Junchi Xing,Chunming Wu

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162940

2020-01-01

Abstract:The widely used encryption of network traffic poses a great challenge to anomaly detection. Currently, the supervised and semi-supervised solutions suffer from the problems of noisy label of data, non-stationary traffic distribution, and huge resource consumption for offline training. To address this, in this paper, we present an unsupervised, robust, and online anomaly detection method for encrypted traffic by using deep dictionary learning, called D2LAD. D2LAD offers the potential to extract sequential features from raw encrypted traffic data with the help of an LSTM-based autoencoder. Then, according to the sequential features, D2LAD is able to explore the hidden normal patterns by iterative deep dictionary learning. Eventually, D2LAD can obtain the anomaly score of raw data by calculating its relevance to the deep dictionary. We implement a prototype of D2LAD and evaluate its effectiveness and performance by experiments using realistic datasets. The experimental results show that our method achieves high accuracy and low resource usage, and outperforms the representative state-of-the-art methods in real-world settings.

Wenhao Hu,Yingying Liu,Jiazhen Xu,Xuanyu Chen,Gaoang Wang

DOI: https://doi.org/10.1109/ICME55011.2023.00269

2023-01-01

Abstract:Anomaly detection aims at identifying deviant samples from the normal data distribution. Much progress has been made in recent years for anomaly detection with self-supervised representation learning. However, most existing approaches assume the training set contains either only clean normal samples or some labeled abnormal samples. With a contaminated unlabeled training set, the performance is degraded with unclear discrimination between normal and abnormal samples. To address the above challenge, in this paper, we propose a novel unsupervised representation learning framework that takes advantage of the extra information provided by the anomalies in the unlabeled contaminated data for anomaly detection. Specifically, anomaly discrimination learning with pseudo normality score generation and multi-instance contrastive learning is proposed for distinguishing abnormal samples from the unlabeled set. Meanwhile, we combine the discrimination learning with mean-shifted contrastive learning and distribution-shifting transformation classification into a multi-task representation learning framework to improve the stability and robustness of the training. Our proposed method achieves state-of-the-art performance on CIFAR-10, ImageNet-10, MNIST and F-MNIST datasets. Extensive ablation studies further demonstrate the effectiveness of different components of the proposed framework.

Paul Irofti,Iulian-Andrei Hîji,Andrei Pătraşcu,Nicolae Cleju

2024-04-05

Abstract:We study in this paper the improvement of one-class support vector machines (OC-SVM) through sparse representation techniques for unsupervised anomaly detection. As Dictionary Learning (DL) became recently a common analysis technique that reveals hidden sparse patterns of data, our approach uses this insight to endow unsupervised detection with more control on pattern finding and dimensions. We introduce a new anomaly detection model that unifies the OC-SVM and DL residual functions into a single composite objective, subsequently solved through K-SVD-type iterative algorithms. A closed-form of the alternating K-SVD iteration is explicitly derived for the new composite model and practical implementable schemes are discussed. The standard DL model is adapted for the Dictionary Pair Learning (DPL) context, where the usual sparsity constraints are naturally eliminated. Finally, we extend both objectives to the more general setting that allows the use of kernel functions. The empirical convergence properties of the resulting algorithms are provided and an in-depth analysis of their parametrization is performed while also demonstrating their numerical performance in comparison with existing methods.

Machine Learning,Cryptography and Security,Numerical Analysis

Denis C. Ilie-Ablachim,Bogdan Dumitrescu

DOI: https://doi.org/10.48550/arXiv.2307.08807

2023-07-18

Abstract:In this paper we present new methods of anomaly detection based on Dictionary Learning (DL) and Kernel Dictionary Learning (KDL). The main contribution consists in the adaption of known DL and KDL algorithms in the form of unsupervised methods, used for outlier detection. We propose a reduced kernel version (RKDL), which is useful for problems with large data sets, due to the large kernel matrix. We also improve the DL and RKDL methods by the use of a random selection of signals, which aims to eliminate the outliers from the training procedure. All our algorithms are introduced in an anomaly detection toolbox and are compared to standard benchmark results.

