Chao Chen,Dawei Wang,Feng Mao,Zongzhang Zhang,Yang Yu

DOI: https://doi.org/10.1609/aaai.v37i13.26950

2023-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Semi-supervised Anomaly Detection (AD) is a kind of data mining task which aims at learning features from partially-labeled datasets to help detect outliers. In this paper, we classify existing semi-supervised AD methods into two categories: unsupervised-based and supervised-based, and point out that most of them suffer from insufficient exploitation of labeled data and under-exploration of unlabeled data. To tackle these problems, we propose Deep Anomaly Detection and Search (DADS), which applies Reinforcement Learning (RL) to balance exploitation and exploration. During the training process, the agent searches for possible anomalies with hierarchically-structured datasets and uses the searched anomalies to enhance performance, which in essence draws lessons from the idea of ensemble learning. Experimentally, we compare DADS with several state-of-the-art methods in the settings of leveraging labeled known anomalies to detect both other known anomalies and unknown anomalies. Results show that DADS can efficiently and precisely search anomalies from unlabeled data and learn from them, thus achieving good performance.

Chao Chen,Dawei Wang,Feng Mao,Jiacheng Xu,Zongzhang Zhang,Yang Yu

DOI: https://doi.org/10.5555/3635637.3662879

2024-01-01

Abstract:Anomaly detection (AD) holds substantial practical value, and considering the limited labeled data, the semi-supervised anomaly detection technique has garnered increasing attention. We find that previous methods suffer from insufficient exploitation of labeled data and under-exploration of unlabeled data. To tackle the above problem, we aim to search for possible anomalies in unlabeled data and use the searched anomalies to enhance performance. We innovatively model this search process as a Markov decision process and utilize a reinforcement learning algorithm to solve it. Our method, Deep Anomaly Detection and Search (DADS), integrates the exploration of unlabeled data and the exploitation of labeled data into one framework. Experimentally, we compare DADS with several state-of-the-art methods in widely used benchmarks, and the results show that DADS can efficiently search anomalies from unlabeled data and learn from them, thus achieving good performance. Code: https://github.com/LAMDA-RL/DADS

Guansong Pang,Anton van den Hengel,Chunhua Shen,Longbing Cao

DOI: https://doi.org/10.1145/3447548.3467417

2021-06-10

Abstract:We consider the problem of anomaly detection with a small set of partially labeled anomaly examples and a large-scale unlabeled dataset. This is a common scenario in many important applications. Existing related methods either exclusively fit the limited anomaly examples that typically do not span the entire set of anomalies, or proceed with unsupervised learning from the unlabeled data. We propose here instead a deep reinforcement learning-based approach that enables an end-to-end optimization of the detection of both labeled and unlabeled anomalies. This approach learns the known abnormality by automatically interacting with an anomaly-biased simulation environment, while continuously extending the learned abnormality to novel classes of anomaly (i.e., unknown anomalies) by actively exploring possible anomalies in the unlabeled data. This is achieved by jointly optimizing the exploitation of the small labeled anomaly data and the exploration of the rare unlabeled anomalies. Extensive experiments on 48 real-world datasets show that our model significantly outperforms five state-of-the-art competing methods.

Machine Learning,Artificial Intelligence,Cryptography and Security,Computer Vision and Pattern Recognition

Junchi Xing,Chunming Wu

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162940

2020-01-01

Abstract:The widely used encryption of network traffic poses a great challenge to anomaly detection. Currently, the supervised and semi-supervised solutions suffer from the problems of noisy label of data, non-stationary traffic distribution, and huge resource consumption for offline training. To address this, in this paper, we present an unsupervised, robust, and online anomaly detection method for encrypted traffic by using deep dictionary learning, called D2LAD. D2LAD offers the potential to extract sequential features from raw encrypted traffic data with the help of an LSTM-based autoencoder. Then, according to the sequential features, D2LAD is able to explore the hidden normal patterns by iterative deep dictionary learning. Eventually, D2LAD can obtain the anomaly score of raw data by calculating its relevance to the deep dictionary. We implement a prototype of D2LAD and evaluate its effectiveness and performance by experiments using realistic datasets. The experimental results show that our method achieves high accuracy and low resource usage, and outperforms the representative state-of-the-art methods in real-world settings.

