Zing Forum

ResHGNN: An Internal Network Threat Detection Scheme Based on Sparse Residual Heterogeneous Graph Neural Networks

A deep learning framework that models users' daily activities as heterogeneous graphs, preserves original behavioral features via residual learning, and captures abnormal signals in organizational relationships for efficient insider threat detection.

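Graph neural networks, insider threat detection, heterogeneous graphs, residual learning, cybersecurity, machine learning, deep learning, GNN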
Published 2026-06-13 13:42 | Recent activity 2026-06-13 13:53 | Estimated read 6 min

Section 01

ResHGNN: Introduction to a New Heterogeneous Graph Neural Network Scheme for Internal Network Threat Detection

ResHGNN is a deep learning framework for insider threat detection. It models users' daily activities as heterogeneous graphs, uses residual learning to preserve the original behavioral features, and captures abnormal signals in organizational relationships to detect insider threats efficiently. The scheme targets two problems of traditional methods, high false-positive rates and missed detection of hidden malicious behaviors, and offers a more intelligent and accurate means of detection for the cybersecurity field.

Section 02

Research Background: Challenges in Insider Threat Detection and the Proposal of ResHGNN

Insider threats have become a thorny issue in cybersecurity due to their rarity (low proportion of malicious behaviors), concealment (similarity to legitimate behaviors), and complexity (multi-dimensional organizational behavior relationships). Traditional rule-based auditing or simple anomaly detection algorithms tend to generate a large number of false positives or missed detections. ResHGNN defines insider threat detection as a heterogeneous graph learning problem and proposes a new solution by leveraging the complex relationships between organizational structures and user behaviors.

Section 03

Core Methodology: Heterogeneous Graph Modeling + Residual Learning + Sparse Design

  1. Heterogeneous Graph Modeling: Model user activity data as a heterogeneous graph containing UserDay (user daily activity), Supervisor (supervisory entity), and User (user identity) nodes and corresponding edge relationships to capture temporal and organizational dimension information.
  2. Residual Learning: Preserve original behavioral features through skip connections to alleviate the over-smoothing problem of deep GNNs.
  3. Sparse Design: Achieve sparsity from three aspects (graph structure, message passing, and prediction) to adapt to data imbalance.

Section 04

Technical Implementation: Flexible Architecture and Reliable Verification Mechanism

The implementation supports mainstream GNN backbone networks such as GCN, GAT, and GraphSAGE. It provides three relationship configurations: All_relation (all relationships), Supervision_relation (supervision only), and SameUser_relation (identity only). It uses K-fold cross-validation to ensure reliable results and an early stopping strategy to prevent overfitting.
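To make the graph modeling and residual learning of Section 03 and the three relationship configurations of Section 04 concrete, here is an added toy example in plain Python; it is not code from the ResHGNN repository. Only the node types and configuration names come from the page; the records, the edge semantics, the mean aggregator and the additive skip connection are assumptions.

```python
# Added illustration, not ResHGNN's code. Node types and relation config names
# come from the page; edge semantics, mean aggregation and data are assumptions.
from collections import defaultdict

# Constructed records: (user, day, supervisor, [logons, usb_copies])
RECORDS = [
    ("alice", "d1", "sup1", [5.0, 0.0]),
    ("alice", "d2", "sup1", [6.0, 0.0]),
    ("alice", "d3", "sup1", [5.0, 9.0]),  # constructed outlier UserDay
    ("bob",   "d1", "sup1", [4.0, 0.0]),
    ("bob",   "d2", "sup1", [5.0, 1.0]),
]
OUTLIER = 2  # index of alice/d3

def build_hubs(records, config):
    """Attach each UserDay index to its User and/or Supervisor hub node."""
    hubs = defaultdict(list)
    for i, (user, _day, sup, _x) in enumerate(records):
        if config in ("All_relation", "SameUser_relation"):
            hubs[("User", user)].append(i)
        if config in ("All_relation", "Supervision_relation"):
            hubs[("Supervisor", sup)].append(i)
    return hubs

def mean(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def layer(hubs, feats, residual):
    """UserDay -> hub -> UserDay mean aggregation, optionally with a skip connection."""
    hub_state = {h: mean([feats[i] for i in m]) for h, m in hubs.items()}
    out = []
    for i, x in enumerate(feats):
        agg = mean([hub_state[h] for h, m in hubs.items() if i in m])
        out.append([a + b for a, b in zip(agg, x)] if residual else agg)
    return out

def run(config, residual, layers=3):
    """Stack `layers` message-passing layers over the constructed records."""
    hubs = build_hubs(RECORDS, config)
    feats = [r[3] for r in RECORDS]
    for _ in range(layers):
        feats = layer(hubs, feats, residual)
    return feats

def usb_gap(feats):
    """usb_copies gap between the outlier day and alice's other two days."""
    return feats[OUTLIER][1] - (feats[0][1] + feats[1][1]) / 2

if __name__ == "__main__":
    for cfg in ("All_relation", "Supervision_relation", "SameUser_relation"):
        print(cfg, usb_gap(run(cfg, False)), usb_gap(run(cfg, True)))
```

Without the skip connection the outlier day becomes indistinguishable from the same user's normal days after the first layer in every configuration; with it, the deviation in the original feature survives all three layers.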

Section 05

Experimental Design: Dataset and Multi-dimensional Evaluation Metrics

The experiments use processed sample data at the user-date granularity (including behavioral features, labels, and user/date/organization information). Evaluation metrics include accuracy, precision, recall, F1 score, and AUC to comprehensively measure the model's performance on imbalanced datasets.

Section 06

Code Structure and Quick Start Guide

The repository includes data directories, graph construction scripts, main detection experiment scripts, etc. Quick start steps:

  1. Install dependencies (numpy, pandas, torch, etc.).
  2. Run the graph construction script.
  3. Execute the detection experiment.
  4. Summarize the results.

Section 07

Research Significance and Future Outlook

Academic contributions: First to integrate organizational and behavioral relationships into a graph learning framework, transfer residual learning to the graph domain, and provide a reproducible platform.

Practical value: Reduce false positives, improve detection rates, and enhance interpretability.

Future directions: Sequence modeling, dynamic graphs, multi-modal fusion, and federated learning.

Section 08

Conclusion: The Value and Application Potential of ResHGNN

ResHGNN demonstrates the successful application of graph neural networks in the cybersecurity field, converting complex organizational behaviors into structured graph representations and using deep learning to automatically learn abnormal patterns. It provides a complete technical stack and experimental framework for researchers and engineers in cybersecurity, graph machine learning, and enterprise risk control, which can serve as a foundation for further research and development.