DocumentCode :
3005600
Title :
Detecting communication anomalies in tactical networks via graph learning
Author :
Vashist, Akshay ; Chadha, R. ; Kaplan, M. ; Moeltner, K.
Author_Institution :
Appl. Commun. Sci., One Telcordia Dr, Piscataway, NJ, USA
fYear :
2012
fDate :
Oct. 29 2012-Nov. 1 2012
Firstpage :
1
Lastpage :
6
Abstract :
A widely practiced approach for detecting suspicious communication in a network is to formulate the problem as statistical anomaly detection. However, the communication patterns in mission-oriented tactical networks are highly variable and have a much richer structure than existing anomaly detection methods incorporate. For instance, the legitimacy of a communication may depend on who sends the message to whom, when, and under what circumstances. Existing anomaly detection methods aggregate data insensitively, losing critical contextual information about the structure of communication, and as a consequence they either fail to detect suspicious communication or produce an excessive number of false positives. We have developed an extended graph-based anomaly detection method that allows us to incorporate the context and rich structure of communication in a mission-oriented tactical network to model and detect suspicious patterns. We use a vector-weighted multidigraph representation to model communication and use given data to learn the graph, i.e., to determine the nodes, the edges, and their statistical attributes corresponding to normal communication. We then use deviations from the attributes of normal communications to detect the suspicious ones. We have applied the proposed approach to detect suspicious communication in a MANET comprising USRP2 radios and successfully demonstrated the approach in the TRL-6 demonstration of the TITAN project at Fort Dix. While our proposed approach is very general, only a part of it applies to the MANET under consideration, and we used it to successfully detect various types of illegal messages, congestion, and a DDoS attack.
Keywords :
graph theory; military communication; mobile ad hoc networks; statistical analysis; telecommunication security; DDoS attack; MANET; TITAN project; TRL-6 demonstration; USRP2 radios; anomaly detection methods; communication anomaly detection; communication legitimacy; communication patterns; congestion; critical contextual information; extended graph based anomaly detection method; false positives; graph learning; illegal messages; mission-oriented tactical networks; normal communication; statistical anomaly detection; statistical attributes; suspicious communication; suspicious pattern detection; vector-weighted multidigraph representation; Correlation; Data models; Frequency measurement; Image edge detection; Mobile ad hoc networks; Receivers; Vectors; Anomaly detection; Empirical distribution estimation; Graph based anomaly detection; Information assurance; MANETs;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
MILITARY COMMUNICATIONS CONFERENCE, 2012 - MILCOM 2012
Conference_Location :
Orlando, FL
ISSN :
2155-7578
Print_ISBN :
978-1-4673-1729-0
Type :
conf
DOI :
10.1109/MILCOM.2012.6415763
Filename :
6415763