Main claim
1. A method comprising:
receiving, at a computer system, event data indicative of network activity of a plurality of entities;
constructing, by the computer system and based on the event data, a graph that represents relationships among the plurality of entities, the graph including a plurality of nodes that each represent a different one of the entities and a plurality of edges that represent relationships between pairs of the nodes;
performing, by the computer system, a cluster identification process to identify a node cluster of the plurality of nodes, the cluster identification process including computing L1-norm values for the nodes to assign positions to the nodes on a one-dimensional (1D) grid, based on the graph, and identifying the node cluster based on the assigned positions of the nodes on the 1D grid; and
detecting, by the computer system, a network security anomaly based on the identified node cluster.