{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,27]],"date-time":"2026-02-27T03:47:47Z","timestamp":1772164067124,"version":"3.50.1"},"reference-count":44,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2024,12,30]],"date-time":"2024-12-30T00:00:00Z","timestamp":1735516800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,12,30]],"date-time":"2024-12-30T00:00:00Z","timestamp":1735516800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100012165","name":"Key Technologies Research and Development Program","doi-asserted-by":"publisher","award":["2021YFC3300401"],"award-info":[{"award-number":["2021YFC3300401"]}],"id":[{"id":"10.13039\/501100012165","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"Abstract<\/jats:title>Internal network attacks pose a serious security threat to enterprises and organizations, potentially leading to critical information leaks and network system damage. Hosts, as the core data and service bearers, are often primary targets of cyber attacks. Therefore, accurately identifying hosts with malicious behavior in the network is crucial. However, detecting malicious hosts on this intranet presents several challenges. Firstly, the network state is unstructured data that dynamically changes in real-time. Secondly, the large amount of normal traffic in the network drowns out the traces generated by malicious behaviors, leading to the problem of category imbalance. Lastly, the traditional graph neural network model has limitations in processing edge information and is unable to directly learn the information in netflow. To overcome these challenges, this paper proposes a malicious host detection system. The system extracts the Host Communication Graph by time slicing and uses a random undersampling method to balance samples. For malicious host detection, this paper proposes the Relational-Edge Graph Convolutional Network (RE-GCN) model, which can directly aggregate and learn features on edges and use them to accurately classify nodes, compared to other GNN models. Comparative experiments were conducted on various netflow datasets, demonstrating the effectiveness of our approach. Our approach outperformed other common GNN models in detecting malicious hosts.<\/jats:p>","DOI":"10.1186\/s42400-024-00242-8","type":"journal-article","created":{"date-parts":[[2024,12,30]],"date-time":"2024-12-30T01:01:22Z","timestamp":1735520482000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["A novel approach for detecting malicious hosts based on RE-GCN in intranet"],"prefix":"10.1186","volume":"7","author":[{"given":"Haochen","family":"Xu","sequence":"first","affiliation":[]},{"given":"Xiaoyu","family":"Geng","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0003-3383-2292","authenticated-orcid":false,"given":"Junrong","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Zhigang","family":"Lu","sequence":"additional","affiliation":[]},{"given":"Bo","family":"Jiang","sequence":"additional","affiliation":[]},{"given":"Yuling","family":"Liu","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,12,30]]},"reference":[{"key":"242_CR1","doi-asserted-by":"publisher","first-page":"165130","DOI":"10.1109\/ACCESS.2020.3022862","volume":"8","author":"A Alsaedi","year":"2020","unstructured":"Alsaedi A, Moustafa N, Tari Z, Mahmood A, Anwar A (2020) Ton_iot telemetry dataset: a new generation dataset of iot and iiot for data-driven intrusion detection systems. IEEE Access 8:165130\u2013165150","journal-title":"IEEE Access"},{"key":"242_CR2","doi-asserted-by":"publisher","DOI":"10.1016\/j.scs.2021.103041","volume":"72","author":"J Ashraf","year":"2021","unstructured":"Ashraf J, Keshk M, Moustafa N, Abdel-Basset M, Khurshid H, Bakhshi AD, Mostafa