Repository files navigation

C++ implementation of

• Real-time Streaming Anomaly Detection in Dynamic Graphs.Siddharth Bhatia, Rui Liu, Bryan Hooi, Minji Yoon, Kijung Shin, Christos Faloutsos. TKDD, 2022.
• MIDAS: Microcluster-Based Detector of Anomalies in Edge Streams.Siddharth Bhatia, Bryan Hooi, Minji Yoon, Kijung Shin, Christos Faloutsos. AAAI, 2020.

The old implementation is in another branchOldImplementation, it should be considered as being archived and will hardly receive feature updates.

• Features
• Demo
• Customization
• Other Files
• In Other Languages
• Online Coverage
• Citation

• Finds Anomalies in Dynamic/Time-Evolving Graph: (Intrusion Detection, Fake Ratings, Financial Fraud)
• Detects Microcluster Anomalies (suddenly arriving groups of suspiciously similar edges e.g. DoS attack)
• Theoretical Guarantees on False Positive Probability
• Constant Memory (independent of graph size)
• Constant Update Time (real-time anomaly detection to minimize harm)
• Up to 55% more accurate and 929 times faster than the state of the art approaches
• Experiments are performed using the following datasets:
  • DARPA
  • TwitterWorldCup2014
  • TwitterSecurity

If you use Windows:

1. Open a Visual Studio developer command prompt, we want their toolchain
2. cd to the project rootMIDAS/
3. cmake -DCMAKE_BUILD_TYPE=Release -GNinja -S . -B build/release
4. cmake --build build/release --target Demo
5. cd toMIDAS/build/release/
6. .\Demo.exe

If you use Linux/macOS:

1. Open a terminal
2. cd to the project rootMIDAS/
3. cmake -DCMAKE_BUILD_TYPE=Release -S . -B build/release
4. cmake --build build/release --target Demo
5. cd toMIDAS/build/release/
6. ./Demo

The demo runs onMIDAS/data/DARPA/darpa_processed.csv, which has 4.5M records, with the filtering core (MIDAS-F).

The scores will be exported toMIDAS/temp/Score.txt, higher means more anomalous.

All file paths are absolute and "hardcoded" by CMake, but it's suggested NOT to run by double clicking on the executable file.

Core

• C++11
• C++ standard libraries

Demo (if experimental ROC-AUC impl)

• C++ standard libraries

Demo (ifsklearn ROC-AUC impl)

• Python 3 (MIDAS/util/EvaluateScore.py)
  • pandas: I/O
  • scikit-learn: Compute ROC-AUC

Experiment

• (Optional) Intel TBB: Parallelization
• (Optional) OpenMP: Parallelization

Other python utility scripts

• Python 3
  • pandas
  • scikit-learn

InMIDAS/example/Demo.cpp.
Comment out section "Evaluate scores (experimental)"
Uncomment section "Write output scores" and "Evaluate scores".

Those are arguments of cores' constructors, which are atMIDAS/example/Demo.cpp:67-69.

Cores are instantiated atMIDAS/example/Demo.cpp:67-69, uncomment the chosen one.

You need to prepare three files:

• Meta file
  • Only includes an integerN, the number of records in the dataset
  • Use its path forpathMeta
  • E.g.MIDAS/data/DARPA/darpa_shape.txt
• Data file
  • A header-less csv format file of shape[N,3]
  • Columns are sources, destinations, timestamps
  • Use its path forpathData
  • E.g.MIDAS/data/DARPA/darpa_processed.csv
• Label file
  • A header-less csv format file of shape[N,1]
  • The corresponding label for data records
    • 0 means normal record
    • 1 means anomalous record
  • Use its path forpathGroundTruth
  • E.g.MIDAS/data/DARPA/darpa_ground_truth.csv

1. Include the headerMIDAS/src/NormalCore.hpp,MIDAS/src/RelationalCore.hpp orMIDAS/src/FilteringCore.hpp
2. Instantiate cores with required parameters
3. Calloperator() on individual data records, it returns the anomaly score for the input record

The code we used for experiments.
It will try to use Intel TBB or OpenMP for parallelization.
You should comment all but only one runner function call in themain() as most results are exported toMIDAS/temp/Experiiment.csv together with many intermediate files.

Similar toDemo.cpp, but with all random parameters hardcoded and always produce the same result.
It's for other developers and us to test if the implementation in other languages can produce acceptable results.

DeleteTempFile.py,EvaluateScore.py andReproduceROC.py will show their usage and a short description when executed without any argument.

Experimental ROC-AUC implementation in C++11. More info atthis repo.

The code to process the raw dataset into an easy-to-read format.
Datasets are always assumed to be in a folder inMIDAS/data/.
It can process the following dataset(s)

• DARPA/darpa_original.csv ->DARPA/darpa_processed.csv,DARPA/darpa_ground_truth.csv,DARPA/darpa_shape.txt

1. Python:Rui Liu's MIDAS.Python,Ritesh Kumar's pyMIDAS
2. Python (pybind):Wong Mun Hou's MIDAS
3. Golang:Steve Tan's midas
4. Ruby:Andrew Kane's midas
5. Rust:Scott Steele's midas_rs
6. R:Tobias Heidler's MIDASwrappeR
7. Java:Joshua Tokle's MIDAS-Java
8. Julia:Ashrya Agrawal's MIDAS.jl

1. ACM TechNews
2. AIhub
3. Hacker News
4. KDnuggets
5. Microsoft
6. Towards Data Science

If you use this code for your research, please consider citing our TKDD and AAAI papers.

@article{bhatia2022realtime,author ={Bhatia, Siddharth and Liu, Rui and Hooi, Bryan and Yoon, Minji and Shin, Kijung and Faloutsos, Christos},title ={Real-Time Anomaly Detection in Edge Streams},year ={2022},issue_date ={August 2022},publisher ={Association for Computing Machinery},address ={New York, NY, USA},volume ={16},number ={4},issn ={1556-4681},url ={https://doi.org/10.1145/3494564},doi ={10.1145/3494564},journal ={ACM Trans. Knowl. Discov. Data},month ={jan},articleno ={75},numpages ={22}}@inproceedings{bhatia2020midas,title={MIDAS: Microcluster-Based Detector of Anomalies in Edge Streams},author={Siddharth Bhatia and Bryan Hooi and Minji Yoon and Kijung Shin and Christos Faloutsos},booktitle={AAAI Conference on Artificial Intelligence (AAAI)},year={2020}}