Network Anomaly Detection via Persistent Homology
Date
2019-01-01
Department
Computer Science and Electrical Engineering
Program
Computer Science
Rights
Distribution Rights granted to UMBC by the author.
Access limited to the UMBC community. Item may possibly be obtained via Interlibrary Loan through a local library, pending author/copyright holder's permission.
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Abstract
Network anomaly detection has wide-ranging applications, including fraud prevention and cybersecurity. This paper introduces several methods of network anomaly detection derived from topological data analysis (TDA). At a high level, TDA captures the qualitative geometric features of data. The primary tool of TDA is persistent homology, which is used to analyze the "holes" present in data. When applied to networks, the generated features provide insight into global and local trends. Specifically, we employ persistence landscapes generated directly from the weight ranked clique filtration (WRCF) of communication graphs. This obviates the need for graph embedding. The graph construction is application dependent, with communications frequency being the natural choice for edge weight in most cases. Applying persistent homology to this filtration yields a persistence landscape, which is used as a graph invariant. This research aims to show that anomalous behavior corresponds to detectable deviation from previous persistence landscapes. By calculating the persistence landscapes of local neighborhoods around individual vertices over time, suspicious behavior can be detected. The persistence landscapes of the entire network over time are used to detect global changes in behavior corresponding to major events.