Adversarial Reconstruction with Spectral-Augmented and Graph Joint Embedding for Network Anomaly Detection

Abstract

Network anomaly detection is widely used in network analysis and security prevention, in which reconstruction-based approaches have achieved remarkable results. However, attributed networks exhibit highly nonlinear relationships and time dependence over time, which make the anomalies more complex and ambiguous, resulting in anomaly detection still facing challenges. To this end, this study proposes an adversarial reconstruction framework with spectral-augmented and graph joint embedding for anomaly detection (GAN-SAGE), which integrates an autoencoder (AE) based on the frequency feature enhanced graph transformer (GT) into the generator for generating adversarial networks (GAN), improving network representation through adversarial training. The first stage of the encoding process captures the frequency domain information of the input timing data through spectral-augmented, and the second stage enhances the modeling capability of spatial structure and graph interaction dependency through multi-attribute coupling and GTs. We conducted extensive experiments on AIOps, SWaT and WADI datasets, demonstrating the effectiveness of GAN-SAGE compared to the state-of-the-art method. The detection performance of GAN-SAGE, respectively, improved by an average of 9.64%, 18.73% and 19.79% in terms of F1-score across the three datasets.

1. Introduction

Attributed networks [1] are graph structures used to store information about complex systems. In these graphs, vertices represent entities, and edges represent relationships between entities. Each node and edge is typically associated with a set of rich features. In the real world, telecommunication networks, information networks and industrial control networks can be considered as attributed networks. Taking information networks as an example, nodes can represent application devices or users, with attributes such as resource usage and security status. The edges represent the connections between different application devices, and their attributes may include performance metrics such as bandwidth and latency.

With advancing technology and the growing complexity of network environments, network security risks are rapidly evolving, becoming more intricate and diverse, thus, placing higher demands on network defense capabilities. Detecting data anomalies is crucial for many security-related applications [2]. Anomaly detection as a key technology for ensuring network security, involves using specific methods to identify events or observations that are inconsistent with the behavior of most data [3]. Anomaly detection in attributed networks can identify vulnerable nodes to prevent network attacks or failures, serving as a critical prerequisite for ensuring smooth network operations and addressing security vulnerabilities [4].

The use of GANs has gradually become a new trend in anomaly detection [5]. When using GANs for reconstruction-based anomaly detection, the AE serves as a generator, capturing the normal data distribution and mapping it to a latent space during adversarial training, enabling it to function as an anomaly detector by encoding normal samples into latent vectors to learn feature distributions. However, attributed networks nodes not only contain their own attribute information but are also interconnected with other nodes through diverse connection relationships. Additionally, they exhibit highly nonlinear relationships and time-dependent properties over time, making the definition of anomalies more complex and ambiguous. Traditional autoencoding methods show limitations in capturing critical contextual information and complex dependencies. In networks involving complex attributes, such as information networks and industrial control networks, where network components evolve over time with high-dimensional characteristics and multi-scale fluctuations, standard AEs often overly smooth these fine-grained network features, leading to the loss of key anomaly signals [6]. Therefore, it is necessary to enhance learning from normal data, improve the quality of learned representations, and enhance model robustness by identifying a wide range of complex network features [7,8] thereby, improving the accuracy and reliability of anomaly detection.

In attributed networks where both nodes and edges play significant roles, different components interact to execute network tasks. Relying solely on single information sources is insufficient to meet the representation demands of complex scenarios [9]. Network embedding [10] is an efficient tool for graph mining that maps large-scale complex networks to low-dimensional spaces, capturing the rich information within the network to support analysis tasks [11,12], where joint embedding methods for nodes and edges have garnered significant attention due to their ability to comprehensively capture network features. To address the complex interaction features present in attributed networks, joint embedding can be utilized to accurately model the graph-structured data of attributed networks, thereby enhancing their network embedding performance. However, when handling complex attributed networks with long-range dependencies, traditional graph representation paradigms such as graph convolution networks (GCNs) [13,14,15], which rely solely on local neighborhood information for feature aggregation, struggle to capture global structural patterns, potentially leading to over-squashing [16] and under-reaching [17]. To address their limitations in capturing long-range dependencies and adapting to complex graph structures, introducing the GT with strong relationship induction biases into graph representation enables better learning of entities, relationships and combination rules, offering an emerging perspective for graph learning [18,19].

Attributed networks exhibit complex graph structures characterized by strong heterogeneity and high dimensionality, whose topological properties pose significant challenges for traditional anomaly detection methods [20]. Meanwhile, most graph anomaly detection methods focus on extracting temporal features [21]. Some methods enhance the detection capabilities by combining the correlations between variables, primarily by comprehensively considering the temporal features of node neighbors [22,23,24], but struggle to capture long-range dependencies and complex interaction features. Additionally, the temporal data in attributed networks exhibit complex joint correlations, making anomaly behavior more ambiguous [25]. To address this problem, this study investigates the feasibility of enhancing anomaly detection accuracy by leveraging the interactive features between nodes and edges in the network topology [7,8,18,25]. A novel adversarial reconstruction framework for anomaly detection is proposed, based on spectral-augmented and graph joint embedding. This method uses GANs as its basic framework, integrating the frequency feature enhancement GT into the AE as the GAN generator. Additionally, a synchronous encoder is introduced to adjust the generator’s learning ability in the latent space of normal data. The frequency feature enhanced GT aims to extract spectral features from time-series data to enhance the representation capability of complex interaction relationships in attributed networks. The entire anomaly detection architecture is trained using only normal samples, enabling unsupervised network anomaly detection. Through adversarial training, it enhances the learning ability of the data’s latent representation, thereby improving the accuracy of anomaly detection.

The main contributions can be summarized as follows:

(1) Adversarial detection framework with enhanced network representation: In order to achieve efficient and robust anomaly detection using only normal samples, we propose a composite framework centered on a frequency feature enhanced GT-based AE structure. We introduce synchronous encoders and generators for collaborative optimization, and use discriminators to evaluate reconstruction quality, thereby enhancing the ability to model normal data distributions.

(2) Spectral-augmented temporal dependency extraction: In order to extract temporal dependency features from attributed network, spectral decomposition is employed to transform time-series data into multi-scale time-frequency representations, followed by targeted enhancement of different frequency components, thereby enhancing the model’s capacity to represent complex dynamic behavior and improving anomaly detection accuracy.

(3) Multi-attribute graph joint embedding: In order to address the shortcomings of high dimensional and complex interaction analysis methods in attributed networks, we first unify the modeling of multi-attribute information for nodes and links in the extraction of data features. We then introduce position encoding and graph joint embedding to capture the global dependency structure, thereby effectively improving the ability to represent the network’s operating status.

2. Related Work

Deep learning methods can extract complex and high dimensional features from data. Many researchers have utilized deep learning methods for graph anomaly detection, broadly classified into two categories: graph anomaly detection based on network representation and graph anomaly detection based on reconstruction [20].

2.1. Graph Anomaly Detection Based on Network Representation

The main research approach for graph anomaly detection based on network representation is to encode the graph into an embedding space and then perform anomaly detection. In time-series data with graph structure, a graph neural network (GNN) is a representative network of graph-based deep learning models, and most graph anomaly detection methods are based on GNNs to learn graph features and identify anomaly patterns [26,27]. In graph anomaly detection methods based on network representation, there are two types: aggregation mechanism and feature transformation.

