Pro-ZD: A Transferable Graph Neural Network Approach for Proactive Zero-Day Threats Mitigation
In today’s enterprise network landscape, the combination of perimeter and distributed firewall rules governs connectivity. To address challenges arising from increased traffic and diverse network architectures, organizations employ automated tools for firewall rule and access policy generation. Yet, effectively managing risks arising from dynamically generated policies, especially concerning critical asset exposure, remains a major challenge. This challenge is amplified by evolving network structures due to trends like remote users, bring-your-own devices, and cloud integration. This paper introduces a novel graph neural network model for identifying weighted shortest paths. The model aids in detecting network misconfigurations and high-risk connectivity paths that threaten critical assets, potentially exploited in zero-day attacks – cyber-attacks exploiting undisclosed vulnerabilities. The proposed Pro-ZD framework adopts a proactive approach, automatically fine-tuning firewall rules and access policies to address high-risk connections and prevent unauthorized access. Experimental results highlight the robustness and transferability of Pro-ZD, achieving over 95% average accuracy in detecting high-risk connections.
💡 Research Summary
The paper addresses the growing challenge of managing security risks in modern enterprise networks where firewall rules and Zero‑Trust (ZT) policies are increasingly dynamic due to remote work, BYOD, and cloud integration. While automated tools can generate firewall and access‑policy configurations at scale, they also introduce the risk of misconfigurations that may expose critical assets to attackers, especially in the context of zero‑day vulnerabilities, i.e. flaws that are unknown to defenders (and therefore unpatched) at the time they are exploited. Existing approaches, such as attack‑graph‑based risk assessment or conventional deep‑learning models, either require costly regeneration of the graph whenever the network changes or fail to incorporate the structural information of the network in a transferable way.
To overcome these limitations, the authors propose Pro‑ZD, a framework that (1) automatically identifies high‑risk connectivity paths that could be leveraged in zero‑day attacks, and (2) proactively mitigates those risks by adjusting firewall rules and ZT micro‑segmentation policies in real time. The technical core of Pro‑ZD is a novel Graph Neural Network (GNN) called GraphWSP (Weighted Shortest Path GNN). GraphWSP builds on the authors’ earlier Shortest‑Path GNN (SPGNN) but extends it in two crucial ways:
- It incorporates a stacked Graph Attention Network (GAT) to learn edge‑level importance, enabling the model to capture edge weights that represent risk factors such as port exposure, IP range breadth, and policy complexity.
- It introduces a loss function that directly optimizes for weighted‑shortest‑path embeddings, allowing the network to recover the true weighted distance from any node to a predefined set of critical‑asset nodes.
Because GraphWSP is trained inductively, on node and edge features rather than on the identities of nodes in one fixed graph, it can generate embeddings for previously unseen network topologies without retraining, which the authors demonstrate through transfer‑learning experiments across multiple enterprise environments.
The risk‑assessment module aggregates the weighted‑shortest‑path distance with additional meta‑features (open‑port count, asset criticality, policy entropy, etc.) to compute a risk score for each connection. Connections whose scores exceed a configurable threshold trigger automatic policy updates: firewall rules are tightened or blocked, and ZT policies are re‑written to eliminate the high‑risk path while preserving overall network functionality.
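The two pieces described above, the weighted distance from every host to the critical‑asset set that GraphWSP is trained to recover, and the risk‑score‑then‑remediate loop the risk‑assessment module builds on top of it, can be made concrete with a plain reference computation. The block below is an added example, not the paper's code or data: it replaces the GNN with exact multi‑source Dijkstra (the ground truth the embedding approximates), and the edge‑cost formula, the feature weights, the 0.6 threshold, the host names and the firewall rules are all assumptions of this example. Only two of the meta‑features the summary lists (open‑port count and asset criticality) are modelled; policy entropy is omitted.

```python
"""Added example (not the paper's code or data).

Reference implementation of the quantity GraphWSP is trained to approximate
(weighted shortest-path distance from every host to the critical-asset set) and
of the risk-scoring / remediation loop Pro-ZD layers on top of it. Everything
below is an assumption of this example: the edge-cost formula, the feature
weights, the 0.6 threshold, the host names and the rule set.
"""
import heapq
import math
from dataclasses import dataclass

MAX_PORT_BITS = math.log2(1 + 65535)   # normaliser for the port-exposure feature


@dataclass(frozen=True)
class Rule:
    """One 'allow' rule in the distributed firewall, modelled as a directed edge."""
    src: str
    dst: str
    ports: int         # number of destination ports the rule opens (1..65535)
    src_prefix: int    # source CIDR prefix length (0 = any source, 32 = one host)
    n_conditions: int  # number of clauses in the rule; proxy for policy complexity


def port_exposure(r: Rule) -> float:
    """0..1; log-scaled so 'one port' vs 'any port' spans the whole range."""
    return math.log2(1 + r.ports) / MAX_PORT_BITS


def edge_cost(r: Rule) -> float:
    """Traversal cost for an attacker: more exposure => cheaper edge => shorter path.
    (Assumed formula.) Kept strictly positive so Dijkstra is valid."""
    range_breadth = (32 - r.src_prefix) / 32
    complexity = min(r.n_conditions, 10) / 10
    exposure = (port_exposure(r) + range_breadth + complexity) / 3
    return 1.0 - 0.9 * exposure            # in [0.1, 1.0]


def distance_to_critical(rules, critical):
    """Multi-source Dijkstra over the reversed graph: dist[v] is the cheapest
    weighted path from host v to any critical asset (absent => unreachable)."""
    rev = {}
    for r in rules:
        rev.setdefault(r.dst, []).append((r.src, edge_cost(r)))
    dist = {c: 0.0 for c in critical}
    heap = [(0.0, c) for c in critical]
    while heap:
        d, v = heapq.heappop(heap)
        if d > dist.get(v, math.inf):
            continue                        # stale heap entry
        for u, w in rev.get(v, []):
            if d + w < dist.get(u, math.inf):
                dist[u] = d + w
                heapq.heappush(heap, (d + w, u))
    return dist


def risk_scores(rules, critical, criticality):
    """Per-connection risk in 0..1: proximity of the path *through this rule* to a
    critical asset, blended with two meta-features (port count, asset criticality
    of the destination). The 0.6/0.2/0.2 weights are illustrative."""
    dist = distance_to_critical(rules, critical)
    scores = {}
    for r in rules:
        through = edge_cost(r) + dist.get(r.dst, math.inf)
        proximity = 0.0 if math.isinf(through) else 1.0 / (1.0 + through)
        scores[r] = (0.6 * proximity
                     + 0.2 * port_exposure(r)
                     + 0.2 * criticality.get(r.dst, 0.0))
    return scores


def remediate(rules, critical, criticality, threshold=0.6):
    """Block every connection whose score exceeds the threshold; returns the
    tightened rule set and the blocked rules. Only the 'block' action is modelled;
    narrowing a rule in place is the other option the summary mentions."""
    scores = risk_scores(rules, critical, criticality)
    blocked = [r for r, s in scores.items() if s > threshold]
    kept = [r for r in rules if r not in blocked]
    return kept, blocked


# Constructed sample network (not from the paper).
RULES = [
    Rule("vpn-user", "jump", ports=1, src_prefix=0, n_conditions=1),   # any remote user -> jump host, one port
    Rule("jump", "app", ports=2, src_prefix=32, n_conditions=2),
    Rule("app", "db", ports=1, src_prefix=32, n_conditions=1),
    Rule("app", "monitor", ports=1, src_prefix=32, n_conditions=1),
    Rule("byod", "db", ports=65535, src_prefix=0, n_conditions=8),    # misconfiguration: any source, any port, straight to the crown jewel
]
CRITICAL = {"db"}
CRITICALITY = {"db": 1.0, "app": 0.5, "jump": 0.3, "monitor": 0.2}

if __name__ == "__main__":
    ranked = sorted(risk_scores(RULES, CRITICAL, CRITICALITY).items(), key=lambda kv: -kv[1])
    for r, s in ranked:
        print(f"{r.src:>8} -> {r.dst:<8} risk={s:.3f}")
    kept, blocked = remediate(RULES, CRITICAL, CRITICALITY)
    print("blocked:", [(r.src, r.dst) for r in blocked])
    still = distance_to_critical(kept, CRITICAL).get("byod", math.inf)
    print("byod can still reach db:", not math.isinf(still))
```

Running it ranks the BYOD‑to‑database rule far above everything else (its path cost to the critical asset is 0.16 against 0.95 for the legitimate application tier), blocks only that rule, and then re‑runs the distance computation to confirm two things a practitioner would check before trusting an automatic remediation: the offending host can no longer reach the critical asset at all, and the remaining hosts' distances are unchanged, so the fix did not cut a legitimate path.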
Experimental evaluation uses real‑world network data from several organizations, with ground‑truth labels supplied by network administrators indicating which connections are high‑risk. Results show that GraphWSP attains an average precision of 85 % and recall of 88 % in the intra‑domain setting, outperforming the state‑of‑the‑art SPA‑GAN (63 % precision). In a cross‑domain transfer scenario, GraphWSP maintains 75 % precision, whereas SPA‑GAN drops to 21 %. The full Pro‑ZD pipeline successfully blocks simulated zero‑day attack paths, reducing successful infiltration rates by over 90 %. Moreover, the authors employ topology‑based label propagation to mitigate label scarcity and demonstrate robustness against noisy training data.
Key contributions of the work are:
- A transferable GNN architecture for weighted shortest‑path computation that can be reused across heterogeneous networks without extensive re‑labeling.
- An end‑to‑end framework that couples risk detection with autonomous firewall and ZT policy remediation, thereby closing the loop between detection and mitigation.
- A practical validation on enterprise‑scale datasets, showing high accuracy, robustness, and the ability to operate under limited feature availability.
In conclusion, Pro‑ZD offers a scalable, adaptive, and proactive solution for zero‑day threat mitigation in dynamic enterprise environments. The authors suggest future work on extending the approach to multi‑cloud orchestration, integrating streaming telemetry for near‑real‑time updates, and quantifying the impact of policy changes on service‑level objectives.