Network Anomaly Detection via Persistent Homology

Date

2019-01-01

Department

Computer Science and Electrical Engineering

Program

Computer Science

Rights

Distribution Rights granted to UMBC by the author.
Access limited to the UMBC community. Item may possibly be obtained via Interlibrary Loan through a local library, pending author/copyright holder's permission.
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.

Abstract

Network anomaly detection has wide-ranging applications, including fraud prevention and cybersecurity. This paper introduces several methods of network anomaly detection derived from topological data analysis (TDA). At a high level, TDA captures the qualitative geometric features of data. The primary tool of TDA is persistent homology, which is used to analyze the "holes" present in data. When applied to networks, the generated features provide insight into global and local trends. Specifically, we employ persistence landscapes generated directly from the weight ranked clique filtration (WRCF) of communication graphs. This obviates the need for graph embedding. The graph construction is application dependent, with communications frequency being the natural choice for edge weight in most cases. Applying persistent homology to this filtration yields a persistence landscape, which is used as a graph invariant. This research aims to show that anomalous behavior corresponds to detectable deviation from previous persistence landscapes. By calculating the persistence landscapes of local neighborhoods around individual vertices over time, suspicious behavior can be detected. The persistence landscapes of the entire network over time are used to detect global changes in behavior corresponding to major events.
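
The pipeline the abstract describes, carried through on a toy graph as an added example (not code from the thesis): build the WRCF of a communication graph, compute its degree-1 persistence intervals, and compare the landscapes of two time windows. Assumptions made here: all vertices enter at step 0, cycles that never close are capped at `end`, the landscapes are compared in sup norm on a half-step grid, and every function name and the sample traffic are constructed for illustration.

```python
from itertools import combinations

def wrcf(edges):
    """Weight rank clique filtration of {(u, v): weight}: heaviest edges enter first."""
    rank = {w: i + 1 for i, w in enumerate(sorted(set(edges.values()), reverse=True))}
    step = {tuple(sorted(e)): rank[w] for e, w in edges.items()}
    verts = sorted({v for e in step for v in e})
    simplices = [(0, (v,)) for v in verts] + [(s, e) for e, s in step.items()]
    for tri in combinations(verts, 3):           # a triangle enters with its last edge
        faces = list(combinations(tri, 2))
        if all(f in step for f in faces):
            simplices.append((max(step[f] for f in faces), tri))
    return sorted(simplices, key=lambda x: (x[0], len(x[1]), x[1]))

def h1_bars(filtration, end):
    """Degree-1 persistence intervals (birth, death) by Z/2 column reduction."""
    index = {s: i for i, (_, s) in enumerate(filtration)}
    reduced, pivot_of, bars = {}, {}, []
    for j, (_, s) in enumerate(filtration):
        col = {index[f] for f in combinations(s, len(s) - 1)} if len(s) > 1 else set()
        while col and max(col) in pivot_of:
            col = col ^ reduced[pivot_of[max(col)]]
        if col:
            reduced[j], pivot_of[max(col)] = col, j
    for i, (born, s) in enumerate(filtration):
        if len(s) == 2 and i not in reduced:     # edge that closed a cycle
            died = filtration[pivot_of[i]][0] if i in pivot_of else end
            if died > born:
                bars.append((born, died))
    return sorted(bars)

def landscape(bars, k, t):
    """k-th persistence landscape function evaluated at t."""
    tents = sorted((max(0.0, min(t - b, d - t)) for b, d in bars), reverse=True)
    return tents[k - 1] if k <= len(tents) else 0.0

def distance(edges_a, edges_b, end=6, depth=2):
    """Sup-norm gap between the H1 landscapes of two traffic windows."""
    a, b = h1_bars(wrcf(edges_a), end), h1_bars(wrcf(edges_b), end)
    grid = [i / 2 for i in range(2 * end + 1)]
    return max(abs(landscape(a, k, t) - landscape(b, k, t))
               for k in range(1, depth + 1) for t in grid)

# Constructed sample windows: edge weight = message count between two hosts.
BASELINE = {("a", "b"): 10, ("b", "c"): 9, ("c", "d"): 8, ("d", "a"): 7, ("a", "c"): 2}
BUSIER = {e: 3 * w for e, w in BASELINE.items()}                  # same pattern, more volume
CHANGED = {e: w for e, w in BASELINE.items() if e != ("a", "c")}  # a-c link goes silent

if __name__ == "__main__":
    print(distance(BASELINE, BUSIER), distance(BASELINE, CHANGED))
```

Because the filtration uses weight ranks rather than raw weights, tripling all traffic leaves the landscape unchanged, while the loss of a single link shifts it by a measurable amount.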