{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,9]],"date-time":"2026-06-09T15:14:14Z","timestamp":1781018054090,"version":"3.54.1"},"reference-count":52,"publisher":"MDPI AG","issue":"6","license":[{"start":{"date-parts":[[2025,6,16]],"date-time":"2025-06-16T00:00:00Z","timestamp":1750032000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>The inherent complexity and heterogeneity of the Internet of Things (IoT) ecosystem present significant challenges for developing effective intrusion detection systems. While graph deep-learning-based methods have shown promise in cybersecurity applications, existing approaches primarily construct graphs based on physical network connections, which may not effectively capture node representations. This paper proposes a Top-K Similarity Graph Framework (TKSGF) for IoT network intrusion detection. Instead of relying on physical links, the TKSGF constructs graphs based on Top-K attribute similarity, ensuring a more meaningful representation of node relationships. We employ GraphSAGE as the Graph Neural Network (GNN) model to effectively capture node representations while maintaining scalability. Furthermore, we conducted extensive experiments to analyze the impact of graph directionality (directed vs. undirected), different K values, and various GNN architectures and configurations on detection performance. Evaluations on binary and multi-class classification tasks using the NF-ToN IoT and NF-BoT IoT datasets from the Machine-Learning-Based Network Intrusion Detection System (NIDS) benchmark demonstrated that our proposed framework consistently outperformed traditional machine learning methods and existing graph-based approaches, achieving superior classification accuracy and robustness.<\/jats:p>","DOI":"10.3390\/info16060499","type":"journal-article","created":{"date-parts":[[2025,6,16]],"date-time":"2025-06-16T09:51:22Z","timestamp":1750067482000},"page":"499","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":16,"title":["Optimizing IoT Intrusion Detection\u2014A Graph Neural Network Approach with Attribute-Based Graph Construction"],"prefix":"10.3390","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-3844-0863","authenticated-orcid":false,"given":"Tien","family":"Ngo","sequence":"first","affiliation":[{"name":"Institute for Sustainable Industries and Liveable Cities, Victoria University, Melbourne, VIC 3011, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0269-2624","authenticated-orcid":false,"given":"Jiao","family":"Yin","sequence":"additional","affiliation":[{"name":"Institute for Sustainable Industries and Liveable Cities, Victoria University, Melbourne, VIC 3011, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5955-6295","authenticated-orcid":false,"given":"Yong-Feng","family":"Ge","sequence":"additional","affiliation":[{"name":"Institute for Sustainable Industries and Liveable Cities, Victoria University, Melbourne, VIC 3011, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8465-0996","authenticated-orcid":false,"given":"Hua","family":"Wang","sequence":"additional","affiliation":[{"name":"Institute for Sustainable Industries and Liveable Cities, Victoria University, Melbourne, VIC 3011, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2025,6,16]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"100721","DOI":"10.1016\/j.iot.2023.100721","article-title":"The Internet of Things (IoT) in healthcare: Taking stock and moving forward","volume":"22","author":"Rejeb","year":"2023","journal-title":"Internet Things"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"169","DOI":"10.1016\/j.future.2021.08.006","article-title":"Recent advancements and challenges of Internet of Things in smart agriculture: A survey","volume":"126","author":"Sinha","year":"2022","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"100065","DOI":"10.1016\/j.clscn.2022.100065","article-title":"Internet of Things for sustainable railway transportation: Past, present, and future","volume":"4","author":"Singh","year":"2022","journal-title":"Clean. Logist. Supply Chain"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"8176","DOI":"10.1016\/j.egyr.2021.08.126","article-title":"A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments","volume":"7","author":"Li","year":"2021","journal-title":"Energy Rep."