N-STGAT：Spatio-Temporal Graph Neural Network Based Network Intrusion Detection for Near-earth Remote Sensing

1. Introduction

Remote sensing technology has undergone rapid development in recent years. High-resolution satellite remote sensing technology has provided convenience for meteorology, terrain surveying, military, agriculture, and other fields [1,2]. However, satellite remote sensing has limitations in some remote sensing fields that require ultra-high precision and multimodal information due to distance and equipment constraints [3]. To address these issues, the development of Internet of Things (IoT)-based near-earth remote sensing technology has made significant progress. Near-earth remote sensing technology plays a crucial role in agriculture analysis, mining, water monitoring [4], and other fields. The near-earth remote sensing technology consists of a vertical structure as shown in Figure 1, which includes a large number of IoT devices [5], such as weather balloons, airplanes, drones, and sensors. These devices are connected to the base station via an IoT network and collect various remote sensing information, providing hardware support for subsequent data analysis. Figure 2 shows the deployment of near-earth remote sensing devices for monitoring crops in farmland.

The deployment of a large number of Internet of Things (IoT) devices is required for the near-ground remote sensing system, and most of these devices are outdoors, exposed to the elements, and unsupervised, which makes them vulnerable to physical or network-based intrusions. Once a remote sensing device is compromised, it may send incorrect data or attack other devices, causing problems for the near-earth remote sensing system. Therefore, it is essential to deploy a network intrusion detection system specifically designed for the near-ground remote sensing system.

A network intrusion detection system is a system that can quickly respond when an IoT device is invaded, and its core is a network intrusion detection method. There are mainly two types of network intrusion detection methods: feature-based detection and machine learning-based detection [6]. Feature-based detection methods require a pre-set of attack features, and the captured data packets are compared with these features. The accuracy of this detection method depends entirely on the set of features, and this method cannot respond well to new attacks. With the development and application of machine learning in recent years, machine learning-based detection methods have been developed. However, these methods directly use data flow information for identification [7-11]. Although these methods can effectively solve the problem of feature dependence and have good detection effects on new attacks, the identification accuracy is not high, and they are difficult to apply to practical networks. Recently, researchers have studied the newer subfield of machine learning, graph neural networks (GNNs), and proposed intrusion detection methods based on GNNs [6,12,13]. However, these methods have low identification accuracy in multi-classification tasks and cannot be effectively applied to near-Earth remote sensing systems.

Due to the fact that meteorological balloons, aircraft, drones, and other devices have their own operating systems, the near-Earth remote sensing system composed of these devices can provide more information. Therefore, this article considers the characteristics of the near-Earth remote sensing system and proposes a spatio-temporal graph attention network (N-STGAT) that considers the node status, applying spatio-temporal graph neural networks [14] to network intrusion detection in the near-Earth remote sensing system. To the best of our knowledge, this is the first time that spatio-temporal graph neural networks have been applied to network intrusion detection in the near-Earth remote sensing system.

The contributions of this article are as follows:

Expanding the latest IoT network intrusion detection dataset by incorporating the status of the node, which better reflects the situation of the near-Earth remote sensing system and enables better evaluation of the proposed method.

The article proposes for the first time the application of spatio-temporal graph neural networks to network intrusion detection in near-Earth remote sensing systems, and further improves the method to better align with the characteristics of near-Earth remote sensing systems, providing a new solution for network intrusion detection.

The proposed method is validated on the extended dataset and compared with some of the recent effective IoT network intrusion detection methods. The results show that the proposed method outperforms other methods.

The other chapters of this article are as follows: Chapter 2 introduces the research contents of various scholars in the field of network intrusion detection methods. Chapter 3 first briefly introduces some information about GNN and LSTM, and then explains how to extend the latest network intrusion detection dataset. Chapter 4 provides a detailed explanation of the proposed network intrusion detection system. Chapter 5 describes the experimental methods and results. Chapter 6 concludes the article.

2. Related Work

In recent years, many researchers have developed machine learning-based methods for network intrusion detection. However, most of these methods directly use data flow information for identification.

