Mapping the Attack Path: How Graph Networks Are Reinventing Lateral Movement Detection

Author: Denis Avetisyan


A new approach leverages the power of graph-based machine learning to identify malicious activity as it spreads within enterprise networks.

Large language model pretraining conventionally relies on predicting masked tokens within sampled sentences, but this work extends that paradigm by treating random walks through a graph as those sentences, where node IDs and edge features function as the tokens to be predicted, thereby framing the learning process as a navigation of relationships rather than a parsing of sequential text.

This review details CyberGFM, a novel framework employing graph foundation models and random walks to achieve state-of-the-art precision in lateral movement detection.

Detecting malicious lateral movement within enterprise networks remains a critical challenge, often hampered by the limitations of both computationally expensive deep learning methods and feature-poor traditional approaches. This paper introduces CyberGFM: Graph Foundation Models for Lateral Movement Detection in Enterprise Networks, a novel system that bridges this gap by framing network traffic as a language and combining the efficiency of random walks with the representational power of large language models. CyberGFM achieves state-of-the-art results on standard anomaly detection datasets, demonstrating up to a 2x improvement in average precision. Could this paradigm shift, treating network data as text, unlock new avenues for proactive threat detection and response?


The Inevitable Decay of Signature-Based Defenses

For decades, cybersecurity defenses have been painstakingly constructed through manual feature engineering – the process of human experts identifying and coding specific indicators of compromise. This approach demands constant updates as attackers devise new strategies, creating a reactive cycle where defenses perpetually lag behind evolving threats. The inherent brittleness of these systems stems from their reliance on explicitly defined rules; any deviation from the expected – a novel attack vector, obfuscated malware, or simply unusual but legitimate network behavior – can easily bypass detection. While effective against known threats, this method struggles to generalize and consistently fails to identify zero-day exploits or sophisticated adversaries who skillfully blend malicious activity within the noise of normal network traffic, highlighting the limitations of a purely signature-based defense.

Contemporary cyberattacks are increasingly characterized by techniques designed to mimic legitimate network activity, rendering traditional signature-based detection methods less effective. Sophisticated adversaries now actively employ tactics like polymorphic malware and advanced persistent threats that intentionally blend malicious code and communications within the noise of normal traffic. This camouflage circumvents systems reliant on predefined rules and static indicators, as the attacks do not present easily identifiable anomalies. Consequently, security solutions struggle to differentiate between benign data flows and covert intrusions, leading to a higher rate of false negatives and a compromised security posture. The shift towards stealthy, adaptive attacks necessitates a move beyond reactive defenses and towards proactive systems capable of discerning malicious intent even when disguised as routine network behavior.

Cybersecurity is entering an era demanding a departure from reliance on explicitly programmed defenses. Instead of painstakingly crafting rules based on known threats, the field now looks to systems capable of autonomously learning directly from the continuous stream of network data. This approach seeks to identify subtle anomalies and intricate patterns – the ‘digital fingerprints’ of malicious activity – that would evade traditional signature-based detection. By embracing machine learning, these systems move beyond reacting to known attacks and begin to proactively anticipate and neutralize emerging threats, adapting in real-time to the ever-evolving tactics of sophisticated adversaries and offering a more resilient defense against previously unseen intrusions.

Reducing the amount of training data used for end-to-end pretraining and fine-tuning demonstrably impacts performance.

The Rise of Graph Foundation Models: A Network’s Silent Language

Graph Foundation Models (GFMs) utilize the inherent relationships within network data – represented as nodes and edges – to generate contextualized embeddings. Unlike traditional methods that rely on manually engineered features, GFMs learn representations directly from the graph structure. These embeddings capture not only the attributes of individual nodes but also their positions and roles within the network, as determined by their connections to other nodes. The resulting embeddings are vector representations where proximity in vector space indicates similarity in graph structure and context, enabling effective downstream tasks such as node classification, link prediction, and graph clustering without extensive feature engineering.

Graph Foundation Models utilize unsupervised pretraining methodologies to learn network representations without requiring labeled datasets. This commonly involves techniques such as random walk, where the model learns node embeddings by traversing the graph and predicting subsequent nodes in a sequence. Scheduled masked token prediction, adapted from natural language processing, involves randomly masking portions of the graph structure – either nodes or edges – and training the model to reconstruct the missing information. These processes enable the model to capture complex network dynamics, including node relationships, community structures, and propagation patterns, solely from the inherent graph topology and node attributes, effectively learning a generalized representation of the network.

Traditional network analysis relies heavily on manual feature engineering, requiring domain expertise to identify and quantify relevant node and edge attributes. Graph Foundation Models (GFMs) circumvent this limitation by leveraging architectures derived from natural language processing, specifically Transformer networks like BERT and GPT. These models learn directly from the graph structure through unsupervised pretraining, automatically discovering latent patterns and relationships. Rather than explicitly defining features, GFMs represent nodes and edges as dense vector embeddings that encapsulate contextual information derived from the network’s topology and connectivity. This automated pattern discovery enables GFMs to generalize to downstream tasks without the need for extensive feature crafting, offering a significant advantage in handling complex and large-scale network data.

Average precision on the LANL dataset increases with wallclock time, correlating with the number of pretraining tokens used for CyberGFM.

Graph Traversal and Representation: Echoes of Network Behavior

Effective Graph Foundation Models (GFMs) fundamentally depend on methods for exploring and representing the underlying graph structure to derive meaningful features. Random walks are a foundational technique, iteratively traversing the graph to generate sequences that capture network proximity and relationships. Extensions to basic random walks, such as Node2Vec, introduce biased transition probabilities, allowing the walk to explore neighborhoods based on parameters α and β. These parameters balance breadth-first and depth-first search, enabling the capture of both homophily – the tendency of connected nodes to share features – and structural equivalence, where nodes have similar roles within the network, irrespective of feature overlap. The resulting sequences can then be used to train embeddings, effectively representing each node as a vector in a lower-dimensional space that preserves the graph’s structural information for downstream tasks.

Traditional random-walk pretraining for Graph Foundation Models (GFMs) treats network traffic as order-agnostic. Incorporating temporal bias modifies random walks to prioritize transitions that reflect the observed sequence of events. This is achieved by weighting subsequent node visits based on the time elapsed since the previous visit, effectively biasing the walk towards paths consistent with the temporal order of network activity. By capturing the sequence of interactions, the model can differentiate between normal and anomalous behavior more effectively, as anomalies often manifest as deviations from expected temporal patterns. This approach improves the accuracy of anomaly detection by providing a more nuanced representation of network behavior than methods that disregard temporal information.

Graph Neural Networks (GNNs) improve network representation learning by iteratively propagating information between nodes. Unlike traditional machine learning methods which treat nodes in isolation, GNNs leverage the graph structure to aggregate feature information from neighboring nodes. This aggregation process, typically implemented using functions like mean, sum, or max, allows each node’s representation to incorporate contextual information from its immediate network surroundings. Subsequent layers can then re-aggregate these updated representations, effectively capturing multi-hop relationships and dependencies within the network. The resulting node embeddings encode not only the node’s intrinsic features but also its position and role within the broader network topology, improving performance in tasks like anomaly detection and link prediction.

Random walks are extracted from a control signal representation (CSR) derived from raw log files, where temporal constraints can be optionally relaxed as illustrated by the dotted region.
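The temporally biased walk described above, as an added example that is not code from the paper or its authors: a tiny constructed authentication log is turned into an adjacency list, and each walk emits a "sentence" of host IDs interleaved with edge features (the authentication type), optionally relaxing the temporal constraint. The exponential decay weighting and the host names are assumptions made for illustration.

```python
import math
import random
from collections import defaultdict

# Constructed sample of auth events (timestamp, src host, dst host, auth type); not from the paper's datasets.
EVENTS = [
    (1, "ws01", "dc01", "kerberos"),
    (2, "ws01", "file01", "ntlm"),
    (3, "file01", "dc01", "kerberos"),
    (4, "ws02", "ws01", "ntlm"),
    (5, "ws01", "srv01", "kerberos"),
    (6, "srv01", "db01", "ntlm"),
    (7, "db01", "dc01", "kerberos"),
]

def build_graph(events):
    """Adjacency list: source host -> [(timestamp, destination, auth type)]."""
    adj = defaultdict(list)
    for t, src, dst, auth in events:
        adj[src].append((t, dst, auth))
    return adj

def next_edge(adj, node, t_prev, temporal, decay, rng):
    """Next edge out of `node`. Temporal mode keeps only edges observed at or
    after the previous edge's time, weighted exp(-decay * elapsed); relaxed
    mode (temporal=False) picks uniformly, ignoring event order."""
    candidates = adj.get(node, [])
    if temporal and t_prev is not None:
        candidates = [e for e in candidates if e[0] >= t_prev]
        weights = [math.exp(-decay * (e[0] - t_prev)) for e in candidates]
    else:
        weights = [1.0] * len(candidates)
    if not candidates:
        return None  # dead end: the walk stops early
    return rng.choices(candidates, weights=weights, k=1)[0]

def random_walk(adj, start, length, rng, temporal=True, decay=0.5):
    """Return one 'sentence': node IDs interleaved with edge-feature tokens."""
    tokens, node, t_prev = [start], start, None
    for _ in range(length):
        edge = next_edge(adj, node, t_prev, temporal, decay, rng)
        if edge is None:
            break
        t, dst, auth = edge
        tokens.extend([auth, dst])
        node, t_prev = dst, t
    return tokens

def walk_corpus(events, walks_per_node=1, length=6, seed=0, temporal=True):
    """Pretraining corpus: `walks_per_node` sentences starting from every host."""
    adj = build_graph(events)
    nodes = sorted({n for _, s, d, _ in events for n in (s, d)})
    rng = random.Random(seed)
    return [random_walk(adj, n, length, rng, temporal) for n in nodes for _ in range(walks_per_node)]
```

With the temporal constraint on, a walk starting at ws02 can only follow the hops that actually happened after the ws02 logon, so the sentence reproduces the real chain ws02 → ws01 → srv01 → db01 → dc01; with it relaxed, the walk from ws01 may wander to any of its three neighbours regardless of order.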

The Unfolding Reality: Detecting Lateral Movement and Anomalies

Graph Foundation Models (GFMs) offer a significant advancement in addressing the complex cybersecurity challenge of lateral movement, wherein attackers navigate through a network after initial compromise. These models excel not by seeking known signatures of attacks, but by establishing a baseline of ‘normal’ network communication and then identifying deviations from that norm. By representing network interactions as graphs – nodes being devices and edges representing communication – GFMs can learn intricate patterns of connectivity and data flow. Anomalous activity, indicative of an attacker probing for vulnerabilities or accessing sensitive resources, manifests as unusual patterns within this graph, such as unexpected communication pathways or statistically improbable data transfers, which the model flags for further investigation. This pattern-based approach proves particularly effective against novel threats and zero-day exploits, as it doesn’t rely on pre-existing knowledge of attack methods.

The effectiveness of this approach hinges on its ability to perform reliably across varied network conditions, a claim substantiated through rigorous testing with established datasets. Specifically, the model was evaluated using the DARPA OpTC, UNSW-NB15, and LANL datasets, each representing unique network topologies and attack profiles. Successful performance across these diverse environments indicates the model isn’t simply memorizing specific attack signatures, but rather learning fundamental patterns of normal and malicious network behavior. This generalization capability is crucial for real-world deployment, where network configurations and threat landscapes are constantly evolving, and a system’s ability to adapt determines its long-term viability and security value.

Graph Foundation Models (GFMs) aren’t limited to simply identifying known intrusions; they proactively enhance anomaly detection by leveraging techniques such as link prediction. This approach moves beyond signature-based security, enabling the identification of unusual connections within a network that deviate from established patterns. By predicting likely links between network entities, GFMs can flag unexpected or improbable connections as potentially malicious activity, even if no known intrusion signature exists. This predictive capability is particularly valuable in uncovering advanced persistent threats and zero-day exploits, where attackers attempt to establish covert communication channels within a compromised network, and represents a significant step toward a more resilient and adaptive cybersecurity posture.

The CyberGFM system represents a significant advancement in network security, achieving a benchmark Average Precision (AP) score of 0.76 when evaluated on the LANL dataset for anomalous lateral movement detection. This performance surpasses previous state-of-the-art methods by more than double, indicating a substantial improvement in the system’s ability to accurately identify malicious activity within a network. Lateral movement, the technique attackers use to navigate a compromised network, is notoriously difficult to detect, but CyberGFM’s heightened precision suggests a robust capability to pinpoint unusual connection patterns indicative of such threats. The results demonstrate not only a functional system, but one that sets a new standard for identifying and mitigating advanced network intrusions.
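To make the reported Average Precision figure concrete, here is an added example (not the paper's evaluation code) that computes AP over a constructed set of link-prediction anomaly scores and contrasts it with the accuracy of a detector that flags nothing. The host names, scores and labels are constructed for illustration.

```python
# Constructed link-prediction output (not from the paper): each unseen edge
# gets an anomaly score in [0, 1]; label 1 marks a true lateral-movement hop.
SCORED_EDGES = [
    ("ws07", "dc01", 0.95, 1),
    ("ws03", "file02", 0.90, 0),
    ("ws07", "srv04", 0.80, 1),
    ("ws11", "print01", 0.70, 0),
    ("srv02", "db01", 0.60, 0),
    ("ws05", "file02", 0.50, 0),
    ("srv04", "db01", 0.40, 1),
    ("ws02", "dc01", 0.30, 0),
    ("ws09", "file01", 0.20, 0),
    ("ws01", "srv01", 0.10, 0),
]

def average_precision(scores, labels):
    """Rank edges by descending anomaly score; AP is the mean, over the true
    anomalies, of the precision achieved at each anomaly's rank. It rewards
    placing the few real lateral-movement edges ahead of the benign mass."""
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    hits, total = 0, 0.0
    for rank, i in enumerate(order, start=1):
        if labels[i]:
            hits += 1
            total += hits / rank
    return total / hits if hits else 0.0

def all_benign_accuracy(labels):
    """Accuracy of a detector that flags nothing. On imbalanced data this looks
    good while catching zero attacks, which is why AP is the more telling metric."""
    return (len(labels) - sum(labels)) / len(labels)

def evaluate(edges):
    scores = [e[2] for e in edges]
    labels = [e[3] for e in edges]
    return {"ap": average_precision(scores, labels),
            "all_benign_accuracy": all_benign_accuracy(labels)}
```

On this sample the anomalies sit at ranks 1, 3 and 7, giving AP = (1 + 2/3 + 3/7) / 3 ≈ 0.698, while the do-nothing detector still scores 0.7 accuracy.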

Significant gains in anomaly detection accuracy were achieved through a focused finetuning process applied to the Graph Foundation Models. Initial performance, while promising, underwent a dramatic transformation, resulting in a 580% improvement in Average Precision. This substantial increase demonstrates the models’ capacity to learn nuanced patterns within network traffic data when provided with targeted training. The finetuning process effectively refined the models’ ability to distinguish between legitimate network behavior and malicious lateral movement, leading to a more robust and reliable system for identifying potential cybersecurity threats. This level of improvement underscores the importance of adaptive learning in complex network security applications, pushing the boundaries of what’s possible in automated threat detection.

Fine-tuning the CyberGFM models resulted in a measurable change in AP score.

The pursuit of network security, as demonstrated by CyberGFM, often feels less like construction and more like tending a garden. The model’s reliance on graph representations and random walks acknowledges the inherent unpredictability of attacker behavior; a system designed to anticipate every path will inevitably fail. This echoes G.H. Hardy’s sentiment: “The most beautiful and profound experience is the realization that there is no design, no purpose.” CyberGFM doesn’t build a fortress, but cultivates an awareness of anomalies within the network’s natural flow, accepting that complete control is an illusion. The promise of precision, while valuable, is but a fleeting moment of order before the next inevitable cascade of failures.

What’s Next?

The pursuit of precision, as demonstrated by CyberGFM, inevitably reveals the fragility of any static definition of “normal.” A system that flawlessly identifies lateral movement today will, tomorrow, be blind to the novel strategies of an adversary. The elegance of graph foundation models lies not in their current efficacy, but in their capacity to absorb failure. Each evasion, each undetected probe, is a data point reshaping the model’s understanding, nudging it toward a more comprehensive, though never complete, representation of network behavior.

The true challenge isn’t simply to detect anomalies, but to cultivate a system resilient to anomaly. The focus will shift from feature engineering – the desperate attempt to anticipate every attack vector – toward architectures that prioritize continual learning and adaptation. The model must become a mirror, reflecting the evolving threat landscape, rather than a shield attempting to hold it back. It is not a question of building a perfect detector, but of fostering a perpetually imperfect, perpetually learning one.

Ultimately, the limitations of CyberGFM, and its successors, will not be technical, but human. A system that anticipates every breach leaves no room for investigation, for the nuanced understanding that arises from responding to, and learning from, actual incidents. Perfection, in this domain, is not security, but atrophy. The future of network defense lies not in automation, but in augmentation – in systems that empower human analysts, not replace them.


Original article: https://arxiv.org/pdf/2601.05988.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

2026-01-12 21:57