Abstract
In this paper, we study the problem of identifying misbehaving network communications using community detection algorithms. Recently, it was shown that identifying the communications that do not respect community boundaries is a promising approach for network intrusion detection. However, it was also shown that traditional community detection algorithms are not suitable for this purpose.
In this paper, we propose a novel method for enhancing community detection algorithms, and show that, contrary to previous work, they provide a good basis for network misbehavior detection. This enhancement extends the disjoint communities identified by these algorithms with a layer of auxiliary communities, so that boundary nodes can belong to several communities. Although non-misbehaving nodes can naturally be in more than one community, we show that the majority of misbehaving nodes belong to multiple overlapping communities; therefore, overlapping community detection algorithms can also be deployed for intrusion detection.
Finally, we present a framework for anomaly detection which uses community detection as its basis. The framework allows incorporation of application-specific filters to reduce the false positives induced by community detection algorithms. Our framework is validated using large email networks and flow graphs created from real network traffic.
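The following is an added example, not code from the paper, that illustrates the two ideas the abstract describes on a small constructed graph: extending a disjoint partition with an auxiliary-community layer so that boundary nodes belong to several communities, and then flagging nodes with many overlapping memberships while an application-specific filter removes legitimate bridging hosts. The graph, the partition (standing in for the output of a disjoint algorithm such as Louvain), the membership rule ("a node is also placed in every community a neighbour belongs to") and the filter ("share of contacts outside the home community") are all assumptions made for illustration; the paper's exact rules are not given in the abstract.

```python
from collections import defaultdict

# Constructed toy communication graph (undirected): three tight groups A, B, C,
# one legitimate bridge edge (a1-b1), a mail relay "m" that mostly serves B but
# also talks to a4 and c4, and a scanning host "s" that probes all three groups.
EDGES = [
    ("a1", "a2"), ("a1", "a3"), ("a1", "a4"), ("a2", "a3"), ("a2", "a4"), ("a3", "a4"),
    ("b1", "b2"), ("b1", "b3"), ("b1", "b4"), ("b2", "b3"), ("b2", "b4"), ("b3", "b4"),
    ("c1", "c2"), ("c1", "c3"), ("c1", "c4"), ("c2", "c3"), ("c2", "c4"), ("c3", "c4"),
    ("a1", "b1"),
    ("m", "b1"), ("m", "b2"), ("m", "b3"), ("m", "b4"), ("m", "a4"), ("m", "c4"),
    ("s", "a2"), ("s", "a3"), ("s", "b2"), ("s", "c2"), ("s", "c3"),
]

# Constructed disjoint partition: stands in for the output of a disjoint
# community detection algorithm, where every node has exactly one home community.
PARTITION = {
    **{n: "A" for n in ["a1", "a2", "a3", "a4", "s"]},
    **{n: "B" for n in ["b1", "b2", "b3", "b4", "m"]},
    **{n: "C" for n in ["c1", "c2", "c3", "c4"]},
}


def adjacency(edges):
    """Build an undirected adjacency map from an edge list."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def overlapping_memberships(adj, partition):
    """Auxiliary-community layer (assumed rule): a node keeps its home community
    and is additionally placed in every community one of its neighbours belongs
    to, so boundary nodes end up in several overlapping communities."""
    members = {}
    for node, home in partition.items():
        comms = {home}
        for nb in adj[node]:
            comms.add(partition[nb])
        members[node] = frozenset(comms)
    return members


def boundary_crossing_edges(edges, partition):
    """Communications that do not respect the disjoint community boundaries."""
    return [(u, v) for u, v in edges if partition[u] != partition[v]]


def detect(adj, partition, min_communities=3, min_outside_fraction=0.5):
    """Two-stage detector. Stage 1: candidates are nodes that belong to at least
    `min_communities` overlapping communities. Stage 2: an application-specific
    filter (assumed here: share of a node's contacts outside its home community)
    drops well-connected legitimate hubs that merely bridge a few groups.
    Returns (candidates, flagged)."""
    members = overlapping_memberships(adj, partition)
    candidates = {n for n, c in members.items() if len(c) >= min_communities}
    flagged = set()
    for n in candidates:
        outside = sum(1 for nb in adj[n] if partition[nb] != partition[n])
        if outside / len(adj[n]) >= min_outside_fraction:
            flagged.add(n)
    return candidates, flagged


if __name__ == "__main__":
    adj = adjacency(EDGES)
    cands, flagged = detect(adj, PARTITION)
    print("boundary-crossing edges:", boundary_crossing_edges(EDGES, PARTITION))
    print("candidates:", sorted(cands), "flagged after filter:", sorted(flagged))
```

On this graph both the relay `m` and the scanner `s` end up in all three communities and become candidates, which is exactly the false-positive problem the abstract attributes to raw community detection; the outside-contact filter keeps `s` (most of its contacts leave its home community) and drops `m`. In practice the thresholds and the filter would be chosen per application (email vs. flow graphs), as the framework's pluggable filters suggest.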
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Moradi, F., Olovsson, T., Tsigas, P. (2014). Overlapping Communities for Identifying Misbehavior in Network Communications. In: Tseng, V.S., Ho, T.B., Zhou, ZH., Chen, A.L.P., Kao, HY. (eds) Advances in Knowledge Discovery and Data Mining. PAKDD 2014. Lecture Notes in Computer Science(), vol 8443. Springer, Cham. https://doi.org/10.1007/978-3-319-06608-0_33
DOI: https://doi.org/10.1007/978-3-319-06608-0_33
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-06607-3
Online ISBN: 978-3-319-06608-0
eBook Packages: Computer Science (R0)