2.1.1. Aggregation Mechanism

Feature aggregation is a simple and effective GNN representation method that learns network representations by aggregating node neighbor information in a graph.

Graph attention networks (GATs) [14] as a classical feature aggregation method dynamically aggregates features through an attention mechanism that allows each node to be given different weights depending on the importance of its neighboring nodes. To address the problem of unknown anomaly patterns in attributed networks, Zhou et al. [28] utilized neighbor information to determine anomaly criteria and proposed the abnormality-aware graph neural network (AAGNN), which employs subtraction aggregation to determine each node’s deviation relative to its neighbors. To enhance the ability to select appropriate neighborhood information in graph clustering mechanisms, Beid et al. [29] proposed an unsupervised graph Anomaly Detection (RAND) that amplifies reliable neighbor information and reduces unreliable neighbor information through a reinforcement anomaly evaluation module and an anomaly-aware aggregator. Ma et al. [30] explored the importance of inter-graph structural and attribute information, proposing a deep evolutionary graph mapping framework named GmapAD₁. This framework performs adaptive mapping by considering the similarity between graphs and representative nodes, thereby learning the clear boundaries between anomalies and normal graphs. Furthermore, addressing the heterogeneity issue in graph anomaly detection, Gao et al. [31] prune edges across different clusters by emphasizing high-frequency components in the spectral domain representation of graphs. To mitigate biases caused by inconsistent behavioral patterns in graphs, Wang et al. [32] proposed a node representation learning method named Deep Cluster Infomax (DCI), which captures the intrinsic graph properties by clustering the entire graph into multiple parts.

2.1.2. Feature Transformation

The datasets involved in graph anomaly detection usually contain a large amount of noise information. Therefore, another method detects anomalies by transforming the graph features.

To fully exploit the nonlinear and sparse characteristics of networks, Pei et al. [33] proposed a residual graph convolutional network (ResGCN), which uses attention mechanisms for deep residual modeling of networks. Liu et al. [34] proposed a contrastive self-supervised learning framework based on GNNs, aiming to learn informative embedding from high-dimensional attributes and local structure. Considering that existing graph anomaly detection tends to consider only single-scale views, Jin et al. [35] proposed a novel graph anomaly detection framework named ANEMONE, which can simultaneously identify anomalies across multiple graph scales. To further enhance the learning capability of complex relationships in graph structures, Ailin et al. [36] encoded relationships between nodes as edges, fully learning network embedding via attention-based GNNs. To address the issue of information loss across different graph structures, Du et al. [37] proposed a topology adaptive graph convolutional network (TAGCN) that uses a set of fixed-size learnable filters to capture local features of nodes in the graph, thereby avoiding the linear approximation issues associated with filters of a single size. To fully unlock the potential of edge feature topology in graph networks, Deng et al. [22] constructed an interval-constrained traffic graph by considering the time correlation of traffic flows, and further learned a combined representation of statistical flow features and flow topological structure based on adaptive graph convolutions.

2.2. Graph Anomaly Detection Based on Reconstruction

However, graph anomaly detection based on network representations faces the challenge of a lack of high-quality anomaly annotation data in practice. Therefore, many research efforts have shifted to modeling the features of normal or abnormal states. Among them, anomaly detection based on reconstruction are widely used methods in deep learning, where the model is trained to learn the features of normal data and reconstruct them into an approximate representation of the original data. Common methods include reconstruction based on a graph autoencoder (GAE) and reconstruction based on adversarial learning.

2.2.1. Graph Autoencoder

A GAE [38] is a commonly used method in graph reconstruction anomaly detection. They consist of a graph encoder and a graph decoder, which encode graph data into low-dimensional representations and reconstruct the original graph data through the decoder to achieve anomaly detection. The fundamental idea behind a GAE is that most normal samples can be reconstructed effectively, whereas anomalous samples, whose features differ substantially from those of normal data, are reconstructed poorly and, thus, yield large reconstruction errors. By calculating the reconstruction error for each node or graph instance, it is possible to effectively identify abnormal nodes that exhibit significant deviations from the normal pattern.

Attributed networks typically exhibit characteristics such as long-term time series, graph structures and multi-attributes. During the reconstruction phase, it is necessary to consider both their temporal features and the relational features between variables. For graph-structured data, a GAE has been proposed to leverage GNNs for encoding graph structures and node attributes, thereby enabling the detection of anomalies in graph data. To accurately obtain a low-dimensional latent representation of graph features, Park et al. [39] proposed a symmetric graph convolutional autoencoder to reconstruct node features. To further account for the temporal characteristics of graph structural attributes, Zhao et al. [23] used two graph attention layers to learn the complex dependencies between multivariate time series in both the temporal and feature dimensions. For system states under different temporal features, Zhang et al. [24] proposed a multi-scale convolutional recurrent encoder-decoder (MSCRED) that uses multi-scale feature matrices and attention-based convolutional networks to capture multi-level system correlations and temporal patterns, followed by a convolutional decoder to reconstruct features. To further optimize network embedding performance, Fan et al. [40] proposed a deep joint representation learning framework for anomaly detection through a dual autoencoder (AnomalyDAE), to capture complex interactions between network structure and node attributes. Considering the negative impact of network sparsity and data nonlinearity on detection performance, Ding et al. [25] reconstructs the original data through the collaboration of GCN and AE to detect anomalies from both structural and attribute perspectives.

2.2.2. Adversarial Learning

The GAN provides an effective solution for generating realistic synthetic samples that can be used for normal pattern learning in graph anomaly detection. Specifically, the generator generates samples that are statistically indistinguishable from real data, while the discriminator learns to differentiate real from generated samples. On the other hand, GANs can be used as a reconstruction-based anomaly detection framework, mainly by continuously learning and reconstructing graph data features from normal samples through adversarial learning.

By integrating GANs on a gradient inverse mapping approach, f-AnoGAN [41] uses GANs in reconstruction-based anomaly detection methods. Zhou et al. [42] applied a GAN to the reconstruction of time-series data, using an AE as the generator within the GAN. To avoid the limitations of anomaly detection based on a single data attribute, Qu et al. [43] integrates attention-based AE with a GAN to capture and fuse rich information from diverse data sources. Ding et al. [44] introduced adversarial learning into graph anomaly detection, proposing an adversarial graph differentiation networks (AEGIS) that further employ generative adversarial learning based on graph neural layers to detect data anomalies. Guo et al. [45] addressed the challenge of encoding complex graph data, proposing a graph generative adversarial network named RegraphGAN, which combines relative time encoding, diffusion-based spatial encoding and distance-based spatial encoding within the GAN framework.

