Xiaoyu Wang,Yongwang Zhou,Dongbiao Li,Chi Zhang

DOI: https://doi.org/10.1109/iccc62479.2024.10681973

2024-01-01

Abstract:Anomaly detection in dynamic and temporal graphs is frequently accomplished using unsupervised learning. This involves clustering to group similar data instances and identify outliers. Nonetheless, the accuracy of unsupervised learning algorithms is limited when anomalous data instances exhibit similar features. Existing graph theory-based methods can only detect significant anomalies that affect the entire network structure but fail to detect subtle anomalies such as small-scale DDoS attacks within node groups. Conversely, monitoring the behavior of every node in a real-time network can be expensive. In this paper, we propose a real-time anomaly detection method that leverages community detection and graph spectral theory. Specifically, each graph is partitioned into groups of densely connected nodes, which serve as detection objects to identify subtle anomalies. To address the challenge of detecting anomalies with similar features, we measured changes in communities between adjacent time steps, allowing us to identify outlier time points. Finally, to strike a balance between accuracy and cost, we utilize a novel graph spectral theory method as a graph distance function. Experimental evaluations demonstrate the efficacy of our approach in detecting subtle anomalies.

Rodrigo Francisquini,Ana Carolina Lorena,Mariá C. V. Nascimento

DOI: https://doi.org/10.48550/arXiv.2201.09936

2022-01-25

Abstract:Several applications have a community structure where the nodes of the same community share similar attributes. Anomaly or outlier detection in networks is a relevant and widely studied research topic with applications in various domains. Despite a significant amount of anomaly detection frameworks, there is a dearth on the literature of methods that consider both attributed graphs and the community structure of the networks. This paper proposes a community-based anomaly detection algorithm using a spectral graph-based filter that includes the network community structure into the Laplacian matrix adopted as the basis for the Fourier transform. In addition, the choice of the cutoff frequency of the filter considers the number of communities found. In computational experiments, the proposed strategy, called SpecF, showed an outstanding performance in successfully identifying even discrete anomalies. SpecF is better than a baseline disregarding the community structure, especially for networks with a higher community overlapping. Additionally, we present a case study to validate the proposed method to study the dissemination of COVID-19 in the different districts of São José dos Campos, Brazil.

Social and Information Networks,Machine Learning

Ding De Jiang,Cheng Yao,Wei Han Zhang,Zheng

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.1461

2013-01-01

Advanced Materials Research

Abstract:This paper presents a detection algorithm for anomaly network traffic, which is based on spectral kurtosis analysis. Firstly, we turn network traffic into time-frequency signals at different scales. These time-frequency signals hold the more detailed nature corresponding to different scales. Secondly, the time-frequency signals at different scales are transformed into a series of new time signals by time-frequency analysis theory. These new time signals hold obvious narrowband nature and embody the local properties of network traffic. Thirdly, we calculate the spectral kurtosis values of the new time signals and then perform the feature extractions. As a result, the abnormal network traffic can be correctly identified. Simulation results show that our algorithm is feasible and promising.

Bo Wang,Yanping Zhao,Fengye Hu,Ying-Chang Liang

DOI: https://doi.org/10.1109/tsp.2018.2866847

IF: 4.875

2018-01-01

IEEE Transactions on Signal Processing

Abstract:We study network anomaly detection problem with subgraph search and vertex classification techniques in Chung-Lu networks, where small anomalous networks are embedded in background networks. The general detectors traditionally utilize the spectral characteristics of whole networks to decide whether the anomalous networks exist or not. Moreover, many algorithms model the background networks with special random graphs, such as Erdős–Rényi random graphs. However, these methods may not achieve good detection performance because the spectral information of anomalous networks extracting from the relational data of the whole networks is subtle. Furthermore, the assumptions of the models limit the applications of the methods. In order to improve the detection capability of algorithms and relax the restriction of the background networks models, we develop two preprocessing approaches, referred to as subgraph search and vertex classification, and propose two detection algorithms, which can be applicable to the generalized network model (Chung-Lu random graph). By leveraging statistic features of priori data, the subgraph search method can obtain local network nodes that are more anomalous than the remainder. Moreover, the vertex classification is used to further distinguish the anomalous nodes from the local ones. And then, by using the relational data corresponding to the local nodes, the detection statistics are constructed to detect the anomalous network. Additionally, based on concentration of measure theory, the probability bounds of performance analysis are derived for the presented algorithms. Simulation examples are provided to illustrate that the proposed detectors can achieve better detection performance than the existing algorithms.