Casas et al. [15]. proposed an unsupervised network intrusion detection system called UNIDS, which employs a subspace clustering-based and multi-evidence accumulation-based unsupervised outlier detection method to detect unknown network attacks. It does not require the use of any features, labeled traffic, or training to detect various types of network attacks, such as DoS/DDoS, probing attacks, worm propagation, buffer overflow, illegal access to network resources, etc. The proposed method's effectiveness was demonstrated through experiments using KDD99 and real traffic data from two operational networks. However, the KDD99 dataset is quite old and may not reflect the attack characteristics present in modern IoT networks.

In [16], authors proposed a hybrid anomaly mitigation framework for IoT using fog computing to ensure faster and accurate anomaly detection. The framework employs signature- and anomaly-based detection methodologies for its two modules, respectively. The BoT-IoT dataset was used for experimentation and the effectiveness of the proposed method was ultimately validated. Results showed accuracy of 99% in binary and multi-class classification problems, with at least 97% average recall, average precision, and average F1 score.

The two methods mentioned above use traditional machine learning techniques for network intrusion detection, such as decision trees, MDAE, LSTM, random forests, and XGBoost. These methods directly train on the dataset without considering the graph topology information, resulting in each training data being relatively singular and unable to fully explore the information in each data. Therefore, these methods have limited capability in detecting complex network attacks, such as Botnet attacks [17], distributed port scans [18] or DNS Amplification attacks [19], which require a more global network view and traffic.

Leichtnam et al. [20]. introduced a unique graph representation called security objects' graphs that linked events of different kinds and allowed for a rich description of the analyzed activities. They proposed an unsupervised learning approach based on auto-encoders to detect anomalies in these graphs. The authors hypothesized that auto-encoders could build a relevant model of the normal situation based on the rich vision provided by security objects' graphs. To validate their approach, they applied it to the CICIDS2017 dataset and showed that their unsupervised method performed as well as, or even better than, many supervised approaches.

Due to the good performance of GNN on graph-structured data and the fact that a network is a natural graph, in recent years, some scholars have applied GNN to intrusion detection systems.

Wai Weng Lo et al. [6]. proposed the E-GraphSAGE architecture based on GraphSAGE, which allows capturing the edge features and topology information of the graph for network intrusion detection in the Internet of Things. Experiments on four latest NIDS benchmark datasets show that the method has achieved very good effects on binary classification problems, but not on multi-classification problems. When constructing the graph, this method directly uses the ip address and port of the network flow as nodes and the network flow as edges. When this method uses GraphSAGE for neighborhood aggregation, it may cause some neighborhoods to be aggregated multiple times and the whole neighborhood to be aggregated, which will affect the identification accuracy.

Cheng Q et al. [12]. proposed an Alert-GCN framework that uses graph convolutional networks (GCN) to associate alerts coming from the same attack for the prediction of the alert system. Then adopted the DARPA99 data set for experiments, achieving good results in the experiment. However, this method used a custom similarity method to define the edges in the graph when constructing an alarm-related graph, which will cause the neighbors of any node in the graph to be highly similar to themselves. This article recognizes that the graph constructed by this method will cause overfitting in the graph neural network.

Evan Caville et al. [13]. proposed an intrusion and anomaly detection method called Anomal-E based on E-GraphSAGE, which utilized edge features and graph topology in a self-supervised process. Then, they validated the proposed method using the NF-UNSW-NB15-v2 and NF-CSE-CIC-IDS2018-v2 datasets. Ultimately, they achieved results with at least 97.5% accuracy and at least 92% F1-Score. Additionally, the article was the first to apply a self-supervised graph neural network solution to network intrusion detection.

Although the above method applies graph neural networks to network intrusion detection, it does not take into considering the characteristics of the remote sensing system, node status, and temporal information. Therefore, this article combines GAT and LSTM to better utilize the spatial information of the graph and the temporal information of the data flow, increasing the reliability of network intrusion detection.

3. Background

This article argues that when identifying data flows, the state of the nodes should be considered simultaneously. When a network attack occurs, the state of the attacking node is significantly different from that of a normal node. Therefore, considering the state of the nodes is very beneficial for identifying attacks. In addition, identifying attacks should also consider the topological relationship between data flows and the temporal information of data flows.

