Wenzhuo Yang,Kun Zhang,Steven C.H. Hoi

DOI: https://doi.org/10.48550/arXiv.2206.15033

2022-09-29

Abstract:Detecting anomalies and the corresponding root causes in multivariate time series plays an important role in monitoring the behaviors of various real-world systems, e.g., IT system operations or manufacturing industry. Previous anomaly detection approaches model the joint distribution without considering the underlying mechanism of multivariate time series, making them computationally hungry and hard to identify root causes. In this paper, we formulate the anomaly detection problem from a causal perspective and view anomalies as instances that do not follow the regular causal mechanism to generate the multivariate data. We then propose a causality-based framework for detecting anomalies and root causes. It first learns the causal structure from data and then infers whether an instance is an anomaly relative to the local causal mechanism whose conditional distribution can be directly estimated from data. In light of the modularity property of causal systems (the causal processes to generate different variables are irrelevant modules), the original problem is divided into a series of separate, simpler, and low-dimensional anomaly detection problems so that where an anomaly happens (root causes) can be directly identified. We evaluate our approach with both simulated and public datasets as well as a case study on real-world AIOps applications, showing its efficacy, robustness, and practical feasibility.

Machine Learning,Artificial Intelligence

Chao Liu,Kin Gwn Lore,Soumik Sarkar

2016-01-01

Abstract:Modern distributed cyber-physical systems encounter a large variety of anomalies and in many cases, they are vulnerable to catastrophic fault propagation scenarios due to strong connectivity among the sub-systems. In this regard, root-cause analysis becomes highly intractable due to complex fault propagation mechanisms in combination with diverse operating modes. This paper presents a new data-driven framework for root-cause analysis for addressing such issues. The framework is based on a spatiotemporal feature extraction scheme for multivariate time series built on the concept of symbolic dynamics for discovering and representing causal interactions among subsystems of a complex system. We propose sequential state switching ($S^3$) and artificial anomaly association ($A^3$) methods to implement root-cause analysis in an unsupervised and semi-supervised manner respectively. Synthetic data from cases with failed pattern(s) and anomalous node are simulated to validate the proposed approaches, then compared with the performance of vector autoregressive (VAR) model-based root-cause analysis. The results show that: (1) $S^3$ and $A^3$ approaches can obtain high accuracy in root-cause analysis and successfully handle multiple nominal operation modes, and (2) the proposed tool-chain is shown to be scalable while maintaining high accuracy.

Jia-cheng Pan,Dong-ming Han,Fang-zhou Guo,Da-wei Zhou,Nan Cao,Jing-rui He,Ming-liang Xu,Wei Chen

DOI: https://doi.org/10.1631/fitee.1900310

IF: 2.526

2020-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:A dynamic network refers to a graph structure whose nodes and/or links dynamically change over time. Existing visualization and analysis techniques focus mainly on summarizing and revealing the primary evolution patterns of the network structure. Little work focuses on detecting anomalous changing patterns in the dynamic network, the rare occurrence of which could damage the development of the entire structure. In this study, we introduce the first visual analysis system RCAnalyzer designed for detecting rare changes of sub-structures in a dynamic network. The proposed system employs a rare category detection algorithm to identify anomalous changing structures and visualize them in the context to help oracles examine the analysis results and label the data. In particular, a novel visualization is introduced, which represents the snapshots of a dynamic network in a series of connected triangular matrices. Hierarchical clustering and optimal tree cut are performed on each matrix to illustrate the detected rare change of nodes and links in the context of their surrounding structures. We evaluate our technique via a case study and a user study. The evaluation results verify the effectiveness of our system.

Ching Chang,Wen-Chih Peng

DOI: https://doi.org/10.48550/arXiv.2301.07281

2024-05-03

Abstract:With the rapid development of technology, the automated monitoring systems of large-scale factories are becoming more and more important. By collecting a large amount of machine sensor data, we can have many ways to find anomalies. We believe that the real core value of an automated monitoring system is to identify and track the cause of the problem. The most famous method for finding causal anomalies is RCA, but there are many problems that cannot be ignored. They used the AutoRegressive eXogenous (ARX) model to create a time-invariant correlation network as a machine profile, and then use this profile to track the causal anomalies by means of a method called fault propagation. There are two major problems in describing the behavior of a machine by using the correlation network established by ARX: (1) It does not take into account the diversity of states (2) It does not separately consider the correlations with different time-lag. Based on these problems, we propose a framework called Ranking Causal Anomalies in End-to-End System (RCAE2E), which completely solves the problems mentioned above. In the experimental part, we use synthetic data and real-world large-scale photoelectric factory data to verify the correctness and existence of our method hypothesis.