James Sharpnack,Akshay Krishnamurthy,Aarti Singh

DOI: https://doi.org/10.48550/arXiv.1312.3291

2013-12-12

Abstract:The detection of anomalous activity in graphs is a statistical problem that arises in many applications, such as network surveillance, disease outbreak detection, and activity monitoring in social networks. Beyond its wide applicability, graph structured anomaly detection serves as a case study in the difficulty of balancing computational complexity with statistical power. In this work, we develop from first principles the generalized likelihood ratio test for determining if there is a well connected region of activation over the vertices in the graph in Gaussian noise. Because this test is computationally infeasible, we provide a relaxation, called the Lovasz extended scan statistic (LESS) that uses submodularity to approximate the intractable generalized likelihood ratio. We demonstrate a connection between LESS and maximum a-posteriori inference in Markov random fields, which provides us with a poly-time algorithm for LESS. Using electrical network theory, we are able to control type 1 error for LESS and prove conditions under which LESS is risk consistent. Finally, we consider specific graph models, the torus, k-nearest neighbor graphs, and epsilon-random graphs. We show that on these graphs our results provide near-optimal performance by matching our results to known lower bounds.

Machine Learning

Chi Zhang,Wenkai Xiang,Xingzhi Guo,Baojian Zhou,Deqing Yang

2023-12-17

Abstract:Given a dynamic graph, the efficient tracking of anomalous subgraphs via their node embeddings poses a significant challenge. Addressing this issue necessitates an effective scoring mechanism and an innovative anomalous subgraph strategy. Existing methods predominantly focus on designing scoring strategies or employing graph structures that consider nodes in isolation, resulting in ineffective capture of the anomalous subgraph structure information. In this paper, we introduce SUBANOM, a novel framework for subgraph anomaly detection that is adept at identifying anomalous subgraphs. SUBANOM has three key components: 1) We implement current state-of-the-art dynamic embedding methods to efficiently calculate node embeddings, thereby capturing all node-level anomalies successfully; 2) We devise novel subgraph identification strategies, which include k-hop and triadic-closure. These strategies form the crucial component that can proficiently differentiate between strong and weak neighbors, thus effectively capturing the anomaly structure information; 3) For qualifying the anomaly subgraphs, we propose using Lp-norm-based score aggregation functions. These iterative steps enable us to process large-scale dynamic graphs effectively. Experiments conducted on a real-world dynamic graph underscore the efficacy of our framework in detecting anomalous subgraphs, outperforming state-of-the-art methods. Experimental results further signify that our framework is a potent tool for identifying anomalous subgraphs in real-world scenarios. For instance, the F1 score under the optimal subgraph identification strategy, can peak at 0.6679, while the highest achievable score using the corresponding baseline method is 0.5677.

Social and Information Networks

Siwei Liang,Jipeng Zeng,Cuiping Li,Hong Chen

DOI: https://doi.org/10.1109/fskd.2010.5569320

2010-01-01

Abstract:Detecting anomaly nodes from graphs is an important objective in many applications ranging from social networks to World Wide Web. Recently several methods have been proposed to address this problem. A limitation of most of these methods is that they are based on the random walk of the graph, and often fail to be effective. In this paper, we propose a new framework to detect anomaly nodes within a graph. The approach relies on a novel mapping strategy that maps nodes to a multidimensional space wherein sparse areas in the mapped space correspond to anomaly nodes. The algorithm then spots the sparse regions in the mapped space to output the anomaly nodes of the graph. Our experiments on real datasets prove that the proposed framework is effective.

Yuemeng Li,Xintao Wu,Aidong Lu

DOI: https://doi.org/10.48550/arXiv.1612.08102

2016-12-24

Abstract:It has been shown that the adjacency eigenspace of a network contains key information of its underlying structure. However, there has been no study on spectral analysis of the adjacency matrices of directed signed graphs. In this paper, we derive theoretical approximations of spectral projections from such directed signed networks using matrix perturbation theory. We use the derived theoretical results to study the influences of negative intra cluster and inter cluster directed edges on node spectral projections. We then develop a spectral clustering based graph partition algorithm, SC-DSG, and conduct evaluations on both synthetic and real datasets. Both theoretical analysis and empirical evaluation demonstrate the effectiveness of the proposed algorithm.

