Engineering Applications of Artificial Intelligence 94 (2020) 103741 Contents lists available at ScienceDirect Engineering Applications of Artificial Intelligence journal homepage: www.elsevier.com/locate/engappai Extra-adaptive robust online subspace tracker for anomaly detection from streaming networks Maryam Amoozegar a , Behrouz Minaei-Bidgoli a,∗ , Mansoor Rezghi b , Hadi Fanaee-T c a School of Computer Engineering, Iran University of Science and Technology, Narmak, Tehran, 1684613114, Iran b Department of Computer Science, Tarbiat Modares University, Tehran, 14115-175, Iran c Center for Applied Intelligent Systems Research (CAISR), Halmstad University, Halmstad, Sweden ARTICLE INFO Keywords: Anomaly detection Robust online subspace tracker Dynamic network CP tensor decomposition Low rank and sparse analysis ABSTRACT Anomaly detection in time-evolving networks has many applications, for instance, traffic analysis in trans- portation networks and intrusion detection in computer networks. One group of popular methods for anomaly detection from evolving networks are robust online subspace trackers. However, these methods suffer from problem of insensitivity to drastic changes in the evolving subspace. In order to solve this problem, we propose a new robust online subspace and anomaly tracker, which is more adaptive and robust against sudden drastic changes in the subspace. More accurate estimation of low rank and sparse components by this tracker leads to more accurate anomaly detection. We evaluate the accuracy of our method with real-world dynamic network data sets with varying sparsity levels. The result is promising and our method outperforms the state-of-the-art. 1. Introduction There are many criteria can be used to detect anomalies in a time- evolving networks, but the most common are finding anomalous nodes or edges, detecting irregular subgraphs and sometimes searching the anomalies in the global structure of the network (Akoglu et al., 2015; Ranshous et al., 2015; Salehi and Rashidi, 2018). Among those, ob- serving edges with time-varying weights are the most powerful signals to discover anomalies. Therefore, analyzing the temporal behavior of the edge’s weight over time is very relevant task, and there are many applications for it. For example, traffic analysis in transportation networks (Fanaee and Gama, 2016a; Wang et al., 2018; Xu et al., 2018), intrusion detection in computer networks (Baddar et al., 2014) and data volume exchange analysis in social networks (Yu et al., 2016) are some important applications. One of the appropriate tools for analysis of time-evolving networks are tensor decompositions (TD) methods. TDs learn the low-rank struc- ture of data, which leads to simultaneously modeling the interaction between the nodes and also the evolution of nodes’ evolution over time (Ranshous et al., 2015). TDs can be considered as a sophisticated extension of matrix de- composition techniques, which normally are based on PCA and SVD (Ding and Tian, 2016; Idé and Kashima, 2004; Wang et al., 2012; Yu et al., 2013). Some researchers also extended matrix factorization in an adaptive way to capture the temporal dynamics. For instance, in Yu et al. (2017) the authors factorize the adjacency matrices congress ∗ Corresponding author. E-mail addresses: amoozegar_m@comp.iust.ac.ir (M. Amoozegar), b_minaei@iust.ac.ir (B. Minaei-Bidgoli), rezghi@modares.ac.ir (M. Rezghi), hadi.fanaee@hh.se (H. Fanaee-T). in each time instant in a streaming fashion, in order to extract the low rank and anomalies. However, one of the main shortcomings of matrix-based decomposition methods is that they are not able to simultaneously model the intrinsic multi-way interactions of data. The main benefit of TDs in comparison to matrix factorization methods is that they can model the spatio-temporal fluctuations and model data in its natural structure. Consequently, it is assumed that discovered patterns via TDs are more realistic (Fanaee and Gama, 2016b). Several approaches have been proposed that decompose batch tensor data into main factors and post-process the results manually or by statistical metric to detect the anomalies (Fanaee and Gama, 2016a; Mao et al., 2014; Sapienza et al., 2015). However, these approaches need the availability of the full data and large memory. Incremental Tensor Analysis (ITA) (Sun et al., 2008, 2006) was the first effort to resolve this issue. ITA updates the covariance matrix incrementally. However, diagonalizing the covariance matrix for each mode is a critical bottleneck of this approach. Therefore, other methods were conducted based on incremental SVD to improve its performance (Shi et al., 2015; Xu et al., 2018). With growing the network size and real-time processing requirements, these approaches face with scalability issues. A more recent and efforts towards this are online subspace tracking methods that try to track the latent subspace (low-rank) of data in an incremental way. Updating the low dimensional subspace over https://doi.org/10.1016/j.engappai.2020.103741 Received 6 December 2019; Received in revised form 7 April 2020; Accepted 1 June 2020 Available online xxxx 0952-1976/© 2020 Elsevier Ltd. All rights reserved.