ANOMALOUS NETWORK NODE BEHAVIOUR IDENTIFICATION USING DETERMINISTIC PATH WALKING
Abstract
A computer implemented method of identifying anomalous behaviour of a computer system in a set of intercommunicating computer systems, each computer system in the set being uniquely identifiable, the method comprising: monitoring communication between computer systems in the set for a predetermined baseline time period to generate a baseline vector representation of each of the systems; monitoring communication between computer systems in the set for a subsequent predetermined time period to generate a subsequent vector representation of each of the systems; comparing baseline and subsequent vector representations corresponding to a target computer system using a vector similarity function to identify anomalous behaviour of the target system in the subsequent time period compared to the baseline time period, characterised in that a vector representation of the target system for a time period is generated based on a deterministic walk of a graph representation of communications between the computer systems in which nodes of the graph correspond to computer systems in the set and weighted directed edges between nodes of the graph correspond to a characteristic of communication between pairs of computer systems in the set.
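The pipeline the abstract describes, sketched as an added example that is not taken from the patent. The abstract does not specify the walk rule, the vector construction or the similarity function, so the choices here are assumptions: the walk always follows the heaviest outgoing edge (ties broken by node id), the vector is the walk's visit counts per node, similarity is cosine with a 0.8 threshold, and the host names and flow weights are constructed.

```python
from collections import defaultdict
from math import sqrt

def build_graph(flows):
    """flows: (src, dst, weight) tuples -> {src: {dst: summed weight}}."""
    graph = defaultdict(lambda: defaultdict(float))
    for src, dst, weight in flows:
        graph[src][dst] += weight
    return graph

def deterministic_walk(graph, start, steps):
    """Assumed rule: follow the heaviest outgoing edge, ties broken by node id,
    so the same graph always produces the same path (no randomness)."""
    path, node = [start], start
    for _ in range(steps):
        out = graph.get(node)
        if not out:  # node sends no traffic: the walk ends here
            break
        node = min(out, key=lambda n: (-out[n], n))
        path.append(node)
    return path

def walk_vector(graph, start, nodes, steps=4):
    """Assumed representation: visit counts of the walk over a fixed node order."""
    path = deterministic_walk(graph, start, steps)
    return [path.count(n) for n in nodes]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def is_anomalous(baseline_flows, subsequent_flows, target, nodes, threshold=0.8):
    """Compare the target's baseline and subsequent vectors; low similarity flags it."""
    base = walk_vector(build_graph(baseline_flows), target, nodes)
    later = walk_vector(build_graph(subsequent_flows), target, nodes)
    score = cosine(base, later)
    return score < threshold, score

# Constructed sample flows: (source host, destination host, bytes-like weight).
NODES = ["db", "dns", "ext", "web", "ws1"]
BASELINE = [("ws1", "web", 120), ("ws1", "dns", 30), ("web", "db", 200),
            ("db", "web", 180), ("dns", "ws1", 30)]
# In the later period ws1 sends most of its traffic to a previously unseen host.
SUBSEQUENT = BASELINE + [("ws1", "ext", 900), ("ext", "ws1", 40)]

if __name__ == "__main__":
    for host in ("ws1", "web"):
        print(host, is_anomalous(BASELINE, SUBSEQUENT, host, NODES))
```

Because the walk is deterministic, a changed vector can only come from changed edges or weights, which keeps the similarity score reproducible between runs.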