Detection of anomalies in dynamic graphs with applications in cybersecurity for OT
Abstract
Aggregating instantaneous graphs can achieve approximate independence between the resulting aggregated graphs, a property supported by both (asymptotic) theoretical and (finite sample size) empirical evidence. This justifies the use of a multilayer Poisson-directed Stochastic Block Model (SBM) under the assumption of independence between layers. Within this unusual, simplified framework for dynamic graphs, we propose a statistical test for anomaly detection. Furthermore, we extend the model to accommodate variations in the number of nodes over time by employing a missing data paradigm, thereby going beyond the main advances in the literature, which are limited to variations in the number of edges. Finally, we demonstrate that initializing the Variational Expectation-Maximization (VEM) algorithm using Singular Value Decomposition (SVD) is effective, even in the presence of missing data.