Suhwan Lee,Xixi Lu,Hajo A. Reijers

DOI: https://doi.org/10.48550/arXiv.2203.09619

2022-03-18

Abstract:Anomaly detection in process mining focuses on identifying anomalous cases or events in process executions. The resulting diagnostics are used to provide measures to prevent fraudulent behavior, as well as to derive recommendations for improving process compliance and security. Most existing techniques focus on detecting anomalous cases in an offline setting. However, to identify potential anomalies in a timely manner and take immediate countermeasures, it is necessary to detect event-level anomalies online, in real-time. In this paper, we propose to tackle the online event anomaly detection problem using next-activity prediction methods. More specifically, we investigate the use of both ML models (such as RF and XGBoost) and deep models (such as LSTM) to predict the probabilities of next-activities and consider the events predicted unlikely as anomalies. We compare these predictive anomaly detection methods to four classical unsupervised anomaly detection approaches (such as Isolation forest and LOF) in the online setting. Our evaluation shows that the proposed method using ML models tends to outperform the one using a deep model, while both methods outperform the classical unsupervised approaches in detecting anomalous events.

Machine Learning,Databases

Yan Fu,Jun-Lin Zhou,Yue Wu

DOI: https://doi.org/10.1109/icacia.2008.4770026

2008-01-01

Abstract:Outlier detection over data streams has attracted attention for many emerging applications, such as network intrusion detection, web click stream and aircraft health anomaly detection. Since the data stream is likely to change over time, it is important to be able to modify the outlier detection model appropriately with the evolution of the stream. Most existing approaches were using incremental or periodical models to deal with evolving stream data. However, in these approaches, model updates were either more frequently and risk wasting resources on insignificant changes or more infrequently and risk model inaccuracy. In this paper, a hybrid framework by combining LOF (Local outlier Factor) and BPNN (Back propagation Neural Network), appropriate for online detecting outliers in data streams, is proposed. The proposed framework provides equivalent detection performance as the iterated static LOF algorithm (applied after insertion of each data record), while requiring significantly less computational time.

Tianyuan Lu,Lei Wang,Xiaoyong Zhao

DOI: https://doi.org/10.3390/app13106353

2023-05-22

Applied Sciences

Abstract:With the rapid development of emerging technologies such as self-media, the Internet of Things, and cloud computing, massive data applications are crossing the threshold of the era of real-time analysis and value realization, which makes data streams ubiquitous in all kinds of industries. Therefore, detecting anomalies in such data streams could be very important and full of challenges. For example, in industries such as electricity and finance, data stream anomalies often contain information that can help avoiding risks and support decision making. However, most traditional anomaly detection algorithms rely on acquiring global information about the data, which is hard to apply to stream data scenarios. Currently, the reviews of the algorithm in the field of anomaly detection, both domestically and internationally, tend to focus on the exposition of anomaly detection algorithms in static data environments, while lacking in the induction and analysis of anomaly detection algorithms in the context of streaming data. As a result, unlike the existing literature reviews, this review provides the current mainstream anomaly detection algorithms in data streaming scenarios and categorizes them into three types on the basis of their fundamental principles: (1) based on offline learning; (2) based on semi-online learning; (3) based on online learning. This review discusses the current state of research on data stream anomaly detection and studies the key issues in various algorithms for detecting anomalies in data streams on the basis of concise summarization. Moreover, the review conducts a detailed comparison of the pros and cons of the algorithms. Finally, the future challenges in the field are analyzed, and future research directions are proposed.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Chengkun He,Xiangmin Zhou,Chen Wang,Iqbal Gondal,Jie Shao,Xun Yi

