Leting Wu,Xintao Wu,Aidong Lu,Zhi-Hua Zhou

DOI: https://doi.org/10.1007/s10844-013-0246-7

2013-01-01

Journal of Intelligent Information Systems

Abstract:In this paper we investigate the problem of detecting small and subtle subgraphs embedded into a large graph with a common structure. We call the embedded small and subtle subgraphs as signals or anomalies and the large graph as background. Those small and subtle signals, which are structurally dissimilar to the background, are often hidden within graph communities and cannot be revealed in the graph’s global structure. We explore the minor eigenvectors of the graph’s adjacency matrix to detect subtle anomalies from a background graph. We demonstrate that when there are such subtle anomalies, there exist some minor eigenvectors with extreme values on some entries corresponding to the anomalies. Under the assumption of the Erdos–Renyi random graph model, we derive the formula that show how eigenvector entries are changed and give detectability conditions. We then extend our theoretical study to the general case where multiple anomalies are embedded in a background graph with community structure. We develop an algorithm that uses the eigenvector kurtosis to filter out the eigenvectors that capture the signals. Our theoretical analysis and empirical evaluations on both synthetic data and real social networks show effectiveness of our approach to detecting subtle signals.

Dong Chen,Xiang Zhao,Weidong Xiao

DOI: https://doi.org/10.1109/icde60146.2024.00246

2024-01-01

Abstract:Dynamic graphs are ubiquitous in our lives, yet they are also susceptible to the risks imposed by malicious activities. However, identifying anomalies in these dynamic graphs presents a challenging task due to the complex graph structures. Existing methods for dynamic anomaly detection primarily focus on learning representations for each timestamp and using sequence modeling techniques to capture and model the temporal information. Despite extensive research, dynamic anomaly detection still faces two key challenges. First, existing methods are limited in effectively using fine-grained temporal information. Second, they have limited generalization capabilities under unsupervised settings. Overcoming these challenges is crucial for advances in dynamic anomaly detection. In this paper, we propose a novel unsupervised anomaly detection method for dynamic graphs. Our approach leverages complex temporal information through fine-grained sampling and embedding modules. Additionally, we introduce an attention alignment strategy to minimize discrepancies in contextual attention between source and target nodes. Through a comprehensive evaluation, we demonstrate that our strategy effectively mitigates overfitting and improves generalization. Experiments on ten dynamic graph datasets validate the effectiveness of our proposed method in detecting anomalies.

HAN Tao,LAN Yuqing,XIAO Limin,LIU Yanfang

DOI: https://doi.org/10.13700/j.bh.1001-5965.2017.0019

2018-01-01

Abstract:Financial fraud behavior, network intrusion and suspicious social actions can be detected by structural anomaly detection in graphs.The existing anomaly detection algorithms require high computational complexity and cannot process large-scale dynamic graphs.So an incremental and parallel algorithm is pro-posed to discover and detect abnormal patterns in dynamic graphs effectively and efficiently.The whole graph was partitioned into subgraphs by time sliding windows.N subgraphs in time sliding windows were processed in parallel by minimum description length (MDL) principle to discover both normal and abnormal patterns.Struc-tural outliers can be detected gradually in parallel based on normal patterns.The results of experiments conduc-ted in multiple large-scale graphs show that the precision rate for detecting the abnormal patterns of dynamic graph reaches 96％, recall rate reaches 85％, and running time reduces by an order of magnitude.The impact of the size of sliding windows and the number of parallel on running time of the algorithm is also discussed.

Hao Yan,Qianzhen Zhang,Deming Mao,Ziyue Lu,Deke Guo,Sheng Chen

DOI: https://doi.org/10.1109/icccn52240.2021.9522263

2021-01-01

Abstract:We consider cyber security as one of the most significant technical challenges in current times. One of the main tasks is to detect anomalous patterns in the network streams as soon as they appear. In order to solve the above problem, previous propositions use statistical or machine learning-based methods to detect anomalous patterns in the network streams. However, these solutions incur significant low efficiency and precision due to the frequent recomputation of the results from scratch and unreasonable assumptions. In graph theory, dense subgraphs can be used to model the anomalous patterns if we abstract the network streams as a dynamic graph. This motivates us to explore dense subgraph discovery under the scenario where the network is updating. In this paper, we propose a graph-based framework, referred to as SAD, towards continuous dense subgraph discovery over network streams. In specific, we design an auxiliary data structure that is a concise representation of intermediate results, and its execution model allows a fast incremental maintenance strategy. In this way, we can detect anomalous patterns in the network streams in near real-time. Experiments demonstrate that SAD can not only get a higher accuracy of 90.2% but also faster than $11.4\times$ times compared to the state-of-the-art anomaly detection algorithms.

