{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,2]],"date-time":"2026-06-02T21:30:33Z","timestamp":1780435833995,"version":"3.54.1"},"reference-count":158,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"name":"ISEP"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2023]]},"DOI":"10.1109\/access.2023.3275789","type":"journal-article","created":{"date-parts":[[2023,5,12]],"date-time":"2023-05-12T17:45:26Z","timestamp":1683913526000},"page":"49114-49139","source":"Crossref","is-referenced-by-count":173,"title":["Graph Neural Networks for Intrusion Detection: A Survey"],"prefix":"10.1109","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4153-735X","authenticated-orcid":false,"given":"Tristan","family":"Bilot","sequence":"first","affiliation":[{"name":"Iriguard, Puteaux, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7742-7748","authenticated-orcid":false,"given":"Nour El","family":"Madhoun","sequence":"additional","affiliation":[{"name":"LISITE Laboratory, ISEP, Issy-les-Moulineaux, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Khaldoun Al","family":"Agha","sequence":"additional","affiliation":[{"name":"Laboratoire Interdisciplinaire des Sciences du Num&#x00E9;rique, CNRS, Universit&#x00E9; Paris-Saclay, Gif-sur-Yvette, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Anis","family":"Zouaoui","sequence":"additional","affiliation":[{"name":"Iriguard, Puteaux, France"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3588771"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1007\/BF02854581"},{"key":"ref59","year":"2022","journal-title":"Openargus Home"},{"key":"ref58","year":"2023","journal-title":"Zeek is a Powerful Network Analysis Framework That is Much Different From the Typical IDS You May Know"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/DESSERT.2018.8409116"},{"key":"ref52","year":"2023","journal-title":"Google Transparency Report HTTPS encryption on the web"},{"key":"ref55","article-title":"Graph-based solutions with residuals for intrusion detection: The modified E-GraphSAGE and E-ResGAT algorithms","author":"chang","year":"2021","journal-title":"arXiv 2111 13597"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3543146.3543171"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1155\/2021\/9961342"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2022.110030"},{"key":"ref46","first-page":"241","article-title":"Cyber threat intelligence modeling based on heterogeneous graph convolutional network","author":"zhao","year":"2020","journal-title":"Proc 23rd Int Symp Res Attacks Intrusions Defenses (RAID)"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.102152"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3208815"},{"key":"ref47","article-title":"A heterogeneous graph learning model for cyber-attack detection","author":"lv","year":"2021","journal-title":"arXiv 2112 08986"},{"key":"ref42","first-page":"1025","article-title":"Inductive representation learning on large graphs","author":"hamilton","year":"2017","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref41","article-title":"Semi-supervised classification with graph convolutional networks","author":"kipf","year":"2016","journal-title":"arXiv 1609 02907"},{"key":"ref44","article-title":"Neural machine translation by jointly learning to align and translate","author":"bahdanau","year":"2014","journal-title":"arXiv 1409 0473"},{"key":"ref43","article-title":"Graph attention networks","author":"veli?kovi?","year":"2017","journal-title":"arXiv 1710 10903"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313562"},{"key":"ref8","first-page":"1995","article-title":"Convolutional networks for images, speech, and time series","volume":"3361","author":"lecun","year":"2015","journal-title":"Handbook Brain Theory Neural Netw"},{"key":"ref7","first-page":"3371","article-title":"Stacked denoising autoencoders: Learning useful representations in a deep network with a local denoising criterion","volume":"11","author":"vincent","year":"2010","journal-title":"J Mach Learn Res"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1162\/neco.1997.9.8.1735"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-73951-9_2"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.3390\/app9204396"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1162\/neco.2006.18.7.1527"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2019.102526"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1109\/MilCIS.2015.7348942"},{"key":"ref101","article-title":"UNSW-NB15 computer security dataset: Analysis through visualization","author":"zoghi","year":"2021","journal-title":"arXiv 2101 05067"},{"key":"ref40","article-title":"Empirical evaluation of gated recurrent neural networks on sequence modeling","author":"chung","year":"2014","journal-title":"arXiv 1412 3555"},{"key":"ref35","year":"2021","journal-title":"How to Get Started With Graph Machine Learning"},{"key":"ref34","first-page":"3844","article-title":"Convolutional neural networks on graphs with fast localized spectral filtering","author":"defferrard","year":"2016","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/TNN.2008.2005605"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2005.1555942"},{"key":"ref31","article-title":"Inductive representation learning in temporal networks via causal anonymous walks","author":"wang","year":"2021","journal-title":"arXiv 2101 05974"},{"key":"ref148","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2013.37"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1007\/s41109-019-0169-5"},{"key":"ref149","year":"2020","journal-title":"Insider Threat Test Dataset"},{"key":"ref33","first-page":"4","article-title":"Deep graph infomax","volume":"2","author":"velickovic","year":"2019","journal-title":"Proc ICLR"},{"key":"ref146","first-page":"1","article-title":"BETH dataset: Real cybersecurity data for anomaly detection research","volume":"763","author":"highnam","year":"2021","journal-title":"Training"},{"key":"ref32","article-title":"Representation learning on graphs: Methods and applications","author":"hamilton","year":"2017","journal-title":"arXiv 1709 05584"},{"key":"ref147","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2013.13"},{"key":"ref39","first-page":"4509","article-title":"Interaction