Xudong Zhu,Zhijing Liu

DOI: https://doi.org/10.4028/www.scientific.net/amr.143-144.648

2010-01-01

Advanced Materials Research

Abstract:We present a novel online unsupervised anomaly detection method for human activities. The proposed approach is based on one-class support vector machine (OCSVM) clustering, where the novelty detection SVM capabilities are used for the identification of anomalous activities. Particular attention is given to activity classification in absence of a priori information on the distribution of outliers. Activities are represented by variable-length event sequences, but the most commonly used kernels are defined on fixed-dimension spaces. To solve the problem, we develop a novel sequence-similarity kernel, the n-grams kernel. Our kernel is conceptually simple and efficient to compute and performs well in comparison with state-of-the-art methods for anomaly detection. Moreover, most SVM algorithms require large number of memory to store the kernel matrix, or repeated access to the training samples. This makes it infeasible for online anomaly detection. In this paper, we develop simple and computationally efficient online learning algorithms for anomaly detection.

F. Chen,P. Chen,D. Li,F. Cheng

DOI: https://doi.org/10.1179/1743131x15y.0000000022

2015-01-01

Abstract:Kernel-like impurities (KLIs) have the similar colour, shape, texture and specific gravity with sound kernels. The amount of the KLIs is an important parameter for evaluating the quality of wheat. However, it is difficult to classify KLIs from sound kernels with normal methods because of these similar features. In this study, a machine vision system with a linear colour charged coupled device used to acquire images of kernels and a software package developed to extract various features from the images were used to classify 1169 sound kernels and 896 KLIs. Three methods-genetic algorithm (GA)/support vector machine (SVM), principal components analysis/SVM and linear discriminant analysis-were applied for the classification. The performance of GA/SVM for detecting KLIs was very outstanding, and the accuracy of testing sets could reach 99.34%. GA/SVM has the potential to improve the KLI classification accuracy in machine vision system. It is feasible to extract a small quantity of useful features without any extra image or data processing for online KLI classification.

Wen-Yun Yang,Bao-Liang Lu

DOI: https://doi.org/10.1142/9781848161092_0004

2008-01-01

Abstract:We introduce a general framework for string kernels. This framework can produce various types of kernels, including a number of existing kernels, to be used with support vector machines (SVMs). In this framework, we can select the informative subsequences to reduce the dimensionality of the feature space. We can model the mutations in biological sequences. Finally, we combine contributions of subsequences in a weighted fashion to get the target kernel. In practical computation, we develop a novel tree structure, coupled with a traversal algorithm to speed up the computation. The experimental results on a benchmark SCOP data set show that the kernels produced by our framework outperform the existing spectrum kernels, in both e‐ciency and ROC50 scores.

Jifeng Yu,Jingli Zhou

DOI: https://doi.org/10.1016/j.phpro.2012.03.281

2012-01-01

Physics Procedia

Abstract:Short sequences of system calls of running processes are good data sets for anomaly detection system. This paper analyzed the insufficiency of fixed-length patterns (N-Gram) and variable-length patterns (V-Gram) in processing sequences of system calls. A new model of Multi Wildcards V-Gram (MWV-Gram) with redundancy controlling mechanism is presented. Experimentation results indicate that the pattern database is reduced and detection efficiency is enhanced by the improved algorithm.

Shunan Guo,Zhuochen Jin,Qing Chen,David Gotz,Hongyuan Zha,Nan Cao

DOI: https://doi.org/10.1109/tvcg.2021.3093585

IF: 5.2

2021-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:Anomaly detection is a common analytical task that aims to identify rare cases that differ from the typical cases that make up the majority of a dataset. When analyzing event sequence data, the task of anomaly detection can be complex because the sequential and temporal nature of such data results in diverse definitions and flexible forms of anomalies. This, in turn, increases the difficulty in interpreting detected anomalies. In this article, we propose a visual analytic approach for detecting anomalous sequences in an event sequence dataset via an unsupervised anomaly detection algorithm based on Variational AutoEncoders. We further compare the anomalous sequences with their reconstructions and with the normal sequences through a sequence matching algorithm to identify event anomalies. A visual analytics system is developed to support interactive exploration and interpretations of anomalies through novel visualization designs that facilitate the comparison between anomalous sequences and normal sequences. Finally, we quantitatively evaluate the performance of our anomaly detection algorithm, demonstrate the effectiveness of our system through case studies, and report feedback collected from study participants.

