Analyzing the Semantic Structure of Network Flow: A Threat Detection Method With Independent Generalization Capabilities

Network threat detection and identification remain fundamental tasks in cyberspace defence. Existing graph-based detection methods exhibit limited capabilities in transformability and independence, necessitating a redefinition of network behaviour to enhance their applicability in scenarios such as unknown threat discovery and low sample detection. In response to these challenges, we propose a fine-grained threat detection method based on flow semantic structure, with independent generalization capabilities, to refine the definition of flow and behaviour representation in data analysis. By constructing a semantic association topology map for each flow, the proposed method utilizes behavioural data structure information to extract semantic structure features independently. Subsequently, it aggregates updated graph node information into flow-level semantic embeddings, facilitating behaviour prediction. The final evaluation results show that this method outperforms existing state-of-the-art models, achieving detection accuracies of 97.86%, 95.76%, and 99.62% on three publicly datasets, respectively. In addition, the evaluation through simulating real threat detection environments at different concentrations shows that this method can still maintain a high detection rate with a small amount of data involved in training, and has certain generalization ability for new samples.