Self-Supervised Learning of Graph Representations for Network Intrusion Detection

📅 2025-09-20
🤖 AI Summary
To address the challenges of scarce supervision, dynamically evolving attack patterns, and the decoupling of representation learning from anomaly detection in network intrusion detection, this paper proposes GraphIDS—a novel self-supervised graph learning framework. GraphIDS unifies local graph representation learning with implicit modeling of global co-occurrence patterns: it employs an inductive GNN to encode local topological contexts and a Transformer-based encoder-decoder for masked graph reconstruction, directly leveraging reconstruction error as the anomaly score. The embedding process is end-to-end optimized, yielding representations intrinsically tailored for anomaly detection. Evaluated on multiple NetFlow benchmarks, GraphIDS achieves 99.98% PR-AUC and 99.61% macro F1-score—surpassing state-of-the-art baselines by 5–25 percentage points—and demonstrates significantly enhanced generalization to previously unseen attacks.

📝 Abstract
Detecting intrusions in network traffic is a challenging task, particularly under limited supervision and constantly evolving attack patterns. While recent works have leveraged graph neural networks for network intrusion detection, they often decouple representation learning from anomaly detection, limiting the utility of the embeddings for identifying attacks. We propose GraphIDS, a self-supervised intrusion detection model that unifies these two stages by learning local graph representations of normal communication patterns through a masked autoencoder. An inductive graph neural network embeds each flow with its local topological context to capture typical network behavior, while a Transformer-based encoder-decoder reconstructs these embeddings, implicitly learning global co-occurrence patterns via self-attention without requiring explicit positional information. During inference, flows with unusually high reconstruction errors are flagged as potential intrusions. This end-to-end framework ensures that embeddings are directly optimized for the downstream task, facilitating the recognition of malicious traffic. On diverse NetFlow benchmarks, GraphIDS achieves up to 99.98% PR-AUC and 99.61% macro F1-score, outperforming baselines by 5-25 percentage points.
Problem

Research questions and friction points this paper is trying to address.

Detecting network intrusions with limited supervision and evolving attack patterns
Overcoming decoupling of representation learning from anomaly detection in GNNs
Learning unified graph representations for identifying malicious network traffic
Innovation

Methods, ideas, or system contributions that make the work stand out.

Self-supervised learning with masked autoencoder for graph representations
Inductive graph neural network embeds flows with local topology
Transformer-based encoder-decoder reconstructs embeddings to detect anomalies
Lorenzo Guerra
LTCI, Télécom Paris, Institut Polytechnique de Paris, Palaiseau, France
Thomas Chapuis
Ampere Software Technology, Guyancourt, France
Guillaume Duc
Associate Professor, Télécom Paris
Embedded Systems Security
Pavlo Mozharovskyi
LTCI, Telecom Paris, Institut Polytechnique de Paris
machine learning, computational statistics, data depth, interpretability of AI, functional data analysis
Van-Tam Nguyen
LTCI, Télécom Paris, Institut Polytechnique de Paris, Palaiseau, France