Association for Computing Machinery
A reasonable definition of intrusion is: entering a community to which one does not belong. This suggests that in a network, intrusion attempts may be detected by looking for communication that does not respect community boundaries. In this paper, the authors examine the utility of this concept for identifying malicious network sources. In particular, their goal is to explore whether this concept allows a core-network operator using flow data to augment signature-based systems located at network edges. They show that simple measures of communities can be defined for flow data that allow a remarkably effective level of intrusion detection simply by looking for flows that do not respect those communities.
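As an added illustration, not code from the paper, the following sketches the detection idea in its simplest form: communities are derived from a baseline window of flow records as connected components of the host graph, and later flows whose endpoints fall in different communities, or that involve a host never seen in the baseline, are counted against their source. The flow records, addresses and the connected-component community measure are all constructed assumptions standing in for the paper's own measures.

```python
from collections import defaultdict

# Constructed baseline flow records (src, dst) from a window assumed to be benign.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20"), ("10.0.1.20", "10.0.1.30"), ("10.0.1.10", "10.0.1.30"),
    ("10.0.2.10", "10.0.2.20"), ("10.0.2.20", "10.0.2.30"),
    ("10.0.3.10", "10.0.3.20"),
]

# Constructed observation window: normal traffic plus one source that touches every community.
NEW_FLOWS = [
    ("10.0.1.10", "10.0.1.20"),     # intra-community, expected
    ("10.0.2.30", "10.0.2.10"),     # intra-community, expected
    ("198.51.100.7", "10.0.1.10"),  # unseen host reaching community A
    ("198.51.100.7", "10.0.2.20"),  # unseen host reaching community B
    ("198.51.100.7", "10.0.3.10"),  # unseen host reaching community C
    ("10.0.3.20", "10.0.1.30"),     # known host crossing from C into A
]

def build_communities(flows):
    """Union-find over hosts; each connected component of the baseline graph is a community."""
    parent = {}
    def find(h):
        parent.setdefault(h, h)
        while parent[h] != h:
            parent[h] = parent[parent[h]]  # path halving keeps the trees shallow
            h = parent[h]
        return h
    for s, d in flows:
        rs, rd = find(s), find(d)
        if rs != rd:
            parent[rs] = rd
    return {h: find(h) for h in parent}

def score_sources(communities, flows):
    """Per source, count flows that leave the source's community or touch a host absent from the baseline."""
    violations = defaultdict(int)
    for s, d in flows:
        cs, cd = communities.get(s), communities.get(d)
        if cs is None or cd is None or cs != cd:
            violations[s] += 1
    return dict(violations)

if __name__ == "__main__":
    comm = build_communities(BASELINE_FLOWS)
    for src, n in sorted(score_sources(comm, NEW_FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} boundary-crossing flow(s)")
```

Sources ranked highest by this count are the candidates a core operator would hand to the edge signature systems for confirmation; a single crossing by a known host is weak evidence on its own, so a threshold or rate over time belongs in any real deployment.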