Given a stream of graph edges from a dynamic graph, how can we assign anomaly scores to edges and subgraphs in an online manner, for the purpose of detecting unusual behavior, using constant time and memory? For example, in intrusion detection, existing work seeks to detect either anomalous edges or anomalous subgraphs, but not both. In this paper, we first extend the count-min sketch data structure to a higher-order sketch. This higher-order sketch has the useful property of preserving the dense subgraph structure (dense subgraphs in the input turn into dense submatrices in the data structure). We then propose 4 online algorithms that utilize this enhanced data structure, which (a) detect both edge and graph anomalies; (b) process each edge and graph in constant memory and constant update time per newly arriving edge, and; (c) outperform state-of-the-art baselines on 4 real-world datasets. Our method is the first streaming approach that incorporates dense subgraph search to detect graph anomalies in constant memory and time.

翻译：给定一个动态图的边流，我们如何在恒定时间和内存下，以在线方式为边和子图分配异常分数，以检测异常行为？例如，在入侵检测中，现有工作要么检测异常边，要么检测异常子图，但无法同时检测两者。在本文中，我们首先将计数最小草图数据结构扩展为高阶草图。这种高阶草图具有保留密集子图结构的有用特性（输入中的密集子图会转变为数据结构中的密集子矩阵）。接着，我们提出了4种利用该增强数据结构的在线算法，这些算法能够：（a）同时检测边异常和图异常；（b）以恒定内存和每条新到达边的恒定更新时间处理每条边和每个图；（c）在4个真实世界数据集上优于最先进的基线方法。我们的方法是首个在恒定内存和时间下通过密集子图搜索来检测图异常的流式处理方法。