A Graph Neural Network Approach for Scalableand Dynamic IP Similarity in Enterprise Networks

Hazem M. Soliman, Geoff Salmon, Dusan Sovilij, Mohan RaoRANK Software Inc.

Toronto, Canada{hazem.soliman, geoff.salmon, dusan.sovilij, mohan.rao}@ranksoftwareinc.com

Abstract—Measuring similarity between IP addresses is animportant task in the daily operations of any enterprise network.Applications that depend on an IP similarity measure includemeasuring correlation between security alerts, building base-lines for behavioral modelling, debugging network failures andtracking persistent attacks. However, IPs do not have a naturalsimilarity measure by definition. Deep Learning architectures area promising solution here since they are able to learn numericalrepresentations for IPs directly from data, allowing variousdistance measures to be applied on the calculated representa-tions. Current works have utilized Natural Language Processing(NLP) techniques for learning IP embeddings. However, theseapproaches have no proper way to handle out-of-vocabulary(OOV) IPs not seen during training. In this paper, we propose anovel approach for IP embedding using an adapted graph neuralnetwork (GNN) architecture. This approach has the advantagesof working on the raw data, scalability and, most importantly,induction, i.e. the ability to measure similarity between previouslyunseen IPs. Using data from an enterprise network, our approachis able to identify similarities between local DNS servers androot DNS servers even though some of these machines are neverencountered during the training phase.

I. INTRODUCTION

The problem of measuring how similar a group of machines,denoted with their IPs, are is an important aspect in a largenumber of network operations and security analysis tasks. Inthe security context, malicious behavior such as an AdvancedPersistent Attack (APT) typically affects multiple machinesat a time [1] – in the initial phases when the adversary islooking for exploits in the network assets, and then aftersuccessfully infiltrating the network when the adversary isspreading internally. Alert correlation is of crucial importancein detecting APTs, where individual alerts are not necessarilyan indication of an actual attack, but a correlated group ofsuch alerts following a proper attack plan is a significantlybetter indication of malicious behavior [2]. Since an alert istypically defined through its attributes, such as IP addresses,port number, ... etc, the problem of alert similarity entails theone of IP similarity, where two alerts are more similar if theIPs involved in both alerts are also similar. The problem understudy here, IP similarity, is then a subset of the larger problemof general alert similarity.

Once a security alert is triggered, it is presented to theanalyst for further investigation, following which the analystmay choose to tag the alert as false-positive. The problemof the high rate of false-positives in security analytics and

behavioral modelling is a well-documented one [3]. Oneapproach here is to ask the analyst for feedback on a smallset of alerts, and use this feedback to better label the rest ofthe larger group of alerts through alert similarity, forming anactive-learning loop [4]. This again leads to the question ofalert similarity, and consequently to that of IP similarity.

User Entity Behavior Analytics (UEBA) [5] and Networkbehavior anomaly detection (NBAD) leverage statistical ap-proaches for threat detection in modern enterprise networks.The most common approach here is to build behavior baselinesfrom historical traffic data and evaluate new incoming dataagainst these baselines. An alert is then triggered if the newtraffic deviates significantly from the established baselines.However, this approach suffers greatly with new machines andsparse traffic. For example, consider a load-balanced systemwhere one server is capable of handling most of the requestswhile a backup server is idle during the majority of time.A UEBA system may trigger an excessive number of alertsfor this idle server when the load increases and it has tohandle more traffic. One solution is to use not only the datafor the machine under study but also the data from similarmachines, in order to build a more robust baseline. In this case,the question of similarity between machines is of significantimportance.

A. Related Work

The problem of distance measures between IP addresseshas been extensively studied in the literature, particularly insecurity applications. One of the earliest works is [6], wherethe hierarchy of IP addresses is used to measure their pairwisedistances depending on how far they are in the hierarchy tree.This approach has been extended in [7]. Both approacheshowever have the drawback of being manually designed andnot granular enough beyond the main divisions in the tree,such as public versus private IPs.

Another line of work uses the bit representation of IPs andmeasures distances based on the length of the longest commonprefix [8]. This approach has been utilized to group alertstogether into an attack graph if the distances between themis below a certain threshold. However, this approach suffersfrom putting too much faith in IP allocation, where successiveIPs are assumed to be assigned to the most similar machines.With the migration to the cloud and the dynamic scaling ofenterprise networks, these assumption are becoming out-dated.

arX

iv:2

010.

