Patent attributes
A multivariate anomaly detector can detect a cyber-attack using incremental malicious actions distributed across multiple devices in a network. A multivariate anomaly detector can collect input data describing communication connections between devices in the network. The multivariate anomaly detector can group the input data into a graph data batch based on a fixed batch increment of time to identify incremental actions. The multivariate anomaly detector can calculate a multivariate centrality score for two or more devices based on the graph data batch describing device centrality to the network. The multivariate anomaly detector can identify whether the two or more devices are in an anomalous state from normal device network interactions based on the multivariate centrality score to identify malicious activity distributed across multiple devices in the network. The multivariate anomaly detector can identify a cyber-attack upon identifying the incremental malicious actions distributed across multiple devices in the network.