Social and Information Networks,Machine Learning,Physics and Society

Sevvandi Kandanaarachchi,Conrad Sanderson,Rob J. Hyndman

2024-10-08

Abstract:Detecting anomalies in a temporal sequence of graphs can be applied is areas such as the detection of accidents in transport networks and cyber attacks in computer networks. Existing methods for detecting abnormal graphs can suffer from multiple limitations, such as high false positive rates as well as difficulties with handling variable-sized graphs and non-trivial temporal dynamics. To address this, we propose a technique where temporal dependencies are explicitly modelled via time series analysis of a large set of pertinent graph features, followed by using residuals to remove the dependencies. Extreme Value Theory is then used to robustly model and classify any remaining extremes, aiming to produce low false positives rates. Comparative evaluations on a multitude of graph instances show that the proposed approach obtains considerably better accuracy than TensorSplat and Laplacian Anomaly Detection.

Machine Learning

Leting Wu,Xiaowei Ying,Xintao Wu,Aidong Lu,Zhi-Hua Zhou

DOI: https://doi.org/10.1007/978-3-642-20847-8_1

2011-01-01

Abstract:Previous studies on social networks are often focused on networks with only positive relations between individual nodes. As a significant extension, we conduct the spectral analysis on graphs with both positive and negative edges. Specifically, we investigate the impacts of introducing negative edges and examine patterns in the spectral space of the graph's adjacency matrix. Our theoretical results show that communities in a k-balanced signed graph are distinguishable in the spectral space of its signed adjacency matrix even if connections between communities are dense. This is quite different from recent findings on unsigned graphs, where communities tend to mix together in the spectral space when connections between communities increase. We further conduct theoretical studies based on graph perturbation to examine spectral patterns of general unbalanced signed graphs. We illustrate our theoretical findings with various empirical evaluations.

Jeffrey Q. Jiang,Andreas W. M. Dress,Genke Yang

DOI: https://doi.org/10.1016/j.aml.2009.02.005

IF: 4.294

2009-01-01

Applied Mathematics Letters

Abstract:Exploring recent developments in spectral clustering, we discovered that relaxing a spectral reformulation of Newman’s Q-measure (a measure that may guide the search for–and help to evaluate the fit of - community structures in networks) yields a new framework for use in detecting fuzzy communities and identifying so-called unstable nodes. In this note, we present and illustrate this approach, which we expect to further enhance our understanding of the intrinsic structure of networks and of network-based clustering procedures. We applied a variation of the fuzzy k-means algorithm, an instance of our framework, to two social networks. The computational results illustrate its potential.

Minglai Shao,Jianxin Li,Feng Chen,Xunxun Chen

DOI: https://doi.org/10.1109/INFOCOM.2018.8485830

2018-01-01

Abstract:Evolving anomalous subgraphs detection in dynamic networks is an important and challenging problem that has arisen in multiple applications and is NP-hard in general. The evolving characteristic makes most existing methods incapable to tackle this problem effectively and efficiently, as it involves huge search spaces and continuous changes of evolving connected subgraphs, especially when the data are free of distributions. This paper presents a generic efficient framework, namely dynamic evolving anomalous subgraphs scanning (dGraphScan), to address this problem. We generalize traditional nonparametric scan statistics, and propose a large class of scan statistic functions for measuring the significance of evolving subgraphs in dynamic networks. Furthermore, we make a number of computational studies to optimize this large class of nonparametric scan statistic functions. Specifically, we first decompose each scan statistic function as a sequence of subproblems with provable guarantees, and then propose efficient approximation algorithms for tackling each subproblem, while analyzing their theoretical properties and providing rigorous approximation guarantees. Extensive experiments on three real-world datasets demonstrate that our general framework performs superior over state-of-the-art methods.

