GB2581011A - Anomalous network node behaviour identification - Google Patents

Anomalous network node behaviour identification Download PDF

Info

Publication number
GB2581011A
GB2581011A GB1917557.9A GB201917557A GB2581011A GB 2581011 A GB2581011 A GB 2581011A GB 201917557 A GB201917557 A GB 201917557A GB 2581011 A GB2581011 A GB 2581011A
Authority
GB
United Kingdom
Prior art keywords
graph
computer systems
vector
node
computer system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB1917557.9A
Other versions
GB2581011B (en
GB201917557D0 (en
Inventor
Gibson Michael
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
British Telecommunications PLC
Original Assignee
British Telecommunications PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by British Telecommunications PLC filed Critical British Telecommunications PLC
Publication of GB201917557D0 publication Critical patent/GB201917557D0/en
Publication of GB2581011A publication Critical patent/GB2581011A/en
Application granted granted Critical
Publication of GB2581011B publication Critical patent/GB2581011B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A computer implemented method of identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems 200, each computer system in the set being uniquely identifiable, comprises: monitoring communication between computer systems for a baseline time period to generate a baseline graph 202 representation of the systems in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems; for each node in the baseline graph, generating a baseline vector representation 208 based on a combination of a plurality of walks of the graph for the node (e.g. using a Word2Vec or Node2Vec approach); monitoring communication between computer systems in the set of computer systems for a subsequent time period to generate a subsequent graph representation 210 comparable with the baseline graph; for each node in the subsequent graph, generating a subsequent vector representation; and for each computer system in at least a subset of the set, comparing the baseline and subsequent vector representations for a node corresponding to the computer system using a vector similarity function 218 to identify anomalous behaviour.

