted summation is used to extract the relevant features between different modes. In addition, this paper introduces a gated recurrent unit (GRU) to address the long-term dependence problem in the time dimension. Finally, the reconstructed output of the decoder and the hidden layer representation of the autoencoder are fed into a fully connected network to calculate the anomaly probability of the current system. Since the spatial feature extraction operation is performed first, the designed method can be applied to large-scale network anomaly detection by adding a clustering operation. Experiments show that the designed method outperforms the baselines, with an F1 score of 90.6%, which is 5.2% higher than that of existing anomaly detection methods based on unsupervised reconstruction and prediction. Code and model are available at https://github.com/GuetYe/anomaly_detection/GLSL.
Graph-based anomaly detection (GAD) is becoming prevalent due to the powerful representation ability of graphs as well as recent advances in graph mining techniques. These GAD tools, however, expose a new attack surface, ironically because of their unique advantage of being able to exploit the relations among data. That is, attackers can now manipulate those relations (i.e., the structure of the graph) to allow some target nodes to evade detection. In this paper, we exploit this vulnerability by designing a new type of targeted structural poisoning attack against a representative regression-based GAD system, OddBall. In particular, we formulate the attack against OddBall as a bi-level optimisation problem, where the key technical challenge is to efficiently solve the problem in a discrete domain. We propose a novel gradient-descent-based attack method called BinarizedAttack. Compared to prior art, BinarizedAttack makes better use of the gradient information, making it particularly suitable for solving combinatorial optimisation problems. Furthermore, we investigate the attack transferability of BinarizedAttack by employing it to attack other representation-learning-based GAD systems. Our comprehensive experiments demonstrate that BinarizedAttack is very effective in enabling target nodes to evade graph-based anomaly detection tools with a limited attacker budget, and that in the black-box transfer attack setting BinarizedAttack is also effective and, in particular, can significantly change the node embeddings learned by the GAD systems. Our research thus opens the door to studying a new type of attack against security analytics tools that rely on graph data.
Most existing deep learning models are trained based on the closed-world assumption, where the test data is assumed to be drawn i.i.d. from the same distribution as the training data, known as in-distribution (ID). However, when models are deployed in an open-world scenario, test samples can be out-of-distribution (OOD) and therefore should be handled with caution. To detect such OOD samples drawn from unknown distribution, OOD detection has received increasing attention lately. However, current endeavors mostly focus on grid-structured data and its application for graph-structured data remains under-explored. Considering the fact that data labeling on graphs is commonly time-expensive and labor-intensive, in this work we study the problem of unsupervised graph OOD detection, aiming at detecting OOD graphs solely based on unlabeled ID data. To achieve this goal, we develop a new graph contrastive learning framework GOOD-D for detecting OOD graphs without using any ground-truth labels. By performing hierarchical contrastive learning on the augmented graphs generated by our perturbation-free graph data augmentation method, GOOD-D is able to capture the latent ID patterns and accurately detect OOD graphs based on the semantic inconsistency in different granularities (i.e., node-level, graph-level, and group-level). As a pioneering work in unsupervised graph-level OOD detection, we build a comprehensive benchmark to compare our proposed approach with different state-of-the-art methods. The experiment results demonstrate the superiority of our approach over different methods on various datasets.