Dependency-Based Link Prediction for Learning Microsegmentation Policy

Abstract

This paper describes a novel approach for predicting future links in cyber networks and applying the predictions to learn optimal microsegmentation policy rules. While link prediction has been applied for anomaly detection in computer networks, ours is the first application of link prediction for formulating network access policy. Link prediction adds an element of adaptivity for building baseline policy models, by predicting near-term requirements for network access. For predicting new links, those observed by at least one member of a node group are predicted to occur for all other members. This is a novel departure from the usual approach to link prediction, which is based on node affinity rather than shared dependencies. In our experiments with real enterprise network data, our approach significantly outperforms traditional link prediction, in which we apply established formulas for node similarity when comparing affinity-based versus dependency-based edge induction. For robustness to variation in future network behavior, we tune link prediction models by applying a low-pass signal filter to the prediction-quality curve and adaptively blend argmax and center of mass to optimize the prediction sensitivity parameter.