Fast Memory-efficient Anomaly Detection in Streaming Heterogeneous Graphs
Emaad A. Manzoor, Sadegh Momeni, Venkat N. Venkatakrishnan, Leman Akoglu

TL;DR
StreamSpot is a real-time, memory-efficient clustering method for anomaly detection in streaming heterogeneous graphs, effective in security applications like APT detection, with high accuracy and speed.
Contribution
It introduces a novel similarity function and sketching technique for heterogeneous graphs, enabling fast, online, and memory-bounded anomaly detection in streaming data.
Findings
Achieves over 95% detection accuracy
Processes over 100K edges per second
Requires constant memory for sketches
Abstract
Given a stream of heterogeneous graphs containing different types of nodes and edges, how can we spot anomalous ones in real-time while consuming bounded memory? This problem is motivated by and generalizes from its application in security to host-level advanced persistent threat (APT) detection. We propose StreamSpot, a clustering based anomaly detection approach that addresses challenges in two key fronts: (1) heterogeneity, and (2) streaming nature. We introduce a new similarity function for heterogeneous graphs that compares two graphs based on their relative frequency of local substructures, represented as short strings. This function lends itself to a vector representation of a graph, which is (a) fast to compute, and (b) amenable to a sketched version with bounded size that preserves similarity. StreamSpot exhibits desirable properties that a streaming application requires---it…
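Added example (not code from the paper or the StreamSpot project): the idea in the abstract, comparing graphs by the relative frequency of short strings that describe local substructures, then compressing each frequency vector into a fixed number of bits that approximately preserves the similarity. The one-hop string format, the sign-random-projection sketch, the function names and the sample graphs are assumptions made for illustration; the page does not specify them.

```python
import math
import random
from collections import Counter

# Constructed sample graphs. Edge = (src, src_type, edge_type, dst, dst_type).
BROWSE_A = [(1, "proc", "read", 2, "file"), (1, "proc", "read", 3, "file"),
            (1, "proc", "send", 4, "sock"), (1, "proc", "fork", 5, "proc"),
            (5, "proc", "read", 2, "file"), (5, "proc", "send", 4, "sock")]
BROWSE_B = BROWSE_A + [(5, "proc", "fork", 6, "proc"),
                       (6, "proc", "read", 3, "file"), (6, "proc", "send", 4, "sock")]
ODD = [(1, "proc", "mmap", 7, "mem"), (1, "proc", "write", 8, "pipe"),
       (1, "proc", "fork", 9, "proc"), (9, "proc", "mmap", 7, "mem")]

def shingles(edges):
    """One short string per node: its type, then its sorted typed out-edges."""
    out, types = {}, {}
    for src, s_type, e_type, dst, d_type in edges:
        types[src], types[dst] = s_type, d_type
        out.setdefault(src, []).append(e_type + ":" + d_type)
    return Counter(types[n] + "|" + ",".join(sorted(out.get(n, []))) for n in types)

def cosine(a, b):
    """Cosine similarity of two shingle-count vectors (scale-invariant)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def weight(shingle, bit):
    """Gaussian projection weight, re-derived from a seed instead of stored."""
    return random.Random(f"{bit}:{shingle}").gauss(0.0, 1.0)

def sketch(counts, bits=256):
    """Fixed-size bit sketch: the sign of each random projection of the counts."""
    return [sum(c * weight(s, i) for s, c in counts.items()) >= 0 for i in range(bits)]

def sketch_similarity(x, y):
    """Estimate cosine similarity from the fraction of matching sketch bits."""
    agree = sum(p == q for p, q in zip(x, y)) / len(x)
    return math.cos(math.pi * (1.0 - agree))

if __name__ == "__main__":
    a, b, odd = shingles(BROWSE_A), shingles(BROWSE_B), shingles(ODD)
    for name, g in (("similar", b), ("unusual", odd)):
        print(name, round(cosine(a, g), 3), round(sketch_similarity(sketch(a), sketch(g)), 3))
```

The sketch length stays at 256 bits however many distinct strings a graph produces, which is what bounds memory per graph; a detector would flag graphs whose sketch similarity to every known-benign cluster is low.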
Taxonomy
Topics: Network Security and Intrusion Detection · Complex Network Analysis Techniques · Anomaly Detection Techniques and Applications