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Manoharan, P., Hong, W., Yin, J., Wang, H., Zhang, Y., and Ye, W. (2024). Optimising Insider Threat Prediction: Exploring BiLSTM Networks and Sequential Features. Data Science and Engineering, Springer Nature.","DOI":"10.1007\/s41019-024-00260-z"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Yin, J., Tang, M., Cao, J., You, M., and Wang, H. (2022). Cybersecurity applications in software: Data-driven software vulnerability assessment and management. Emerging Trends in Cybersecurity Applications, Springer.","DOI":"10.1007\/978-3-031-09640-2_17"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"102810","DOI":"10.1016\/j.cose.2022.102810","article-title":"Datasets are not enough: Challenges in labeling network traffic","volume":"120","author":"Guerra","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"6955","DOI":"10.1007\/s00521-024-09439-x","article-title":"Comparative study of ML models for IIoT intrusion detection: Impact of data preprocessing and balancing","volume":"36","author":"Eid","year":"2024","journal-title":"Neural Comput. Appl."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Mbow, M., Koide, H., and Sakurai, K. (2021, January 23\u201326). An intrusion detection system for imbalanced dataset based on deep learning. Proceedings of the 2021 Ninth International Symposium on Computing and Networking (CANDAR), Matsue, Japan.","DOI":"10.1109\/CANDAR53791.2021.00013"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"395","DOI":"10.1016\/j.neunet.2021.05.033","article-title":"PC-GAIN: Pseudo-label conditional generative adversarial imputation networks for incomplete data","volume":"141","author":"Wang","year":"2021","journal-title":"Neural Netw."},{"key":"ref_11","unstructured":"Chen, Y., Zhang, Y., and Maharjan, S. (2017). Deep learning for secure mobile edge computing. arXiv."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"1125","DOI":"10.1007\/s10207-023-00682-2","article-title":"A systematic literature review for network intrusion detection system (IDS)","volume":"22","author":"Abdulganiyu","year":"2023","journal-title":"Int. J. Inf. Secur."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"23906","DOI":"10.1109\/TITS.2022.3190432","article-title":"LSTM-based intrusion detection system for VANETs: A time series classification approach to false message detection","volume":"23","author":"Yu","year":"2022","journal-title":"IEEE Trans. Intell. Transp. Syst."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"64375","DOI":"10.1109\/ACCESS.2022.3182333","article-title":"RTIDS: A robust transformer-based approach for intrusion detection system","volume":"10","author":"Wu","year":"2022","journal-title":"IEEE Access"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Kheddar, H. (2024). Transformers and large language models for efficient intrusion detection systems: A comprehensive survey. arXiv.","DOI":"10.1016\/j.inffus.2025.103347"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"103165","DOI":"10.1016\/j.ipm.2022.103165","article-title":"Graph-based data management system for efficient information storage, retrieval and processing","volume":"60","author":"Aldwairi","year":"2023","journal-title":"Inf. Process. Manag."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"101515","DOI":"10.1016\/j.aei.2021.101515","article-title":"A knowledge graph-based data representation approach for IIoT-enabled cognitive manufacturing","volume":"51","author":"Liu","year":"2022","journal-title":"Adv. Eng. Inform."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"49114","DOI":"10.1109\/ACCESS.2023.3275789","article-title":"Graph neural networks for intrusion detection: A survey","volume":"11","author":"Bilot","year":"2023","journal-title":"IEEE Access"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"118935","DOI":"10.1016\/j.ins.2023.118935","article-title":"INS-GNN: Improving graph imbalance learning with self-supervision","volume":"637","author":"Juan","year":"2023","journal-title":"Inf. Sci."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Wu, C., Wu, F., Cao, Y., Huang, Y., and Xie, X. (2021). Fedgnn: Federated graph neural network for privacy-preserving recommendation. arXiv.","DOI":"10.1038\/s41467-022-30714-9"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Xu, K., Li, Y., Li, Y., Xu, L., Li, R., and Dong, Z. (2023). Masked graph neural networks for unsupervised anomaly detection in multivariate time series. Sensors, 23.","DOI":"10.3390\/s23177552"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3687468","article-title":"A compact vulnerability knowledge graph for risk assessment","volume":"18","author":"Yin","year":"2024","journal-title":"ACM Trans. Knowl. Discov. Data"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"1850","DOI":"10.1109\/TSP.2022.3163626","article-title":"Learning decentralized wireless resource allocations with graph neural networks","volume":"70","author":"Wang","year":"2022","journal-title":"IEEE Trans. Signal Process."