Multilayer Block Models for Exploratory Analysis of Computer Event Logs
Corentin Larroche

TL;DR
This paper presents a graph-based biclustering method for analyzing network security logs, revealing functional roles, behavioral patterns, and malicious activities through cluster interactions.
Contribution
It introduces a novel bipartite multiplex graph model and biclustering algorithm for exploratory analysis of security event logs, demonstrated through real-world case studies.
Findings
Clusters reveal entity roles and behaviors
Interactions uncover malicious activities
Method effective on network flow and authentication logs
Abstract
We investigate a graph-based approach to exploratory data analysis in the context of network security monitoring. Given a possibly large batch of event logs describing ongoing activity, we first represent these events as a bipartite multiplex graph. We then apply a model-based biclustering algorithm to extract relevant clusters of entities and interactions between these clusters, thereby providing a simplified situational picture. We illustrate this methodology through two case studies addressing network flow records and authentication logs, respectively. In both cases, the inferred clusters reveal the functional roles of entities as well as relevant behavioral patterns. Displaying interactions between these clusters also helps uncover malicious activity. Our code is available at https://github.com/cl-anssi/MultilayerBlockModels.
Taxonomy
Topics: Complex Network Analysis Techniques · Network Security and Intrusion Detection · Data Mining Algorithms and Applications