Description

Anomalous Network Node Behaviour Identification The present invention relates to the detection of anomalous behaviour of a computer system.
Network connected computer systems, whether physical and/or virtual computer systems 5 connected via one or more physical and/or virtual network communication mechanisms, can be susceptible to malicious attack. For example, one or more computer systems can become infected with malicious software such as botnet agents or the like, and such infected systems can instigate malicious communication with other systems such as communications intended to propagate such infections and/or communications intended to affect the operation of target 10 computer systems (e.g. denial of service attacks, hijacking or the like).
It is a longstanding desire to detect such malicious communication occurring in a network of computer systems in order that mitigation measures can be implemented.
The present invention accordingly provides, in a first aspect, a computer implemented method of identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems, each computer system in the set being uniquely identifiable, the method comprising: monitoring communication between computer systems in the set for a predetermined baseline time period to generate a baseline graph representation of the systems in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set; for each node in the baseline graph, generating a baseline vector representation based on a combination of a plurality of walks of the graph for the node; monitoring communication between computer systems in the set of computer systems for a subsequent predetermined time period to generate a subsequent graph representation of the computer systems comparable with the baseline graph; for each node in the subsequent graph, generating a subsequent vector representation based on a combination of a plurality of walks of the graph for the node; for each computer system in at least a subset of the set, comparing the baseline and subsequent vector representations for a node corresponding to the computer system using a vector similarity function to identify behaviour of the computer system in the subsequent time period that is anomalous in comparison to behaviour of the computer system in the baseline time period.
Preferably, the combination of a plurality of walks for a node is generated by the steps of: generating a vector representation for each of a plurality of random walks of the graph from the node to constitute a set of vector representations; and combining the vector representations in the set into a single vector representation for the node.
Preferably, combining the vector representations into a single vector representation includes calculating a sample average vector representation based on the set of vector 5 representations.
Preferably, combining the vector representations into a single vector representation for a node includes generating an orthogonal transformation vector for each of a plurality of pairs of vector representations for the node such that the orthogonal transformation vector transforms a first vector in the pair to a second vector in the pair, and performing linear optimisation on the orthogonal transformation vectors by linear regression.
Preferably, the vector similarity function is a cosine similarity function.
Preferably, the characteristic of communication includes one or more of: a flow of network traffic from a source computer system to a target computer system; and a volume of data communicated from a source computer system to a target computer system.
Preferably, a direction of an edge in a graph corresponds to a net direction of flow of network traffic between source and target computer systems.
Preferably, a weight of an edge in a graph corresponds to a volume of data communicated.
Preferably, the direction of an edge in a graph corresponds to the reverse of a net 20 direction of flow of network traffic between a source and target computer systems.
Preferably, the method further comprises, responsive to the identification of a computer system exhibiting anomalous behaviour, implementing protective measures for one or more computer systems in the set to protect against malicious communication involving the computer system exhibiting anomalous behaviour.
Preferably, the protective measures include one or more of: preventing network communication to and/or from a particular computer system; performing an antimalware task on one or more of the computer systems; disconnecting one or more of the computer systems; and increasing a level of monitoring of network communication with one or more computer systems.
Preferably, the predetermined baseline time period corresponds to at least part of a time period when the set of intercommunicating computer systems are separated from influence by malicious agents.
The present invention accordingly provides, in a second aspect, a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.
The present invention accordingly provides, in a third aspect, a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of the method set out above.
Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which: Figure 1 is a block diagram a computer system suitable for the operation of 10 embodiments of the present invention; Figure 2 is a component diagram of an arrangement for identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems in accordance with embodiments of the present invention; Figure 3 is a flowchart of a method for identifying anomalous behaviour of a computer 15 system in a set of intercommunicating computer systems in accordance with embodiments of the present invention; Figures 4a, 4b and 4c depict exemplary graph data structures representing intercommunicating computer systems in accordance with embodiments of the present invention; and Figures 5a and 5b depict exemplary graph data structures of representing intercommunicating computer systems in accordance with embodiments of the present invention.
Networks of computer systems can be represented as graphs of interconnected nodes. Physical or virtual computer systems can be physically or virtually connected to other such systems by way of, for example, a physical or virtual communications network. Computer systems can be represented as nodes with communications therebetween represented as edges in a graph representation. Nodes can have associated characteristics corresponding to characteristics of represented computer systems such as unique identifiers, technical, functional or locational characteristics. Edges between nodes correspond to communications between computer systems corresponding to the nodes such as a volume, frequency, type, speed (e.g. throughput) of data, an effectiveness of communication (e.g. a degree of error in the communication), a level of security of the communication (e.g. presence, absence or a degree of encryption) or other communication characteristics. Notably, such edges relate to communication between nodes (representing computer systems), not the very existence of means for achieving such communication (e.g. network connections). Thus, a graph representation of such communicating computer systems represents communications at a point in time or over a period of time between computer systems represented in the graph.
