Traditional intrusion detection systems (IDSs) rely on static rules and one-dimensional features, and they have difficulty dealing with zero-day attacks and highly concealed threats; furthermore, mainstream deep learning models cannot capture the correlation between multiple views of attacks due to their single perspective. This paper proposes a knowledge graph-enhanced multi-view deep learning framework that integrates network traffic, host behavior, and semantic relationships, and evaluates the impact of the secondary fusion strategy on feature fusion to identify the optimal multi-view model configuration. The primary objective is to verify the superiority of multi-view feature fusion technology and determine whether incorporating knowledge graphs (KGs) can further enhance model performance. First, we introduce the knowledge graph (KG) as one of the feature views and neural networks as additional views, forming a multi-view feature fusion strategy that emphasizes the integration of spatial and relational features. The KG represents relational features, which are combined with spatial features extracted by neural networks, enabling a more comprehensive representation of attack patterns through the synergy of both feature types. Second, based on this foundation, we propose a two-level fusion strategy. During the representation learning of spatial features, primary fusion of each view is performed, followed by secondary fusion with relational features from the KG, thereby deepening and broadening feature integration. These strategies for understanding and deploying the multi-view concept improve the model's expressive power and detection performance and also demonstrate strong generalization and robustness across three datasets, including TONIoT and UNSW-NB15, marking a contribution of this study. In the experimental evaluation, the F1 scores of multi-view models exceeded those of single-view models across all three datasets.
Specifically, the F1 score of the multi-view approach (Model 6) improved by 10.57% on the TONIoT Network+Win10 dataset compared with the best single-view model. In contrast, improvements of 5.53% and 3.21% were observed on the TONIoT network and UNSW-NB15 datasets. In terms of feature fusion strategies, the secondary fusion strategy (Model 6) outperformed primary fusion (Model 5). Furthermore, incorporating KG-based relational features as a separate view improved model performance, a finding validated by ablation studies. Experimental results show that the deep fusion strategy of multi-dimensional data overcomes the limitations of traditional single-view models, enables collaborative multi-dimensional analysis of network attack behaviors, and significantly enhances detection capabilities in complex attack scenarios. This approach establishes a scalable multimodal analysis framework for intelligent cybersecurity, advancing intrusion detection beyond traditional rule-based methods toward semantic understanding.
Li et al. (Thu,) studied this question.