Conventional anomaly detection approaches generally do not monitor internal network communications, but rather monitor communications that cross the network perimeter. Accordingly, once attackers have penetrated the perimeter, they are not analyzed in a statistical way. Signature-based approaches exist that attempt to match previously known intrusion behavior with observed behavior.
However, signature-based approaches have the disadvantage of being unable to detect new behavior, and almost all attacks are new. Also, conventional approaches generally do not model individual edges. Accordingly, an improved way to detect attackers that models individual edges, and more particularly, the creation of new edges (i.e., communications between a pair of computers that have not communicated in the past), may be beneficial.