2023-12-02

Abstract:Social video anomaly is an observation in video streams that does not conform to a common pattern of dataset's behaviour. Social video anomaly detection plays a critical role in applications from e-commerce to e-learning. Traditionally, anomaly detection techniques are applied to find anomalies in video broadcasting. However, they neglect the live social video streams which contain interactive talk, speech, or lecture with audience. In this paper, we propose a generic framework for effectively online detecting Anomalies Over social Video LIve Streaming (AOVLIS). Specifically, we propose a novel deep neural network model called Coupling Long Short-Term Memory (CLSTM) that adaptively captures the history behaviours of the presenters and audience, and their mutual interactions to predict their behaviour at next time point over streams. Then we well integrate the CLSTM with a decoder layer, and propose a new reconstruction error-based scoring function $RE_{IA}$ to calculate the anomaly score of each video segment for anomaly detection. After that, we propose a novel model update scheme that incrementally maintains CLSTM and decoder. Moreover, we design a novel upper bound and ADaptive Optimisation Strategy (ADOS) for improving the efficiency of our solution. Extensive experiments are conducted to prove the superiority of AOVLIS.

Computer Vision and Pattern Recognition

Alireza Ostovar,Abderrahmane Maaradji,Marcello La Rosa,Arthur H. M. ter Hofstede,Boudewijn F. V. van Dongen

DOI: https://doi.org/10.1007/978-3-319-46397-1_26

2016-01-01

Abstract:Existing business process drift detection methods do not work with event streams. As such, they are designed to detect intertrace drifts only, i.e. drifts that occur between complete process executions (traces), as recorded in event logs. However, process drift may also occur during the execution of a process, and may impact ongoing executions. Existing methods either do not detect such intra-trace drifts, or detect them with a long delay. Moreover, they do not perform well with unpredictable processes, i.e. processes whose logs exhibit a high number of distinct executions to the total number of executions. We address these two issues by proposing a fully automated and scalable method for online detection of process drift from event streams. We perform statistical tests over distributions of behavioral relations between events, as observed in two adjacent windows of adaptive size, sliding along with the stream. An extensive evaluation on synthetic and real-life logs shows that our method is fast and accurate in the detection of typical change patterns, and performs significantly better than the state of the art.

ZHENG Jun,HU Ming-zeng,YUN Xiao-chun,ZHENG Zhong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.001

2006-01-01

Abstract:The anomaly detection algorithms of the large scale network(LSN) were required to analysis the vast network traffic of G bit level in real-time and on-the-fly.A novel monitoring mechanism of LSN anomaly detection based on the data stream approach was proposed.The main contributions included: the sketch data structure and the frequent sketch algorithm of data streams were designed for anomaly detection of LSN.Optimized query methods were designed for customizing the security monitoring and detection policy with the correlations of multi data streams.The data reduction was proposed to make it possible that the whole network traffic character could be got using a few of special data streams.The experiments of the real networking environments validate the effectivity of LSN anomaly detection methods.

Yitong Liu,Caiyun Liu,Jun Li,Yan Sun

DOI: https://doi.org/10.1007/978-981-97-2757-5_49

2024-01-01

Abstract:In today's information age, with the rapid development of network technology and a large number of applications of sensors in daily life. The number of various types of data has shown a great growth. These data not only bring us convenience and benefits, but also pose a great challenge to us, that is, how to explore the information of the data and effectively analyze the specific significance contained in the data has become a hot research direction. In the large amount of data obtained, most of the data are in the normal state and only represent the basic "value" information. Compared with the data in the normal state, the information carried by a small part of the data is more worthy of attention. The emergence of these data is the so-called "exception". The occurrence of exceptions indicates that the system that should be running normally has changed, and these changes often have a negative impact on the system. Looking at these applications, it is not difficult to find that the actual frequency of these anomalies accounts for a very small proportion compared with a large number of normal time, but its value is very huge. Therefore, real-time online anomaly detection of convective data has very important value and significance for scientific research and industrial application. In the process of this research, I have a more comprehensive and detailed understanding of the research field of "anomaly detection of stream data" through theoretical learning, apply the deep learning model to anomaly detection of stream data, and test the performance of the model through experiments. By comparing the performance of traditional anomaly detection algorithms, unsupervised and semi supervised machine learning models and neural networks such as LSTM/HTM in stream data anomaly detection, we try to find an algorithm that can detect stream data information in real time and provide anomaly alarm in time.

