Cyber operations is drowning in diverse, high-volume, multi-source data. In order to get a full picture of current operations and identify malicious events and actors analysts must see through data generated by a mix of human activity and benign automated processes. Although many monitoring and alert systems exist, they typically use signature-based detection methods. We introduce a general method rooted in spectral graph theory to discover patterns and anomalies without a priori knowledge of signatures. We derive and propose a new graph-theoretic centrality measure based on the derivative of the graph Laplacian matrix in the direction of a vertex. To build intuition about our measure we show how it identifies the most central vertices in standard network data sets and compare to other graph centrality measures. Finally, we focus our attention on studying its effectiveness in identifying important IP addresses in network flow data. Using both real and synthetic network flow data, we conduct several experiments to test our measure's sensitivity to two types of injected attack profiles, and show that vertices participating in injected attack profiles exhibit noticeable changes in our centrality measures, even when the injected anomalies are relatively small, and in the presence of simulated network dynamics.
翻译:网络操作被各种、高容量、多源数据淹没。为了全面了解当前操作的全貌,查明恶意事件和行为者分析家必须通过由人类活动和良性自动化程序混合产生的数据来观察。虽然存在许多监测和警报系统,但它们通常使用基于签名的检测方法。我们引入了基于光谱图理论的一般方法,以发现模式和异常现象,而不必事先知道签名。我们根据图解 Laplacian 矩阵的衍生物,从一个顶点方向提出和提出一个新的图形理论中心度措施。为了建立关于我们测量的直觉,我们展示了它如何在标准网络数据集中识别最中央的顶点,并与其他图形中心度措施进行比较。最后,我们集中研究其有效性,在网络流数据中识别重要的IP地址。我们利用真实和合成网络流数据,进行了几次实验,以测试我们测量对两种注射攻击特征的敏感度,并显示参与注射攻击特征的脊椎在我们的中心度措施中显示出显著的变化,即使注射异常现象相对小,并且存在模拟网络动态。