3. Methodology

Attributed network nodes not only contain their own resource states as node attributes but also form complex interactive network structures with other nodes through call chains. These can be represented using the graph time-series structure $G=(V,E,X^v,X^e,T)$, where $V=\{v_1,v_2,\dots ,v_n\}$ denotes a finite set of network nodes, $E=\{e\left(v_{ij}\right)\mid v_i,v_j\in V\}$ denotes a finite set of connections between two adjacent nodes, $X^v\in {\mathbb{R}}^{n_v\times m_v\times L}$ denotes the feature set of each node in the network over time, $X^e\in {\mathbb{R}}^{n_e\times m_e\times L}$ denotes the feature set of each edge in the network over time, n and m, respectively, represent the number of nodes/edges and the number of features, while L denotes the length of the time series. For a single node or edge, its temporal features can be represented as $x_i^v=\{x_i^v\left(1\right),x_i^v\left(2\right),\dots ,x_i^v\left(L\right)\}\in {\mathbb{R}}^{m_v\times L}$ and $x_{ij}^e=\{x_{ij}^e\left(1\right),x_{ij}^e\left(2\right),\dots ,x_{ij}^e\left(L\right)\}\in {\mathbb{R}}^{m_e\times L}$.

Figure 1 shows the overall architecture of GAN-SAGE, where the generator, discriminator, and synchronous encoder undergo adversarial training to continuously learn the normal network representation. The frequency feature enhanced GT-based AE serves as the generator, consists of an encoder and a decoder. When receiving attributed network time-series data G, it first splits the data into node time-series data $X^v$ and edge time-series data $X^e$ based on the network definition, which serve as inputs to the encoder. These inputs undergo spectral-augmentation and are then fed into a multi-attribute graph joint embedding to obtain the joint embedded latent vector z of nodes and their adjacent edges in the attributed network. The decoder is responsible for reconstructing the latent vector back into the input data structure. The discriminator takes real and generated data as inputs and outputs the discrimination results. The synchronous encoder has the same structure as the encoder, takes generated data as input and outputs its latent vector $z^{\prime }$. During adversarial training, the synchronous encoder interacts with the generator to enhance the learning capability of network representations.

GAN-SAGE integrates spectral-augmentation, multi-attribute graph joint embedding, and adversarial training in a complementary manner to establish a progressive learning framework. Spectral-augmentation decomposes raw time series into multi-scale sub-band signals, followed by targeted enhancement of these components to mitigate noise interference, thereby providing robust input for multi-attribute graph joint embedding. The multi-attribute graph joint embedding module explicitly models nonlinear inter-attribute dependencies and higher-order network interactions, yielding a joint latent representation that accurately captures the network’s intrinsic behavioral patterns. This latent representation serves as a semantically coherent input for the adversarial training, enabling the GAN to learn the complex distribution of normal behavior within a relatively noise-free latent space. Consequently, the learned features are more focused on critical states and interaction patterns sensitive to anomalies, thereby enhancing anomaly detection performance.

3.1. Adversarial Learning Framework

The GAN-based reconstruction framework possesses powerful feature extraction capabilities [46]. This framework combines the adversarial training mechanism between the generator G and discriminator D, enabling the generator G to progressively learn the deep features and latent distribution structure of the data during the reconstruction process. However, when handling complex attributed network data, it may fail to adequately capture effective network features. To address this challenge, we integrate the frequency feature enhanced GT into the AE as the generator G, which consists of an encoder G_E and a decoder G_D. The encoder G_E consists of spectral-augmented encoding and multi-attribute graph joint embedding modules, designed to capture network features from temporal evolution dependencies and complex interactions, thus, enabling the construction of a latent space for representing normal samples. The decoder G_D employs a deconvolution decoding strategy to reconstruct the input samples, generating data with a structure matching the original input. In addition, a synchronous encoder E is introduced to participate in adversarial training, aiming to enhance the GAN detection framework’s modeling capabilities for network representations under temporal evolution.

The adversarial reconstruction framework is shown in Figure 2. During the training phase, the system inputs node features X^v and edge features X^e within the time T, and the encoder G_E of the generator G captures the distribution of the original real data to obtain the latent features z of the samples. Subsequently, the decoder G_D in the generator G learns the distribution of the input data from the latent space, reconstructs the normal samples, and obtains the generated samples G(X^v) and G(X^e). The discriminator D receives both real samples and generated samples, respectively, evaluating them to output its judgment on the authenticity of each sample. The architecture of encoder E is the same as that of the encoder G_E in the generator G. The reconstructed samples from the generator G are re-encoded by the encoder E to obtain their latent vectors z′.

To ensure that the distribution of the generated samples closely approximates that of the real samples, the adversarial loss L_adv guides the interplay between the discriminator D and the generator G through minimizing the difference between the distribution of actual data X and the distribution of generated data $G\left(X\right)$ [47], enabling the latent vectors z′ to learn features consistent with normal patterns:

$$L_{adv}={\mathbb{E}}_{X\sim P_r}\left[logD\left(G\right(X\left)\right)\right]+{\mathbb{E}}_{X\sim P_r}\left[log(1-D(X\left)\right)\right]$$

(1)

where X represents the actual data input, consisting of node and adjacent edge data. P_r represents the distribution of actual data, implicitly learned from the training data, approximating the true data distribution as an empirical distribution [48].

The synchronous encoder E encodes the latent vectors of the generated samples to calculate the encoding loss L_enc. By minimizing the difference between the latent features of the real samples and the generated samples, it guides the encoder G_E to capture more critical and effective features. The representation of the latent space is optimized through the encoding loss L_enc:

$$L_{\mathrm{enc}}={\mathbb{E}}_{X\sim P_r}{∥G_E\left(X\right)-E\left(G\left(X\right)\right)∥}_2$$

(2)

To ensure the reconstruction quality of the generator G for normal samples and to ensure the similarity between the generated samples and the input samples, the content loss L_con measures the difference between the input samples and the generated samples:

$$L_{\mathrm{con}}={\mathbb{E}}_{X\sim P_r}{∥X-G\left(X\right)∥}_2$$

(3)

Thus, the total loss of adversarial training can be expressed as:

$$L={\lambda }_{\mathrm{adv}}{L}_{\mathrm{adv}}+{\lambda }_{\mathrm{enc}}{L}_{\mathrm{enc}}+{\lambda }_{\mathrm{con}}{L}_{\mathrm{con}}$$

(4)

where $\lambda$_adv, $\lambda$_enc and $\lambda$_con are weighting parameters used to adjust the impact of adversarial loss L_adv, encoding loss L_enc and content loss L_con on the overall objective function.

The entire process continuously improves the quality of data representation through joint optimization of adversarial loss, encoding loss, and content loss, thereby enhancing the overall embedding quality of normal samples in the network.

In anomaly detection, encoding loss is used to score anomalies in samples, with the anomaly score defined as the quadratic reconstruction error:

$$A\left(X\right)={∥G_E\left(X\right)-E\left(G\left(X\right)\right)∥}_2$$

(5)

After determining the anomaly detection threshold, the trained model is used for anomaly detection. The anomaly detection process is achieved through the joint action of the generator G and encoder E. If the anomaly score of a sample exceeds the set threshold, it is judged to be an anomaly.

3.2. Graph Joint Embedding Based on Spectral-Augmented

Network representation analysis provides a comprehensive and effective assessment of network security status. Nodes and edges in attributed networks interact and collaborate in complex ways to jointly influence network behavior. The two interact with each other in the network, and abnormal node behavior may be manifested through edge relationships, while abnormal edge characteristics may also affect the performance of connected nodes. Therefore, these potential abnormal behaviors can be captured by considering the interaction between nodes and edges in network joint embedding.