0477

7v1

[cs

.LG

] 9

Oct

202

0

Moreover, this approach is not designed to handle similaritybetween public IPs.

Driven by the limitations of static, manually-written dis-tance measures, and inspired by recent advances in NLP andword embeddings, IP2vec [9] was proposed as an extensionof the popular word2vec [10] paradigm to the networkingdomain. The idea behind the approach is to treat network logsas the equivalent of a text corpus in NLP, and entries in the logmessage, such as IPs and port numbers, as the equivalent ofwords. Finally, train a neural network on this data and useits hidden layer as the embedding of the network entitiesof interest. These entities include IPs, ports and networkprotocols. This approach does not generate similarity per se,instead it generates a numerical representation for each net-work entity. Various distance functions can be applied on thegiven numerical representations to get the required similarity.This approach has the advantage of learning representationdirectly from data without the need for manually designedmeasures, rendering it more practical and flexible. Recently,this approach has been applied to the detection of persistentattacks in enterprise networks with promising results [11].

B. Proposed Methodology

In this paper, we take this approach one step further byleveraging graph neural networks (GNNs) to generate anembedding for the nodes of the network communication graph,where each node is a distinct IP. Our motivation behind thisapproach is as follows:

• Network data represents a graph, in particular theflow/connection logs describe the communication graphbetween the different entities in the network. This makesGNNs a natural choice to get a representation of the graphand its nodes.

• Out-of-vocabulary (OOV) problem: this is a well-knownproblem in NLP concerned with how to handle newwords during testing which were not seen during training[12]. This problem is more challenging in our case sincenetworking data is much more dynamic than text data.New IPs show up all the time, whether due to newmachines joining the network, new external servers thatusers access, or dynamically allocating IPs in the network.The ability to generate a representation of previouslyunseen IPs is a crucial feature in a network embeddingmodel. NLP-based approaches fall short here, while alarge training text corpus is usually enough to see almostall relevant words, this is not the case with networksdata due to the large number of IPs (∼ 232 for IPv4 and∼ 2128 for IPv6). The same large number of IPs hindersthe feasibility of building a model that can handle allpossible values.The NLP field has some approaches to handle the OOVissue, none of which are applicable to our problem. Onecommon solution is to generate character embeddings,single or few characters, and build a word embeddingfrom the embeddings of its composing characters [13].

However, IP addresses do not have the same compo-sitional nature as words. While a single character isunlikely to change a word’s meaning, two IPs withonly one different bit can belong to two machines withcompletely different jobs. Another approach to addressOOV is to have a singular representation for all unseenwords. Clearly, this solution is not applicable here. Whilein NLP tasks the size of OOV is small, in networking dueto the huge number of IPs, the number of IPs encounteredin any realistic training set is much smaller than the totalnumber of IPs in the internet, and the size of OOV isactually quite significant.

The rest of the paper is organized as follows: Section IIprovides an overview of graph neural networks. Both thesystem and neural network architectures are discussed inSection III. In Section IV we show the results from a realnetwork dataset. The paper is concluded in Section V.

II. OVERVIEW OF GRAPH NEURAL NETWORKS

Graph neural networks comprise a special class of neuralnetworks designed to handle data in a non-Euclidean vec-tor space in the form of a graph [14] [15]. The goal isto leverage the benefits of deep learning methods, such asdistributed representations and end-to-end learning [16], forapplication domains in which the data does not fit into themore popular paradigms of convolutional or recurrent neuralnetworks (CNNs, RNNs). Examples of this non-Euclideandata are chemical molecules, citation networks, user-productinteraction in e-commerce, and, in our case, communicationnetworks.

One of more popular problems studied in the GNN is knownas network embedding, where the goal is to generate low-dimensional vector representation for the graph nodes in linewith the graph topology and the node information content [17].These representations, also referred to as embeddings, are thenused for various tasks such as node classification, clustering,and in our case, measuring similarity between nodes usingtheir vector representation.

