Anomaly Detection in Time Series of Graphs using ARMA Processes

There are many situations in which indicators of changes or anomalies in communication networks can be helpful, e.g. in the identification of faults. A dynamic communication network is characterised as a series of graphs with vertices representing IP addresses and edges representing information exchange between these entities weighted by packets sent. Ten graph distance metrics are used to create time series of network changes by sequentially comparing graphs from adjacent periods. These time series are individually modelled as univariate autoregressive moving average (ARMA) processes. Each time series is assessed on the ability of the best ARMA model of it to identify anomalies through residual thresholding.

[1]  Gwilym M. Jenkins,et al.  Time series analysis, forecasting and control , 1971 .

[2]  H. Akaike,et al.  Information Theory and an Extension of the Maximum Likelihood Principle , 1973 .

[3]  G. Schwarz Estimating the Dimension of a Model , 1978 .

[4]  M. Kraetzl,et al.  Detection of abnormal change in dynamic networks , 1999, 1999 Information, Decision and Control. Data and Information Fusion Symposium, Signal Processing and Communications Symposium and Decision and Control Symposium. Proceedings (Cat. No.99EX251).

[5]  H. Bunke,et al.  Median graphs and anomalous change detection in communication networks , 2002, Final Program and Abstracts on Information, Decision and Control.