Intrusion detection systems are generally deployed at the entry point in order to detect network intrusions. However, with the development of the IoT, more and more networks are structured as shown in Figure 3, which this article refers to as an "IoT domain". Such IoT domains are increasingly prevalent in industrial IoT systems, such as those used by companies like Apple, Huawei, and Xiaomi. Most of the devices in an IoT domain are monitored by a central server, which can obtain information about the status of the nodes. This situation is similar to that of a ground-based remote sensing system based on the IoT. As the situation where certain nodes within a domain are controlled to attack other nodes becomes more and more common, intrusion detection systems need to be deployed at the exit points of the domain to detect attacks on nodes.

3.1. GNN and LSTM

3.1.1. GNN

GNNs are a new type of neural network specifically designed to handle the properties of graphs. In recent years, GNNs have been widely applied in graph processing [21], networking [22], intelligent transportation [23], recommendation systems [24], and distributed computing [25], among other fields. A key feature of GNNs is that they can process non-Euclidean data and utilize topological structure data through message passing. When identifying nodes in a graph, GNNs can aggregate the data features of neighboring nodes, allowing them to influence each other [26]. This process is called embeddings [27]. There are many different types of GNNs, among which Graph Attention Network (GAT) [28], Graph Convolutional Network (GCN) [29], and GraphSAGE [30] are particularly popular among researchers.

GAT (Graph Attention Networks) is a type of graph neural network that incorporates attention mechanism to aggregate neighborhood nodes by computing attention coefficients. This enables GAT to capture the influence of different nodes within the neighborhood. GAT has two core components: computing the attention coefficients ${\alpha }_{ij}$ and the hidden layer features ${\overrightarrow{v}}_i^{\mathrm{\text{'}}}$ of nodes.

GAT is a type of graph neural network that incorporates attention mechanism to aggregate neighborhood nodes by computing attention coefficients. This enables GAT to capture the influence of different nodes within the neighborhood. GAT has two core components: computing the attention coefficients ${\alpha }_{ij}$ and the hidden layer features ${\overrightarrow{v}}_i^{\mathrm{\text{'}}}$ of nodes.

The calculation process for the attention coefficients ${\alpha }_{ij}$ between neighboring nodes is shown in Figure 4(a). The original GAT article mentions two types of neighborhoods: node neighbors (nodes directly connected to the current node) and full neighborhood (all nodes). In this article, we use node neighbors as the neighborhood to prevent the aggregation of a large amount of neighborhood node information that may cause the features to become blurry. Using node neighbors can also reduce time and space complexity. The calculation formula is:

$${\alpha }_{ij}=\frac{\mathrm{e}\mathrm{x}\mathrm{p}\left(\mathrm{L}\mathrm{e}\mathrm{a}\mathrm{k}\mathrm{y}\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}\left({\overrightarrow{a}}^T\left[\mathrm{W}{\overrightarrow{v}}_i\left|\right|\mathrm{W}{\overrightarrow{v}}_j\right]\right)\right)}{\sum _{k\in {\mathcal{N}}_i}\mathrm{e}\mathrm{x}\mathrm{p}\left(\mathrm{L}\mathrm{e}\mathrm{a}\mathrm{k}\mathrm{y}\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}\left({\overrightarrow{a}}^T\left[\mathrm{W}{\overrightarrow{v}}_i\left|\right|\mathrm{W}{\overrightarrow{v}}_k\right]\right)\right)}$$

(1)

$a$ is a single-layer feedforward neural network, which is parameterized by a weight vector $\overrightarrow{a}\in {\mathbb{R}}^{2F^{\mathrm{\text{'}}}}$, $\mathrm{W}\in {\mathbb{R}}^{2F^{\mathrm{\text{'}}}\times F}$ is a shared linear transformation matrix, $\mathrm{L}\mathrm{e}\mathrm{a}\mathrm{k}\mathrm{y}\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}$ is a nonlinear function, and ${\mathcal{N}}_i$ is the neighbor node of node $i$. The equation finally uses a $softmax$ function for normalization.

