Hoda Eldardiry,Evgeniy Bart,Juan Liu,John Hanley,Bob Price,Oliver Brdiczka

DOI: https://doi.org/10.1109/SPW.2013.14

2013-01-01

Abstract:Malicious insiders pose significant threats to information security, and yet the capability of detecting malicious insiders is very limited. Insider threat detection is known to be a difficult problem, presenting many research challenges. In this paper we report our effort on detecting malicious insiders from large amounts of work practice data. We propose novel approaches to detect two types of insider activities: (1) blend-in anomalies, where malicious insiders try to behave similar to a group they do not belong to, and (2) unusual change anomalies, where malicious insiders exhibit changes in their behavior that are dissimilar to their peers' behavioral changes. Our first contribution focuses on detecting blend-in malicious insiders. We propose a novel approach by examining various activity domains, and detecting behavioral inconsistencies across these domains. Our second contribution is a method for detecting insiders with unusual changes in behavior. The key strength of this proposed approach is that it avoids flagging common changes that can be mistakenly detected by typical temporal anomaly detection mechanisms. Our third contribution is a method that combines anomaly indicators from multiple sources of information.

Keqi Liu,Yizhuo Guo,Anyi Zhang,Peng Xu

DOI: https://doi.org/10.1109/ICCC57788.2023.10233434

2023-08-10

Abstract:The integration of multiple sensors in industrial systems and subsequent anomaly detection based on the sensor-collected data has emerged as one of the most popular applications of the Internet of Things. Therefore, it is highly significant to conduct anomaly detection based on multi-source subsequence data. However, existing research either deals with anomaly detection for multi-source data fusion or anomaly detection for subsequences. In this paper, we propose a novel Anomaly Detection method based on multi-source subsequence multi-View data that overcomes the limitations of the existing methods. Specifically, we introduce an improved shape-based subsequence mapping method for the representation of multi-source subsequences, followed by a multi-view based feature fusion matrix construction method. Finally, we propose an anomaly scoring method based on property attribute fusion, which is the first of its kind to introduce a source importance factor that takes into account the importance of different data sources for adjusting the impact weight. Our experimental results demonstrate that the proposed method outperforms traditional anomaly detection methods.

Computer Science,Engineering

Haoyang He,Jiangning Zhang,Hongxu Chen,Xuhai Chen,Zhishan Li,Xu Chen,Yabiao Wang,Chengjie Wang,Lei Xie

DOI: https://doi.org/10.1609/aaai.v38i8.28690

2024-01-01

Abstract:Reconstruction-based approaches have achieved remarkable outcomes in anomaly detection. The exceptional image reconstruction capabilities of recently popular diffusion models have sparked research efforts to utilize them for enhanced reconstruction of anomalous images. Nonetheless, these methods might face challenges related to the preservation of image categories and pixel-wise structural integrity in the more practical multi-class setting. To solve the above problems, we propose a Difusion-based Anomaly Detection (DiAD) framework for multi-class anomaly detection, which consists of a pixel-space autoencoder, a latent-space Semantic-Guided (SG) network with a connection to the stable diffusion's denoising network, and a feature-space pre-trained feature extractor. Firstly, The SG network is proposed for reconstructing anomalous regions while preserving the original image's semantic information. Secondly, we introduce Spatial-aware Feature Fusion (SFF) block to maximize reconstruction accuracy when dealing with extensively reconstructed areas. Thirdly, the input and reconstructed images are processed by a pre-trained feature extractor to generate anomaly maps based on features extracted at different scales. Experiments on MVTec-AD and VisA datasets demonstrate the effectiveness of our approach which surpasses the state-of-the-art methods, e.g., achieving 96.8/52.6 and 97.2/99.0 (AUROC/AP) for localization and detection respectively on multi-class MVTec-AD dataset. Code will be available at https://lewandofskee.github.io/projects/diad.

