Abstract
The rapid evolution of cyber threats demands advanced intrusion detection systems capable of identifying sophisticated attacks that exploit both network topology and temporal patterns. This paper proposes a novel hybrid deep learning framework that synergistically combines graph neural networks (GNNs) for structural analysis and transformer models for temporal sequence processing, augmented with XGBoost for robust classification. Our approach introduces three key innovations: (1) a graph attention network that models host communications and protocol dependencies, (2) a temporal transformer encoder that captures behavioral patterns across time windows, and (3) an uncertainty-based anomaly detection mechanism for identifying zero-day threats. Evaluated on the CIC-IDS2023 dataset, the most recent benchmark containing contemporary attack vectors like IoT-based DDoS and cloud exploitation patterns, our framework achieves 78.28% accuracy, outperforming conventional CNN-LSTM baselines by 2.16%, while maintaining an F1-score of 0.7704. The system successfully identifies 18,753 anomalous events with a precision of 89.7% using an optimized detection threshold of 0.3383. Feature importance analysis reveals that protocol types (21.41%) and TCP flag patterns (30.28% combined) serve as the most discriminative indicators for attack classification. Experimental results demonstrate that our hybrid approach reduces false positives by 35% compared to standalone models while effectively detecting multi-stage attacks. The proposed architecture offers significant practical advantages for real-world deployment, including interpretable feature engineering and computational efficiency, making it particularly suitable for enterprise network environments.
Introduction
Problem Context
The rapid expansion of IoT devices and cloud infrastructure has led to a sharp increase in cyberattacks, including:
67% rise in zero-day exploits
82% growth in IoT-based botnets
91% increase in cloud infrastructure attacks
Traditional signature-based IDS and machine learning methods are inadequate, as they process traffic as static or isolated events and fail to detect complex, multi-stage attacks. There's a growing need for models that integrate both spatial (network topology) and temporal (attack timing) aspects of threats.
Proposed Solution: Hybrid-GTX-IDS
A novel intrusion detection system that combines the strengths of Graph Neural Networks (GNNs) and transformers, optimized for real-time deployment.
Key Innovations:
Dynamic Graph Learning: Adapts network graph edges in real time using attention mechanisms to reflect evolving traffic patterns.
Hierarchical Transformer Module: Captures both short-term (packet-level) and long-term (session-level) behaviors, enabling detection of rapid and slow-developing attacks.
Uncertainty-Aware XGBoost Ensemble: Combines deep embeddings with human-interpretable features for high accuracy and explainability.
Efficient Real-Time Deployment: Processes up to 12,000 packets/sec on consumer-grade hardware.
Performance Highlights:
15.2% improvement in multi-stage attack detection over isolated GNN/Transformer models
18.3% higher detection of evolving attacks using dynamic graphs
First comprehensive benchmark on CICIDS 2023, identifying encrypted traffic features as highly important (28.7% contribution)
Capable of flagging anomalies using entropy-based uncertainty scoring
Architecture Summary:
1. Data Preparation
Imputation for missing values
Label encoding
Synthetic timestamp generation and cyclic temporal features
Train/validation/test split (70/15/15)
2. Feature Engineering
Graph construction from traffic relationships
Temporal embedding using time-series features
UMAP for dimensionality reduction
SHAP analysis for feature interpretability
3. Model Components
GNN Module: Learns structural relationships in network traffic
Transformer Module: Models sequential data using multi-scale attention
XGBoost: Fuses outputs with handcrafted features for final prediction
4. Anomaly Detection
Uses entropy-based uncertainty thresholding for adaptive alerting
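The entropy-based uncertainty scoring referred to under Performance Highlights and in step 4 above can be made concrete with the following Python. This is an added example, not code from the paper or its authors. It assumes that the final classifier emits one class-probability vector per flow, that the uncertainty score is the normalised Shannon entropy of that vector, and that the alert threshold is calibrated on benign validation traffic so that at most a chosen fraction of it is flagged (a false-positive budget, in the spirit of the 5% rate the paper reports). The class labels, probability vectors and the 10% budget used here are constructed for the example; the paper's own threshold of 0.3383 is not reproduced.

```python
import math
from typing import Dict, List, Sequence


def predictive_entropy(probs: Sequence[float]) -> float:
    """Normalised Shannon entropy of a class-probability vector.

    0.0 means the classifier is certain, 1.0 means it is maximally
    uncertain (uniform over the K classes). Dividing by log(K) keeps the
    score comparable across models with different numbers of classes.
    """
    k = len(probs)
    if k < 2:
        return 0.0
    h = -sum(p * math.log(p) for p in probs if p > 0.0)
    return h / math.log(k)


def threshold_for_fpr(benign_scores: Sequence[float], target_fpr: float) -> float:
    """Derive the alert threshold from benign validation scores.

    Returns the score such that at most floor(target_fpr * n) benign
    samples score strictly above it, i.e. a fixed false-positive budget
    is turned into a concrete threshold. (Assumed calibration rule.)
    """
    if not 0.0 <= target_fpr <= 1.0:
        raise ValueError("target_fpr must be in [0, 1]")
    ranked = sorted(benign_scores)
    n = len(ranked)
    allowed = int(target_fpr * n)          # benign alerts we are willing to accept
    return ranked[max(0, n - 1 - allowed)]


def score_flows(prob_vectors: Sequence[Sequence[float]], threshold: float) -> List[Dict]:
    """Score each flow's class distribution and flag high-uncertainty ones.

    A flow is marked 'uncertain' when its normalised entropy exceeds the
    threshold, regardless of which class received the highest probability;
    this is the hook for routing possible unknown patterns to an analyst.
    """
    out = []
    for i, probs in enumerate(prob_vectors):
        if abs(sum(probs) - 1.0) > 1e-6:
            raise ValueError(f"row {i}: probabilities must sum to 1")
        h = predictive_entropy(probs)
        out.append({
            "flow": i,
            "predicted_class": max(range(len(probs)), key=lambda c: probs[c]),
            "uncertainty": round(h, 4),
            "uncertain": h > threshold,
        })
    return out


# Constructed class-probability vectors (classes: 0 = benign, 1 = DDoS, 2 = scan).
# In the paper's pipeline these would come from the XGBoost stage; here they
# are hand-written so the example runs offline.
BENIGN_VALIDATION = [
    [0.97, 0.02, 0.01], [0.90, 0.07, 0.03], [0.85, 0.10, 0.05],
    [0.80, 0.15, 0.05], [0.70, 0.20, 0.10], [0.60, 0.30, 0.10],
    [0.95, 0.03, 0.02], [0.88, 0.08, 0.04], [0.92, 0.05, 0.03],
    [0.75, 0.15, 0.10],
]
TEST_FLOWS = [
    [0.99, 0.005, 0.005],  # confidently benign
    [0.05, 0.90, 0.05],    # confidently DDoS
    [0.34, 0.33, 0.33],    # near-uniform: the model has no idea, flag it
    [0.55, 0.40, 0.05],    # benign-vs-DDoS ambiguity, also above budget
]


def calibrate_and_score(target_fpr: float = 0.10) -> List[Dict]:
    """End-to-end: calibrate the threshold on benign data, then score test flows."""
    benign_scores = [predictive_entropy(p) for p in BENIGN_VALIDATION]
    thr = threshold_for_fpr(benign_scores, target_fpr)
    return score_flows(TEST_FLOWS, thr)


if __name__ == "__main__":
    for rec in calibrate_and_score():
        print(rec)
```

Because the threshold is fitted on benign validation data rather than chosen by hand, it moves with the model: retraining or a shift in benign traffic changes the benign entropy distribution, and recalibrating keeps the false-positive budget fixed. The fourth test flow shows the trade-off in practice: it is classified benign by argmax yet flagged, which is exactly the kind of low-confidence decision an analyst-facing IDS should surface.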
Related Work & Research Gaps
Earlier models like CNN-LSTM and XGBoost-CNN-LSTM focused on either spatial or temporal features but ignored their combination.
GNNs often used static graphs, failing to adapt to real-time network changes.
Limited interpretability in most deep models, reducing trust from analysts.
Many models are not scalable or fast enough for enterprise use.
Conclusion
The Hybrid-GTX-IDS framework represents a significant advancement in network intrusion detection, addressing critical gaps in existing systems through its innovative integration of spatial-temporal deep learning. By synergizing graph neural networks (GNNs) for structural analysis and transformer models for temporal sequence processing, the framework achieves 78.28% accuracy and 77.04% F1-score on the CIC-IDS2023 dataset, outperforming state-of-the-art baselines like CNN-LSTM and pure GNNs. Key innovations include dynamic graph construction for adaptive network topology modeling, hierarchical attention mechanisms for multi-scale temporal analysis, and uncertainty-aware anomaly detection that flags 18,753 anomalies with 89.7% precision at a 5% false positive rate.
Feature importance analysis reveals protocol-centric indicators (e.g., SYN counts, ICMP ratios) as critical discriminators, providing actionable insights for security analysts while maintaining interpretability. Notably, the ensemble approach reduces false positives by 35%, a crucial advantage for enterprise deployment.
Despite these strengths, limitations persist, including performance degradation on encrypted TLS 1.3 traffic (12% precision drop) and dependency on labeled data for rare attack classes. Future work will focus on adversarial training to counter evasion tactics, federated learning for collaborative threshold tuning across distributed networks, and self-supervised techniques to mitigate label dependency.
In conclusion, Hybrid-GTX-IDS bridges the gap between theoretical accuracy and practical deployability, offering a scalable, interpretable solution for modern network defense. Its hybrid architecture not only advances intrusion detection capabilities but also provides a foundation for adaptive cybersecurity systems capable of evolving alongside emerging threats.