The calculation process of hidden layer features ${\overrightarrow{v}}_i^{\mathrm{\text{'}}}$ is shown in Figure 4(b). The calculation formula is:

$${\overrightarrow{v}}_i^{\mathrm{\text{'}}}=\sigma \left(\frac{1}{K}\sum _{k=1}^K\sum _{j\in {\mathcal{N}}_i}{\alpha }_{ij}^k{\mathrm{W}}^k{\overrightarrow{v}}_j\right)$$

(2)

$\sigma$ is a nonlinear function. Since GAT uses a multi-head attention mechanism, K represents the number of attention heads.

3.1.2. LSTM

LSTM is a special type of recurrent neural network (RNN) architecture used for processing and predicting sequence data [31]. It uses gate mechanisms to better capture long-term dependencies in time series data, making it perform better in handling such data. An LSTM network consists of a series of LSTM cells, each of which contains an input gate, a forget gate, and an output gate. The input gate and forget gate are used to control the flow of information, with the input gate determining which information should be updated in the memory cell and the forget gate deciding which information should be discarded from the memory cell. The output gate determines how much influence the memory cell should have on the current output. The core cell unit of LSTM is shown in Figure 5.

3.2. Datasets

In order to describe the proposed method more clearly, it is necessary to first introduce the datasets used in this article. The datasets used in this article are NF-BoT-IoT-v2 and NF-ToN-IoT-v2[32], and their descriptions are shown in the following table:

Table 1. Basic information of the datasets.

Dataset	Release year	No. Classes	No. features	No. data	Benign ratio
NF-BoT-IoT-v2	2021	5	43	37,763,497	0.0 to 10.0
NF-ToN-IoT-v2	2021	10	43	16,940,496	3.6 to 6.4

Table 1. Basic information of the datasets.

Dataset	Release year	No. Classes	No. features	No. data	Benign ratio
NF-BoT-IoT-v2	2021	5	43	37,763,497	0.0 to 10.0
NF-ToN-IoT-v2	2021	10	43	16,940,496	3.6 to 6.4

These two datasets are improved based on the original datasets BoT-IoT [33] and ToN-IoT [34], where the network data is integrated in a stream fashion to make a complete network behavior.

The features in the aforementioned datasets are referred to as flow features, denoted as FI in this article. As the article requires the node status information, 14 additional features were added to these two datasets based on the original datasets, including:

This article refers to the features in Table 2 as node features, denoted as NI. With the above fields, the dataset is expanCded into two parts, with a total of 57 fields.

4. Method Description

4.1. Problem Definition

Suppose there are $n$ nodes in a near-earth sensing system, defined as $N_1,N_2,\dots \dots ,N_n$. The data flows sent by each node are defined in chronological order as $v_i^k(i\left[1,n\right],k[1,\mathrm{\infty }\left)\right)$, where $k$ is the sequential number of the data flow.. The purpose of this article is to identify the attack type $r_i^k$ of the data flow $v_i^k$ sent by node $N_i$, as shown in Figure 6.

To solve the aforementioned issues, this article proposes the N-STGAT network intrusion detection system. As the goal of this article is to solve network intrusion detection problems in time series, a spatiotemporal graph neural network combining GAT and LSTM is used, which has good performance in identifying data flows with spatiotemporal sequences.

Figure 7 illustrates the system flow of N-STGAT. First, the extended dataset is preprocessed, and then $\mathcal{G}$ for training and ${\mathcal{G}}_{test}$ for testing are generated based on the graph construction rules. Then, the $\mathcal{G}$ is fed into the training process of N-STGAT to obtain a trained model. Finally, the ${\mathcal{G}}_{test}$ is input into the model for data flow classification.

4.2. Pre-processing and Graph Construction

To input the training data into GAT, the dataset needs to be transformed into a graph structure. Before constructing the graph, the dataset needs to be formatted to seamlessly apply to GAT. The flow-based dataset is collected through network monitoring tools, which capture and save packets that pass through nodes, switches, and routers. Then, the data packets are aggregated into flows using analysis tools. These datasets contain a wealth of important network information, including source and destination IP addresses, source and destination ports, byte counts, and other useful packet information. However, there are many data formats in the dataset that cannot be directly used for training, such as enumeration type, null value, and invalid value. Figure 8 shows the data processing process.

