Skip to main content
SpringerLink
Log in

Multilayer Block Models for Exploratory Analysis of Computer Event Logs

  • Conference paper
  • First Online:
Complex Networks and Their Applications XI (COMPLEX NETWORKS 2016 2022)

Part of the book series: Studies in Computational Intelligence ((SCI,volume 1077))

Included in the following conference series:

  • 1623 Accesses

Abstract

We investigate a graph-based approach to exploratory data analysis in the context of network security monitoring. Given a possibly large batch of event logs describing ongoing activity, we first represent these events as a bipartite multiplex graph. We then apply a model-based biclustering algorithm to extract relevant clusters of entities and interactions between these clusters, thereby providing a simplified situational picture. We illustrate this methodology through two case studies addressing network flow records and authentication logs, respectively. In both cases, the inferred clusters reveal the functional roles of entities as well as relevant behavioral patterns. Displaying interactions between these clusters also helps uncover malicious activity. Our code is available at https://github.com/cl-anssi/MultilayerBlockModels.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 349.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 449.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 449.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    TCP/20 (FTP-Data), TCP/21 (FTP), TCP/22 (SSH), TCP/23 (Telnet), TCP/25 (SMTP), TCP/53 (DNS), TCP/80 (HTTP), TCP/443 (HTTPS), TCP/465 (SMTPS), and TCP/587 (SMTP message submission).

References

  1. Ball, R., Fink, G.A., North, C.: Home-centric visualization of network traffic for security administration. In: VizSec/DMSec (2004)

    Google Scholar 

  2. Barbillon, P., Donnet, S., Lazega, E., Bar-Hen, A.: Stochastic block models for multiplex networks: an application to a multilevel network of researchers. J. R. Stat. Soc. A Stat. 180(1), 295–314 (2017)

    Article  MathSciNet  Google Scholar 

  3. Biernacki, C., Celeux, G., Govaert, G.: Assessing a mixture model for clustering with the integrated completed likelihood. IEEE Trans. Pattern Anal. Mach. Intell. 22(7), 719–725 (2000)

    Article  Google Scholar 

  4. Côme, E., Latouche, P.: Model selection and clustering in stochastic block models based on the exact integrated complete data likelihood. Stat. Model. 15(6), 564–589 (2015)

    Article  MathSciNet  MATH  Google Scholar 

  5. Corneli, M., Latouche, P., Rossi, F.: Exact ICL maximization in a non-stationary time extension of the latent block model for dynamic networks. In: ESANN (2015)

    Google Scholar 

  6. De Bacco, C., Power, E.A., Larremore, D.B., Moore, C.: Community detection, link prediction, and layer interdependence in multilayer networks. Phys. Rev. E 95(4), 042317 (2017)

    Article  Google Scholar 

  7. Dhillon, I.S.: Co-clustering documents and words using bipartite spectral graph partitioning. In: KDD (2001)

    Google Scholar 

  8. Fischer, F., Mansmann, F., Keim, D.A., Pietzko, S., Waldvogel, M.: Large-scale network monitoring for visual analysis of attacks. In: VizSec (2008)

    Google Scholar 

  9. Glatz, E., Mavromatidis, S., Ager, B., Dimitropoulos, X.: Visualizing big network traffic data using frequent pattern mining and hypergraphs. Computing 96(1), 27–38 (2014)

    Article  Google Scholar 

  10. Govaert, G., Nadif, M.: Clustering with block mixture models. Pattern Recognit. 36(2), 463–473 (2003)

    Article  MATH  Google Scholar 

  11. Govaert, G., Nadif, M.: Block clustering with Bernoulli mixture models: comparison of different approaches. Comput. Stat. Data Anal. 52(6), 3233–3245 (2008)

    Article  MathSciNet  MATH  Google Scholar 

  12. Govaert, G., Nadif, M.: Latent block model for contingency table. Commun. Stat. Theory Methods 39(3), 416–425 (2010)

    Article  MathSciNet  MATH  Google Scholar 

  13. Hartigan, J.A.: Direct clustering of a data matrix. J. Am. Stat. Assoc. 67(337), 123–129 (1972)

    Article  Google Scholar 

  14. Kent, A.D.: Comprehensive, multi-source cyber-security events. Los Alamos National Laboratory (2015)

    Google Scholar 

  15. Kent, A.D.: Cybersecurity data sources for dynamic network research. In: Dynamic Networks in Cybersecurity. Imperial College Press (2015)