Mahsa Mozaffari,Keval Doshi,Yasin Yilmaz

DOI: https://doi.org/10.3390/electronics12091971

IF: 2.9

2023-04-25

Electronics

Abstract:In this paper, we address the problem of detecting and learning anomalies in high-dimensional data-streams in real-time. Following a data-driven approach, we propose an online and multivariate anomaly detection method that is suitable for the timely and accurate detection of anomalies. We propose our method for both semi-supervised and supervised settings. By combining the semi-supervised and supervised algorithms, we present a self-supervised online learning algorithm in which the semi-supervised algorithm trains the supervised algorithm to improve its detection performance over time. The methods are comprehensively analyzed in terms of computational complexity, asymptotic optimality, and false alarm rate. The performances of the proposed algorithms are also evaluated using real-world cybersecurity datasets, that show a significant improvement over the state-of-the-art results.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiufeng Liu,Per Sieverts Nielsen

DOI: https://doi.org/10.48550/arXiv.1606.05781

2016-06-19

Abstract:With the widely used smart meters in the energy sector, anomaly detection becomes a crucial mean to study the unusual consumption behaviors of customers, and to discover unexpected events of using energy promptly. Detecting consumption anomalies is, essentially, a real-time big data analytics problem, which does data mining on a large amount of parallel data streams from smart meters. In this paper, we propose a supervised learning and statistical-based anomaly detection method, and implement a Lambda system using the in-memory distributed computing framework, Spark and its extension Spark Streaming. The system supports not only iterative detection model refreshment from scalable data sets, but also real-time detection on scalable live data streams. This paper empirically evaluates the system and the detection algorithm, and the results show the effectiveness and the scalability of the proposed lambda detection system.

Databases

Wei Xu,Ling Huang,Armando Fox,David Patterson,Michael Jordan

DOI: https://doi.org/10.1109/icdm.2009.19

2009-01-01

Abstract:We describe a novel application of using data mining and statistical learning methods to automatically monitor and detect abnormal execution traces from console logs in an online setting. Different from existing solutions, we use a two stage detection system. The first stage uses frequent pattern mining and distribution estimation techniques to capture the dominant patterns (both frequent sequences and time duration). The second stage use principal component analysis based anomaly detection technique to identify actual problems. Using real system data from a 203-node Hadoop [1] cluster, we show that we can not only achieve highly accurate and fast problem detection, but also help operators better understand execution patterns in their system.

Nadun Wijesinghe,Hadi Hemmati

2023-10-31

Abstract:Most enterprise applications use logging as a mechanism to diagnose anomalies, which could help with reducing system downtime. Anomaly detection using software execution logs has been explored in several prior studies, using both classical and deep neural network-based machine learning models. In recent years, the research has largely focused in using variations of sequence-based deep neural networks (e.g., Long-Short Term Memory and Transformer-based models) for log-based anomaly detection on open-source data. However, they have not been applied in industrial datasets, as often. In addition, the studied open-source datasets are typically very large in size with logging statements that do not change much over time, which may not be the case with a dataset from an industrial service that is relatively new. In this paper, we evaluate several state-of-the-art anomaly detection models on an industrial dataset from our research partner, which is much smaller and loosely structured than most large scale open-source benchmark datasets. Results show that while all models are capable of detecting anomalies, certain models are better suited for less-structured datasets. We also see that model effectiveness changes when a common data leak associated with a random train-test split in some prior work is removed. A qualitative study of the defects' characteristics identified by the developers on the industrial dataset further shows strengths and weaknesses of the models in detecting different types of anomalies. Finally, we explore the effect of limited training data by gradually increasing the training set size, to evaluate if the model effectiveness does depend on the training set size.