The dataset is grouped by the source IP address and each group is sorted by the time sequence of the data flows. In this way, the dataset is composed of thousands of chains of data flows. The data from time $t$ to $(t+7t_s/10)$ is selected as the training dataset, and the data from $t_{test}$ to $(t_{test}+3t_s/10)$ is selected as the testing dataset, as shown in Figure 6. Useless features such as IP addresses and ports are removed. There are also some invalid and empty values in the dataset, which are set to 0. Since the values of some fields in the dataset have a large range, quantification is needed. Finally, the remaining fields are normalized using L2 normalization.

Once the datasets for training and testing are selected, it is necessary to build graphs based on specific rules. Graph construction is done to find neighbors for nodes, so knowing the neighbor-finding process for one node is enough to construct the entire graph. The process of finding neighbors for nodes can be divided into two parts: finding neighborhood ${\mathcal{B}}_i$ for node $N_i$ and finding neighborhood ${\mathcal{N}}_i^k$ for node $v_i^k$.

${\mathcal{B}}_i$ is obtained using the cosine similarity with the NI field of the dataset as shown in formula (3). The method is as follows: assuming the time when $v_i^k$ exists is $t_i^k$, and the latest node before time $t_i^k$ for any $N_j$ is $v_j^{lt}$, calculate the cosine similarity ${\cos \left(\theta \right)}_{ij}^{klt}$ between $v_i^k$ and $v_j^{lt}$, if ${\cos \left(\theta \right)}_{ij}^{klt}$ is greater than 0.7, then add $N_j$ to ${\mathcal{B}}_i$. Here, $x_i$ represents the i-th feature value in $v_i^k$'s NI field, and $y_i$ represents the i-th feature value in $v_j^{lt}$'s NI field.

$$\cos \left(\theta \right)=\frac{\sum _{i=1}^n\left(x_i{y}_i\right)}{\sqrt{\sum _{i=1}^n{\left(x_i\right)}^2}\sqrt{\sum _{i=1}^n{\left(y_i\right)}^2}}$$

(3)

In ${\mathcal{B}}_i$, all nodes $v_j^l$ (including $v_i^k$) within ($t_i^k-\Delta t)$ to $t_i^k$ are neighbors of $v_i^k$, and these nodes form the neighborhood ${\mathcal{N}}_i^k$ of $v_i^k$. Then, connect A and C to form an edge E, which is a directed edge from $v_i^k$ to $v_j^l$. In this article, $\Delta t$ is set to 3s when constructing the graph using the method described above, resulting in the graph structure shown in formula (4).

$$\begin{gathered} V=v_i^k i\left[1,n\right] ,k[1,\mathrm{\infty }) \\ E={\mathrm{e}}_{ij}^{kl} l\left[t_i^k-\Delta t,t_i^k\right],\mathrm{j}{\mathcal{N}}_i^k \\ \mathcal{G}\leftarrow V,E \end{gathered}$$

(4)

4.3. N-STGAT Training

Because the dataset contains two labels, “Label”and “Attack”. The “Label”indicates whether the data flow is an attack or not, while the “Attack”label defines the type of the data flow. Therefore, the labels can be used for binary and multi-class classification training.

N-STGAT is described in Algorithm 1, and the pseudocode shows the process of integrating GAT and LSTM. In lines 3 to 6, GAT is used to calculate the hidden layer feature ${\overrightarrow{v}}_i^{k\mathrm{\text{'}}}$. Then, in line 7, ${\overrightarrow{v}}_i^{k\mathrm{\text{'}}}$ is assigned to $x_i^k$ to participate in the LSTM calculation process. Lines 8 to 13 represent the LSTM calculation process. Finally, in line 16, the output C of LSTM is fed into a fully connected layer to obtain the final recognition result $r_i^k$.

