RF-PGNN: Random Forest Proximity Graph Neural Network for Multi-Class Intrusion Detection
Contemporary network intrusion detection systems (NIDS) need to classify many types of attack in high-dimensional, highly skewed network traffic. This paper presents a hybrid RF-PGNN framework that combines a Random Forest (RF) and a Graph Attention Network (GAT) to exploit both feature-level discriminative patterns and sample-level relational structure. Similarities between RF leaf assignments are used to build a proximity graph that reflects the non-linear decision boundaries learned implicitly by the forest. The GAT is then trained on this graph to propagate relational signals between neighbouring samples. On a balanced seven-class subset of the CIC-IDS2017 benchmark, the standalone RF has an accuracy of 98.86 and the GAT has an accuracy of 78.34. The weighted ensemble (RF weight 0.9, GAT weight 0.1) has an accuracy of 98.94, a macro F1-score of 0.9894 and a ROC-AUC of 0.9986. The low standalone accuracy of the GAT can be attributed to graph-scale constraints on the edges that can be used, to over-smoothing in multi-layer message passing, and to the limited ability of proximity-based edges to encode the directed flow semantics of fine-grained attack sub-types; however, the complementary relational signal it provides yields a consistent ensemble boost. The McNemar test shows that the gain over the RF baseline is significant (p < 0.05). Additional testing with an unequal class distribution suggests that RF-PGNN recovers macro F1 on minority attack classes, implying that it can be used in practice and not only under idealized benchmark conditions such as equal class sizes. The proposed framework provides a theoretically sound way to integrate tree ensembles and graph-based learning, advancing multi-class intrusion detection without losing interpretability.
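The proximity-graph and weighted-ensemble steps described in the abstract, as an added illustration that is not the paper's code. The k-nearest-neighbour sparsification, the soft vote over class probabilities, and all leaf ids and probabilities are assumptions constructed for this example.

```python
# Added illustration; not the paper's implementation. All data is constructed.
from collections import defaultdict

def rf_proximity(leaves):
    """leaves[i][t] = leaf index sample i reaches in tree t
    (with scikit-learn this matrix is RandomForestClassifier.apply(X)).
    Returns {(i, j): fraction of trees where i and j share a leaf}, i < j."""
    n_trees = len(leaves[0])
    shared = defaultdict(int)
    for t in range(n_trees):
        buckets = defaultdict(list)          # leaf id -> samples landing in it
        for i, row in enumerate(leaves):
            buckets[row[t]].append(i)
        for members in buckets.values():     # only co-leaf pairs are touched
            for a in range(len(members)):
                for b in range(a + 1, len(members)):
                    shared[(members[a], members[b])] += 1
    return {pair: c / n_trees for pair, c in shared.items()}

def knn_edges(prox, n, k):
    """Assumed sparsification: keep each node's k most proximate neighbours,
    then symmetrise. Returns sorted undirected edges (i, j) with i < j."""
    nbrs = defaultdict(list)
    for (i, j), p in prox.items():
        nbrs[i].append((p, j))
        nbrs[j].append((p, i))
    edges = set()
    for i in range(n):
        ranked = sorted(nbrs[i], key=lambda x: (-x[0], x[1]))
        for _, j in ranked[:k]:
            edges.add((min(i, j), max(i, j)))
    return sorted(edges)

def ensemble(p_rf, p_gat, w_rf=0.9, w_gat=0.1):
    """Assumed weighted soft vote over per-class probabilities."""
    scores = [w_rf * a + w_gat * b for a, b in zip(p_rf, p_gat)]
    return max(range(len(scores)), key=scores.__getitem__), scores

# Constructed leaf assignments: 5 flows x 4 trees.
LEAVES = [[3, 7, 1, 4],
          [3, 7, 1, 9],
          [3, 2, 1, 9],
          [8, 5, 6, 0],
          [8, 5, 6, 4]]
PROX = rf_proximity(LEAVES)
EDGES = knn_edges(PROX, n=5, k=1)   # edge list a GAT would be trained on
```

With a 0.9/0.1 weighting the GAT can only change the RF decision when the RF's own class probabilities are nearly tied, which matches the small ensemble gain the abstract reports.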
This work is licensed under a Creative Commons Attribution 4.0 International License.