GNNs can be classified into two broad families [14]:message-passing convolutional GNNs and Weisfeiler-LehmanGNNs. Message-passing GNNs update a node representationusing the representations of its neighbors, through variationsof the basic formula:

ℎ𝑙+1𝑖 = 𝑓

©­«𝑊 𝑙1ℎ

𝑙𝑖 +

∑︁𝑗∈N𝑖

𝑊 𝑙2ℎ

𝑙𝑗

ª®¬ (1)

where ℎ𝑙𝑖

is the representation of node 𝑖 at layer 𝑙, 𝑓 (.) is anon-linear mapping such as ReLU, 𝑊’s are learnable weighttensors and N𝑖 is the set of neighbors for node 𝑖.

One of the major advantages of message-passing GNNs istheir inductive nature. A GNN is called inductive if, during thetest phase, it can generate a representation for a node it hasnot seen before during the training phase. This is mainly dueto the parameter sharing between all nodes and the messagepassing operation itself [18]. This inductive nature is a key

feature that we believe gives GNN the edge over NLP-likeapproaches for the task of IP embedding.

In summary, our design goals for GNNs in the embeddingof network IP addresses are:

• Inductive vs transductive: inductive approaches can em-bed unseen nodes, a feature we need for constantlychanging networks.

• Edge attributes: compared to other application domains,edge information such as protocol, byte count, ... etc areparticularly important for our use-case.

• Anomaly detection: an auto-encoder based loss functionis useful here as the GNN would not only provide theembedding but also an anomaly signal if the networkinstance is very different from the training data.

III. SYSTEM DESCRIPTION

A. ArchitectureThe input data to our system is the set of network logs from

the Bro/Zeek monitoring tool1. These logs are pre-processedfor any data enrichment/cleaning and then used to build thecommunication graph of the network. An offline training stepuses a large historic dataset to train the GNN and save thetrained model. During real-time operation, a new batch of datais applied to the model every fixed interval, 10 minutes forexample, and the inference operation of the GNN providesthe embeddings for the IPs seen during the interval as well asan anomaly signal if needed. The offline training operation canbe periodically repeated as deemed necessary. Note that dueto the inductive nature of the model, we can do the trainingon one network and deploy the model on as many networksas desired, resulting in more deployment flexibility.

B. Mathematical ModelOur model is an extension of the Residual Gated Graph

Convolution model proposed in [19], and shown in [14] to beone of the best performing GNN models on a variety of tasks.

1) Data Format: The input data to our system comes fromBro/Zeek conn.log files. Table I has a list of the fields we usein our experiments.

TABLE IFIELDS USED FROM ZEEK CONN.LOG FILE

Group FieldsIP information sourceIP, destinationIP

Port Information sourcePort, destinationPort

Protocol Information protocolService

Numerical TrafficFeatures

responseBytes, requestBytes,duration, bytes, responsePackets,requestPackets, responseIPBytes,requestIPBytes

Due to the incredibly high rate of new connectionsin any real world network, we group connections to-gether into a single graph for a fixed interval, 10 min-utes for example. In particular, the data is first grouped

1https://zeek.org/

Fig. 1. Edge input feature vector

by 𝑠𝑜𝑢𝑟𝑐𝑒𝐼𝑃, 𝑑𝑒𝑠𝑡𝑖𝑛𝑎𝑡𝑖𝑜𝑛𝐼𝑃, 𝑝𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝑆𝑒𝑟𝑣𝑖𝑐𝑒 and the 𝑠𝑢𝑚

aggregation operation is applied on the numerical featuressuch as 𝑟𝑒𝑠𝑝𝑜𝑛𝑠𝑒𝐵𝑦𝑡𝑒𝑠, 𝑟𝑒𝑞𝑢𝑒𝑠𝑡𝐵𝑦𝑡𝑒𝑠, 𝑑𝑢𝑟𝑎𝑡𝑖𝑜𝑛...etc. Thisgrouping for small intervals strikes a nice balance betweenunrealistically running a new inference for every change in thegraph, i.e. every new connection in the network, and buildinga static graph for large intervals.

The structure of the graph is then as follows:• Node: each node represents an IP.• Edge: There is at most one edge connection between two

nodes if at least one connection happened between themusing any protocol.