Hadiseh Safdari,Caterina De Bacco

2024-04-16

Abstract:Anomaly detection is an essential task in the analysis of dynamic networks, as it can provide early warning of potential threats or abnormal behavior. We present a principled approach to detect anomalies in dynamic networks that integrates community structure as a foundational model for regular behavior. Our model identifies anomalies as irregular edges while capturing structural changes. Leveraging a Markovian approach for temporal transitions and incorporating structural information via latent variables for communities and anomaly detection, our model infers these hidden parameters to pinpoint abnormal interactions within the network. Our approach is evaluated on both synthetic and real-world datasets. Real-world network analysis shows strong anomaly detection across diverse scenarios. In a more specific study of transfers of professional male football players, we observe various types of unexpected patterns and investigate how the country and wealth of clubs influence interactions. Additionally, we identify anomalies between clubs with incompatible community memberships, but also instances of anomalous transactions between clubs with similar memberships. The latter is due in particular to the dynamic nature of the transactions, as we find that the frequency of transfers results in anomalous behaviors that are otherwise expected to interact as they belong to similar communities.

Social and Information Networks

DunHuang Shi,Tao Zhang,Lei Sun

DOI: https://doi.org/10.1145/3674700.3674705

2024-01-01

Abstract:The widespread adoption of information technology has led to the proliferation of data applications, underscoring the importance of identifying potential anomalies within datasets. However, developing anomaly detection models for intricate data presents a formidable challenge. Issues such as the scarcity and inferior quality of anomaly data hinder the effectiveness of supervised models, necessitating the exploration of unsupervised detection methods. This manuscript proposes an unsupervised learning-based multivariate anomaly detection method for dynamic attention graphs (ADDAG), which combines the characteristics of graph convolutional neural networks that fuse the relationships between data while updating their own nodes to reconstruct the data and extract the anomalous data. Compared with the traditional static attention graph, the use of dynamic attention graph enhances the ability to express the features of complex associated time-series variables. In the experimental part, the performance of the proposed method in this paper outperforms conventional anomaly detection algorithms when tested on multiple datasets.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Chi Zhang,Wenkai Xiang,Xingzhi Guo,Baojian Zhou,Deqing Yang

2023-12-17

Abstract:Given a dynamic graph, the efficient tracking of anomalous subgraphs via their node embeddings poses a significant challenge. Addressing this issue necessitates an effective scoring mechanism and an innovative anomalous subgraph strategy. Existing methods predominantly focus on designing scoring strategies or employing graph structures that consider nodes in isolation, resulting in ineffective capture of the anomalous subgraph structure information. In this paper, we introduce SUBANOM, a novel framework for subgraph anomaly detection that is adept at identifying anomalous subgraphs. SUBANOM has three key components: 1) We implement current state-of-the-art dynamic embedding methods to efficiently calculate node embeddings, thereby capturing all node-level anomalies successfully; 2) We devise novel subgraph identification strategies, which include k-hop and triadic-closure. These strategies form the crucial component that can proficiently differentiate between strong and weak neighbors, thus effectively capturing the anomaly structure information; 3) For qualifying the anomaly subgraphs, we propose using Lp-norm-based score aggregation functions. These iterative steps enable us to process large-scale dynamic graphs effectively. Experiments conducted on a real-world dynamic graph underscore the efficacy of our framework in detecting anomalous subgraphs, outperforming state-of-the-art methods. Experimental results further signify that our framework is a potent tool for identifying anomalous subgraphs in real-world scenarios. For instance, the F1 score under the optimal subgraph identification strategy, can peak at 0.6679, while the highest achievable score using the corresponding baseline method is 0.5677.

Social and Information Networks

Qing Cheng,Yun Zhou,Yanghe Feng,Zhong Liu

DOI: https://doi.org/10.1007/s00500-019-04547-6

IF: 3.732

2019-01-01

Soft Computing

Abstract:Large-scale and dynamic networks arise in cyberspace and financial security. Given a dynamic network, it is crucial to detect structural anomalies, such as node behaviors deviate from underlying majority of the network. However, anomaly analysis for dynamic networks is difficult to precisely detect the anomalous behaviors of nodes because it usually ignores the evolutionary behaviors of different nodes. Our work taps into this gap and proposes an unsupervised ensemble framework for node temporal behavior modeling and node behavior real-time anomaly detection. Specifically, a latent space model is used to model the node behavior; each node is assigned a probability distribution across a small set of roles based on that node’s features. The evolutionary behavior of node is represented as node roles change over time and the anomalies of node are identified as deviations from expected roles. The entropy-based ensembles method is proposed to combine with multiple unsupervised anomaly detectors to yield robust performances, which achieves the real-time anomaly detection for different types of node behaviors. Finally, we show the effectiveness of the proposed method on Enron network in the experiments.

