Rare Yet Popular: Evidence and Implications from Labeled Datasets for Network Anomaly Detection

TL;DR

This paper systematically analyzes the quality of ground truth datasets for network anomaly detection, revealing that some anomalies are more common than others and that clustering can significantly reduce labeling effort.

Contribution

It provides the first quantitative analysis of ground truth quality in network anomaly detection datasets, highlighting the spatial properties and anomaly popularity.

Findings

Anomalies vary significantly in popularity within datasets.

Clustering reduces labeling effort by 2x-10x.

First quantitative analysis of ground truth in real-world network data.

Abstract

Anomaly detection research works generally propose algorithms or end-to-end systems that are designed to automatically discover outliers in a dataset or a stream. While literature abounds concerning algorithms or the definition of metrics for better evaluation, the quality of the ground truth against which they are evaluated is seldom questioned. In this paper, we present a systematic analysis of available public (and additionally our private) ground truth for anomaly detection in the context of network environments, where data is intrinsically temporal, multivariate and, in particular, exhibits spatial properties, which, to the best of our knowledge, we are the first to explore. Our analysis reveals that, while anomalies are, by definition, temporally rare events, their spatial characterization clearly shows some type of anomalies are significantly more popular than others. We find that simple clustering can reduce the need for human labeling by a factor of 2x-10x, that we are first to quantitatively analyze in the wild.