Dongyu Zhang,Wangmeng Zuo,David Zhang,Hongzhi Zhang

DOI: https://doi.org/10.1109/ICPR.2010.16

IF: 8

2010-01-01

Pattern Recognition

Abstract:Motivated by the great success of dynamic time warping (DTW) in time series matching, Gaussian DTW kernel had been developed for support vector machine (SVM)-based time series classification. Counter-examples, however, had been subsequently reported that Gaussian DTW kernel usually cannot outperform Gaussian RBF kernel in the SVM framework. In this paper, by extending the Gaussian RBF kernel, we propose one novel class of Gaussian elastic metric kernel (GEMK), and present two examples of GEMK: Gaussian time warp edit distance (GTWED) kernel and Gaussian edit distance with real penalty (GERP) kernel. Experimental results on UCR time series data sets show that, in terms of classification accuracy, SVM with GEMK is much superior to SVM with Gaussian RBF kernel and Gaussian DTW kernel, and the state-of-the-art similarity measure methods.

Yin Song,Longbing Cao,Junfu Yin,Cheng Wang

DOI: https://doi.org/10.1109/ijcnn.2013.6706837

IF: 7.8

2013-01-01

Neural Networks

Abstract:This paper presents a novel framework for detecting abnormal sequences in an one-class setting (i.e., only normal data are available), which is applicable to various domains. Examples include intrusion detection, fault detection and speaker verification. Detecting abnormal sequences with only normal data presents several challenges for anomaly detection: the weak discrimination of normal and abnormal sequences; the unavailability of the abnormal data and other issues. Traditional model-based anomaly detection techniques can solve some of the above issues but with limited discrimination power (because of directly modeling the normal data). In order to enhance the discriminative power for anomaly detection, we turn to extracting discriminative features from the generative model based on the principle deducted from the corresponding theoretical analysis. Then a new anomaly detection framework is developed on top of that. The proposed approach firstly projects all the sequential data into a model-based equal length feature space (this is theoretically proven to have better discriminative power than the model itself), and then adopts a classifier learned from the transformed data to detect anomalies. Experimental evaluation on both the synthetic and real-world data shows that our proposed approach outperforms several anomaly detection baseline algorithms for sequential data.

Bo Gao,Huiye Ma,Yuhang Yang

DOI: https://doi.org/10.1109/ICMLC.2002.1176779

2002-01-01

Abstract:In this paper we discuss our research in developing anomaly detecting method for intrusion detection. The key idea is to use HMMs (Hidden Markov models) to learn the (normal and abnormal) patterns of Unix processes. These patterns can be used to detect anomalies and known intrusion. Using experiments on the mail-sending system call data, we demonstrate that we can construct concise and accurate classifiers to detect intrusion action.

Defeng Wang,Yeung, D.S.,Tsang, E.C.C.

DOI: https://doi.org/10.1109/TNN.2007.895909

2007-01-01

Abstract:The support vector machine (SVM) has been demonstrated to be a very effective classifier in many applications, but its performance is still limited as the data distribution information is underutilized in determining the decision hyperplane. Most of the existing kernels employed in nonlinear SVMs measure the similarity between a pair of pattern images based on the Euclidean inner product or the Euclidean distance of corresponding input patterns, which ignores data distribution tendency and makes the SVM essentially a ldquolocalrdquo classifier. In this paper, we provide a step toward a paradigm of kernels by incorporating data specific knowledge into existing kernels. We first find the data structure for each class adaptively in the input space via agglomerative hierarchical clustering (AHC), and then construct the weighted Mahalanobis distance (WMD) kernels using the detected data distribution information. In WMD kernels, the similarity between two pattern images is determined not only by the Mahalanobis distance (MD) between their corresponding input patterns but also by the sizes of the clusters they reside in. Although WMD kernels are not guaranteed to be positive definite (pd) or conditionally positive definite (cpd), satisfactory classification results can still be achieved because regularizers in SVMs with WMD kernels are empirically positive in pseudo-Euclidean (pE) spaces. Experimental results on both synthetic and real-world data sets show the effectiveness of ldquopluggingrdquo data structure into existing kernels.

