TGN-SVDD: Dynamic Graph Intrusion Detection
- TGN-SVDD is a one-class novelty detection framework for dynamic graphs that uses temporal embeddings and a deep hypersphere objective to distinguish benign from anomalous events.
- The method integrates a Temporal Graph Network encoder that captures sequential node interactions and produces event representations by concatenating embeddings of interacting nodes.
- Empirical evaluations on datasets like CIC-IDS2017 demonstrate high ROC-AUC and effective anomaly detection, even under challenging conditions and noise.
TGN-SVDD, short for Temporal Graph Network Support Vector Data Description, is a one-class intrusion detection method for continuous-time dynamic graphs in which network flows are represented as time-stamped directed events between nodes and training uses only benign traffic. The method combines a Temporal Graph Network (TGN) encoder, which maintains node-wise temporal memory and produces event-time embeddings, with a Deep SVDD objective applied to the concatenation of the two endpoint embeddings. Normal interactions are therefore encouraged to lie in a compact region around a learned hypersphere center, and anomalous events are identified by large squared distances to that center (Liuliakov et al., 18 Aug 2025). In the current literature, the acronym refers principally to dynamic-graph intrusion detection; a later probabilistic extension targets noisy inputs (Liuliakov et al., 19 Aug 2025), whereas a radar paper discussing SVDD-based CFAR detectors does not define TGN-SVDD as an introduced method (Pinsolle et al., 11 Feb 2026).
1. Problem formulation and dynamic-graph setting
TGN-SVDD casts intrusion detection as one-class novelty detection on a dynamic graph. The graph is built from communication events, with vertices corresponding to IP addresses and each event corresponding to a directed communication between a source node and a destination node at a timestamp, augmented by a NetFlow feature vector. Detection is performed at the interaction-event level, not merely at the node or graph level. Training observes only benign traffic; malicious events are assumed to appear only at test time (Liuliakov et al., 18 Aug 2025).
The dynamic graph is formalized through time-indexed events. The node set is written as , the event set as , and the neighborhood of node as . A graph snapshot at time is . Each event is represented as
where is the source, is the destination, is the timestamp, and 0 is the event feature vector. In the reported experiments, the feature dimension is 61 NetFlow features (Liuliakov et al., 18 Aug 2025).
This formulation addresses two properties of network traffic emphasized in the literature: it is inherently sequential and inherently graph-structured. A plausible implication is that methods which ignore either temporal order or interaction structure are structurally mismatched to the task. TGN-SVDD is designed precisely to exploit both.
2. Temporal Graph Network encoder
The TGN component serves as the representation backbone. Each node 1 maintains a memory vector 2 that summarizes its interaction history up to time 3, and this memory is initialized to the zero vector at training start. For an interaction event 4 between nodes 5 and 6, the encoder retrieves the pre-event memories 7 and 8, constructs messages, updates memory via a learnable updater, and computes node embeddings using temporal attention over past interactions (Liuliakov et al., 18 Aug 2025).
The paper specifies the encoder abstractly as
9
with the shorthand 0 for the embedding of node 1 at event time 2. The implementation uses the PyTorch Geometric TGN encoder defaults rather than publishing explicit message-passing or attention equations. In that configuration, the reported dimensions are: time embedding dimension 200, memory dimension 200, and node embedding dimension 200 (Liuliakov et al., 18 Aug 2025).
TGN-SVDD uses both endpoint embeddings for event scoring. For an event between nodes 3 and 4, the model concatenates the two node embeddings, 5, and passes the result directly to the SVDD objective. Event features influence the anomaly detector only through the TGN encoder: the SVDD stage itself operates on the learned concatenated node representation.
A common misconception is to treat TGN-SVDD as a generic graph classifier with an auxiliary anomaly score. In fact, the TGN part is only the encoder; the detection principle is the one-class hypersphere compactness objective defined on event embeddings. The baseline paper explicitly contrasts this with vanilla TGN using a link-prediction decoder and reports that vanilla TGN performs poorly for intrusion detection on the same data (Liuliakov et al., 18 Aug 2025).
