Anomaly Detection in Large-Scale Networks With Latent Space Models
Technometrics (IF 2.3), Pub Date: 2021-12-16, DOI: 10.1080/00401706.2021.1952900
Wesley Lee¹, Tyler H. McCormick¹, Joshua Neil², Cole Sodja², Yanran Cui¹

Abstract

We develop a real-time anomaly detection method for directed activity on large, sparse networks. We model the propensity for future activity using a dynamic logistic model with interaction terms for sender- and receiver-specific latent factors in addition to sender- and receiver-specific popularity scores; deviations from this underlying model constitute potential anomalies. Latent nodal attributes are estimated via a variational Bayesian approach and may change over time, representing natural shifts in network activity. Estimation is augmented with a case-control approximation to take advantage of the sparsity of the network and reduces computational complexity from O(N²) to O(E), where N is the number of nodes and E is the number of observed edges. We run our algorithm on network event records collected from an enterprise network of over 25,000 computers and are able to identify a red team attack with half the detection rate required of the model without latent interaction terms.
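The case-control idea from the abstract, sketched as an added example (not the authors' code): the log-odds form a[s] + b[r] + ⟨U[s], V[r]⟩, uniform sampling of non-edges, the control ratio and every simulated parameter are assumptions, since the page gives only the abstract. It compares the exact log-likelihood over all N(N-1) pairs with an estimate built from the observed edges plus a reweighted sample of non-edges.

```python
import math
import random

def edge_prob(s, r, a, b, U, V):
    # Assumed form: logit P(s -> r) = a[s] + b[r] + <U[s], V[r]>
    z = a[s] + b[r] + sum(x * y for x, y in zip(U[s], V[r]))
    return 1.0 / (1.0 + math.exp(-z))

def loglik_full(edges, n, a, b, U, V):
    # Exact Bernoulli log-likelihood: touches all N(N-1) ordered pairs.
    ll = 0.0
    for s in range(n):
        for r in range(n):
            if s != r:
                p = edge_prob(s, r, a, b, U, V)
                ll += math.log(p) if (s, r) in edges else math.log(1.0 - p)
    return ll

def loglik_case_control(edges, n, a, b, U, V, ratio, rng):
    # Cases: every observed edge. Controls: `ratio` sampled non-edges per edge,
    # reweighted to stand in for all non-edges, so the cost is O(E).
    ll = sum(math.log(edge_prob(s, r, a, b, U, V)) for s, r in edges)
    n_non = n * (n - 1) - len(edges)
    m = min(n_non, ratio * len(edges))
    if m == 0:
        return ll
    controls = set()
    while len(controls) < m:  # rejection sampling; cheap on a sparse graph
        s, r = rng.randrange(n), rng.randrange(n)
        if s != r and (s, r) not in edges:
            controls.add((s, r))
    w = n_non / m
    return ll + w * sum(math.log(1.0 - edge_prob(s, r, a, b, U, V)) for s, r in controls)

def demo(n=200, d=2, seed=7):
    # Constructed sparse network simulated from the assumed model.
    rng = random.Random(seed)
    a = [rng.gauss(-2.5, 0.5) for _ in range(n)]  # sender popularity
    b = [rng.gauss(-2.5, 0.5) for _ in range(n)]  # receiver popularity
    U = [[rng.gauss(0, 0.5) for _ in range(d)] for _ in range(n)]
    V = [[rng.gauss(0, 0.5) for _ in range(d)] for _ in range(n)]
    edges = {(s, r) for s in range(n) for r in range(n)
             if s != r and rng.random() < edge_prob(s, r, a, b, U, V)}
    full = loglik_full(edges, n, a, b, U, V)
    approx = loglik_case_control(edges, n, a, b, U, V, 5, rng)
    return len(edges), full, approx

if __name__ == "__main__":
    print(demo())
```

With five controls per edge the estimate evaluates about 6·E terms instead of N(N-1); under the same assumed model, an observed edge with low `edge_prob` is the kind of deviation the abstract treats as a potential anomaly.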



Updated: 2021-12-16