However, in network joint embedding, it is crucial to select embedding objects and construct appropriate feature representations. The feature representations of embedding objects directly determine how the model understands and distinguishes key information in the network, serving as the foundation for the model to identify and detect abnormal behavior. Accurately representing the multidimensional features of nodes and edges helps the model comprehensively understand network interactions and behavioral patterns.

In attributed networks, network behavior evolves dynamically over time, with temporal characteristics revealing distinct activity patterns during anomalies. Nodes and edges possess multidimensional attributes that not only collectively define their properties but also generate additional information through attribute interactions. This can comprehensively reflect the collaborative changes in the network’s operational process, providing more detailed clues and stronger discernment capabilities. Therefore, anomaly detection in attributed networks cannot be separated from the temporal characteristics and multidimensional attributes of the network. When constructing features for the embedding object, both temporal characteristics and multidimensional attributes should be comprehensively considered.

Therefore, the frequency feature enhanced GT is integrated into the AE of the adversarial training generator; the graph joint embedding method based on spectral-augmented is shown in Figure 3. The frequency feature enhanced GT takes graph time-series data of the attributed network as input. The spectral-augmentation is employed to extract rich temporal features by applying discrete wavelet transform (DWT) to the node time-series data and edge time-series data and performing targeted enhancement. The multi-attribute graph joint embedding receives the spectrally augmented time-series data. It first captures nonlinear state features within the data through multi-attribute coupling across different components. Then, it obtains global dependency information guided by edge features by incorporating the network structure, ultimately generating the latent vector of the network representation.

3.2.1. Spectral-Augmented Encoding

In attributed networks, many performance metrics often exhibit complex time-varying characteristics over time, including long-term trends, periodic fluctuations and sudden anomalies. However, due to the large number of metrics, critical anomaly information is easily obscured by a large amount of unchanged time-series data, thereby hindering the timely detection of anomalies. This calls for extracting more rich features from the data to highlight anomalies and prevent information dilution, thereby addressing the issue of feature over-smoothing during the reconstruction process [49].

To capture the details of performance fluctuations and rich feature information in attributed network time series data, spectral-augmented encoding is used to dig its time series features, mainly including spectral decomposition and frequency targeted enhancement. This reveals the multi-scale temporal features of attributed network time-series through a rigorous multi-resolution analysis process, while preserving the dynamic temporal structure and preventing signal features from being diluted by noise.

Spectral Decomposition

Spectral decomposition uses wavelet transforms to decompose time series into sub-sequences of different frequencies, thereby retaining the time information of the signal while revealing its frequency components, making it suitable for network time series feature learning. Given a discrete time series, we use DWT in the spectral decomposition encoder to decompose the temporal data into trend and detail components, avoiding the conflation of these two feature types when modeling at a single scale, while achieving the conversion from time domain features to multi-scale time-frequency features.

The nodes and edges of attributed networks represent different objects and their interactive relationships. Node time series reflect the behavioral patterns of individual nodes over time, manifested as changes in the nodes’ own states. Node time series typically exhibit continuity, with most nodes’ states tending to transition smoothly over time. In contrast, edge time series capture the dynamics of the relationships between nodes. Interactions between nodes can occur within short time frames, revealing the communication interactions and information flows between nodes over time, typically exhibiting instantaneity and discreteness.

Daubechies wavelets and Coiflet wavelets were selected to adapt to the temporal characteristics of nodes and edges, respectively. Daubechies wavelets can effectively capture low-frequency components, thereby better representing the continuous changes in node states over time. Coiflet wavelets have good tight support and perform well in processing local information, making them suitable for analyzing edge interaction patterns.

The DWT is implemented using the Mallat algorithm, which decomposes signals into approximate components and detail components of different frequencies through alternating operations of filter banks and downsampling. The input time series is decomposed into J layers, and the final output is the approximate coefficients of the last layer and the detail coefficients of each layer. The approximate coefficients and detail coefficients of layer J + 1 are calculated using the approximate coefficients of layer J, expressed as:

$$c{A}_{j+1}\left(n\right)=\sum _{k}H\left(k\right)·c{A}_j(2n-k)$$

(6)

$$c{D}_{j+1}\left(n\right)=\sum _{k}G\left(k\right)·c{A}_j(2n-k)$$

(7)

where H represents a low-pass filter and G represents a high-pass filter.

The input time series data are $x_i^v=\{x_i^v\left(1\right),x_i^v\left(2\right),\dots ,x_i^v\left(L\right)\}\in {\mathbb{R}}^{m_v\times L}$ and $x_{ij}^e=\{x_{ij}^e\left(1\right),x_{ij}^e\left(2\right),\dots ,x_{ij}^e\left(L\right)\}\in {\mathbb{R}}^{m_e\times L}$. A first-order wavelet transform was performed on the input time series data to extract its trend component and detail component, represented by the approximation coefficient and detail coefficient, respectively:

$$x_{trend}^i,x_{detail}^i=\mathrm{DWT}\left(x_{ij}^{\nu }\right)\in {\mathbb{R}}^{m_v\times {\displaystyle \frac{L}{2}}}$$

(8)

$$x_{trend}^{ij},x_{detail}^{ij}=\mathrm{DWT}\left(x_{ij}^e\right)\in {\mathbb{R}}^{m_e\times {\displaystyle \frac{L}{2}}}$$

(9)

where $\mathrm{DWT}(\ast )$ represents the DWT process, $x_{trend}^i$ and $x_{detail}^i$ represents the trend component and detail component of the node $v_i$ in the input time series data, and $x_{trend}^{ij}$ and $x_{detail}^{ij}$ represents the trend component and detail component of the link $e\left(v_{ij}\right)$ in the input time series data.

Frequency Targeted Enhancement

To further reduce noise interference and enhance the ability to distinguish frequency information, targeted feature enhancement processing was introduced for the trend component and detail component of the time series features, aiming to obtain network data with clearer temporal characteristics. Gaussian smoothing was applied to the trend component to suppress high-frequency noise and reinforce the overall trend pattern, while Laplace sharpening was applied to the detail component to highlight small changes and sudden changes.

Gaussian smoothing as a linear low-pass filter enhances the low-frequency components of a signal by computing a weighted average of data points, effectively highlighting long-term trends and global change patterns. It suppresses high-frequency noise and local fluctuations by integrating each data point with its neighbors, making it well-suited for extracting and preserving the continuity of time-series data during reconstruction. Gaussian smoothing of trend components $x_{trend}$ can be expressed as:

$${\tilde{x}}_{trend}\left(l\right)=\sum _{k=-K}^K{\displaystyle \frac{1}{\sqrt{2\pi {\sigma }^2}}}·e^{-{\displaystyle \frac{k^2}{2{\sigma }^2}}}·x_{trend}(l-k)\in {\mathbb{R}}^{m\times {\displaystyle \frac{L}{2}}}$$

(10)

where $\sigma$ represents the Gaussian smoothing standard deviation, K represents the Gaussian convolution kernel radius, and l represents the discrete time step of the time series data.