Zhou Xiaohui,Wang Yijie,Xu Hongzuo,Liu Mingyu

DOI: https://doi.org/10.7544/issn1000-1239.202220490

2023-01-01

Abstract:With the arrival of the multi-cloud era, cloud-based intelligent operations can detect and handle cloud platform failures in advance to ensure their high availability. Because of the complexity of cloud systems, operational data shows various temporal dependency and inter-metric dependency in data locality and data globality, which brings great challenges to multi-dimensional time series anomaly detection. However, most of the existing anomaly detection methods for multi-dimensional time series learn feature representation from normal time series data and detect anomalies based on reconstruction error or prediction error. These methods cannot capture the local and global information dependency of multi-dimensional time series at the same time, resulting in poor anomaly detection effect.To solve the above problems, a fusion learning based unsupervised anomaly detection method for multi-dimensional time series is proposed. The local features and global features of multi-dimensional time series are modeled simultaneously to obtain more abundant time series reconstruction information, and anomalies are detected based on reconstruction errors. Specifically, by introducing the self-attention mechanism to the temporal convolutional network,the proposed model pays more attention to the global features of data while modeling the partial correlation of data. In addition, the information sharing mechanism is added between the temporal convolutional module and the selfattention module to realize the information fusion, so as to better reconstruct the normal mode of multi-dimensional time series. Our experimental results on multi-dimensional time series real-world datasets show that the proposed method improves F1 score by up to 0.0882 compared with the previous multi-dimensional time series anomaly detection.

Wei Di,Quan Pan,Yong-Qiang Zhao,Lin He

DOI: https://doi.org/10.1109/ICOSP.2006.345778

2006-01-01

Abstract:With the development of sensors capable of high spatial and spectral resolution, anomaly detection in Multispectral Imagery has gained more attention recently. However, using single detector meets great limitation due to that many of the conditions and parameters that govern performance are unknown or poorly characterized in an operational setting. Unlike the conventional fusion approaches simply using logical operators (e.g. AND, OR), which lead to produce highly variable performance results from one case and thus difficult to specify the "best" fusion logic in advance, a multiple-detector fusion (MDF) algorithm is proposed in this paper Three successive procedures are included as follows: First, we use series anomaly detectors including well-known RX and its varieties to get the pilot detection results. Second, in order to estimate the pdf statistics of each individual detector output more accurately, a nonparametric method called kernel density estimation (KDE) with bandwidth adjusted adaptively is used The obtained probabilistic information are then fused using a modeled joint distribution by the principle of maximum entropy. Finally, the MDF approach is applied to real multispectral imagery. Experimental results and theoretical analysis demonstrate the effectiveness of proposed algorithm.

Jie Hu,Yawen Huang,Yilin Lu,Guoyang Xie,Guannan Jiang,Yefeng Zheng,Zhichao Lu

2024-05-02

Abstract:Anomaly synthesis is one of the effective methods to augment abnormal samples for training. However, current anomaly synthesis methods predominantly rely on texture information as input, which limits the fidelity of synthesized abnormal samples. Because texture information is insufficient to correctly depict the pattern of anomalies, especially for logical anomalies. To surmount this obstacle, we present the AnomalyXFusion framework, designed to harness multi-modality information to enhance the quality of synthesized abnormal samples. The AnomalyXFusion framework comprises two distinct yet synergistic modules: the Multi-modal In-Fusion (MIF) module and the Dynamic Dif-Fusion (DDF) module. The MIF module refines modality alignment by aggregating and integrating various modality features into a unified embedding space, termed X-embedding, which includes image, text, and mask features. Concurrently, the DDF module facilitates controlled generation through an adaptive adjustment of X-embedding conditioned on the diffusion steps. In addition, to reveal the multi-modality representational power of AnomalyXFusion, we propose a new dataset, called MVTec Caption. More precisely, MVTec Caption extends 2.2k accurate image-mask-text annotations for the MVTec AD and LOCO datasets. Comprehensive evaluations demonstrate the effectiveness of AnomalyXFusion, especially regarding the fidelity and diversity for logical anomalies. Project page:

