Simplicial complexes in network intrusion profiling

Mandala von Westenholz, Martin Atzmueller, Tim Römer

TL;DR

The paper addresses network intrusion profiling by moving from pairwise graph representations to higher-order topology using Vietoris-Rips simplicial complexes, enabling attacked data points and their interactions to be embedded in higher-dimensional faces. It introduces simplicial centrality measures and constructs vertex-level patterns from these features to detect and characterize intrusions, arguing advantages over graph-only patterns. Through synthetic, SI-based experiments on a restricted congress network, the study demonstrates that higher-dimensional simplicial features can improve discrimination between attackers and non-attackers. The work provides a foundation for applying higher-order topology to real intrusion data and suggests avenues for richer pattern construction with multiple complexes and metrics.

Abstract

For studying intrusion detection data, we consider data points referring to individual IP addresses and their connections: we build networks associated with those data points, such that vertices in a graph are associated via the respective IP addresses, with the key property that attacked data points are part of the structure of the network. More precisely, we propose a novel approach using simplicial complexes to model the desired network and the respective intrusions in terms of simplicial attributes, thus generalizing previous graph-based approaches. Adapted network centrality measures related to simplicial complexes yield so-called patterns associated with vertices, which themselves contain a set of features. These are then used to describe the attacked or the attacker vertices, respectively. Comparing this new strategy with classical concepts demonstrates the advantages of the presented approach using simplicial features for detecting and characterizing intrusions.

Paper Structure

This paper contains 6 sections, 9 theorems, 71 equations, 5 figures, 3 tables.

Key Result

Lemma 3.5

Let $G=(V,E)$ be a graph and $v\in V$ be a vertex. Then:

Figures (5)

  • Figure 1: Simplicial complex
  • Figure 2: Two simplicial complexes
  • Figure 3: Simplicial complex $\Delta$
  • Figure 4: Modified congress network
  • Figure 5: Modified congress network with attackers after one time step of SI

Theorems & Definitions (46)

  • Definition 2.1
  • Example 2.2
  • Remark 2.3
  • Definition 2.4
  • Example 2.5
  • Example 2.6
  • Definition 3.1
  • Example 3.2
  • Definition 3.3
  • Example 3.4
  • ...and 36 more