From Flow Features to Communication Topology: Adaptive Graph Attention Network-Based IoMT Intrusion Detection

preprint OA: closed CC-BY-4.0
🔓 Open OA copy View at publisher
AI-generated summary by claude@2026-07, 2026-07-16

This study demonstrates that communication topology graphs improve IoMT intrusion detection with GNNs, particularly for topology-heavy attacks, and highlights the critical impact of representation choice and evaluation protocol over model complexity.

One-sentence paraphrase of the abstract; not a substitute for reading it. No clinical advice. How this works

Abstract

Graph neural networks have been increasingly explored for network intrusion detection, yet the effect of graph construction strategy on detection performance remains underexamined, particularly for IoMT networks. In this study, we systematically investigate how data representation, graph construction, evaluation protocol, and task formulation shape the effectiveness of graph-based intrusion detection on the CICIoMT2024 benchmark data. We compare three representation strategies: flow-level tabular features, feature-similarity graphs, and PCAP-derived communication-topology graphs constructed from raw packet captures. We further examine the effect of domain-typed edge augmentation, PCAP-level validation protocols, and task decomposition into topology-heavy and protocol-heavy attack categories. Our results show that feature-similarity graphs provide no reliable advantage over Random Forest baselines, whereas PCAP-derived communication topology enables GNNs to become competitive on topology-heavy attacks. Third, domain-aware edge typing improves both performance and stability. Fourth, under proper PCAP-level validation with session-aware splits, previously reported gains diminish substantially, underscoring the importance of evaluation protocol. Fifth, in our experiments on this dataset, GNN effectiveness depends on attack category: topology-heavy attacks (DDoS, DoS, Recon) benefit from graph modeling, while protocol-heavy attacks (MQTT, Spoofing) do not. Across five random seeds, a domain-typed Adaptive Edge-Weighted GAT achieves a macro-F1 of 0.800 ± 0.026 on the topology-heavy subset, compared with 0.784 ± 0.020 for Random Forest. These results suggest that in IoMT intrusion detection, representation of choice and evaluation protocol matter more than architectural complexity.

My notes (saved in your browser only)

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2026) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00
unpaywall
last seen: 2026-05-22T02:00:06.705733+00:00
License: CC-BY-4.0