Compared to smoothing, sharpening enhances high-frequency components of data signals through differential operations, emphasizing abrupt changes and local details. The Laplace sharpening operator as a second-order differential operator can effectively detect rapid signal changes by computing differences between each data point and their neighbors, identifying potential abrupt anomalies. This differential approach makes sharpening ideal for amplifying sudden anomalies during reconstruction, increasing the distinction between anomalous and normal data representations. Laplace sharpening of detail components $x_{detail}$ can be expressed as:

$${\tilde{x}}_{detail}=x_{detail}+\lambda ·\Delta x_{detail}\in {\mathbb{R}}^{m\times {\displaystyle \frac{L}{2}}}$$

(11)

where $\lambda \in (0,1)$ represents the Laplace sharpening coefficient, and $\Delta x_{detail}$ represents the one-dimensional discrete Laplace operator.

To fully exploit the complementarity of the two types of features, the enhanced trend component and detail component are integrated along the feature dimension in the spectral-augmented encoder to form a fused multi-scale feature representation:

$$x_{enh}={\tilde{x}}_{trend}\left|\right|{\tilde{x}}_{detail}\in {\mathbb{R}}^{m\times L}$$

(12)

where $\left|\right|$ denotes concatenation.

3.2.2. Multi-Attribute Graph Joint Embedding

The nodes and edges of attributed networks contain multiple attributes, and different attributes jointly characterize the dynamic behavior of the system during operation. The network state is often determined by the interplay of several interrelated attributes and, thus, network anomalies may manifest as a collaborative change among multiple attributes. Meanwhile, tasks in attributed networks are executed through interactions and collaborations among different components. Different nodes form global interactions with other nodes through complex invocation and transfer relationships, not only limited to directly connected neighboring nodes. Their intricate dynamic coupling relationships play an important role in identifying network anomalies. Therefore, anomaly detection should focus on the collaboration patterns and dependencies between different components.

Multi-Attribute Coupling

To capture the nonlinear interaction features of multidimensional attributes of network components under temporal evolution, we use a Bidirectional Long Short-Term Memory (Bi-LSTM) network to generate semantically rich vector for network components. BI-LSTM possesses powerful nonlinear feature extraction capabilities. Its internal memory units and gating mechanisms effectively integrate information across different attribute features. Moreover, by considering both forward and backward time dependencies, Bi-LSTM comprehensively captures patterns in time series.

When performing multi-attribute coupling on nodes and edges, a neural network $f(\ast )$ containing a Bi-LSTM structure is used to extract the feature depth interaction of network features:

$$f\left(x\right)={\displaystyle \frac{\left[\overrightarrow{LSTM}\left\{x_{enh}\left(i\right)\right\}\oplus \overleftarrow{LSTM}\left\{x_{enh}\left(i\right)\right\}\right]}{|x_{enh}|}}$$

(13)

where $x_{enh}\left(i\right)\in {\mathbb{R}}^{L\times 1}$ represents the i-th attribute feature of a node or edge. Different attributes are passed to the bidirectional LSTM for processing. The multi-attribute coupling feature vector $x_{fuse}\in {\mathbb{R}}^{d\times 1}$ is obtained by averaging all potential states of the LSTM and adaptive convolution matching the input dimension of GT.

Graph Joint Embedding

Next, the GT architecture is employed to process the long-range joint interaction features of the attributed network, which can effectively capture complex global dependencies. Inspired by [50], edge features are introduced into the attention mechanism of the transformer, allowing nodes to exchange information with other nodes globally and adaptively obtain collaborative dependency features with other nodes based on the actual connection edges, thereby obtaining the graph joint embedding of the attributed network.

In graph joint embedding, network structure information enhances the capture of long-distance node dependencies, improving network representation accuracy. Node and edge embedding vectors, derived from multi-attribute coupling, respectively, represent node characteristics and single connections. Therefore, it is necessary to obtain network structure information and introduce position encoding into the node embedding vectors to strengthen the global positional relationships between nodes.

In the structure of an attributed network, the adjacency matrix directly reflects the node’s connection, while the degree matrix reflects the connection strength of each node, indicating the node’s influence in the network, which helps identify nodes with higher-risk behavior in anomaly detection. Therefore, the adjacency matrix and degree matrix are used to calculate the Laplacian matrix for the network structure, comprehensively revealing the global structural relationships between nodes:

$$\Delta =I-D^{-{\displaystyle \frac{1}{2}}}A{D}^{-{\displaystyle \frac{1}{2}}}=U^T\Lambda U$$

(14)

where A represents the network adjacency matrix, and D represents the network degree matrix. $\Delta$ is the Laplacian vector of the network structure, $\Lambda$ and U, respectively, represent its eigenvalues and eigenvectors. The smallest non-trivial eigenvector k is used as the node $v_i$ position encoding.

After obtaining the node position encoding, add it to the node embedding vector as input $a_i$ to GT:

$$a_i=x_{fuse}^i+{\lambda }_i^{\prime }\in {\mathbb{R}}^{d\times 1}$$

(15)

where $x_{fuse}^i$ represents the embedding vector of the node $v_i$. Among them, ${\lambda }_i^{\prime }=A{\lambda }_i+B$, $A\in {\mathbb{R}}^{d\times k}$ represents the weight matrix of the linear projection layer, and $B\in {\mathbb{R}}^{d\times 1}$ represents the bias vector.

At the same time, the edge embedding vector $x_{fuse}^{ij}$ is used as the edge feature input for GT, $b_{ij}=x_{fuse}^{ij}$ representing the information features of the edge $e\left(v_{ij}\right)$.

GT can realize the dynamic update of node features and edge features through multi-attention mechanism, and at the same time, the edge features are integrated into the process of node update, and the update process for layer l is described below:

$$Q_{ij}^{k,l}=Q^{k,l}Norm\left(a_i^l\right),K_{ij}^{k,l}=K^{k,l}Norm\left(a_i^l\right),V_{ij}^{k,l}=V^{k,l}Norm\left(a_i\right)$$

(16)

$$E_{ij}^{k,l}=E^{k,l}Norm\left(b_{ij}^l\right)$$

(17)

$$w_{ij}^{k,l}={softmax}_j\left(\left({\displaystyle \frac{Q_{ij}^{k,l}{a}_i^l·K_{ij}^{k,l}{a}_i^l}{\sqrt{d_k}}}\right)·E_{ij}^{k,l}{b}_{ij}^l\right)$$

(18)

$${\widehat{a}}_i^{l+1}=a_i^l+O_v^l{\left|\right|}_{k=1}^H\sum _{j\in N_i}{w}_{ij}^{kl}\left(V_{ij}^{kl}{a}_j^l\right)$$

(19)

$${\widehat{b}}_{ij}^{l+1}=b_{ij}^l+O_e^l{\left|\right|}_{k=1}^H{w}_{ij}^{k,l}$$

(20)

where $Q^{k,l}$, $K^{k,l}$, $V^{k,l}$, $E^{k,l}\in {\mathbb{R}}^{d_k\times d}$,$O_v^l$,$O_e^l\in {\mathbb{R}}^{d\times d}$ are the learned projection matrices. $k\in [1,H]$ means the number of attention heads. $d_k={\displaystyle \frac{d_z}{H}}$ is the attention head dimension.

At the end of each layer, the features will be fed into a Feed Forward Network (FFN) with two fully connected linear layers:

$$a_i^{l+1}={\widehat{a}}_i^{l+1}+FF{N}_v^{l+1}\left(LN\left({\widehat{a}}_i^{l+1}\right)\right)$$

(21)

$$b_{ij}^{l+1}={\widehat{b}}_{ij}^{l+1}+FF{N}_v^{l+1}\left(LN\left({\widehat{b}}_{ij}^{l+1}\right)\right)$$

(22)

where $FFN(\ast )$ denotes the FFN part, with a non-linearity [51] in the between. $LN(\ast )$ denotes the Layer Normalization (LN) [52].

