{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,23]],"date-time":"2025-11-23T06:13:48Z","timestamp":1763878428324,"version":"3.41.0"},"reference-count":53,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2021,10,15]],"date-time":"2021-10-15T00:00:00Z","timestamp":1634256000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2021,12,31]]},"abstract":"\n Cyber operations is drowning in diverse, high-volume, multi-source data. To get a full picture of current operations and identify malicious events and actors, analysts must see through data generated by a mix of human activity and benign automated processes. Although many monitoring and alert systems exist, they typically use signature-based detection methods. We introduce a general method rooted in\n spectral graph theory<\/jats:italic>\n to discover patterns and anomalies without\n a priori<\/jats:italic>\n knowledge of signatures. We derive and propose a new graph-theoretic centrality measure based on the derivative of the graph Laplacian matrix in the direction of a vertex. To build intuition about our measure, we show how it identifies the most central vertices in standard network datasets and compare to other graph centrality measures. Finally, we focus our attention on studying its effectiveness in identifying important IP addresses in network flow data. Using both real and synthetic network flow data, we conduct several experiments to test our measure\u2019s sensitivity to two types of injected attack profiles and show that vertices participating in injected attack profiles exhibit noticeable changes in our centrality measures, even when the injected anomalies are relatively small, and in the presence of simulated network dynamics.\n <\/jats:p>","DOI":"10.1145\/3450286","type":"journal-article","created":{"date-parts":[[2021,4,16]],"date-time":"2021-04-16T00:47:40Z","timestamp":1618534060000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Directional Laplacian Centrality for Cyber Situational Awareness"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3466-3334","authenticated-orcid":false,"given":"Sinan G.","family":"Aksoy","sequence":"first","affiliation":[{"name":"Pacific Northwest National Laboratory, Seattle, WA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2069-5594","authenticated-orcid":false,"given":"Emilie","family":"Purvine","sequence":"additional","affiliation":[{"name":"Pacific Northwest National Laboratory, Seattle, WA"}]},{"given":"Stephen J.","family":"Young","sequence":"additional","affiliation":[{"name":"Pacific Northwest National Laboratory, Seattle, WA"}]}],"member":"320","published-online":{"date-parts":[[2021,10,15]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"Sinan G. Aksoy Helen Jenne Emilie Purvine and Stephen J. Young. in preparation. Rapid Generation and Parameter Recovery of Correlated Temporal Graphs."},{"key":"e_1_3_2_3_2","unstructured":"David Aldous and James Fill. 1995. Reversible Markov chains and random walks on graphs. https:\/\/www.stat.berkeley.edu\/aldous\/RWG\/book.pdf"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1137\/S0895480192236628"},{"key":"e_1_3_2_5_2","first-page":"147","volume-title":"Discussion Tracking in Enron Email Using PARAFAC","author":"Bader Brett W.","year":"2008","unstructured":"Brett W. Bader, Michael W. Berry, and Murray Browne. 2008. In Discussion Tracking in Enron Email Using PARAFAC. Springer London, 147\u2013163."},{"issue":"1","key":"e_1_3_2_6_2","doi-asserted-by":"crossref","first-page":"191","DOI":"10.1007\/BF01788093","article-title":"Spanning tree formulas and Chebyshev polynomials","volume":"2","author":"Boesch Francis T.","year":"1986","unstructured":"Francis T. Boesch and Helmut Prodinger. 1986. Spanning tree formulas and Chebyshev polynomials. Graphs Combinat. 2, 1 (1986), 191\u2013200.","journal-title":"Graphs Combinat."},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.5555\/1097029"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10588-005-5381-4"},{"key":"e_1_3_2_9_2","volume-title":"Spectral Graph Theory","author":"Chung Fan","year":"1997","unstructured":"Fan Chung. 1997. Spectral Graph Theory. Vol. 92. American Mathematical Society."},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1007\/s004930200010"},{"issue":"1","key":"e_1_3_2_11_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1002\/rsa.20188","article-title":"Quasi-random graphs with given degree sequences","volume":"32","author":"Chung Fan","year":"2008","unstructured":"Fan Chung and Ron Graham. 2008. Quasi-random graphs with given degree sequences. Rand. Struct. Algor. 32, 1 (2008), 1\u201319.","journal-title":"Rand. Struct. Algor."},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1073\/pnas.85.4.969"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1073\/pnas.252631999"},{"key":"e_1_3_2_14_2","first-page":"91","volume-title":"Internet Mathematics","author":"Chung Fan","year":"2004","unstructured":"Fan Chung and Linyuan Lu. 2004. The average distances in random graphs with given expected degrees. In Internet Mathematics, Vol. 1. 