社区发现算法 - Fast Unfolding(Louvian)算法初探
1. 社团划分
直观地说,community detection的一般目标是要探测网络中的“块”cluster或是“社团”community。
我们再看一个例子,word association network。即词的联想/搭配构成的网络:
这个网络从词bright开始进行演化,到后面分别形成了4个组:Colors, Light, Astronomy & Intelligence。
可以说以上这4个词可以较好地概括其所在community的特点(有点聚类的感觉);另外,community中心的词,比如color, Sun, Smart也有很好的代表性(自动提取摘要)。
0x3:节点间存在连接的抽象本质 - 逻辑拓朴结构
1. 节点代表消费者:节点间的连接代表了它们共同购买了一批书籍,weight代表共同购买的书籍数; 2. 节点代表DNS域名:节点间的连接代表了它们拥有一批共同的src client ip(客户端),weight代表了共同的src_ip数量;
(Newman and Gievan 2004) A community is a subgraph containing nodes which are more densely linked to each other than to the rest of the graph or equivalently, a graph has a community structure if the number of links into any subgraph is higher than the number of links between those subgraphs.
理想情况下,降噪后得到的数据集已经是社区完全内聚,社区间完全零连接,这样pylouvain只要一轮运行就直接得到结果。当然实际场景中不可能有这么好的情况,数据源质量,专家经验的丰富程度等等都会影响降噪的效果,一般情况下,降噪只要能cutoff 90%以上的噪音,pylouvain就基本能通过几轮的迭代完成整体的社区发现过程。
接下来的问题是,什么样的metrics可以用来描述这种density?Louvian 定义了一个数值上的概念(本质上就是一个目标函数),有了这个目标函数,就可以引出接下来要讨论的 method based on modularity optimization
要注意的,社区划分有很多不同的算法,本文讨论的 Fast Unfolding(Louvian)只是其中一种,而这种所谓的density密度评估方法也其实其中一种思想,不要固话地认为社区划分就只有这一种方法。
2. LOUVAIN算法模型
0x1:Modularity的定义 - 描述社区内紧密程度的值Q
模块度是评估一个社区网络划分好坏的度量方法,它的物理含义是社区内节点的连边数与随机情况下的边数只差,它的取值范围是 [−1/2,1),其定义如下:

A为邻接矩阵,Aij代表了节点 i 和节点 j 之间 边的权重,网络不是带权图时,所有边的权重可以看做是 1;
是所有与节点 i 相连的 边的权重之和(度数),kj也是同样;
是节点 i 的社区,
函数表示若节点 i 和节点 j 在同一个社区内,则返回 1,否则返回 0;
其中 Σin 表示社区 C 内的边的权重之和;Σtot 表示与社区 C 内的节点相连的所有边的权重之和。
modularity Q的计算公式背后体现了这种思想:社区内部边的权重减去所有与社区节点相连的边的权重和,对无向图更好理解,即社区内部边的度数减去社区内节点的总度数。
在一轮迭代后,若整个 Q 没有变化,则停止迭代,否则继续迭代,直至收敛。
0x2:模块度增量 delta Q
代表由节点 i 入射集群 C 的权重之和;
代表入射集群 C 的总权重;ki 代表入射节点 i 的总权重;
在算法的first phase,判断一个节点加入到哪个社区,需要找到一个delta Q最大的节点 i,具体的算法我们后面会详细讨论,这里只需要记住 delta Q的作用类似决策树中的信息增益评估的作用,它帮助整个模型向着Modularity不断增大的方向去靠拢。
3. LOUVAIN算法策略
1. 两台主机拥有类似的网络对外发包模式
2. 两台主机间拥有累计的event log序列
3. 两个攻击payload拥有类似的词频特征,可以认为是同一组漏洞利用方式
4. 在netword gateway上发现了类似的网络raw流量,也可以反过来用一直的label流量特征进行有监督的聚类
如果按照启发式/贪婪思想进行”one-step one node“的社区聚类,O9、O10、O11会被先加入到社区D中,因为在每次这样的迭代中,D社区内部的紧密度(不管基于node密度还是edge得modularity评估)都是不断提高,符合算法的check条件,因此,O9、O10、O11会被加入到社区D中。
随后,O1 ~ O8也会被逐个被加入到社区D中,加入的原因和O9、O10、O11被加入是一样的。
A - B:2 A - C:2 B - C:2 D - E:12(明显和2不一样) D - F:13 E - F:14 F - G:11 A - D:1(社区间存在弱关系) B - F:1
4. LOUVAIN算法流程
2)开始first phase迭代 - 社区间节点转移:
对每个节点i,依次尝试把节点 i 分配到其每个邻居节点所在的社区,计算分配前与分配后的模块度变化ΔQ,并记录ΔQ最大的那个邻居节点,如果maxΔQ>0,则把节点 i 分配ΔQ最大的那个邻居节点所在的社区,否则保持不变;
3)重复2)- 继续进行社区间节点转移评估:
直到所有节点的所属社区不再变化,即社区间的节点转移结束,可以理解为本轮迭代的 Local Maximization 已达到;
4)second phase - Rebuilding Graph:
因为在这轮的first phase中,社区 C 中新增了一个新的节点 i,而 i 所在的旧的社区少了一个节点,因此需要对整个图进行一个rebuild。
5)重复2)- 继续开始下一轮的first/second phase:

DeltaQ 分了两部分,前面部分表示把节点i加入到社区c后的模块度,后一部分是节点i作为一个独立社区和社区c的模块度
5. A Python implementation of the Louvain method to find communities in large networks
#!/usr/bin/env python3 # -*- coding: utf-8 -*- ''' Implements the Louvain method. Input: a weighted undirected graph Ouput: a (partition, modularity) pair where modularity is maximum ''' class PyLouvain: ''' Builds a graph from _path. _path: a path to a file containing "node_from node_to" edges (one per line) ''' @classmethod def from_file(cls, path): f = open(path, 'r') lines = f.readlines() f.close() nodes = {} edges = [] for line in lines: n = line.split() if not n: break nodes[n[0]] = 1 nodes[n[1]] = 1 w = 1 if len(n) == 3: w = int(n[2]) edges.append(((n[0], n[1]), w)) # rebuild graph with successive identifiers nodes_, edges_ = in_order(nodes, edges) print("%d nodes, %d edges" % (len(nodes_), len(edges_))) return cls(nodes_, edges_) ''' Builds a graph from _path. _path: a path to a file following the Graph Modeling Language specification ''' @classmethod