Self-Supervised Learning of Graph Representations for Network Intrusion Detection

We thank the reviewer for the valuable feedback and address each point below.

---

1. Handling sudden changes in normal network behavior

This limitation is acknowledged in Section 5, where we note that GraphIDS assumes relatively stable benign behavior and that abrupt changes may lead to increased false positives or missed detections. We also mention online learning as a promising strategy to address this.

To make this limitation and its implications more prominent, we will emphasize this point more clearly in the revised version and expand the discussion of potential adaptation strategies, such as adaptive thresholding or self-training on high-confidence samples.

We consider this an important direction for future work. A realistic evaluation of the robustness of these systems would require new datasets or experimental setups explicitly designed to reflect dynamic but benign network changes. While both UNSW-NB15 and CSE-CIC-IDS2018 include diverse traffic types and temporal segments, they do not specifically model sudden shifts in benign behavior. Therefore, while some variation is present, they are not ideally suited for studying online adaptation in the face of benign concept drift, and to the best of our knowledge, no existing network intrusion datasets have been designed with this specific goal in mind.

---

2. On GNN neighborhood size and masking ratio

Thank you for raising this important point.

Regarding neighborhood size, we explored various settings during the initial development phase. Preliminary results indicated that increasing the number of hops did not consistently improve performance, while substantially increasing training and inference runtime by up to 3$\times$, and using on average 24% more memory. This not only made extensive hyperparameter tuning impractical but also negatively impacted real-time latency, which is a critical aspect of intrusion detection. Based on these observations, we selected a 1-hop neighborhood as the default, though our implementation supports arbitrary n-hop configurations.

To rigorously validate this design choice, we conducted an ablation study comparing 1-hop, 2-hop, and 3-hop variants of GraphIDS under identical experimental conditions. As shown in the table below, the 1-hop configuration consistently delivers strong and stable performance across all datasets. While the 3-hop variant shows slightly higher scores on NF-CSE-CIC-IDS2018-v3, the differences are within the standard deviation and not statistically significant. In contrast, on other datasets, larger neighborhoods often lead to degraded or less stable performance. This suggests that increasing the receptive field may introduce noise from distant, less relevant nodes, diluting local information. Given the added computational overhead of multi-hop aggregation, these results support our choice of 1-hop as an effective and efficient default.

We will include the full results and discussion in the appendix of the revised manuscript and we thank the reviewer for prompting this investigation.

Regarding the masking ratio, the 15% value was chosen based on ablation experiments detailed in Appendix C.4 (in the supplementary material), where we evaluated ratios of 0%, 15%, 30%, 50%, and 70%. The 15% ratio consistently provided the best balance between performance and stability. To increase the visibility of this study we will clearly reference it in the main text.

---

3. Thresholding and use of labeled validation data

While GraphIDS is trained in a fully unsupervised manner using only benign data, employing a small labeled validation set to select the detection threshold is a standard evaluation practice in unsupervised anomaly detection literature (e.g., Anomal-E, DeepLog), allowing for consistent and rigorous comparison across methods using metrics like F1-score that depend on threshold choice.

We acknowledge this in Section 4.3 (Early Stopping) and consider it reasonable to assume access to a limited set of labeled data (e.g., simulated or manually annotated attacks) solely for threshold calibration in practical settings.

That said, GraphIDS can be deployed in a fully unsupervised setting. Our released code includes a simple thresholding method based on statistical assumptions about reconstruction errors. However, this approach has not been extensively tuned and typically yields lower performance compared to threshold selection using labeled validation data. To assess threshold-independent performance, however, we report PR-AUC as evaluation metric. Developing more robust unsupervised thresholding techniques remains an important direction for future work.

---

4. Resilience to evasion attempts

We agree that resilience to adversarial evasion attacks is an important concern. While comprehensive adversarial evaluation is beyond this paper's scope, GraphIDS has inherent properties that provide some evasion resistance. Attackers would need to simultaneously mimic benign flow patterns at the individual connection level and replicate legitimate network topology relationships. This structural mimicry is significantly more challenging than evading single-feature detectors. That said, we plan to investigate GraphIDS's robustness against such attacks in future work.