After obtaining the node vectors $a_i^L$ and edge vectors $b_i^L$ that incorporate the global interaction features, the final potential vector representation is obtained by aggregating the node vectors and node proximity vectors, this is because the results of anomaly detection can ultimately be pinpointed to specific nodes through the nodes themselves or their neighboring interfaces. Attention-based aggregation is used to obtain the final potential vectors:

$${\alpha }_{ij}={\displaystyle \frac{exp\left(\right(a_i^L\left|\right|b_{ij}^L\left)Z\right)}{{\sum }_{j\in n}exp\left(\right(a_i^L\left|\right|b_{ij}^L\left)Z\right)}}$$

(23)

$$z_i=a_i^L+\sum _{j\in n}{\alpha }_{ij}{b}_{ij}^L$$

(24)

where $Z\in {\mathbb{R}}^{1\times 2d_z}$ is the learned projection matrix. $z_i$ denotes the the latent vector of $v_i$.

4. Experiments and Results

All experiments used the PyTorch 2.7.1 deep learning framework and Python 3.13.2 programming language, with Linux as the operating system and an NVIDIA 4090 24GB GPU as the processor.

4.1. Datasets

GAN-SAGE is evaluated using the three open source datasets, which exhibit complex structures and dynamic interaction characteristics, aligning with the application scenarios of the proposed method.

AIOps Challenge dataset [53]: This dataset comes from a real open computer network system, where each system component forms a complex, heterogeneous network of interactions with other system components. It contains 15 days of network runtime metric data, during which 81 anomalies occurred, each lasting 5 min.

The Secure Water Treatment (SWaT) dataset [54]: The dataset comes from a real industrial water treatment test bed with multiple sensors and monitoring equipment. It contains 11 days of actual system operation data, during which 4 days were under attack.

The Water Distribution (WADI) dataset [55]: This dataset comes from a water distribution testbed that extends SWaT, with additional sensors and monitoring equipment installed on the testbed. It contains 16 days of data on the actual operational state of the system, during which 2 days were under attack.

To construct the graph structure from raw data, we map the network components in the dataset to a set of graph nodes V and then build the edge E set based on their connection relationships. For the AIOps dataset, the connection relationships are determined by invocation chains and component dependencies. For the SWaT and WADI datasets, the physical links between monitored entities are defined as edges. The monitoring measurements associated with nodes and edges are normalized and organized into feature vectors $X^v$ and $X^e$, thereby transforming the data into the graph time-series structure $G=(V,E,X^v,X^e,T)$ of the attributed network. This representation preserves the temporal evolution characteristics and structural dependencies of the system, serving as input for subsequent detection tasks.

GAN-SAGE employs unsupervised learning, using only data from normal states during the training phase. In the data processing stage, data samples are constructed based on time window snapshots, with each sample containing graph structure snapshots for L consecutive time steps. If any anomalous data point exists within the time window, the sample is labeled as anomalous.

4.2. Implementation Details

In the network architecture design, there is a generator G, a discriminator D, and a synchronous encoder E, where the generator G is an AE.

The encoding part G_E in generator G primarily consists of two components: spectral-augmented encoding and multi-attribute joint embedding. In the spectral-augmented encoding, the wavelet bases for node data and edge data are Daubechies wavelets and Coiflet wavelets, with a wavelet transformation order of 1. In the multi-attribute coupling, the hidden states in unidirectional LSTM is set to match the input feature dimension, and an adaptive convolution layer is used before the GT to match the input dimensions. In the GT, the number of GT layers is set to two, and the number of attention heads is four. In the synchronous encoder E, its network architecture is consistent with that of the generator G_E.

The decoding part G_D in generator G consists of a linear layer with learnable weight matrices, two layers of one-dimensional transposed convolutions, and an adaptive pooling layer. The weight matrix of the linear layer with learnable weight matrices is determined by the dimension of the latent vector and the number of nodes and links to be decoded. The convolution kernels of the two layers of one-dimensional transposed convolutions are two, with a stride of two and padding of zero. The output dimension of the adaptive pooling layer is determined by the temporal and feature dimensions of the nodes and links. ReLU is used as the activation function after the transposed convolution to further enhance the model’s nonlinear expression capabilities.

The discriminator D consists of two layers of one-dimensional convolutions and a fully connected layer. The convolution kernels of the two layers of one-dimensional convolutions are two, the stride is two, and the padding is zero. LeakyReLU is used as the activation function, and the fully connected layer uses Sigmoid as the activation function.

The experiments were conducted using the Adam optimizer [56], with the learning rate set to $1\times {10}^{-4}$. The network was trained for 500 iterations.

4.3. Evaluation Metrics

We use four standard metrics to evaluate the performance of the proposed method GAN-SAGE.

$$\mathrm{Accuracy}={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}$$

(25)

$$\mathrm{Recall}={\displaystyle \frac{TP}{TP+FN}}$$

(26)

$$\mathrm{Precision}={\displaystyle \frac{TP}{TP+FP}}$$

(27)

$$\mathrm{F}1=2\times {\displaystyle \frac{\mathrm{Precision}\times \mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}}$$

(28)

where TP, FP, TN and FN, respectively, denote true positive, false positive, true negative and false negative.

4.4. Anomaly Detection Threshold

The anomaly detection threshold $\tau$ is first determined experimentally, and then the performance of the model in the test set is evaluated on this basis. The threshold determination strategy is based on the histogram analysis of the distribution of anomaly scores, where the range distribution of normalized anomaly scores of normal samples is computed after obtaining them, and the anomaly detection threshold is determined by selecting a percentile of the distribution.

The histograms of anomaly score distribution on the three datasets are shown in Figure 4. The histograms of anomaly score distribution show the distribution of the percentage of anomaly scores of normal samples. In these histograms, the grey dashed lines represent the detection thresholds. Based on the data distribution, the 99th percentile is selected as the detection threshold, and the anomaly detection thresholds for AIOps, SWaT and WADi are 0.59, 0.40 and 0.38. The anomalies are judged according to the corresponding thresholds in the subsequent detection.

We visualized the anomaly detection process for GAN-SAGE using a subset of AIOps dataset. The original samples with the reconstruction results are illustrated in Figure 5. The blue line segments in Figure 5a represent the normalized values of the original samples, while the red line segments represent the normalized values of the reconstructed samples generated by the generator from the original samples. The purple region indicates the presence of anomalies during that time period. According to the results shown, there is a regular difference between the original sample values in the anomalous region and those in the normal region, while the reconstructed samples exhibit limitations in effectively reflecting the distribution of normal samples. Figure 5b displays the anomaly scores corresponding to the same time period as Figure 5a, showing higher anomaly score values in the anomalous region compared to the normal region. Within a time window, a sample is identified as anomalous when its average anomaly score exceeds the detection threshold.