Machine Learning,Software Engineering

Daoyu Kan,Xianwen Fang

DOI: https://doi.org/10.1007/s00530-023-01199-3

IF: 3.9

2024-01-20

Multimedia Systems

Abstract:Anomaly detection is widely used in the field of business process management, and researchers have proposed various anomaly detection algorithms to detect anomalies in event logs. However, existing research focuses on detecting anomalies in event logs at the data level, ignoring the problem of anomalies caused by event log control flow, especially behavioral relationships, and identifying behavioral anomalies as normal, leading to an increase in the false-negative rate of anomaly detection results, which negatively affects the performance of process mining. To solve the above problems, this article proposes an auto-encoder-based anomaly detection approach to achieve the detection of behavioral relationship anomalies in event logs through the reconstruction error between images. The approach first considers event logs containing behavioral relationships, converts the logs into images as input to the auto-encoder, and analyses the reconstruction error between images to propose a reconstruction error threshold for anomaly detection. The algorithm is able to achieve anomaly detection of behavioral relationships in event logs and reduce the false-negative rate of anomaly detection results. Experiments on synthetic datasets and real datasets show that the proposed approach can improve the recall rate and F1-score of event log anomaly detection effectively.

computer science, information systems, theory & methods

Shangbin Han,Qianhong Wu,Han Zhang,Bo Qin,Jiankun Hu,Xingang Shi,Linfeng Liu,Xia Yin

DOI: https://doi.org/10.1109/tifs.2021.3053371

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cloud technology has brought great convenience to enterprises as well as customers. System logs record notable events and are becoming valuable resources to track and investigate system status. Detecting anomaly from logs as fast as possible can improve the quality of service significantly. Although many machine learning algorithms (e.g., SVM, Logistic Regression) have high detection accuracy, we find that they assume data are clean and might have high training time. Facing these challenges, in this paper, we propose Robust Online Evolving Anomaly Detection (ROEAD) framework which adopts Robust Feature Extractor (RFE) to remove the effects of noise and Online Evolving Anomaly Detection (OEAD) to dynamic update parameters. We propose Online Evolving SVM (OES) algorithm as the example of online anomaly detection methods. We analyze the performance of OES in theory and prove the performance difference between OES and the best hypothesis tends to zero as time goes infinity. We compare the performance of ROEAD against state-of-the-art anomaly detection algorithms using public log datasets. The results demonstrate that ROEAD is able to remove the effects of noise and OES can improve the detection accuracy by more than 40%.

computer science, theory & methods,engineering, electrical & electronic

O. Moiseienko

DOI: https://doi.org/10.33042/2522-1809-2024-3-184-16-22

2024-06-07

Municipal economy of cities

Abstract:Detection of anomalies in streaming time series data has become an important research topic due to the wide range of possible applications, including the detection of extreme weather conditions, malicious attacks on protected facilities, monitoring unauthorised gas and oil leaks, illegal pipeline connections, power cable faults, and water and other environmental pollution. Rapid detection of abnormal conditions and identifying these critical events is essential to protect lives and assets. Therefore, developing appropriate systems and detection methods is an urgent task. Anomaly detection in streaming data is challenging due to its large volume and high speed, presence of noise, and non-stationarity of the signal (or ‘concept drift’). The latter significantly complicates the identification of differences between new ‘typical’ behaviour and abnormal events. Solving this problem requires the algorithm for processing such data to learn and adapt to changing conditions. The paper proposes a modification of the algorithm for detecting anomalies in time series. This algorithm provides early detection of abnormal series in a massive collection of non-stationary streaming time series data. Anomalies are observations that are highly improbable given the previous time series values. The proposed approach is based on the primary detection of the predictive limit for the typical system behaviour using the theory of extreme values, followed by checking for the abnormality of the following series using the sliding window technique. The time series parameters are used as input data and compared by density distribution to detect any significant changes in the distribution of the characteristics. It allows the decision-making model to automatically adapt to the changing environment according to detected changes. Since anomalies are, by definition, exceptions to the typical behaviour of a system, most of the available stored data should reflect that typical behaviour of the system in question. It is unnecessary to have representative samples of all possible types of the standard behaviour of a given system for the algorithm to work well. The basic idea is to have a warm-up data set to obtain initial values for the decision model parameters. It makes it possible to determine if there is any significant difference between the last typical behaviour and the new typical behaviour. The proposed algorithm demonstrates its performance under conditions of noisy non-stationary data in several time series classes. Keywords: concept drift, extreme value theory, multivariate time series, outlier detection.