---

5. On Architectural Novelty and Practical Significance

While we build upon established components (GNNs, Transformers), our key contribution lies in the novel joint training paradigm specifically designed for network intrusion detection. Unlike GraphMAE (general node classification) or Anomal-E (which does not finetune E-GraphSAGE for the downstream task), we introduce the first unified architecture where GNN and Transformer components are jointly optimized under a shared reconstruction objective for network flow anomaly detection. Our performance improvements represent substantial practical value in network security, where accuracy gains directly translate to fewer missed attacks and reduced false alarms. This is, to our knowledge, the first demonstration that joint GNN-Transformer training significantly outperforms pipeline approaches in network intrusion detection.

---

6. On limited topological context and encrypted traffic

As acknowledged in Section 5, GraphIDS may be less effective in scenarios with limited topological context, such as single-host deployments. However, the UNSW-NB15 dataset represents a relatively small network with few hosts, yet GraphIDS still demonstrates strong performance, suggesting its robustness even in constrained settings. Regarding encrypted traffic, both datasets contain extensive encrypted flows (e.g., HTTPS, SSH). While payloads are inaccessible, NetFlow metadata (which is derived from packet headers) remains available and is unaffected by encryption. This allows GraphIDS to operate effectively on flow-level features, including in encrypted sessions.

---

We believe these clarifications, along with the new ablation studies we've conducted, further strengthen our contribution to the field.

We thank the reviewer for their feedback. Below, we respond to each point raised.

---

1. Encrypted traffic

Both the UNSW-NB15 and CSE-CIC-IDS2018 datasets include encrypted traffic. Specifically, this includes extensive HTTPS and SSH flows in CSE-CIC-IDS2018, and SSH and BitTorrent in UNSW-NB15. This has been confirmed through inspection of the raw PCAP files, which are openly available, using tools like Wireshark.

However, as our method operates on NetFlow/IPFIX features, which summarize metadata at the IP and transport layers (e.g., IP addresses, ports, protocols, flow durations, byte counts), the presence of encryption (at higher layers such as TLS) does not impact the feature availability. NetFlow-based approaches, by design, are agnostic to payload encryption. As such, our model is fully compatible with encrypted traffic scenarios, and its effectiveness is not contingent on visibility into packet payloads.

We will clarify in the paper that both datasets include encrypted traffic (e.g., HTTPS, SSH), and that our approach remains compatible due to its reliance on NetFlow metadata.

---

2. Training convergence in P2P environments

While our primary focus is on enterprise-like, common client-server architectures, we note that the UNSW-NB15 dataset used in our experiments includes BitTorrent traffic, which follows a P2P communication model. Therefore, our model has been partially evaluated in the presence of P2P flows.

While these scenarios may not fully reflect highly dynamic or homogeneous P2P networks, they do provide some exposure to non-hierarchical, non-client-server topologies. A more comprehensive analysis of model behavior under fully dynamic P2P environments remains an interesting direction for future work.

We will also add a clarification in the text noting the presence of BitTorrent traffic in the UNSW-NB15 dataset.

---

3. Clarity of methodological details

While the architecture and joint training process are described in the paper and fully available in the released code, we acknowledge that parts of the narrative may benefit from clearer exposition. Due to space constraints, we avoided extensive math or diagrams, but we agree that additional clarity would enhance reproducibility.

In a future revision, we will revise this section to more explicitly describe the masking and reconstruction steps to aid understanding.

---

4. Evaluation scope

NetFlow-based datasets with labeled attacks are limited in number, and the selected datasets are among the most comprehensive, widely used, and representative of real-world intrusion detection settings. Including encrypted traffic as well, we believe these choices are appropriate for evaluating the effectiveness of our proposed approach, which is intended for practical deployment in conventional network environments. However, we do agree that the research community would greatly benefit from the development and release of more up-to-date, comprehensive, and well-structured datasets reflecting evolving network scenarios and attacks.

