Dynamic Link Anomaly Analysis for Network Security Management

Abstract

Network management is challenging due to ever increasing complexity and dynamics of network interactions. While many changes in networks are normal, some changes are not. One of the daily tasks of network administrators is to identify and analyze these abnormal changes that are hard to find by traditional security mechanisms (IDS, firewall, anti-virus, etc.). This research conducts dynamic network analysis (DNA) and presents practical methodologies of data stream mining based dynamic link anomaly analysis (DLAA) using novel sliding time window structures and network analytics metrics. DLAA employs spatiotemporal link analysis to detect anomalies from dynamic network graphs. We formally define the network link anomaly types and use key link-structure similarity metrics and time-weighted functions to model the dynamics of topological changes. The methodology is generic in that it does not require additional information from nodes or links but only the topology itself. The DLAA framework consists of three algorithmic components including sliding time window, link scoring and link anomaly detection algorithms. Through experimental study on publicly available dataset, we demonstrate that the proposed DLAA framework has the capability to construct effective knowledge structures for measuring the security levels of large scale dynamic networks, and to provide insight for generalized DNA in network security domain.