Using Temporal and Topological Features for Intrusion Detection in Operational Networks
Pith reviewed 2026-05-25 00:36 UTC · model grok-4.3
The pith
Matrix Profiles detect timing outliers and graph analysis identifies anomalous communication patterns for intrusion detection in industrial networks.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central discovery is twofold. First, Matrix Profiles, an algorithm for motif discovery in time series, detect outliers in the timing behaviour of an industrial process monitored in an experimental environment that carries ground-truth labels for the attacks performed. Second, graph representations of a different, emulated industrial dataset detect malicious activities as anomalous communication patterns, represented as edges. An integration concept for both methods is proposed.
What carries the argument
Matrix Profiles for detecting timing outliers in time series and graph representations for identifying anomalous communication edges.
If this is right
- Intrusion detection solutions can function without providing feedback to the industrial process.
- Methods are compatible with legacy systems used for decades where updates are difficult.
- The methods can detect lateral movement, which is easy for an intruder because industrial protocols lack inherent authentication.
- Combines temporal and topological features for more comprehensive detection.
Where Pith is reading between the lines
- These techniques could be tested on additional real-world industrial datasets to validate generalizability beyond emulation.
- Integration might allow for hybrid detection that reduces reliance on any single feature type.
- Application to other critical infrastructure networks could follow similar patterns of timing and communication analysis.
Load-bearing premise
The experimental environment and emulated dataset sufficiently represent real operational industrial networks such that detected timing outliers and anomalous graph edges reliably indicate intrusions rather than normal variations or false positives.
What would settle it
Observing a high rate of timing outliers or anomalous edges in data from an unattacked real industrial network would indicate the methods do not reliably distinguish intrusions.
Until two decades ago, industrial networks were deemed secure due to physical separation from public networks. An abundance of successful attacks proved that assumption wrong. Intrusion detection solutions for industrial application need to meet certain requirements that differ from home- and office-environments, such as working without feedback to the process and compatibility with legacy systems. Industrial systems are commonly used for several decades, updates are often difficult and expensive. Furthermore, most industrial protocols do not have inherent authentication or encryption mechanisms, allowing for easy lateral movement of an intruder once the perimeter is breached. In this work, an algorithm for motif discovery in time series, Matrix Profiles, is used to detect outliers in the timing behaviour of an industrial process. This process was monitored in an experimental environment, containing ground truth labels after attacks were performed. Furthermore, the graph representations of a different industrial data set that has been emulated are used to detect malicious activities. These activities can be derived from anomalous communication patterns, represented as edges in the graph. Finally, an integration concept for both methods is proposed.
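An added illustration, not code from the paper, of the two mechanisms the abstract names: a Matrix-Profile-style discord score over constructed packet inter-arrival times of a cyclic polling process, and an edge-baseline check over constructed host-to-host flows, joined by a plain union of both alert types as one reading of the integration concept. Host names, ports, the 5 ms threshold and the use of raw rather than z-normalised distances are assumptions of this example.

```python
"""Timing discords via a naive Matrix Profile plus an edge baseline over
flows. All traffic below is constructed; thresholds and names are assumed."""
import math
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, int]  # (source host, destination host, destination port)


def matrix_profile(ts: List[float], m: int) -> List[float]:
    """Distance from every length-m subsequence to its nearest other
    subsequence (naive O(n^2 m) self-join). Windows closer than m//2
    positions are excluded so a window cannot match itself. Raw Euclidean
    distance is used instead of the usual z-normalised distance because
    absolute timing matters in a cyclic process (an assumption here)."""
    n = len(ts) - m + 1
    excl = max(1, m // 2)
    profile = []
    for i in range(n):
        best = math.inf
        for j in range(n):
            if abs(i - j) < excl:
                continue
            best = min(best, math.dist(ts[i:i + m], ts[j:j + m]))
        profile.append(best)
    return profile


def timing_discords(ts: List[float], m: int, threshold: float) -> Set[int]:
    """Window start indices whose nearest neighbour is farther than threshold."""
    return {i for i, d in enumerate(matrix_profile(ts, m)) if d > threshold}


def edge_baseline(flows: List[Edge]) -> Set[Edge]:
    """Learn the communication edges observed during a clean period."""
    return set(flows)


def anomalous_edges(baseline: Set[Edge], flows: List[Edge]) -> Set[Edge]:
    """Edges present in observed traffic that never appeared in the baseline."""
    return {e for e in flows if e not in baseline}


def combined_alerts(ts: List[float], m: int, threshold: float,
                    baseline: Set[Edge], flows: List[Edge]) -> Dict[str, list]:
    """Integration as a plain union: report temporal and topological findings
    side by side so an analyst sees both feature types for one time slice."""
    return {"timing": sorted(timing_discords(ts, m, threshold)),
            "graph": sorted(anomalous_edges(baseline, flows))}


# Constructed cyclic polling: three 10 ms gaps then a 50 ms pause, ten cycles;
# one gap (index 21) is stretched to 250 ms to stand in for a stalled reply.
NORMAL_CYCLE = [10.0, 10.0, 10.0, 50.0]
INTER_ARRIVALS = NORMAL_CYCLE * 10
INTER_ARRIVALS[21] = 250.0

# Constructed flows: Modbus/TCP (port 502) from an HMI and a historian to PLCs,
# then an engineering workstation that was never seen talking to plc2.
BASELINE_FLOWS: List[Edge] = [("hmi", "plc1", 502), ("hmi", "plc2", 502),
                              ("historian", "plc1", 502)]
OBSERVED_FLOWS: List[Edge] = [("hmi", "plc1", 502), ("eng-ws", "plc2", 502),
                              ("hmi", "plc2", 502)]

if __name__ == "__main__":
    print(combined_alerts(INTER_ARRIVALS, 4, 5.0,
                          edge_baseline(BASELINE_FLOWS), OBSERVED_FLOWS))
```

Every window that overlaps the stretched gap is flagged, while an unmodified series yields no discord at all; the window length must exceed the jitter scale but should stay shorter than the process cycle for this raw-distance variant to behave.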
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims that Matrix Profiles can detect outliers in the timing behavior of an industrial process monitored in an experimental environment with ground-truth attack labels, that graph representations of a separate emulated industrial dataset can identify malicious activities via anomalous communication patterns (edges), and that an integration concept for the two approaches is feasible for intrusion detection in operational networks.
Significance. If the central mapping from detected timing outliers and anomalous graph edges to actual intrusions holds with acceptable false-positive rates on representative data, the work would offer a practical, non-intrusive method for securing legacy industrial control systems that lack authentication or encryption, by exploiting readily available timing and topological features.
major comments (2)
- [Abstract] Abstract: the manuscript asserts that Matrix Profiles detect outliers corresponding to attacks and that graph analysis detects malicious activities, yet supplies no quantitative performance metrics, validation details, dataset characteristics, baseline establishment procedure, or error analysis; this absence is load-bearing because the central claim requires demonstrating that the detected anomalies reliably indicate intrusions rather than normal variation.
- [Abstract] Experimental evaluation (implied by the abstract's description of the monitored process and emulated dataset): no argument or comparison is provided showing that the experimental environment or emulated topology and timing distributions match those of real, decades-old industrial networks under sustained operation; without this, the mapping from outliers/anomalous edges to intrusions cannot be assessed and the weakest assumption remains untested.
Simulated Author's Rebuttal
We thank the referee for the constructive comments. We address each major comment point by point below.
- Referee: [Abstract] Abstract: the manuscript asserts that Matrix Profiles detect outliers corresponding to attacks and that graph analysis detects malicious activities, yet supplies no quantitative performance metrics, validation details, dataset characteristics, baseline establishment procedure, or error analysis; this absence is load-bearing because the central claim requires demonstrating that the detected anomalies reliably indicate intrusions rather than normal variation.
Authors: The abstract is a concise summary. The full manuscript describes the experimental dataset with ground-truth attack labels, the emulated dataset, the Matrix Profile application to timing outliers, and graph-based detection of anomalous edges. Quantitative evaluation against the labels, including performance assessment, appears in the evaluation sections. To address the concern directly in the abstract, we will revise it to include summary quantitative metrics (e.g., detection rates on labeled attacks) and a brief note on validation. revision: yes
- Referee: [Abstract] Experimental evaluation (implied by the abstract's description of the monitored process and emulated dataset): no argument or comparison is provided showing that the experimental environment or emulated topology and timing distributions match those of real, decades-old industrial networks under sustained operation; without this, the mapping from outliers/anomalous edges to intrusions cannot be assessed and the weakest assumption remains untested.
Authors: The manuscript explicitly uses an experimental environment with ground-truth labels and a separate emulated industrial dataset to demonstrate the methods on timing and topological features. We will add a paragraph in the revised manuscript discussing the characteristics of these setups (legacy-protocol compatibility, long-term process timing) relative to typical operational industrial networks and the rationale for using them as proxies. revision: yes
Circularity Check
No circularity; empirical application of existing algorithms to datasets
The paper applies the pre-existing Matrix Profile algorithm for motif discovery in time series and standard graph representations to two datasets (one experimental with ground-truth attack labels, one emulated). No derivation chain, parameter fitting presented as prediction, self-definitional steps, or load-bearing self-citations appear in the abstract or described methods. The work is a straightforward empirical evaluation without any claimed first-principles derivation that reduces to its own inputs.