MIDAS: Microcluster-Based Detector of Anomalies in Edge Streams

Given a stream of graph edges from a dynamic graph, how can we assign anomaly scores to edges in an online manner, for the purpose of detecting unusual behavior, using constant time and memory? Existing approaches aim to detect individually surprising edges. In this work, we propose MIDAS, which focuses on detecting microcluster anomalies, or suddenly arriving groups of suspiciously similar edges, such as lockstep behavior, including denial of service attacks in network traffic data. MIDAS has the following properties: (a) it detects microcluster anomalies while providing theoretical guarantees about its false positive probability; (b) it is online, thus processing each edge in constant time and constant memory, and also processes the data 108-505 times faster than state-of-the-art approaches; (c) it provides 46 of AUC) than state-of-the-art approaches.


page 1

page 2

page 3

page 4


Real-Time Streaming Anomaly Detection in Dynamic Graphs

Given a stream of graph edges from a dynamic graph, how can we assign an...

Distributed Anomaly Detection in Edge Streams using Frequency based Sketch Datastructures

Often logs hosted in large data centers represent network traffic data o...

Sketch-Based Streaming Anomaly Detection in Dynamic Graphs

Given a stream of graph edges from a dynamic graph, how can we assign an...

F-FADE: Frequency Factorization for Anomaly Detection in Edge Streams

Edge streams are commonly used to capture interactions in dynamic networ...

MStream: Fast Streaming Multi-Aspect Group Anomaly Detection

Given a stream of entries in a multi-aspect data setting i.e., entries h...

Anomalous Edge Detection in Edge Exchangeable Social Network Models

This paper studies detecting anomalous edges in directed graphs that mod...

GraphSAC: Detecting anomalies in large-scale graphs

A graph-based sampling and consensus (GraphSAC) approach is introduced t...

Code Repositories


Anomaly Detection on Dynamic (time-evolving) Graphs in Real-time and Streaming manner. Detecting intrusions (DoS and DDoS attacks), frauds, fake rating anomalies.

view repo


Detecting Microcluster Anomalies in Edge Streams

view repo


Anomaly detection in graphs is a critical problem for finding suspicious behavior in innumerable systems, such as intrusion detection, fake ratings, and financial fraud. This has been a well-researched problem with majority of the proposed approaches [1, 4, 9, 10, 11, 17] focusing on static graphs. However, many real-world graphs are dynamic in nature, and methods based on static connections may miss temporal characteristics of the graphs and anomalies.

Among the methods focusing on dynamic graphs, most of them have edges aggregated into graph snapshots [6, 21, 20, 12, 19, 8]. However, to minimize the effect of malicious activities and start recovery as soon as possible, we need to detect anomalies in real-time or near real-time i.e. to identify whether an incoming edge is anomalous or not, as soon as we receive it. In addition, since the number of vertices can increase as we process the stream of edges, we need an algorithm which uses constant memory in graph size.

Moreover, fraudulent or anomalous events in many applications occur in microclusters or suddenly arriving groups of suspiciously similar edges e.g. denial of service attacks in network traffic data and lockstep behavior. However, existing methods which process edge streams in an online manner, including [7, 14], aim to detect individually surprising edges, not microclusters, and can thus miss large amounts of suspicious activity.

In this work, we propose Midas, which detects microcluster anomalies, or suddenly arriving groups of suspiciously similar edges, in edge streams, using constant time and memory. In addition, by using a principled hypothesis testing framework, Midas provides theoretical bounds on the false positive probability, which these methods do not provide.

Our main contributions are as follows:

  1. Streaming Microcluster Detection: We propose a novel streaming approach for detecting microcluster anomalies, requiring constant time and memory.

  2. Theoretical Guarantees: In Theorem 1, we show guarantees on the false positive probability of Midas.

  3. Effectiveness: Our experimental results show that Midas outperforms baseline approaches by - accuracy (in terms of AUC), and processes the data times faster than baseline approaches.

Reproducibility: Our code and datasets are publicly available at https://github.com/bhatiasiddharth/MIDAS.