Liyuan Zheng,Chen Wang,Dongcheng Zhang,Xin Xie

DOI: https://doi.org/10.1109/ICIBA56860.2023.10165364

2023-05-26

Abstract:Anomaly detection is a crucial service in contemporary data networks, and the development of new fast and robust algorithms capable of detecting and classifying dangerous traffic is essential to cope with evolving threats and increasing detection difficulty. In this paper, we present a novel anomaly detection algorithm that uses deep reinforcement learning (DRL) to efficiently learn and adapt to anomalies in time series data. Compared to alternative DRL methods using in anomaly detection, the approach posited in this paper presents various advantages. Primarily, it outperforms other techniques in scenarios with continuous action spaces. Additionally, it contributes to the stabilization of the learning procedure and enhances the convergence of the algorithm. Finally, it facilitates the acquisition of superior policies and circumvents the risk of being trapped in local optima.

Engineering,Computer Science

Ao Jin,Zhichao Wu,Li Zhu,Qianchen Xia,Xin Yang

DOI: https://doi.org/10.1007/978-981-99-8073-4_14

2024-01-01

Abstract:Weakly-supervised Anomaly Detection (AD) has achieved significant performance improvement compared to unsupervised methods by harnessing very little additional labeling information. However, most existing methods ignore anomalies in unlabeled data by simply treating the whole unlabeled set as normal; that is, they fail to resist such noise that may considerably disturb the learning process, and more importantly, they cannot extract key anomaly features from these unlabeled anomalies, which are complementary to those labeled ones. To solve this problem, a spiking reinforcement learning framework for weakly-supervised AD is proposed, named ADSD. Compared with artificial neural networks, the spiking neural network can effectively resist input perturbations due to its unique coding methods and neuronal characteristics. From this point of view, by using spiking neurons with noise filtering and threshold adaptation, as well as a multi-weight evaluation method to discover the most suspicious anomalies in unlabeled data, ADSD achieves end-to-end optimization for the utilization of a few labeled anomaly data and rare unlabeled anomalies in complex environments. The agent in ADSD has robustness and adaptability when exploring potential anomalies in the unknown space. Extensive experiments show that our method ADSD significantly outperforms four popular baselines in various environments while maintaining good robustness and generalization performance.

Haojie Li,Hongzuo Xu,Wei Peng

DOI: https://doi.org/10.1007/978-981-99-4752-2_10

2023-01-01

Abstract:Massive time series data are recorded in various domains. Identifying exceptional data objects within time series can help avoid potential faults, dangers, and accidents, which is significant in maintaining the target system’s health and stability. Recent years have witnessed a long list of unsupervised time-series anomaly detection models that can only work without any control after deployment. This motivates us to consider an intriguing question: can we devise a model that adaptively and iteratively evolves according to the interaction with human analysts . We intend to install a handle on the model, thus realizing a “human-in-the-loop” learning paradigm. However, it is still a non-trivial task due to the difficulty of (i) accurately exploring valuable data from the unlabeled set as query samples and (ii) fully exploiting returned annotated data. To tackle these challenges, this paper proposes a novel reinforced active time series anomaly detection algorithm. We first propose to use the ensemble of unsupervised anomaly scoring, and by leveraging the derived anomaly scores, we devise two reward strategies. The learning process is guided by these reward strategies, during which the agent is encouraged to explore possible anomalies hidden in the unlabeled set. These potential anomalies are submitted as queries for human labeling and further exploited in our reward functions to supervise the agent taking expected actions. Extensive experiments on real-world datasets demonstrate that our method substantially outperforms five state-of-the-art competitors and obtains 12.1%–60.3% F 1 score improvement, and 11.5%–59.1% AUC-PR improvement.