91\u2013113."},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1007\/s000260300002"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1073\/pnas.0937490100"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1080\/15427951.2004.10129089"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1090\/S0894-0347-1989-0965008-X"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1007\/BF02125347"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/49.464717"},{"key":"e_1_3_2_21_2","doi-asserted-by":"crossref","first-page":"153","DOI":"10.1016\/j.laa.2005.06.024","article-title":"A sharp upper bound on the largest Laplacian eigenvalue of weighted graphs","volume":"409","author":"Das Kinkar Ch.","year":"2005","unstructured":"Kinkar Ch. Das and R. B. Bapat. 2005. A sharp upper bound on the largest Laplacian eigenvalue of weighted graphs. Lin. Algeb. Applic. 409 (2005), 153\u2013165.","journal-title":"Lin. Algeb. Applic."},{"key":"e_1_3_2_22_2","first-page":"3","volume-title":"Proceedings of the Workshop on Link Analysis, Counterterrorism and Security, SIAM International Conference on Data Mining","author":"Diesner J.","year":"2005","unstructured":"J. Diesner and K. M. Carley. 2005. Exploration of communication networks from the Enron email corpus. In Proceedings of the Workshop on Link Analysis, Counterterrorism and Security, SIAM International Conference on Data Mining. 3\u201314. Retrieved from http:\/\/www.andrew.cmu.edu\/user\/jdiesner\/publications\/diesner_carley_siam_enron_03_05.pdf."},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1518\/001872095779049543"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.21136\/CMJ.1975.101357"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jctb.2007.10.007"},{"key":"e_1_3_2_26_2","doi-asserted-by":"crossref","first-page":"181","DOI":"10.1142\/9781786340757_0009","volume-title":"Dynamic Networks and Cyber-Security","author":"Hagberg Aric","year":"2016","unstructured":"Aric Hagberg, Nathan Lemons, and Sidhant Misra. 2016. Temporal reachability in dynamic networks. In Dynamic Networks and Cyber-Security. World Scientific, 181\u2013208."},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2014.2321898"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.5555\/1658182"},{"key":"e_1_3_2_29_2","first-page":"1","volume-title":"Proceedings of the IEEE\/IFIP Network Operations and Management Symposium","author":"Jirsik T.","year":"2020","unstructured":"T. Jirsik and P. Celeda. 2020. Cyber situation awareness via IP flow monitoring. In Proceedings of the IEEE\/IFIP Network Operations and Management Symposium (NOMS 2020). 1\u20136. DOI:https:\/\/doi.org\/10.1109\/NOMS47738.2020.9110327"},{"key":"e_1_3_2_30_2","article-title":"User-computer Authentication Associations in Time","author":"Kent Alexander D.","year":"2014","unstructured":"Alexander D. Kent. 2014. User-computer Authentication Associations in Time. Los Alamos National Laboratory. DOI:https:\/\/doi.org\/10.11578\/1160076","journal-title":"Los Alamos National Laboratory"},{"key":"e_1_3_2_31_2","article-title":"Comprehensive, Multi-source Cyber-security Events","author":"Kent Alexander D.","year":"2015","unstructured":"Alexander D. Kent. 2015. Comprehensive, Multi-source Cyber-security Events. Los Alamos National Laboratory. DOI:https:\/\/doi.org\/10.17021\/1179829","journal-title":"Los Alamos National Laboratory"},{"key":"e_1_3_2_32_2","volume-title":"Dynamic Networks in Cybersecurity","author":"Kent Alexander D.","year":"2015","unstructured":"Alexander D. Kent. 2015. Cybersecurity data sources for dynamic network research. In Dynamic Networks in Cybersecurity. Imperial College Press."},{"key":"e_1_3_2_33_2","first-page":"217","volume-title":"Machine Learning: ECML","author":"Klimt Bryan","year":"2004","unstructured":"Bryan Klimt and Yiming Yang. 2004. The Enron corpus: A new dataset for email classification research. In Machine Learning: ECML, Jean-Fran\u00e7ois Boulicaut, Floriana Esposito, Fosca Giannotti, and Dino Pedreschi (Eds.). Springer, Berlin, Heidelberg, 217\u2013226."},{"key":"e_1_3_2_34_2","volume-title":"The Stanford GraphBase: A Platform for Combinatorial Computing","author":"Knuth Donald Ervin","year":"1993","unstructured":"Donald Ervin Knuth. 1993. The Stanford GraphBase: A Platform for Combinatorial Computing. ACM Press New York, NY."},{"issue":"1","key":"e_1_3_2_35_2","first-page":"20","article-title":"Community structure in large networks: Natural cluster sizes and the absence of large well-defined clusters","volume":"6","author":"Leskovec Jure","year":"2010","unstructured":"Jure Leskovec, Kevin J. Lang, Anirban Dasgupta, and Michael W. Mahoney. 2010. Community structure in large networks: Natural cluster sizes and the absence of large well-defined clusters. Internet Math. 6, 1 (2010), 20\u2013123.","journal-title":"Internet Math."