Related Work

In this section, we review previous approaches to detect anomalous signs on static and dynamic graphs. See [2] for an extensive survey on graph-based anomaly detection.
Anomaly detection in static graphs

can be classified by which anomalous entities (nodes, edges, subgraph, etc.) are spotted.

  • Anomalous node detection: [1]

    extracts egonet-based features and finds empirical patterns with respect to the features. Then, it identifies nodes whose egonets deviate from the patterns, including the count of triangles, total weight, and principal eigenvalues.

    [10] computes node features, including degree and authoritativeness [11], then spots nodes whose neighbors are notably close in the feature space.

  • Anomalous subgraph detection: [9] and [17] measure the anomalousness of nodes and edges, detecting a dense subgraph consisting of many anomalous nodes and edges.

  • Anomalous edge detection: [4] encodes an input graph based on similar connectivity among nodes, then spots edges whose removal reduces the total encoding cost significantly. [22]

    factorize the adjacency matrix and flag edges with high reconstruction error as outliers.

Anomaly detection in graph streams use as input a series of graph snapshots over time. We categorize them similarly according to the type of anomaly detected:

  • Anomalous node detection: [21] approximates the adjacency matrix of the current snapshot based on incremental matrix factorization, then spots nodes corresponding to rows with high reconstruction error.

  • Anomalous subgraph detection: Given a graph with timestamps on edges, [3] spots near-bipartite cores where each node is connected to others in the same core densly within a short time. [10] detects groups of nodes who form dense subgraphs in a temporally synchronized manner.

  • Anomalous event detection: [6] detects sudden appearance of many unexpected edges, and [23] spots sudden changes in 1st and 2nd derivatives of PageRank.

Anomaly detection in edge streams use as input a stream of edges over time. Categorizing them according to the type of anomaly detected:

  • Anomalous node detection: Given an edge stream, [24] detects nodes whose egonets suddenly and significantly change.

  • Anomalous subgraph detection: Given an edge stream, [18] identifies dense subtensors created within a short time.

  • Anomalous edge detection: [14] focuses on sparsely-connected parts of a graph, while [7] identifies edge anomalies based on edge occurrence, preferential attachment, and mutual neighbors.

Only the 2 methods in the last category are applicable to our task, as they operate on edge streams and output a score per edge. However, as shown in Table 1, neither method aims to detect microclusters, or provides guarantees on false positive probability.

SedanSpot eswaran2018sedanspot

RHSS ranshous2016scalable


Microcluster Detection
Guarantee on False Positive Probability
Constant Memory
Constant Update Time
Table 1: Comparison of relevant edge stream anomaly detection approaches.


Let be a stream of edges from a time-evolving graph . Each arriving edge is a tuple consisting of a source node , a destination node , and a time of occurrence , which is the time at which the edge was added to the graph. For example, in a network traffic stream, an edge could represent a connection made from a source IP address to a destination IP address at time . We do not assume that the set of vertices is known a priori: for example, new IP addresses or user IDs may be created over the course of the stream.

We model as a directed graph. Undirected graphs can simply be handled by treating an incoming undirected as two simultaneous directed edges, one in either direction.

We also allow to be a multigraph: edges can be created multiple times between the same pair of nodes. Edges are allowed to arrive simultaneously: i.e. , since in many applications are given in the form of discrete time ticks.

The desired properties of our algorithm are as follows:

  • Microcluster Detection: It should detect suddenly appearing bursts of activity which share many repeated nodes or edges, which we refer to as microclusters.

  • Guarantees on False Positive Probability: Given any user-specified probability level (e.g. ), the algorithm should be adjustable so as to provide false positive probability of at most (e.g. by adjusting a threshold that depends on ). Moreover, while guarantees on the false positive probability rely on assumptions about the data distribution, we aim to make our assumptions as weak as possible.

  • Constant Memory and Update Time: For scalability in the streaming setting, the algorithm should run in constant memory and constant update time per newly arriving edge. Thus, its memory usage and update time should not grow with the length of the stream, or the number of nodes in the graph.

