Several cyber-security data sources are collected in enterprise networks providing relational information between different types of nodes in the network, namely computers, users and ports. This relational data can be expressed as adjacency matrices detailing inter-type relationships corresponding to relations between nodes of different types and intra-type relationships showing relationships between nodes of the same type. In this paper, we propose an extension of Non-Negative Matrix Tri-Factorisation (NMTF) to simultaneously cluster nodes based on their intra and inter-type relationships. Existing NMTF based clustering methods suffer from long computational times due to large matrix multiplications. In our approach, we enforce stricter cluster indicator constraints on the factor matrices to circumvent these issues. Additionally, to make our proposed approach less susceptible to variation in results due to random initialisation, we propose a novel initialisation procedure based on Non-Negative Double Singular Value Decomposition for multi-type relational clustering. Finally, a new performance measure suitable for assessing clustering performance on unlabelled multi-type relational data sets is presented. Our algorithm is assessed on both a simulated and real computer network against standard approaches showing its strong performance.

企业网络中收集了多个网络安全数据源，提供网络中不同类型节点（即计算机、用户和端口）之间的关系信息。该关系数据可以表示为详细描述与不同类型节点之间的关系对应的类型间关系和显示相同类型节点之间关系的类型内关系的邻接矩阵。在本文中，我们提出了非负矩阵三因式分解 (NMTF) 的扩展，以基于节点内和类型间关系同时聚类节点。由于大矩阵乘法，现有的基于 NMTF 的聚类方法的计算时间很长。在我们的方法中，我们对因子矩阵实施更严格的集群指标约束以规避这些问题。此外，为了使我们提出的方法不易受随机初始化导致的结果变化的影响，我们提出了一种基于非负双奇异值分解的新型初始化程序，用于多类型关系聚类。最后，提出了一种适用于评估未标记多类型关系数据集的聚类性能的新性能度量。我们的算法在模拟和真实计算机网络上与标准方法进行了评估，显示出其强大的性能。提出了一种适用于评估未标记多类型关系数据集的聚类性能的新性能度量。我们的算法在模拟和真实计算机网络上与标准方法进行了评估，显示出其强大的性能。提出了一种适用于评估未标记多类型关系数据集的聚类性能的新性能度量。我们的算法在模拟和真实计算机网络上与标准方法进行了评估，显示出其强大的性能。