ADT: Agent-based Dynamic Thresholding for Anomaly Detection

Xue Yang,Enda Howley,Micheal Schukat
2023-12-04
Abstract:The complexity and scale of IT systems are increasing dramatically, posing many challenges to real-world anomaly detection. Deep learning anomaly detection has emerged, aiming at feature learning and anomaly scoring, which has gained tremendous success. However, little work has been done on the thresholding problem despite it being a critical factor for the effectiveness of anomaly detection. In this paper, we model thresholding in anomaly detection as a Markov Decision Process and propose an agent-based dynamic thresholding (ADT) framework based on a deep Q-network. The proposed method can be integrated into many systems that require dynamic thresholding. An auto-encoder is utilized in this study to obtain feature representations and produce anomaly scores for complex input data. ADT can adjust thresholds adaptively by utilizing the anomaly scores from the auto-encoder and significantly improve anomaly detection performance. The properties of ADT are studied through experiments on three real-world datasets and compared with benchmarks, hence demonstrating its thresholding capability, data-efficient learning, stability, and robustness. Our study validates the effectiveness of reinforcement learning in optimal thresholding control in anomaly detection.
Machine Learning,Artificial Intelligence
What problem does this paper attempt to address?
The problem that this paper attempts to solve is: **In anomaly detection, how to dynamically adjust the threshold to improve detection performance**. ### Problem Background With the sharp increase in the complexity and scale of IT systems, anomaly detection in the real world faces many challenges. Deep learning has achieved great success in feature learning and anomaly scoring, but when it comes to the threshold setting problem, although it is crucial to the effectiveness of anomaly detection, few studies have been involved. Traditional static or expert - defined threshold methods are difficult to adapt to non - stationary and evolving time - series data, resulting in poor detection performance. ### Paper Objectives The paper aims to solve this problem by introducing an Agent - based Dynamic Threshold (ADT) framework. Specifically, the author models the threshold setting problem as a Markov Decision Process (MDP) and uses Deep Q - Network (DQN) to achieve dynamic threshold adjustment. By combining the anomaly scores generated by Autoencoder (AE), ADT can adaptively adjust the threshold, thereby significantly improving the performance of anomaly detection. ### Key Contributions 1. **Modeling and Framework Proposal**: Model the threshold setting problem in anomaly detection as MDP and propose an Agent - based Dynamic Threshold (ADT) framework. 2. **Experimental Verification**: Experiments were carried out on three real - world benchmark datasets, demonstrating the superiority of ADT in terms of threshold setting, data efficiency, stability, and robustness. 3. **Application Prospects**: Show the application potential of reinforcement learning in optimal threshold control, especially the advantages in dealing with high - dimensional continuous inputs. ### Main Content Overview - **Problem Modeling**: Formalize the threshold setting problem in anomaly detection as MDP, where the state space includes information such as the mean and variance of anomaly scores, the action is binary threshold selection in the space, and the reward function is adjusted according to the detection results. - **Method Design**: Use AE to extract features and generate anomaly scores, and train agents through DQN to dynamically adjust the threshold. - **Experimental Evaluation**: Experiments were carried out on three datasets, namely Yahoo A1Benchmark, SWaT, and WADI, verifying the superiority of ADT over static threshold and other dynamic threshold methods. Through these works, the paper shows the potential of dynamic threshold adjustment in improving the performance of anomaly detection and provides new ideas and methods for future research.