4.5. Hyperparametric Experiments

In order to test the effect of setting different hyperparameters on GAN-SAGE training, test experiments are designed for latent vector dimension $d_z$ and temporal sliding window size L. The latent vector dimension $d_z$ and the temporal sliding window size L affect the model’s ability to capture features of temporal data. The latent vector dimension $d_z$ determines the dimension of the latent space into which the input data is compressed, and is also related to the calculation of the detection threshold, affecting the model’s ability to represent the features. The sliding window size L determines the length of the temporal region used for reconstruction and detection, affecting the model’s ability to capture the temporal dependence of the data. Hyperparametric experiments are conducted on the AIOps, SWaT and WADI datasets, the rest of the hyperparameters other than the target parameter are kept unchanged during the experiments.

The influence of latent vector dimensions $d_z$ is shown in the experimental results of Figure 6. The latent vector dimension $d_z=\{8,16,32,64,128,256\}$ is selected, respectively. The results indicate that the comprehensive performance is best at $d_z=32$ on the AIOps and WADI datasets, and at $d_z=16$ on theSWaT dataset. The latent vector dimension for optimal performance on the AIOps and WADI dataset is higher than that on the SWaT dataset, possibly because the complex network interaction relationships in AIOps dataset and the high-dimensional characteristics of WADI dataset require a relatively larger representational space.

The variation in latent vector dimensions on the AIOps dataset has a minimal impact on the F1-score, with only a 0.021 difference between the best and worst performance, indicating that the GAN-SAGE exhibits strong robustness to changes in latent vector dimensions on this dataset. However, when $d_z=128$, the recall shows a noticeable downward trend, and the F1-score experiences a slight decline, possibly due to the introduction of redundant information from excessively high dimensions, which weakens the overall ability to discriminate anomalous patterns. On the SWaT dataset, adjustments to the latent vector dimension cause fluctuations in the GAN-SAGE’s performance, but its precision remains relatively stable. On the WADI dataset, the lowest F1-score is observed when $d_z=8$, with the model performing better at larger latent vector dimensions, possibly due to the high-dimensional of WADI dataset, which makes it difficult for the model to effectively represent complex features at lower latent vector dimensions.

The influence of sliding window sizes L is shown in the experimental results of Figure 7. The latent vector dimension $L=\{10,20,50,100,150,200\}$ is selected, respectively. GAN-SAGE achieves the best overall performance on the AIOps, SWaT and WADI datasets with sliding window sizes $L=$ 100, 50 and 20, respectively. On the AIOps dataset, GAN-SAGE performs best with the largest sliding window size, possibly due to network interactions and information transfer requiring a longer time window to provide rich contextual information. In contrast, GAN-SAGE’s performance on the SWaT and WADI datasets is more sensitive to anomalies with relatively shorter time windows.

GAN-SAGE on the AIOps dataset exhibits higher F1-score with larger time windows, while the recall significantly decreases when $L<50$, possibly because smaller time windows limit the model’s ability to capture effective contextual information. On the SWaT dataset, GAN-SAGE’s performance declines when $L=200$, possibly due to larger sliding windows introducing more noise, making smaller anomalies less detectable. On the WADI dataset, GAN-SAGE demonstrates good robustness to changes in sliding window size, with the sliding window size having minimal impact on the F1-score.

4.6. Comparative Experiments

To validate GAN-SAGE’s effectiveness, we compare it with seven existing methods, including three network representation-based methods, GAT, TAGCN and FT-GCN, and four reconstruction-based methods, AnomalyDAE, DOMINANT, BeatGAN and ConGNN:

GAT [14]: This model is an attention-based GNN that assigns different weights to nodes in a node’s neighborhood through an attention mechanism.

TAGCN [37]: This model introduces a set of filters that can adapt to different sensory field sizes to implement graph convolution, which can flexibly capture different levels of local features.

FT-GCN [22]: This model takes into account traffic topology and temporal correlation and learns a combinatorial representation of features based on GCN.

AnomalyDAE [40]: This model uses two AEs to obtain embedded representations of graph structures and attributes, and ultimately uses reconstruction errors for anomaly detection.

DOMINANT [25]: This model learns node embeddings based on GCN, combined with an AE to reconstruct the original data, detecting anomalies by separately calculating the reconstruction errors of attributes and structure.

BeatGAN [42]: This model combines AE and GAN to augment time-series data with corrected time warping to reconstruct the time series by adversarial training.

ConGNN [57]: This model proposes a controlled GNN with denoising diffusion, which guides the neighborhood aggregation in GNN through a graph-specific generator to compute the representation of the target node.

The results of the detection performance including accuracy, recall, precision, and F1-score are obtained after the experiments as shown in the

Table 1. Comparative experimental results (%).

Methods	AIOps				SWaT				WADI
	Acc	Rec	Pre	F1	Acc	Rec	Pre	F1	Acc	Rec	Pre	F1
GAT	55.69	65.02	54.79	59.47	74.04	53.38	83.47	65.12	72.66	55.10	80.08	65.28
TAGCN	61.14	68.45	59.71	63.78	75.95	55.94	86.24	67.86	72.87	54.04	81.60	65.02
FT-GCN	64.73	68.10	63.79	65.88	75.01	54.23	85.41	66.34	70.37	54.81	74.95	63.32
AnomalyDAE	67.48	74.52	65.32	69.62	88.73	81.00	93.28	86.71	64.16	43.01	68.45	52.83
DOMINANT	66.06	72.43	64.24	68.09	84.87	73.11	91.92	81.44	59.31	35.26	61.07	44.71
BeatGAN	62.01	76.87	59.26	66.92	75.14	81.34	69.26	74.81	45.22	45.60	41.98	43.71
ConGNN	69.03	75.23	66.92	70.83	89.73	83.19	93.48	88.03	61.17	43.40	61.97	51.05
GAN-SAGE	70.86	77.89	68.28	72.77	91.22	86.56	93.62	89.95	73.28	55.67	81.14	66.04

.

Table 1 demonstrates the experimental data of GAN-SAGE with the other seven comparative methods, and GAN-SAGE achieves the highest F1-score on three datasets, proving the GAN-SAGE’s effectiveness.

In network representation-based methods, FT-GCN achieves a higher F1-score on the AIOps dataset compared to GAT and TAGCN, demonstrating stronger modeling capabilities for temporal correlations. This suggests that precise extraction of temporal features on the AIOps dataset significantly enhances detection performance. Compared to FT-GCN, GAN-SAGE not only precisely extracts temporal features but also considers global dependency features under complex network structures, thereby characterizing more accurate network behavior patterns and achieving better performance across three datasets. GAT exhibits the poorest performance on the AIOps dataset, likely due to its suboptimal performance in scenarios where temporal features are important. This underscores the importance of considering temporal features in the processing of graph time-series data. While both GAN-SAGE and GAT utilize attention mechanisms, GAN-SAGE more effectively extracts temporal features, resulting in superior performance compared to GAT. TAGCN outperforms GAT and FT-GCN on the SWaT dataset and shows a minimal difference in F1-score compared to GAT on the WADI dataset. This may stem from TAGCN’s filters offer stronger adaptability to the network, enabling the extraction of multi-scale local features, while its graph convolution layer’s aggregation function effectively reduces noise in node features. Both TAGCN and GAN-SAGE precisely extract network features, but GAN-SAGE emphasizes global dependencies. In attributed networks with complex structures, GAN-SAGE can more comprehensively characterize network features, thereby achieving better detection performance. Compared to the GAT, TAGCN and FT-GCN methods, the GAN-SAGE method exhibits improved performance. On the WADI dataset, TAGCN achieves a higher recall than GAN-SAGE, indicating that effective local contextual information in graphs facilitates anomaly detection. However, GAN-SAGE leverages node Laplacian positional feature vectors to represent network structural information, incorporating long-distance dependency graph information through GT without sacrificing local context, thereby providing more comprehensive graph features and achieving a higher F1 score.

