MIDAS: Microcluster-Based Detector of Anomalies in Edge Streams
About
Given a stream of graph edges from a dynamic graph, how can we assign anomaly scores to edges in an online manner, for the purpose of detecting unusual behavior, using constant time and memory? Existing approaches aim to detect individually surprising edges. In this work, we propose MIDAS, which focuses on detecting microcluster anomalies, or suddenly arriving groups of suspiciously similar edges, such as lockstep behavior, including denial of service attacks in network traffic data. MIDAS has the following properties: (a) it detects microcluster anomalies while providing theoretical guarantees about its false positive probability; (b) it is online, thus processing each edge in constant time and constant memory, and also processes the data 162-644 times faster than state-of-the-art approaches; (c) it provides 42%-48% higher accuracy (in terms of AUC) than state-of-the-art approaches.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Anomaly Detection | UNSW | Running Time (s)0.1 | 17 | |
| Anomaly Recognition | DARPA | Running Time (s)0.21 | 8 | |
| Anomaly Recognition | ISCX 2012 | Running Time (s)0.21 | 8 | |
| Anomaly Recognition | CIC-IDS 2017 | Inference Time (s)0.42 | 8 | |
| Anomaly Detection | UNSW-NB15 (test) | F1-Score63.6 | 8 | |
| Anomaly Detection | ISCX 2012 (test) | F1-Score48.5 | 8 | |
| Anomaly Detection | CIC-IDS 2017 (test) | F1-Score79.7 | 8 | |
| Anomaly Recognition | CTU-13 Scenario 1 | Running Time (s)3.69 | 8 | |
| Anomaly Recognition | CTU-13 Scenario 10 | Running time (s)1.24 | 8 | |
| Anomaly Recognition | CTU-13 Scenario 13 | Running Time (s)1.89 | 8 |