RR (2021) Iotbot-ids: a novel statistical learning-enabled botnet detection framework for protecting networks of smart cities. Sustain Cities Soc 72:103041","journal-title":"Sustain Cities Soc"},{"key":"242_CR3","doi-asserted-by":"crossref","DOI":"10.1007\/978-1-4612-0619-4","volume-title":"Modern graph theory","author":"B Bollob\u00e1s","year":"1998","unstructured":"Bollob\u00e1s B (1998) Modern graph theory, vol 184. Springer, Berlin"},{"issue":"1","key":"242_CR4","doi-asserted-by":"publisher","first-page":"485","DOI":"10.1109\/JIOT.2021.3085194","volume":"9","author":"TM Booij","year":"2021","unstructured":"Booij TM, Chiscop I, Meeuwissen E, Moustafa N, Den Hartog FT (2021) Ton_iot: the role of heterogeneity and the need for standardization of features and attack types in iot network intrusion data sets. IEEE Internet Things J 9(1):485\u2013496","journal-title":"IEEE Internet Things J"},{"key":"242_CR5","doi-asserted-by":"publisher","first-page":"321","DOI":"10.1613\/jair.953","volume":"16","author":"NV Chawla","year":"2002","unstructured":"Chawla NV, Bowyer KW, Hall LO, Kegelmeyer WP (2002) Smote: synthetic minority over-sampling technique. J Artif Intell Res 16:321\u2013357","journal-title":"J Artif Intell Res"},{"key":"242_CR6","unstructured":"Djidjev H, Sandine G, Storlie C, Vander\u00a0Wiel S (2011) Graph based statistical analysis of network traffic. In: Proceedings of the ninth workshop on mining and learning with graphs"},{"key":"242_CR7","doi-asserted-by":"crossref","unstructured":"Du M, Li F, Zheng G, Srikumar V (2017) Deeplog: anomaly detection and diagnosis from system logs through deep learning. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp. 1285\u20131298","DOI":"10.1145\/3133956.3134015"},{"key":"242_CR8","unstructured":"Gilmer J, Schoenholz SS, Riley PF, Vinyals O, Dahl GE (2017) Neural message passing for quantum chemistry. In: International conference on machine learning. PMLR, pp 1263\u20131272"},{"key":"242_CR9","doi-asserted-by":"crossref","unstructured":"Gong L, Cheng Q (2019) Exploiting edge features for graph neural networks. In: Proceedings of the IEEE\/CVF conference on computer vision and pattern recognition, pp. 9211\u20139219","DOI":"10.1109\/CVPR.2019.00943"},{"issue":"3","key":"242_CR10","doi-asserted-by":"publisher","first-page":"515","DOI":"10.1109\/TIT.1968.1054155","volume":"14","author":"P Hart","year":"1968","unstructured":"Hart P (1968) The condensed nearest neighbor rule (corresp). IEEE Trans Inf Theory 14(3):515\u2013516","journal-title":"IEEE Trans Inf Theory"},{"key":"242_CR11","doi-asserted-by":"publisher","first-page":"183207","DOI":"10.1109\/ACCESS.2019.2959131","volume":"7","author":"H He","year":"2019","unstructured":"He H, Sun X, He H, Zhao G, He L, Ren J (2019) A novel multimodal-sequential approach based on multi-view features for network intrusion detection. IEEE Access 7:183207\u2013183221","journal-title":"IEEE Access"},{"key":"242_CR12","doi-asserted-by":"crossref","unstructured":"Iliofotou M, Faloutsos M, Mitzenmacher M (2009) Exploiting dynamicity in graph-based traffic analysis: techniques and applications. In: Proceedings of the 5th international conference on emerging networking experiments and technologies, pp 241\u2013252","DOI":"10.1145\/1658939.1658967"},{"key":"242_CR13","doi-asserted-by":"crossref","unstructured":"Iliofotou M, Pappu P, Faloutsos M, Mitzenmacher M, Singh S, Varghese G (2007) Network monitoring using traffic dispersion graphs (tdgs). In: Proceedings of the 7th ACM SIGCOMM conference on internet measurement, pp 315\u2013320","DOI":"10.1145\/1298306.1298349"},{"issue":"1","key":"242_CR14","doi-asserted-by":"publisher","first-page":"49","DOI":"10.1145\/2492101.1555356","volume":"37","author":"Y