Interpreting Manifolds and Graph Neural Embeddings from Internet of Things Traffic Flows

The rapid expansion of Internet of Things (IoT) ecosystems has led to increasingly complex and heterogeneous network topologies. Traditional network monitoring and visualization tools rely on aggregated metrics or static representations, which fail to capture the evolving relationships and structural dependencies between devices. Although Graph Neural Networks (GNNs) offer a powerful way to learn from relational data, their internal representations often remain opaque and difficult to interpret for security-critical operations. Consequently, this work introduces an interpretable pipeline that generates directly visualizable low-dimensional representations by mapping high-dimensional embeddings onto a latent manifold. This projection enables the interpretable monitoring and interoperability of evolving network states, while integrated feature attribution techniques decode the specific characteristics shaping the manifold structure. The framework achieves a classification F1-score of 0.830 for intrusion detection while also highlighting phenomena such as concept drift. Ultimately, the presented approach bridges the gap between high-dimensional GNN embeddings and human-understandable network behavior, offering new insights for network administrators and security analysts.

💡 Research Summary

The paper addresses the growing complexity of Internet‑of‑Things (IoT) networks, where traditional monitoring tools based on aggregated metrics fail to capture the evolving relational structure among devices. While Graph Neural Networks (GNNs) have become the de‑facto approach for learning from graph‑structured traffic, their high‑dimensional embeddings remain opaque, limiting adoption in security‑critical contexts. To bridge this gap, the authors propose an integrated pipeline that simultaneously learns a GNN for intrusion detection and a low‑dimensional manifold representation of the same embeddings.

The pipeline consists of three main components. First, raw IoT flow logs are transformed into heterogeneous graphs: nodes represent devices, ports, or protocols, and edges encode communication events. A Graph Isomorphism Network (GIN) is employed as the backbone GNN because its sum‑aggregation and learnable ε parameter provide strong expressive power for capturing subtle topological differences. Second, instead of applying a post‑hoc dimensionality reduction, the authors embed a parametric Uniform Manifold Approximation and Projection (P‑UMAP) network directly into the training objective. The total loss is a weighted sum of a standard cross‑entropy intrusion‑detection loss and a UMAP‑based topological loss that forces the high‑dimensional GIN embeddings to preserve their fuzzy simplicial structure when mapped to a d‑dimensional space (d ≪ D). This joint optimization ensures that the low‑dimensional projection is aligned with the decision‑making features of the classifier, eliminating the drift that often occurs with purely post‑hoc visualizations. Third, to provide feature‑level explanations, the authors compute Shapley Additive Explanations (SHAP) on the combined model. SHAP values are derived for each raw traffic attribute (packet size, protocol type, inter‑arrival time, etc.), allowing analysts to see which features drive both the placement of a sample on the manifold and its final classification.

Experiments are conducted on publicly available IoT traffic datasets (e.g., NB‑IoT, UNSW‑NB15) using five‑fold cross‑validation. The joint GIN + P‑UMAP model achieves an F1‑score of 0.830 for binary intrusion detection, outperforming baseline GNN classifiers by 3–5 percentage points. Visualizations of the learned manifold reveal a dense cluster for benign traffic and dispersed outliers for various attack types (DoS, scanning, malware propagation). By tracking the manifold over time, the authors demonstrate the ability to detect concept drift, such as the introduction of new device types or firmware updates, before conventional detectors raise alarms. SHAP analysis shows that protocol type and packet size contribute most to manifold shifts and classification decisions, providing concrete, actionable insights for security operators.

The paper also discusses limitations. The choice of manifold dimensionality d is currently manual and can affect both visualization clarity and detection performance; an automated selection mechanism would be valuable. Computing exact SHAP values is computationally intensive, posing challenges for real‑time streaming scenarios; approximate or sampling‑based SHAP variants are suggested as future work. GIN’s memory footprint is relatively high, which may hinder deployment on large‑scale edge environments; exploring lighter GNN architectures (e.g., GraphSAGE, LightGCN) or hybrid models is a promising direction. Finally, while the current approach assumes static graphs per time window, IoT networks evolve continuously; integrating dynamic graph learning with incremental manifold updates is an open research avenue.

In summary, the authors present a coherent, end‑to‑end framework that transforms high‑dimensional GNN embeddings into an interpretable, visual manifold while simultaneously preserving detection accuracy. By coupling manifold learning with SHAP‑based feature attribution, the work offers both a “big‑picture” view of network state and granular explanations of individual alerts, thereby advancing the practical usability of GNN‑based intrusion detection in heterogeneous IoT ecosystems.