MSTREAM: Fast Anomaly Detection in Multi-Aspect Streams

TL;DR

MSTREAM is an online framework for detecting anomalies in multi-aspect data streams, capable of handling categorical and numeric attributes, capturing correlations, and outperforming existing methods on multiple datasets.

Contribution

It introduces MSTREAM, a novel unsupervised, real-time anomaly detection method for multi-aspect data streams that considers attribute correlations and operates efficiently.

Findings

MSTREAM outperforms state-of-the-art baselines on multiple datasets.

It detects anomalies in constant time and memory.

It effectively captures correlations among multiple data aspects.

Abstract

Given a stream of entries in a multi-aspect data setting i.e., entries having multiple dimensions, how can we detect anomalous activities in an unsupervised manner? For example, in the intrusion detection setting, existing work seeks to detect anomalous events or edges in dynamic graph streams, but this does not allow us to take into account additional attributes of each entry. Our work aims to define a streaming multi-aspect data anomaly detection framework, termed MSTREAM which can detect unusual group anomalies as they occur, in a dynamic manner. MSTREAM has the following properties: (a) it detects anomalies in multi-aspect data including both categorical and numeric attributes; (b) it is online, thus processing each record in constant time and constant memory; (c) it can capture the correlation between multiple aspects of the data. MSTREAM is evaluated over the KDDCUP99, CICIDS-DoS, UNSW-NB 15 and CICIDS-DDoS datasets, and outperforms state-of-the-art baselines.