Embodiments of the present invention provide for a comparison between graph representations of communicating computer systems such that anomalous behaviour of a computer system can be detected. Detection of such anomalous behaviour can lead to the implementation of mitigation measures to protect computer systems from potentially malicious communications. In particular, embodiments of the present invention determine a baseline graph representation of a set of communicating computer systems including nodes corresponding to computer systems and edges corresponding to communications therebetween. The baseline graph is determined for a time when the communicating computer systems are determined to be free from malicious intervention, such as when the computer systems are operating in a protected environment such as a network not being accessible to, or susceptible to, external communications from untrusted systems. For example, a pre-production operation of the communicating computer systems. Further, embodiments of the present invention determine a graph representation of the computer system corresponding to the computer system in production operation during which the detection of anomalous system behaviour is sought. Embodiments of the present invention are directed to providing techniques for the effective comparison of graphs corresponding to each of the baseline operation and production operation of the communicating computer systems so as to detect anomalous computer system behaviour in the production operation.
Embodiments of the present invention allow subgraphs (graphs with the same set of nodes and, potentially, edges as each other) to be compared with each other. By looking at how nodes are connected to other nodes (edges) and utilising an attribute between pairs of nodes, a measurement of how edges and attributes change from one subgraph to another can be made. Before a measurement can be made, edges and attributes of a subgraph must be converted into a format which will allow comparisons with other subgraphs. This conversion technique is called "embedding" and will be used for each subgraph to be compared. Each subgraph can be a representation of how all nodes of the subgraph are connected to each other at a particular point in time, or over a particular period of time, so that changes to a node's connections correspond to a change of behaviour of the node. This behaviour change of a node is a measurement performed when comparing two subgraphs.
Graph comparison techniques rely on a node's "degree" within a graph. A degree is the 35 number of edges belonging to a node. Depending on where is located within a graph its "centrality" may change as well. A determination of centrality identifies most influential nodes and can be influenced by node positions and degrees. A problem with centrality is there are multiple differing mechanisms for determining such a characteristic and it is difficult to know which type of centrality measure should be employed in dependence on a particular subgraph. Another technique is "PageRank" ("The PageRank Citation Ranking: Bringing Order to the Web" (Page et al., 1999)) which scores nodes depending on a number of references (directed edges) from other nodes. PageRank sums all scores in a graph to one, which means it is infeasible to compare multiple graphs with this technique.
Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention. A central processor unit (CPU) 102 is communicatively connected to a storage 104 and an input/output (I/O) interface 106 via a data bus 108. The storage 104 can be any read/write storage device such as a random-access memory (RAM) or a non-volatile storage device. An example of a non-volatile storage device includes a disk or tape storage device. The I/O interface 106 is an interface to devices for the input or output of data, or for both input and output of data. Examples of I/O devices connectable to I/O interface 106 include a keyboard, a mouse, a display (such as a monitor) and a network connection.
Machine learning is a form of artificial intelligence which allows a machine to learn a model of a process by applying statistical techniques on observed data. This means a machine can predict an outcome when given new, previously unseen data. An example of how machine learning has benefited people is language translation. By having a machine learn several translations from one language to another, the machine can "learn" how words are associated with each other. When a new phrase is entered, the machine can refer to previously seen examples and predict what the translation should be. Machine learning attempts to mimic how humans learn; observe experiences and recall on these when presented something new. Many machine learning techniques have been developed: from utilising basic mathematical models like linear regression to emulating how a brain works through the use of "neural networks".
One machine learning technique which can be employed in embodiments of the present invention is known as "word embedding". Word embedding transforms words in a vocabulary into a set of vectors consisting of real numbers. The reason for this process is to allow a machine to represent a meaning of a word in relation to other words. Unlike a human, a machine does not know the meaning of a word but it can work with vector representations of words to represent the meaning of a word. One method of converting words into vectors is known as "Word2Vec" ("Efficient Estimation of Word Representations in Vector Space", Mikolov et al., 2013). Word2Vec is a collection of models for representing words in a corpus of text as a collection of vectors denoting how similar they are to each other depending on sentence context. It involves training a neural network to associate words with each other depending on where they lie within a context. The neural network itself (specifically its weight matrix) is the word embedding and it can be used to predict the context of a given word which appeared in the corpus.
Embodiments of the present invention identify anomalous behaviour of a computer system in a set of intercommunicating computer systems such as physical or virtual computer systems communicating via one or more physical or virtual computer networks in which each computer system is uniquely identifiable (such as by way of an identifier, name, address or other suitable identification). Figure 2 is a component diagram of an arrangement for identifying anomalous behaviour of a computer system in a set 200 of intercommunicating computer systems in accordance with embodiments of the present invention. The set 200 of computer systems are arranged for intercommunication by way of, for example, one or more wired or wireless communications networks. As illustrated in Figure 2, such networks can be disparate in technology, topology and/or architecture such as a linear, hierarchical, star, wireless, cellular or any other suitable intercommunication means for computer systems. In the exemplary set 200 of computer systems of Figure 2, eleven computer systems labelled "A" through "J" are depicted, each being communicatively connected to one or more other of the computer systems in the set. Embodiments of the present invention are operable to monitor communications between the computer systems in the set 200 so as to generate graph representation of communications between the computer systems. Notably, such graph representations of communications do not necessarily correspond to the architecture, topology or arrangement of computer networks interconnecting the computer systems.
Rather, such graph representations model actual communications between systems in the set 200.