Xianchao Zhang,Jie Mu,Xiaotong Zhang,Han Liu,Linlin Zong,Yuangang Li

DOI: https://doi.org/10.1016/j.patcog.2021.108234

IF: 8

2022-01-01

Pattern Recognition

Abstract:Deep anomaly detection, which utilizes neural networks to discover anomalies, is a vital research topic in pattern recognition. With the burgeoning of inference mechanism, inference-based methods show the promising performance. However, inference-based methods have two limitations: (1) they use an adversarial training way to learn data features. Such training way fails to learn task-specific features which can be conducive to capture the difference between normal and anomaly data. (2) The structure of detection network cannot capture the marginal distributions of normal data and corresponding features, which influences on the performance of anomaly detection. To overcome these limitations, this paper proposes a deep adversarial anomaly detection (DAAD) method. Specifically, an auxiliary task with self-supervised learning is first designed to learn task-specific features. Then a deep adversarial training (DAT) model is constructed to capture marginal distributions of normal data in different spaces. In addition, a majority voting strategy is applied to obtain reliable detection results. Experimental results on image and sequence datasets show that proposed method performs significantly better than many strong baselines.

computer science, artificial intelligence,engineering, electrical & electronic

Chaoqin Huang,Fei Ye,Ya Zhang,Yanfeng Wang,Qi Tian

2020-12-09

Abstract:This paper explores semi-supervised anomaly detection, a more practical setting for anomaly detection where a small set of labeled outlier samples are provided in addition to a large amount of unlabeled data for training. Rethinking the optimization target of anomaly detection, we propose a new objective function that measures the KL-divergence between normal and anomalous data, and prove that two factors: the mutual information between the data and latent representations, and the entropy of latent representations, constitute an integral objective function for anomaly detection. To resolve the contradiction in simultaneously optimizing the two factors, we propose a novel encoder-decoder-encoder structure, with the first encoder focusing on optimizing the mutual information and the second encoder focusing on optimizing the entropy. The two encoders are enforced to share similar encoding with a consistent constraint on their latent representations. Extensive experiments have revealed that the proposed method significantly outperforms several state-of-the-arts on multiple benchmark datasets, including medical diagnosis and several classic anomaly detection benchmarks.

Computer Science

Xiangwei Chen,Ruliang Xiaoa,Zhixia Zeng,Zhipeng Qiu,Shi Zhang,Xin Du

2024-05-16

Abstract:Semi-supervised anomaly detection for sensor signals is critical in ensuring system reliability in smart manufacturing. However, existing methods rely heavily on data correlation, neglecting causality and leading to potential misinterpretations due to confounding factors. Moreover, while current reinforcement learning-based methods can effectively identify known and unknown anomalies with limited labeled samples, these methods still face several challenges, such as under-utilization of priori knowledge, lack of model flexibility, and deficient reward feedback during environmental interactions. To address the above problems, this paper innovatively constructs a counterfactual causal reinforcement learning model, termed Triple-Assisted Causal Reinforcement Learning Anomaly Detector (Tri-CRLAD). The model leverages causal inference to extract the intrinsic causal feature in data, enhancing the agent's utilization of prior knowledge and improving its generalization capability. In addition, Tri-CRLAD features a triple decision support mechanism, including a sampling strategy based on historical similarity, an adaptive threshold smoothing adjustment strategy, and an adaptive decision reward mechanism. These mechanisms further enhance the flexibility and generalization ability of the model, enabling it to effectively respond to various complex and dynamically changing environments. Experimental results across seven diverse sensor signal datasets demonstrate that Tri-CRLAD outperforms nine state-of-the-art baseline methods. Notably, Tri-CRLAD achieves up to a 23\% improvement in anomaly detection stability with minimal known anomaly samples, highlighting its potential in semi-supervised anomaly detection scenarios. Our code is available at