---

5. Deployment considerations

We acknowledge this limitation in Section 5, noting that accurately assessing real-world detection latency requires a holistic evaluation of the full pipeline, including data collection, aggregation, preprocessing, and inference. While such a deployment-focused study would offer additional insight, it involves extensive engineering effort and infrastructure setup. As such, we consider it outside the scope of this work, which centers on modeling innovations under the common NetFlow-based IDS paradigm.

---

We believe these clarifications and planned revisions address the reviewer’s concerns and will help improve the final version of the paper.

We thank the reviewer for their thorough review, which not only recognizes the strengths of our work but also provides suggestions for additional proofs that further validate our findings. Below, we respond to each point in detail.

---

1. On the fairness of baseline comparisons

The reviewer raises a valid point. Our goal was to make comparisons as fair as possible under practical constraints:

• T-MAE (our ablation): We conducted dedicated hyperparameter tuning to ensure competitive performance.
• Anomal-E and traditional anomaly detection models: We tuned the E-GraphSAGE encoder but saw no performance gain, so we retained the original configuration, which was already tuned for the same datasets. We explored and adjusted the hyperparameters of the anomaly detection components using the same ranges as in the original work. These details are available in our code.
• SAFE: We tuned the hyperparameters of the LOF anomaly detection component, but briefly exploring alternative hyperparameters for the MAE module yielded no performance improvements. Furthermore, as can be observed from the original codebase, the MAE component in SAFE shows poor discrimination ability (e.g., flat ROC curves, AUC=0.5), which limits its contribution regardless of parameter tuning. Given these factors and the computational cost (tuning SAFE can take several days), we believe further tuning would yield marginal gains and not meaningfully affect the overall conclusions. We will clarify this point in the revised manuscript.

---

2. On pre-training and fine-tuning of E-GraphSAGE

In Anomal-E, the E-GraphSAGE encoder is trained using Deep Graph Infomax (DGI) on benign training data, essentially a self-supervised pretext task, so we refer to the encoder as "pre-trained". This step is performed before anomaly detection and the encoder is not fine-tuned afterward, as the original design and the assumption of label unavailability preclude it. Our implementation follows this setup, consistent with the original Anomal-E paper.

In contrast, our method jointly trains E-GraphSAGE together with the Transformer encoder-decoder, optimizing the entire architecture end-to-end without relying on a separate pretext task. This allows the encoder to learn representations that are directly useful for the anomaly detection objective, rather than general-purpose graph embeddings. This difference in training strategy is a central reason for our model’s improved performance.

---

3. On the role of the Transformer and performance improvements

This question addresses a key design choice we considered during the development of GraphIDS. We had explored simpler architectures, and for this rebuttal, we have run a rigorous comparison to provide concrete data on this choice. To do so, we tested a baseline where the Transformer is replaced by a fully connected autoencoder, consisting of a two-layer encoder and a two-layer decoder, using ReLU activations, isolating the architectural benefit on top of our end-to-end reconstruction framework. To ensure a fair comparison, we explored different bottleneck dimensions and hyperparameters.

The results confirm that the autoencoding task itself provides the most significant performance increase, as evidenced by the strong SimpleAutoencoder baseline.

However, the Transformer still provides clear improvements in performance and stability. GraphIDS consistently achieves higher Macro F1-scores, which we attribute to self-attention's ability to capture global co-occurrence patterns between flows. Importantly, we gain this advantage while keeping the model lightweight, using only a single-layer Transformer encoder and decoder. While we did not focus on maximizing its efficiency, it is also possible to reduce the window size to balance performance with resource usage.

We will include these new results in the appendix and expand the architectural discussion in the revised paper.

---

We thank the reviewer for raising these technical points, and we believe these additions further support the robustness and practical value of our approach.