3. Deep SVDD objective and event-level decision rule
The SVDD component is the detector proper. For an event 6 between nodes 7 and 8, the anomaly score is
9
where 0 is the center of the hypersphere in embedding space. The training objective is
1
with 2 the number of training events, 3 the TGN encoder parameters, and 4 a weight-decay coefficient (Liuliakov et al., 18 Aug 2025).
Several aspects distinguish this from classical kernel SVDD. No radius 5 is learned, no 6 parameter is used, and the center 7 is trainable rather than fixed as a precomputed mean. The method therefore instantiates a Deep SVDD formulation rather than classical soft-boundary SVDD (Liuliakov et al., 18 Aug 2025).
At inference time, the score is thresholded. The decision threshold 8 is set as the 0.99 percentile of training scores, and events with 9 are flagged as anomalies. Because events are processed in timestamp order and the node memories are updated after each event, the procedure supports online scoring in a natural way: each new event is embedded using the current temporal state, scored against the learned center, and then used to update the temporal state (Liuliakov et al., 18 Aug 2025).
This design gives TGN-SVDD a clear operational interpretation. The TGN encoder captures temporal interaction context, while Deep SVDD imposes compactness of benign event embeddings. Large deviations from the benign manifold produce large squared distances and therefore anomaly alarms.
4. Data preparation, temporal splits, and training protocol
The principal evaluation uses CIC-IDS2017, represented as a dynamic graph derived from NetFlows extracted with NFStream. Nodes are IP addresses mapped to unique IDs, timestamps are taken from the first packet time of each flow, and all continuous features are scaled to 0. To produce time-respecting data streams, Monday benign traffic is concatenated before one malicious weekday, and timestamps are re-based so that the resulting stream is continuous and monotonically increasing (Liuliakov et al., 18 Aug 2025).
For each day-pair, the split is fixed in event time: the first 200,000 events are used for training, the next 70,000 for validation, and the remaining events for testing. Training and validation contain only normal events; attacks appear only in the test portion. The paper reports the following day-pair statistics (Liuliakov et al., 18 Aug 2025):
| Day-pair | Events | Nodes / features |
|---|---|---|
| Tuesday | 572,087 | 12,972 / 61 |
| Wednesday | 597,202 | 13,595 / 61 |
| Thursday | 614,336 | 13,611 / 61 |
| Friday | 753,468 | 13,314 / 61 |
The reported implementation uses Python 3.9, PyTorch, and PyTorch Geometric. Training is performed for 25 epochs, with strict temporal order preserved throughout processing. The paper does not specify optimizer, learning rate, batch size, gradient clipping, or the numerical value of 1 in the text, referring instead to the released code for exact settings (Liuliakov et al., 18 Aug 2025).
A notable methodological addition is the paper’s “more challenging variant.” The original data contain a dominant attacker source IP, node 32, that appears only during test, which could enable trivial detection based on source identity. To reduce this shortcut, the authors randomly select 500 normal training events with source node 31, duplicate them, replace the source with node 32, and inject these 500 events into training as additional normal examples. This modification forces the learned boundary to treat node 32 as potentially benign and therefore tests whether the detector relies on interaction dynamics rather than a single unseen identifier (Liuliakov et al., 18 Aug 2025).
5. Empirical performance and comparative behavior
The baseline comparison includes LOF in novelty and outlier modes, Isolation Forest, and vanilla TGN. Two evaluation scenarios are reported: one using event features and one in which all event features are set to zero so that TGN-SVDD relies only on temporal dynamics (Liuliakov et al., 18 Aug 2025).
With features, TGN-SVDD reports the following headline results. On Tuesday, ROC-AUC is 0.999 and F1 is 0.878, with precision 0.783 and recall 1.000. On Wednesday, ROC-AUC is 0.999 and F1 is 0.964, with precision 0.930 and recall 1.000. On Thursday, ROC-AUC is 0.994 but F1 drops to 0.068 because precision is 0.035 despite recall 0.997. On Friday, ROC-AUC is 0.995 and F1 is 0.993, with precision 0.992 and recall 0.993 (Liuliakov et al., 18 Aug 2025).
