What makes it hard? There’s more!
● Interested in sequential and temporal anomalies, not just point anomalies.
● Mixed data types with varying proportions of categorical, boolean, and numerical data.
● Context is important.
● Hard to distinguish between noise, anomalies, and actual security events.
High anomaly score ≠ Threat.
see, e.g., Sommer & Paxson, 2010
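To make the first and last bullets concrete, here is an added example (not from the slides, and not code from Sommer & Paxson) on constructed session data: a point-anomaly score (rarity of each event on its own) and a sequential score (rarity of each transition) rank the same two sessions in opposite order, and the session the point model flags hardest is a rare but perfectly normal action.

```python
from collections import Counter
from math import log

# Constructed training sessions of categorical events (an assumption for this
# example, not data from the slides). "export" is rare but appears in normal traffic.
TRAIN = [
    ["login", "read", "read", "logout"],
    ["login", "read", "write", "logout"],
    ["login", "write", "read", "logout"],
    ["login", "read", "read", "read", "logout"],
    ["login", "export", "logout"],
]
VOCAB = sorted({e for seq in TRAIN for e in seq})


def point_model(train):
    """Point-anomaly view: -log p(event), add-one smoothed; event order is ignored."""
    counts = Counter(e for seq in train for e in seq)
    total = sum(counts.values())
    return lambda e: -log((counts[e] + 1) / (total + len(VOCAB)))


def sequence_model(train):
    """Sequential view: -log p(next | prev), add-one smoothed; the order is what gets scored."""
    pair, prev = Counter(), Counter()
    for seq in train:
        for a, b in zip(seq, seq[1:]):
            pair[(a, b)] += 1
            prev[a] += 1
    return lambda a, b: -log((pair[(a, b)] + 1) / (prev[a] + len(VOCAB)))


def score_session(seq, train=TRAIN):
    """Return (max point score, max transition score) for one session."""
    p, s = point_model(train), sequence_model(train)
    point = max(p(e) for e in seq)
    trans = max(s(a, b) for a, b in zip(seq, seq[1:]))
    return point, trans


if __name__ == "__main__":
    # Every event here is common, but the transitions login->logout and
    # logout->login never occur in training: a sequential anomaly, invisible to the point model.
    odd_order = ["login", "logout", "login", "logout"]
    # A rare but legitimate action: the point model gives it the highest score of the two.
    rare_event = ["login", "export", "logout"]
    for name, seq in [("odd_order", odd_order), ("rare_event", rare_event)]:
        print(name, "point=%.2f transition=%.2f" % score_session(seq))
```

The point model ranks the legitimate export session above the odd-order session, while the transition model reverses that ranking; neither score by itself says which one is a security event.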