Multilayer Block Models for Exploratory Analysis of Computer Event Logs

Abstract

We investigate a graph-based approach to exploratory data analysis in the context of network security monitoring. Given a possibly large batch of event logs describing ongoing activity, we first represent these events as a bipartite multiplex graph. We then apply a model-based biclustering algorithm to extract relevant clusters of entities and interactions between these clusters, thereby providing a simplified situational picture. We illustrate this methodology through two case studies addressing network flow records and authentication logs, respectively. In both cases, the inferred clusters reveal the functional roles of entities as well as relevant behavioral patterns. Displaying interactions between these clusters also helps uncover malicious activity. Our code is available at https://github.com/cl-anssi/MultilayerBlockModels.