CONTINUOUS-TIME HETEROGENEOUS GRAPH ATTENTION WITH HYPERSPHERICAL CONTRASTIVE LEARNING FOR ZERO-DAY ANOMALY DETECTION
DOI:
https://doi.org/10.70917/ijcisim-2026-3069Keywords:
Zero-Day Exploit Detection, Dynamic Graph Neural Networks, Temporal Contrastive Learning, Network Anomaly Detection, Open-Set Recognition, Cyber Threat IntelligenceAbstract
In the era of constantly changing malware and vulnerabilities, detecting new zero-days that do not have signatures becomes one of the most important tasks for securing networks. In fact, traditional machine learning techniques usually fail to perform well in this field due to their inability to detect new types of attacks because of their dependency on static data. Thus, the purpose of this study is to develop a more effective dynamic machine learning model, named the Dynamic Heterogeneous Graph Neural Network (DH-GNN) enhanced with Temporal Contrastive Learning. The network should be treated as a graph, where each node represents a particular entity, such as a specific IP source, destination, and port (therefore, being heterogeneous). The edges show how entities communicate with each other at certain points in time. Contrastive learning is used to find a proper representation for each traffic cluster, namely to put the traffic from normal operations close and separate attacks from the others. Therefore, in the event of a zero-day exploit, a new traffic pattern appears which would not belong to any cluster, thus making it possible to identify it as an anomaly. Evaluation is performed on current relevant datasets using a strict testing procedure. The attacks were not included in the training sample to replicate real-world conditions. Experiments showed that the proposed approach significantly outperforms all state-of-the-art models. The model's performance is measured by the F1-score of the highest detection and very low false-positive rates. Moreover, processing of traffic is done at a very low latency level.