Robust Anomaly Detection in Dynamic Networks
Jing Wang, Ioannis Ch. Paschalidis

TL;DR
This paper introduces two robust anomaly detection methods for dynamic networks with time-varying normal traffic. Built on a hypothesis testing framework and large deviations techniques, they outperform counterparts that assume normal traffic is stationary.
Contribution
The paper develops model-free and model-based robust anomaly detection methods that adapt to changing network traffic patterns, improving detection accuracy in dynamic environments.
Findings
Robust methods outperform vanilla approaches in dynamic network scenarios.
Simulation results demonstrate improved detection performance.
Methods effectively handle non-stationary traffic patterns.
Abstract
We propose two robust methods for anomaly detection in dynamic networks in which the properties of normal traffic are time-varying. We formulate the robust anomaly detection problem as a binary composite hypothesis testing problem and propose two methods: a model-free and a model-based one, leveraging techniques from the theory of large deviations. Both methods require a family of Probability Laws (PLs) that represent normal properties of traffic. We devise a two-step procedure to estimate this family of PLs. We compare the performance of our robust methods and their vanilla counterparts, which assume that normal traffic is stationary, on a network with a diurnal normal pattern and a common anomaly related to data exfiltration. Simulation results show that our robust methods perform better than their vanilla counterparts in dynamic networks.
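The difference between a single stationary reference and a family of PLs can be seen in a small model-free sketch. This is an added example, not the authors' code: it assumes a relative-entropy (Hoeffding-style) test statistic, and the flow-size bins, the two PLs, the windows and the threshold are all constructed for illustration.

```python
import math

# Constructed reference Probability Laws (PLs) over four flow-size bins:
# [small, medium, large, very large]. All values are illustrative assumptions.
PL_DAY = [0.20, 0.40, 0.30, 0.10]
PL_NIGHT = [0.60, 0.30, 0.08, 0.02]
FAMILY = [PL_DAY, PL_NIGHT]  # robust detector: a family of PLs
# Vanilla detector: one PL, as if normal traffic were stationary.
PL_STATIONARY = [(d + n) / 2 for d, n in zip(PL_DAY, PL_NIGHT)]

def empirical(counts):
    """Empirical measure of a window given per-bin flow counts."""
    total = sum(counts)
    return [c / total for c in counts]

def kl(p, q):
    """Relative entropy D(p || q) in nats; q is assumed strictly positive."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0)

def vanilla_score(counts):
    """Distance of the window from the single stationary PL."""
    return kl(empirical(counts), PL_STATIONARY)

def robust_score(counts):
    """Distance of the window from the closest PL in the family."""
    emp = empirical(counts)
    return min(kl(emp, pl) for pl in FAMILY)

def alarms(score_fn, windows, threshold):
    """Map window name -> True if the score exceeds the threshold."""
    return {name: score_fn(c) > threshold for name, c in windows.items()}

# Constructed windows of 100 flows each (counts per bin).
WINDOWS = {
    "normal_day": [20, 40, 30, 10],
    "normal_night": [60, 30, 8, 2],
    "night_exfiltration": [45, 25, 8, 22],  # excess of very large flows
}
THRESHOLD = 0.05  # assumed detection threshold, in nats

if __name__ == "__main__":
    for name, counts in WINDOWS.items():
        print(f"{name:20s} vanilla={vanilla_score(counts):.3f} "
              f"robust={robust_score(counts):.3f}")
    print("vanilla alarms:", alarms(vanilla_score, WINDOWS, THRESHOLD))
    print("robust alarms: ", alarms(robust_score, WINDOWS, THRESHOLD))
```

At this threshold the single-PL detector raises an alarm on both normal windows, while the family-based detector alarms only on the exfiltration window.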
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Software System Performance and Reliability
