Detecting malicious activity within an enterprise computer network can be
framed as a temporal link prediction task: given a sequence of graphs
representing communications between hosts over time, the goal is to predict
which edges should--or should not--occur in the future. However, standard
temporal link prediction algorithms are ill-suited to computer network
monitoring because they do not account for the peculiar short-term dynamics of
computer network activity, which exhibits sharp seasonal variations. In order
to build a better model, we propose a source separation-inspired description of
computer network activity: at each time step, the observed graph is a mixture
of subgraphs representing various sources of activity, and short-term dynamics
result from changes in the mixing coefficients. Both qualitative and
quantitative experiments demonstrate the validity of our approach.
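As an added illustration of the mixture description above (this is not the paper's code or method, only a toy model in the same spirit), the following Python treats the observed graph at each time step as a non-negative mixture of known source subgraphs, re-estimates the mixing coefficients per time step by least squares, and flags observed edges that the fitted mixture does not explain. The host names, the two sources ("workday" and "backup"), the hourly schedule and the injected edge are all constructed assumptions.

```python
"""Toy mixture-of-sources model of an enterprise communication graph.

Added example, not code from the paper: the observed graph at one time
step is modelled as X = sum_k a_k * S_k over fixed source subgraphs S_k,
the coefficients a_k are re-fitted per time step, and observed edges with
a low predicted weight under the fitted mixture are reported as
unexplained. Hosts, sources, schedule and injected edge are constructed.
"""

# Constructed source subgraphs: edge (src, dst) -> weight in that source.
SOURCES = {
    "workday": {(h, s): 1.0 for h in "ABCD" for s in ("FS", "MAIL")},
    "backup": {("BK", h): 1.0 for h in ("A", "B", "C", "D", "FS")},
}


def mixing_schedule(hour):
    """Assumed ground-truth seasonal coefficients used to generate data."""
    workday = 1.0 if 9 <= hour < 18 else 0.1
    backup = 1.0 if 2 <= hour < 4 else 0.0
    return {"workday": workday, "backup": backup}


def mix(sources, coeffs):
    """Observed graph = sum_k a_k * S_k, as a dict edge -> weight."""
    graph = {}
    for name, sub in sources.items():
        for edge, w in sub.items():
            graph[edge] = graph.get(edge, 0.0) + coeffs[name] * w
    return graph


def dot(g1, g2):
    """Inner product of two edge-weight dicts (missing edges count as 0)."""
    return sum(w * g2.get(e, 0.0) for e, w in g1.items())


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small system."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        if abs(p) < 1e-12:
            raise ValueError("sources are linearly dependent")
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col:
                f = M[r][col]
                M[r] = [v - f * u for v, u in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def fit_mixing(observed, sources):
    """Least-squares estimate of the coefficients a_k, clipped to >= 0.

    Solves the normal equations G a = b with G_ij = <S_i, S_j> and
    b_i = <X, S_i>; the clipping is a crude stand-in for true NNLS.
    """
    names = list(sources)
    G = [[dot(sources[i], sources[j]) for j in names] for i in names]
    b = [dot(observed, sources[i]) for i in names]
    return {n: max(0.0, a) for n, a in zip(names, solve(G, b))}


def flag_edges(observed, sources, threshold=0.05):
    """Return (fitted coefficients, observed edges the mixture does not explain)."""
    coeffs = fit_mixing(observed, sources)
    predicted = mix(sources, coeffs)
    unexplained = sorted(
        e for e, w in observed.items()
        if w > 0 and predicted.get(e, 0.0) < threshold
    )
    return coeffs, unexplained


def demo(hour=12, injected=(("C", "BK"), 1.0)):
    """Generate one time step from the schedule, optionally inject an edge."""
    observed = mix(SOURCES, mixing_schedule(hour))
    if injected is not None:
        edge, w = injected
        observed[edge] = observed.get(edge, 0.0) + w
    return flag_edges(observed, SOURCES)


if __name__ == "__main__":
    coeffs, unexplained = demo()
    print("fitted coefficients:", coeffs)
    print("unexplained edges:", unexplained)
```

At noon the fit recovers the workday source with the backup source switched off, and the injected connection from workstation C to the backup server (a direction no source contains) is the only unexplained edge; at 03:00 the same workstation-to-server edges carry a small weight but are still explained by the fitted coefficients, which is the point of re-fitting the mixture rather than using a single static baseline. Real use would learn the sources from data rather than assume them, and the threshold would be set from the residual distribution.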