A network intrusion detection system (NIDS) plays a critical role in protecting modern networked environments, but conventional approaches often struggle to balance the detection of previously unseen attacks with a low false alarm rate. This study proposes a hybrid intrusion detection model, HybridSAGETransformerGlobal, which integrates a SAGEConv-based graph neural network (GNN) and a Transformer encoder to jointly learn local structural information and global contextual dependencies from network traffic. In the proposed framework, network flows are represented as graph nodes, and edges are constructed using IP-group-aware k-nearest neighbors (KNNs) together with a temporal chain. The model further incorporates a gated fusion mechanism, multiple positional encodings, class weighting, label smoothing, and early stopping to improve training stability and detection performance. The proposed method was evaluated under a unified preprocessing and training pipeline on two benchmark datasets, UNSW-NB15 and CIC-IDS2017, using up to approximately 100,000 flow samples per dataset, and was compared with GCN, GAT, GraphSAGE, and a Transformer-only baseline. On UNSW-NB15, repeated-run evaluation over five random seeds showed that the proposed model achieved an accuracy of 0.9841 ± 0.0006, a macro-precision of 0.9684 ± 0.0010, a macro-recall of 0.9818 ± 0.0026, and a macro-F1-score of 0.9749 ± 0.0011, with statistically significant improvements over the strongest baseline in the macro-F1-score. On CIC-IDS2017, the proposed hybrid model also showed consistently strong performance, achieving an accuracy of 0.9749, a macro-precision of 0.9513, a macro-recall of 0.9722, a macro-F1-score of 0.9613, and an ROC-AUC of 0.9957. Additional ablation, sensitivity, and baseline re-optimization analyses further supported the robustness of the proposed design. 
These results suggest that a coordinated hybrid architecture combining structural graph learning and long-range contextual modeling can provide an effective framework for robust flow-based network intrusion detection under the evaluated settings.
Binh et al. (Mon,) studied this question.
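The abstract describes flows as graph nodes, with edges built from IP-group-aware KNN plus a temporal chain. The sketch below is an added example of one way to build such an edge set; it is not the authors' code. The /24 source-prefix grouping, the Euclidean distance, k=1, the function names and the sample flows are all assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample flows: (timestamp, src_ip, feature vector).
# Not taken from UNSW-NB15 or CIC-IDS2017.
FLOWS = [
    (0.0, "10.0.0.5", (0.10, 0.20)),
    (1.0, "10.0.0.5", (0.12, 0.21)),
    (2.0, "10.0.1.9", (0.90, 0.80)),
    (3.0, "10.0.0.7", (0.30, 0.40)),
    (4.0, "10.0.1.9", (0.88, 0.79)),
    (5.0, "10.0.1.4", (0.50, 0.50)),
]

def ip_group(ip, prefix_octets=3):
    """Assumed grouping rule: flows whose source IPs share a /24 form a group."""
    return ".".join(ip.split(".")[:prefix_octets])

def knn_edges(flows, k=1):
    """Undirected KNN edges, with neighbours searched only inside each IP group."""
    groups = defaultdict(list)
    for idx, (_, ip, _) in enumerate(flows):
        groups[ip_group(ip)].append(idx)
    edges = set()
    for members in groups.values():
        for i in members:
            # Rank the other group members by feature distance (index breaks ties).
            ranked = sorted((j for j in members if j != i),
                            key=lambda j: (math.dist(flows[i][2], flows[j][2]), j))
            for j in ranked[:k]:
                edges.add((min(i, j), max(i, j)))
    return edges

def temporal_edges(flows):
    """Temporal chain: each flow is linked to the next flow in timestamp order."""
    order = sorted(range(len(flows)), key=lambda i: flows[i][0])
    return {(min(a, b), max(a, b)) for a, b in zip(order, order[1:])}

def build_edges(flows, k=1):
    """Union of both edge sets, as a sorted list ready for a GNN edge index."""
    return sorted(knn_edges(flows, k) | temporal_edges(flows))

if __name__ == "__main__":
    for edge in build_edges(FLOWS):
        print(edge)
```

In this construction, the only edges that cross IP groups come from the temporal chain, so a group with a single flow still stays connected to the rest of the graph.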