A machine learning procedure to detect network attacks

TL;DR

This paper evaluates simple machine learning algorithms, specifically k-Nearest Neighbor and Random Forest, for detecting targeted network attacks using graph metrics, successfully identifying certain attack types in artificial and real networks.

Contribution

It introduces a method using basic machine learning classifiers and graph metrics to detect specific network attacks, demonstrating effectiveness for targeted node deletions.

Findings

Successfully detects maximum-degree and maximum-betweenness attacks

Fails to identify random failures in networks

Provides a basis for network attack analysis and detection

Abstract

The goal of this note is to assess whether simple machine learning algorithms can be used to determine whether and how a given network has been attacked. The procedure is based on the $k$-Nearest Neighbor and the Random Forest classification schemes, using both intact and attacked Erd\H{o}s-R\'enyi, Barabasi-Albert and Watts-Strogatz networks to train the algorithm. The types of attacks we consider here are random failures and maximum-degree or maximum-betweenness node deletion. Each network is characterized by a list of 4 metrics, namely the normalized reciprocal maximum degree, the global clustering coefficient, the normalized average path length and the assortativity: a statistical analysis shows that this list of graph metrics is indeed significantly different in intact or damaged networks. We test the procedure by choosing both artificial and real networks, performing the attacks and applying the classification algorithms to the resulting graphs: the procedure discussed here turns out to be able to distinguish between intact networks and those attacked by the maximum-degree of maximum-betweenness deletions, but cannot detect random failures. Our results suggest that this approach may provide a basis for the analysis and detection of network attacks.