networks for learning about objects, relations and physics","author":"battaglia","year":"2016","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref38","first-page":"1263","article-title":"Neural message passing for quantum chemistry","author":"gilmer","year":"2017","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref155","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2021.3130434"},{"key":"ref156","doi-asserted-by":"publisher","DOI":"10.1109\/ICEE.2018.8472577"},{"key":"ref153","first-page":"405","article-title":"Online anomaly detection under adversarial impact","author":"kloft","year":"2010","journal-title":"Proc 13th Int Conf Artif Intell Statist JMLR Workshop Conf"},{"key":"ref154","first-page":"1","author":"aiken","year":"2019","journal-title":"Proc IEEE Conf Netw Function Virtualization Softw Defined Netw (NFV-SDN)"},{"key":"ref151","doi-asserted-by":"publisher","DOI":"10.1145\/3469659"},{"key":"ref152","doi-asserted-by":"publisher","DOI":"10.1145\/3359992.3366642"},{"key":"ref150","doi-asserted-by":"publisher","DOI":"10.1109\/TEVC.2019.2890858"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939754"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/2623330.2623732"},{"key":"ref26","first-page":"1","article-title":"Network representation learning with rich text information","author":"yang","year":"2015","journal-title":"Proc 24th Int Joint Conf Artif Intell"},{"key":"ref25","article-title":"Efficient estimation of word representations in vector space","author":"mikolov","year":"2013","journal-title":"arXiv 1301 3781 [cs]"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1155\/2021\/6291276"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363224"},{"key":"ref157","year":"2019","journal-title":"Data Collected for ACM SOSR 2019\/Attack and Benign Data"},{"key":"ref21","first-page":"257","article-title":"Detecting lateral movement in enterprise computer networks with unsupervised graph AI","author":"bowman","year":"2020","journal-title":"Proc 23rd Int Symp Res Attacks Intrusions Defenses (RAID)"},{"key":"ref158","first-page":"74","author":"he","year":"2022","journal-title":"Proc IEEE 7th Eur Symp Secur Privacy (EuroS&P)"},{"key":"ref28","first-page":"40","article-title":"Revisiting semi-supervised learning with graph embeddings","author":"yang","year":"2016","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref27","first-page":"3889","article-title":"Max-margin deepwalk: Discriminative learning of network representation","author":"tu","year":"2016","journal-title":"Proc IJCAI"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/BigData.2018.8622109"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.3390\/app13020825"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion55297.2022.9793807"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-90019-9_1"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3229472"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/TNSE.2022.3184975"},{"key":"ref129","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA52953.2021.00273"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.5220\/0006639801080116"},{"key":"ref126","year":"2022","journal-title":"auditd(8) Audit daemon - Linux man page"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.05.011"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1145\/3511808.3557200"},{"key":"ref11","first-page":"1","article-title":"Network attacks detection methods based on deep learning techniques: A survey","volume":"2020","author":"wu","year":"2020","journal-title":"Secur Commun Netw"},{"key":"ref99","year":"2018","journal-title":"IDS 2018 |Datasets |Research |Canadian Institute for Cybersecurity |UNB"},{"key":"ref124","year":"2018","journal-title":"CamFlow Practical Whole-System Provenance for Linux"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/JAS.2021.1004261"},{"key":"ref98","year":"2017","journal-title":"Applications |Research |Canadian Institute for Cybersecurity |UNB"},{"key":"ref125","year":"2023","journal-title":"Sysmon Sysinternals |Microsoft Learn"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3216902"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-91356-4_14"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/NOMS54207.2022.9789921"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/TETCI.2019.2952908"},{"key":"ref93","first-page":"3111","article-title":"Distributed representations of words and phrases and their compositionality","author":"mikolov","year":"2013","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref133","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24167"},{"key":"ref92","first-page":"1126","article-title":"Model-agnostic meta-learning for fast adaptation of deep networks","author":"finn","year":"2017","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939783"},{"key":"ref95","year":"2009","journal-title":"The CAIDA Anonymized OC48 Internet Traces Dataset"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1145\/3289600.3290967"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098036"},{"key":"ref132","first-page":"926","article-title":"Reasoning with neural tensor networks for knowledge base completion","author":"socher","year":"2013","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.1109\/BigData55660.2022.10020336"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1109\/JBHI.2021.3053568"},{"key":"ref90","year":"2023","journal-title":"Hping3 (8)-Linux Man Page"},{"key":"ref89","article-title":"Spatio-temporal graph convolutional networks: A deep learning framework for traffic forecasting","author":"yu","year":"2017","journal-title":"arXiv 1709 04875"},{"key":"ref139","doi-asserted-by":"publisher","DOI":"10.1109\/CTC.2013.9"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-39235-1_4"},{"key":"ref137","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.2971484"},{"key":"ref85","article-title":"Relational inductive biases, deep learning, and graph networks","author":"battaglia","year":"2018","journal-title":"arXiv 1806 01261"},{"key":"ref138","article-title":"PROV-overview. An overview of the PROV family of documents","author":"groth","year":"2013","journal-title":"World Wide Web