Size-Consistent Statistics for Anomaly Detection in Dynamic Networks
This work addresses the issue of false positives and negatives in network anomaly detection for applications like security and monitoring, but it appears incremental as it builds on existing hypothesis testing frameworks.
The dissertation tackles the problem of anomaly detection in dynamic networks by addressing confounding factors like node and edge counts that cause errors, and provides solutions including size-consistent statistics and randomization testing to improve accuracy.
An important task in network analysis is the detection of anomalous events in a network time series. These events could merely be times of interest in the network timeline or they could be examples of malicious activity or network malfunction. Hypothesis testing using network statistics to summarize the behavior of the network provides a robust framework for the anomaly detection decision process. Unfortunately, choosing network statistics that are dependent on confounding factors like the total number of nodes or edges can lead to incorrect conclusions (e.g., false positives and false negatives). In this dissertation we describe the challenges that face anomaly detection in dynamic network streams regarding confounding factors. We also provide two solutions to avoiding error due to confounding factors: the first is a randomization testing method that controls for confounding factors, and the second is a set of size-consistent network statistics which avoid confounding due to the most common factors, edge count and node count.