Tong Sun,Yan Liu,Jing Chen

DOI: https://doi.org/10.1109/compcomm.2017.8322580

2017-01-01

Abstract:Detecting abnormal behavior during network evolution is an important and challenging data analysis task at present, it is named as dynamic network anomaly detection in this paper. The network abnormal behavior differs from that of normal behavior, the probability of occurrence stays relatively low but may cause serious damages once happened. This paper takes the topological structure of the network as the research object and identifies the network anomaly through the change of network structure. Based on Cox-stuart test, we put forward a new type of method to detect dynamic anomaly. This method refers to an alarm of monitoring the trend change of the network structure parameters. Finally, an experiment was carried out in the real dynamic network-Enron Email Network, which verified that the dynamic network anomaly detection method proposed in this paper can effectively detect the network anomaly behavior.

Guanghua Liu,Jia Zhang,Peng Lv,Chenlong Wang,Huan Wang,Di Wang

DOI: https://doi.org/10.1016/j.ipm.2024.103912

IF: 7.466

2024-10-16

Information Processing & Management

Abstract:The timely detection of anomalous nodes that can cause significant harm is essential in real-world networks. One challenge for anomaly detection in dynamic graphs is the identification of abnormal nodes at newly emerged moments. Unfortunately, existing methods tend to learn nontransferable features from historical moments that do not generalize well to newly emerged moments. In response to this challenge, we propose Time-varying Adversarial Anomaly Detection (TAAD), a generalizable model to learn transferable features from historical moments, which can transfer prior anomaly knowledge to newly emerged moments. It comprises four components: the feature extractor, the anomaly detector, the time-varying discriminator and the score generator. The time-varying discriminator cooperates with the feature extractor to conduct adversarial training, which decreases the distributional differences in the feature representations of nodes between historical and newly emerged moments to learn transferable features. The score generator measures the distributional differences of feature representations between normal and abnormal nodes, and further learns discriminable features. Extensive experiments conducted with four different datasets present that the proposed TAAD outperforms state-of-the-art methods.

computer science, information systems,information science & library science

Ding De Jiang,Cheng Yao,Wei Han Zhang,Zheng

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.1461

2013-01-01

Advanced Materials Research

Abstract:This paper presents a detection algorithm for anomaly network traffic, which is based on spectral kurtosis analysis. Firstly, we turn network traffic into time-frequency signals at different scales. These time-frequency signals hold the more detailed nature corresponding to different scales. Secondly, the time-frequency signals at different scales are transformed into a series of new time signals by time-frequency analysis theory. These new time signals hold obvious narrowband nature and embody the local properties of network traffic. Thirdly, we calculate the spectral kurtosis values of the new time signals and then perform the feature extractions. As a result, the abnormal network traffic can be correctly identified. Simulation results show that our algorithm is feasible and promising.

Minji Yoon,Bryan Hooi,Kijung Shin,Christos Faloutsos

DOI: https://doi.org/10.48550/arXiv.2011.13085

2020-11-26

Abstract:Given a dynamic graph stream, how can we detect the sudden appearance of anomalous patterns, such as link spam, follower boosting, or denial of service attacks? Additionally, can we categorize the types of anomalies that occur in practice, and theoretically analyze the anomalous signs arising from each type? In this work, we propose AnomRank, an online algorithm for anomaly detection in dynamic graphs. AnomRank uses a two-pronged approach defining two novel metrics for anomalousness. Each metric tracks the derivatives of its own version of a 'node score' (or node importance) function. This allows us to detect sudden changes in the importance of any node. We show theoretically and experimentally that the two-pronged approach successfully detects two common types of anomalies: sudden weight changes along an edge, and sudden structural changes to the graph. AnomRank is (a) Fast and Accurate: up to 49.5x faster or 35% more accurate than state-of-the-art methods, (b) Scalable: linear in the number of edges in the input graph, processing millions of edges within 2 seconds on a stock laptop/desktop, and (c) Theoretically Sound: providing theoretical guarantees of the two-pronged approach.

