Zing Forum

XG-Temp: An Interpretable Temporal Graph Neural Network System for Network Intrusion Detection

XG-Temp combines the interpretability of graph neural networks, temporal modeling capabilities, and LLM-driven report generation. It achieves near-perfect detection performance on multiple standard datasets, providing SOC analysts with an actionable intelligent security analysis tool.

network intrusion detection, graph neural network, explainable AI, GNN, XAI, temporal modeling, BiGRU, LLM, cybersecurity, APT detection
Published 2026-05-15 13:56 | Recent activity 2026-05-15 14:00 | Estimated read 6 min

Section 01

[Introduction] XG-Temp: An Intelligent Network Intrusion Detection System Integrating Interpretable GNN and Temporal Modeling

This article introduces the XG-Temp system, which combines the interpretability of graph neural networks (GNN), temporal modeling capabilities, and large language model (LLM)-driven report generation. It aims to address three core challenges faced by current network intrusion detection systems (NIDS): detection accuracy, capturing temporal dependencies, and result interpretability. The system performs excellently on multiple standard datasets, providing security operations center (SOC) analysts with an actionable intelligent security analysis tool.

Section 02

Background: Current Dilemmas in Network Intrusion Detection

With the increasing complexity of attack methods such as advanced persistent threats (APT), traditional rule/signature-based NIDS struggle to cope with modern threats. Although deep learning models improve accuracy, their "black box" nature reduces analysts' trust and response efficiency. The XG-Temp project emerged to integrate explainable AI (XAI), temporal modeling, and LLM report generation to address the issues of detection accuracy, capturing temporal dependencies, and result interpretability.

Section 03

Core Capabilities and Architecture: Unified Design of Four Key Capabilities

XG-Temp integrates four key capabilities:

1. Intrinsic interpretability: embedding GNNExplainer and Integrated Gradients into the training process.
2. Adaptive temporal processing: BiGRU + sliding window to capture long-range dependencies.
3. XU-Loss: dynamically adjusting class and confidence weights to handle imbalance.
4. LLM-driven report generation: outputting natural language explanations and disposal recommendations.

Additionally, the system models network traffic as a graph structure (nodes are IPs/ports, edges are communication relationships), and GNN layers extract spatial features to identify abnormal patterns.

Section 04

Temporal Modeling: Addressing Multi-Stage Features of APT Attacks

APT attacks run over long periods and proceed stealthily through multiple stages. XG-Temp uses BiGRU layers to process sequences of graph snapshots, obtained by dividing traffic into overlapping time windows. The bidirectional design leverages both past and future context, and the sliding window flexibly handles variable-length sequences. This design can detect attack behaviors that look normal at any single point in time but are abnormal as a sequence.
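The snapshot step described above, as an added example that is not XG-Temp's own code: it cuts flow records into overlapping windows, builds one graph per window, and compares a host's per-window fan-out with its fan-out across the whole sequence. The record layout, the node naming (source IP, destination "ip:port"), and the window width and stride are assumptions; the GNN and BiGRU stages are not included.

```python
from collections import defaultdict

# Constructed sample flows: (timestamp_s, src_ip, dst_ip, dst_port)
FLOWS = [
    (0, "10.0.0.5", "10.0.0.20", 443),
    (12, "10.0.0.5", "10.0.0.21", 445),
    (25, "10.0.0.7", "10.0.0.20", 443),
    (31, "10.0.0.5", "10.0.0.22", 445),
    (48, "10.0.0.5", "10.0.0.23", 445),
    (55, "10.0.0.7", "10.0.0.20", 443),
]

def build_snapshots(flows, width, stride):
    """One graph snapshot per half-open window [start, start + width)."""
    if width <= 0 or stride <= 0:
        raise ValueError("width and stride must be positive")
    if not flows:
        return []
    flows = sorted(flows)
    start, t_last = flows[0][0], flows[-1][0]
    snapshots = []
    while start <= t_last:
        edges = defaultdict(int)  # (src node, dst node) -> flow count
        for ts, src, dst, dport in flows:
            if start <= ts < start + width:
                # Assumed node naming: source IP, destination "ip:port"
                edges[(src, f"{dst}:{dport}")] += 1
        nodes = sorted({n for edge in edges for n in edge})
        snapshots.append({"start": start, "nodes": nodes, "edges": dict(edges)})
        start += stride  # stride < width makes consecutive windows overlap
    return snapshots

def fan_out_series(snapshots, src):
    """Distinct destination nodes contacted by src in each snapshot."""
    return [sum(1 for s, _ in snap["edges"] if s == src) for snap in snapshots]

def distinct_peers_over_sequence(snapshots, src):
    """Distinct destination nodes contacted by src across the whole sequence."""
    return len({d for snap in snapshots for s, d in snap["edges"] if s == src})

if __name__ == "__main__":
    snaps = build_snapshots(FLOWS, width=30, stride=15)
    print(fan_out_series(snaps, "10.0.0.5"))                # per window
    print(distinct_peers_over_sequence(snaps, "10.0.0.5"))  # across sequence
```

On the constructed flows, no single window shows the host reaching more than two destinations, while the sequence as a whole shows four, which is the kind of signal only a sequence model sees.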

Section 05

XU-Loss Innovation and Experimental Performance

Cybersecurity data has an extreme class imbalance problem. XU-Loss addresses this through class reweighting (increasing weights for minority classes) and uncertainty awareness (assigning high weights to low-confidence samples). Experimental results: the binary classification F1 score reaches 99.98% on CIC-IDS2018-V3, 99.84% on UNSW-NB15-V3, and 99.99% on NF-BoT-IoT-V2. It also performs excellently in multi-class classification, with strong generalization ability.

Section 06

Interpretability Mechanism and LLM Report Generation

XG-Temp provides interpretability at two levels: the feature level (Integrated Gradients quantifies feature contributions) and the structure level (GNNExplainer identifies key subgraphs). The system feeds these technical explanations into an LLM to generate natural language reports that explain the detection basis, attack paths, and disposal recommendations, thereby improving SOC efficiency.

Section 07

Practical Significance and Future Outlook

XG-Temp brings a paradigm shift for enterprise security teams: from "detection and alerting" to "detection-explanation-recommendation", reducing analysts' burden. It demonstrates the direction of AI security systems balancing performance and interpretability, and will play a more important role in network defense in the future. Summary: XG-Temp organically combines GNN, temporal modeling, uncertainty learning, and LLM, providing an innovative solution for network intrusion detection.