Lingfei Wu,Ian En-Hsu Yen,Siyu Huo,Liang Zhao,Kun Xu,Liang Ma,Shouling Ji,Charu Aggarwal

DOI: https://doi.org/10.1145/3292500.3330923

2019-01-01

Abstract:Analysis of large-scale sequential data has been one of the most crucial tasks in areas such as bioinformatics, text, and audio mining. Existing string kernels, however, either (i) rely on local features of short substructures in the string, which hardly capture long discriminative patterns, (ii) sum over too many substructures, such as all possible subsequences, which leads to diagonal dominance of the kernel matrix, or (iii) rely on non-positive-definite similarity measures derived from the edit distance. Furthermore, while there have been works addressing the computational challenge with respect to the length of string, most of them still experience quadratic complexity in terms of the number of training samples when used in a kernel-based classifier. In this paper, we present a new class of global string kernels that aims to (i) discover global properties hidden in the strings through global alignments, (ii) maintain positive-definiteness of the kernel, without introducing a diagonal dominant kernel matrix, and (iii) have a training cost linear with respect to not only the length of the string but also the number of training string samples. To this end, the proposed kernels are explicitly defined through a series of different random feature maps, each corresponding to a distribution of random strings. We show that kernels defined this way are always positive-definite, and exhibit computational benefits as they always produce Random String Embeddings (RSE) that can be directly used in any linear classification models. Our extensive experiments on nine benchmark datasets corroborate that RSE achieves better or comparable accuracy in comparison to state-of-the-art baselines, especially with the strings of longer lengths. In addition, we empirically show that RSE scales linearly with the increase of the number and the length of string.

Shunan Guo,Zhuochen Jin,Qing Chen,David Gotz,Hongyuan Zha,Nan Cao

DOI: https://doi.org/10.1109/BigData47090.2019.9005687

2019-01-01

Abstract:Anomaly detection is a common analytical task that aims to identify rare cases that differ from the typical cases that make up the majority of a dataset. When applied to the analysis of event sequence data, the task of anomaly detection can be complex because the sequential and temporal nature of such data results in diverse definitions and flexible forms of anomalies. This, in turn, increases the difficulty in interpreting detected anomalies. In this paper, we propose an unsupervised anomaly detection algorithm based on Variational AutoEncoders (VAE) to estimate underlying normal progressions for each given sequence represented as occurrence probabilities of events along the sequence progression. Events in violation of their occurrence probability are identified as abnormal. We also introduce a visualization system, EventThread3 (ET <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">3</sup> , to support interactive exploration and interpretations of anomalies within the context of normal sequence progressions in the dataset through comprehensive one-to-many sequence comparison. Finally, we quantitatively evaluate the performance of our anomaly detection algorithm and demonstrate the effectiveness of our system through a case study.

Jingxuan Pang,Xiaokun Pu,Chunguang Li

DOI: https://doi.org/10.1109/tii.2022.3145834

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Anomaly detection plays an important role in industry, especially in ensuring system safety and product quality. Due to the unavailability of anomalous data in many practical cases, anomaly detection is usually solved by one-class classification (OCC) methods using only normal data. As a classical OCC method, one-class support vector machine (OCSVM) is a popular discriminative approach for anomaly detection, which detects abnormal data points by establishing a decision boundary in the kernel space. However, the performance of OCSVM heavily relies on kernel parameters, whose selection is not trivial for anomaly detection problems. Moreover, for some uneven and complex data distributions, different data regions may have quite different densities and shapes, making it difficult for OCSVM to obtain good boundaries in all regions using a global kernel parameter. To address the above two issues, in this article, we propose a hybrid algorithm incorporating vector quantization and OCSVM (VQ-OCSVM). Specifically, vector quantization is used to extract distribution information of normal data, and the results are used to construct an explicit mapping function to map data into a high-dimensional feature space. Then, OCSVM is performed in the feature space to build a classifier. By introducing the explicit mapping into OCSVM, the proposed method can effectively bypass the kernel parameter selection problem of the classical OCSVM method. Furthermore, the constructed mapping carries the data distribution information, and the VQ-OCSVM model can be regarded as an integration of generative learning and discriminative learning. The complementary properties of these two paradigms make the proposed VQ-OCSVM algorithm have better generalization capacity for complex data distribution. Both qualitative and quantitative experimental results demonstrate the effectiveness and advantages of the proposed method.

