GRAFFITO-IDS: A Graph-based Algorithm for Feature Enrichment on Online Intrusion Detection Systems

2022 6th Cyber Security in Networking Conference (CSNet) (2022)

Abstract
The increasing number of connected devices needed to provide the required ubiquity of the Internet of Things and the massive machine-type communications of 5G and beyond pave the way for distributed denial-of-service attacks at an unprecedented scale. Graph theory, strengthened by machine-learning techniques, improves the automatic discovery of group behavior patterns of network threats often missed by traditional security systems. This paper proposes an intrusion detection system for online threat detection enriched by a graph-based analysis. We develop a feature enrichment algorithm that infers metrics from a graph modeling of a time-windowed set of samples and incorporates them into the original set prior to classification. Using different learning techniques, we evaluated our proposed system on three network datasets: real traffic from a Brazilian network operator, synthetic traffic produced in the GTA/UFRJ lab, and a realistic, publicly available botnet dataset. Results show that the proposed graph-based enrichment improves threat detection accuracy by up to 15.7% and significantly reduces the number of false negatives and false positives.
Keywords
Online intrusion detection, graph analysis, network security, machine learning, feature enrichment