HYPA: Efficient Detection of Path Anomalies in Time Series Data on Networks

The unsupervised detection of anomalies in time series data has important applications in user behavioral modeling, fraud detection, and cybersecurity. Anomaly detection has, in fact, been extensively studied in categorical sequences. However, we often have access to time series data that represent paths through networks. Examples include transaction sequences in financial networks, click streams of users in networks of cross-referenced documents, or travel itineraries in transportation networks. To reliably detect anomalies, we must account for the fact that such data contain a large number of independent observations of paths constrained by a graph topology. Moreover, the heterogeneity of real systems rules out frequency-based anomaly detection techniques, which do not account for highly skewed edge and degree statistics. To address this problem, we introduce HYPA, a novel framework for the unsupervised detection of anomalies in large corpora of variable-length temporal paths in a graph. HYPA provides an efficient analytical method to detect paths with anomalous frequencies that result from nodes being traversed in unexpected chronological order.

💡 Research Summary

The paper addresses the problem of unsupervised anomaly detection in time‑series data that consist of paths traversing a directed graph. Traditional anomaly detection methods for categorical sequences or simple frequency‑based approaches (FBAD) assume uniform edge statistics and therefore fail when the underlying network exhibits highly skewed degree or edge weight distributions. To overcome these limitations, the authors propose HYPA (Higher‑order Hyper‑geometric Path Anomaly detection), a framework that detects paths whose observed frequencies deviate significantly from a statistically grounded null model.

The core idea is to map variable‑length paths onto a higher‑order De Bruijn graph. For a given order k, each node of the De Bruijn graph represents a (k‑1)‑length sub‑path in the original graph, and each directed edge corresponds to a length‑k path. By counting how many times each edge appears in the observed path set S, the problem of detecting anomalous length‑k paths reduces to detecting anomalous edge weights in the k‑order De Bruijn graph.

To assess whether an edge weight is anomalous, HYPA constructs a null model based on an (k‑1)‑order De Bruijn graph. This null model is an edge‑weighted random walk that preserves the topology of the original graph and the empirical frequencies of (k‑1)‑length sub‑paths. The authors model the random allocation of edge weights as a multivariate hypergeometric (urn) process, which yields closed‑form expressions for the expected weight, variance, and cumulative distribution function (CDF) of each edge. Consequently, a HYPA‑score (essentially a p‑value or Z‑score) can be computed analytically for every edge, indicating over‑representation (positive score) or under‑representation (negative score) relative to the null model.

Key technical contributions include:

1. Formal definition of “path anomalies” that isolates anomalies at a specific length k by conditioning on the (k‑1)‑order baseline, thus preventing shorter‑path anomalies from contaminating longer‑path assessments.
2. Efficient construction of k‑order De Bruijn graphs via iterative line‑graph transformations, enabling linear‑time processing O(|E|·k).
3. Derivation of closed‑form CDFs for edge weights using the multivariate hypergeometric distribution, which avoids costly Monte‑Carlo simulations.
4. A statistical testing pipeline that incorporates multiple‑testing correction (e.g., Benjamini‑Hochberg) to control false discovery rates.

The authors validate HYPA on both synthetic and real datasets. In synthetic graphs with heterogeneous edge frequencies, HYPA achieves >95 % precision and recall, dramatically outperforming FBAD and Markov‑chain‑based baselines, which suffer from high false‑positive rates. In a real‑world airline itinerary dataset (airports as nodes, flights as edges, passenger trips as paths), HYPA uncovers statistically significant over‑ and under‑represented itineraries. These findings align with known operational anomalies such as seasonal route spikes, unexpected hub‑to‑hub transfers, and irregular routing caused by flight cancellations or re‑routing, confirming the practical relevance of the method.

Overall, HYPA provides a mathematically rigorous, scalable, and domain‑agnostic solution for detecting path‑level anomalies in networked time‑series data. Its reliance on analytically tractable statistical ensembles makes it suitable for large‑scale applications in finance (transaction networks), web navigation (click‑stream graphs), and transportation (traffic or logistics networks). The paper suggests future extensions to dynamic graphs (where topology evolves over time) and multi‑scale analysis (simultaneous detection across multiple k values).