Algorithm 1: Pseudocode of the N-STGAT algorithm.
Input: $\mathcal{G}(V,E$) node features ${\overrightarrow{v}}_i^k$; GAT weight matrices $W$; non-linearity $\sigma$; LSTM weight matrices $W_f , W_l , W_C , W_o , b_f , b_l , b_C , b_o$; LSTM initialization $C^0 , h^0$
Output: node features $r_i^k$;
1	for $i$=1 to $n$ do
2	for$k=1$ to length($N_i$) do
3	for$j=1$ to length(${\mathcal{N}}_i^k$) do
4	${\alpha }_i^{kj}=\frac{{\cos \left(\theta \right)}_i^{kj}\left(\exp \left(\mathrm{L}\mathrm{e}\mathrm{a}\mathrm{k}\mathrm{y}\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}\left({\overrightarrow{a}}^T\left[W{\overrightarrow{v}}_i^k\left|\right|W{\overrightarrow{v}}^j\right]\right)\right)\right)}{\sum _{s\in {\mathcal{N}}_i}{\cos \left(\theta \right)}_i^{ks}\left(\exp \left(\mathrm{L}\mathrm{e}\mathrm{a}\mathrm{k}\mathrm{y}\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}\left({\overrightarrow{a}}^T\left[W{\overrightarrow{v}}_i^k\left|\right|W{\overrightarrow{v}}^s\right]\right)\right)\right)}$
5	end
6	${\overrightarrow{v}}_i^{k\text{'}}=\sigma \left(\sum _{s\in {\mathcal{N}}_i}{\alpha }_i^{ks}\mathrm{W}{\overrightarrow{v}}^s\right)$
7	$x_i^k\leftarrow {\overrightarrow{v}}_i^{k\text{'}}$
8	$f_i^k=\sigma (W_f·\left[h_i^{k-1} , x_i^k\right]+b_f)$
9	$l_i^k=\sigma (W_l·\left[h_i^{k-1} , x_i^k\right]+b_l)$
10	${\tilde{C}}_i^k=tanh(W_C·\left[h_i^{k-1} , x_i^k\right]+b_C)$
11	$C_i^k=f_i^k* C_i^{k-1}+l_i^k* {\tilde{C}}_i^k$
12	$o_i^k=\sigma (W_o·\left[h_i^{k-1} , x_i^k\right]+b_o)$
13	$h_i^k=o_i^k*\mathrm{t}\mathrm{a}\mathrm{n}\mathrm{h}\left(C_i^k\right)$
14	end
15	end
16	$r_i^k=FC\left(h_i^k\right)$ //FC is fully connected layers

The algorithm uses only one layer of GAT model instead of multiple layers because multiple layers can make the features blur and not conducive to recognition. Specifically, we add the cosine similarity ${\cos \left(\theta \right)}_i^{kj}$ between two nodes as a constraint to the calculation of attention coefficients in the attention coefficient calculation process in the 4th line, so that the graph information constructed in 4.2 can be better expressed.

For each dataset mentioned in the experiments, we conducted experiments with the hyperparameters shown in Table 3 to obtain the best training model. As mentioned above, we used a single-layer GAT model instead of a multi-layer one. To better represent node features, we expanded the original 53 features to 256 hidden layer features. GAT supports multi-head attention, but in this case, we only used single-head attention since we introduced cosine similarity as a constraint for attention coefficient calculation. We used ReLU as the activation function and did not use dropout rate. Cross-Entropy function was used to calculate the training loss, and Adam was used for backpropagation optimization with a learning rate set to 0.002.

4.4. N-STGAT Detection

In the previous section, the N-STGAT model $\mathcal{M}$ was obtained through model training. In the detection task, the test graph ${\mathcal{G}}_{test}$ is input into the model $\mathcal{M}$. The 16th line of Algorithm 1 uses a fully connected layer to recognize the specific classification. Whether it is a binary or multi-classification problem, the softmax function is used to calculate the classification in the final layer of the fully connected layer to obtain the exact classification result.