Graph representations are generated in two phases of operation of embodiments of the present invention. In a first phase, one or more baseline graphs are generated to represent communications between computer systems in the set 200 occurring to at least part of a time period when the set 200 of intercommunicating computer systems are determined to be unaffected by potentially or actually malicious agents such as malicious software, viruses, botnets or other malicious activity. For example, the set 200 of systems can be separated from influence by potentially or actually malicious agents. In such first phase of operation, the set 200 of computer systems can operate in a pre-production environment, secured environment or environment confirmed to be clean of malicious infection. Subsequently, embodiments of the present invention operate in a second phase of operation in which one or more subsequent graphs are generated to represent communications between computer systems in the set 200. In the second phase of operation the set 200 of computer systems operate in, for example, a production mode of operation in which there is a possibility of influence of malicious agents such as the introduction of malware, the activity of botnets or other malicious occurrences potentially affecting one or more of the computer systems in the set 200.
In each phase of operation, embodiments of the present invention generate vector representations of network communication derived from the generated graphs such that a set of baseline vectors is generated derived from the baseline graph(s) with a baseline vector generated for each node in the baseline graph corresponding to a computer system in the set 200. Further, a set of subsequent vectors is generated derived from the subsequent graph(s) such that a subsequent vector is generated for each node in the subsequent graph corresponding to a computer system in the set 200. The baseline and subsequent vectors for each computer system are comparable using a vector similarity function to identify anomalous behaviour of a computer system operating in the production mode of operation vis-a-vis its operation in the pre-production (baseline) mode of operation. Such anomalies correspond to a behavioural change of one or more computer systems in the set 200 and can trigger the implementation of protective measures for one or more of the computer systems or the entire set 200.
Protective measures can include, for example, the deployment of firewalls, new security measures, additional authentication or authorisation checks, execution or updating of antimalware services, preventing communication with one or more computer systems or the whole set 200, increasing a level of monitoring, tracing or logging and other protective measures as will be apparent to those skilled in the art.
Thus, in the arrangement of Figure 2, a baseline graph generator as a hardware, software, firmware or combination component, generates a baseline graph data structure 204 representing communication between computer systems in the set 200 of intercommunicating computer systems. Each of at least a subset of the computer systems in the set 200 is provided as a node in the graph 204 with communications therebetween represented as weighted directed edges in the graph 200. As depicted in Figure 2, edges are directed to indicate a net flow of traffic and are weighted (indicated by thickness of an edge) to indicate a volume of traffic. A "net" flow of traffic is a predominant direction of transfer of communicated data such as payload data in network communication, recognising that network communication can be bidirectional including at least the negotiation, setup and/or configuration of a communication by way of protocol messages to achieve the delivery of a payload or portion of data as the substantive subject of the communication. For example, network communication corresponding to a request for a web-page by a web-browser being communicated to a web-server will involve communication of the request from the browser to the server with the substantive data transfer being realised as the communication of the web-page content from the server to the browser. Thus, the net flow is from the server to the browser and can be determined, in this example, based on the volume of data transferred. Other mechanisms to determine the net flow of data can be employed including mechanisms that infer the direction of net flow of data based on an analysis, inspection or other identification of the data to determine the substantive part of a communication between 10 computer systems.
Figure 2 further includes a baseline vector generator 206 as a hardware, software, firmware or combination component arranged to generate a vector representation 208 of communication for each node in the baseline graph 204. In one embodiment, the baseline vector generator 206 uses Word2Vec or, preferably, Node2Vec which uses node identifiers as words and paths through the baseline graph 204 as sentences into a typical Word2Vec model ("On Generalizing Neural Node Embedding Methods to Multi-Network Problems", Heimann and Koutra, 2017). The paths can be generated by random walks (traversals of the graph) for a node in the baseline graph 204, as will be described in more detail later. Due to the non-deterministic nature of Node2Vec (arising because it employs random walks to generate a corpus for Word2Vec) it is preferably to combine a plurality of such random walks to generate a representative vector for a node, the representative vector being defined based on a combination of the plurality of walks of the graph for a node (the node representing a computer system). Combining multiple vector representations into a single representation can be achieved using a simple average vector. Alternatively, an orthogonal transformation vector for each of a plurality of pairs of vector representations for the node can be generated such that the orthogonal transformation vector transforms a first vector in each pair to a second vector in the pair. A linear optimisation process operating on the orthogonal vectors by, for example, linear regression, can be used to define a combination vector representation for a node in the graph 204.
Thus, in this way, embodiments of the present invention generate baseline vector representations 208 for each node in the baseline graph 204. Such baseline vector representation 208 and the baseline graph 204 are generated during a time period when the intercommunicating computer systems 200 are not susceptible to malicious attack such as malware, botnets or the like. In this way the baseline vectors 208 constitute a baseline for comparison to identify anomalies during production operation of the computer systems when the set 200 of systems may be subject or susceptible to attack or intrusion. Accordingly, during production operation of the set 200 of intercommunicating computer systems a subsequent graph generator 210 as a hardware, software, firmware or combination component is operable to generate subsequent graph 212. The subsequent graph generator 210 can be operationally identical to the baseline graph generator 202 except that the subsequent graph generator 210 is operable during execution of the computer systems in a production mode of operation, when potentially subject or susceptible to attack. In some embodiments, the baseline graph generator 202 and the subsequent graph generator 210 are one and the same. The subsequent graph 212 is comparable with the baseline graph 204 by way of vector representations. Thus, a subsequent vector generator 214 (which is operationally identical to the baseline vector generator 206 and can be one and the same) is operable to generate a vector representation of the subsequent graph 212 as a subsequent vector 216 for each node in the subsequent graph 212.