Jin","year":"2009","unstructured":"Jin Y, Sharafuddin E, Zhang Z-L (2009) Unveiling core network-wide communication patterns through application traffic activity graph decomposition. ACM SIGMETRICS Perform Eval Rev 37(1):49\u201360","journal-title":"ACM SIGMETRICS Perform Eval Rev"},{"key":"242_CR15","doi-asserted-by":"publisher","first-page":"1397","DOI":"10.1007\/s10586-019-03008-x","volume":"23","author":"V Kumar","year":"2020","unstructured":"Kumar V, Sinha D, Das AK, Pandey SC, Goswami RT (2020) An integrated rule based intrusion detection system: analysis on unsw-nb15 data set and the real time online dataset. Cluster Comput 23:1397\u20131418","journal-title":"Cluster Comput"},{"key":"242_CR16","doi-asserted-by":"crossref","unstructured":"Leskovec J, Faloutsos C (2006) Sampling from large graphs. In: Proceedings of the 12th ACM SIGKDD international conference on knowledge discovery and data mining, pp 631\u2013636","DOI":"10.1145\/1150402.1150479"},{"key":"242_CR17","doi-asserted-by":"crossref","unstructured":"Li W-Z, Wang C-D, Xiong H, Lai J-H (2023) Graphsha: synthesizing harder samples for class-imbalanced node classification. arXiv preprint arXiv:2306.09612","DOI":"10.1145\/3580305.3599374"},{"key":"242_CR18","doi-asserted-by":"publisher","first-page":"390","DOI":"10.1016\/j.future.2021.05.024","volume":"124","author":"X Liu","year":"2021","unstructured":"Liu X, Liu W, Di X, Li J, Cai B, Ren W, Yang H (2021) Lognads: network anomaly detection scheme based on log semantics representation. Future Gener Comput Syst 124:390\u2013405","journal-title":"Future Gener Comput Syst"},{"key":"242_CR19","doi-asserted-by":"crossref","unstructured":"Lo WW, Layeghy S, Sarhan M, Gallagher M, Portmann M (2022) E-graphsage: a graph neural network based intrusion detection system for iot. In: NOMS 2022-2022 IEEE\/IFIP network operations and management symposium. IEEE, pp 1\u20139","DOI":"10.1109\/NOMS54207.2022.9789878"},{"issue":"12","key":"242_CR20","first-page":"2346","volume":"31","author":"J Lu","year":"2018","unstructured":"Lu J, Liu A, Dong F, Gu F, Gama J, Zhang G (2018) Learning under concept drift: a review. IEEE Trans Knowl Data Eng 31(12):2346\u20132363","journal-title":"IEEE Trans Knowl Data Eng"},{"key":"242_CR21","doi-asserted-by":"crossref","unstructured":"Milajerdi SM, Gjomemo R, Eshete B, Sekar R, Venkatakrishnan V (2019) Holmes: real-time apt detection through correlation of suspicious information flows. In: 2019 IEEE symposium on security and privacy (SP). IEEE, pp. 1137\u20131152","DOI":"10.1109\/SP.2019.00026"},{"key":"242_CR22","unstructured":"Moustafa N (2019) New generations of internet of things datasets for cybersecurity applications based machine learning: Ton_iot datasets. In: Proceedings of the eResearch Australasia Conference, Brisbane, Australia, pp 21\u201325"},{"key":"242_CR24","doi-asserted-by":"publisher","DOI":"10.1016\/j.scs.2021.102994","volume":"72","author":"N Moustafa","year":"2021","unstructured":"Moustafa N (2021a) A new distributed architecture for evaluating ai-based security systems at the edge: network ton_iot datasets. Sustain Cities Soc 72:102994","journal-title":"Sustain Cities Soc"},{"key":"242_CR23","doi-asserted-by":"crossref","unstructured":"Moustafa N (2021b) A systemic iot\u2013fog\u2013cloud architecture for big-data analytics and cyber security systems: a review of fog computing. Secure Edge Comput 41\u201350","DOI":"10.1201\/9781003028635-4"},{"key":"242_CR30","doi-asserted-by":"crossref","unstructured":"Moustafa N, Slay J (2015) Unsw-nb15: a comprehensive data set for network intrusion detection systems (unsw-nb15 network data set). In: 2015 military communications and information systems