Hansheng Lei,Bingyu Sun

DOI: https://doi.org/10.1109/sitis.2007.112

2007-01-01

Abstract:The dynamic time warping (DTW) is state-of-the-art distance measure widely used in sequential pattern matching and it outperforms Euclidean distance in most cases because its matching is elastic and robust. It is tempting to substitute DTW distance for Euclidean distance in the Gaussian RBF kernel and plug it into the state-of-the art classifier support vector machines (SVMs) for sequence classification. However, it is not straightforward that DTW also outperforms Euclidean distance in kernel machines. While counter-examples can be found to numerically prove that DTW is not positive definite symmetric (PDS)acceptable by SVM, little is known why it can not be PDS theoretically. We analyze the DTW kernel and complete a theoretical proof via the connection between PDS kernel and reproducing kernel Hilbert space (RKHS). Our analysis leads to a better understanding that all Hilbertian metrics can be be converted to a PDS kernel in the Gaussian form, while the reverse is not true. The proof can be extended to conclude that elastic matching distance is not eligible to construct PDS kernels (e.g., Edit distance). Experiments were conducted to compare the RBF-kernel and DTW kernel in SVM classifications and the results show that simple Euclidean distance outperforms DTW in kernel machines.

Choujun Zhan,Benjamin Yee Shing Li,Quansi Wen,Gao Ying,Tianyong Hao

DOI: https://doi.org/10.1109/bibm47256.2019.8982993

2019-01-01

Abstract:Imbalanced dataset is a common issue in many applications. The one-class Support Vector Machine (SVM) is found to be an effective algorithm to construct classification models over the underlying imbalanced dataset. In some cases, feature extraction is hard and one would prefer using pre-defined kernels to train the model. In traditional practice, a valid kernel has to satisfy the Mercer's condition, which may restrict the design of kernel functions or matrices. In this paper, an indefinite kernel extension is applied to the one-class SVM model in order to relieve such limitation. To illustrate its performance, the algorithm is applied to perform virtual screening of drugs.

Limin Li,Kiyoko F. Aoki-Kinoshita,Wai-Ki Ching,Hao Jiang

DOI: https://doi.org/10.1007/s11424-015-2156-y

2015-01-01

Abstract:String kernels are popular tools for analyzing protein sequence data and they have been successfully applied to many computational biology problems. The traditional string kernels assume that different substrings are independent. However, substrings can be highly correlated due to their substructure relationship or common physico-chemical properties. This paper proposes two kinds of weighted spectrum kernels: The correlation spectrum kernel and the AA spectrum kernel. We evaluate their performances by predicting glycan-binding proteins of 12 glycans. The results show that the correlation spectrum kernel and the AA spectrum kernel perform significantly better than the spectrum kernel for nearly all the 12 glycans. By comparing the predictive power of AA spectrum kernels constructed by different physico-chemical properties, the authors can also identify the physicochemical properties which contributes the most to the glycan-protein binding. The results indicate that physico-chemical properties of amino acids in proteins play an important role in the mechanism of glycan-protein binding.

Xingshu CHEN,Jiaxin CHEN,Dandan ZHAO,Xin JIN

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2018.25.018

2018-01-01

Abstract:A abnormal IO behavior in virtual machines is monitored to discover known and unknown virtual machine escape attacks. Hardware-assisted virtualization is used here in an anomaly detection method for IO sequences in virtual machines including asynchronous acquisition to efficiently collect the IO sequences of the virtual machine, relating the IO sequences with the processes running in the virtual machine for a fine-grained description of the virtual machine s IO behavior, and an algorithm for generating short IO sequences in virtual machines based on a double-layer hash table and a Markov chain model to detect the IO sequences of malicious virtual machines. A virtual machine detection system was implemented on a Kernel-based virtual machine (KVM) to evaluate the effectiveness of this system. The results show that the system can effectively detect some IO based on security threats and some known and unknown virtual machine escape attacks with an acceptable false alarm rate and performance overhead.