Proposed Algorithm


Next, we describe our Midas and Midas-R approaches. The following provides an overview:

  1. Streaming Hypothesis Testing Approach: We describe our Midas algorithm, which uses streaming data structures within a hypothesis testing-based framework, allowing us to obtain guarantees on false positive probability.

  2. Detection and Guarantees: We describe our decision procedure for determining whether a point is anomalous, and our guarantees on false positive probability.

  3. Incorporating Relations: We extend our approach to the Midas-R algorithm, which incorporates relationships between edges temporally and spatially111We use ‘spatially’ in a graph sense, i.e. connecting nearby nodes, not to refer to any other continuous spatial dimension..

Midas: Streaming Hypothesis Testing Approach

Figure 1: Time series of a single source-destination pair , with a large burst of activity at time tick .

Consider the example in Figure 1 of a single source-destination pair , which shows a large burst of activity at time . This burst is the simplest example of a microcluster, as it consists of a large group of edges which are very similar to one another (in fact identical), both spatially (i.e. in terms of the nodes they connect) and temporally.

Streaming Data Structures

In an offline setting, there are many time-series methods which could detect such bursts of activity. However, in an online setting, recall that we want memory usage to be bounded, so we cannot keep track of even a single such time series. Moreover, there are many such source-destination pairs, and the set of sources and destinations is not fixed a priori.

To circumvent these problems, we maintain two types of Count-Min-Sketch (CMS) [5] data structures. Assume we are at a particular fixed time tick in the stream; we treat time as a discrete variable for simplicity. Let be the total number of edges from to up to the current time. Then, we use a single CMS data structure to approximately maintain all such counts (for all edges ) in constant memory: at any time, we can query the data structure to obtain an approximate count .

Secondly, let be the number of edges from to in the current time tick (but not including past time ticks). We keep track of using a similar CMS data structure, the only difference being that we reset this CMS data structure every time we transition to the next time tick. Hence, this CMS data structure provides approximate counts for the number of edges from to in the current time tick .

Hypothesis Testing Framework

Given approximate counts and , how can we detect microclusters? Moreover, how can we do this in a principled framework that allows for theoretical guarantees?

Fix a particular source and destination pair of nodes, , as in Figure 1. One approach would be to assume that the time series in Figure 1

follows a particular generative model: for example, a Gaussian distribution. We could then find the mean and standard deviation of this Gaussian distribution. Then, at time

, we could compute the Gaussian likelihood of the number of edge occurrences in the current time tick, and declare an anomaly if this likelihood is below a specified threshold.

However, this requires a restrictive Gaussian assumption, which can lead to excessive false positives or negatives if the data follows a very different distribution. Instead, we use a weaker assumption: that the mean level (i.e. the average rate at which edges appear) in the current time tick (e.g. ) is the same as the mean level before the current time tick . Note that this avoids assuming any particular distribution for each time tick, and also avoids a strict assumption of stationarity over time.

Hence, we can divide the past edges into two classes: the current time tick and all past time ticks . Recalling our previous notation, the number of events at is , while the number of edges in past time ticks is .

Under the chi-squared goodness-of-fit test, the chi-squared statistic is defined as the sum over categories of . In this case, our categories are and . Under our mean level assumption, since we have total edges (for this source-destination pair), the expected number at is , and the expected number for is the remaining, i.e. . Thus the chi-squared statistic is:

Note that both and

can be estimated by our CMS data structures, obtaining approximations

and respectively. This leads to our following anomaly score, using which we can evaluate a newly arriving edge with source-destination pair :

Definition 1 (Anomaly Score).

Given a newly arriving edge , our anomaly score is computed as:


Algorithm 1 summarizes our Midas algorithm.

Input: Stream of graph edges over time
Output: Anomaly scores per edge
1 Initialize CMS data structures:
2 Initialize CMS for total count and current count
3 while new edge is received: do
4       Update Counts:
5       Update CMS data structures for the new edge
6       Query Counts:
7       Retrieve updated counts and
8       Anomaly Score:
9       output
Algorithm 1 Midas: Streaming Anomaly Scoring

Detection and Guarantees

While Algorithm 1 computes an anomaly score for each edge, it does not provide a binary decision for whether an edge is anomalous or not. We want a decision procedure that provides binary decisions and a guarantee on the false positive probability: i.e. given a user-defined threshold , the probability of a false positive should be at most

. Intuitively, the key idea is to combine the approximation guarantees of CMS data structures with properties of a chi-squared random variable.

