by shivin9 2326 days ago
Impressive results! A few questions though:

1) Do you use sliding window approach or exponential decay?

2) When you say groups of similar edges, do they have to be spatially close to each other, or can they be equally distributed in the graph?

3) Can an attacker figure out the optimum time difference between his attacks such that MIDAS doesn't detect it as an anomaly? The time gap is just sufficient enough for the algorithm to weed out the potentially malicious micro-cluster as obsolete.

Seems like an interesting extension to your work. Best of luck!


Thank you :)

1. We use a temporal decay (alpha).

2. Good question! We consider similar edges as those having at least one of source and destination node as the same.

3. Very interesting direction for future work! We can try using a variable decay instead of a fixed one to tackle the adversary.

Thanks. It would be nice to have similarity methods that are not dependent on spatial locality to detect DDoS-like attacks.

We handle spatial locality in terms of not just the source but also the destination; therefore we should be able to handle DDoS-like attacks when simultaneous edges come from several sources trying to deny one particular destination.

Ah, alright, that makes sense. But it works only when the destination is the same. In a setting where there are multiple web-hosting servers, you would need to treat a group of source and destination points as micro-clusters themselves.

Can you extend MIDAS to adapt to that scenario?

In Figure 7 of the paper, we show an example of detection when neither edge, source, nor destination is individually anomalous but, as a whole, it is a micro-cluster anomaly. It can similarly be detected when there are multiple web-hosting servers.
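The decay-based scoring the thread discusses, as an added example that is not the MIDAS authors' code: plain dictionaries stand in for the count-min sketches, the per-edge, per-source and per-destination counts decay by alpha at each tick change instead of being reset, and each edge is scored with the chi-squared form from the MIDAS paper as I understand it (the formula and the edge stream below are my constructions). The stream ends with many distinct sources hitting one destination, so only the destination count lights up, as in the DDoS-like case described above.

```python
from collections import defaultdict

def chi2_score(cur, total, t):
    """(a - s/t)^2 * t^2 / (s (t-1)): deviation of the current-tick count from its per-tick mean."""
    if t <= 1 or total == 0:
        return 0.0
    return (cur - total / t) ** 2 * t * t / (total * (t - 1))

def midas_r_scores(edges, alpha=0.5):
    """edges: iterable of (src, dst, tick) in arrival order; returns [(tick, src, dst, score)]."""
    cur = {k: defaultdict(float) for k in ("edge", "src", "dst")}   # current-tick counts (decayed)
    tot = {k: defaultdict(float) for k in ("edge", "src", "dst")}   # counts over all ticks
    tick = None
    out = []
    for u, v, t in edges:
        if tick is not None and t != tick:
            for table in cur.values():          # temporal decay instead of a hard reset
                for key in table:
                    table[key] *= alpha
        tick = t
        score = 0.0
        # "similar edges" share a source or a destination: score all three views, keep the max
        for k, key in (("edge", (u, v)), ("src", u), ("dst", v)):
            cur[k][key] += 1
            tot[k][key] += 1
            score = max(score, chi2_score(cur[k][key], tot[k][key], t))
        out.append((t, u, v, score))
    return out

# Constructed stream: six ticks of steady traffic, then 20 distinct sources
# hitting host D at tick 6. No single edge repeats in the burst, so the
# destination view is what carries the anomaly.
STREAM = [(u, v, t) for t in range(1, 7) for u, v in [("A", "B"), ("B", "C"), ("C", "D")]]
STREAM += [(f"S{i}", "D", 6) for i in range(20)]

def peak_scores(scores, burst_tick=6):
    """Highest score before the burst tick versus highest score during it."""
    normal = max(s for t, _, _, s in scores if t < burst_tick)
    burst = max(s for t, _, _, s in scores if t == burst_tick)
    return normal, burst

if __name__ == "__main__":
    normal, burst = peak_scores(midas_r_scores(STREAM))
    print(f"peak score before burst: {normal:.2f}, during burst: {burst:.2f}")
```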