Rui Wen,Jianyu Wang,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3391266

2020-01-01

Abstract:Given a large graph with millions of vertices and different types, how can we spot anomalies and find potential adversaries in time? Most graph-based fraud detection algorithms focus on finding dense blocks, discovering local subgraphs, designing belief propagation, and latent factor models. However, as fraudsters in online social networks gradually become adversarial, distributed, and invisible, it is easy for them to evade traditional detection methods. Even worse, existing detection systems are fragile to the new attacks. Once attackers update their tragedies, they will be inefficient. Our focus is to detect potential adversaries as soon as possible. We design and propose ASA (Adversary Situation Awareness), a system that (a) uncovers potential adversaries in time, (b) utilizes heterogeneous information in the graph, and (c)is effective in real-world data. We do experiments on a heterogeneous graph including 198,541 nodes with five types and 224,384 edges. The result shows that ASA can spot potential adversaries and successfully recovers 60 of potential abnormal users within a few minutes. Additionally, after two months we deployed it, ASA could achieve 90 recall, which means ASA can well discover a small number of adversaries with a latent period in time.

Xiaoyu Wang,Yongwang Zhou,Dongbiao Li,Chi Zhang

DOI: https://doi.org/10.1109/iccc62479.2024.10681973

2024-01-01

Abstract:Anomaly detection in dynamic and temporal graphs is frequently accomplished using unsupervised learning. This involves clustering to group similar data instances and identify outliers. Nonetheless, the accuracy of unsupervised learning algorithms is limited when anomalous data instances exhibit similar features. Existing graph theory-based methods can only detect significant anomalies that affect the entire network structure but fail to detect subtle anomalies such as small-scale DDoS attacks within node groups. Conversely, monitoring the behavior of every node in a real-time network can be expensive. In this paper, we propose a real-time anomaly detection method that leverages community detection and graph spectral theory. Specifically, each graph is partitioned into groups of densely connected nodes, which serve as detection objects to identify subtle anomalies. To address the challenge of detecting anomalies with similar features, we measured changes in communities between adjacent time steps, allowing us to identify outlier time points. Finally, to strike a balance between accuracy and cost, we utilize a novel graph spectral theory method as a graph distance function. Experimental evaluations demonstrate the efficacy of our approach in detecting subtle anomalies.

Sheng Tian,Jihai Dong,Jintang Li,Wenlong Zhao,Xiaolong Xu,Baokun wang,Bowen Song,Changhua Meng,Tianyi Zhang,Liang Chen

2023-05-23

Abstract:Anomaly detection aims to distinguish abnormal instances that deviate significantly from the majority of benign ones. As instances that appear in the real world are naturally connected and can be represented with graphs, graph neural networks become increasingly popular in tackling the anomaly detection problem. Despite the promising results, research on anomaly detection has almost exclusively focused on static graphs while the mining of anomalous patterns from dynamic graphs is rarely studied but has significant application value. In addition, anomaly detection is typically tackled from semi-supervised perspectives due to the lack of sufficient labeled data. However, most proposed methods are limited to merely exploiting labeled data, leaving a large number of unlabeled samples unexplored. In this work, we present semi-supervised anomaly detection (SAD), an end-to-end framework for anomaly detection on dynamic graphs. By a combination of a time-equipped memory bank and a pseudo-label contrastive learning module, SAD is able to fully exploit the potential of large unlabeled samples and uncover underlying anomalies on evolving graph streams. Extensive experiments on four real-world datasets demonstrate that SAD efficiently discovers anomalies from dynamic graphs and outperforms existing advanced methods even when provided with only little labeled data.