Machine Learning,Artificial Intelligence

Fengqian Ding,Bo Li,Xianye Ben,Jia Zhao,Hongchao Zhou

DOI: https://doi.org/10.1109/tbdata.2024.3453762

2024-01-01

IEEE Transactions on Big Data

Abstract:Time series anomaly detection has been received growing interest in industrial and academic communities due to its substantial theoretical value and practical significance in reality. Recent advanced methods for time series anomaly detection are based on deep learning techniques, since they have shown their superiority in some specific situations. However, most existing deep learning-based anomaly detection methods require predefined, specific tasks of reconstruction or prediction, necessitating task-specific loss functions. Designing such anomaly-aware loss functions poses a significant challenge due to the ambiguity in defining ground-truth anomalies. Moreover, these methods often rely on complex network architectures that tend to lead to over-generalization, resulting in even abnormal data being well reconstructed or fitted. To mitigate this situation, grounded in activation learning theory, we propose a novel unsupervised time series anomaly detection paradigm termed ALAD. ALAD utilizes a straightforward fully connected network architecture, measuring the typicality of input patterns through the sum of the squared output. Despite its simplicity, ALAD achieves competitive performance compared to state-of-the-art models trained using backpropagation. By utilizing various real-world and synthetic datasets, experimental results have confirmed the effectiveness and feasibility of the proposed paradigm. This work also demonstrates that biologically-plausible local learning can sometimes outperform backpropagation in real-world scenarios.

Claudia Linnhoff-Popien,Steffen Illium,Robert Müller,Tom Haider,Thomy Phan

DOI: https://doi.org/10.5555/3535850.3536113

Abstract:Identifying datapoints that substantially differ from normality is the task of anomaly detection (AD). While AD has gained wide-spread attention in rich data domains such as images, videos, audio and text, it has has been studied less frequently in the context of reinforcement learning (RL). This is due to the additional layer of complexity that RL introduces through sequential decision making. Developing suitable anomaly detectors for RL is of particular importance in safety-critical scenarios where acting on anomalous data could result in hazardous situations. In this work, we address the question of what AD means in the context of RL. We found that current research trains and evaluates on overly simplistic and unrealistic scenarios which reduce to classic pattern recognition tasks. We link AD in RL to various fields in RL such as lifelong RL and generalization. We discuss their similarities, differences, and how the fields can benefit from each other. Moreover, we identify non-stationarity to be one of the key drivers for future research on AD in RL and make a first step towards a more formal treatment of the problem by framing it in terms of the recently introduced block contextual Markov decision process. Finally, we define a list of practical desiderata for future problems.

Computer Science

Yingying He,Xiaobing Pei

2024-07-30

Abstract:Log anomaly detection is a critical component in modern software system security and maintenance, serving as a crucial support and basis for system monitoring, operation, and troubleshooting. It aids operations personnel in timely identification and resolution of issues. However, current methods in log anomaly detection still face challenges such as underutilization of unlabeled data, imbalance between normal and anomaly class data, and high rates of false positives and false negatives, leading to insufficient effectiveness in anomaly recognition. In this study, we propose a semi-supervised log anomaly detection method named DQNLog, which integrates deep reinforcement learning to enhance anomaly detection performance by leveraging a small amount of labeled data and large-scale unlabeled data. To address issues of imbalanced data and insufficient labeling, we design a state transition function biased towards anomalies based on cosine similarity, aiming to capture semantic-similar anomalies rather than favoring the majority class. To enhance the model's capability in learning anomalies, we devise a joint reward function that encourages the model to utilize labeled anomalies and explore unlabeled anomalies, thereby reducing false positives and false negatives. Additionally, to prevent the model from deviating from normal trajectories due to misestimation, we introduce a regularization term in the loss function to ensure the model retains prior knowledge during updates. We evaluate DQNLog on three widely used datasets, demonstrating its ability to effectively utilize large-scale unlabeled data and achieve promising results across all experimental datasets.

Software Engineering,Machine Learning

Yaoxun Liu,Liangli Ma,Muyuan Wang,Siyuan Zhang

DOI: https://doi.org/10.3390/electronics12061313

IF: 2.9

2023-03-10

Electronics

Abstract:Deep learning-based anomaly detection (DAD) has been a hot topic of research in various domains. Despite being the most common data type, DAD for tabular data remains under-explored. Due to the scarcity of anomalies in real-world scenarios, deep semi-supervised learning methods have come to dominate, which build deep learning models and leverage a limited number of labeled anomalies and large-scale unlabeled data to improve their detection capabilities. However, existing works share two drawbacks. (1) Most of them simply treat the unlabeled samples as normal ones, ignoring the problem of label contamination, which is very common in real-world datasets. (2) Only very few works have designed models specifically for tabular data instead of migrating models from other domains to tabular data. Both of them will limit the model's performance. In this work, we propose a feature interaction-based reinforcement learning for tabular anomaly detection, FIRTAD. FIRTAD incorporates a feature interaction module into a deep reinforcement learning framework; the former can model tabular data by learning a relationship among features, while the latter can effectively exploit available information and fully explore suspicious anomalies from the unlabeled samples. Extensive experiments on three datasets not only demonstrate its superiority over the state-of-art methods but also confirm its robustness to anomaly rarity, label contamination and unknown anomalies.

