GAT-AD: Graph Attention Networks for contextual anomaly detection in network monitoring

Abstract

Network anomaly detection is essential to promptly detect and fix issues in the network. Particularly, detecting traffic anomalies enables the early detection of configuration errors, malicious activities, or equipment malfunctions that could lead to severe impact on the network. In this paper, we present GAT-AD, a Deep Learning-based anomaly detection solution for network monitoring systems, which integrates a custom neural network model based on Graph Attention Networks (GAT). Our solution monitors aggregated traffic on origin–destination flows and automatically defines contexts that group flows with similar past activity. The neural network model within GAT-AD can be efficiently trained in a self-supervised manner. We evaluate our solution against two state-of-the-art anomaly detection baselines also based on graph representations and Deep Learning, in two different datasets: $\left(i\right)$ WaDi, which is a well-known dataset for anomaly detection in a distributed sensor network, and $\left(ii\right)$ Abilene, where we inject synthetically-generated anomalies into a dataset with real-world traffic from a large-scale backbone network. The results show that GAT-AD outperforms the two anomaly detection baselines: in WaDi by 14.1% in recall and 10.07% in F1-score, and in the Abilene dataset by $\approx$17.5% recall with respect to the best baseline.