Size-Consistent Statistics for Anomaly Detection in Dynamic Networks

TL;DR

This paper introduces size-consistent network statistics and a randomization testing method to improve anomaly detection in dynamic networks by controlling for confounding factors like node and edge counts.

Contribution

It proposes novel size-consistent statistics and a testing framework that effectively mitigate confounding effects in network anomaly detection.

Findings

Size-consistent statistics reduce false positives and negatives.

The randomization testing method effectively controls for confounding factors.

The approaches improve robustness of anomaly detection in dynamic networks.

Abstract

An important task in network analysis is the detection of anomalous events in a network time series. These events could merely be times of interest in the network timeline or they could be examples of malicious activity or network malfunction. Hypothesis testing using network statistics to summarize the behavior of the network provides a robust framework for the anomaly detection decision process. Unfortunately, choosing network statistics that are dependent on confounding factors like the total number of nodes or edges can lead to incorrect conclusions (e.g., false positives and false negatives). In this dissertation we describe the challenges that face anomaly detection in dynamic network streams regarding confounding factors. We also provide two solutions to avoiding error due to confounding factors: the first is a randomization testing method that controls for confounding factors, and the second is a set of size-consistent network statistics which avoid confounding due to the most common factors, edge count and node count.