• Node Features: we do not have any node features in ourdata.

• Edge Features: each edge has a feature vector of thefollowing format: the first part of the feature vector isa one-hot encoding of all the protocols seen betweenthe source and destination nodes, and the rest is theconcatenation of the aggregated numerical features forall protocols under study, as shown in Fig. 1.

Since each node represents an IP, and in most deploymentswe do not have access to end-point data, there are no nodefeatures per se. This is a stark departure from existing modelsand datasets, where node features are the most important partof the data. Instead, in networking applications, almost all datais contained in the edge features, such as protocol informationand traffic volume.

2) GNN Input Layer with Edge Features Only: Since inour graph the nodes are feature-less, we propose a new inputlayer that works solely on the edge features and can use themto generate preliminary node feature vectors.

The input layer functions as follows:

ℎ1𝑖 = 𝑅𝐸𝐿𝑈

©­«𝐵𝑁 ©­«∑︁𝑗∈N𝑖

𝑒1𝑖 𝑗 � 𝑉0𝑒0

𝑖 𝑗

ª®¬ª®¬ (2)

where 𝑊0 is a trainable weight matrix, 𝐵𝑁 stands for batchnormalization, � is the Hadamard product, and the edge gates𝑒1𝑖 𝑗

are defined as

𝑒1𝑖 𝑗 =

𝜎

(𝑒1𝑖 𝑗

)∑

𝑗′∈N𝑖𝜎(𝑒1

𝑖 𝑗′) + 𝜖

𝑒1𝑖 𝑗 = 𝑒0

𝑖 𝑗 + 𝑅𝐸𝐿𝑈

(𝐵𝑁

(𝐶0𝑒0

𝑖 𝑗

)) (3)

and shown in Fig. 2.

Fig. 2. GNN Input Layer with Edge Features Only

Fig. 3. GatedGCN Convolutional Layer

3) GatedGCN Convolutional Layers: Following the inputlayer, the other layers are the same as the convolutional layersin the original GatedGCN model in [19]. These layers takethe form

ℎ𝑙+1𝑖 = ℎ𝑙𝑖 + 𝑅𝐸𝐿𝑈

©­«𝐵𝑁 ©­«𝑈𝑙ℎ𝑙𝑖 +∑︁𝑗∈N𝑖

𝑒𝑙𝑖 𝑗 � 𝑉 𝑙ℎ𝑙𝑗ª®¬ª®¬ (4)

where 𝑈𝑙 , 𝑉 𝑙 are trainable weight matrices, and the edge gates𝑒𝑙𝑖 𝑗

are defined as

𝑒𝑙𝑖 𝑗 =

𝜎

(𝑒𝑙𝑖 𝑗

)∑

𝑗′∈N𝑖𝜎(𝑒𝑙

𝑖 𝑗′) + 𝜖

𝑒𝑙𝑖 𝑗 = 𝑒𝑙−1𝑖 𝑗 + 𝑅𝐸𝐿𝑈

(𝐵𝑁

(𝐴𝑙ℎ𝑙−1

𝑖 + 𝐵𝑙ℎ𝑙−1𝑗 + 𝐶𝑙𝑒𝑙−1

𝑖 𝑗

)) (5)

and shown in Fig. 3. In both types of layers, the edge gates𝑒𝑙𝑖 𝑗

can be seen as a soft-attention mechanism [14].4) Loss Function: Our loss function is composed of two

parts:• Edge Feature Reconstruction: this is main part of the

loss function and represents the auto-encoder learningobjective. The goal here is to reconstruct the edge featuresfrom the low dimension representation as follows:

𝑙𝑜𝑠𝑠𝐴𝐸 = _𝐴𝐸𝐵𝑖𝑛𝑎𝑟𝑦𝐶𝑟𝑜𝑠𝑠𝐸𝑛𝑡𝑟𝑜𝑝𝑦

(𝑒0𝑖 𝑗 , 𝑒

𝑑𝑖 𝑗

)(6)

where 𝑒0𝑖 𝑗

are the input edge features and 𝑒𝑑𝑖 𝑗

are thefeature representations from the last layer of the decoder.