engineering, electrical & electronic,computer science, information systems,physics, applied

Amgad Muneer,Rao Faizan Ali,S. Taib,Kinza Arshad,N. Khan,I. Aziz,Sheraz Naseer

DOI: https://doi.org/10.1109/ACCESS.2022.3224023

IF: 3.9

IEEE Access

Abstract:Anomaly detection has been used to detect and analyze anomalous elements from data for years. Various techniques have been developed to detect anomalies. However, the most convenient one is Machine learning which is performing well but still has limitations for large-scale unlabeled datasets. Deep Reinforcement Learning (DRL) based techniques outperform the existing supervised or unsupervised and other alternative techniques for anomaly detection. This study presents a Systematic Literature Review (SLR), which analyzes DRL models that detect anomalies in their application. This SLR aims to analyze the DRL frameworks for anomaly detection applications, proposed DRL methods, and their performance comparisons against alternative methods. In this review, we have identified 32 research articles published from 2017–2022 that discuss DRL techniques for various anomaly detection applications. After analyzing the selected research articles, this paper presents 13 different applications of anomaly detection found in the selected research articles. We identified 50 different datasets applied in experiments on anomaly detection and demonstrated 17 distinct DRL models used in the selected papers to detect anomalies. Finally, we analyzed the performance of these DRL models and reviewed them. Additionally, we observed that detecting anomalies using DRL frameworks is a promising area of research and showed that DRL had shown better performance for anomaly detection where other models lack. Therefore, we provide researchers with recommendations and guidelines based on this review.

Computer Science

Zhongyang Wang,Yijie Wang,Hongzuo Xu,Yongjun Wang

DOI: https://doi.org/10.1109/icpads53394.2021.00043

2021-01-01

Abstract:Mixed-type data with both categorical and numerical features are ubiquitous in network security, but the existing methods are minimal to deal with them. Existing methods usually process mixed-type data through feature conversion, whereas their performance is downgraded by information loss and noise caused by the transformation. Meanwhile, existing methods usually superimpose domain knowledge and machine learning in which fixed thresholds are used. It cannot dynamically adjust the anomaly threshold to the actual scenario, resulting in inaccurate anomalies obtained, which results in poor performance. To address these issues, this paper proposes a novel Anomaly Detection method based on Reinforcement Learning, termed ADRL, which uses reinforcement learning to dynamically search for thresholds and accurately obtain anomaly candidate sets, fusing domain knowledge and machine learning fully and promoting each other. Specifically, ADRL uses prior domain knowledge to label known anomalies and uses entropy and deep autoencoder in the categorical and numerical feature spaces, respectively, to obtain anomaly scores combining with known anomaly information, which are integrated to get the overall anomaly scores via a dynamic integration strategy. To obtain accurate anomaly candidate sets, ADRL uses reinforcement learning to search for the best threshold. Detailedly, it initializes the anomaly threshold to get the initial anomaly candidate set and carries on the frequent rule mining to the anomaly candidate set to form the new knowledge. Then, ADRL uses the obtained knowledge to adjust the anomaly score and get the score modification rate. According to the modification rate, different threshold modification strategies are executed, and the best threshold, that is, the threshold under the maximum modification rate, is finally obtained, and the modified anomaly scores are obtained. The scores are used to re-carry out machine learning to improve the algorithm's accuracy for anomalous data. Repeat the above process until the method is stable. We experiment on ten real network traffic datasets. Experiments show ADRL averagely improves ROC-AUC and PR-AUC than eight state-of-the-art competitors by 89.6% and 286.0%, respectively.