Machine Learning

Nico Goernitz,Marius Micha Kloft,Konrad Rieck,Ulf Brefeld

DOI: https://doi.org/10.1613/jair.3623

2014-01-23

Abstract:Anomaly detection is being regarded as an unsupervised learning task as anomalies stem from adversarial or unlikely events with unknown distributions. However, the predictive performance of purely unsupervised anomaly detection often fails to match the required detection rates in many tasks and there exists a need for labeled data to guide the model generation. Our first contribution shows that classical semi-supervised approaches, originating from a supervised classifier, are inappropriate and hardly detect new and unknown anomalies. We argue that semi-supervised anomaly detection needs to ground on the unsupervised learning paradigm and devise a novel algorithm that meets this requirement. Although being intrinsically non-convex, we further show that the optimization problem has a convex equivalent under relatively mild assumptions. Additionally, we propose an active learning strategy to automatically filter candidates for labeling. In an empirical study on network intrusion detection data, we observe that the proposed learning methodology requires much less labeled data than the state-of-the-art, while achieving higher detection accuracies.

Machine Learning

Zhe Feng,Jie Tang,Yishun Dou,Gangshan Wu

DOI: https://doi.org/10.1109/icassp39728.2021.9414285

2021-01-01

Abstract:Anomaly detection is the task of identifying unusual samples in data. Typically anomaly detection is defined on an unlabeled dataset that is assumed most of the samples are normal and others are anomalies. However, in industrial practice, one may have access to a part of annotated data. This gives us the potential for semi-supervised learning. In addition, existing methods assume all training data is normal and neglect the impact of a small number of anomalous samples. In this paper, we consolidate the model’s discriminative power by introducing a transfer learning scheme to anomaly detection, thereby the model suffers less perturbation caused by pollution. We also propose a novel loss function to further adapt to semi-supervised data scenario. We ensure that the contribution of pollution can be well suppressed and reach a harmonious balance in magnitude of loss/gradient between unlabeled and labeled samples. Experiments on three publicly available datasets show that our method achieves state-of-the-art results.

Guansong Pang,Longbing Cao,Charu Aggarwal

DOI: https://doi.org/10.1145/3437963.3441659

2021-03-08

Abstract:In this tutorial we aim to present a comprehensive survey of the advances in deep learning techniques specifically designed for anomaly detection (deep anomaly detection for short). Deep learning has gained tremendous success in transforming many data mining and machine learning tasks, but popular deep learning techniques are inapplicable to anomaly detection due to some unique characteristics of anomalies, e.g., rarity, heterogeneity, boundless nature, and prohibitively high cost of collecting large-scale anomaly data. Through this tutorial, audiences would gain a systematic overview of this area, learn the key intuitions, objective functions, underlying assumptions, advantages and disadvantages of different categories of state-of-the-art deep anomaly detection methods, and recognize its broad real-world applicability in diverse domains. We also discuss what challenges the current deep anomaly detection methods can address and envision this area from multiple different perspectives. Any audience who may be interested in deep learning, anomaly/outlier/novelty detection, out-of-distribution detection, representation learning with limited labeled data, and self-supervised representation learning would find it very helpful in attending this tutorial. Researchers and practitioners in finance, cybersecurity, healthcare would also find the tutorial helpful in practice.

Mahsa Mozaffari,Keval Doshi,Yasin Yilmaz

DOI: https://doi.org/10.3390/electronics12091971

IF: 2.9

2023-04-25

Electronics

Abstract:In this paper, we address the problem of detecting and learning anomalies in high-dimensional data-streams in real-time. Following a data-driven approach, we propose an online and multivariate anomaly detection method that is suitable for the timely and accurate detection of anomalies. We propose our method for both semi-supervised and supervised settings. By combining the semi-supervised and supervised algorithms, we present a self-supervised online learning algorithm in which the semi-supervised algorithm trains the supervised algorithm to improve its detection performance over time. The methods are comprehensively analyzed in terms of computational complexity, asymptotic optimality, and false alarm rate. The performances of the proposed algorithms are also evaluated using real-world cybersecurity datasets, that show a significant improvement over the state-of-the-art results.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yachao Yuan,Yu Huang,Yali Yuan,Jin Wang

2024-10-30

Abstract:The proliferation of the Internet of Things (IoT) has heightened the vulnerability to cyber threats, making it imperative to develop Anomaly Detection Systems (ADSs) capable of adapting to emerging or novel attacks. Prior research has predominantly concentrated on offline unsupervised learning techniques to protect ADSs, which are impractical for real-world applications. Furthermore, these studies often rely heavily on the assumption of known legitimate behaviors and fall short of meeting the interpretability requirements in security contexts, thereby hindering their practical adoption. In response, this paper introduces Adaptive NAD, a comprehensive framework aimed at enhancing and interpreting online unsupervised anomaly detection within security domains. We propose an interpretable two-layer anomaly detection approach that generates dependable, high-confidence pseudo-labels. Subsequently, we incorporate an online learning mechanism that updates Adaptive NAD using an innovative threshold adjustment method to accommodate new threats. Experimental findings reveal that Adaptive NAD surpasses state-of-the-art solutions by achieving improvements of over 5.4% and 23.0% in SPAUC on the CIC-Darknet2020 and CIC-DoHBrw-2020 datasets, respectively. The code for Adaptive NAD is publicly available at <a class="link-external link-https" href="https://github.com/MyLearnCodeSpace/Adaptive-NAD" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Signal Processing