Machine Learning,Social and Information Networks

ZHENG Jun,HU Ming-zeng,YUN Xiao-chun,ZHENG Zhong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.001

2006-01-01

Abstract:The anomaly detection algorithms of the large scale network(LSN) were required to analysis the vast network traffic of G bit level in real-time and on-the-fly.A novel monitoring mechanism of LSN anomaly detection based on the data stream approach was proposed.The main contributions included: the sketch data structure and the frequent sketch algorithm of data streams were designed for anomaly detection of LSN.Optimized query methods were designed for customizing the security monitoring and detection policy with the correlations of multi data streams.The data reduction was proposed to make it possible that the whole network traffic character could be got using a few of special data streams.The experiments of the real networking environments validate the effectivity of LSN anomaly detection methods.

Emaad A. Manzoor,Sadegh Momeni,Venkat N. Venkatakrishnan,Leman Akoglu

DOI: https://doi.org/10.48550/arXiv.1602.04844

2016-02-22

Abstract:Given a stream of heterogeneous graphs containing different types of nodes and edges, how can we spot anomalous ones in real-time while consuming bounded memory? This problem is motivated by and generalizes from its application in security to host-level advanced persistent threat (APT) detection. We propose StreamSpot, a clustering based anomaly detection approach that addresses challenges in two key fronts: (1) heterogeneity, and (2) streaming nature. We introduce a new similarity function for heterogeneous graphs that compares two graphs based on their relative frequency of local substructures, represented as short strings. This function lends itself to a vector representation of a graph, which is (a) fast to compute, and (b) amenable to a sketched version with bounded size that preserves similarity. StreamSpot exhibits desirable properties that a streaming application requires---it is (i) fully-streaming; processing the stream one edge at a time as it arrives, (ii) memory-efficient; requiring constant space for the sketches and the clustering, (iii) fast; taking constant time to update the graph sketches and the cluster summaries that can process over 100K edges per second, and (iv) online; scoring and flagging anomalies in real time. Experiments on datasets containing simulated system-call flow graphs from normal browser activity and various attack scenarios (ground truth) show that our proposed StreamSpot is high-performance; achieving above 95% detection accuracy with small delay, as well as competitive time and memory usage.

Social and Information Networks

Siddharth Bhatia,Mohit Wadhwa,Kenji Kawaguchi,Neil Shah,Philip S. Yu,Bryan Hooi

2023-07-13

Abstract:Given a stream of graph edges from a dynamic graph, how can we assign anomaly scores to edges and subgraphs in an online manner, for the purpose of detecting unusual behavior, using constant time and memory? For example, in intrusion detection, existing work seeks to detect either anomalous edges or anomalous subgraphs, but not both. In this paper, we first extend the count-min sketch data structure to a higher-order sketch. This higher-order sketch has the useful property of preserving the dense subgraph structure (dense subgraphs in the input turn into dense submatrices in the data structure). We then propose 4 online algorithms that utilize this enhanced data structure, which (a) detect both edge and graph anomalies; (b) process each edge and graph in constant memory and constant update time per newly arriving edge, and; (c) outperform state-of-the-art baselines on 4 real-world datasets. Our method is the first streaming approach that incorporates dense subgraph search to detect graph anomalies in constant memory and time.

Data Structures and Algorithms,Artificial Intelligence,Machine Learning

Shiqi Lou,Qingyue Zhang,Shujie Yang,Yuyang Tian,Zhaoxuan Tan,Minnan Luo

DOI: https://doi.org/10.48550/arxiv.2310.16376

2023-01-01

Abstract:Anomaly detection on dynamic graphs refers to detecting entities whose behaviors obviously deviate from the norms observed within graphs and their temporal information. This field has drawn increasing attention due to its application in finance, network security, social networks, and more. However, existing methods face two challenges: dynamic structure constructing challenge - difficulties in capturing graph structure with complex time information and negative sampling challenge - unable to construct excellent negative samples for unsupervised learning. To address these challenges, we propose Unsupervised Generative Anomaly Detection on Dynamic Graphs (GADY). To tackle the first challenge, we propose a continuous dynamic graph model to capture the fine-grained information, which breaks the limit of existing discrete methods. Specifically, we employ a message-passing framework combined with positional features to get edge embeddings, which are decoded to identify anomalies. For the second challenge, we pioneer the use of Generative Adversarial Networks to generate negative interactions. Moreover, we design a loss function to alter the training goal of the generator while ensuring the diversity and quality of generated samples. Extensive experiments demonstrate that our proposed GADY significantly outperforms the previous state-of-the-art method on three real-world datasets. Supplementary experiments further validate the effectiveness of our model design and the necessity of each module.