},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1017\/S0266466600011129"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1016\/0024-3795(81)90150-6"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1007\/BF01789463"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2018.12.006"},{"issue":"1","key":"e_1_3_2_40_2","doi-asserted-by":"crossref","first-page":"131","DOI":"10.1109\/TNET.2017.2765719","article-title":"Anomaly detection and attribution in networks with temporally correlated traffic","volume":"26","author":"Nevat Ido","year":"2017","unstructured":"Ido Nevat, Dinil Mon Divakaran, Sai Ganesh Nagarajan, Pengfei Zhang, Le Su, Li Ling Ko, and Vrizlynn L. L. Thing. 2017. Anomaly detection and attribution in networks with temporally correlated traffic. IEEE\/ACM Trans. Netw. 26, 1 (2017), 131\u2013144.","journal-title":"IEEE\/ACM Trans. Netw."},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1103\/PhysRevE.74.036104"},{"key":"e_1_3_2_42_2","first-page":"213","volume-title":"Proceedings of the International Conference on Trust and Privacy in Digital Business","author":"Pitropakis Nikolaos","year":"2018","unstructured":"Nikolaos Pitropakis, Emmanouil Panaousis, Alkiviadis Giannakoulias, George Kalpakis, Rodrigo Diaz Rodriguez, and Panayiotis Sarigiannidis. 2018. An enhanced cyber attack attribution framework. In Proceedings of the International Conference on Trust and Privacy in Digital Business. Springer, 213\u2013228."},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10588-005-5378-z"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2011.12.027"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/1134271.1134282"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1142\/S0219199708002788"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1002\/rsa.20406"},{"key":"e_1_3_2_48_2","first-page":"1","volume-title":"Unified Host and Network Data Set","author":"Turcotte Melissa J. M.","year":"2018","unstructured":"Melissa J. M. Turcotte, Alexander D. Kent, and Curtis Hash. 2018. In Unified Host and Network Data Set. World Scientific, 1\u201322. DOI:https:\/\/doi.org\/10.1142\/9781786345646_001"},{"issue":"3","key":"e_1_3_2_49_2","doi-asserted-by":"crossref","first-page":"548","DOI":"10.2307\/1970079","article-title":"Characteristic vectors of bordered matrices with infinite dimensions","volume":"62","author":"Wigner Eugene P.","year":"1955","unstructured":"Eugene P. Wigner. 1955. Characteristic vectors of bordered matrices with infinite dimensions. Ann Math. 62, 3 (1955), 548\u2013564. Retrieved from http:\/\/www.jstor.org\/stable\/1970079.","journal-title":"Ann Math."},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.2307\/1970008"},{"key":"e_1_3_2_51_2","doi-asserted-by":"crossref","first-page":"524","DOI":"10.1007\/978-3-662-02781-3_35","volume-title":"The Collected Works of Eugene Paul Wigner","author":"Wigner Eugene P.","year":"1993","unstructured":"Eugene P. Wigner. 1993. Characteristic vectors of bordered matrices with infinite dimensions I. In The Collected Works of Eugene Paul Wigner. Springer, 524\u2013540."},{"key":"e_1_3_2_52_2","doi-asserted-by":"crossref","first-page":"541","DOI":"10.1007\/978-3-662-02781-3_36","volume-title":"The Collected Works of Eugene Paul Wigner","author":"Wigner Eugene P.","year":"1993","unstructured":"Eugene P. Wigner. 1993. Characteristic vectors of bordered matrices with infinite dimensions II. In The Collected Works of Eugene Paul Wigner. Springer, 541\u2013545."},{"issue":"1967","key":"e_1_3_2_53_2","doi-asserted-by":"crossref","first-page":"330","DOI":"10.1112\/jlms\/s1-42.1.330","article-title":"The eigenvalues of a graph and its chromatic number","volume":"42","author":"Wilf Herbert S.","year":"1967","unstructured":"Herbert S. Wilf. 1967. The eigenvalues of a graph and its chromatic number. J. London Math. Soc. 42, 1967 (1967), 330.","journal-title":"J. London Math. Soc."},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1086\/jar.33.4.3629752"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3450286","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3450286","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:47:00Z","timestamp":1750193220000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3450286"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,15]]},"references-count":53,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2021,12,31]]}},"alternative-id":["10.1145\/3450286"],"URL":"https:\/\/doi.org\/10.1145\/3450286","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"type":"print","value":"2692-1626"},{"type":"electronic","value":"2576-5337"}],"subject":[],"published":{"date-parts":[[2021,10,15]]},"assertion":[{"value":"2020-08-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-10-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}