Fig. 4. GNN Model

• Neighborhood Embedding Match: similar to other graphauto-encoder approaches [20], we would like embeddingsof neighboring nodes to be similar:

𝑙𝑜𝑠𝑠𝑁𝑀 = −_𝑁𝑀

𝑁∑︁𝑖=1

∑︁𝑗∈N𝑖

log

(1

1 + 𝑒𝑥𝑝(−h̃𝑇𝑖

h̃ 𝑗 )

)(7)

where ℎ̃𝑖 , ℎ̃ 𝑗 are the embeddings of nodes 𝑖, 𝑗 respectively.The total loss is simply the sum of all the loss functions:

𝑙𝑜𝑠𝑠 = 𝑙𝑜𝑠𝑠𝐴𝐸 + 𝑙𝑜𝑠𝑠𝑁𝑀 (8)

The complete GNN model is shown in Fig. 4. The sparsityof the input edge feature vectors proved to be a consistentchallenge for the stability and convergence of the GNNlearning process. To handle this issue, we have found it bestto normalize the input features, use a 𝑆𝑖𝑔𝑚𝑜𝑖𝑑 layer as theoutput of the decoder and and 𝐵𝑖𝑛𝑎𝑟𝑦𝐶𝑟𝑜𝑠𝑠𝐸𝑛𝑡𝑟𝑜𝑝𝑦(., .) asthe loss function between the two.

IV. RESULTS

In this paper, we use a private dataset from a medium-sizedenterprise network. This network has around 50 users usingprimarily windows machines, and a few internal servers. Thetraffic sensor is located such that it can capture both the trafficbetween internal hosts and between internal and external hosts,so-called east-west traffic and north-south traffic.

We conduct two main experiments to judge the ability ofour model to measure similarity between new and previouslyobserved nodes. In particular, given a set of IPs that we knowto belong to machines of similar functionality, we remove asubset during the training phase and only introduce them backduring the testing phase. We do so by removing all conn logswhere either the 𝑠𝑜𝑢𝑟𝑐𝑒𝐼𝑃 or the 𝑑𝑒𝑠𝑡𝑖𝑛𝑎𝑡𝑖𝑜𝑛𝐼𝑃 is the part ofthe subset to be removed. We then expect the model to producehigh similarity between the whole set of such IPs, not only theones seen during training. We conduct this experiment usingtwo sets of IPs:

• Local DNS servers: the network under study has two localDNS servers, 192.168.2.15 and 192.168.2.19. We remove192.168.2.19 during training.

• Root DNS servers: these servers are the highest in thehierarchy of the internet DNS servers2. These IPs are

2https://en.wikipedia.org/wiki/Root_name_server#Root_server_addresses

198.41.0.4, 199.9.14.201, 192.33.4.12,199.7.91.13, 192.203.230.10, 192.5.5.241,192.112.36.4, 198.97.190.53, 192.36.148.17,192.58.128.30, 193.0.14.129, 199.7.83.42, 202.12.27.33.We remove the last four IPs during training time andmeasure their similarity with the first nine IPs duringtest time.

In all our experiments we adopt the cosine similarity measuredefined as

𝑑 ( ℎ̃𝑖 , ℎ̃ 𝑗 ) =ℎ̃𝑇𝑖ℎ̃ 𝑗

| | ℎ̃𝑖 | |.| | ℎ̃ 𝑗 | |(9)

We also conduct all experiments using both 𝑙𝑜𝑠𝑠𝐴𝐸 and𝑙𝑜𝑠𝑠𝐴𝐸+𝑙𝑜𝑠𝑠𝑁𝑀 as the loss functions, with _𝐴𝐸 = 1.0, _𝑁𝑀 =

0.01.In Table II, we show the similarity between the two IPs,

192.168.2.15 and 192.168.2.19 on the test graphs. Except forthe first row, the similarity between these two IPs quicklyreaches very high values, indicating the ability of the modelto recognize the similar behavior even though only one IP wasseen before. We posit that for shorted periods, e.g. 10 minutes,the amount of traffic seen might not be representative enoughof the typical behavior of the machine and hence one modelproduced low similarity between the two IPs in this case.