Computer Vision and Pattern Recognition

Yunfei Bai,Jing Wang,Xueer Zhang,Xiangtai Miao,Youfang Lin

DOI: https://doi.org/10.1109/tim.2023.3315420

IF: 5.6

2023-10-10

IEEE Transactions on Instrumentation and Measurement

Abstract:Time-series are often used to record the various states (i.e., metrics) of a system. Detecting the anomaly state is challenging, because temporal dynamics and intermetric dependencies need to be learned simultaneously, and anomaly types are diverse due to the complexity of the time-series. Many anomaly detection models still leave some challenges unresolved. They mainly ignore the importance of information from frequency domain while concentrating on time-domain modeling and further neglect the cross-domain effects of time and frequency domains. In this article, we proposed a novel multiview joint cross-fusion network (CrossFuN) to detect diverse types of anomaly, which has wide applicability to both univariate and multivariate time-series. In particular, based on the assumptions of time–frequency heterogeneity and time–frequency coordination, a time–frequency joint cross-fusion block is designed to simultaneously model the information of both the time and frequency domains and captures the relationship between the time domain and the frequency domain. Moreover, taking advantage of the attention mechanism, CrossFuN can capture temporal dynamics and intermetric dependencies. We conduct extensive experiments on seven real-world datasets to demonstrate the effectiveness of CrossFuN.

engineering, electrical & electronic,instruments & instrumentation

Wenwen Sun,Lin Cao,Yanan Guo,Kangning Du

DOI: https://doi.org/10.1038/s41598-024-73462-0

IF: 4.6

2024-10-03

Scientific Reports

Abstract:Weakly supervised video anomaly detection aims to detect anomalous events with only video-level labels. In the absence of boundary information for anomaly segments, most existing methods rely on multiple instance learning. In these approaches, the predictions for unlabeled video snippets are guided by the classification of labeled untrimmed videos. However, these methods do not account for issues such as video blur and visual occlusion, which can hinder accurate anomaly detection. To address these issues, we propose a novel weakly supervised video anomaly detection method that fuses multimodal and multiscale features. Firstly, RGB and optical flow snippets are input into pre-trained I3D to extract appearance and motion features. Then, we introduce an Attention De-redundancy (AD) module, which employs an attention mechanism to filter out task-irrelevant redundancy in these appearance and motion features. Next, to mitigate the effects of video blurring and visual occlusion, we propose a Multi-scale Feature Learning module. This module captures long-term and short-term temporal dependencies among video snippets to provide global and local guidance for blurred or occluded video snippets. Finally, to effectively utilize the discriminative features of different modalities, we propose an Adaptive Feature Fusion module. This module adaptively fuses appearance and motion features based on their respective feature weights. Extensive experimental results demonstrate that our proposed method outperforms mainstream unsupervised and weakly supervised methods in terms of AUC. Specifically, our proposed method achieves 97.00% AUC and 85.31% AUC on two benchmark datasets, i.e., ShanghaiTech and UCF-Crime, respectively.

multidisciplinary sciences

Sepehr Nourmohammadi,Arda Sarp Yenicesu,Ozgur S. Oguz

2024-11-10

Abstract:This paper presents a novel approach to one-class classifier fusion through locally adaptive learning with dynamic $\ell$p-norm constraints. We introduce a framework that dynamically adjusts fusion weights based on local data characteristics, addressing fundamental challenges in ensemble-based anomaly detection. Our method incorporates an interior-point optimization technique that significantly improves computational efficiency compared to traditional Frank-Wolfe approaches, achieving up to 19-fold speed improvements in complex scenarios. The framework is extensively evaluated on standard UCI benchmark datasets and specialized temporal sequence datasets, demonstrating superior performance across diverse anomaly types. Statistical validation through Skillings-Mack tests confirms our method's significant advantages over existing approaches, with consistent top rankings in both pure and non-pure learning scenarios. The framework's ability to adapt to local data patterns while maintaining computational efficiency makes it particularly valuable for real-time applications where rapid and accurate anomaly detection is crucial.