Qiang Zhou,Shi-Min Cai,Yi-Cheng Zhang

DOI: https://doi.org/10.1109/iccwamtip47768.2019.9067515

2019-01-01

Abstract:Compared with stochastic networks, the distribution of node degrees in real-world networks is characterized by heterogeneity. Spectral strategies based on the matrix eigenvector have been widely applied in the analysis of this type of network data, particularly for spatial division and community detection. Considering the performance of normalized Laplace matrix in heterogeneous networks outperforms some other common matrices, herein, a spectral strategy based on the eigenvector of matrix is proposed to tackle the modularity maximization problem in community detection.

Fu Lin,Haonan Gong,Mingkang Li,Zitong Wang,Yue Zhang,Xuexiong Luo

DOI: https://doi.org/10.1145/3603719.3603739

2023-07-22

Abstract:Graph structure patterns are widely used to model different area data recently. How to detect anomalous graph information on these graph data has become a popular research problem. The objective of this research is centered on the particular issue that how to detect abnormal graphs within a graph set. The previous works have observed that abnormal graphs mainly show node-level and graph-level anomalies, but these methods equally treat two anomaly forms above in the evaluation of abnormal graphs, which is contrary to the fact that different types of abnormal graph data have different degrees in terms of node-level and graph-level anomalies. Furthermore, abnormal graphs that have subtle differences from normal graphs are easily escaped detection by the existing methods. Thus, we propose a multi-representations space separation based graph-level anomaly-aware detection framework in this paper. To consider the different importance of node-level and graph-level anomalies, we design an anomaly-aware module to learn the specific weight between them in the abnormal graph evaluation process. In addition, we learn strictly separate normal and abnormal graph representation spaces by four types of weighted graph representations against each other including anchor normal graphs, anchor abnormal graphs, training normal graphs, and training abnormal graphs. Based on the distance error between the graph representations of the test graph and both normal and abnormal graph representation spaces, we can accurately determine whether the test graph is anomalous. Our approach has been extensively evaluated against baseline methods using ten public graph datasets, and the results demonstrate its effectiveness.

Machine Learning,Artificial Intelligence

Xuandi Sun,Roula Nassif,Cédric Richard,Ziye Yang,Jie Chen,Haiyan Wang

DOI: https://doi.org/10.1109/tcsi.2024.3491152

2024-01-01

IEEE Transactions on Circuits and Systems I Regular Papers

Abstract:Data generated by network-structured applications, such as sensor networks or communication networks, typically reside on complex and irregular structures. These data necessitate specific graph signal processing tools to harness their characteristics. Detecting anomalous events in graph signals is significant in enhancing reliability of systems, where anomalies often activate localized groups of vertices. In this paper, we introduce a novel approach, the Joint Graph Wavelet Canonical Correlation Analysis, for detecting anomalies in graph signals through cooperative filtering while identifying their locations. This approach conducts canonical correlation analysis on graph signals to achieve data fusion within the wavelet domain while accounting for the graph topology. Subsequently, we devise an optimization algorithm specifically tailored for anomaly detection in graph signals. Finally, we illustrate its effectiveness through numerical simulations on synthetic data and by presenting test results from a multi-microphone network.

Supriya Pandhre,Manish Gupta,Vineeth N Balasubramanian

DOI: https://doi.org/10.48550/arXiv.1612.09435

2017-11-11

Abstract:The study of networks has emerged in diverse disciplines as a means of analyzing complex relationship data. Beyond graph analysis tasks like graph query processing, link analysis, influence propagation, there has recently been some work in the area of outlier detection for information network data. Although various kinds of outliers have been studied for graph data, there is not much work on anomaly detection from edge-attributed graphs. In this paper, we introduce a method that detects novel outlier graph nodes by taking into account the node data and edge data simultaneously to detect anomalies. We model the problem as a community detection task, where outliers form a separate community. We propose a method that uses a probabilistic graph model (Hidden Markov Random Field) for joint modeling of nodes and edges in the network to compute Holistic Community Outliers (HCOutliers). Thus, our model presents a natural setting for heterogeneous graphs that have multiple edges/relationships between two nodes. EM (Expectation Maximization) is used to learn model parameters, and infer hidden community labels. Experimental results on synthetic datasets and the DBLP dataset show the effectiveness of our approach for finding novel outliers from networks.

