Anomaly detection systems generally try to detect anomalous phenomena by collecting samples from a computer network at different granularities and abstraction levels (e.g., packets, flows, connections, sessions, etc.). An anomaly detection system may then convert the collected data into quantitative measurements, sometimes called features (e.g., the number of bytes exchanged between host A and host B during time interval T, or the number of packets exchanged between host A and server C in a given transaction). In some systems, these features are used as inputs to machine learning models trained to quantify how anomalous a particular sample is.
Typically, a machine learning-based anomaly detector outputs a set of records after each time interval. During a network attack or other anomalous event, however, this may produce a large number of anomalous records in a single interval, which may be too cumbersome for a user to assess.
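The following is an added example, not code from the original text or from any particular detection system. It shows the pipeline the two paragraphs above describe end to end: raw flow records are aggregated into per-interval features for each (source, destination) pair (bytes, packets and flow count over a time interval T), each record is scored against the history of earlier records, and records whose score crosses a threshold are emitted. A robust z-score (median and median absolute deviation) stands in for the trained model mentioned in the text; the interval length, the flow schema, the host addresses and the sample traffic are all constructed for illustration. The sample deliberately ends with a flooding interval so that the last paragraph's point is visible: one attack interval yields one anomalous record per attacking host, which is exactly the volume a user would have to wade through.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

INTERVAL = 60.0  # seconds per time interval T (assumed value for this example)


@dataclass(frozen=True)
class Flow:
    """One raw flow record as collected from the network (constructed schema)."""
    ts: float
    src: str
    dst: str
    bytes: int
    packets: int


def featurize(flows, interval=INTERVAL):
    """Convert raw flows into per-(interval, src, dst) features: bytes exchanged,
    packets exchanged and number of flows. Keys are (window index, src, dst)."""
    feats = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows": 0})
    for f in flows:
        key = (int(f.ts // interval), f.src, f.dst)
        feats[key]["bytes"] += f.bytes
        feats[key]["packets"] += f.packets
        feats[key]["flows"] += 1
    return dict(feats)


def robust_score(value, history):
    """Robust z-score of `value` against `history`: |x - median| / (1.4826 * MAD).
    A MAD of zero (a feature that never varied) would divide by zero, so fall
    back to a scale of 10% of the median, with a floor of 1.0."""
    if len(history) < 3:
        return 0.0  # not enough baseline to judge anything
    m = median(history)
    mad = median(abs(h - m) for h in history)
    scale = 1.4826 * mad if mad > 0 else max(0.1 * abs(m), 1.0)
    return abs(value - m) / scale


def score_windows(feats, threshold=3.5):
    """Score every (window, src, dst) record against all records seen earlier in
    window order and return those whose worst feature score reaches `threshold`.
    This simple statistical scorer stands in for the trained model in the text."""
    history = defaultdict(list)  # feature name -> values seen so far
    anomalous = []
    for (win, src, dst), fv in sorted(feats.items()):
        scores = {k: robust_score(v, history[k]) for k, v in fv.items()}
        worst_feature, worst = max(scores.items(), key=lambda kv: kv[1])
        if worst >= threshold:
            anomalous.append({"window": win, "src": src, "dst": dst,
                              "feature": worst_feature, "score": round(worst, 1), **fv})
        for k, v in fv.items():  # only after scoring, so a record never scores itself
            history[k].append(v)
    return anomalous


def records_per_window(records):
    """Count anomalous records per interval: the volume a user must assess."""
    counts = defaultdict(int)
    for r in records:
        counts[r["window"]] += 1
    return dict(counts)


def constructed_flows():
    """Constructed sample: six intervals of three clients talking to one server,
    plus ten new hosts flooding that server during the last interval."""
    flows = []
    for w in range(6):
        for i, host in enumerate(("10.0.0.1", "10.0.0.2", "10.0.0.3")):
            for k in range(4):
                flows.append(Flow(ts=w * INTERVAL + 10 * k, src=host, dst="10.0.0.100",
                                  bytes=1000 + 100 * i + 50 * ((w + k) % 3),
                                  packets=10 + i + (w + k) % 2))
    for j in range(10):
        for k in range(20):
            flows.append(Flow(ts=5 * INTERVAL + 2 * k, src=f"10.0.1.{j}",
                              dst="10.0.0.100", bytes=60000, packets=400))
    return flows


if __name__ == "__main__":
    records = score_windows(featurize(constructed_flows()))
    for r in records:
        print(r)
    print("anomalous records per window:", records_per_window(records))
```

Scoring each record only against history that predates it matters: appending a record before scoring it would let a flood shift the median toward itself. Even so, the history here is deliberately naive, since once the attacking hosts outnumber the baseline records the median and MAD would drift toward the attack values and later attackers would score as normal; a production detector keeps the baseline window bounded and per-entity rather than global.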