Use sweep or stats::mahalanobis (the latter does give the same results and is faster).

Found no calls to: 'R_registerRoutines', 'R_useDynamicSymbols'

Switching to RcppArmadillo makes horns_curve roughly five times faster!

#include <RcppArmadillo.h>
using namespace Rcpp;

// [[Rcpp::depends(RcppArmadillo)]]
// [[Rcpp::export]]

arma::mat horns_curve_cpp(int n, int p, int nsim) {
  arma::mat M(n,p);
  arma::mat C(p,p);
  arma::vec E(p);
  arma::mat EM(nsim, p);
  arma::vec EV(p);
  for(int i = 0; i < nsim; ++i) {
    M = arma::randn(n, p);
    C = arma::cov(M);
    E = arma::eig_sym(C);
    EM.row(i) = arma::sort(E, "descend").t();
  }
  EV = arma::mean(EM, 0).t();
  return EV;
}


/*** R
# Load required packages
library(anomalyDetection)
library(ggplot2)
library(microbenchmark)

# Faster horns_curve function
horns_curve_2 <- function(x) {
  horns_curve_cpp(n = nrow(x), p = ncol(x), nsim = 1000)
}

# Security logs data
x <- security_logs %>%
  tabulate_state_vector(10)

# Compare values
head(cbind(horns_curve(x), horns_curve_2(x)))
plot(horns_curve(x), horns_curve_2(x))
abline(0, 1)

# Compare speed
mb <- microbenchmark(
  horns_curve(x),
  horns_curve_2(x),
  times = 100L
)
autoplot(mb)
*/

In security_logs data frame, Src_Port and Dst_Port are integers and get summed when you create your state vector creation. "host (website) addresses and port numbers are necessarily part of the underlying TCP/IP protocols", so ports should be of character data type just like IP address.

This changes some of your results listed out in introduction.Rmd. Still after changing the data types, this data's boxplot calculations after multivariate analysis still show interesting outliers!

+1 for this package from me.

Reviewer comment: Another area to explore would be distributable systems like spark and SparkR where such a tool would be welcome.

This is a great point, we should look to see how we can leverage packages like SparkR to make anomalyDetection directly compatible with distributed systems.

horns_curve has been made into a generic and the number of Monte Carlo simulations has been exposed as one of the function's arguments. The testthat tests will need to be updated to reflect some of these changes.

Might be worth considering alternative metrics in the future, for example: https://cs.nju.edu.cn/zhouzh/zhouzh.files/publication/icdm08b.pdf.

Consider using caret::findCorrelation for identifying which columns to remove. caret is already imported and would eliminate the need for importing qdapTools. Will need to check consistency and compare speed.

Warning in install.packages :
package ‘anomalyDetection’ is not available (for R version 3.5.2)

MASS::ginv's default tolerance produces a very inaccurate inverse of the covariance matrix whenever column Dst_Port is included. This will be fixed once the C++ version is incorporated.