Subutai Ahmad,Alexander Lavin,Scott Purdy,Zuha Agha

DOI: https://doi.org/10.1016/j.neucom.2017.04.070

IF: 6

2017-11-01

Neurocomputing

Abstract:We are seeing an enormous increase in the availability of streaming, time-series data. Largely driven by the rise of connected real-time data sources, this data presents technical challenges and opportunities. One fundamental capability for streaming analytics is to model each stream in an unsupervised fashion and detect unusual, anomalous behaviors in real-time. Early anomaly detection is valuable, yet it can be difficult to execute reliably in practice. Application constraints require systems to process data in real-time, not batches. Streaming data inherently exhibits concept drift, favoring algorithms that learn continuously. Furthermore, the massive number of independent streams in practice requires that anomaly detectors be fully automated. In this paper we propose a novel anomaly detection algorithm that meets these constraints. The technique is based on an online sequence memory algorithm called Hierarchical Temporal Memory (HTM). We also present results using the Numenta Anomaly Benchmark (NAB), a benchmark containing real-world data streams with labeled anomalies. The benchmark, the first of its kind, provides a controlled open-source environment for testing anomaly detection algorithms on streaming data. We present results and analysis for a wide range of algorithms on this benchmark, and discuss future challenges for the emerging field of streaming analytics.

computer science, artificial intelligence

Swapneel Mehta,Prasanth Kothuri,Daniel Lanza Garcia

DOI: https://doi.org/10.48550/arXiv.1812.01941

2018-12-01

Abstract:We leverage a streaming architecture based on ELK, Spark and Hadoop in order to collect, store, and analyse database connection logs in near real-time. The proposed system investigates outliers using unsupervised learning; widely adopted clustering and classification algorithms for log data, highlighting the subtle variances in each model by visualisation of outliers. Arriving at a novel solution to evaluate untagged, unfiltered connection logs, we propose an approach that can be extrapolated to a generalised system of analysing connection logs across a large infrastructure comprising thousands of individual nodes and generating hundreds of lines in logs per second.

Machine Learning,Distributed, Parallel, and Cluster Computing

Renfang Wang,Hong Qiu,Cheng Xu,Xiufeng Liu

DOI: https://doi.org/10.1016/j.jii.2023.100507

IF: 11.718

2023-08-04

Journal of Industrial Information Integration

Abstract:Online anomaly detection is a key challenge for industrial internet of things (IIoT) applications, as anomalies may occur in data streams from sensors and cause losses or damages. However, most existing methods for online anomaly detection have limitations in efficiency, effectiveness and timeliness, especially with the massive and distributed data streams from IIoT devices. Therefore, developing a data stream processing framework to discover anomalies in time and ensure the proper operation of the system is an urgent issue for IIoT. In this paper, we propose a flexible stream processing framework that enables online anomaly detection for IIoT applications. The framework exploits a distributed computing architecture based on docker containers to improve flexibility, migration capability and customisation. The framework also uses a central mediator to coordinate data stream processing tasks running on different docker nodes. Moreover, we develop a prediction-based online anomaly detection model that consists of batch model training and data stream anomaly detection processes. The model uses long short-term memory (LSTM) neural networks to predict data stream values and a dynamic sliding window method to model prediction errors and detect anomalies. We implement a case study to detect abnormal heating temperatures from an industrial heating plant and evaluate the performance of the proposed framework and anomaly detection model. The results show that our framework and model can achieve high accuracy and low latency in detecting anomalies, and they outperform existing methods in terms of scalability, efficiency and adaptability for IIoT applications.

computer science, interdisciplinary applications,engineering, industrial

Peng Gao,Xusheng Xiao,Ding Li,Kangkook Jee,Haifeng Chen,Sanjeev R. Kulkarni,Prateek Mittal