The subsequent vector representations 216 can be generated periodically each corresponding to a particular period of time such that the subsequent vectors 216 can be compared with the baseline vectors 208 to identify anomalies in the subsequent vectors with respect to the baseline vectors. The comparison is made by a vector similarity function 218 such as a cosine similarity function for comparing vectors as is known in the art. Where a subsequent vector for a node in the subsequent graph 212 corresponding to a computer system in the set 200 is sufficiently dissimilar to a baseline vector for a node in the baseline graph 204 corresponding to the same computer system, then an anomaly is identified. Sufficiency of dissimilarity (or similarity) can be predetermined in terms of a degree of difference characterised in dependence on the particular vector similarity function 218 employed -such as an angular difference, an extent of vectoral magnitude difference or a combination or other such characterisations of difference as will be apparent to those skilled in the art. Protective measures 220 can be implemented to protect one or more of the computer systems in the set 200 of intercommunicating computer systems in dependence on the detection of an anomaly by the vector similarity function 218.
Figure 3 is a flowchart of a method for identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems in accordance with embodiments of the present invention. Initially, at step 302, communication between computer systems in the set 200 for a predetermined baseline time period is monitored and at step 304 a baseline graph representation of the systems is generated in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set 200. At steps 306 to 310 a baseline vector representation is generated for each node in the baseline graph based on a combination of a plurality of walks of the graph for the node.
At step 312 communication between computer systems in the set 200 for a subsequent time period is monitored. The subsequent time period is a predetermined period of time during which the computer systems operate in a production mode of operation. At step 314 a subsequent graph representation of the systems is generated in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set 200. At steps 316 to 320 a subsquent vector representation is generated for each node in the subsequent graph based on a combination of a plurality of walks of the graph for the node. At steps 322 to 330 baseline and subsequent vectors for nodes corresponding to each of a plurality of computer systems in at least a subset of the set 200 of computer systems are compared using a vector similarity function 218. Where anomalous behaviour of a computer system is detected at step 326, protective measures are implemented at step 328.
Thus, embodiments of the present invention seek to identify a computer system in the set 200 exhibiting a behaviour change relative to a baseline representation of its behaviour. Figures 4a, 4b and 4c depict exemplary graph data structures representing intercommunicating computer systems in accordance with embodiments of the present invention. Specifically, Figures 4a, 4b and 4c depict graph representations of network traffic for a set of computer systems at different time points. In Figures 4a and 4b, computer "A" is showing "normal" behaviour (that is, typical behaviour for itself), whereas in Figure 4c, computer "A" is "attacking" several computers, so exhibiting anomalous behaviour.
Each edge (arrowed) in Figures 4a to 4c is a flow of traffic between a source and a destination computer and the weight (thickness) represents an attribute of the flow. This attribute can be the number of connections/flows between two computers, the number of bytes or packets sent or an aggregation of these. In the example of Figure 4c the number of simultaneous flows between computer "A" and others has increased (hence the thicker arrows). As this behaviour was not observed before it is likely that an attack (for example a denial of service attack) is occurring.
To identify this anomalous behaviour embodiments of the present invention employ machine learning techniques such as Node2Vec to convert each graph into an embedding so that differences in a node can be measured between embeddings. Node2Vec is a version of Word2Vec which uses node identifiers as words and paths through a graph as sentences in a Word2Vec model. The paths are generated by random walks from each node in a graph. These random walks can be configured to walk close to neighbouring nodes (akin to breadth-first search) or walk across the structure of the graph (akin to depth-first search). A next step to take in a walk can be determined by edge probabilities. These probabilities can be calculated by an attribute of an edge (for example, an attribute of flow), such as by normalising the attribute among all edges and applying the breadth/depth-first search configurations. In the context of monitoring computer behaviour, attacks may be more likely to occur in respect of neighbouring computer systems rather than systems on the other side of a network. Therefore, a larger breadth-first search parameter can be employed, for example.
The net flows of network traffic is directed (as previously described). This direction is carried forward during a random walk which can have an effect on which nodes appear in a path. Figures 5a and 5b depict exemplary graph data structures of representing intercommunicating computer systems in accordance with embodiments of the present invention. In the graph of Figure 5a, node "B" has relatively heavy weighted edges directed to each of nodes "A", "J", "H" and "E" indicating that computer corresponding to node "B" is sending lots of packets to those target computers. During walks of the graph of Figure 5a as part of the Node2Vec process, only node "C" can result in a traversal to node "13" because only node "C" has an edge directed to node "B". This means the set of paths (corpus) for training Node2Vec will for all nodes other than node "C" will not involve node "B", despite node "B" representing the most communicative computer system in the set. To remedy this, all edges and their weights are reversed prior to the walking process of Node2Vec, as illustrated in Figure 5b. In the exemplary graph of Figure 5b many more nodes now lead to node "B". During the random walks of the Node2Vec process there is an increased chance of walks involving node "B" meaning the path corpus has a higher chance of mentioning node "B" and thus highlighting the impact node "B" has on the graph.
Word2Vec is used to determine the similarity of words within an embedding. In this process, a similarity score is used on vectors within the embedding. For example, the cosine between two vectors can be calculated which is used to determine how similar (i.e. how parallel) they are. In embodiments of the present invention, however, each node is to be compared across a set of graph embeddings.