LI Hui,LI Wengen,GUAN Jihong

DOI: https://doi.org/10.11896/jsjkx.220900027

2023-01-01

Computer Science

Abstract:Anomaly detection is a hot topic that has been widely studied in the field of machine learning and plays an important role in industrial production， food safety， disease monitoring， etc. The latest anomaly detection methods mostly jointly train semi-supervised detection models based on a small number of available labeled samples and many unlabeled samples. However， these existing semi-supervised anomaly detection models mostly use deep learning frameworks. Due to the lack of enough feature information on low-dimensional data sets， it is difficult to learn accurate data boundaries， resulting in insufficient detection performance. To solve this problem， a dually encoded semi-supervised anomaly detection model DE-SAD is proposed. DE-SAD can make full use of a small amount of available labeled data and a large amount of unlabeled data for semi-supervised learning， and learn more accurate implicit manifold distribution of normal data through the dually encoded stage constraint， thus effectively magnifying the gap between normal data and abnormal data. DE-SAD shows excellent anomaly detection performance on multiple anomaly detection datasets from different fields， especially on low-dimensional data， and its AUROC is up to 4.6% higher than the current state-of-the-art methods.

Guansong Pang,Chunhua Shen,Longbing Cao,Anton van den Hengel

DOI: https://doi.org/10.48550/arXiv.2007.02500

IF: 5.414

2020-07-06

Machine Learning

Abstract:Anomaly detection, a.k.a. outlier detection or novelty detection, has been a lasting yet active research area in various research communities for several decades. There are still some unique problem complexities and challenges that require advanced approaches. In recent years, deep learning enabled anomaly detection, i.e., deep anomaly detection, has emerged as a critical direction. This paper surveys the research of deep anomaly detection with a comprehensive taxonomy, covering advancements in three high-level categories and 11 fine-grained categories of the methods. We review their key intuitions, objective functions, underlying assumptions, advantages and disadvantages, and discuss how they address the aforementioned challenges. We further discuss a set of possible future opportunities and new perspectives on addressing the challenges.

Mansour Zoubeirou A Mayaki,Michel Riveill

2023-05-28

Abstract:Anomaly detection or more generally outliers detection is one of the most popular and challenging subject in theoretical and applied machine learning. The main challenge is that in general we have access to very few labeled data or no labels at all. In this paper, we present a new semi-supervised anomaly detection method called \textbf{AnoRand} by combining a deep learning architecture with random synthetic label generation. The proposed architecture has two building blocks: (1) a noise detection (ND) block composed of feed forward ferceptron and (2) an autoencoder (AE) block. The main idea of this new architecture is to learn one class (e.g. the majority class in case of anomaly detection) as well as possible by taking advantage of the ability of auto encoders to represent data in a latent space and the ability of Feed Forward Perceptron (FFP) to learn one class when the data is highly imbalanced. First, we create synthetic anomalies by randomly disturbing (add noise) few samples (e.g. 2\%) from the training set. Second, we use the normal and the synthetic samples as input to our model. We compared the performance of the proposed method to 17 state-of-the-art unsupervised anomaly detection method on synthetic datasets and 57 real-world datasets. Our results show that this new method generally outperforms most of the state-of-the-art methods and has the best performance (AUC ROC and AUC PR) on the vast majority of reference datasets. We also tested our method in a supervised way by using the actual labels to train the model. The results show that it has very good performance compared to most of state-of-the-art supervised algorithms.

Machine Learning

Zhe Feng,Jie Tang,Yishun Dou,Gangshan Wu

DOI: https://doi.org/10.1109/icassp39728.2021.9414285

2021-01-01

Abstract:Anomaly detection is the task of identifying unusual samples in data. Typically anomaly detection is defined on an unlabeled dataset that is assumed most of the samples are normal and others are anomalies. However, in industrial practice, one may have access to a part of annotated data. This gives us the potential for semi-supervised learning. In addition, existing methods assume all training data is normal and neglect the impact of a small number of anomalous samples. In this paper, we consolidate the model’s discriminative power by introducing a transfer learning scheme to anomaly detection, thereby the model suffers less perturbation caused by pollution. We also propose a novel loss function to further adapt to semi-supervised data scenario. We ensure that the contribution of pollution can be well suppressed and reach a harmonious balance in magnitude of loss/gradient between unlabeled and labeled samples. Experiments on three publicly available datasets show that our method achieves state-of-the-art results.