Machine Learning

Han Dongming,Pan Jiacheng,Pan Rusheng,Zhou Dawei,Cao Nan,He Jingrui,Xu Mingliang,Chen Wei

DOI: https://doi.org/10.1007/s11704-020-0013-1

IF: 2.6688

2021-01-01

Frontiers of Computer Science

Abstract:Multivariate dynamic networks indicate networks whose topology structure and vertex attributes are evolving along time. They are common in multimedia applications. Anomaly detection is one of the essential tasks in analyzing these networks though it is not well addressed. In this paper, we combine a rare category detection method and visualization techniques to help users to identify and analyze anomalies in multivariate dynamic networks. We conclude features of rare categories and two types of anomalies of rare categories. Then we present a novel rare category detection method, called DIRAD, to detect rare category candidates with anomalies. We develop a prototype system called iNet, which integrates two major visualization components, including a glyph-based rare category identifier, which helps users to identify rare categories among detected substructures, a major view, which assists users to analyze and interpret the anomalies of rare categories in network topology and vertex attributes. Evaluations, including an algorithm performance evaluation, a case study, and a user study, are conducted to test the effectiveness of proposed methods.

Kun Zhang,S. Hoi,Wenzhuo Yang

DOI: https://doi.org/10.48550/arXiv.2206.15033

Abstract:Anomaly detection in multivariate time series plays an important role in monitoring the behaviors of various real-world systems, e.g., IT system operations or manufacturing industry. Previous approaches model the joint distribution without considering the underlying mechanism of multivariate time series, making them complicated and computationally hungry. In this paper, we formulate the anomaly detection problem from a causal perspective and view anomalies as instances that do not follow the regular causal mechanism to generate the multivariate data. We then propose a causality-based anomaly detection approach, which first learns the causal structure from data and then infers whether an instance is an anomaly relative to the local causal mechanism to generate each variable from its direct causes, whose conditional distribution can be directly estimated from data. In light of the modularity property of causal systems, the original problem is divided into a series of separate low-dimensional anomaly detection problems so that where an anomaly happens can be directly identified. We evaluate our approach with both simulated and public datasets as well as a case study on real-world AIOps applications, showing its efficacy, robustness, and practical feasibility.

Computer Science

Xin Shi,Robert Qiu,Zenan Ling,Fan Yang,Haosen Yang,Xing He

DOI: https://doi.org/10.1109/tsg.2019.2929219

IF: 10.275

2019-01-01

IEEE Transactions on Smart Grid

Abstract:The online monitoring data in distribution networks contain rich information on the running states of the networks. By leveraging the data, this paper proposes a spatio-temporal correlation analysis approach for anomaly detection and location in distribution networks. First, spatio-temporal matrix for each feeder line in a distribution network is formulated and the spectrum of its covariance matrix is analyzed. The spectrum is complex and exhibits two aspects: 1) bulk, which arises from random noise or fluctuations and 2) spikes, which represents factors caused by anomaly signals or fault disturbances. Then, by connecting the estimation of the number of factors to the limiting empirical spectral density of covariance matrices of residuals, the spatio-temporal parameters are accurately estimated, during which free random variable techniques are used. Based on the estimators, anomaly indicators are designed to detect and locate the anomalies by exploring the variations of spatio-temporal correlations in the data. The proposed approach is sensitive to the anomalies and robust to random fluctuations, which makes it possible for detecting early anomalies and reducing false alarming rate. Case studies on both synthetic data and real-world online monitoring data verify the effectiveness and advantages of the proposed approach.

Wanke Yu,Chunhui Zhao

DOI: https://doi.org/10.1109/tii.2020.2990975

IF: 12.3

2020-01-01

IEEE Transactions on Industrial Informatics

Abstract:In real industrial applications, process data may get corrupted due to failure of the measurement devices or errors in data management. Besides, incipient faults, which may evolve into serious accidents, are generally more difficult to be detected because of its small magnitudes. In this article, a robust canonical variate dissimilarity analysis method is proposed to detect incipient faults for industrial processes with missing value. According to the low-rank characteristic, the low-rank matrix decomposition (LRMD) method is applied to recover the missing elements and reduce the ambient noise for process data. The output results of LRMD model consist of a low-rank component and a sparse component, which indicate main variance and residual information of the inputted data, respectively. For each component, a canonical variate analysis) model is developed to extract the temporal correlation in the process data. Based on the obtained features, a total of three monitoring statistics are established to reflect the operation status of the online sample. Among them, a statistic is used to measure the static deviation of this sample, and other two indices are applied to evaluate the dissimilarity between the past and future canonical variates. A simulated process and a real industrial process are adopted to illustrate the performance of the proposed method. Experimental results show that the proposed model can be well developed with incomplete training data and robustly detects the incipient faults for industrial applications.