Social and Information Networks,Artificial Intelligence

Xiao Yang,Xuejiao Zhao,Zhiqi Shen

2024-12-21

Abstract:Anomaly detection aims to identify deviations from normal patterns within data. This task is particularly crucial in dynamic graphs, which are common in applications like social networks and cybersecurity, due to their evolving structures and complex relationships. Although recent deep learning-based methods have shown promising results in anomaly detection on dynamic graphs, they often lack of generalizability. In this study, we propose GeneralDyG, a method that samples temporal ego-graphs and sequentially extracts structural and temporal features to address the three key challenges in achieving generalizability: Data Diversity, Dynamic Feature Capture, and Computational Cost. Extensive experimental results demonstrate that our proposed GeneralDyG significantly outperforms state-of-the-art methods on four real-world datasets.

Machine Learning,Artificial Intelligence

Tim Poštuvan,Claas Grohnfeldt,Michele Russo,Giulio Lovisotto

2024-09-28

Abstract:Anomaly detection in continuous-time dynamic graphs is an emerging field yet under-explored in the context of learning algorithms. In this paper, we pioneer structured analyses of link-level anomalies and graph representation learning for identifying categorically anomalous graph links. First, we introduce a fine-grained taxonomy for edge-level anomalies leveraging structural, temporal, and contextual graph properties. Based on these properties, we introduce a method for generating and injecting typed anomalies into graphs. Next, we introduce a novel method to generate continuous-time dynamic graphs featuring consistencies across either or combinations of time, structure, and context. To enable temporal graph learning methods to detect specific types of anomalous links rather than the bare existence of a link, we extend the generic link prediction setting by: (1) conditioning link existence on contextual edge attributes; and (2) refining the training regime to accommodate diverse perturbations in the negative edge sampler. Comprehensive benchmarks on synthetic and real-world datasets -- featuring synthetic and labeled organic anomalies and employing six state-of-the-art link prediction methods -- validate our taxonomy and generation processes for anomalies and benign graphs, as well as our approach to adapting methods for anomaly detection. Our results reveal that different learning methods excel in capturing different aspects of graph normality and detecting different types of anomalies. We conclude with a comprehensive list of findings highlighting opportunities for future research.

Machine Learning,Artificial Intelligence,Cryptography and Security

Bo Wang,Yanping Zhao,Fengye Hu,Ying-Chang Liang

DOI: https://doi.org/10.1109/tsp.2018.2866847

IF: 4.875

2018-01-01

IEEE Transactions on Signal Processing

Abstract:We study network anomaly detection problem with subgraph search and vertex classification techniques in Chung-Lu networks, where small anomalous networks are embedded in background networks. The general detectors traditionally utilize the spectral characteristics of whole networks to decide whether the anomalous networks exist or not. Moreover, many algorithms model the background networks with special random graphs, such as Erdős–Rényi random graphs. However, these methods may not achieve good detection performance because the spectral information of anomalous networks extracting from the relational data of the whole networks is subtle. Furthermore, the assumptions of the models limit the applications of the methods. In order to improve the detection capability of algorithms and relax the restriction of the background networks models, we develop two preprocessing approaches, referred to as subgraph search and vertex classification, and propose two detection algorithms, which can be applicable to the generalized network model (Chung-Lu random graph). By leveraging statistic features of priori data, the subgraph search method can obtain local network nodes that are more anomalous than the remainder. Moreover, the vertex classification is used to further distinguish the anomalous nodes from the local ones. And then, by using the relational data corresponding to the local nodes, the detection statistics are constructed to detect the anomalous network. Additionally, based on concentration of measure theory, the probability bounds of performance analysis are derived for the presented algorithms. Simulation examples are provided to illustrate that the proposed detectors can achieve better detection performance than the existing algorithms.

Guanghan Duan,Hongwu Lv,Huiqiang Wang,Guangsheng Feng,Xiaoli Li

DOI: https://doi.org/10.1109/tifs.2024.3385321

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:Deep learning (DL) greatly enhances cyber anomaly detection capabilities through effective statistical network characteristic. However, previous methods have not fully addressed two real-world scenario-driven challenges. 1) Frequent node access and disconnection sourced from free-bounded 5G/B5G cyberspace introduce unfamiliar communication behavior patterns, reducing the detection ability of the pre-trained DL model. 2) Low-frequency or sporadic communication behaviors lack stable patterns, posing a challenge for existing AI-driven models, including DL-based detection methods. To address these issues, we propose a cyber anomaly detection framework based on Continuous Temporal Graph (CTG) neural network from a new interaction-centered perspective. The proposed framework refines the concrete information interaction between network entities into the CTG evolution process, thereby naturally incorporating new node access behaviors into feature extraction on CTG neural network. We furthermore present a message aggregation scheme on CTG with fusion of spatio-temporal neighborhood, the actual time distribution and the historical state, thus transforming communication into a more stable pattern for the learning of low-frequency interactions. Extensive experiments on 4 novel datasets, including ToN-IoT, UNSWNB15, CIC-Dark2020, J.P. Morgan payment, demonstrate that our approach outperforms state-of-the-art methods, particularly in detecting new access and low-frequency behaviors.

