Upload README.md with huggingface_hub
Browse files
README.md
ADDED
|
@@ -0,0 +1,52 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
---
|
| 2 |
+
tags: [graph-neural-network, cybersecurity, rgcn, pytorch-geometric, multi-cloud]
|
| 3 |
+
---
|
| 4 |
+
# Stage 6 — Heterogeneous Structural GNN (RGCN)
|
| 5 |
+
## Multi-Cloud Threat Detection Pipeline — Holistic Version
|
| 6 |
+
|
| 7 |
+
**Library**: PyTorch Geometric (RGCNConv)
|
| 8 |
+
**Design**: Schema-agnostic — works with any node/edge types, any feature dimension
|
| 9 |
+
|
| 10 |
+
### Architecture
|
| 11 |
+
- Input: any fdim → zero-padded to MAX_FDIM=1024 → Linear(1024→256)
|
| 12 |
+
- 3-layer RGCNConv (256→256→128), num_relations=20
|
| 13 |
+
- PEFT Adapters (rank=16) after layers 1 and 2
|
| 14 |
+
- DistMult edge anomaly scoring per relation type
|
| 15 |
+
|
| 16 |
+
### Master Schema
|
| 17 |
+
- **Node types (15)**: User, VM, IP, Role, CVE, Container, CloudAccount, Subnet, Bucket, Function, Cluster, Pod, Database, LoadBalancer, Gateway
|
| 18 |
+
- **Edge types (20)**: EXPLOITS, CROSS_CLOUD_ACCESS, CONNECTS_TO, EXPLOITS, ACCESS, ASSUMES_ROLE, CONNECTS_TO, RESTART_VM, START_VM, STOP_VM, DEPLOYED_ON, HAS_VULN, LATERAL_MOVEMENT, GRANTS_ACCESS, RUNS_ON, EXPLOITS, ACCESS, TRIGGERS, ACCESS, CONTAINS
|
| 19 |
+
|
| 20 |
+
### Active Schema (this run)
|
| 21 |
+
- **Node types**: User, VM, IP, Role, CVE
|
| 22 |
+
- **Edge types**: 10
|
| 23 |
+
- **Supervised**: User, Role
|
| 24 |
+
|
| 25 |
+
## Ablation Results (Test Set)
|
| 26 |
+
|
| 27 |
+
| Model | Type | Params | User_AUC | User_F1 | User_AP | Role_AUC | Role_F1 | Role_AP |
|
| 28 |
+
|:--------|:---------|:----------|-----------:|----------:|----------:|-----------:|----------:|----------:|
|
| 29 |
+
| RGCN | PRIMARY | 8,515,599 | 0.5 | 0 | 0.5 | 0.5 | 0 | 0.5 |
|
| 30 |
+
| GCN | BASELINE | 5,219,855 | 0.5 | 0 | 0.5 | 0.5 | 0 | 0.5 |
|
| 31 |
+
| GAT | BASELINE | 5,320,207 | 0.5 | 0 | 0.5 | 0.5 | 0 | 0.5 |
|
| 32 |
+
| SAGE | BASELINE | 5,383,695 | 0.5 | 0 | 0.5 | 0.5 | 0 | 0.5 |
|
| 33 |
+
|
| 34 |
+
## Usage — Stage 7 API Integration
|
| 35 |
+
```python
|
| 36 |
+
import torch
|
| 37 |
+
from huggingface_hub import hf_hub_download
|
| 38 |
+
|
| 39 |
+
# Load once, call forever
|
| 40 |
+
ckpt = torch.load(hf_hub_download("adarsh-aur/rgcn-security-zero-embedding", "model_RGCN.pt"))
|
| 41 |
+
model = HeteroRGCN()
|
| 42 |
+
model.load_state_dict(ckpt['model_state_dict'])
|
| 43 |
+
model.eval()
|
| 44 |
+
|
| 45 |
+
# Works with any graph snapshot from Stage 5
|
| 46 |
+
with torch.no_grad():
|
| 47 |
+
h_v, offsets, logits = model(graph_snapshot)
|
| 48 |
+
# h_v shape: [total_nodes, 128] → feed to Stage 7 GRU
|
| 49 |
+
# New node/edge types: silently skipped
|
| 50 |
+
# Missing node/edge types: silently skipped
|
| 51 |
+
# Different fdim: auto-padded/truncated to 1024
|
| 52 |
+
```
|