Detecting intrusions in network traffic is a challenging task, particularly under limited supervision and constantly evolving attack patterns. While recent works have leveraged graph neural networks for network intrusion detection, they often decouple representation learning from anomaly detection, limiting the utility of the embeddings for identifying attacks. We propose GraphIDS, a self-supervised intrusion detection model that unifies these two stages by learning local graph representations of normal communication patterns through a masked autoencoder. An inductive graph neural network embeds each flow with its local topological context to capture typical network behavior, while a Transformer-based encoder-decoder reconstructs these embeddings, implicitly learning global co-occurrence patterns via self-attention without requiring explicit positional information. During inference, flows with unusually high reconstruction errors are flagged as potential intrusions. This end-to-end framework ensures that embeddings are directly optimized for the downstream task, facilitating the recognition of malicious traffic. On diverse NetFlow benchmarks, GraphIDS achieves up to 99.98% PR-AUC and 99.61% macro F1-score, outperforming baselines by 5-25 percentage points.

翻译：网络流量中的入侵检测是一项具有挑战性的任务，尤其是在监督有限且攻击模式不断演变的背景下。尽管近期研究利用图神经网络进行网络入侵检测，但它们通常将表示学习与异常检测解耦，限制了嵌入在识别攻击中的效用。我们提出GraphIDS，一种自监督入侵检测模型，通过掩码自编码器学习正常通信模式的局部图表示，将这两个阶段统一起来。一个归纳图神经网络将每个流与其局部拓扑上下文嵌入，以捕获典型的网络行为；同时，一个基于Transformer的编码器-解码器重建这些嵌入，通过自注意力隐式学习全局共现模式，无需显式位置信息。在推理过程中，重建误差异常高的流被标记为潜在入侵。这种端到端框架确保嵌入直接针对下游任务进行优化，从而促进恶意流量的识别。在多样化的NetFlow基准测试中，GraphIDS实现了高达99.98%的PR-AUC和99.61%的宏F1分数，比基线方法高出5-25个百分点。