Chao Chen,Dawei Wang,Feng Mao,Zongzhang Zhang,Yang Yu

DOI: https://doi.org/10.48550/arXiv.2208.14834

2022-10-26

Abstract:Semi-supervised Anomaly Detection (AD) is a kind of data mining task which aims at learning features from partially-labeled datasets to help detect outliers. In this paper, we classify existing semi-supervised AD methods into two categories: unsupervised-based and supervised-based, and point out that most of them suffer from insufficient exploitation of labeled data and under-exploration of unlabeled data. To tackle these problems, we propose Deep Anomaly Detection and Search (DADS), which applies Reinforcement Learning (RL) to balance exploitation and exploration. During the training process, the agent searches for possible anomalies with hierarchically-structured datasets and uses the searched anomalies to enhance performance, which in essence draws lessons from the idea of ensemble learning. Experimentally, we compare DADS with several state-of-the-art methods in the settings of leveraging labeled known anomalies to detect both other known anomalies and unknown anomalies. Results show that DADS can efficiently and precisely search anomalies from unlabeled data and learn from them, thus achieving good performance.

Machine Learning

Saikiran Bulusu,Bhavya Kailkhura,Bo Li,Pramod K. Varshney,Dawn Song

DOI: https://doi.org/10.48550/arXiv.2003.06979

2021-02-20

Abstract:Deep Learning (DL) is vulnerable to out-of-distribution and adversarial examples resulting in incorrect outputs. To make DL more robust, several posthoc (or runtime) anomaly detection techniques to detect (and discard) these anomalous samples have been proposed in the recent past. This survey tries to provide a structured and comprehensive overview of the research on anomaly detection for DL based applications. We provide a taxonomy for existing techniques based on their underlying assumptions and adopted approaches. We discuss various techniques in each of the categories and provide the relative strengths and weaknesses of the approaches. Our goal in this survey is to provide an easier yet better understanding of the techniques belonging to different categories in which research has been done on this topic. Finally, we highlight the unsolved research challenges while applying anomaly detection techniques in DL systems and present some high-impact future research directions.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Junlin Zhou,Aleksandar Lazarevic,Kuo-Wei Hsu,Jaideep Srivastava,Yan Fu,Yue Wu

DOI: https://doi.org/10.1142/s0219622010004172

2010-01-01

International Journal of Information Technology & Decision Making

Abstract:Anomaly detection has recently become an important problem in many industrial and financial applications. Very often, the databases from which anomalies have to be found are located at multiple local sites and cannot be merged due to privacy reasons or communication overhead. In this paper, a novel general framework for distributed anomaly detection is proposed. The proposed method consists of three steps: (i) building local models for distributed data sources with unsupervised anomaly detection methods and computing quality measure of local models; (ii) transforming local unsupervised local models into sharing models; and (iii) reusing sharing models for new data and combining their results by considering both quality and diversity of them to detect anomalies in a global view. In experiments performed on synthetic and real-life large data set, the proposed distributed anomaly detection method achieved prediction performance comparable or even slightly better than the global anomaly detection algorithm applied on the data set obtained when all distributed data set were merged.

Guansong Pang,Anton van den Hengel,Chunhua Shen,Longbing Cao

DOI: https://doi.org/10.1145/3447548.3467417

2021-06-10

Abstract:We consider the problem of anomaly detection with a small set of partially labeled anomaly examples and a large-scale unlabeled dataset. This is a common scenario in many important applications. Existing related methods either exclusively fit the limited anomaly examples that typically do not span the entire set of anomalies, or proceed with unsupervised learning from the unlabeled data. We propose here instead a deep reinforcement learning-based approach that enables an end-to-end optimization of the detection of both labeled and unlabeled anomalies. This approach learns the known abnormality by automatically interacting with an anomaly-biased simulation environment, while continuously extending the learned abnormality to novel classes of anomaly (i.e., unknown anomalies) by actively exploring possible anomalies in the unlabeled data. This is achieved by jointly optimizing the exploitation of the small labeled anomaly data and the exploration of the rare unlabeled anomalies. Extensive experiments on 48 real-world datasets show that our model significantly outperforms five state-of-the-art competing methods.