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"15051","DOI":"10.1109\/TNNLS.2023.3283523","article-title":"Challenges and opportunities in deep reinforcement learning with graph neural networks: A comprehensive review of algorithms and applications","volume":"35","author":"Munikoti","year":"2023","journal-title":"IEEE Trans. Neural Netw. Learn. Syst."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"35","DOI":"10.1007\/s11280-024-01275-2","article-title":"A heterogeneous graph-based semi-supervised learning framework for access control decision-making","volume":"27","author":"Yin","year":"2024","journal-title":"World Wide Web"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Vrahatis, A.G., Lazaros, K., and Kotsiantis, S. (2024). Graph attention networks: A comprehensive review of methods and applications. Future Internet, 16.","DOI":"10.3390\/fi16090318"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Hajibabaee, P., Malekzadeh, M., Heidari, M., Zad, S., Uzuner, O., and Jones, J.H. (2021, January 27\u201330). An empirical study of the graphsage and word2vec algorithms for graph multiclass classification. Proceedings of the 2021 IEEE 12th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), Vancouver, BC, Canada.","DOI":"10.1109\/IEMCON53756.2021.9623238"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"1230593","DOI":"10.1155\/2021\/1230593","article-title":"A reliable network intrusion detection approach using decision tree with enhanced data quality","volume":"2021","author":"Guezzaz","year":"2021","journal-title":"Secur. Commun. Netw."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"109860","DOI":"10.1016\/j.compeleceng.2024.109860","article-title":"Optimizing random forests to detect intrusion in the Internet of Things","volume":"120","author":"Majidian","year":"2024","journal-title":"Comput. Electr. Eng."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"23615","DOI":"10.1007\/s11042-023-14795-2","article-title":"An efficient network intrusion detection model for IoT security using K-NN classifier and feature selection","volume":"82","author":"Guezzaz","year":"2023","journal-title":"Multimed. Tools Appl."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"5156","DOI":"10.1007\/s11227-018-2413-7","article-title":"NBC-MAIDS: Na\u00efve Bayesian classification technique in multi-agent system-enriched IDS for securing IoT against DDoS attacks","volume":"74","author":"Mehmood","year":"2018","journal-title":"J. Supercomput."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Alqahtani, M., Mathkour, H., and Ben Ismail, M.M. (2020). IoT botnet attack detection based on optimized extreme gradient boosting and feature selection. Sensors, 20.","DOI":"10.3390\/s20216336"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"3392","DOI":"10.1007\/s11227-022-04783-y","article-title":"An improved anomaly detection model for IoT security using decision tree and gradient boosting","volume":"79","author":"Douiba","year":"2023","journal-title":"J. Supercomput."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Hamidouche, M., Popko, E., and Ouni, B. (2023, January 7\u201310). Enhancing iot security via automatic network traffic analysis: The transition from machine learning to deep learning. Proceedings of the 13th International Conference on the Internet of Things, Nagoya, Japan.","DOI":"10.1145\/3627050.3627053"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"106529","DOI":"10.1016\/j.knosys.2020.106529","article-title":"Apply transfer learning to cybersecurity: Predicting exploitability of vulnerabilities by description","volume":"210","author":"Yin","year":"2020","journal-title":"Knowl.-Based Syst."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"99837","DOI":"10.1109\/ACCESS.2022.3206425","article-title":"CNN-LSTM: Hybrid deep neural network for network intrusion detection system","volume":"10","author":"Halbouni","year":"2022","journal-title":"IEEE Access"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"62722","DOI":"10.1109\/ACCESS.2022.3176317","article-title":"Design and development of RNN anomaly detection model for IoT networks","volume":"10","author":"Ullah","year":"2022","journal-title":"IEEE Access"},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"2330","DOI":"10.1109\/JIOT.2022.3211346","article-title":"An enhanced AI-based network intrusion detection system using generative adversarial networks","volume":"10","author":"Park","year":"2022","journal-title":"IEEE Internet Things J."