Technical Field
The present invention relates to computer and network security and, more particularly, to integrated discovery of node community and role in such networks.
Description of the Related Art
Enterprise networks are key systems in corporations and they carry the vast majority of mission-critical information. As a result of their importance, these networks are often the targets of attack. Communications on enterprise networks are therefore frequently monitored and analyzed to detect anomalous network communication as a step toward detecting attacks.
There are many challenges to overcome in detecting such communications. First, a typical enterprise network may include hundreds, or even many thousands, of hosts, and each host may generate hundreds of network connections per second. The total data volume of a mid-sized enterprise network can easily reach terabyte scales in a matter of hours. In addition, enterprise networks may have very complex structures, with both the network and the entities it connects evolving over time; a detection system must track these changes and maintain an accurate model. Furthermore, labeled training data for automatically detecting anomalous activity is often unavailable or difficult to produce, and a detector trained on such data cannot recognize attacks that are not represented in the training corpus.
Existing approaches to real-time threat detection suffer from a lack of accuracy, are inflexible in the face of changing attack patterns, or do not scale to the data volumes and structural complexity of large enterprise networks.