Machine Learning,Artificial Intelligence,Cryptography and Security,Computer Vision and Pattern Recognition

Kai Tian,Shuigeng Zhou,Jianping Fan,Jihong Guan

DOI: https://doi.org/10.48550/arXiv.1903.07058

2019-03-17

Abstract:Most of the existing methods for anomaly detection use only positive data to learn the data distribution, thus they usually need a pre-defined threshold at the detection stage to determine whether a test instance is an outlier. Unfortunately, a good threshold is vital for the performance and it is really hard to find an optimal one. In this paper, we take the discriminative information implied in unlabeled data into consideration and propose a new method for anomaly detection that can learn the labels of unlabelled data directly. Our proposed method has an end-to-end architecture with one encoder and two decoders that are trained to model inliers and outliers' data distributions in a competitive way. This architecture works in a discriminative manner without suffering from overfitting, and the training algorithm of our model is adopted from SGD, thus it is efficient and scalable even for large-scale datasets. Empirical studies on 7 datasets including KDD99, MNIST, Caltech-256, and ImageNet etc. show that our model outperforms the state-of-the-art methods.

Machine Learning

Lorenzo Perini,Jesse Davis

2023-10-18

Abstract:Anomaly detection aims at detecting unexpected behaviours in the data. Because anomaly detection is usually an unsupervised task, traditional anomaly detectors learn a decision boundary by employing heuristics based on intuitions, which are hard to verify in practice. This introduces some uncertainty, especially close to the decision boundary, that may reduce the user trust in the detector's predictions. A way to combat this is by allowing the detector to reject examples with high uncertainty (Learning to Reject). This requires employing a confidence metric that captures the distance to the decision boundary and setting a rejection threshold to reject low-confidence predictions. However, selecting a proper metric and setting the rejection threshold without labels are challenging tasks. In this paper, we solve these challenges by setting a constant rejection threshold on the stability metric computed by ExCeeD. Our insight relies on a theoretical analysis of such a metric. Moreover, setting a constant threshold results in strong guarantees: we estimate the test rejection rate, and derive a theoretical upper bound for both the rejection rate and the expected prediction cost. Experimentally, we show that our method outperforms some metric-based methods.

Machine Learning

Alireza Vafaei Sadr,Bruce A. Bassett,Emmanuel Sekyi

DOI: https://doi.org/10.48550/arXiv.2210.16334

2022-10-29

Abstract:Anomaly detection algorithms are typically applied to static, unchanging, data features hand-crafted by the user. But how does a user systematically craft good features for anomalies that have never been seen? Here we couple deep learning with active learning -- in which an Oracle iteratively labels small amounts of data selected algorithmically over a series of rounds -- to automatically and dynamically improve the data features for efficient outlier detection. This approach, AHUNT, shows excellent performance on MNIST, CIFAR10, and Galaxy-DESI data, significantly outperforming both standard anomaly detection and active learning algorithms with static feature spaces. Beyond improved performance, AHUNT also allows the number of anomaly classes to grow organically in response to Oracle's evaluations. Extensive ablation studies explore the impact of Oracle question selection strategy and loss function on performance. We illustrate how the dynamic anomaly class taxonomy represents another step towards fully personalized rankings of different anomaly classes that reflect a user's interests, allowing the algorithm to learn to ignore statistically significant but uninteresting outliers (e.g., noise). This should prove useful in the era of massive astronomical datasets serving diverse sets of users who can only review a tiny subset of the incoming data.

Machine Learning,Instrumentation and Methods for Astrophysics,Artificial Intelligence,High Energy Physics - Experiment,Data Analysis, Statistics and Probability

Xinggan Peng,Hanhui Li,Feng Yuan,Sirajudeen Gulam Razul,Zhebin Chen,Zhiping Lin

DOI: https://doi.org/10.1016/j.neucom.2022.06.042

IF: 6

2022-01-01

Neurocomputing

Abstract:Unsupervised anomaly detection in time series remains challenging, due to the rare and complex patterns of anomalous data. Previous change point detection methods based on extreme learning machine and mutual information (ELM-MI) are potential solutions for this problem. However, the kernels in these methods are randomly initialized on test data, which imposes a constraint that these methods can only be used for offline inference. Moreover, these methods are limited in utilizing temporal contexts, and require the ensemble of multiple models to improve the robustness. To tackle these problems, we introduce a multivariate ELM-MI framework, and combine it with a dynamic kernel selection method, which performs a hierarchical clustering procedure on unlabeled training data and utilizes the clusters to determine the kernels in ELM-MI. In this way, our method can tackle the unsupervised online detection of various anomalous (e.g., point anomalies and group anomalies) and reduce the computational cost. Extensive experiments on three public datasets and our collection of real-life 4G Long-Term Evolution data demonstrate that the proposed method outperforms state-of-the-art methods in terms of effectiveness and efficiency. For demo, see this link: https://personal.ntu.edu.sg/ezplin/NC-demo.htm.

