<p>Network intrusion detection systems play crucial role in securing the environments of industrial control systems and Internet-of-Things (IoT). However, traditional statistical and graph-based methods remain limited to pairwise interactions alone. As a result, they fail to capture the higher-order and multi-scale dependencies which are characteristic of coordinated cyberattacks. To address this gap, our work introduces a mathematically grounded framework combining theory of visibility graph, modeling via hypergraph and multi-scale linegraph analysis. First, the temporal sequences of flow-level features from the network traffic are transformed into natural visibility graphs (NVGs). Second, hypergraph is constructed by defining maximal cliques from NVG as hyperedges, thus encoding groups of mutually visible time points as collective temporal structures. Third, from such an higher-order representation, we then construct a hierarchy of <i>s</i>-linegraphs <InlineEquation ID="IEq1"> <EquationSource Format="TEX">\(L_s(H)\)</EquationSource> <EquationSource Format="MATHML"><math> <mrow> <msub> <mi>L</mi> <mi>s</mi> </msub> <mrow> <mo stretchy="false">(</mo> <mi>H</mi> <mo stretchy="false">)</mo> </mrow> </mrow> </math></EquationSource> </InlineEquation> such that vertices are connected if they co-occur in at least <i>s</i> hyperedges. Finally, two interpretable topological descriptors, i.e., maximum degree and graph density, are extracted across increasing values of <i>s</i>. The method is evaluated on two complementary NetFlow-based benchmarks, i.e., NF-BoT-IoT-v3 and UNSW-NB15 and the compact ten-feature set enables a random forest classifier to achieve 97.8% accuracy (<i>F</i>1-score 0.978) and 95.8% accuracy (<i>F</i>1-score 0.957), respectively. This framework provides operational insights which is quite straightforward. Benign traffic is characterized by the stable and smoothly decaying topological profiles, while attack-induced disruptions in the traffic are characterized by abrupt fragmentations and degree centralizations. Overall, by transforming the temporal irregularities into structural perturbations that could be measured, our method establishes higher-order topological analysis as a principled, transparent, and highly effective for intrusion detection in complex cyber-physical systems.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Higher-order linegraph topology for intrusion detection: a hypergraph approach

  • Karan K. H. Manjunatha,
  • Sergio Iglesias-Pérez,
  • Regino Criado

摘要

Network intrusion detection systems play crucial role in securing the environments of industrial control systems and Internet-of-Things (IoT). However, traditional statistical and graph-based methods remain limited to pairwise interactions alone. As a result, they fail to capture the higher-order and multi-scale dependencies which are characteristic of coordinated cyberattacks. To address this gap, our work introduces a mathematically grounded framework combining theory of visibility graph, modeling via hypergraph and multi-scale linegraph analysis. First, the temporal sequences of flow-level features from the network traffic are transformed into natural visibility graphs (NVGs). Second, hypergraph is constructed by defining maximal cliques from NVG as hyperedges, thus encoding groups of mutually visible time points as collective temporal structures. Third, from such an higher-order representation, we then construct a hierarchy of s-linegraphs \(L_s(H)\) L s ( H ) such that vertices are connected if they co-occur in at least s hyperedges. Finally, two interpretable topological descriptors, i.e., maximum degree and graph density, are extracted across increasing values of s. The method is evaluated on two complementary NetFlow-based benchmarks, i.e., NF-BoT-IoT-v3 and UNSW-NB15 and the compact ten-feature set enables a random forest classifier to achieve 97.8% accuracy (F1-score 0.978) and 95.8% accuracy (F1-score 0.957), respectively. This framework provides operational insights which is quite straightforward. Benign traffic is characterized by the stable and smoothly decaying topological profiles, while attack-induced disruptions in the traffic are characterized by abrupt fragmentations and degree centralizations. Overall, by transforming the temporal irregularities into structural perturbations that could be measured, our method establishes higher-order topological analysis as a principled, transparent, and highly effective for intrusion detection in complex cyber-physical systems.