Detecting malicious activity within an enterprise computer network can be framed as a temporal link prediction task: given a sequence of graphs representing communications between hosts over time, the goal is to predict which edges should, or should not, occur in the future. However, standard temporal link prediction algorithms are ill-suited for computer network monitoring because they do not take into account the peculiar short-term dynamics of computer network activity, which exhibits sharp seasonal variations. In order to build a better model, we propose a source separation-inspired description of computer network activity: at each time step, the observed graph is a mixture of subgraphs representing various sources of activity, and short-term dynamics result from changes in the mixing coefficients. Both qualitative and quantitative experiments demonstrate the validity of our approach.
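The following toy illustration of the mixture view is an added example, not code from the paper: an observed graph at one time step is treated as a non-negative combination of fixed source subgraphs, the mixing coefficients are fitted per step, and the next step's edges are scored against the mixture predicted from the previous coefficients. It assumes that the source subgraphs are known in advance (the paper learns them), that coefficients persist from one step to the next, and that a simple observed/predicted ratio is an acceptable edge-level anomaly score; hosts, sources and counts are constructed.

```python
from itertools import product

# Constructed toy network: 4 hosts and two assumed activity sources.
# S_WORK: daytime workstation->server traffic; S_BACKUP: nightly backup flows.
# (The paper learns such sources from data; here they are fixed by hand.)
HOSTS = ["ws1", "ws2", "srv", "bak"]
S_WORK = {("ws1", "srv"): 1.0, ("ws2", "srv"): 1.0}
S_BACKUP = {("srv", "bak"): 1.0, ("ws1", "bak"): 0.5}
SOURCES = [S_WORK, S_BACKUP]
EDGES = [(a, b) for a, b in product(HOSTS, repeat=2) if a != b]

def mix(weights):
    """Expected edge intensity: sum_k w_k * S_k[i, j] for every host pair."""
    return {e: sum(w * s.get(e, 0.0) for w, s in zip(weights, SOURCES)) for e in EDGES}

def fit_weights(observed, steps=500, lr=0.05):
    """Estimate non-negative mixing coefficients for one time step by
    projected gradient descent on the squared error to observed counts."""
    w = [1.0] * len(SOURCES)
    for _ in range(steps):
        pred = mix(w)
        grads = [sum(2 * (pred[e] - observed.get(e, 0.0)) * s.get(e, 0.0) for e in EDGES)
                 for s in SOURCES]
        w = [max(0.0, wk - lr * g) for wk, g in zip(w, grads)]  # project onto w >= 0
    return w

def score_edges(observed, predicted, floor=0.05):
    """Ratio of observed count to predicted intensity; edges the mixture
    cannot explain (predicted ~0) receive a large score."""
    return {e: c / max(predicted[e], floor) for e, c in observed.items()}

def run_example():
    """Fit coefficients on a daytime and a night-time snapshot, then score the
    next night-time snapshot using the night coefficients as the prediction."""
    day = {("ws1", "srv"): 9.0, ("ws2", "srv"): 11.0}
    night = {("srv", "bak"): 4.0, ("ws1", "bak"): 2.0}
    w_day, w_night = fit_weights(day), fit_weights(night)
    # Next step: the same backup pattern plus one flow that no source explains.
    next_night = {**night, ("ws2", "bak"): 3.0}
    scores = score_edges(next_night, mix(w_night))
    return w_day, w_night, scores

if __name__ == "__main__":
    w_day, w_night, scores = run_example()
    print("day coefficients:", [round(x, 2) for x in w_day])
    print("night coefficients:", [round(x, 2) for x in w_night])
    for edge, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(edge, round(s, 1))
```

The day snapshot is explained by the work source alone and the night snapshot by the backup source alone, so the only edge with a high score is the constructed ws2->bak flow that neither source contains.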