The key property of CMS data structures we use is that given any and , for appropriately chosen CMS data structure sizes, with probability at least , the estimates satisfy:


where is the total number of edges at time . Since CMS data structures can only overestimate the true counts, we additionally have


Define an adjusted version of our earlier score:


To obtain its probabilistic guarantee, our decision procedure computes , and uses it to compute an adjusted version of our earlier statistic:


Then our main guarantee is as follows:

Theorem 1 (False Positive Probability Bound).

Let be the quantile of a chi-squared random variable with 1 degree of freedom. Then:


In other words, using

as our test statistic and threshold

results in a false positive probability of at most .


Recall that


was defined so that it has a chi-squared distribution. Thus:


At the same time, by the CMS guarantees we have:


By union bound, with probability at least , both these events (8) and (9) hold, in which case:

Finally, we conclude that


Incorporating Relations

In this section, we describe our Midas-R approach, which considers edges in a relational manner: that is, it aims to group together edges which are nearby, either temporally or spatially.

Temporal Relations

Rather than just counting edges in the same time tick (as we do in Midas), we want to allow for some temporal flexibility: i.e. edges in the recent past should also count toward the current time tick, but modified by a reduced weight. A simple and efficient way to do this using our CMS data structures is as follows: at the end of every time tick, rather than resetting our CMS data structures , we reduce all its counts by a fixed fraction . This allows past edges to count toward the current time tick, with a diminishing weight.

Spatial Relations

We would like to catch large groups of spatially nearby edges: e.g. a single source IP address suddenly creating a large number of edges to many destinations, or a small group of nodes suddenly creating an abnormally large number of edges between them. A simple intuition we use is that in either of these two cases, we expect to observe nodes with a sudden appearance of a large number of edges. Hence, we can use CMS data structures to keep track of edge counts like before, except counting all edges adjacent to any node . Specifically, we create CMS counters and to approximate the current and total edge counts adjacent to node . Given each incoming edge , we can then compute three anomalousness scores: one for edge , as in our previous algorithm; one for node , and one for node . Finally, we combine the three scores by taking their maximum value. Another possibility of aggregating the three scores is to take their sum. Algorithm 2 summarizes the resulting Midas-R algorithm.

Input: Stream of graph edges over time
Output: Anomaly scores per edge
1 Initialize CMS data structures:
2 Initialize CMS for total count and current count
3 Initialize CMS for total count and current count
4 while new edge is received: do
5       Update Counts:
6       Update CMS data structures for the new edge
7       Query Counts:
8       Retrieve updated counts and
9       Retrieve updated counts
10       Compute Edge Scores:
12       Compute Node Scores:
15       Final Node Scores:
Algorithm 2 Midas-R: Incorporating Relations

Time and Memory Complexity

In terms of memory, both Midas and Midas-R only need to maintain the CMS data structures over time, which are proportional to , where and are the number of hash functions and the number of buckets in the CMS data structures; which is bounded with respect to the data size.

For time complexity, the only relevant steps in Algorithm 1 and 2 are those that either update or query the CMS data structures, which take (all other operations run in constant time). Thus, time complexity per update step is .


In this section, we evaluate the performance of Midas and Midas-R compared to SedanSpot on dynamic graphs. We aim to answer the following questions:

  1. [label=Q0.]

  2. Accuracy: How accurately does Midas detect real-world anomalies compared to baselines, as evaluated using the ground truth labels?

  3. Scalability: How does it scale with input stream length? How does the time needed to process each input compare to baseline approaches?

  4. Real-World Effectiveness: Does it detect meaningful anomalies in case studies on Twitter graphs?


DARPA [13] has IP-IP communications between source IP and destination IP over minutes. Each communication is a directed edge (srcIP, dstIP, timestamp, attack) where the ground truth attack label indicates whether the communication is an attack or not (anomalies are of total).

