GitHub: SManojna/zeek-meta-graph-phishing-detection
# zeek-meta-graph-phishing-detection
Comparative analysis exploring whether Graph Attention Networks, meta‑graph attention, and Zeek connection/HTTP logs can be combined into a forensically sound framework for detecting phishing infrastructure.
## Overview
This project investigates whether combining **Graph Attention Networks (GATs)**, **meta‑graph attention**, and **Zeek‑based network monitoring** can form a forensically effective framework for detecting phishing campaigns. It provides a comparative analysis of three recent research works, identifies a critical gap in the literature, and proposes a conceptual architecture that applies cross‑path semantic attention to heterogeneous network graphs.
## Key Technologies and Concepts
- **Graph Attention Networks (GATs)** – learn neighbour importance dynamically, enabling models to focus on suspicious connections such as phishing referrer links.
- **Meta‑Graph Attention** – merges multiple meta‑paths into unified structures to capture cross‑path interactions (e.g., a domain hosted on the same IP *and* referenced from a malicious URL).
- **Zeek Network Monitor** – provides the real‑world data source via `conn.log` and `http.log`, grounding the analysis in operational network forensics.
## Project Contribution
- Synthesizes three independent lines of research to reveal a productive tension between single‑path GATs and multi‑path meta‑graph models.
- Proposes a concrete conceptual architecture where Zeek logs are transformed into a heterogeneous graph (IPs, domains, referrers) and meta‑graph attention is applied to uncover coordinated phishing infrastructure.
- Identifies open engineering challenges, including the encoding of HTTP metadata (e.g., `Referer` headers) into graph features and the impact of temporal class imbalance on classification performance.
- Demonstrates the ability to translate complex machine learning concepts into actionable forensic insights, bridging research and real‑world security applications.
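As an added illustration of the log-to-graph step described above (example code written for this README, not part of the project), the snippet below parses a constructed Zeek `http.log` excerpt, builds a typed (heterogeneous) edge set over client IPs, server IPs and domains, and then applies the cross-path check from the meta-graph idea: domain pairs that share a hosting IP *and* are joined by a referrer edge. The log excerpt is constructed and keeps only the columns used here; a real `http.log` carries more fields, and Zeek's column for the HTTP `Referer` header is spelled `referrer`.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Zeek http.log excerpt (tab-separated, column subset only).
HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\treferrer
1700000000.1\tC1\t10.0.0.5\t203.0.113.10\tlogin-verify.example\thttp://promo-mail.example/offer
1700000001.2\tC2\t10.0.0.5\t203.0.113.10\taccount-check.example\thttp://login-verify.example/next
1700000002.3\tC3\t10.0.0.7\t198.51.100.20\tnews.example\t-
"""


def parse_zeek_tsv(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split("\t")))
            # Zeek writes "-" for unset fields; normalise to None.
            yield {k: (None if v in ("-", "(empty)") else v) for k, v in rec.items()}


def build_hetero_graph(records):
    """Return a relation -> {(src, dst)} map: the heterogeneous graph's typed edges."""
    edges = defaultdict(set)
    for r in records:
        host = r.get("host")
        if not host:
            continue
        edges["hosts"].add((r["id.resp_h"], host))        # server IP -> domain
        edges["requests"].add((r["id.orig_h"], host))     # client IP -> domain
        if r.get("referrer"):
            ref_dom = urlsplit(r["referrer"]).hostname
            if ref_dom and ref_dom != host:
                edges["refers_to"].add((ref_dom, host))   # domain -> domain
    return edges


def cross_path_pairs(edges):
    """Domain pairs on the same hosting IP that are also linked by a referrer edge
    (the 'same IP AND referenced' cross-path interaction a meta-graph captures)."""
    cohosted = defaultdict(set)
    for ip, dom in edges["hosts"]:
        cohosted[ip].add(dom)
    same_ip = {frozenset((a, b)) for doms in cohosted.values()
               for a in doms for b in doms if a != b}
    linked = {frozenset(e) for e in edges["refers_to"]}
    return sorted(tuple(sorted(p)) for p in same_ip & linked)
```

On the constructed excerpt, `cross_path_pairs` flags `account-check.example` and `login-verify.example`, which sit on the same server IP and chain to each other via the referrer, while `news.example` is untouched.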
## Context
This research was completed as part of the Threat Intelligence and Incident Response course within the Master’s program in Data Science and Artificial Intelligence.
## References
P. Veličković et al., “Graph attention networks,” ICLR, 2018.
S. Bi et al., “Meta‑graph enhanced heterogeneous graph neural network for cyber attack behavior detection,” IEEE DSC, 2025.
T. Hristov, “An intrusion detection system using graph neural networks,” M.S. thesis, TU Delft, 2025.