Fengrui Liu,Yang Wang,Zhenyu Li,Hongtao Guan,Gaogang Xie

DOI: https://doi.org/10.1016/j.comcom.2023.06.027

IF: 5.047

2023-09-01

Computer Communications

Abstract:With the widespread use of Internet applications, ensuring the quality and reliability of online services has become increasingly important. Therefore, anomaly detection methods play a critical role in identifying potential anomalies in the data streams of infrastructure systems and service applications. However, most of known detection methods have an underlying assumption that the data streams are continuous. In practice, we learn that many real-world data streams can be sporadic. It incurs particular challenges for the task of anomaly detection, for which the common preprocessing of downsampling on sporadic data can omit potential anomalies and delay alarms. In this paper, we propose an ensemble learning-based anomaly detection method on sporadic data streams named AD 2 S . It consists of two modules: a monitor module to continuously and adaptively determine the measure windows for observations, and a detection module that utilizes an isolation partition strategy to estimate the anomaly degree of each incoming observation. Based on experimental results on eight synthetic and public real-world datasets, our method outperforms other state-of-the-art methods with an average AUC score of 0.923. Additionally, our analysis demonstrates that the proposed method has constant amortized time and space complexity, enabling once detection within an average of 9.9 ms and maximum memory usage of 26.14 KB. The code of AD 2 S is open-sourced for further research.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shuyu Pei,Jigang Wen,Kun Xie,Gaogang Xie,Kenli Li

DOI: https://doi.org/10.1109/tpds.2023.3316717

IF: 5.3

2023-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Network traffic anomaly detection is critical for advanced network applications. However, network traffic monitoring data arrive in a streaming fashion and could be infinite, which makes the offline algorithms that attempt to store the entire stream monitoring data for analysis not scalable. To well utilize the strong ability of tensor model, we use a tensor to represent the prior non-anomalous traffic matrices and propose a novel unsupervised anomaly detection framework that can be used to detect anomalies in a streaming fashion by making only one pass over the data while utilizing limited storage. In the framework, we propose a succinct tensor sketch to maintain, in a streaming model, the subspace that can well represent all prior non-anomalous data detected. Using the subspace, anomalies in each new incoming traffic monitoring data can be quickly detected based on a simple outlier score calculation. Further, we prove that the tensor sketch is mergeable. Exploiting this property, we propose a distributed anomaly detection framework in which the distributed node only needs to upload its succinct tensor sketch instead of the raw monitoring data to the central node to calculate the global subspace of the whole network, which greatly saves the transmission cost. We theoretically prove that our tensor sketch based anomaly detection algorithm compares favorably with the offline approach which calculates the subspace based on expensive global Singular Value Decomposition (SVD). The experimental results demonstrate the effectiveness and efficiency of our approach over other popular online anomaly detection algorithms.