def from_gml_file(cls, path): f = open(path, 'r') lines = f.readlines() f.close() nodes = {} edges = [] current_edge = (-1, -1, 1) in_edge = 0 for line in lines: words = line.split() if not words: break if words[0] == 'id': nodes[int(words[1])] = 1 elif words[0] == 'source': in_edge = 1 current_edge = (int(words[1]), current_edge[1], current_edge[2]) elif words[0] == 'target' and in_edge: current_edge = (current_edge[0], int(words[1]), current_edge[2]) elif words[0] == 'value' and in_edge: current_edge = (current_edge[0], current_edge[1], int(words[1])) elif words[0] == ']' and in_edge: edges.append(((current_edge[0], current_edge[1]), 1)) current_edge = (-1, -1, 1) in_edge = 0 nodes, edges = in_order(nodes, edges) print("%d nodes, %d edges" % (len(nodes), len(edges))) return cls(nodes, edges) ''' Initializes the method. _nodes: a list of ints _edges: a list of ((int, int), weight) pairs ''' def __init__(self, nodes, edges): self.nodes = nodes self.edges = edges # precompute m (sum of the weights of all links in network) # k_i (sum of the weights of the links incident to node i) self.m = 0 self.k_i = [0 for n in nodes] self.edges_of_node = {} self.w = [0 for n in nodes] for e in edges: self.m += e[1] self.k_i[e[0][0]] += e[1] self.k_i[e[0][1]] += e[1] # there's no self-loop initially # save edges by node if e[0][0] not in self.edges_of_node: self.edges_of_node[e[0][0]] = [e] else: self.edges_of_node[e[0][0]].append(e) if e[0][1] not in self.edges_of_node: self.edges_of_node[e[0][1]] = [e] elif e[0][0] != e[0][1]: self.edges_of_node[e[0][1]].append(e) # access community of a node in O(1) time self.communities = [n for n in nodes] self.actual_partition = [] ''' Applies the Louvain method. ''' def apply_method(self): network = (self.nodes, self.edges) best_partition = [[node] for node in network[0]] best_q = -1 i = 1 while 1: i += 1 partition = self.first_phase(network) q = self.compute_modularity(partition) partition = [c for c in partition if c] # clustering initial nodes with partition if self.actual_partition: actual = [] for p in partition: part = [] for n in p: part.extend(self.actual_partition[n]) actual.append(part) self.actual_partition = actual else: self.actual_partition = partition if q == best_q: # 如果本轮迭代modularity没有改变,则认为收敛,停止 break network = self.second_phase(network, partition) best_partition = partition best_q = q return (self.actual_partition, best_q) ''' Computes the modularity of the current network. _partition: a list of lists of nodes ''' def compute_modularity(self, partition): q = 0 m2 = self.m * 2 for i in range(len(partition)): q += self.s_in[i] / m2 - (self.s_tot[i] / m2) ** 2 return q ''' Computes the modularity gain of having node in community _c. _node: an int _c: an int _k_i_in: the sum of the weights of the links from _node to nodes in _c ''' def compute_modularity_gain(self, node, c, k_i_in): return 2 * k_i_in - self.s_tot[c] * self.k_i[node] / self.m ''' Performs the first phase of the method. _network: a (nodes, edges) pair ''' def first_phase(self, network): # make initial partition best_partition = self.make_initial_partition(network) while 1: improvement = 0 for node in network[0]: node_community = self.communities[node] # default best community is its own best_community = node_community best_gain = 0 # remove _node from its community best_partition[node_community].remove(node) best_shared_links = 0 for e in self.edges_of_node[node]: if e[0][0] == e[0][1]: continue if e[0][0] == node and self.communities[e[0][1]] == node_community or e[0][1] == node and self.communities[e[0][0]] == node_community: best_shared_links += e[1] self.s_in[node_community] -= 2 * (best_shared_links + self.w[node]) self.s_tot[node_community] -= self.k_i[node] self.communities[node] = -1 communities = {} # only consider neighbors of different communities for neighbor in self.get_neighbors(node): community = self.communities[neighbor] if community in communities: continue communities[community] = 1 shared_links = 0 for e in self.edges_of_node[node]: if e[0][0] == e[0][1]: continue if e[0][0] == node and self.communities[e[0][1]] == community or e[0][1] == node and self.communities[e[0][0]] == community: shared_links += e[1] # compute modularity gain obtained by moving _node to the community of _neighbor gain = self.compute_modularity_gain(node, community, shared_links) if gain > best_gain: best_community = community best_gain = gain best_shared_links = shared_links # insert _node into the community maximizing the modularity gain best_partition[best_community].append(node) self.communities[node] = best_community self.s_in[best_community] += 2 * (best_shared_links + self.w[node]) self.s_tot[best_community] += self.k_i[node] if node_community != best_community: improvement = 1 if not improvement: break return best_partition ''' Yields the nodes adjacent to _node. _node: an int ''' def get_neighbors(self, node): for e in self.edges_of_node[node]: if e[0][0] == e[0][1]: # a node is not neighbor with itself continue if e[0][0] == node: yield e[0][1] if e[0][1] == node: yield e[0][0] ''' Builds the initial partition from _network. _network: a (nodes, edges) pair ''' def make_initial_partition(self, network): partition = [[node] for node in network[0]] self.s_in = [0 for node in network[0]] self.s_tot = [self.k_i[node] for node in network[0]] for e in network[1]: if e[0][0] == e[0][1]: # only self-loops self.s_in[e[0][0]] += e[1] self.s_in[e[0][1]] += e[1] return partition ''' Performs the second phase of the method. _network: a (nodes, edges) pair _partition: a list of lists of nodes ''' def second_phase(self, network, partition): nodes_ = [i for i in range(len(partition))] # relabelling communities communities_ = [] d = {} i = 0 for community in self.communities: if community in d: communities_.append(d[community]) else: d[community] = i communities_.append(i) i += 1 self.communities = communities_ # building relabelled edges edges_ = {} for e in network[1]: ci = self.communities[e[0][0]] cj = self.communities[e[0][1]] try: edges_[(ci, cj)] += e[1] except KeyError: edges_[(ci, cj)] = e[1] edges_ = [(k, v) for k, v in edges_.items()] # recomputing k_i vector and storing edges by node self.k_i = [0 for n in nodes_] self.edges_of_node = {} self.w = [0 for n in nodes_] for e in edges_: self.k_i[e[0][0]] += e[1] self.k_i[e[0][1]] += e[1] if e[0][0] == e[0][1]: self.w[e[0][0]] += e[1] if e[0][0] not in self.edges_of_node: self.edges_of_node[e[0][0]] = [e] else: self.edges_of_node[e[0][0]].append(e) if e[0][1] not in self.edges_of_node: self.edges_of_node[e[0][1]] = [e] elif e[0][0] != e[0][1]: self.edges_of_node[e[0][1]].append(e) # resetting communities self.communities = [n for n in nodes_] return (nodes_, edges_) ''' Rebuilds a graph with successive nodes' ids. _nodes: a dict of int _edges: a list of ((int, int), weight) pairs ''' def in_order(nodes, edges): # rebuild graph with successive identifiers nodes = list(nodes.keys()) nodes.sort() i = 0 nodes_ = [] d = {} for n in nodes: nodes_.append(i) d[n] = i i += 1 edges_ = [] for e in edges: edges_.append(((d[e[0][0]], d[e[0][1]]), e[1])) return (nodes_, edges_)
node [ id 16 label "Betrayal" value "c" ] node [ id 17 label "Shut Up and Sing" value "c" ] node [ id 18 label "Meant To Be" value "n" ] node [ id 19 label "The Right Man" value "c" ]
6. 其他社区发现算法