Jun Ma,Guanzhong Dai,Zhong Xu

DOI: https://doi.org/10.1109/icppw.2009.6

2009-01-01

Abstract:We present a new network anomaly detection system using dissimilarity-based one-class support vector machine(DSVMC). we transform the raw data into a dissimilarity space using Dissimilarity Representations (DR). DR describe objects by their dissimilarities to a set of target class. DSVMC are constructed on these DR. We propose a framework of anomaly detection using DSVMC. A new strategy of prototype selection has been proposed to obtain better DR. We not only offer a better approach in strategy to describe to distribution of large training dataset but also reduce the computational cost of prototype selection largely. In order to deploy the ADS in real-time detection application, we use Kernel Primary Component Analysis (KPCA) to reduce the dimension of transformed data. Evaluation has been made among traditional one-class classifiers, the dissimilarity-based one class SVM classifier without optimization of DR (WSVMC) and our DSVMC on KDD-CUP'99 dataset. The results show that DSVMC can achieve high detection rate than WSVMC and more robust performance than traditional one-class classifiers.

Tolga Ergen,Ali Hassan Mirza,Suleyman Serdar Kozat

DOI: https://doi.org/10.1109/TNNLS.2019.2935975

2017-10-25

Abstract:We investigate anomaly detection in an unsupervised framework and introduce Long Short Term Memory (LSTM) neural network based algorithms. In particular, given variable length data sequences, we first pass these sequences through our LSTM based structure and obtain fixed length sequences. We then find a decision function for our anomaly detectors based on the One Class Support Vector Machines (OC-SVM) and Support Vector Data Description (SVDD) algorithms. As the first time in the literature, we jointly train and optimize the parameters of the LSTM architecture and the OC-SVM (or SVDD) algorithm using highly effective gradient and quadratic programming based training methods. To apply the gradient based training method, we modify the original objective criteria of the OC-SVM and SVDD algorithms, where we prove the convergence of the modified objective criteria to the original criteria. We also provide extensions of our unsupervised formulation to the semi-supervised and fully supervised frameworks. Thus, we obtain anomaly detection algorithms that can process variable length data sequences while providing high performance, especially for time series data. Our approach is generic so that we also apply this approach to the Gated Recurrent Unit (GRU) architecture by directly replacing our LSTM based structure with the GRU based structure. In our experiments, we illustrate significant performance gains achieved by our algorithms with respect to the conventional methods.

Signal Processing,Machine Learning

BAO Wei-dong,XIAN Ming,XIAO Shun-ping,WANG Guo-yu,ZHANG Yi-rong

DOI: https://doi.org/10.3969/j.issn.1003-0530.2007.04.003

IF: 4.729

2007-01-01

Signal Processing

Abstract:This paper implemented an anomaly intrusion detection technique based on dual p support vector machine (dualν- SVM)with regard to labeled and unbalanced data sets often occurring in practical intrusion detection systems.The basic idea is that dif- ferent error penalty factors are provided to classes with different number,which will make classification error rates of both classes in-clined to be even.Experiments on 1999 KDD data set show that the anomaly detection technique based on dualν-SVM evidently increa- ses the detection rate of attack records with low false positive rate,while slightly decreases the detection rate of normal records compared to conventionalν-SVM.Thus the algorithm is adapted to those occasions subtle for the detection of attack records.

Han Bao,Yijie Wang

DOI: https://doi.org/10.1109/ICPADS.2016.0127

2016-01-01

Abstract:Anomaly detection over multi-dimensional data stream has attracted considerable attention recently in various fields, such as network, finance and aerospace. In many cases, anomalies are composed of a sequence of multi-dimensional data, and it's necessary to detect this type of anomalies accurately and efficiently over data stream. Existing online methods of anomaly detection merely focus on the single-dimensional sequence. What's more, current studies about multi-dimensional sequence are mainly concentrated on static database. However, the anomaly detection for multi-dimensional sequence over data stream is much more difficult, due to the complexity of multidimensional sequence processing, the dynamic nature of data stream and the unbalance between normal and abnormal data. Facing these challenges, we propose an anomaly detection method for multi-dimensional sequence over data stream based on cost sensitive support vector machine (C-SVM) called ADMS. First, to improve the accuracy and efficiency, the ADMS transforms multi-dimensional sequences into feature vectors in a lossless way and prunes worthless features of these vectors. And then, the ADMS can detect abnormal sequences over dynamically imbalanced data stream by lively testing these vectors based on C-SVM. Experiments show that the false negative rate (FNR) of the ADMS is lower than 5%, the false positive rate (FPR) is lower than 7%, and the throughput is improved 42% by pruning worthless features. In addition, the AMDS performs well when there are concept drifts over the data stream.