    Google Scholar 

  16. Keribin, C., Brault, V., Celeux, G., Govaert, G.: Estimation and selection for the latent block model on categorical data. Stat. Comput. 25(6), 1201–1216 (2015)

    Article  MathSciNet  MATH  Google Scholar 

  17. Kivelä, M., Arenas, A., Barthelemy, M., Gleeson, J.P., Moreno, Y., Porter, M.A.: Multilayer networks J. Complex Netw. 2(3), 203–271 (2014)

    Google Scholar 

  18. Kluger, Y., Basri, R., Chang, J.T., Gerstein, M.: Spectral biclustering of microarray data: coclustering genes and conditions. Genome Res. 13(4), 703–716 (2003)

    Article  Google Scholar 

  19. Lomet, A., Govaert, G., Grandvalet, Y.: Model selection in block clustering by the integrated classification likelihood. In: COMPSTAT (2012)

    Google Scholar 

  20. Metelli, S., Heard, N.: On Bayesian new edge prediction and anomaly detection in computer networks. Ann. Appl. Stat. 13(4), 2586–2610 (2019)

    Article  MathSciNet  MATH  Google Scholar 

  21. Paul, S., Chen, Y.: Consistent community detection in multi-relational data through restricted multi-layer stochastic blockmodel. Electron. J. Stat. 10(2), 3807–3870 (2016)

    Article  MathSciNet  MATH  Google Scholar 

  22. Peixoto, T.P.: Inferring the mesoscale structure of layered, edge-valued, and time-varying networks. Phys. Rev. E 92(4), 042807 (2015)

    Article  Google Scholar 

  23. Siadati, H., Saket, B., Memon, N.: Detecting malicious logins in enterprise networks using visualization. In: VizSec (2016)

    Google Scholar 

  24. Stanley, N., Shai, S., Taylor, D., Mucha, P.J.: Clustering network layers with the strata multilayer stochastic block model. IEEE Trans. Netw. Sci. Eng. 3(2), 95–105 (2016)

    Article  MathSciNet  Google Scholar 

  25. Taylor, T., Paterson, D., Glanfield, J., Gates, C., Brooks, S., McHugh, J.: Flovis: Flow visualization system. In: CATCH (2009)

    Google Scholar 

  26. Whiting, M., Cook, K., Paul, C., Whitley, K., Grinstein, G., Nebesh, B., Liggett, K., Cooper, M., Fallon, J.: Vast challenge 2013: Situation awareness and prospective analysis. In: VAST (2013)

    Google Scholar 

  27. Wyse, J., Friel, N., Latouche, P.: Inferring structure in bipartite networks using the latent blockmodel and exact ICL. Netw. Sci. 5(1), 45–69 (2017)

    Article  Google Scholar 

  28. Yin, X., Yurcik, W., Treaster, M., Li, Y., Lakkaraju, K.: Visflowconnect: netflow visualizations of link relationships for security situational awareness. In: VizSec/DMSec (2004)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. French National Cybersecurity Agency (ANSSI), Paris, France

    Corentin Larroche

Authors
  1. Corentin Larroche
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Corentin Larroche .

Editor information

Editors and Affiliations

  1. University of Burgundy, Dijon, France

    Hocine Cherifi

  2. Dipartimento di Fisica e Chimica Emilio Segrè, Università degli Studi Palermo, Palermo, Italy

    Rosario Nunzio Mantegna

  3. Thomas J. Watson College of Engineering and Applied Science, Binghamton University, Binghamton, NY, USA

    Luis M. Rocha

  4. IUT Lumière - Université Lyon 2, University of Lyon, Bron, France

    Chantal Cherifi

  5. Dipartimento di Fisica e Chimica Emilio Segrè, Università degli Studi Palermo, Palermo, Italy

    Salvatore Miccichè

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Larroche, C. (2023). Multilayer Block Models for Exploratory Analysis of Computer Event Logs. In: Cherifi, H., Mantegna, R.N., Rocha, L.M., Cherifi, C., Miccichè, S. (eds) Complex Networks and Their Applications XI. COMPLEX NETWORKS 2016 2022. Studies in Computational Intelligence, vol 1077. Springer, Cham. https://doi.org/10.1007/978-3-031-21127-0_51

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-21127-0_51

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-21126-3

  • Online ISBN: 978-3-031-21127-0

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

Search

Navigation