Without features, the method remains strong: Tuesday ROC-AUC 0.999 and F1 0.931; Wednesday ROC-AUC 0.999 and F1 0.967; Thursday ROC-AUC 0.992 and F1 0.056; Friday ROC-AUC 0.994 and F1 0.991. The paper summarizes the overall pattern as consistent superiority over all baselines across days and scenarios, while noting that Isolation Forest approaches TGN-SVDD only on Wednesday with features (Liuliakov et al., 18 Aug 2025).
The Thursday results are important for interpretation. They show that a very high threshold percentile such as 0.99 can yield very high recall but very low precision, illustrating a pronounced precision–recall trade-off. This is not presented as a contradiction to the ROC-AUC results; rather, it shows that ranking quality and thresholded classification quality can diverge substantially.
The “more challenging variant” further clarifies what the model learns. After injecting benign occurrences of node 32 into training, TGN-SVDD still maintains strong performance. On Friday under this modification, the reported metrics are ROC-AUC 0.999, precision 0.995, recall 0.999, and F1 0.997 (Liuliakov et al., 18 Aug 2025). This suggests that the detector is not reducible to a simple unseen-IP heuristic.
6. Variants, related architectures, and terminological ambiguity
A direct extension of TGN-SVDD is the probabilistic model introduced in “Noise Robust One-Class Intrusion Detection on Dynamic Graphs” (Liuliakov et al., 19 Aug 2025). That work describes a probabilistic version of the Temporal Graph Network Support Vector Data Description model in which the TGN encoder predicts, for each event, Gaussian parameters rather than only deterministic embeddings. For an event between nodes 2 and 3, the model predicts means and per-dimension standard deviations, forms an event-level diagonal Gaussian, and trains via a Gaussian negative log-likelihood relative to a trainable center. It also introduces negative sampling with sampled node pairs and synthetic Gaussian targets, together with a two-stage inference rule: first a noise score
4
then an attack score
5
On CIC-IDS2017 with synthetic noise, this probabilistic variant remains markedly more stable than deterministic TGN-SVDD as noise increases; for example, on Friday the reported ROC-AUC sequence is 92.7 → 91.1 → 90.0 → 89.1 → 88.0 for the probabilistic model versus 83.0 → 73.3 → 67.0 → 60.9 → 56.1 for the baseline (Liuliakov et al., 19 Aug 2025).
TGN-SVDD also has a conceptual antecedent in Deep Graph Stream SVDD (DGS-SVDD) for cyber-physical systems (Azim et al., 2023). DGS-SVDD is not a TGN model: it uses a transformer to obtain temporal embeddings, constructs a dynamic weighted graph through sensor-type similarity, applies a variational graph auto-encoder for spatio-temporal representation learning, and finally learns a hypersphere over normal embeddings. The shared principle is the use of one-class hypersphere learning on graph-temporal embeddings, but the temporal encoder and graph construction mechanisms differ substantially.
A separate source of ambiguity arises from the radar literature. “Support Vector Data Description for Radar Target Detection” studies kernel SVDD and Deep SVDD as CFAR detectors for heavy-tailed clutter, but explicitly states that “TGN-SVDD” is not introduced or defined anywhere in the provided paper (Pinsolle et al., 11 Feb 2026). That paper discusses only a hypothetical mapping of the label to possible texture-normalized or gamma-normalized SVDD variants. Consequently, in the published record summarized here, TGN-SVDD is properly associated with dynamic-graph intrusion detection, not with radar CFAR detection.
Taken together, these related works position TGN-SVDD as a member of a broader family of graph-temporal one-class detectors. Its specific contribution is the end-to-end coupling of a temporal dynamic-graph encoder with a Deep SVDD objective at the event level, tailored to streaming intrusion detection.