Practical Cyber Attack Detection With Continuous Temporal Graph in Dynamic Network System
IEEE Transactions on Information Forensics and Security (IF 6.8). Pub Date: 2024-04-04. DOI: 10.1109/tifs.2024.3385321
Guanghan Duan, Hongwu Lv, Huiqiang Wang, Guangsheng Feng, Xiaoli Li
Deep learning (DL) greatly enhances cyber anomaly detection capabilities through effective statistical network characteristics. However, previous methods have not fully addressed two real-world, scenario-driven challenges. 1) Frequent node access and disconnection originating from free-bounded 5G/B5G cyberspace introduce unfamiliar communication behavior patterns, reducing the detection ability of the pre-trained DL model. 2) Low-frequency or sporadic communication behaviors lack stable patterns, posing a challenge for existing AI-driven models, including DL-based detection methods. To address these issues, we propose a cyber anomaly detection framework based on a Continuous Temporal Graph (CTG) neural network, taking a new interaction-centered perspective. The proposed framework refines the concrete information interactions between network entities into the CTG evolution process, thereby naturally incorporating new node access behaviors into feature extraction on the CTG neural network. We furthermore present a message aggregation scheme on the CTG that fuses the spatio-temporal neighborhood, the actual time distribution and the historical state, thus transforming communication into a more stable pattern for learning low-frequency interactions. Extensive experiments on 4 novel datasets (ToN-IoT, UNSWNB15, CIC-Dark2020 and J.P. Morgan payment) demonstrate that our approach outperforms state-of-the-art methods, particularly in detecting new access and low-frequency behaviors.

Updated: 2024-04-04