Detecting anomalous connections on the internet

Building statistical models to measure the likelihood of new connections being formed in a network, to help detect potentially malicious intruders

Introduction

Monitoring computer network traffic for anomalous behaviour presents an important security challenge. 'Network graphs' represent the connections across a network as 'edges' between 'nodes'. When a new edge appears, it means there is a previously unobserved connection between a client and a server, a user and a computer, or a computer and a process. In rare cases these might suggest the presence of malicious intruders. This project aims to build models that measure the attraction between two unconnected nodes, in order to estimate the likelihood of a future connection and therefore identify unexpected, anomalous connections when they occur.

Explaining the science

The work uses a combination of survival analysis models (for modelling intensity functions) and latent factor models such as topic modelling, which is usually applied in text analysis to determine and group the meanings of words.
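As an added illustration of scoring new edges (not the project's own code), the sketch below swaps in a simple count-based baseline for the survival and latent factor models: a new edge is surprising when its source rarely opens new connections and its destination rarely receives them. The host names, the events and the function `score_new_edges` are constructed for this example.

```python
import math
from collections import Counter

# Constructed sample: (source, destination) connection events in time order.
EVENTS = (
    [("ws1", "fileserver"), ("ws2", "fileserver"), ("ws3", "fileserver"),
     ("ws1", "mail"), ("ws2", "mail"), ("ws3", "mail")]
    + [("ws1", "fileserver"), ("ws2", "mail"), ("ws3", "fileserver")] * 10
    + [("ws4", "fileserver"), ("ws3", "ws2")]  # last edge: workstation to workstation
)

def score_new_edges(events, alpha=1.0):
    """Return (src, dst, surprise) for each first-seen edge, in stream order.

    surprise = -log(P(src opens a new edge) * P(a new edge lands on dst)),
    both estimated from earlier events only and Laplace-smoothed with alpha.
    """
    seen = set()             # edges observed so far
    src_events = Counter()   # events emitted per source
    src_new = Counter()      # new edges opened per source
    dst_new = Counter()      # new edges received per destination
    nodes = set()            # every node observed so far
    total_new = 0
    scored = []
    for src, dst in events:
        nodes.update((src, dst))
        if (src, dst) not in seen:
            # Fraction of this source's past events that were new edges.
            p_src = (src_new[src] + alpha) / (src_events[src] + 2 * alpha)
            # This destination's share of all new edges seen so far.
            p_dst = (dst_new[dst] + alpha) / (total_new + alpha * len(nodes))
            scored.append((src, dst, -math.log(p_src * p_dst)))
            seen.add((src, dst))
            src_new[src] += 1
            dst_new[dst] += 1
            total_new += 1
        src_events[src] += 1
    return scored

if __name__ == "__main__":
    # Highest surprise first: candidates for closer monitoring.
    for src, dst, s in sorted(score_new_edges(EVENTS), key=lambda r: -r[2]):
        print(f"{src:>4} -> {dst:<10} surprise={s:.2f}")
```

On the constructed stream, a new client reaching the popular file server scores low, while the workstation-to-workstation edge from a long-stable source scores highest.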

Project aims

The project researchers have access to network connection data sets collected from real computer networks, some of which contain connections created during penetration testing. The aim is to develop intelligent systems that could automatically detect that such connections are suspicious, and trigger further analytics to monitor the subsequent traffic.

This project is part of the Data-centric engineering programme's Grand Challenge of 'Monitoring Complex Systems'.

Applications

The project's work aims to improve enterprise network security, which is of importance to government, industry and academia.

Recent updates

Invited talks/seminars:

  • September 2018: Alan Turing Institute seminar series, Statistics in Cyber-Security.
  • September 2018: National University of Singapore, Bayesian changepoint detection in cyber-security.
  • July 2018: Microsoft Research, Redmond, WA, USA, Statistics in Cyber-Security.
  • April 2018: CISCO Innovation and Research Symposium, Paris, Unsupervised streaming analytics for enterprise cyber-security.
  • March 2018: Microsoft Research, Seattle, Unsupervised streaming analytics for enterprise cyber-security.

Conference talks:

  • August 2018: 2018 Joint Statistical Meeting, Vancouver, Combining subsets of p-values.
  • June 2018: Causal inference for complex graph structures workshop, Montreal, Causality and cyber-security.
