Real-Time Anomaly Detection in Edge Streams

Given a stream of graph edges from dynamic graph, how can we assign anomaly scores to in an online manner, for the purpose detecting unusual behavior, using constant time and memory? Existing approaches aim detect individually surprising edges. In this work, propose Midas , which focuses on microcluster anomalies or suddenly arriving groups suspiciously similar edges, such as lockstep including denial service attacks network traffic data. We further -F, solve problem by are incorporated into algorithm’s internal states, creating “poisoning” effect that allow future slip through undetected. -F introduces two modifications: (1) modify scoring function, aiming reduce newly edges; (2) introduce conditional merge step, updates data structures after each tick, but only if score is below threshold value, also effect. Experiments show has significantly higher accuracy than . general, algorithms proposed work have following properties: (a) they detects while providing theoretical guarantees about false positive probability; (b) online, thus processing edge memory, processes orders-of-magnitude faster state-of-the-art approaches; (c) provides up 62% area under receiver operating characteristic curve approaches.