Chao Liu,Kin Gwn Lore,Soumik Sarkar

DOI: https://doi.org/10.1109/cdc.2017.8264527

2017-01-01

Abstract:Modern distributed cyber-physical systems encounter a large variety of anomalies and in many cases, they are vulnerable to catastrophic fault propagation scenarios due to strong connectivity among the sub-systems. In this regard, root-cause analysis becomes highly intractable due to complex fault propagation mechanisms in combination with diverse operating modes. This paper presents a new data-driven framework for root-cause analysis for addressing such issues. The framework is based on a spatiotemporal feature extraction scheme for distributed cyber-physical systems built on the concept of symbolic dynamics for discovering and representing causal interactions among subsystems of a complex system. We present two approaches for root-cause analysis, namely the sequential state switching (S-3, based on free energy concept of a Restricted Boltzmann Machine, RBM) and artificial anomaly association (A(3), a multi-class classification framework using deep neural networks, DNN). Synthetic data from cases with failed pattern(s) and anomalous node are simulated to validate the proposed approaches, then compared with the performance of vector autoregressive (VAR) model-based root-cause analysis. Real dataset based on Tennessee Eastman process (TEP) is also used for validation. The results show that: (1) S-3 and A(3) approaches can obtain high accuracy in root-cause analysis and successfully handle multiple nominal operation modes, and (2) the proposed tool-chain is shown to be scalable while maintaining high accuracy.

Xiaoyu Wang,Yongwang Zhou,Dongbiao Li,Chi Zhang

DOI: https://doi.org/10.1109/iccc62479.2024.10681973

2024-01-01

Abstract:Anomaly detection in dynamic and temporal graphs is frequently accomplished using unsupervised learning. This involves clustering to group similar data instances and identify outliers. Nonetheless, the accuracy of unsupervised learning algorithms is limited when anomalous data instances exhibit similar features. Existing graph theory-based methods can only detect significant anomalies that affect the entire network structure but fail to detect subtle anomalies such as small-scale DDoS attacks within node groups. Conversely, monitoring the behavior of every node in a real-time network can be expensive. In this paper, we propose a real-time anomaly detection method that leverages community detection and graph spectral theory. Specifically, each graph is partitioned into groups of densely connected nodes, which serve as detection objects to identify subtle anomalies. To address the challenge of detecting anomalies with similar features, we measured changes in communities between adjacent time steps, allowing us to identify outlier time points. Finally, to strike a balance between accuracy and cost, we utilize a novel graph spectral theory method as a graph distance function. Experimental evaluations demonstrate the efficacy of our approach in detecting subtle anomalies.

Wei Xiong,Naixue Xiong,Laurance T. Yang,Athanasios V. Vasilakos,Qian Wang,Hanping Hu

DOI: https://doi.org/10.1109/GLOCOMW.2010.5700309

2010-01-01

Abstract:Although various methods have been proposed to detect anomalies, they are mostly based on the traditional statistical physics. The traditional statistical physics methods are based on the stationary hypothesis of the network traffic, which always ignore the real catastrophe process when anomalies occur. In order to reflect the catastrophe process of the abnormal network traffic, we present a non-stationary network traffic anomaly detection approach based on catastrophe theory. The cusp catastrophe model is selected to describe the catastrophe feature of the network traffic and the catastrophe distance is defined as an index to assess the deviation from the normal catastrophe model and the serial of catastrophe distance is the main feature to detect anomaly. We evaluate our approach using the 1999 intrusion evaluation data set of network traffic trace provided by The Defense Advanced Research Projects Agency (DARPA). Experiment results show that our approach can effectively detect network anomalies and achieve high detection probability and low false alarms rate.