DOI: https://doi.org/10.48550/arXiv.1903.08159

2020-02-27

Abstract:The need for countering Advanced Persistent Threat (APT) attacks has led to the solutions that ubiquitously monitor system activities in each enterprise host, and perform timely abnormal system behavior detection over the stream of monitoring data. However, existing stream-based solutions lack explicit language constructs for expressing anomaly models that capture abnormal system behaviors, thus facing challenges in incorporating expert knowledge to perform timely anomaly detection over the large-scale monitoring data. To address these limitations, we build SAQL, a novel stream-based query system that takes as input, a real-time event feed aggregated from multiple hosts in an enterprise, and provides an anomaly query engine that queries the event feed to identify abnormal behaviors based on the specified anomaly models. SAQL provides a domain-specific query language, Stream-based Anomaly Query Language (SAQL), that uniquely integrates critical primitives for expressing major types of anomaly models. In the demo, we aim to show the complete usage scenario of SAQL by (1) performing an APT attack in a controlled environment, and (2) using SAQL to detect the abnormal behaviors in real time by querying the collected stream of system monitoring data that contains the attack traces. The audience will have the option to interact with the system and detect the attack footprints in real time via issuing queries and checking the query results through a command-line UI.

Cryptography and Security

Jonghyeon Ko,Marco Comuzzi

DOI: https://doi.org/10.2139/ssrn.4062471

2022-01-01

SSRN Electronic Journal

Abstract:Event log anomaly detection and log repairing concern the identification of anomalous traces in an event log and the reconstruction of a correct trace for the anomalous ones, respectively. Anomalies in real-world event logs often appear according to specific patterns, since they are generated by a limited number of root causes, such as poor resource behaviour or system malfunctioning. This paper proposes PBAR (PatternBased Anomaly Reconstruction), a semi-supervised pattern-based anomaly detection and log repairing approach that exploits the pattern-based nature of trace-level anomalies in event logs. PBAR captures in a set of ad-hoc graphs the behaviour of clean traces in a log and uses these to identify anomalous traces, the specific anomaly pattern that applies to them, and then reconstruct the correct trace. The proposed approach is evaluated using artificial and real event logs against the traditional trace alignment in conformance checking, the edit distance-based alignment method, and an unsupervised method based on deep learning. Overall, the proposed method outscored the alignment method in anomalous trace reconstruction while providing interpretability by regarding the anomaly pattern classification. PBAR is also quicker to execute and its performance is more balanced across different types of anomaly patterns.

Jinoh Kim,Makiya Nakashima,Wenjun Fan,Simeon Wuthier,Xiaobo Zhou,Ikkyun Kim,Sang-Yoon Chang

DOI: https://doi.org/10.1109/tnsm.2022.3173598

2022-10-15

IEEE Transactions on Network and Service Management

Abstract:While blockchain technology provides strong cryptographic protection on the ledger and the system operations, the underlying blockchain networking remains vulnerable due to potential threats such as denial of service (DoS), Eclipse, spoofing, and Sybil attacks. Effectively detecting such malicious events should thus be an essential task for securing blockchain networks and services. Due to its importance, several studies investigated anomaly detection in Bitcoin and blockchain networks, but their analyses mainly focused on the blockchain ledger in the application context (e.g., transactions) and targets specific types of attacks (e.g., double-spending, deanonymization, etc). In this study, we present a security mechanism based on the analysis of blockchain network traffic statistics (rather than ledger data) to detect malicious events, through the functions of data collection and anomaly detection. The data collection engine senses the underlying blockchain traffic and generates multi-dimensional data streams in a periodic, real-time manner. The anomaly detection engine then detects anomalies from the created data instances based on semi-supervised learning, which is capable of detecting previously unseen patterns, and we introduce our profiling-based detection engine implemented on top of AutoEncoder (AE). Our experimental results evaluated with real and simulated traffic data support the effectiveness of our security mechanism and design choices based on the AE structure, with the approximate detection performance to the supervised learning methods only through the profiling of normal instances. The measured time complexity is sufficiently cheap to perform real-time analysis, with less than 1.4 msec for per-instance testing on a single core setting.

computer science, information systems