Sketch-Based Anomaly Detection in Streaming Graphs
About
Given a stream of graph edges from a dynamic graph, how can we assign anomaly scores to edges and subgraphs in an online manner, for the purpose of detecting unusual behavior, using constant time and memory? For example, in intrusion detection, existing work seeks to detect either anomalous edges or anomalous subgraphs, but not both. In this paper, we first extend the count-min sketch data structure to a higher-order sketch. This higher-order sketch has the useful property of preserving the dense subgraph structure (dense subgraphs in the input turn into dense submatrices in the data structure). We then propose 4 online algorithms that utilize this enhanced data structure, which (a) detect both edge and graph anomalies; (b) process each edge and graph in constant memory and constant update time per newly arriving edge, and; (c) outperform state-of-the-art baselines on 4 real-world datasets. Our method is the first streaming approach that incorporates dense subgraph search to detect graph anomalies in constant memory and time.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Anomaly Detection | UNSW | Running Time (s)0.32 | 17 | |
| Anomaly Recognition | CTU-13 Scenario 1 | Running Time (s)2.29 | 8 | |
| Anomaly Recognition | CTU-13 Scenario 10 | Running time (s)0.71 | 8 | |
| Anomaly Recognition | CTU-13 Scenario 13 | Running Time (s)0.93 | 8 | |
| Anomaly Detection | CTU-13 Scenario 10 (test) | F1-Score0.331 | 8 | |
| Anomaly Recognition | DARPA | Running Time (s)0.33 | 8 | |
| Anomaly Recognition | ISCX 2012 | Running Time (s)0.22 | 8 | |
| Anomaly Detection | CIC-IDS 2017 (test) | F1-Score73.4 | 8 | |
| Anomaly Recognition | CIC-IDS 2017 | Inference Time (s)0.64 | 8 | |
| Anomaly Detection | DARPA (test) | F1 Score80.9 | 8 |