conference (MilCIS). IEEE, pp 1\u20136","DOI":"10.1109\/MilCIS.2015.7348942"},{"issue":"1\u20133","key":"242_CR25","doi-asserted-by":"publisher","first-page":"18","DOI":"10.1080\/19393555.2015.1125974","volume":"25","author":"N Moustafa","year":"2016","unstructured":"Moustafa N, Slay J (2016) The evaluation of network anomaly detection systems: statistical analysis of the unsw-nb15 data set and the comparison with the kdd99 data set. Inf Sec J Global Perspect 25(1\u20133):18\u201331","journal-title":"Inf Sec J Global Perspect"},{"issue":"4","key":"242_CR26","doi-asserted-by":"publisher","first-page":"481","DOI":"10.1109\/TBDATA.2017.2715166","volume":"5","author":"N Moustafa","year":"2017","unstructured":"Moustafa N, Slay J, Creech G (2017a) Novel geometric area analysis technique for anomaly detection using trapezoidal area estimation on large-scale networks. IEEE Trans Big Data 5(4):481\u2013494","journal-title":"IEEE Trans Big Data"},{"key":"242_CR28","doi-asserted-by":"crossref","unstructured":"Moustafa N, Creech G, Slay J (2017b) Big data analytics for intrusion detection system: statistical decision-making using finite dirichlet mixture models. Data Anal Decis Support Cybersec Trends Methodol Appl 127\u2013156","DOI":"10.1007\/978-3-319-59439-2_5"},{"key":"242_CR27","doi-asserted-by":"crossref","unstructured":"Moustafa N, Ahmed M, Ahmed S (2020a) Data analytics-enabled intrusion detection: Evaluations of ton_iot linux datasets. In: 2020 IEEE 19th international conference on trust, security and privacy in computing and communications (TrustCom). IEEE, pp727\u2013735","DOI":"10.1109\/TrustCom50675.2020.00100"},{"key":"242_CR29","doi-asserted-by":"crossref","unstructured":"Moustafa N, Keshky M, Debiez E, Janicke H (2020b) Federated ton_iot windows datasets for evaluating ai-based security applications. In: 2020 IEEE 19th international conference on trust, security and privacy in computing and communications (TrustCom). IEEE, pp 848\u2013855","DOI":"10.1109\/TrustCom50675.2020.00114"},{"key":"242_CR31","unstructured":"Park J, Song J, Yang E (2022) Graphens: neighbor-aware ego network synthesis for class-imbalanced node classification. In: The tenth international conference on learning representations, ICLR 2022. International Conference on Learning Representations (ICLR)"},{"key":"242_CR32","unstructured":"Rong Y, Huang W, Xu T, Huang J (2019) Dropedge: towards deep graph convolutional networks on node classification. arXiv preprint arXiv:1907.10903"},{"key":"242_CR33","doi-asserted-by":"crossref","unstructured":"Sarhan M, Layeghy S, Moustafa N, Portmann M (2021) Netflow datasets for machine learning-based network intrusion detection systems. In: Big data technologies and applications: 10th EAI international conference, BDTA 2020, and 13th EAI international conference on wireless internet, WiCON 2020, Virtual Event, December 11, 2020, Proceedings 10. Springer, pp 117\u2013135","DOI":"10.1007\/978-3-030-72802-1_9"},{"key":"242_CR34","doi-asserted-by":"crossref","unstructured":"Schlichtkrull M, Kipf TN, Bloem P, Van Den\u00a0Berg R, Titov I, Welling M (2018) Modeling relational data with graph convolutional networks. In: The semantic web: 15th international conference, ESWC 2018, Heraklion, Crete, Greece, June 3\u20137, 2018, Proceedings 15. Springer, pp 593\u2013607","DOI":"10.1007\/978-3-319-93417-4_38"},{"issue":"12","key":"242_CR35","doi-asserted-by":"publisher","first-page":"4221","DOI":"10.1073\/pnas.0501179102","volume":"102","author":"MP Stumpf","year":"2005","unstructured":"Stumpf MP, Wiuf C, May RM (2005) Subnets of scale-free networks are not scale-free: sampling properties of networks. Proc Nat Acad Sci 102(12):4221\u20134224","journal-title":"Proc