5. Experimental Evaluation

5.1. Evaluation Metrics

To evaluate the performance of N-STGAT, experiments were conducted using the datasets mentioned in Section 3.2. Due to the large size of these datasets, 10% of the datasets were selected using the method described in Section 4.2 for experimentation, with 70% of the experimental dataset used for training and 30% used for testing. Since only a portion of the dataset was used for experimentation, experiments were conducted multiple times for each algorithm and each dataset

In the experiments, the proposed method was compared with graph neural network-based methods (GAT, E-ResGAT, Anomal-E) and traditional machine learning methods (SVM, Random Forest). Therefore, evaluation metrics as shown in Table 4 were used to assess the performance of all methods. TP, FP, FN, and TN represent True Positive, False Positive, True Negative, and True Negative in the Confusion Matrix, respectively. These evaluation metrics provide a comprehensive comparison of the superiority of the proposed method.

5.2. Result

In the experiments, the accuracy and loss changes during the training process were first recorded, and then the recognition results for both binary and multi-class classification were evaluated based on the performance metrics in Section 5.1.

5.2.1. Loss and Accuracy Comparison in Training

The training accuracy changes for multi-class classification on different datasets are shown in Figure 10. The training accuracy of dataset NF-BoT-IoT-v2 quickly reached 90% before 20 epochs and remained stable above 95% after 100 epochs. Its validation accuracy was lower than the training accuracy throughout the entire training process, but also stabilized above 92% in the end. The training accuracy of dataset NF-ToN-IoT-v2 was slightly lower than that of dataset NF-BoT-IoT-v2, with continuous growth before 600 epochs and stability above 93% after 700 epochs. Its validation accuracy was also lower than the training accuracy throughout the entire training process, but stabilized above 90% in the end.

The cross-entropy loss during the training process for multi-classification on different datasets is shown in Figure 11. For the dataset NF-BoT-IoT-v2, the training loss rapidly decreased to 0.6 before 100 epochs and stabilized around 0.4 after 200 epochs. The validation loss was higher than the training loss throughout the training process, but also stabilized at around 0.7 in the end. For the dataset NF-ToN-IoT-v2, the training loss was slightly worse than that of NF-BoT-IoT-v2, and it continued to decrease before 600 epochs and then stabilized at 0.4 after 700 epochs. The validation loss was higher than the training loss throughout the training process but also stabilized at 0.6 in the end.

5.2.2. Binary Classification Results

The results of the binary classification experiment using the “Label” label of the dataset is shown in Table 5. In the binary classification task, the proposed method in this article outperforms the other 5 methods in terms of recall and accuracy, indicating that the proposed method has a better recognition accuracy. Additionally, the proposed method also performs well in precision, with results only 0.4% lower than E-GraphSAG in the NF-ToN-IoT-v2 dataset but higher than the other 5 methods. In terms of F1-score, the proposed method outperforms the other 5 methods, indicating better stability of the proposed method.

5.2.3. Multiclass Classification Results

The results of the multi-class classification experiment using the “Attack” label of the dataset are shown in Table 6 and Table 7. It can be seen from the results that the proposed method has superiority in multi-class problems, with high recognition rates for each category of different datasets. On the NF-BoT-IoT-v2 dataset, the proposed method has a 3.53% - 20.49% improvement in Weighted Recall and 8.03% - 23.16% improvement in Weighted F1-Score compared to other methods. On the NF-ToN-IoT-v2 dataset, the proposed method has a 4.05% - 18.69% improvement in Weighted Recall and 7.17% - 17.78% improvement in Weighted F1-Score compared to other methods.

6. Conclusions

This article proposes a spatio-temporal graph attention network (N-STGAT) that considers node states and applies it to network intrusion detection in near-Earth remote sensing systems. A method is proposed for constructing graphs based on node state and the temporal characteristics of data flow, where data flow are viewed as nodes in the graph, and edges between nodes are constructed based on cosine similarity and time series features. A spatio-temporal graph neural network combining GAT and LSTM is applied to intrusion detection systems. Finally, experiments are conducted using the latest flow-based network intrusion detection dataset, and the proposed method is compared with existing methods to demonstrate its superiority and feasibility.