Information Security 8 min read

Graph-Based Anomaly Detection Framework for Security Threats

The article presents a graph‑based anomaly detection architecture that tackles black‑market resource switching by constructing complex user‑traffic networks, mining graph similarities, and applying multi‑dimensional strategies to achieve high‑accuracy detection while meeting timeliness, performance, and interpretability requirements.

58 Tech

In security adversarial scenarios, malicious actors frequently change resources such as IP addresses, device fingerprints, and request parameters to evade static policies, making it difficult for analysts to design comprehensive, multi‑dimensional detection rules.

Technical challenges include:

Timeliness: quickly judging whether an IP is malicious to respond to rapid resource changes.

Computational performance: handling over 6 million events per hour and computing pairwise similarity between entities whose features (IPs, device fingerprints, request parameters) are categorical, so no natural distance metric applies.

Interpretability: providing clear explanations for why a flow is flagged as abnormal.

The model framework consists of three layers:

1. Complex network construction – Vertices are built from user IDs or session IDs, with edge weights derived from similarity of associated features. Both strong (e.g., same IP segment) and weak (e.g., combined attributes) relationships are encoded.

2. Graph mining layer – Similarity between vertices is measured using a triple representation of user behavior, followed by clustering (k‑means, DBSCAN, hierarchical) and subgraph extraction. Subgraphs are evaluated by purity and stability metrics to ensure strong internal correlation and explainability.

3. Application layer – Different data sources and scenarios adjust thresholds and evaluation standards to identify abnormal groups, such as anomalous traffic bursts or malicious registrations.
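The three layers, run end to end on constructed sample traffic. This is an added illustration, not the 58 Tech implementation: the (subject, action, object) layout of the behaviour triples, the strong/weak edge weights, the single-linkage cut, and the purity and stability definitions (dominant-behaviour share within a subgraph; membership overlap with the closest subgraph of the previous time window) are all assumptions made for the example. It also shows why the weak relationship matters: in window 2, session s2 moves to a different IP segment, and only the shared device fingerprint keeps it in the group.

```python
"""Toy graph-based group detection: build a session graph, cut it into
subgraphs, score purity/stability, emit an explanation for flagged groups.
Added example, not 58 Tech's code; thresholds and metrics are assumptions."""
from collections import Counter, defaultdict
from itertools import combinations
import ipaddress

# Constructed sample traffic: (window, session_id, client_ip, device_fp, action, target).
# Windows 1 and 2 are consecutive time slices; s1-s4/s7 is the simulated campaign.
EVENTS = [
    (1, "s1", "10.0.3.11", "fpA", "register", "/signup"),
    (1, "s2", "10.0.3.12", "fpA", "register", "/signup"),
    (1, "s3", "10.0.3.13", "fpB", "register", "/signup"),
    (1, "s4", "10.0.3.14", "fpA", "register", "/signup"),
    (1, "s5", "203.0.113.7", "fpC", "login", "/login"),
    (1, "s6", "198.51.100.9", "fpD", "browse", "/item/42"),
    (2, "s1", "10.0.3.21", "fpA", "register", "/signup"),   # IP rotated within segment
    (2, "s2", "10.0.9.22", "fpA", "register", "/signup"),   # IP moved to another segment
    (2, "s3", "10.0.3.23", "fpB", "register", "/signup"),
    (2, "s7", "10.0.3.24", "fpA", "register", "/signup"),   # new session joins, s4 gone
    (2, "s5", "203.0.113.8", "fpC", "login", "/login"),
    (2, "s6", "198.51.100.10", "fpD", "browse", "/item/7"),
]

STRONG_W, WEAK_W, EDGE_CUT = 0.5, 0.5, 0.5   # assumed edge weights and cut


def segment(ip):
    """/24 segment of an IPv4 address: the 'strong' relationship key."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def build_vertices(events, window):
    """Layer 1: one vertex per session, carrying its segment and a set of
    (device_fp, action, target) behaviour triples (assumed representation)."""
    segs, triples = {}, defaultdict(set)
    for w, sid, ip, fp, action, target in events:
        if w == window:
            segs[sid] = segment(ip)
            triples[sid].add((fp, action, target))
    return segs, triples


def build_edges(segs, triples):
    """Layer 1: edge weight = strong bit (same /24) + weak score (triple
    Jaccard, i.e. combined attributes); an edge is kept when weight >= cut."""
    adj = defaultdict(dict)
    for u, v in combinations(sorted(segs), 2):
        strong = 1.0 if segs[u] == segs[v] else 0.0
        weight = STRONG_W * strong + WEAK_W * jaccard(triples[u], triples[v])
        if weight >= EDGE_CUT:
            adj[u][v] = adj[v][u] = weight
    return adj


def components(vertices, adj):
    """Layer 2: single-linkage (hierarchical) clustering at the edge cut,
    which is just the connected components of the thresholded graph."""
    seen, comps = set(), []
    for start in vertices:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj.get(n, {}))
        seen |= comp
        comps.append(frozenset(comp))
    return comps


def purity(comp, triples):
    """Share of members that performed the subgraph's dominant (action, target)."""
    pairs = Counter(p for sid in comp for p in {t[1:] for t in triples[sid]})
    top, top_n = pairs.most_common(1)[0]
    return top_n / len(comp), top


def stability(comp, prev_comps):
    """Membership overlap with the closest subgraph of the previous window."""
    return max((jaccard(comp, p) for p in prev_comps), default=0.0)


def detect(events, window, prev_comps, min_size=3, min_purity=0.9, min_stab=0.5):
    """Layer 3: scenario thresholds (assumed) pick anomalous groups and attach
    a readable reason. Returns (all subgraphs, [(subgraph, reason), ...])."""
    segs, triples = build_vertices(events, window)
    comps = components(segs, build_edges(segs, triples))
    flagged = []
    for comp in comps:
        if len(comp) < min_size:
            continue
        pur, (action, target) = purity(comp, triples)
        stab = stability(comp, prev_comps)
        if pur >= min_purity and stab >= min_stab:
            seg = Counter(segs[s] for s in comp).most_common(1)[0][0]
            reason = (f"{len(comp)} sessions, mostly in {seg}, all {action} {target}; "
                      f"purity={pur:.2f} stability={stab:.2f}")
            flagged.append((comp, reason))
    return comps, flagged


if __name__ == "__main__":
    comps1, _ = detect(EVENTS, 1, [])          # first window: baseline only
    _, flagged2 = detect(EVENTS, 2, comps1)    # second window: group persists
    for comp, reason in flagged2:
        print(sorted(comp), "->", reason)
```

Window 1 produces no alert because no earlier window exists to establish stability; window 2 flags {s1, s2, s3, s7} with the reason string, even though every IP changed, one member left the /24 entirely and another joined. Per-session rules keyed on IP would have missed the same group.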

Images illustrating the architecture and subgraph evaluation are included in the original article.

Experimental results show that the graph‑based method achieves over 98% accuracy in traffic anomaly detection and 97% in malicious registration identification, improving recall by roughly 40% compared with traditional rule‑based strategies.

Future work will enrich the graph with richer behavioral signals and integrate graph representation learning to make detection more robust against evolving black‑market tactics.

Tags: Big Data, anomaly detection, information security, graph mining, Behavior Analysis
Written by

58 Tech

Official tech channel of 58, a platform for tech innovation, sharing, and communication.