computer science, theory & methods,engineering, electrical & electronic

Katrina Chen,Mingbin Feng,Tony S. Wirjanto

DOI: https://doi.org/10.48550/arXiv.2302.02051

IF: 5.414

2023-02-04

Machine Learning

Abstract:Anomalies in univariate time series often refer to abnormal values and deviations from the temporal patterns from majority of historical observations. In multivariate time series, anomalies also refer to abnormal changes in the inter-series relationship, such as correlation, over time. Existing studies have been able to model such inter-series relationships through graph neural networks. However, most works settle on learning a static graph globally or within a context window to assist a time series forecasting task or a reconstruction task, whose objective is not tailored to explicitly detect the abnormal relationship. Some other works detect anomalies based on reconstructing or forecasting a list of inter-series graphs, which inadvertently weakens their power to capture temporal patterns within the data due to the discrete nature of graphs. In this study, we propose DyGraphAD, a multivariate time series anomaly detection framework based upon a list of dynamic inter-series graphs. The core idea is to detect anomalies based on the deviation of inter-series relationships and intra-series temporal patterns from normal to anomalous states, by leveraging the evolving nature of the graphs in order to assist a graph forecasting task and a time series forecasting task simultaneously. Our numerical experiments on real-world datasets demonstrate that DyGraphAD has superior performance than baseline anomaly detection approaches.

Minglai Shao,Jianxin Li,Feng Chen,Hongyi Huang,Shuai Zhang,Xunxun Chen

DOI: https://doi.org/10.1145/3038912.3052588

2017-01-01

Abstract:Anomalous subgraph detection has been successfully applied to event detection in social media. However, the subgraph detection problembecomes challenging when the social media network incorporates abundant attributes, which leads to a multivariate network. The multivariate characteristic makes most existing methods incapable to tackle this problem effectively and efficiently, as it involves joint feature selection and subgraph detection that has not been well addressed in the current literature, especially, in the dynamic multivariate networks in which attributes evolve over time. This paper presents a generic framework, namely dynamic multivariate evolving anomalous subgraphs scanning (DMGraphScan), to addressthis problem in dynamic multivariate social media networks. We generalize traditional nonparametric statistics, and propose a new class of scan statistic functions for measuring the joint significance of evolving subgraphs and subsets of attributes to indicate the ongoing or forthcoming event in dynamic multivariate networks. We reformulate each scan statistic function as a sequence of subproblems with provable guarantees, and then propose an efficient approximation algorithm for tackling each subproblem. This algorithm resorts to the Lagrangian relaxation and a dynamic programming based on tree-shaped priors. As a case study, we conduct extensive experiments to demonstrate the performance of our proposed approach on two real-world applications (flu outbreak detection, haze detection) in different domains.

Shiqi Lou,Qingyue Zhang,Shujie Yang,Yuyang Tian,Zhaoxuan Tan,Minnan Luo

DOI: https://doi.org/10.48550/arxiv.2310.16376

2023-01-01

Abstract:Anomaly detection on dynamic graphs refers to detecting entities whose behaviors obviously deviate from the norms observed within graphs and their temporal information. This field has drawn increasing attention due to its application in finance, network security, social networks, and more. However, existing methods face two challenges: dynamic structure constructing challenge - difficulties in capturing graph structure with complex time information and negative sampling challenge - unable to construct excellent negative samples for unsupervised learning. To address these challenges, we propose Unsupervised Generative Anomaly Detection on Dynamic Graphs (GADY). To tackle the first challenge, we propose a continuous dynamic graph model to capture the fine-grained information, which breaks the limit of existing discrete methods. Specifically, we employ a message-passing framework combined with positional features to get edge embeddings, which are decoded to identify anomalies. For the second challenge, we pioneer the use of Generative Adversarial Networks to generate negative interactions. Moreover, we design a loss function to alter the training goal of the generator while ensuring the diversity and quality of generated samples. Extensive experiments demonstrate that our proposed GADY significantly outperforms the previous state-of-the-art method on three real-world datasets. Supplementary experiments further validate the effectiveness of our model design and the necessity of each module.