US12021882B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12021882-B2 |
| Application number | US-202217746707-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 17, 2022 |
| Priority date | Apr 1, 2019 |
| Publication date | Jun 25, 2024 |
| Grant date | Jun 25, 2024 |
Abstract
A machine compromised by malicious activity is detected by identifying an anomalous port opened on an entity of a network. The anomalous port is detected through collaborative filtering using usage patterns derived from normal network traffic using open ports of entities on the network. The collaborative filtering employs single value decomposition with alternating least squares to generate a recommendation score identifying whether an entity having a newly-opened port is likely to be used for malicious activity.
Claims (preview)
What is claimed:
1. A computer-implemented method, comprising: monitoring network traffic flow through a plurality of open ports of a plurality of entities of a network; constructing an entity-port matrix based on implicit datasets, the implicit datasets comprising a plurality of usage patterns of the plurality of open ports of the plurality of entities for legitimate workloads, wherein the entity-port matrix includes a plurality of entity-port pairs, wherein an entity-port pair contains a frequency of a select one of the plurality of entities with a select one of the plurality of open ports; decomposing the entity-port matrix into a first matrix and a second matrix, wherein the first matrix comprises a plurality of entity vectors, wherein each of the plurality of entity vectors is associated with a corresponding entity, wherein the second matrix comprises a plurality of port vectors, wherein each of the plurality of port vectors is associated with a corresponding open port; detecting a newly-opened port on a first entity; determining whether the newly-opened port on the first entity is likely to be used for malicious activity from a recommendation score based on an entity vector for the first entity from the first matrix and the port vectors of the second matrix; and issuing an alert when the recommendation score determines that the newly-opened port is used for malicious activity.
2. The computer-implemented method of claim 1, further comprising: transforming each entity-port pair of the plurality of entity-port pairs into a preference and confidence pair; and predicting missing values for a select entity-port pair using the preference and confidence pair for the select entity-port pair.
3. The computer-implemented method of claim 2, further comprising: performing single value decomposition with alternating least squares to decompose the entity-port matrix into the first matrix and the second matrix.
4. The computer-implemented method of claim 1, further comprising: obtaining the plurality of usage patterns from synchronize (SYN) and acknowledgement (ACK) settings in transmission control protocol (TCP) packets.
5. The computer-implemented method of claim 1, wherein the plurality of usage patterns is derived from Internet Protocol Flow Information Export (IPFIX) data.
6. The computer-implemented method of claim 1, further comprising: updating the entity-port matrix with additional data from the network traffic flow at periodic intervals.
7. The computer-implemented method of claim 1, further comprising: generating a dot product of the entity vector for the first entity and a transpose of the second matrix; and obtaining the recommendation score from a value from the dot product representing the first entity and the newly-opened port.
8. A computer-implemented method, comprising: obtaining an entity-port model of a network, wherein the entity-port model comprises a plurality of entity-port pairs, wherein an entity-port pair represents normal usage of a select open port by a select entity for a legitimate workload; decomposing the entity-port model into an entity matrix and a port matrix, wherein the entity matrix comprises a plurality of entity factors, wherein the port matrix includes a plurality of port factors; detecting a newly-opened port of a first entity; comparing similarity of usage of the first entity with the newly-opened port for a legitimate workload with other entities of the network, wherein the comparison is based on a dot product of the entity factor of the first entity and the port matrix; obtaining a recommendation score as a value from the dot product matrix for the first entity and the newly-opened port; and raising an alert when the recommendation score is indicative of a likelihood that the newly-opened port is an anomalous port.
9. The computer-implemented method of claim 8, further comprising: computing preference and confidence pairs for each value of an entity-port pair; and estimating a missing value for each entity-port pair of the entity-port model lacking a value from the preference and confidence pairs.
10. The computer-implemented method of claim 9, wherein a preference and confidence pair for an entity-port pair includes a preference value and a confidence level, wherein the preference value indicates whether or not entity u uses port i for legitimate workloads, wherein the confidence level represents a level of confidence for the preference value.
11. The computer-implemented method of claim 9, further comprising: decomposing the entity-port model into the entity matrix and the port matrix through singular value decomposition with alternating least squares.
12. The computer-implemented method of claim 9, further comprising: applying matrix factorization to the entity-port model to produce the entity matrix and the port matrix.
13. The computer-implemented method of claim 8, wherein each entity-port pair of the entity-port model is derived from synchronize (SYN) and acknowledgement (ACK) settings in transmission control protocol (TCP) packets.
14. The computer-implemented method of claim 8, further comprising: constructing the entity-port model using implicit datasets, wherein the implicit datasets are derived from settings in transmission packets distributed in the network.
15. The computer-implemented method of claim 8, further comprising: receiving network flow data from the first entity; and analyzing the network flow data to detect the newly-opened port on the first entity.
16. A computer-implemented method, comprising: obtaining an entity-port model to represent normal usage of a plurality of open ports of a plurality of entities of a network for a legitimate workload, wherein the entity-port model comprises a plurality of entity-port pairs; constructing a first matrix and a second matrix from the entity-port model, wherein the first matrix including a plurality of entity vectors, wherein the second matrix including a plurality of port vectors; detecting in real-time a newly-opened port for a first entity of the plurality of entities; computing a third matrix as a product of the entity vector of the first entity and the second matrix; utilizing a recommendation score to determine a likelihood that the newly-opened port is an anomalous port from the value of third matrix representing the first entity and the newly-opened port; and upon the determination from the recommendation score that the newly-opened port is anomalous, raising an alert in real-time to deter usage of the anomalous port.
17. The computer-implemented method of claim 16, further comprising: constructing the entity-port model using implicit datasets, wherein the implicit datasets are derived from settings in transmission packets distributed in the network.
18. The computer-implemented method of claim 16, further comprising: transforming each entity-port pair of the plurality of entity-port pairs into a preference and confidence pair; and estimating missing values for the entity-port pairs from a corresponding preference and confidence pair.
19. The computer-implemented method of claim 18, wherein a preference and confidence pair for an entity-port pair includes a preference value and a confidence level, wherein the preference value indicates whether or not entity u uses port i for legitimate workloads, wherein the confidence level represents a level of confidence for the preference value.
20. The computer-implemented method of claim 16, furt
CPC classifications:
- Event detection, e.g. attack signature detection
- Traffic logging, e.g. anomaly detection
- by monitoring network traffic (monitoring network traffic per se H04L43/00)
- involving event detection and direct action
- involving long-term monitoring or reporting