Title of invention: METHOD AND SYSTEM FOR IDENTIFYING A THREATENING NETWORK
Abstract: A system and method for identifying a threatening network is provided. The system comprises a network movement before/after algorithm that provides a graphical plot of changes in networks' communications activity from before to after a key event occurs, so that an analyst is able to identify anomalous behavior; a network progression algorithm that provides a graphical plot to analyze behavior in small increments of time without specification or emphasis upon a particular event, so that the analyst is able to see a trend in behavioral changes; a statistical network anomaly ranking algorithm that provides as output a ranked list of the networks; and an anomaly trend graphs algorithm that analyzes and visualizes the networks' anomaly scores over time, so that the analyst is able to see which networks are consistently suspicious, which networks accumulate more suspiciousness in response to an event, and which networks are trending toward more suspiciousness.
Publication number: US2016241584(A1) Publication date: 2016.08.18
Application number: US201615017039 Filing date: 2016.02.05
Applicant: 21CT, Inc. Inventors: HITT Laura; MCCLAIN Matt
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A method for identifying a threatening network, the method comprising: providing a dataset comprising network transaction data of a plurality of networks; performing an AT-SIG algorithm on the dataset; and displaying a graphic output of the AT-SIG algorithm for each of the plurality of networks, wherein the AT-SIG algorithm comprises providing a network movement before/after algorithm that provides a graphical plot of changes in network transaction activity from before to after a specified time, wherein the network movement before/after algorithm, after accepting the specified time, accepting a selection of one or more metrics of interest, and accepting a selection of a time interval duration, performs the steps of: 1) assigning weights to edges between pairs of nodes in a network equal to the average frequency of transactions between the pairs of nodes as the pairs of nodes appear in the time interval duration; 2) randomly sampling from Poisson distributions of the edges to create a sample of each of the networks, and computing a plurality of metrics for the networks to generate a matrix that is N×M in size, wherein N is the cardinality of the plurality of networks and M is the cardinality of the plurality of the metrics of interest; and 3) repeating steps 1) to 2) multiple times to generate multiple samples for the metrics of interest for each network, wherein the network movement before/after algorithm generates a set of samples of metrics of interest for each network before the specified time and a set of samples of metrics of interest for each network after the specified time; wherein the AT-SIG algorithm further comprises one or more of the following: providing a network progression algorithm that provides a graphical plot to analyze behavior in small increments of time without specification or emphasis upon a particular time or event; providing a statistical network anomaly ranking algorithm that provides as output a ranked list of the networks; and providing an anomaly trend graphs algorithm that analyzes and visualizes the networks' anomaly scores over time.
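Steps 1) to 3) of the before/after algorithm in the claim above, sketched in Python as an added example (not code from the patent or from 21CT). The three metrics, the function names and the transaction data are constructed assumptions, since the page names no specific metrics.

```python
import math
import random
from collections import Counter

def edge_weights(transactions, start, end, interval):
    """Step 1: weight of edge (u, v) = average transactions per interval in [start, end)."""
    n_intervals = (end - start) / interval
    counts = Counter((u, v) for t, u, v in transactions if start <= t < end)
    return {edge: c / n_intervals for edge, c in counts.items()}

def poisson(lam, rng):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

# Metrics of interest (M = 3). The page does not name any; these are assumptions.
METRICS = ("volume", "active_edges", "active_nodes")

def metric_row(sampled):
    live = {e: c for e, c in sampled.items() if c > 0}
    nodes = {n for e in live for n in e}
    return [sum(live.values()), len(live), len(nodes)]

def sample_matrix(weights_by_network, rng):
    """Step 2: one Poisson draw per edge, then an N x M matrix of metrics."""
    return [metric_row({e: poisson(w, rng) for e, w in weights.items()})
            for weights in weights_by_network]

def before_after(networks, event_time, window, interval, n_samples, seed=0):
    """Step 3: repeat the sampling; the weights are fixed, so they are computed once."""
    rng = random.Random(seed)
    before = [edge_weights(tx, event_time - window, event_time, interval) for tx in networks]
    after = [edge_weights(tx, event_time, event_time + window, interval) for tx in networks]
    return ([sample_matrix(before, rng) for _ in range(n_samples)],
            [sample_matrix(after, rng) for _ in range(n_samples)])

def column_mean(samples, network, metric):
    return sum(s[network][metric] for s in samples) / len(samples)

# Constructed data: (timestamp, src, dst). Network 0 gets busier after t=100.
QUIET = [(t, "a", "b") for t in range(0, 200, 10)]
BUSY = [(t, "x", "y") for t in range(0, 100, 10)] + \
       [(t, "x", n) for t in range(100, 200) for n in ("y", "z")]
NETWORKS = [BUSY, QUIET]
BEFORE, AFTER = before_after(NETWORKS, event_time=100, window=100, interval=10, n_samples=200)
```

Comparing `column_mean(BEFORE, n, m)` with `column_mean(AFTER, n, m)` per network gives the shift that the claimed before/after plot would display.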
Address: Austin TX US