Chao Liu,Kin Gwn Lore,Zhanhong Jiang,Soumik Sarkar

DOI: https://doi.org/10.1016/j.knosys.2020.106527

2021-01-01

Abstract:Performance monitoring, anomaly detection, and root-cause analysis in complex cyber–physical systems (CPSs) are often highly intractable due to widely diverse operational modes, disparate data types, and complex fault propagation mechanisms. This paper presents a new data-driven framework for root-cause analysis, based on a spatiotemporal graphical modeling approach built on the concept of symbolic dynamics for discovering and representing causal interactions among sub-systems of complex CPSs. We formulate the root-cause analysis problem as a minimization problem via the proposed inference based metric and present two approximate approaches for root-cause analysis, namely the sequential state switching (S3, based on free energy concept of a restricted Boltzmann machine, RBM) and artificial anomaly association (A3, a classification framework using deep neural networks, DNN). Synthetic data from cases with failed pattern(s) and anomalous node(s) are simulated to validate the proposed approaches. Real dataset based on Tennessee Eastman process (TEP) is also used for comparison with other approaches. The results show that: (1) S3 and A3 approaches can obtain high accuracy in root-cause analysis under both pattern-based and node-based fault scenarios, in addition to successfully handling multiple nominal operating modes, (2) the proposed tool-chain is shown to be scalable while maintaining high accuracy, and (3) the proposed framework is robust and adaptive in different fault conditions and performs better in comparison with the state-of-the-art methods.

computer science, artificial intelligence

Luguo Xue,Yan Chen,Minnan Luo,Zhen Peng,Jun Liu

DOI: https://doi.org/10.1016/j.neucom.2020.04.047

IF: 6

2020-01-01

Neurocomputing

Abstract:Real-world information systems are naturally dynamic, and they are usually represented as a time-evolving attributed network (i.e., a sequence of static attributed networks). Recently, there is a surge of research interests in finding anomalous nodes upon attributed networks due to its significant implications in many high-impact applications, such as financial fraud detection, network intrusion detection, and opinion spam detection, to name a few. Despite the importance of anomaly detection in time-evolving attributed network, a vast majority of existing methods fail to capture the evolution of the underlying networks properly, as they regard the whole system as static and neglect the evolution process. Meanwhile, they treat all the attributes and the instances equally, ignoring the existence of noisy which may lead to the adverse effects to the detection results. To tackle these problems, in this paper, we propose a novel dynamic anomaly detection framework on time-evolving attributed networks on the basis of residual analysis, namely AMAD. Under the assumption of temporal smoothness property, AMAD leverages the small smooth disturbance between two consecutive time stamps to characterize the evolution of networks for incrementally update. Experiments conducted on both synthetic and real-world time-evolving attributed networks show the superiority of our proposed method in detecting anomalies. Moreover, our method is competitive in terms of efficiency compared to the existing work.

Mulugeta Weldezgina Asres,Christian Walter Omlin,CMS-HCAL Collaboration

2024-12-16

Abstract:Extracting anomaly causality facilitates diagnostics once monitoring systems detect system faults. Identifying anomaly causes in large systems involves investigating a more extensive set of monitoring variables across multiple subsystems. However, learning causal graphs comes with a significant computational burden that restrains the applicability of most existing methods in real-time and large-scale deployments. In addition, modern monitoring applications for large systems often generate large amounts of binary alarm flags, and the distinct characteristics of binary anomaly data -- the meaning of state transition and data sparsity -- challenge existing causality learning mechanisms. This study proposes an anomaly causal discovery approach (AnomalyCD), addressing the accuracy and computational challenges of generating causal graphs from binary flag data sets. The AnomalyCD framework presents several strategies, such as anomaly flag characteristics incorporating causality testing, sparse data and link compression, and edge pruning adjustment approaches. We validate the performance of this framework on two datasets: monitoring sensor data of the readout-box system of the Compact Muon Solenoid experiment at CERN, and a public data set for information technology monitoring. The results demonstrate the considerable reduction of the computation overhead and moderate enhancement of the accuracy of temporal causal discovery on binary anomaly data sets.

