The rapid propagation of malware within complex enterprise and Internet Service Provider (ISP) networks poses a critical and growing cybersecurity challenge.
Traditional detection methods are less effective against zero-day threats because they rely largely on static pattern matching.
This paper proposes DNM-EWS, an early warning system that identifies pre-exploitation indicators of compromise by analyzing the temporal evolution of network topology. The approach models network traffic as a dynamic graph and continuously computes a set of complex network metrics, including dynamic degree centrality, temporal betweenness centrality, temporal clustering coefficient, and eigenvector centrality. Deviations from learned behavioral baselines are quantified with statistically grounded measures and integrated into a composite risk score.
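The following sketch is an added illustration of the pipeline described above and is not the paper's own code. It implements two of the four metrics named (per-window degree centrality and clustering coefficient), scores each host's deviation from its baseline windows as a z-score, and combines the absolute z-scores into a weighted composite risk. The flow records, the standard-deviation floor (`MIN_STD`), the metric weights and the alert threshold are all constructed assumptions chosen so that the example runs offline; the paper does not specify these values.

```python
"""Dynamic-network early-warning sketch: per-window graph metrics,
z-scores against a learned baseline, composite risk score per host."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (window_id, src, dst); not real traffic.
# Windows 0-3 are the learning baseline: two stable communication triangles
# {h1,h2,h3} and {h4,h5,h6}, plus occasional h2<->h4 chatter in windows 1 and 3.
# Window 4 is the test window: h3 suddenly fans out to every host of the other
# triangle, the topology signature of scanning / lateral movement.
FLOWS = [
    *[(w, a, b) for w in range(5) for a, b in
      (("h1", "h2"), ("h2", "h3"), ("h1", "h3"),
       ("h4", "h5"), ("h5", "h6"), ("h4", "h6"))],
    (1, "h2", "h4"), (3, "h2", "h4"),
    (4, "h3", "h4"), (4, "h3", "h5"), (4, "h3", "h6"),
]
BASELINE_WINDOWS = [0, 1, 2, 3]
TEST_WINDOW = 4
MIN_STD = 0.05        # assumed floor: a perfectly stable baseline still yields finite z-scores
WEIGHTS = {"degree": 0.5, "clustering": 0.5}   # assumed composite weights
ALERT_THRESHOLD = 5.0                          # assumed alert threshold


def build_windows(flows):
    """Group flows into one undirected adjacency set per time window."""
    windows = defaultdict(lambda: defaultdict(set))
    for w, src, dst in flows:
        windows[w][src].add(dst)
        windows[w][dst].add(src)
    return windows


def degree_centrality(adj, nodes):
    """Fraction of all other hosts a host talked to in this window."""
    n = len(nodes)
    return {v: len(adj.get(v, ())) / (n - 1) for v in nodes}


def clustering_coefficient(adj, nodes):
    """Share of a host's peers that also talk to each other (0 if fewer than 2 peers)."""
    coeff = {}
    for v in nodes:
        peers = list(adj.get(v, ()))
        k = len(peers)
        if k < 2:
            coeff[v] = 0.0
            continue
        links = sum(1 for i in range(k) for j in range(i + 1, k)
                    if peers[j] in adj[peers[i]])
        coeff[v] = links / (k * (k - 1) / 2)
    return coeff


METRICS = {"degree": degree_centrality, "clustering": clustering_coefficient}


def zscore(value, history):
    """Deviation of a metric from its baseline, in (floored) standard deviations."""
    return (value - mean(history)) / max(pstdev(history), MIN_STD)


def risk_scores(flows, baseline_windows, test_window):
    """Composite per-host risk: weighted sum of |z| over all metrics."""
    windows = build_windows(flows)
    nodes = sorted({v for adj in windows.values() for v in adj})
    per_metric = {name: {w: fn(windows[w], nodes) for w in windows}
                  for name, fn in METRICS.items()}
    scores = {}
    for v in nodes:
        scores[v] = sum(
            WEIGHTS[name] * abs(zscore(
                per_metric[name][test_window][v],
                [per_metric[name][w][v] for w in baseline_windows]))
            for name in METRICS)
    return scores


def alerts(scores, threshold=ALERT_THRESHOLD):
    """Hosts whose composite risk crosses the threshold, highest first."""
    return sorted((v for v, s in scores.items() if s >= threshold),
                  key=lambda v: -scores[v])


if __name__ == "__main__":
    s = risk_scores(FLOWS, BASELINE_WINDOWS, TEST_WINDOW)
    for host, score in sorted(s.items(), key=lambda kv: -kv[1]):
        print(f"{host}: risk={score:.2f}")
    print("alerts:", alerts(s))
```

On this input h3's degree centrality jumps from 0.4 to 1.0 while its clustering coefficient collapses from 1.0 to 0.4 (its new peers do not talk to each other), so it is the only host above the threshold; the scanned hosts h4-h6 see only a modest degree change and the h2/h4 chatter stays within one standard deviation. The `MIN_STD` floor matters in practice: without it, any metric that is constant during learning produces a division by zero or an infinite score on the first change.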
Evaluation on anonymized corporate network data containing a malware attack shows that DNM-EWS gains an average lead time of five minutes before secondary infections occur. This reduces the total number of infections by 57% compared with standard static-signature and volume-threshold techniques, while maintaining a low false positive rate of 1.1%. These findings confirm that topology-aware dynamic network analysis can be leveraged to preempt malware propagation.
Key words: Cybersecurity, Malware Propagation, Dynamic Networks, Complex Network Metrics, Early Warning System, Anomaly Detection