Semi-supervised Context Discovery for Peer-Based Anomaly Detection in Multi-layer Networks

User-related cyber security attacks could cause tremendous losses to any organization. Detecting such threat can be formulated as anomaly detection problem in multilayer networks where each layer of the multilayer networks contain different contextual information regarding the users. While there have been many works proposed for peer-based anomaly detection, there has been little endeavor in discover the appropriate context (peers) for anomaly detection in multilayer networks. In this paper, we propose a context discovery method, which integrates the relations provided by each individual network layer and detects the anomalous nodes in networks based on the optimized peers of nodes with (or without) limited feedback from cybersecurity experts. The proposed system addresses the frequently encountered challenges when conducting anomaly detection, i.e., feedback sparsity, and the newly emerged challenge associated with multilayer networks, i.e., finding peers of each node based on conflicting information provided by individual layers. The proposed system is capable of capturing the anomalies in multilayer networks and outperforms the widely used peer-based anomaly detection algorithms on both synthetic and real-world sensor network and cybersecurity datasets.