adarsh-aur/stage6-rgcn-security

🛡️ Stage 6 — Heterogeneous Structural GNN (RGCN)

🔍 Multi-Cloud Threat Detection Pipeline — Holistic Version

A schema-agnostic, relation-aware Graph Neural Network for detecting compromised entities across multi-cloud environments using Relational Graph Convolutional Networks (RGCN).

⚙️ Core Design

• Library: PyTorch Geometric (RGCNConv)
• Graph Type: Heterogeneous (multi-node, multi-relation)
• Design Goal: Fully schema-agnostic
• Feature Handling: Supports any input dimension

🔗 Additional Components

• PEFT Adapters → Efficient fine-tuning
• DistMult Edge Scoring → Relation-level anomaly detection
• Threat Heads → Node-level classification

🔬 Ablation Study

Controlled experiment: identical data, seed, and hyperparameters
Only the GNN operator changes

Model	Type	Params	User AUC	User F1	User AP	Role AUC	Role F1	Role AP
RGCN	⭐ PRIMARY	8,515,599	0.5	0.0	0.5	0.5	0.0	0.5
GCN	Baseline	5,219,855	0.5	0.0	0.5	0.5	0.0	0.5
GAT	Baseline	5,320,207	0.5	0.0	0.5	0.5	0.0	0.5
SAGE	Baseline	5,383,695	0.5	0.0	0.5	0.5	0.0	0.5

⚠️ Note on Results

These metrics reflect Phase 1 conditions:

• Small graph (~tens of nodes)
• Limited feature signal (near-zero embeddings)
• Class imbalance effects

➡️ As a result:

• All models converge to random baseline (AUC ≈ 0.5)
• This is expected behavior, not a failure

Performance becomes meaningful in Phase 2 with real embeddings.

📦 Model Characteristics

Property	Value
MAX_FDIM	1024
Hidden Dim	256
Output Dim	128
Relations	20
Layers	3
Adapter Rank	16

🚀 Usage (Stage 7 Integration)

import torch
from huggingface_hub import hf_hub_download

ckpt = torch.load(
    hf_hub_download(
        repo_id="adarsh-aur/stage6-rgcn-security",
        filename="model_RGCN.pt"
    )
)

model = HeteroRGCN()
model.load_state_dict(ckpt['model_state_dict'])
model.eval()

with torch.no_grad():
    h_v, offsets, logits = model(graph_snapshot)

# h_v: [total_nodes, 128]
# → Feed into Stage 7 (GRU / temporal model)

🧩 Key Capabilities

• ✔ Handles any node/edge schema
• ✔ Supports future unseen cloud resources
• ✔ Learns relation-specific transformations
• ✔ Enables edge-level anomaly detection
• ✔ Ready for temporal extension (Stage 7)

📉 Current Limitations

• Phase 1 uses minimal feature signal
• Small dataset limits generalization
• Metrics do not yet reflect full capability

🔮 Next Stage

Stage 7 — Temporal Graph Modeling

• Sequence modeling over time (GRU / Transformer)
• Detect evolving attack patterns
• Improve recall on multi-step attacks

👤 Author

Adarsh
Multi-Cloud Security ML Research

⭐ Summary

This stage establishes the structural backbone of the pipeline:
A flexible, relation-aware GNN that can scale to real-world cloud security graphs.