Machine Learning

Kien Do,Truyen Tran,Svetha Venkatesh

DOI: https://doi.org/10.48550/arXiv.1610.06249

IF: 5.414

2016-10-20

Machine Learning

Abstract:Anomalies are those deviating from the norm. Unsupervised anomaly detection often translates to identifying low density regions. Major problems arise when data is high-dimensional and mixed of discrete and continuous attributes. We propose MIXMAD, which stands for MIXed data Multilevel Anomaly Detection, an ensemble method that estimates the sparse regions across multiple levels of abstraction of mixed data. The hypothesis is for domains where multiple data abstractions exist, a data point may be anomalous with respect to the raw representation or more abstract representations. To this end, our method sequentially constructs an ensemble of Deep Belief Nets (DBNs) with varying depths. Each DBN is an energy-based detector at a predefined abstraction level. At the bottom level of each DBN, there is a Mixed-variate Restricted Boltzmann Machine that models the density of mixed data. Predictions across the ensemble are finally combined via rank aggregation. The proposed MIXMAD is evaluated on high-dimensional realworld datasets of different characteristics. The results demonstrate that for anomaly detection, (a) multilevel abstraction of high-dimensional and mixed data is a sensible strategy, and (b) empirically, MIXMAD is superior to popular unsupervised detection methods for both homogeneous and mixed data.

Cuixia Gao,Zhitang Li

DOI: https://doi.org/10.1109/MINES.2009.150

2009-01-01

Abstract:Anomaly detection means developing a reference profile of normal activity and comparing the ongoing activity against it. Anomaly detection is very promising because of its potential to detect unseen types of attacks. In this paper we present our preliminary research on host anomaly detection by fusing multi-source security information. We selected five types of information which may be good indicators of host anomalies. They are RAM usage, host network connections, usage of bandwidth, the alert of antivirus and the alert of our own project SATA. In the information fusion framework, the D-S evidence theory was used to fuse the dynamic host-related information. Some improvements are also discussed. We also use real-world environment to demonstrate the method's capability for detecting host anomaly. We show that our prototype can successfully detect most of anomalies caused by DOS, scanning and other attacks.

Zhihan Li,Youjian Zhao,Jiaqi Han,Ya Su,Rui Jiao,Xidao Wen,Dan Pei

DOI: https://doi.org/10.1145/3447548.3467075

2021-01-01

Abstract:Anomaly detection is a crucial task for monitoring various status (i.e., metrics) of entities (e.g., manufacturing systems and Internet services), which are often characterized by multivariate time series (MTS). In practice, it's important to precisely detect the anomalies, as well as to interpret the detected anomalies through localizing a group of most anomalous metrics, to further assist the failure troubleshooting. In this paper, we propose InterFusion, an unsupervised method that simultaneously models the inter-metric and temporal dependency for MTS. Its core idea is to model the normal patterns inside MTS data through hierarchical Variational AutoEncoder with two stochastic latent variables, each of which learns low-dimensional inter-metric or temporal embeddings. Furthermore, we propose an MCMC-based method to obtain reasonable embeddings and reconstructions at anomalous parts for MTS anomaly interpretation. Our evaluation experiments are conducted on four real-world datasets from different industrial domains (three existing and one newly published dataset collected through our pilot deployment of InterFusion). InterFusion achieves an average anomaly detection F1-Score higher than 0.94 and anomaly interpretation performance of 0.87, significantly outperforming recent state-of-the-art MTS anomaly detection methods.

DI Wei,PAN Quan,HE Lin,ZHAO Yong-qiang

2007-01-01

Abstract:Anomaly detection in multi-band spectral imagery using single detector has great deficiency due to the model limitation,thus a multiple-detector fusion algorithm is proposed in this paper for this problem.Several different anomaly detectors are selected for obtaining pilot detection results,then a nonparametric method called Kernel Density Estimation(KDE) with bandwidth adjusted adaptively is used to estimate the Probability Density Function(PDF) statistics of the output of each individual detector,which preserves the long-tail behavior of multi-band spectral imagery to avoid the model error.The obtained probabilistic information are then transformed to a space with standard Gaussian marginal distribution,in which optimal probabilistic fusion of multi-detector on the decision level is accomplished utilizing a modeled joint distribution under maximum entropy principle.Target detection is finally achieved by likelihood function test in the original data space.Experimental results on EPS-A aerial multi-band spectral imagery demonstrate the effectiveness of the proposed algorithm.

