3 D's of Anomaly Mining in Complex Graphs: Definition, Detection, and Description

Talk
Leman Akoglu
Stony Brook University
Time: 02.29.2016 11:00 to 12:00
Location: AVW 4172

Anomaly mining is critical for a large variety of real-world tasks in security, finance, medicine, and so on. Despite its immense popularity, however, the problem is under-specified for many practical applications, such as insider threat detection, as the true goals are often difficult to specify. The research community has long focused on a few simple formulations that do not meet the needs of modern anomaly mining tasks in complex systems. The problem of anomaly mining presents pressing challenges along three main dimensions: in providing precise ‘D’efinitions of what an anomaly is, in effectively ‘D’etecting anomalies, and finally in providing practitioners with actionable ‘D’escriptions of the detected anomalies. My research focuses broadly on building new descriptive models and methods for anomaly mining in large complex graphs, and addresses challenges arising from scale, heterogeneity, dynamics, robustness and interpretability. In this talk I will first focus on a new model of neighborhoods in graphs with node attributes. The model utilizes both the structure and the attributes to characterize and quantify normality, and can be used for spotting anomalies. I will next shift focus to a new formalization for detecting suspicious nodes in heterogeneous graphs, motivated by, but generalizing from, its application to bank fraud. I will then present a new model to summarize individual node anomalies through the groups that they form in the graph. These works constitute representative steps on all three fronts of the aforementioned challenges, namely the three ‘D’s of anomaly mining.