Dennis Ippoliti,Changjun Jiang,Zhijun Ding,Xiaobo Zhou

DOI: https://doi.org/10.1145/2934686

2016-01-01

ACM Transactions on Autonomous and Adaptive Systems

Abstract:Traditional network anomaly detection involves developing models that rely on packet inspection. However, increasing network speeds and use of encrypted protocols make per-packet inspection unsuited for today’s networks. One method of overcoming this obstacle is aggregating packet header information and performing flow-based analysis where data flow patterns are examined rather than deep packet inspection. Many existing approaches are special purpose limited to detecting specific behavior. Also, the data reduction inherent in identifying anomalous flows hinders alert correlation. In this article, we propose and develop a dynamic anomaly detection approach for augmented network flows. We sketch network state during flow creation, enabling general-purpose threat detection. We describe an efficient flow augmentation approach based on the count-min sketch that provides per-flow-, per-node-, and per-network-level statistics parallel to flow record generation. We design and develop a support vector machine-based adaptive anomaly detection and correlation mechanism, which is capable of aggregating alerts without a priori alert classification and evolving models online. We further develop a lightweight evolving alert aggregation method and combine it with a confidence forwarding mechanism identifying a small percentage predictions for additional processing. We show effectiveness of our methods on both enterprise and backbone traces. Experimental results demonstrate its ability to maintain high accuracy without the need for offline training.

Fangyuan Cheng,Xiaofeng Qiu

DOI: https://doi.org/10.1109/icnidc.2016.7974527

2016-01-01

Abstract:In this paper, an anomaly detection method based on frequent sub-graph mining and association analysis is introduced to ensure the security of the SDN. With this method, the network behavior data in SDN are represented as a graph, abnormal sub-graphs of which are readily detectable. And patterns of the detected abnormal behaviors are able to be identified. Furthermore, an ensemble method based on Bagging algorithm is proposed to improve the detection accuracy. Experiment with global flow table data based on SDN indicated that this approach was capable of detecting anomalies in SDN. Moreover, to illustrate the effectiveness of this method in other aspects, comparisons with KDD99 data set were conducted. And the results verified its excellent ability in reducing false alarms and the effect of the ensemble method on improving the detection accuracy.

HAN Tao,LAN Yuqing,XIAO Limin,LIU Yanfang

DOI: https://doi.org/10.13700/j.bh.1001-5965.2017.0019

2018-01-01

Abstract:Financial fraud behavior, network intrusion and suspicious social actions can be detected by structural anomaly detection in graphs.The existing anomaly detection algorithms require high computational complexity and cannot process large-scale dynamic graphs.So an incremental and parallel algorithm is pro-posed to discover and detect abnormal patterns in dynamic graphs effectively and efficiently.The whole graph was partitioned into subgraphs by time sliding windows.N subgraphs in time sliding windows were processed in parallel by minimum description length (MDL) principle to discover both normal and abnormal patterns.Struc-tural outliers can be detected gradually in parallel based on normal patterns.The results of experiments conduc-ted in multiple large-scale graphs show that the precision rate for detecting the abnormal patterns of dynamic graph reaches 96％, recall rate reaches 85％, and running time reduces by an order of magnitude.The impact of the size of sliding windows and the number of parallel on running time of the algorithm is also discussed.

Yulong Pei,Fang Lyu,Werner van Ipenburg,Mykola Pechenizkiy

DOI: https://doi.org/10.1145/3383455.3422548

2020-01-01

Abstract:Effective anomaly detection is crucial for the success of many AI-based solutions in the financial domain, including e.g. fraud detection and risk modeling. Identifying anomaly from financial transaction networks is one of the challenging tasks that can be cast as a special instance of anomaly detection in networks. Existing methods typically attempt to detect only node-level anomalies, and assume prior knowledge to extract representative features for identifying anomalies. However, there exist collective fraudulent behaviors at the level of subgraphs rather than individual node. A ring structure for money laundering and a tree structure for pyramid schemes would be common examples. Also, in practice it is difficult to decide which features are more representative beforehand. In this paper, we introduce SADE (Subgraph Anomaly DEtection) framework that addresses these needs. SADE consists of two steps: 1) role-guided subgraph embedding, and 2) subgraph anomaly detection. Our approach for learning the subgraph embeddings allows to preserve both the local structure of subgraphs and the global structure of entire network by making use of global roles and local connections of nodes. The learnt representation allows effective use of the state of art anomaly detection approaches. Our extensive experiments on synthetic and real-world financial transaction networks demonstrate the effectiveness of SADE in learning subgraph embeddings without requiring any prior knowledge and detecting anomalous subgraphs.