A problem in using Node2Vec is it is a non-deterministic algorithm because it uses random walks to generate the corpus for Word2Vec. This means that every time Node2Vec is used on the same graph with the same parameters, different embeddings can be generated. For effective comparison of vectors to determine anomalies, Node2Vec would preferably operate deterministically producing consistent embeddings no matter how many executions are performed. This would also mean performing a similarity score for the same node among all embeddings should reveal an identical or, at least, much more similar score, for example, using cosine similarity should yield a score tending towards one.
One possible solutions to this challenge is to use a different walking strategy known as graph kernelling. Alternatively, a sample average can be calculated from a set of 5 embeddings.
Random walking is integral to Node2Vec and for its intended purpose of producing one embedding for a graph, it suits most needs. However, for larger graphs where there are many possible paths, this strategy may be unsuitable. Even increasing a number of iterations during an execution (i.e. the number of walks performed from each node) may not improve the embedding as the training phase is built on previous walks. Another walking strategy could be used, especially if it can be built on hidden Markov models as this is how the graph is constructed as an input to Node2Vec ("What is a Hidden Markov Model?", Sean R Eddy, Nature Biotechnology volume 22, pages 1315-1316, 2004).
Combining of embeddings is considered in "Linear Ensembles of Word Embedding Models" (Muromagi et al, 2017) where an ensemble is created for performing Word2Vec tasks on a small corpus. The technique in Muromagi of combining embeddings (matrices) through a process called "orthogonal Procrustes" leads to more accurate representations of combined embeddings compared to least squares regression. Orthogonal Procrustes produces an orthogonal matrix, given matrices A and B, so that A can be transformed to (closely match) B. As there are multiple matrices to be combined and one matrix is to represent all of them, this process can be adapted into a linear optimisation problem so that the process can be run iteratively to produce a matrix as an embedding rather than an orthogonal matrix. Thus, in the above described exemplary embodiments, combining vector representations into a single vector representation for a node can be performed by generating an orthogonal transformation vector for each of a plurality of pairs of vector representations for the node such that the orthogonal transformation vector transforms a first vector in the pair to a second vector in the pair. Linear optimisation is then performed on the orthogonal transformation vectors by linear regression. Thus, the different embeddings from each Node2Vec iteration on the same graph and parameters can be combined to produce a representative embedding of the graph.
To evaluate the model, a baseline is required to compare an embedding with, as previously described. This baseline graph (and resulting vector embedding) should represent the normal state of the environment. The baseline graph can also be an aggregation of graphs which is especially advantageous if time windows are to be used to observe changes.
As previously described, a baseline graph and embedding are generated for a period of time where traffic behaviour is expected to be normal (nothing malicious occurring). Since traffic can change over time (and may have temporal, seasonal or other effects, such as peak and off-peak work hours), time windows can be used to observe traffic during different periods of time. When constructing a baseline graph multiple constant observations are aggregated to form the baseline graph.
During observations of live data at a production time of operation of computer systems, new (subsequent) graphs are generated which have the same nodes as the baseline graph (but not necessarily the same edges and edge properties which depend on the intercommunications between the computer systems). Before the subsequent graph can be used it is preferably aggregated with the baseline graph to smooth out any noise. Once the observed graph has been aggregated and smoothed, it goes through the Node2Vec and Procrustes mechanisms to produce another representative embedding to be used for comparing with the baseline embedding.
The two representative embeddings, baseline and subsequent observation, can be compared to show how a node has changed behaviour (how the edges have changed) between baseline and subsequent observation. Since an embedding is a collection of vectors, the vectors of the same word (i.e. node having a node identifier) from each embedding are compared against each other using the vector similarity function. For example, cosine similarity can be used to show how parallel two vectors are -parallel vectors have a score of 1, perpendicular vectors have a score of 0 and opposite-facing vectors have a score of -1. Other similarity scores can be used as will be apparent to those skilled in the art.
For example, network traffic can be collected to generate a baseline representational embedding and production (subsequent) representational embeddings. A time window of one hour can be used per observation and a full day's worth of traffic is to be used to generate the baseline. The 24 hours of data can be divided into 24 observations and each one of them can be converted into a graph in which each node represents a computer system in the set 200 and each edge represents a property of a connection between two systems. Some properties can include the number of connections made, number of packets or bytes sent or some other suitable observable property. The 24 network graphs are then aggregated into one graph by, for example, taking a mean of each edge property. The resulting aggregate graph is processed iteratively through Node2Vec with the resulting vectors merged by the Procrustes mechanism to produce a representative embedding of the baseline graph.
During observation of live data from the set 200 of computer systems operating in a production mode of operation, new one-hour network graphs are generated as subsequent graphs with the same edge property used in the baseline graph. Each subsequent network graph is aggregated (and averaged) with the baseline to smooth out any noise (consequently resulting in a 25-hour averaged subsequent network graph). The process of Node2Vec and Procrustes is applied iteratively to the averaged subsequent graph to create a new representative embedding which can be used for comparison.
Each generated embedding arising from a subsequent graph is compared with the baseline embedding using a similarity function as previously described. For each node in the embeddings a similarity score will show how much a computer system represented by the node has changed behaviour. If cosine similarity is used, a score close to 1 means the node did not change behaviour (constant connections maintained), whereas a score closer to -1 means the node dramatically changed behaviour, possibly meaning it was performing an attack. Where an attack is indicated, reactive measures can be employed such as the protective measures previously described.
Insofar as embodiments of the invention described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present invention. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilises the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present invention.
It will be understood by those skilled in the art that, although the present invention has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention.
The scope of the present invention includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.

