Dynamic Cluster Analysis to Detect and Track Novelty in Network Telescopes
arXiv (2024)
Abstract
In the context of cybersecurity, tracking the activities of coordinated hosts
over time is a daunting task because both participants and their behaviours
evolve at a fast pace. We address this scenario by solving a dynamic novelty
discovery problem with the aim of both re-identifying patterns seen in the past
and highlighting new patterns. We focus on traffic collected by Network
Telescopes, a primary and noisy source for cybersecurity analysis. We propose a
3-stage pipeline: (i) we learn compact representations (embeddings) of hosts
through their traffic in a self-supervised fashion; (ii) via clustering, we
distinguish groups of hosts performing similar activities; (iii) we track the
cluster temporal evolution to highlight novel patterns. We apply our
methodology to 20 days of telescope traffic during which we observe more than 8
thousand active hosts. Our results show that we efficiently identify 50-70
well-shaped clusters per day, 60-70% of which we associate with already
analysed cases, while we pinpoint 10-20 previously unseen clusters per day.
These correspond to activity changes and new incidents, of which we document
some. In short, our novelty discovery methodology enormously simplifies the
manual analysis the security analysts have to conduct to gain insights to
interpret novel coordinated activities.
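Stage (iii) of the pipeline, the day-to-day tracking that re-identifies known clusters and flags unseen ones, as an added illustration that is not the paper's code: each day's clusters are summarised by a centroid of their hosts' embeddings, matched against every cluster seen so far by cosine similarity, and reported as novel when no past cluster is close enough. The similarity cut-off, the 3-d toy embeddings and the `ClusterTracker` name are assumptions of this example.

```python
import math

SIM_THRESHOLD = 0.9  # assumed cut-off for re-identification, not from the paper


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def centroid(vectors):
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(vectors[0]))]


class ClusterTracker:
    """Stage (iii): keep one representative per cluster seen so far and label
    each cluster of a new day as re-identified (past label) or novel."""

    def __init__(self, threshold=SIM_THRESHOLD):
        self.threshold = threshold
        self.known = {}  # label -> centroid embedding of that cluster
        self.next_label = 0

    def update(self, day_clusters):
        """day_clusters: list of clusters, each a list of host embeddings.
        Returns [(label, is_novel), ...] in input order."""
        out = []
        for members in day_clusters:
            c = centroid(members)
            best = max(self.known.items(), key=lambda kv: cosine(c, kv[1]), default=None)
            if best and cosine(c, best[1]) >= self.threshold:
                self.known[best[0]] = c  # follow the drift of a re-identified cluster
                out.append((best[0], False))
            else:
                self.known[self.next_label] = c
                out.append((self.next_label, True))
                self.next_label += 1
        return out


# Constructed 3-d embeddings standing in for stage (i) output (toy values).
DAY1 = [[[1.0, 0.0, 0.1], [0.9, 0.1, 0.0]],    # one coordinated activity
        [[0.0, 1.0, 0.0], [0.1, 0.9, 0.1]]]    # a second one
DAY2 = [[[0.95, 0.05, 0.1], [1.0, 0.0, 0.0]],  # same as DAY1's first: re-identified
        [[0.0, 0.0, 1.0], [0.1, 0.0, 0.9]]]    # unseen pattern: novel


def run_demo():
    tracker = ClusterTracker()
    return tracker.update(DAY1), tracker.update(DAY2)
```

On real telescope data the centroids would come from the self-supervised embeddings of stage (i) and the clusters from stage (ii); the novel labels are the ones an analyst would inspect first.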