TwitterSecurity [15, 16] has tweet samples for four months (May-Aug ) containing Department of Homeland Security keywords related to terrorism or domestic security. Entity-entity co-mention temporal graphs are built on daily basis ( time ticks).

TwitterWorldCup [15, 16] has tweet samples for the World Cup season (June -July ). The tweets are filtered by popular/official World Cup hashtags, such as #worldcup, #fifa, #brazil, etc. Similar to TwitterSecurity, entity-entity co-mention temporal graphs are constructed on minute sample rate ( time points).


As described in our Related Work, only RHSS and SedanSpot operate on edge streams and provide a score for each edge. SedanSpot uses personalised PageRank to detect anomalies in sublinear space and constant time per edge. However, RHSS was evaluated in [7] on the DARPA dataset and found to have AUC of (lower than chance). Hence, we only compare with SedanSpot.

Evaluation Metrics:

All the methods output an anomaly score per edge (higher is more anomalous). We calculate the True Positive Rate (TPR) and False Positive Rate (FPR) and plot the ROC curve (TPR vs FPR). We also report the Area under the ROC curve (AUC) and Average Precision Score.

Experimental Setup

All experiments are carried out on a Intel Core processor, RAM, running OS . We implement Midas and Midas-R in C++. We use hash functions for the CMS data structures, and we set the number of CMS buckets to to result in an approximation error of . For Midas-R, we set the temporal decay factor as

. We used an open-sourced implementation of

SedanSpot, provided by the authors, following parameter settings as suggested in the original paper (sample size ).

Q1. Accuracy

Figure 2 plots the ROC curve for Midas-R, Midas and SedanSpot. Figure 3(top) plots accuracy (AUC) vs. running time (log scale, in seconds, excluding I/O). We see that Midas achieves a much higher accuracy compared to the baseline , while also running significantly faster vs. . This is a accuracy improvement at faster speed. Midas-R achieves the highest accuracy which is accuracy improvement compared to the baseline at faster speed.

Figure 3(bottom) plots the average precision score vs. running time. We see that Midas is more precise compared to the baseline . This is a precision improvement. Midas-R achieves the highest average precision score which is more precise than SedanSpot.

We see that Midas and Midas-R greatly outperform SedanSpot on both accuracy and precision metrics.

Figure 2: ROC for DARPA dataset
Figure 3: (top) Accuracy (AUC) vs time, (bottom) Average Precision Score vs time

Q2. Scalability

Figure 4 shows the scalability of Midas and Midas-R. We plot the wall-clock time needed to run on the (chronologically) first edges of the DARPA dataset. This confirms the linear scalability of Midas and Midas-R with respect to the number of edges in the input dynamic graph due to its constant processing time per edge. Note that both Midas and Midas-R process edges within second, allowing real-time anomaly detection.

Figure 5 plots the number of edges (in millions) and time to process each edge for DARPA dataset. Midas processes edges within s each and edges within s each. Midas-R processes edges within s each and edges within s each.

Table 2 shows the time it takes SedanSpot, Midas and Midas-R to run on the TwitterWorldCup, TwitterSecurity and DARPA datasets. For TwitterWorldCup dataset, we see that Midas-R is faster than SedanSpot  vs. and Midas is faster than SedanSpot vs . For TwitterSecurity dataset, we see that Midas-R is faster than SedanSpot  vs. and Midas is faster than SedanSpot vs . For the DARPA dataset, we see that Midas-R is faster than SedanSpot  vs. and Midas is faster than SedanSpot vs .

SedanSpot requires several subprocesses (hashing, random-walking, reordering, sampling, etc), resulting in the large computation time. Midas and Midas-R are both both scalable and fast.