Claims (14)

  1. CLAIMS1. A computer implemented method of identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems, each computer system in the set being uniquely identifiable, the method comprising: monitoring communication between computer systems in the set for a predetermined baseline time period to generate a baseline graph representation of the systems in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set; for each node in the baseline graph, generating a baseline vector representation based on a combination of a plurality of walks of the graph for the node; monitoring communication between computer systems in the set of computer systems for a subsequent predetermined time period to generate a subsequent graph representation of the computer systems comparable with the baseline graph; for each node in the subsequent graph, generating a subsequent vector representation based on a combination of a plurality of walks of the graph for the node; for each computer system in at least a subset of the set, comparing the baseline and subsequent vector representations for a node corresponding to the computer system using a vector similarity function to identify behaviour of the computer system in the subsequent time 20 period that is anomalous in comparison to behaviour of the computer system in the baseline time period.
  2. 2. The method of any preceding claim wherein the combination of a plurality of walks for a node is generated by the steps of: generating a vector representation for each of a plurality of random walks of the graph from the node to constitute a set of vector representations; and combining the vector representations in the set into a single vector representation for the node.
  3. 3. The method of claim 2 wherein combining the vector representations into a single vector representation includes calculating a sample average vector representation based on the set of vector representations.
  4. 4. The method of claim 2 wherein combining the vector representations into a single vector representation for a node includes generating an orthogonal transformation vector for 35 each of a plurality of pairs of vector representations for the node such that the orthogonal transformation vector transforms a first vector in the pair to a second vector in the pair, and performing linear optimisation on the orthogonal transformation vectors by linear regression.
  5. 5. The method of any preceding claim wherein the vector similarity function is a cosine similarity function.
  6. 6. The method of any preceding claim wherein the characteristic of communication includes one or more of: a flow of network traffic from a source computer system to a target computer system; and a volume of data communicated from a source computer system to a 10 target computer system.
  7. 7. The method of claim 6 wherein a direction of an edge in a graph corresponds to a net direction of flow of network traffic between source and target computer systems.
  8. 8. The method of any of claims 6 and 7 wherein a weight of an edge in a graph corresponds to a volume of data communicated.
  9. 9. The method of any preceding claim wherein the direction of an edge in a graph corresponds to the reverse of a net direction of flow of network traffic between a source and 20 target computer systems.
  10. 10. The method of any preceding claim further comprising, responsive to the identification of a computer system exhibiting anomalous behaviour, implementing protective measures for one or more computer systems in the set to protect against malicious communication involving the computer system exhibiting anomalous behaviour.
  11. 11. The method of claim 10 wherein the protective measures include one or more of: preventing network communication to and/or from a particular computer system; performing an antimalware task on one or more of the computer systems; disconnecting one or more of the computer systems; and increasing a level of monitoring of network communication with one or more computer systems.
  12. 12. The method of any preceding claim wherein the predetermined baseline time period corresponds to at least part of a time period when the set of intercommunicating computer 35 systems are separated from influence by malicious agents.
  13. 13. A computer system including a processor and memory storing computer program code for performing the steps of the method of any preceding claim.
  14. 14. A computer program element comprising computer program code to, when loaded 5 into a computer system and executed thereon, cause the computer to perform the steps of a method as claimed in any of claims 1 to 12.
GB1917557.9A 2018-12-03 2019-12-02 Anomalous network node behaviour identification Active GB2581011B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GBGB1819703.8A GB201819703D0 (en) 2018-12-03 2018-12-03 Anomalous network node behaviour identification

