LG | ML | May 17, 2019

Online Multivariate Anomaly Detection and Localization for High-dimensional Settings

arXiv:1905.07107v2 | 16 citations
Originality: Incremental advance
AI Analysis

This addresses the problem of timely anomaly detection for high-dimensional systems, such as in cybersecurity, but is incremental as it builds on existing nonparametric and semi-supervised approaches.

The paper tackles real-time anomaly detection in high-dimensional systems by proposing a sequential multivariate method that scales well and can detect challenging anomalies like correlation changes and stealth cyberattacks, with performance demonstrated on a real IoT-botnet dataset and simulations.

This paper considers the real-time detection of anomalies in high-dimensional systems. The goal is to detect anomalies quickly and accurately so that the appropriate countermeasures could be taken in time, before the system possibly gets harmed. We propose a sequential and multivariate anomaly detection method that scales well to high-dimensional datasets. The proposed method follows a nonparametric, i.e., data-driven, and semi-supervised approach, i.e., trains only on nominal data. Thus, it is applicable to a wide range of applications and data types. Thanks to its multivariate nature, it can quickly and accurately detect challenging anomalies, such as changes in the correlation structure and stealth low-rate cyberattacks. Its asymptotic optimality and computational complexity are comprehensively analyzed. In conjunction with the detection method, an effective technique for localizing the anomalous data dimensions is also proposed. We further extend the proposed detection and localization methods to a supervised setup where an additional anomaly dataset is available, and combine the proposed semi-supervised and supervised algorithms to obtain an online learning algorithm under the semi-supervised framework. The practical use of the proposed algorithms is demonstrated in DDoS attack mitigation, and their performances are evaluated using a real IoT-botnet dataset and simulations.