Figure 4: Midas and Midas-R scale linearly with the number of edges in the input dynamic graph.
Figure 5: Distribution of processing times for edges of DARPA dataset.
SedanSpot Midas Midas-R
TwitterWorldCup s s s
TwitterSecurity s s s
DARPA s s s
Table 2: Running time for different datasets in seconds

Q3. Real-World Effectiveness

We measure anomaly scores using Midas, Midas-R and SedanSpot on the TwitterSecurity dataset. Figure 6 plots anomaly scores vs. day (during the four months of ). To visualise, we aggregate edges occurring in each day by taking the max anomalousness score per day, for a total of days. Anomalies correspond to major world news such as Mpeketoni attack (Event ) or Soma Mine explosion (Event ). Midas and Midas-R show similar trends whereas SedanSpot misses some anomalous events (Events ), and outputs many high scores unrelated to any true events. This is also reflected in the low accuracy and precision of SedanSpot in Figure 3. The anomalies detected by Midas and Midas-R coincide with major events in the TwitterSecurity timeline as follows:

  1. 13-05-2014. Turkey Mine Accident, Hundreds Dead

  2. 24-05-2014. Raid.

  3. 30-05-2014. Attack/Ambush.
    03-06-14. Suicide bombing

  4. 09-06-14. Suicide/Truck bombings.

  5. 10-06-2014. Iraqi Militants Seized Large Regions.
    11-06-2014. Kidnapping

  6. 15-06-14. Attack

  7. 26-06-14. Suicide Bombing/Shootout/Raid

  8. 03-07-14. Israel Conflicts with Hamas in Gaza.

  9. 18-07-14. Airplane with 298 Onboard was Shot Down over Ukraine.

  10. 30-07-14. Ebola Virus Outbreak.

This shows the effectiveness of Midas and Midas-R for catching real-world anomalies.

Microcluster anomalies: Figure 7 corresponds to Event in the TwitterSecurity dataset. All single edges are equivalent to 444 edges and double edges are equivalent to 888 edges between the nodes. This suddenly arriving (within 1 day) group of suspiciously similar edges is an example of a microcluster anomaly which Midas-R detects, but SedanSpot misses.

Figure 6: Anomalies detected by Midas and Midas-R correspond to major security-related events in TwitterSecurity.
Figure 7: Microcluster Anomaly in TwitterSecurity


In this paper, we proposed Midas and Midas

-R for microcluster based detection of anomalies in edge streams. Future work could consider more general types of data, including heterogeneous graphs or tensors. Our contributions are as follows:

  1. Streaming Microcluster Detection: We propose a novel streaming approach for detecting microcluster anomalies, requiring constant time and memory.

  2. Theoretical Guarantees: In Theorem 1, we show guarantees on the false positive probability of Midas.

  3. Effectiveness: Our experimental results show that Midas outperforms baseline approaches by - accuracy (in terms of AUC), and processes the data times faster than baseline approaches.


This work was supported in part by NUS ODPRT Grant R-252-000-A81-133.


  • [1] L. Akoglu, M. McGlohon, and C. Faloutsos (2010) Oddball: spotting anomalies in weighted graphs. In PAKDD, Cited by: Introduction, 1st item.
  • [2] L. Akoglu, H. Tong, and D. Koutra (2015) Graph based anomaly detection and description: a survey. Data Mining and Knowledge Discovery 29 (3), pp. 626–688. Cited by: Related Work.
  • [3] A. Beutel, W. Xu, V. Guruswami, C. Palow, and C. Faloutsos (2013) Copycatch: stopping group attacks by spotting lockstep behavior in social networks. In WWW, Cited by: 2nd item.
  • [4] D. Chakrabarti (2004)

