FDUDSDE / MAGIC

Codes and data for USENIX Security 24 paper "MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning"
MIT License

[Question] The way the raw graph is processed in the code is different from the way it's described in the paper #5

Closed VV-S-VV closed 5 months ago

VV-S-VV commented 6 months ago

I reviewed your code and your paper, and the way the raw graph is processed confused me.

In the function "process_graph" of utils/wget_parser.py, you add only the first-processed edge of all the edges between two nodes. In the paper, however, you add the first-processed edge of each type between two nodes, and then combine the different types of edges into one edge.

So I wondered if there were any parts of this that I hadn't noticed.

Jimmyokok commented 6 months ago

In this implementation, we use the simplest method to reduce overlapping edges, which is to discard all subsequent edges after the first one. Though loss of information is expected, the performance still stands, so we keep this underoptimized implementation for the sake of simplicity and efficiency.
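The two edge-reduction strategies discussed in this thread, side by side, as an added example that is not part of the thread or the MAGIC code base. The edge list is constructed, the function names are hypothetical, and representing the combined edge as a tuple of its distinct types is an assumption, since the thread does not say how the paper merges them.

```python
from collections import OrderedDict

# Constructed sample edges (src, dst, edge_type) in processing order.
# Not taken from the MAGIC datasets.
EDGES = [
    ("proc:wget", "file:/tmp/a", "open"),
    ("proc:wget", "file:/tmp/a", "write"),
    ("proc:wget", "file:/tmp/a", "write"),
    ("proc:wget", "sock:10.0.0.5", "connect"),
    ("proc:sh", "proc:wget", "fork"),
    ("proc:wget", "file:/tmp/a", "close"),
]


def first_edge_only(edges):
    """Keep the first edge seen for each (src, dst) pair; drop every later one."""
    kept = OrderedDict()
    for src, dst, etype in edges:
        kept.setdefault((src, dst), etype)
    return dict(kept)


def per_type_then_combine(edges):
    """Keep the first edge of each type per (src, dst), then merge into one edge."""
    kept = OrderedDict()
    for src, dst, etype in edges:
        types = kept.setdefault((src, dst), [])
        if etype not in types:
            types.append(etype)
    # Assumption: the combined edge is represented as a tuple of its types.
    return {pair: tuple(types) for pair, types in kept.items()}


def dropped_types(edges):
    """Edge types per node pair that the first-edge-only reduction discards."""
    simple = first_edge_only(edges)
    combined = per_type_then_combine(edges)
    return {
        pair: [t for t in types if t != simple[pair]]
        for pair, types in combined.items()
        if len(types) > 1
    }


if __name__ == "__main__":
    for pair, lost in dropped_types(EDGES).items():
        print(pair, "keeps", first_edge_only(EDGES)[pair], "drops", lost)
```

Both reductions yield one edge per node pair, so the graph topology is identical; only the edge attribute differs, which is the information loss the reply refers to.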

Acomand commented 5 months ago

Hi, I also have this problem, and I find some other differences in 4.2.2.

  1. About the calculation of "AGG": the attention part "a(i, dst) MSG(i, dst)" may be "a(i, dst) h_src"? (In your code in gat.py, "hs" is the feat_src; lines 185 and 202.)

  2. MSG(src,dst) is obtained by adding "h_src" and "emb_e" in the implementation (instead of concat).

I would like to know if I made any mistakes. Thanks a lot. (Thanks for opening the source, by the way)

Jimmyokok commented 5 months ago

Please check the following document for the reply: response_to_acomand.pdf

Acomand commented 5 months ago

No further questions, thanks for your patience.