Anomaly Detection using Extreme Value Theory

Extreme Value Theory (EVT) is used to model extreme events such as 100-year floods. Detecting anomalies with EVT reduces the rate at which ordinary observations are falsely flagged as anomalies. This set of papers comprises methodological and applied contributions that use EVT to detect anomalies. The applications come mostly from cyber security.

Leave-one-out kernel density estimates for outlier detection

Authors: Sevvandi Kandanaarachchi, Rob J. Hyndman
Venue: Journal of Computational and Graphical Statistics, 2021
TLDR: Persistent homology-based bandwidths help to find anomalies in data using Extreme Value Theory.
The data and the anomaly persistence diagram. The anomalies lie in the middle of the annulus and are persistently identified across different bandwidth values.
Lookout is an unsupervised anomaly detection method that combines kernel density estimation with extreme value theory, without requiring any user‑defined parameters. Instead of relying on manually chosen bandwidths, lookout uses persistent homology to automatically determine a bandwidth well suited for identifying anomalies. The method also introduces anomaly persistence, which captures how anomalies emerge and disappear as bandwidths change, providing deeper insight into anomaly behaviour. The algorithm is available as the R package lookout.

When lookout sees crackle: Anomaly detection via kernel density estimation

Authors: Rob J. Hyndman, Sevvandi Kandanaarachchi, Katharine Turner
TLDR: An updated version of lookout algorithm using theoretical underpinnings of persistent homology.
We give theoretical proofs of bandwidth convergence and update the lookout algorithm accordingly. In addition, we scale the data using a robust multivariate scaling. These updates make the lookout algorithm more robust and efficient.

Extreme value modelling of feature residuals for anomaly detection in dynamic graphs

Authors: Sevvandi Kandanaarachchi, Rob J. Hyndman, Conrad Sanderson
Venue: 11th International Conference on Soft Computing & Machine Intelligence (ISCMI), 2024
TLDR: Model the network's time dynamics first, then use extreme value theory to flag true anomalies, reducing false positives.
The main components of the algorithm.
Detecting anomalies in evolving networks is crucial for applications such as identifying transport disruptions or cyber attacks, yet existing methods often struggle with high false positive rates and complex graph dynamics. This work introduces a new approach that explicitly models temporal dependencies by analysing time series of graph features and removing these effects by working with the residuals. Extreme Value Theory is then applied to the residuals to reliably identify truly abnormal behaviour, leading to more accurate detection with fewer false alarms.

Honeyboost: Boosting honeypot performance with data fusion and anomaly detection

Authors: Sevvandi Kandanaarachchi, Hideya Ochiai, Asha Rao
Venue: Expert Systems with Applications, 2022
TLDR: Honeyboost detects insider threats early by monitoring internal network traffic with low false positives, combining anomaly detection and honeypots inside the LAN rather than at the network perimeter.
Honeyboost sits within the local area network.
As insider cyber threats continue to rise, early detection within internal networks is becoming increasingly important. Honeyboost is a framework designed to predict malicious insider activity or malware by combining network anomaly detection with honeypots deployed inside the local network rather than at the perimeter. By using lookout—an anomaly detection method based on extreme value theory—Honeyboost achieves low false positive rates while identifying suspicious nodes before they interact with the honeypot. Through a combination of temporal (horizontal) and protocol‑specific (vertical) analysis, the framework provides effective, unsupervised detection of anomalous behaviour in LAN traffic, showing strong potential for early cyber‑attack prediction.

Detection of anomalous network nodes via hierarchical prediction and Extreme Value Theory

Authors: Sevvandi Kandanaarachchi, Mahdi Abolghasemi, Hideya Ochiai, Asha Rao, Conrad Sanderson
TLDR: Model ARP behaviour over time and use extreme value theory to spot truly abnormal activity, reducing false positives when detecting compromised devices in industrial networks.
As cyber‑attacks on industrial networks grow more sophisticated, traditional signature‑based defences are becoming less effective—especially once malware is already inside the network. Infected devices often reveal themselves through unusual patterns in Address Resolution Protocol (ARP) traffic. This work introduces a two‑stage approach that first models normal ARP behaviour using time‑series prediction, then applies Extreme Value Theory to reliably flag truly abnormal activity. By accounting for the heavy‑tailed nature of network traffic, the method significantly reduces false alarms, helping address alert fatigue while enabling more reliable detection of compromised devices.