Social and Information Networks

Renjun Hu,Charu C. Aggarwal,Shuai Ma,Jinpeng Huai

DOI: https://doi.org/10.1109/icde.2016.7498256

2016-01-01

Abstract:Network anomaly detection has become very popular in recent years because of the importance of discovering key regions of structural inconsistency in the network. In addition to application-specific information carried by anomalies, the presence of such structural inconsistency is often an impediment to the effective application of data mining algorithms such as community detection and classification. In this paper, we study the problem of detecting structurally inconsistent nodes that connect to a number of diverse influential communities in large social networks. We show that the use of a network embedding approach, together with a novel dimension reduction technique, is an effective tool to discover such structural inconsistencies. We also experimentally show that the detection of such anomalous nodes has significant applications: one is the specific use of detected anomalies, and the other is the improvement of the effectiveness of community detection.

Huan Wang,Chunming Qiao,Xuan Guo,Ying Sha,Zhiguo Gong

DOI: https://doi.org/10.1145/3487553.3524189

2022-01-01

Abstract:As a long-lasting challenge in dynamic social networks, anomaly analysis research has attracted much attention. Unfortunately, existing methods focus on the macro representation of dynamic social networks and fail to analyze the micro-level nodes. Therefore, this research proposes a multiple-neighbor fluctuation method to exploit anomalous structural nodes in dynamic social networks. Our method proposes a new multiple-neighbor similarity index by incorporating extensional similarity indices, which introduces observation nodes and characterizes the structural similarities of nodes within multiple-neighbor ranges. Subsequently, our method maximally reflects the structural change of each node, using a new superposition similarity fluctuation index from the perspective of diverse multiple-neighbor similarities. As a result, our method not only identifies anomalous structural nodes by detecting the anomalous structural changes of nodes, but also evaluates their anomalous degrees by quantifying these changes. Results obtained by comparing with state-of-the-art methods via extensive experiments show that our method can accurately identify anomalous structural nodes and evaluate their anomalous degrees well.

Xiangyu Dong,Xingyi Zhang,Sibo Wang

2024-03-28

Abstract:Graph-level anomaly detection has gained significant attention as it finds applications in various domains, such as cancer diagnosis and enzyme prediction. However, existing methods fail to capture the spectral properties of graph anomalies, resulting in unexplainable framework design and unsatisfying performance. In this paper, we re-investigate the spectral differences between anomalous and normal graphs. Our main observation shows a significant disparity in the accumulated spectral energy between these two classes. Moreover, we prove that the accumulated spectral energy of the graph signal can be represented by its Rayleigh Quotient, indicating that the Rayleigh Quotient is a driving factor behind the anomalous properties of graphs. Motivated by this, we propose Rayleigh Quotient Graph Neural Network (RQGNN), the first spectral GNN that explores the inherent spectral features of anomalous graphs for graph-level anomaly detection. Specifically, we introduce a novel framework with two components: the Rayleigh Quotient learning component (RQL) and Chebyshev Wavelet GNN with RQ-pooling (CWGNN-RQ). RQL explicitly captures the Rayleigh Quotient of graphs and CWGNN-RQ implicitly explores the spectral space of graphs. Extensive experiments on 10 real-world datasets show that RQGNN outperforms the best rival by 6.74% in Macro-F1 score and 1.44% in AUC, demonstrating the effectiveness of our framework. Our code is available at <a class="link-external link-https" href="https://github.com/xydong127/RQGNN" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Artificial Intelligence

Ming Wang,Yuman Wang,Tianqi Wu,Cen Chen,Kexiang Qian

DOI: https://doi.org/10.1109/ICSP58490.2023.10248606

2023-01-01

Abstract:System logs provide rich information about the current system’s state. To make use of system logs, various existing work extracts a causal graph from the log events, and then applies graph-based machine learning algorithms to detect the anomalous behaviors. One limitation of these work is that they treat the graph in a static way, neglecting the dynamic nature of anomalous behaviors. In this paper, we propose to detect anomalous behaviors based on system logs using dynamic graph modeling. Our method consists of several key steps, including negative sampling which helps to balance the dataset, edge encoding which encodes the spatial information for each behavior, and sequence modeling which further models the temporal information. Experimental evaluations on real datasets demonstrate the effectiveness of the proposed approach.