Nat Acad Sci"},{"key":"242_CR36","unstructured":"Tomek I (1976) Two modifications of cnn"},{"key":"242_CR37","doi-asserted-by":"publisher","first-page":"3972","DOI":"10.1109\/TIFS.2022.3208815","volume":"17","author":"S Wang","year":"2022","unstructured":"Wang S, Wang Z, Zhou T, Sun H, Yin X, Han D, Zhang H, Shi X, Yang J (2022) Threatrace: detecting and tracing host-based threats in node level through provenance graph learning. IEEE Trans Inf Forensics Sec 17:3972\u20133987","journal-title":"IEEE Trans Inf Forensics Sec"},{"key":"242_CR38","doi-asserted-by":"crossref","unstructured":"Wehmuth K, Ziviani A, Fleury E (2015) A unifying model for representing time-varying graphs. In: 2015 IEEE international conference on data science and advanced analytics (DSAA). IEEE, pp 1\u201310","DOI":"10.1109\/DSAA.2015.7344810"},{"key":"242_CR39","doi-asserted-by":"crossref","unstructured":"Xiao Q, Liu J, Wang Q, Jiang Z, Wang X, Yao Y (2020) Towards network anomaly detection using graph embedding. In: Computational Science\u2013ICCS 2020: 20th international conference, Amsterdam, The Netherlands, June 3\u20135, 2020, Proceedings, Part IV 20. Springer, pp 156\u2013169","DOI":"10.1007\/978-3-030-50423-6_12"},{"key":"242_CR40","doi-asserted-by":"crossref","unstructured":"Yen S-J, Lee Y-S (2006) Under-sampling approaches for improving prediction of the minority class in an imbalanced dataset. In: Intelligent control and automation: international conference on intelligent computing, ICIC 2006 Kunming, China, August 16\u201319, 2006. Springer, pp 731\u2013740","DOI":"10.1007\/978-3-540-37256-1_89"},{"key":"242_CR42","doi-asserted-by":"crossref","unstructured":"Zhao T, Zhang X, Wang S (2021a) Graphsmote: imbalanced node classification on graphs with graph neural networks. In: Proceedings of the 14th ACM international conference on web search and data mining, pp 833\u2013841","DOI":"10.1145\/3437963.3441720"},{"key":"242_CR41","first-page":"11015","volume":"35","author":"T Zhao","year":"2021","unstructured":"Zhao T, Liu Y, Neves L, Woodford O, Jiang M, Shah N (2021b) Data augmentation for graph neural networks. Proc Aaai Conf Artif Intell 35:11015\u201311023","journal-title":"Proc Aaai Conf Artif Intell"},{"key":"242_CR43","unstructured":"Zhou J, Xu Z, Rush AM, Yu M (2020) Automating botnet detection with graph neural networks. arXiv preprint arXiv:2003.06344"},{"key":"242_CR44","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102632","volume":"115","author":"F Zola","year":"2022","unstructured":"Zola F, Segurola-Gil L, Bruse JL, Galar M, Orduna-Urrutia R (2022) Network traffic analysis through node behaviour classification: a graph-based approach with temporal dissection and data-level preprocessing. Comput Sec 115:102632","journal-title":"Comput Sec"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00242-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-024-00242-8\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00242-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,30]],"date-time":"2024-12-30T02:04:48Z","timestamp":1735524288000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-024-00242-8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,30]]},"references-count":44,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2024,12]]}},"alternative-id":["242"],"URL":"https:\/\/doi.org\/10.1186\/s42400-024-00242-8","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,12,30]]},"assertion":[{"value":"16 February 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"11 April 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"30 December 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no Conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"69"}}