Consortium"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1007\/s11036-021-01843-0"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134015"},{"key":"ref87","year":"2023","journal-title":"MAWI working group traffic archive"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-93417-4_38"},{"key":"ref82","first-page":"9244","article-title":"GNNExplainer: Generating explanations for graph neural networks","author":"ying","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref144","author":"han","year":"2018","journal-title":"Streamspot dataset Harvard dataverse"},{"key":"ref81","first-page":"6437","article-title":"Training graph neural networks with 1000 layers","author":"li","year":"2021","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref145","year":"2016","journal-title":"Sbustreamspot\/Sbustreamspot-Data Datasets Used in the StreamSpot Experiments"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2013.03.022"},{"key":"ref142","first-page":"4805","article-title":"Hierarchical graph representation learning with differentiable pooling","author":"ying","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref83","article-title":"Inferential SIR-GN: Scalable graph representation learning","author":"layne","year":"2021","journal-title":"arXiv 2111 04826"},{"key":"ref143","year":"2023","journal-title":"Transparent Computing"},{"key":"ref140","article-title":"How powerful are graph neural networks?","author":"xu","year":"2018","journal-title":"arXiv 1810 00826"},{"key":"ref141","first-page":"4393","article-title":"Deep one-class classification","author":"ruff","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00936"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1109\/IPCCC55026.2022.9894347"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1142\/9781786340757_0002"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2021.12.026"},{"key":"ref109","article-title":"Operationally transparent cyber (OPTC)","author":"arantes","year":"0","journal-title":"IEEE Dataport"},{"key":"ref106","year":"2023","journal-title":"nProbe An Extensible NetFlow v5\/v9\/IPFIX Probe for IPv4\/v6"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1145\/3442520.3442521"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3108782"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1016\/j.scs.2021.102994"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/CSCWD54268.2022.9776097"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-72802-1_9"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom50675.2020.00099"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1109\/IRI.2018.00041"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.7197"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2019.05.041"},{"key":"ref2","article-title":"Machine learning methods for network intrusion detection","author":"alkasassbeh","year":"2018","journal-title":"arXiv 1809 02610"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2018.2847722"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1109\/NOMS54207.2022.9789878"},{"key":"ref111","article-title":"Http data set CSIC 2010","volume":"64","author":"gim\u00e9nez","year":"2010","journal-title":"Information Security Institute of CSIC (Spanish Research National Council)"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1007\/s12530-020-09347-0"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.12.012"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1155\/2022\/5363764"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/CTISC52352.2021.00013"},{"key":"ref110","year":"2022","journal-title":"Data Model |MITRE Cyber Analytics Repository"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/BigData52589.2021.9671728"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1145\/3539605"},{"key":"ref67","article-title":"XG-BoT: An explainable deep graph neural network for botnet detection and forensics","author":"weng lo","year":"2022","journal-title":"arXiv 2207 09088"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.1145\/2043556.2043584"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2020.03.113"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24046"},{"key":"ref64","year":"2022","journal-title":"Home - Suricata"},{"key":"ref115","first-page":"16","article-title":"Towards automated collection of application-level data provenance","volume":"12","author":"tariq","year":"2012","journal-title":"Proc TaPP"},{"key":"ref63","year":"2022","journal-title":"SNORT network intrusion detection system"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.1145\/2834050.2834111"},{"key":"ref66","first-page":"66","article-title":"A practical botnet traffic detection system using GNN","author":"zhang","year":"2021","journal-title":"Proc Int Symp Cyberspace Saf Secur"},{"key":"ref113","article-title":"PicoDomain: A compact high-fidelity cybersecurity dataset","author":"laprade","year":"2020","journal-title":"arXiv 2008 09192"},{"key":"ref65","article-title":"Automating botnet detection with graph neural networks","author":"zhou","year":"2020","journal-title":"arXiv 2003 06344"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420989"},{"key":"ref60","year":"2023","journal-title":"Wireshark Download"},{"key":"ref122","year":"2010","journal-title":"The Open Provenance Model"},{"key":"ref123","year":"2013","journal-title":"PROV-Overview"},{"key":"ref62","year":"2022","journal-title":"Splunk |The Key to Enterprise Resilience"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102282"},{"key":"ref61","year":"2022","journal-title":"Cisco\/Joy A Package for capturing Analyzing Network Flow Data Intraflow Data for Network Research Forensics and Security Monitoring"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1145\/3529466.3529480"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/6287639\/10005208\/10123384.pdf?arnumber=10123384","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,6,12]],"date-time":"2023-06-12T18:25:12Z","timestamp":1686594312000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10123384\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"references-count":158,"URL":"https:\/\/doi.org\/10.1109\/access.2023.3275789","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023]]}}}