In Table III we show a similar set of results but for the rootDNS servers. Similarity is averaged across all possible pairswhen the first IP is one of the 9 root IPs seen during bothtraining and testing while the second IP belongs to the setof 4 root IPs seen only during testing. The same observationholds here that the model was able to recognize the similaritybetween these public IPs due to their similar functionality.We also see high similarity here even for the shorter periodof 10 minutes. We explain that as public DNS servers wouldonly receive one kind of traffic, that is DNS queries. However,we have more visibility into the traffic between the localmachines, including local DNS servers, and hence it takes alonger interval to see the dominant traffic pattern for localmachines. We would like to note that although we have arelatively high number of test graphs, the inference passes areindependent across each graph. In other words, the model doesnot need to see a large number of graphs including the IP(s)under study, in fact, once the model is trained, it can generatea high-quality embedding for an IP from a single test graph.

We also provide visualizations of some interesting clustersof similar IPs. Fig. 5 shows the visualizations of all IPs inthe network during a single interval with some interestingclusters highlighted, these clusters are zoomed on in the figuresto follow. Fig. 6 has a cluster including the root DNS IPsdiscussed before. Fig. 7 has the broadcast IP 255.255.255.255,and all the other IPv6 addresses are multicast IPs. In Fig. 8, allthe IPs of the form 17.* belong to Apple. In all four figures,t-SNE [21] is used for the 2-dimensional visualization.

V. CONCLUSION AND FUTURE WORK

In this paper, we introduced the first study on applyingGNNs for the embedding of network assets, represented as

Fig. 5. t-SNE visualization of all IPs with highlighted clusters

Fig. 6. t-SNE visualization of Root DNS Cluster

Fig. 7. t-SNE visualization of Broadcast and Multicast Cluster

IPs. We identified a few challenges that render this problemuniquely different from both NLP-based network embeddingand the more common use-cases of GNNs. These challengesrevolve mainly around the inductive nature of a model beingsignificantly more important compared to text data, and thelack of node features in typical deployments of such a model.We then introduced a new input layer to handle our data,and the necessary output layer and loss function to stabilizethe training process. The outcome is an efficient embeddingfor each asset in the network incorporating its own as well

TABLE IISIMILARITY BETWEEN TWO LOCAL DNS SERVERS WHEN ONLY ONE IS SEEN DURING TRAINING

Graph Interval Length 𝑙𝑜𝑠𝑠𝐴𝐸 Similarity 𝑙𝑜𝑠𝑠𝐴𝐸 + 𝑙𝑜𝑠𝑠𝑁𝑀 Similarity Number of Test Graphs10 minutes 0.7060738 ± 0.34426507 0.9862463 ± 0.01696037 207

30 minutes 0.9743041 ± 0.04809975 0.9869821 ± 0.01701941 70

60 minutes 0.9647852 ± 0.06598776 0.9906003 ± 0.01601414 35

120 minutes 0.9880788 ± 0.030548556 0.9803449 ± 0.05673271 18

TABLE IIIAVERAGE SIMILARITY BETWEEN ROOT DNS SERVERS

Graph Interval Length 𝑙𝑜𝑠𝑠𝐴𝐸 Similarity 𝑙𝑜𝑠𝑠𝐴𝐸 + 𝑙𝑜𝑠𝑠𝑁𝑀 Similarity Number of Test Graphs10 minutes 0.9654844 ± 0.04811225 0.9918937 ± 0.00860384 207

30 minutes 0.9791588 ± 0.03466465 0.9879824 ± 0.01978309 70

60 minutes 0.9768600 ± 0.04310611 0.9870570 ± 0.01964757 35

120 minutes 0.9930404 ± 0.01426881 0.9593274 ± 0.09711087 18

Fig. 8. t-SNE visualization of Apple Cluster

as its neighbors traffic behavior. Our results show that themodel is able to properly represent similar IPs even thoughonly a subset of those IPs has been seen before during thetraining phase. The model is also able to highlight interestingIP clusters, such DNS servers, broadcast/multicast IPs andApple IPs.

An extension to our approach is to introduce node featuresin the system. These node features will have to come fromend-point data, such as Windows event log. The model canthen learn better embeddings representing both the end-pointand the network behavior of each asset in the network.

