MSTREAM: Fast Anomaly Detection in Multi-Aspect Streams
This addresses the need for efficient anomaly detection in streaming data with multiple attributes, such as in intrusion detection, though it appears incremental by extending existing work to handle additional aspects.
The paper tackles the problem of detecting anomalous activities in multi-aspect data streams, where entries have multiple dimensions, by proposing MSTREAM, an unsupervised online framework that processes each record in constant time and memory. It outperforms state-of-the-art baselines on datasets like KDDCUP99, CICIDS-DoS, UNSW-NB 15, and CICIDS-DDoS.
Given a stream of entries in a multi-aspect data setting i.e., entries having multiple dimensions, how can we detect anomalous activities in an unsupervised manner? For example, in the intrusion detection setting, existing work seeks to detect anomalous events or edges in dynamic graph streams, but this does not allow us to take into account additional attributes of each entry. Our work aims to define a streaming multi-aspect data anomaly detection framework, termed MSTREAM which can detect unusual group anomalies as they occur, in a dynamic manner. MSTREAM has the following properties: (a) it detects anomalies in multi-aspect data including both categorical and numeric attributes; (b) it is online, thus processing each record in constant time and constant memory; (c) it can capture the correlation between multiple aspects of the data. MSTREAM is evaluated over the KDDCUP99, CICIDS-DoS, UNSW-NB 15 and CICIDS-DDoS datasets, and outperforms state-of-the-art baselines.