    Autopart: parameter-free graph partitioning and outlier detection

    In PKDD, Cited by: Introduction, 3rd item.
  • [5] G. Cormode and S. Muthukrishnan (2005) An improved data stream summary: the count-min sketch and its applications. Journal of Algorithms 55 (1), pp. 58–75. Cited by: Streaming Data Structures.
  • [6] D. Eswaran, C. Faloutsos, S. Guha, and N. Mishra (2018) SpotLight: detecting anomalies in streaming graphs. In KDD, Cited by: Introduction, 3rd item.
  • [7] D. Eswaran and C. Faloutsos (2018) Sedanspot: detecting anomalies in edge streams. In 2018 IEEE International Conference on Data Mining (ICDM), pp. 953–958. Cited by: Introduction, 3rd item, Baseline:.
  • [8] M. Gupta, J. Gao, Y. Sun, and J. Han (2012) Integrating community matching and outlier detection for mining evolutionary community outliers. In Proceedings of the 18th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD ’12, New York, NY, USA, pp. 859–867. External Links: ISBN 978-1-4503-1462-6, Link, Document Cited by: Introduction.
  • [9] B. Hooi, K. Shin, H. A. Song, A. Beutel, N. Shah, and C. Faloutsos (2017) Graph-based fraud detection in the face of camouflage. TKDD 11 (4), pp. 44. Cited by: Introduction, 2nd item.
  • [10] M. Jiang, P. Cui, A. Beutel, C. Faloutsos, and S. Yang (2016) Catching synchronized behaviors in large networks: a graph mining approach. TKDD 10 (4), pp. 35. Cited by: Introduction, 1st item, 2nd item.
  • [11] J. M. Kleinberg (1999) Authoritative sources in a hyperlinked environment. JACM 46 (5), pp. 604–632. Cited by: Introduction, 1st item.
  • [12] D. Koutra, J. T. Vogelstein, and C. Faloutsos (2013) Deltacon: a principled massive-graph similarity function. arXiv preprint arXiv:1304.4657. Cited by: Introduction.
  • [13] R. Lippmann, R. K. Cunningham, D. J. Fried, I. Graf, K. R. Kendall, S. E. Webster, and M. A. Zissman (1999) Results of the darpa 1998 offline intrusion detection evaluation.. In Recent advances in intrusion detection, Vol. 99, pp. 829–835. Cited by: Datasets:.
  • [14] S. Ranshous, S. Harenberg, K. Sharma, and N. F. Samatova (2016) A scalable approach for outlier detection in edge streams using sketch-based approximations. In Proceedings of the 2016 SIAM International Conference on Data Mining, pp. 189–197. Cited by: Introduction, 3rd item.
  • [15] S. Rayana and L. Akoglu (2015) Less is more: building selective anomaly ensembles with application to event detection in temporal graphs. In Proceedings of the 2015 SIAM International Conference on Data Mining, pp. 622–630. Cited by: Datasets:, Datasets:.
  • [16] S. Rayana and L. Akoglu (2016) Less is more: building selective anomaly ensembles. ACM Transactions on Knowledge Discovery from Data (TKDD) 10 (4), pp. 42. Cited by: Datasets:, Datasets:.
  • [17] K. Shin, T. Eliassi-Rad, and C. Faloutsos (2018) Patterns and anomalies in k-cores of real-world graphs with applications. KAIS 54 (3), pp. 677–710. Cited by: Introduction, 2nd item.
  • [18] K. Shin, B. Hooi, J. Kim, and C. Faloutsos (2017) DenseAlert: incremental dense-subtensor detection in tensor streams. KDD. Cited by: 2nd item.
  • [19] K. Sricharan and K. Das (2014) Localizing anomalous changes in time-evolving graphs. In Proceedings of the 2014 ACM SIGMOD International Conference on Management of Data, SIGMOD ’14, New York, NY, USA, pp. 1347–1358. External Links: ISBN 978-1-4503-2376-5, Link, Document Cited by: Introduction.
  • [20] J. Sun, C. Faloutsos, S. Papadimitriou, and P.S. Yu (2007) GraphScope: parameter-free mining of large time-evolving graphs. In Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining, pp. 687–696. Cited by: Introduction.
  • [21] J. Sun, D. Tao, and C. Faloutsos (2006) Beyond streams and graphs: dynamic tensor analysis. In KDD, Cited by: Introduction, 1st item.
  • [22] H. Tong and C. Lin (2011) Non-negative residual matrix factorization with application to graph anomaly detection. In SDM, Cited by: 3rd item.
  • [23] M. Yoon, B. Hooi, K. Shin, and C. Faloutsos (2019) Fast and accurate anomaly detection in dynamic graphs with a two-pronged approach. In Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pp. 647–657. Cited by: 3rd item.
  • [24] W. Yu, C. C. Aggarwal, S. Ma, and H. Wang (2013) On anomalous hotspot discovery in graph streams. In ICDM, Cited by: 1st item.