Zhu Chen,Weihai Li,Chi Fei,Bin Liu,Nenghai Yu

DOI: https://doi.org/10.1109/vcip.2018.8698703

2018-01-01

Abstract:Anomaly detection in crowded scenes is an important issue in computer vision. In this paper, we propose a novel framework which takes both appearance and motion characteristics into consideration to detect anomalies. A new foreground object localization method is put forward at first to extract object proposals. For motion representation, we present a novel local motion based descriptor named as Spatially Localized Multi-scale Histogram of Optical Flow (SL-MHOF) to capture the local motion statistics for each object proposal. For appearance representation, we apply convolutional neural networks (CNNs) because of their high visual discriminative capacities. These two features are then fed into Gaussian Mixture Model (GMM) Classifiers respectively to generate anomaly scores, which are fused with a softmax function to produce the final anomaly detection results. Experiments on UCSD datasets indicate the effectiveness of our proposed approach, which achieves state-of-the-art performance.

Peng Xu,Qihong Gao,Zhongbao Zhang,Kai Zhao

DOI: https://doi.org/10.1016/j.eswa.2023.121675

IF: 8.5

2023-09-27

Expert Systems with Applications

Abstract:Anomaly detection is vital in complex distributed systems. However, existing methods did not take into full account the temporal and spatial characteristics of data from multiple sources in the system. That will lead to less accurate of anomaly detection. To address this limitation, in this paper we propose a multi-source data based anomaly detection method through temporal and spatial characteristics. Specifically, we first considered the spatial characteristics. We propose a Transformer encoder to parse log templates and output template vectors, then an attention-based CNN is introduced to obtain the spatial characteristics from traces. Next, we considered the temporal characteristics. We propose Bi-LSTM network to obtain the temporal characteristics of multi-source data of the distributed systems, followed by anomaly detection. Finally, extensive comparative experiments verify the effectiveness of our method, the F1-score reaches 0.859 and improves by 2.14% compared to state-of-the-art methods.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Sarala Naidu,Ning Xiong

2024-04-25

Abstract:Anomaly detection plays a crucial role in industrial settings, particularly in maintaining the reliability and optimal performance of cooling systems. Traditional anomaly detection methods often face challenges in handling diverse data characteristics and variations in noise levels, resulting in limited effectiveness. And yet traditional anomaly detection often relies on application of single models. This work proposes a novel, robust approach using five heterogeneous independent models combined with a dual ensemble fusion of voting techniques. Diverse models capture various system behaviors, while the fusion strategy maximizes detection effectiveness and minimizes false alarms. Each base autoencoder model learns a unique representation of the data, leveraging their complementary strengths to improve anomaly detection performance. To increase the effectiveness and reliability of final anomaly prediction, dual ensemble technique is applied. This approach outperforms in maximizing the coverage of identifying anomalies. Experimental results on a real-world dataset of industrial cooling system data demonstrate the effectiveness of the proposed approach. This approach can be extended to other industrial applications where anomaly detection is critical for ensuring system reliability and preventing potential malfunctions.

Machine Learning

Xiao-hua WANG,Jie ZOU,Li LI,Yan LIANG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.03.011

2017-01-01

Abstract:The track anomaly detection is the key issue to make sure flying anomaly detected in time for the route flight.Traditional probabilistic frameworks are always based on prior probabilities.Transferable belief model (TBM) theory can generalizes the Bayesian approach without prior probabilities and efficiently deal with heterogeneous data.However,the traditional TBM cannot deal with the discontinuity and uncertainty about the time.Considering the existence of unreliable evidence sources,an alternative anomaly detection method is proposed in the framework of transferable belief model (TBM) theory.A two-level architecture fusion system based on TBM is developed.The novelty of this work is that it can detect both unreliable evidence source and abnormal behavior of the targets within our architecture by using a temporal analysis and a new discounting coefficient through introducing the concept of contribution degrees of features.Detection of abnormal behavior is based on a prediction/observation process and the influence of the faulty sources is weakened through discounting coefficients.The simulations show the better accuracy of decision and precision of time compared with the dynamic evidence reasoning method.