Weiren Yu,Charu C. Aggarwal,Shuai Ma,Haixun Wang

DOI: https://doi.org/10.1109/icdm.2013.32

2013-01-01

Abstract:Network streams have become ubiquitous in recent years because of many dynamic applications. Such streams may show localized regions of activity and evolution because of anomalous events. This paper will present methods for dynamically determining anomalous hot spots from network streams. These are localized regions of sudden activity or change in the underlying network. We will design a localized principal component analysis algorithm, which can continuously maintain the information about the changes in the different neighborhoods of the network. We will use a fast incremental eigenvector update algorithm based on von Mises iterations in a lazy way in order to efficiently maintain local correlation information. This is used to discover local change hotspots in dynamic streams. We will finally present an experimental study to demonstrate the effectiveness and efficiency of our approach.

Katie Buchhorn,Edgar Santos-Fernandez,Kerrie Mengersen,Robert Salomone

DOI: https://doi.org/10.12688/f1000research.136097.2

2024-03-28

F1000Research

Abstract:Background Water is the lifeblood of river networks, and its quality plays a crucial role in sustaining both aquatic ecosystems and human societies. Real-time monitoring of water quality is increasingly reliant on in-situ sensor technology. Anomaly detection is crucial for identifying erroneous patterns in sensor data, but can be a challenging task due to the complexity and variability of the data, even under typical conditions. This paper presents a solution to the challenging task of anomaly detection for river network sensor data, which is essential for accurate and continuous monitoring. Methods We use a graph neural network model, the recently proposed Graph Deviation Network (GDN), which employs graph attention-based forecasting to capture the complex spatio-temporal relationships between sensors. We propose an alternate anomaly threshold criteria for the model, GDN+, based on the learned graph. To evaluate the model’s efficacy, we introduce new benchmarking simulation experiments with highly-sophisticated dependency structures and subsequence anomalies of various types. We also introduce software called gnnad. Results We further examine the strengths and weaknesses of this baseline approach, GDN, in comparison to other benchmarking methods on complex real-world river network data. Conclusions Findings suggest that GDN+ outperforms the baseline approach in high-dimensional data, while also providing improved interpretability.

English Else

Limengwei Liu,Modi Hu,Chaoqun Kang,Xiaoyong Li

DOI: https://doi.org/10.3390/info11020105

2020-01-01

Information

Abstract:The development and integration of information technology and industrial control networks have expanded the magnitude of new data; detecting anomalies or discovering other valid information from them is of vital importance to the stable operation of industrial control systems. This paper proposes an incremental unsupervised anomaly detection method that can quickly analyze and process large-scale real-time data. Our evaluation on the Secure Water Treatment dataset shows that the method is converging to its offline counterpart for infinitely growing data streams.

Hongyu Sun,Qiang He,Kewen Liao,Timos Sellis,Longkun Guo,Xuyun Zhang,Jun Shen,Feifei Chen

DOI: https://doi.org/10.1109/bigdata47090.2019.9006354

2019-01-01

Abstract:Multiple multi-dimensional data streams are ubiquitous in the modern world, such as IoT applications, GIS applications and social networks. Detecting anomalies in such data streams in real-time is an important and challenging task. It is able to provide valuable information from data and then assists decision-making. However, exiting approaches for anomaly detection in multi-dimensional data streams have not properly considered the correlations among multiple multi-dimensional streams. Moreover, for multi-dimensional streaming data, online detection speed is often an important concern. In this paper, we propose a fast yet effective anomaly detection approach in multiple multi-dimensional data streams. This is based on a combination of ideas, i.e., stream pre-processing, locality sensitive hashing and dynamic isolation forest. Experiments on real datasets demonstrate that our approach achieves a magnitude increase in its efficiency compared with state-of-the-art approaches while maintaining competitive detection accuracy.