In reconstruction-based methods, ConGNN outperforms AnomalyDAE, DOMINANT and BeatGAN across all three datasets. ConGNN enhances network features by leveraging controlled GNN to incorporate node neighborhood information, achieving good detection performance through learning clearer detection boundaries. However, it faces the issue of insufficient feature extraction in the temporal dimension when capturing attributed network characteristics under temporal evolution, resulting in inferior performance compared to GAN-SAGE across three datasets. AnomalyDAE and DOMINANT consider attribute and structural features through autoencoders, their performance declines in complex scenarios, underperforming compared to GAN-SAGE, which captures attribute and structural information within an adversarial framework. This highlights the capability of the adversarial framework, where incorporating adversarial training during reconstruction is increasingly valuable, as it enhances the model’s robustness across different data distributions and reducing its sensitivity to variations in data characteristics. On the AIOps dataset and the WADI dataset, BeatGAN demonstrates better recall than ConGNN, AnomalyDAE and DOMINANT, as it enhances processing for time series data, making it more sensitive to temporal anomalies. However, this may lead to more false positives, resulting in lower precision for BeatGAN. Both BeatGAN and GAN-SAGE enhance the processing of temporal information, but GAN-SAGE provides a richer perspective for temporal features through frequency-domain decomposition, thereby improving the accuracy.

Comparative analysis reveals that while reconstruction-based methods achieve more detailed and sensitive detection through precise representation and reconstruction of network features, their performance on the WADI dataset drops significantly. This is possibly due to the high-dimensional characteristics of the WADI dataset, where reconstruction-based methods are susceptible to interference in noisy and highly complex scenarios, leading to limitations and instability in maintaining accurate feature learning. Compared to ConGNN, AnomalyDAE and DOMINANT, BeatGAN and GAN-SAGE show better adaptability to dataset variations, with its performance less affected by data scenarios. This may be attributed to the adversarial training mechanisms of BeatGAN and GAN-SAGE, which improve the quality of reconstructed samples, maintaining some generalization performance in complex scenarios.

4.7. Ablation Experiments

To validate the effectiveness of GAN-SAGE’s key components, this section designs six variants of GAN-SAGE. As shown in

Table 2. Ablation experimental results (%).

Schemes	Section 3.2.1		Section 3.2.2		Section 3.1		F1
	Section Spectral Decomposition	Section Frequency Targeted Enhancement	Section Multi-Attribute Coupling	Section Graph Joint Embedding	D	E	AIOps	SWaT	WADI
1	√	√	√	√	√	√	72.77	89.95	66.04
2	×	×	√	√	√	√	68.21	80.58	57.03
3	√	×	√	√	√	√	70.47	89.75	62.07
4	√	√	×	×	√	√	67.95	87.24	60.28
5	√	√	×	√	√	√	69.53	88.04	60.97
6	√	√	√	√	×	×	65.83	83.14	46.14
7	√	√	√	√	√	×	70.34	84.96	53.55

, the full GAN-SAGE model is denoted as Scheme 1, and the six ablated variants are labeled as Schemes 2–7. By systematically removing different components and evaluating the model’s performance, the impact of each component on anomaly detection can be intuitively demonstrated.

Scheme 1 is the proposed complete model. It acquires time-domain information through spectral-augmentation, extracts latent vectors containing internal interactions and external long-distance dependencies in multi-attribute graph joint embedding, and further constrains the network representation through adversarial training, achieving the highest overall performance on three datasets.

Scheme 2 inadequately extracts temporal features, and struggles to effectively capture the dynamic changes in network behavior. Since network anomalies often appear over time, this leads to reduced anomaly detection performance.

Scheme 3 utilizes DWT to decompose time-series data, obtaining time-frequency components at different scales, but it does not perform frequency targeted enhancement. Compared to Scheme 2, Scheme 3 achieves higher F1-score across three datasets, indicating that the multi-scale information beneficial for anomaly detection. However, Scheme 3 shows lower performance compared to Scheme 1, demonstrating the effectiveness of frequency targeted enhancement in improving feature quality.

Scheme 1 outperforms Scheme 4 in anomaly detection by approximately 7.1%, 3.1% and 9.5% on the AIOps, SWaT and WADI datasets, indicating that relying solely on temporal features in attributed networks is insufficient to comprehensively capture network anomalies. While temporal features can reveal temporal correlations in network behavior, they are inadequate for fully capturing anomalies in complex attributed networks.

Scheme 5 removes the multi-attribute coupling from Scheme 1, directly performing graph joint embedding on the spectrally augmented time-series data. The higher F1-score of Scheme 1 indicates that the multi-attribute interaction features extracted through multi-attribute coupling can effectively indicate network anomalies.

Compared to Scheme 6 without an adversarial training framework, Scheme 1 demonstrates improved detection performance, validating the effectiveness of incorporating adversarial training in the reconstruction process. Scheme 6 can capture the latent representation of the attributed network, but it is insufficient to ensure robust characterization of normal samples. Adversarial training in Scheme 1 further guides the latent representation learning to better align with the feature distribution of normal data, thereby enhancing its effectiveness for anomaly detection.

Scheme 7 employs an adversarial training framework but does not include the synchronous encoder, leading to lower F1-score on three datasets compared to Scheme 1. This could be attributed to the absence of encoding loss and content loss guidance, which may cause semantic drift in the latent representation and, thus, diminishing its ability to detect anomalies.

Therefore, it can be concluded that the GAN-SAGE better learns temporal features in attributed networks, with contributions from its modules in extracting temporal and multi-attribute joint embedding features collectively enhancing anomaly detection performance.

5. Conclusions

Considering the limitations of existing methods in adequately capturing complex interaction features under time evolution, this paper proposes an adversarial reconstruction framework with spectral-augmented and graph joint embedding for anomaly detection. The proposed method GAN-SAGE uses DWT and frequency targeted enhancement to, respectively, decompose the time series into trend and detail components, and to extract temporal features more efficiently by decomposing the complex temporal patterns and enhancing the expansion of spectral features. In addition, the ability of the model to capture complex interaction features under the global structure is enhanced by multi-attribute graph joint embedding. We conducted extensive experiments on three public datasets, visualizing their anomaly score distributions and the detection process. We analyzed the impact of latent vector dimensions and time window size parameters to evaluate the GAN-SAGE’s performance under different conditions. The experimental results demonstrating that the GAN-SAGE outperforms seven state-of-the-art methods in attributed network scenarios, achieving average F1 score improvements of 9.64%, 18.73% and 19.79% across the three datasets, while detailed ablation studies confirmed the effectiveness of different components and overall performance. Considering the increasing complexity of network environments and the evolving tactics of attackers, future research will explore combining network feature extraction methods with other graph learning techniques to further enhance anomaly detection performance, particularly in identifying patterns of stealthy attacks.