Kaiyu Zhang,Jinglong Chen,Chi-Guhn Lee,Shuilong He

DOI: https://doi.org/10.1016/j.eswa.2023.121506

IF: 8.5

2024-01-01

Expert Systems with Applications

Abstract:In industrial environments, individual sensor is easily affected by background noise, etc. In order to improve the reliability of anomaly detections, sensors are arranged at multiple measuring points to collect monitoring data of machines. However, under the coupling of vibration responses of multiple components of machines, the complex nonlinear relationship between monitoring data of multiple measuring points makes it difficult to achieve the best feature extraction and fusion effect, which reduces the accuracy of anomaly detection. To solve this problem, an unsupervised spatiotemporal fusion network augmented with random mask and time-relative information modulation is proposed. Firstly, we creatively propose random mask and modulated signal generation method based on mask index to learn the dependence of waveform and time dimension and achieve temporal dimension fusion of signals. Based on end-to-end training, modulated signals are also more conducive to spatial fusion. Then, to fully exploit the correlation between monitoring data of multiple measuring points and obtain the best spatial dimension fusion effect, a multi-head graph neural network based on self-attention weight matrix is carried out. Finally, we use transformer encoder to reconstruct the signal of each measuring point and obtain reconstruction error. Based on exponentially weighted moving average, anomaly detection threshold is obtained. Two anomaly detection experiments are conducted, and accuracy of 99.78%, 99% are achieved.

Zheng Xu,Yumeng Yang,Xinwen Gao,Min Hu

DOI: https://doi.org/10.3390/s23083910

IF: 3.9

2023-04-13

Sensors

Abstract:The detection of anomalies in multivariate time-series data is becoming increasingly important in the automated and continuous monitoring of complex systems and devices due to the rapid increase in data volume and dimension. To address this challenge, we present a multivariate time-series anomaly detection model based on a dual-channel feature extraction module. The module focuses on the spatial and time features of the multivariate data using spatial short-time Fourier transform (STFT) and a graph attention network, respectively. The two features are then fused to significantly improve the model's anomaly detection performance. In addition, the model incorporates the Huber loss function to enhance its robustness. A comparative study of the proposed model with existing state-of-the-art ones was presented to prove the effectiveness of the proposed model on three public datasets. Furthermore, by using in shield tunneling applications, we verify the effectiveness and practicality of the model.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Chao Hu,Weibin Qiu,Weijie Wu,Liqiang Zhu

DOI: https://doi.org/10.1016/S0550-3213%2801%2900405-9

2022-10-18

Abstract:Video anomaly detection aims to discover abnormal events in videos, and the principal objects are target objects such as people and vehicles. Each target in the video data has rich spatio-temporal context information. Most existing methods only focus on the temporal context, ignoring the role of the spatial context in anomaly detection. The spatial context information represents the relationship between the detection target and surrounding targets. Anomaly detection makes a lot of sense. To this end, a video anomaly detection algorithm based on target spatio-temporal context fusion is proposed. Firstly, the target in the video frame is extracted through the target detection network to reduce background interference. Then the optical flow map of two adjacent frames is calculated. Motion features are used multiple targets in the video frame to construct spatial context simultaneously, re-encoding the target appearance and motion features, and finally reconstructing the above features through the spatio-temporal dual-stream network, and using the reconstruction error to represent the abnormal score. The algorithm achieves frame-level AUCs of 98.5% and 86.3% on the UCSDped2 and Avenue datasets, respectively. On the UCSDped2 dataset, the spatio-temporal dual-stream network improves frames by 5.1% and 0.3%, respectively, compared to the temporal and spatial stream networks. After using spatial context encoding, the frame-level AUC is enhanced by 1%, which verifies the method's effectiveness.

Computer Vision and Pattern Recognition,Image and Video Processing