Multi-source anomaly detection: using across-domain and across-time peer-group consistency checks

Citation

Eldardiry, H.; Kumar, S.; Liu, J. J.; Hanley, J.; Price, R.; Brdiczka, O.; Bart, E. Multi-source anomaly detection: using across-domain and across-time peer-group consistency checks. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), vol. 5, no. 2, pp. 39-58.

Abstract

We present robust anomaly detection in multi-dimensional data. We describe information fusion across multiple levels of a layered architecture to ensure accurate and reliable detection of anomalies in heterogeneous data. We consider the problem of detecting anomalous entities (e.g., people) from observation data (e.g., activities) gathered from multiple contexts or information sources over time. We propose two anomaly detection methods. The first method seeks to identify anomalous behavior that blends in within each individual information source but is inconsistent across sources; a supervised learning approach detects these blend-in anomalies, which manifest as across-source inconsistencies. The second method identifies unusual changes in an entity's behavior over time using a Markov model approach. Finally, we present a fusion approach that integrates evidence from both methods to improve the accuracy and robustness of the anomaly detection system. We illustrate the performance of the proposed approaches on an insider threat detection problem using a real-world work-practice data set.