A machine-learning procedure to detect network attacks

Abstract

Abstract The goal of this note is to assess whether simple machine-learning algorithms can be used to determine whether and how a given network has been attacked. The procedure is based on the k-Nearest Neighbour and the Random Forest classification schemes, using both intact and attacked Erdős–Rényi, Barabasi–Albert and Watts–Strogatz networks to train the algorithm. The types of attacks we consider here are random failures and maximum-degree or maximum-betweenness node deletion. Each network is characterized by a list of four metrics, namely the normalized reciprocal maximum degree, the global clustering coefficient, the normalized average path length and the degree assortativity: a statistical analysis shows that this list of graph metrics is indeed significantly different in intact or damaged networks. We test the procedure by choosing both artificial and real networks, performing the attacks and applying the classification algorithms to the resulting graphs: the procedure discussed here turns out to be able to distinguish between intact networks and those attacked by the maximum-degree of maximum-betweenness deletions, but cannot detect random failures. Our results suggest that this approach may provide a basis for the analysis and detection of network attacks.