Felix Meissen,Johannes Getzner,Alexander Ziller,Georgios Kaissis,Daniel Rueckert

2023-12-06

Abstract:Unsupervised anomaly detection (UAD) alleviates large labeling efforts by training exclusively on unlabeled in-distribution data and detecting outliers as anomalies. Generally, the assumption prevails that large training datasets allow the training of higher-performing UAD models. However, in this work, we show that using only very few training samples can already match - and in some cases even improve - anomaly detection compared to training with the whole training dataset. We propose three methods to identify prototypical samples from a large dataset of in-distribution samples. We demonstrate that by training with a subset of just ten such samples, we achieve an area under the receiver operating characteristics curve (AUROC) of $96.37 \%$ on CIFAR10, $92.59 \%$ on CIFAR100, $95.37 \%$ on MNIST, $95.38 \%$ on Fashion-MNIST, $96.37 \%$ on MVTec-AD, $98.81 \%$ on BraTS, and $81.95 \%$ on RSNA pneumonia detection, even exceeding the performance of full training in $25/67$ classes we tested. Additionally, we show that the prototypical in-distribution samples identified by our proposed methods translate well to different models and other datasets and that using their characteristics as guidance allows for successful manual selection of small subsets of high-performing samples. Our code is available at https://anonymous.4open.science/r/uad_prototypical_samples/

Computer Vision and Pattern Recognition

Seungdong Yoa,Seungjun Lee,Chiyoon Kim,Hyunwoo J Kim

DOI: https://doi.org/10.1109/access.2021.3124525

IF: 3.9

2021-01-01

IEEE Access

Abstract:Anomaly detection is an important problem for recent advances in machine learning. To this end, many attempts have emerged to detect unknown anomalies of the images by learning representations and designing score functions. In this paper, we propose a simple yet effective framework for unsupervised anomaly detection using self-supervised learning. We extend conventional self-supervised learning for an anomaly detection problem. In anomaly detection, anomalous patterns appear in the local regions of an image, so we employ dynamic local augmentation to generate a negative pair of the images from the normal training dataset. Specifically, in addition to learning the global representation of an image, our framework contrasts a normal sample to a locally augmented sample. To effectively apply the local augmentations regardless of a category or a random location of an image, we use dynamically weighted local augmentations to generate more suitable negative samples. We also present a novel scoring function for detecting unseen anomalous patterns. Our experiment demonstrates the effectiveness of our method, and we show that our framework achieves competitive performance compared to state-of-the-art methods on MVTec Anomaly Detection dataset.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lucas Correia,Jan-Christoph Goos,Philipp Klein,Thomas Bäck,Anna V. Kononova

DOI: https://doi.org/10.1016/j.engappai.2024.109323

2024-09-19

Abstract:Time-series anomaly detection plays an important role in engineering processes, like development, manufacturing and other operations involving dynamic systems. These processes can greatly benefit from advances in the field, as state-of-the-art approaches may aid in cases involving, for example, highly dimensional data. To provide the reader with understanding of the terminology, this survey introduces a novel taxonomy where a distinction between online and offline, and training and inference is made. Additionally, it presents the most popular data sets and evaluation metrics used in the literature, as well as a detailed analysis. Furthermore, this survey provides an extensive overview of the state-of-the-art model-based online semi- and unsupervised anomaly detection approaches for multivariate time-series data, categorising them into different model families and other properties. The biggest research challenge revolves around benchmarking, as currently there is no reliable way to compare different approaches against one another. This problem is two-fold: on the one hand, public data sets suffers from at least one fundamental flaw, while on the other hand, there is a lack of intuitive and representative evaluation metrics in the field. Moreover, the way most publications choose a detection threshold disregards real-world conditions, which hinders the application in the real world. To allow for tangible advances in the field, these issues must be addressed in future work.

Machine Learning,Artificial Intelligence,Systems and Control