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"122401","DOI":"10.1109\/ACCESS.2024.3451726","article-title":"Intrusion detection in IoT systems using denoising autoencoder","volume":"12","author":"Alrayes","year":"2024","journal-title":"IEEE Access"},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"684","DOI":"10.1109\/TNSM.2022.3213807","article-title":"Flow topology-based graph convolutional network for intrusion detection in label-limited IoT networks","volume":"20","author":"Deng","year":"2022","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_41","unstructured":"Zhang, L., Tan, L., Shi, H., Sun, H., and Zhang, W. (2023, January 6\u20138). Malicious Traffic Classification for IoT based on Graph Attention Network and Long Short-Term Memory Network. Proceedings of the 2023 24st Asia-Pacific Network Operations and Management Symposium (APNOMS), Sejong, Republic of Korea."},{"key":"ref_42","first-page":"1025","article-title":"Inductive representation learning on large graphs","volume":"30","author":"Hamilton","year":"2017","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Lo, W.W., Layeghy, S., Sarhan, M., Gallagher, M., and Portmann, M. (2022, January 25\u201329). E-graphsage: A graph neural network based intrusion detection system for iot. Proceedings of the NOMS 2022-2022 IEEE\/IFIP Network Operations and Management Symposium, Budapest, Hungary.","DOI":"10.1109\/NOMS54207.2022.9789878"},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"110495","DOI":"10.1016\/j.comnet.2024.110495","article-title":"Applying self-supervised learning to network intrusion detection for network flows with graph neural network","volume":"248","author":"Xu","year":"2024","journal-title":"Comput. Netw."},{"key":"ref_45","unstructured":"Sarhan, M., Layeghy, S., Moustafa, N., and Portmann, M. (2020, January 11). Netflow datasets for machine learning-based network intrusion detection systems. Proceedings of the Big Data Technologies and Applications: 10th EAI International Conference, BDTA 2020, and 13th EAI International Conference on Wireless Internet, WiCON 2020, Virtual. Proceedings 10."},{"key":"ref_46","first-page":"1938","article-title":"A brief study of wannacry threat: Ransomware attack 2017","volume":"8","author":"Mohurle","year":"2017","journal-title":"Int. J. Adv. Res. Comput. Sci."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"100818","DOI":"10.1016\/j.iot.2023.100818","article-title":"A new concatenated multigraph neural network for IoT intrusion detection","volume":"22","author":"Altaf","year":"2023","journal-title":"Internet Things"},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Manoharan, P., Yin, J., Wang, H., Zhang, Y., and Ye, W. (2023). Insider threat detection using supervised machine learning algorithms. Telecommunication Systems, Springer.","DOI":"10.1007\/s11235-023-01085-3"},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Beaver, J.M., Borges-Hink, R.C., and Buckner, M.A. (2013, January 4\u20137). An evaluation of machine learning methods to detect malicious SCADA communications. Proceedings of the 2013 12th International Conference on Machine Learning and Applications, Miami, FL, USA.","DOI":"10.1109\/ICMLA.2013.105"},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"e4150","DOI":"10.1002\/ett.4150","article-title":"Network intrusion detection system: A systematic study of machine learning and deep learning approaches","volume":"32","author":"Ahmad","year":"2021","journal-title":"Trans. Emerg. Telecommun. Technol."},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Ngo, T., Yin, J., Ge, Y.F., Zhou, C., and Cao, J. (2024, January 8\u201310). Comparative Study of Machine Learning Algorithms for IoT Cyber Threat Detection in Healthcare Information Systems. Proceedings of the International Conference on Health Information Science, Hong Kong, China.","DOI":"10.1007\/978-981-96-5597-7_7"},{"key":"ref_52","doi-asserted-by":"crossref","first-page":"19379","DOI":"10.1109\/ACCESS.2025.3531691","article-title":"SViG: A Similarity-thresholded Approach for Vision Graph Neural Networks","volume":"13","author":"Elsharkawi","year":"2025","journal-title":"IEEE Access"}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/6\/499\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T17:52:52Z","timestamp":1760032372000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/6\/499"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,16]]},"references-count":52,"journal-issue":{"issue":"6","published-online":{"date-parts":[[2025,6]]}},"alternative-id":["info16060499"],"URL":"https:\/\/doi.org\/10.3390\/info16060499","relation":{},"ISSN":["2078-2489"],"issn-type":[{"value":"2078-2489","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,16]]}}}