WebWall: Zero-Day Attack Detection in Web Traffic Using Spatial Graph Neural Network

Abstract

With the continuous rise of web threats and the increasing growth and adaptability of HTTP/3 and ongoing HTTP/2, identifying malicious web traffic through intrusion detection systems is crucial to ensure network security and stability. Conventionally, signature-based intrusion detection systems (SIDS) are proven effective by researchers due to their high detection rate but fall short as these can only detect attacks whose signature is stored in the database. Zero-day attacks remain undetected by these IDS. In contrast, anomaly-based IDS (AIDS) can detect zero-day attacks; they suffer from a high false positive rate. Additionally, machine learning and deep learning approaches have gained significant attention in recent years. However, continuous updates are required in the training samples to make these models adaptable to dynamically changing environments. To fill these gaps, graph neural network-based intrusion detection systems (GNN-IDS) have become popular due to their capability of capturing and learning inter-dependencies of networks, which improve detection rates and reduce false positives and false negatives. Therefore, we propose WebWall, a graph-based intrusion detection system for the zero-day detection of malicious activities in the encrypted web traffic. We construct a graph with packet and flow level features extracted from bidirectional flows and apply the GraphSAGE to build our detection model. GraphSAGE generates low-dimensional vector embeddings of nodes for generating representations on previously unseen data without retraining the model. Our experimental results on the CICIDS2017 and CICIDS2018 datasets show that WebWall achieves {9 9. 9 5 %} and {9 9. 9 6 %} accuracy rates on both datasets. We also compared WebWall with four state-of-the-art methods and found that it performed better than other methods. © 2024 IEEE.