Detecting malicious activity within an enterprise computer network can be framed as a temporal link prediction task: given a sequence of graphs representing communications between hosts over time, the goal is to predict which edges should--or should not--occur in the future. However, standard temporal link prediction algorithms are ill-suited for computer network monitoring as they do not take account of the peculiar short-term dynamics of computer network activity, which exhibits sharp seasonal variations. In order to build a better model, we propose a source separation-inspired description of computer network activity: at each time step, the observed graph is a mixture of subgraphs representing various sources of activity, and short-term dynamics result from changes in the mixing coefficients. Both qualitative and quantitative experiments demonstrate the validity of our approach.

翻译：检测企业计算机网络中的恶意活动可以被视为一个时间链接预测任务：在表示主机之间通信的一系列图像中，目标是预测未来哪些边缘应该或不应该出现。然而，标准的时间链接预测算法不适用于计算机网络监控，因为它们没有考虑到计算机网络活动的奇特短期动态，这具有明显的季节性变化。为了建立一个更好的模型，我们提出了一个基于源分离的计算机网络活动描述：在每个时间步骤中，观察到的图像是各种活动来源的子图像的混合物，而短期动态则是混合系数的变化所导致的。定性和定量实验都表明了我们方法的有效性。