Publications (3)

Publication Number Publication Date
GB201917557D0 GB201917557D0 (en) 2020-01-15
GB2581011A true GB2581011A (en) 2020-08-05
GB2581011B GB2581011B (en) 2021-12-01

Family

ID=65024757

Family Applications (2)

Application Number Title Priority Date Filing Date
GBGB1819703.8A Ceased GB201819703D0 (en) 2018-12-03 2018-12-03 Anomalous network node behaviour identification
GB1917557.9A Active GB2581011B (en) 2018-12-03 2019-12-02 Anomalous network node behaviour identification

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GBGB1819703.8A Ceased GB201819703D0 (en) 2018-12-03 2018-12-03 Anomalous network node behaviour identification

Country Status (1)

Country Link
GB (2) GB201819703D0 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210067524A1 (en) * 2019-08-26 2021-03-04 The Western Union Company Detection of a malicious entity within a network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140245443A1 (en) * 2013-02-27 2014-08-28 Sayan Chakraborty Cyber Defense Systems And Methods
US9798876B1 (en) * 2015-08-19 2017-10-24 Symantec Corporation Systems and methods for creating security profiles
US20180103052A1 (en) * 2016-10-11 2018-04-12 Battelle Memorial Institute System and methods for automated detection, reasoning and recommendations for resilient cyber systems
US20180336437A1 (en) * 2017-05-19 2018-11-22 Nec Laboratories America, Inc. Streaming graph display system with anomaly detection

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140245443A1 (en) * 2013-02-27 2014-08-28 Sayan Chakraborty Cyber Defense Systems And Methods
US9798876B1 (en) * 2015-08-19 2017-10-24 Symantec Corporation Systems and methods for creating security profiles
US20180103052A1 (en) * 2016-10-11 2018-04-12 Battelle Memorial Institute System and methods for automated detection, reasoning and recommendations for resilient cyber systems
US20180336437A1 (en) * 2017-05-19 2018-11-22 Nec Laboratories America, Inc. Streaming graph display system with anomaly detection

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210067524A1 (en) * 2019-08-26 2021-03-04 The Western Union Company Detection of a malicious entity within a network
US11509687B2 (en) * 2019-08-26 2022-11-22 The Western Union Company Detection of a malicious entity within a network

Also Published As

Publication number Publication date
GB2581011B (en) 2021-12-01
GB201917557D0 (en) 2020-01-15
GB201819703D0 (en) 2019-01-16

Similar Documents

Publication Publication Date Title
US11552977B2 (en) Anomalous network node behavior identification using deterministic path walking
Kalech Cyber-attack detection in SCADA systems using temporal pattern recognition techniques
CN107465651B (en) Network attack detection method and device
RU2676021C1 (en) DDoS-ATTACKS DETECTION SYSTEM AND METHOD
JP2023512507A (en) Cyber detection fuzzy pattern matching
JP7425832B2 (en) Pattern matching based detection in IoT security
Xiao et al. Towards network anomaly detection using graph embedding
US20240089278A1 (en) Anomalous network behaviour identification
US20230252145A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
Frye et al. An ontology-based system to identify complex network attacks
Cao et al. Behavior-based community detection: Application to host assessment in enterprise information networks
GB2581011A (en) Anomalous network node behaviour identification
Ya et al. An automatic approach to extract the formats of network and security log messages
US20230048076A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
JP6666475B2 (en) Analysis apparatus, analysis method and analysis program
Nwokoye et al. Scan-Based Worms: The Impact of IPV4 Address Space on Epidemic Computer Network Models.
US20230254340A1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
Kong et al. Semantic aware attribution analysis of remote exploits
Jianguo et al. Botnet detection method analysis on the effect of feature extraction
Alata et al. An automated approach to generate web applications attack scenarios
US20230252146A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
US20240211595A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
Manoj et al. Explainable autonomic cybersecurity for industrial control systems
US20230252143A1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
RU2665919C1 (en) System and method of determination of ddos-attacks under failure of service servers