Chi Zhang,Wenkai Xiang,Xingzhi Guo,Baojian Zhou,Deqing Yang

2023-12-17

Abstract:Given a dynamic graph, the efficient tracking of anomalous subgraphs via their node embeddings poses a significant challenge. Addressing this issue necessitates an effective scoring mechanism and an innovative anomalous subgraph strategy. Existing methods predominantly focus on designing scoring strategies or employing graph structures that consider nodes in isolation, resulting in ineffective capture of the anomalous subgraph structure information. In this paper, we introduce SUBANOM, a novel framework for subgraph anomaly detection that is adept at identifying anomalous subgraphs. SUBANOM has three key components: 1) We implement current state-of-the-art dynamic embedding methods to efficiently calculate node embeddings, thereby capturing all node-level anomalies successfully; 2) We devise novel subgraph identification strategies, which include k-hop and triadic-closure. These strategies form the crucial component that can proficiently differentiate between strong and weak neighbors, thus effectively capturing the anomaly structure information; 3) For qualifying the anomaly subgraphs, we propose using Lp-norm-based score aggregation functions. These iterative steps enable us to process large-scale dynamic graphs effectively. Experiments conducted on a real-world dynamic graph underscore the efficacy of our framework in detecting anomalous subgraphs, outperforming state-of-the-art methods. Experimental results further signify that our framework is a potent tool for identifying anomalous subgraphs in real-world scenarios. For instance, the F1 score under the optimal subgraph identification strategy, can peak at 0.6679, while the highest achievable score using the corresponding baseline method is 0.5677.

Social and Information Networks

Shuiyuan Xie,Xiuli Ma,Shiwei Tang

DOI: https://doi.org/10.1007/978-3-642-39527-7_9

2013-01-01

Abstract:In many real networks, the detection and tracking of unusual phenomena, such as the diffusion of contamination and the spreading of disease, is one of the key feature users are great interested in, which is called anomaly with technical terms. In this paper, we present a framework to detect and track anomaly region continuously. First, we build a state transition graph to summarize network's operating regularity, that is, network stays in a state for a period of time and alternates among states over and over again, which exists in many real networks. Second, we employ the state transition graph to predict network's next state. While comparing expected state and current state, we present suspicious region and its anomaly probability. We evaluate our approach on a real water distribution network from the Battle of the Water Sensor Network (BWSN). Experiments show that our approach is effective, efficient and scalable to detect and track anomaly region. © 2013 Springer-Verlag.

Yitong Liu,Caiyun Liu,Jun Li,Yan Sun

DOI: https://doi.org/10.1007/978-981-97-2757-5_49

2024-01-01

Abstract:In today's information age, with the rapid development of network technology and a large number of applications of sensors in daily life. The number of various types of data has shown a great growth. These data not only bring us convenience and benefits, but also pose a great challenge to us, that is, how to explore the information of the data and effectively analyze the specific significance contained in the data has become a hot research direction. In the large amount of data obtained, most of the data are in the normal state and only represent the basic "value" information. Compared with the data in the normal state, the information carried by a small part of the data is more worthy of attention. The emergence of these data is the so-called "exception". The occurrence of exceptions indicates that the system that should be running normally has changed, and these changes often have a negative impact on the system. Looking at these applications, it is not difficult to find that the actual frequency of these anomalies accounts for a very small proportion compared with a large number of normal time, but its value is very huge. Therefore, real-time online anomaly detection of convective data has very important value and significance for scientific research and industrial application. In the process of this research, I have a more comprehensive and detailed understanding of the research field of "anomaly detection of stream data" through theoretical learning, apply the deep learning model to anomaly detection of stream data, and test the performance of the model through experiments. By comparing the performance of traditional anomaly detection algorithms, unsupervised and semi supervised machine learning models and neural networks such as LSTM/HTM in stream data anomaly detection, we try to find an algorithm that can detect stream data information in real time and provide anomaly alarm in time.