MStream: Fast Streaming Multi-Aspect Group Anomaly Detection

  • 2020-09-17 17:59:16
  • Siddharth Bhatia, Arjit Jain, Pan Li, Ritesh Kumar, Bryan Hooi
  • 23

Abstract

Given a stream of entries in a multi-aspect data setting i.e., entries having multiple dimensions, how can we detect anomalous activities? For example, in the intrusion detection setting, existing work seeks to detect anomalous events or edges in dynamic graph streams, but this does not allow us to take into account additional attributes of each entry. Our work aims to define a streaming multi-aspect data anomaly detection framework, termed MStream, which can detect unusual group anomalies as they occur, in a dynamic manner. MStream has the following properties: (a) it detects anomalies in multi-aspect data including both categorical and numeric attributes; (b) it is online, thus processing each record in constant time and constant memory; (c) it can capture the correlation between multiple aspects of the data. MStream is evaluated over the KDDCUP99, CICIDS-DoS, UNSW-NB 15 and CICIDS-DDoS datasets, and outperforms state-of-the-art baselines.

 
