
IS 2021

Anomalous Event Sequence Detection

Journal Article · Artificial Intelligence · Intelligent Systems

Abstract

Anomaly detection has been widely applied in modern data-driven security applications to detect abnormal events/entities that deviate from the majority. However, less work has been done in terms of detecting suspicious event sequences/paths, which are better discriminators than single events/entities for distinguishing normal and abnormal behaviors in complex systems such as cyber-physical systems. A key and challenging step in this endeavor is how to discover those abnormal event sequences from millions of system event records in an efficient and accurate way. To address this issue, we propose NINA, a network-diffusion-based algorithm for identifying anomalous event sequences. Experimental results on both static and streaming data show that NINA is efficient (processes about 2 million records per minute) and accurate.

Authors

Keywords

  • Convergence
  • Receivers
  • Anomaly detection
  • Surveillance
  • Mathematical model
  • Intelligent systems
  • Complex systems
  • Sequence Of Events
  • Monitoring Data
  • Abnormal Behavior
  • Data Streams
  • Curse Of Dimensionality
  • Search Procedure
  • Cyber-physical Systems
  • Linear Graph
  • Entity Types
  • Fraud Detection
  • System Entities
  • Anomaly Score
  • Enterprise Network
  • Thousands Of Events
  • Detection Accuracy
  • Random Walk
  • Graphical Model
  • Square Matrix
  • Types Of Attacks
  • Candidate Paths
  • Box-Cox Transformation
  • Vector Core
  • Monotonicity Property
  • Valid Path
  • Breadth-first Search
  • Threshold Algorithm
  • Path Search
  • Convergence Condition
  • Rate Of State
  • intrusion detection
  • graph mining
  • sequence discovery

Context

Venue
IEEE Intelligent Systems
Archive span
2001-2026
Indexed papers
2921
Paper id
1042307237979775776