REFERENCES

[1] I. Ghafir and V. Prenosil, “Advanced persistent threat attack detection:an overview,” International Journal of Advances in Computer Networksand Its Security (IJCNS), vol. 4, no. 4, p. 5054, 2014.

[2] P. Cao, E. Badger, Z. Kalbarczyk, R. Iyer, and A. Slagell, “Preemptiveintrusion detection: Theoretical framework and real-world measure-ments,” in Proceedings of the 2015 Symposium and Bootcamp on theScience of Security, 2015, pp. 1–12.

[3] R. Sommer and V. Paxson, “Outside the closed world: On using machinelearning for network intrusion detection,” in IEEE symposium on securityand privacy, 2010, pp. 305–316.

[4] K. Veeramachaneni, I. Arnaldo, V. Korrapati, C. Bassias, and K. Li,“Aiˆ 2: training a big data machine to defend,” in 2016 IEEE 2nd Inter-national Conference on Big Data Security on Cloud (BigDataSecurity).IEEE, 2016, pp. 49–54.

[5] M. Shashanka, M.-Y. Shen, and J. Wang, “User and entity behavioranalytics for enterprise security,” in 2016 IEEE International Conferenceon Big Data (Big Data). IEEE, 2016, pp. 1867–1874.

[6] K. Julisch, “Clustering intrusion detection alarms to support root causeanalysis,” ACM transactions on information and system security (TIS-SEC), vol. 6, no. 4, pp. 443–471, 2003.

[7] S. E. Coull, F. Monrose, and M. Bailey, “On measuring the similarity ofnetwork hosts: Pitfalls, new metrics, and empirical analyses.” in NDSS,2011.

[8] R. O. Shittu, “Mining intrusion detection alert logs to minimise falsepositives & gain attack insight,” Ph.D. dissertation, City UniversityLondon, 2016.

[9] M. Ring, A. Dallmann, D. Landes, and A. Hotho, “Ip2vec: Learningsimilarities between ip addresses,” in 2017 IEEE International Confer-ence on Data Mining Workshops (ICDMW). IEEE, 2017, pp. 657–666.

[10] Y. Goldberg and O. Levy, “word2vec explained: deriving mikolovet al.’s negative-sampling word-embedding method,” arXiv preprintarXiv:1402.3722, 2014.

[11] B. Burr, S. Wang, G. Salmon, and H. Soliman, “On the detection ofpersistent attacks using alert graphs and event feature embeddings,” inIEEE/IFIP NOMS, 2020, pp. 1–4.

[12] I. Bazzi, “Modelling out-of-vocabulary words for robust speech recog-nition,” Ph.D. dissertation, Massachusetts Institute of Technology, 2002.

[13] Y. Kim, Y. Jernite, D. Sontag, and A. M. Rush, “Character-aware neurallanguage models,” in Proceedings of the Thirtieth AAAI Conference onArtificial Intelligence, 2016, pp. 2741–2749.

[14] V. P. Dwivedi, C. K. Joshi, T. Laurent, Y. Bengio, andX. Bresson, “Benchmarking graph neural networks,” arXiv preprintarXiv:2003.00982, 2020.

[15] Z. Wu, S. Pan, F. Chen, G. Long, C. Zhang, and S. Y. Philip, “Acomprehensive survey on graph neural networks,” IEEE Transactionson Neural Networks and Learning Systems, 2020.

[16] Y. LeCun, Y. Bengio, and G. Hinton, “Deep learning,” nature, vol. 521,no. 7553, pp. 436–444, 2015.

[17] W. L. Hamilton, R. Ying, and J. Leskovec, “Representation learning ongraphs: Methods and applications,” arXiv preprint arXiv:1709.05584,2017.

[18] W. Hamilton, Z. Ying, and J. Leskovec, “Inductive representationlearning on large graphs,” in NIPS, 2017, pp. 1024–1034.

[19] X. Bresson and T. Laurent, “Residual gated graph convnets,” arXivpreprint arXiv:1711.07553, 2017.

[20] A. Salehi and H. Davulcu, “Graph attention auto-encoders,” arXivpreprint arXiv:1905.10715, 2019.

[21] L. v. d. Maaten and G. Hinton, “Visualizing data using t-sne,” Journalof machine learning research, vol. 9, no. Nov, pp. 2579–2605, 2008.