Machine Learning

ZengRi Zeng,Xuhui Liu,Ming Dai,Jian Zheng,Xiaoheng Deng,Detian Zeng,Jie Chen

DOI: https://doi.org/10.1109/tnsm.2024.3455768

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:The proliferation of internet-connected devices and the complexity of modern network environments have led to the collection of massive and high-dimensional datasets, resulting in substantial information redundancy and sample imbalance issues. These challenges not only hinder the computational efficiency and generalizability of anomaly detection systems but also compromise their ability to detect rare attack types, posing significant security threats. To address these pressing issues, we propose a novel causal genetic network-based anomaly detection method, the CNSGA, which integrates causal inference and the nondominated sorting genetic algorithm-III (NSGA-III). The CNSGA leverages causal reasoning to exclude irrelevant information, focusing solely on the features that are causally related to the outcome labels. Simultaneously, NSGA-III iteratively eliminates redundant information and prioritizes minority samples, thereby enhancing detection performance. To quantitatively assess the improvements achieved, we introduce two indices: a detection balance index and an optimal feature subset index. These indices, along with the causal effect weights, serve as fitness metrics for iterative optimization. The optimized individuals are then selected for subsequent population generation on the basis of nondominated reference point ordering. The experimental results obtained with four real-world network attack datasets demonstrate that the CNSGA significantly outperforms existing methods in terms of overall precision, the imbalance index, and the optimal feature subset index, with maximum increases exceeding 10%, 0.5, and 50%, respectively. Notably, for the CICDDoS2019 dataset, the CNSGA requires only 16-dimensional features to effectively detect more than 70% of all sample types, including 6 more network attack sample types than the other methods detect. The significance and impact of this work encompass the ability to eliminate redundant information, increase detection rates, balance attack detection systems, and ensure stability and generalizability. The proposed CNSGA framework represents a significant step forward in developing efficient and accurate anomaly detection systems capable of defending against a wide range of cyber threats in complex network environments.

Hadiseh Safdari,Caterina De Bacco

2024-04-16

Abstract:Anomaly detection is an essential task in the analysis of dynamic networks, as it can provide early warning of potential threats or abnormal behavior. We present a principled approach to detect anomalies in dynamic networks that integrates community structure as a foundational model for regular behavior. Our model identifies anomalies as irregular edges while capturing structural changes. Leveraging a Markovian approach for temporal transitions and incorporating structural information via latent variables for communities and anomaly detection, our model infers these hidden parameters to pinpoint abnormal interactions within the network. Our approach is evaluated on both synthetic and real-world datasets. Real-world network analysis shows strong anomaly detection across diverse scenarios. In a more specific study of transfers of professional male football players, we observe various types of unexpected patterns and investigate how the country and wealth of clubs influence interactions. Additionally, we identify anomalies between clubs with incompatible community memberships, but also instances of anomalous transactions between clubs with similar memberships. The latter is due in particular to the dynamic nature of the transactions, as we find that the frequency of transfers results in anomalous behaviors that are otherwise expected to interact as they belong to similar communities.

Social and Information Networks

Tong Sun,Yan Liu,Jing Chen

DOI: https://doi.org/10.1109/compcomm.2017.8322580

2017-01-01

Abstract:Detecting abnormal behavior during network evolution is an important and challenging data analysis task at present, it is named as dynamic network anomaly detection in this paper. The network abnormal behavior differs from that of normal behavior, the probability of occurrence stays relatively low but may cause serious damages once happened. This paper takes the topological structure of the network as the research object and identifies the network anomaly through the change of network structure. Based on Cox-stuart test, we put forward a new type of method to detect dynamic anomaly. This method refers to an alarm of monitoring the trend change of the network structure parameters. Finally, an experiment was carried out in the real dynamic network-Enron Email Network, which verified that the dynamic network anomaly detection method proposed in this paper can effectively detect the network anomaly behavior.

Li Zonglin,Hu Guangmin,Yao Xingmiao,Yang Dan

DOI: https://doi.org/10.1155/2009/752818

2008-01-01

EURASIP Journal on Advances in Signal Processing

Abstract:Distributed network traffic anomaly refers to a traffic abnormal behavior involving many links of a network and caused by the same source (e.g., DDoS attack, worm propagation). The anomaly transiting in a single link might be unnoticeable and hard to detect, while the anomalous aggregation from many links can be prevailing, and does more harm to the networks. Aiming at the similar features of distributed traffic anomaly on many links, this paper proposes a network-wide detection method by performing anomalous correlation analysis of traffic signals' instantaneous parameters. In our method, traffic signals' instantaneous parameters are firstly computed, and their network-wide anomalous space is then extracted via traffic prediction. Finally, an anomaly is detected by a global correlation coefficient of anomalous space. Our evaluation using Abilene traffic traces demonstrates the excellent performance of this approach for distributed traffic anomaly detection.

Weishan Zhang,Yuqian Wang,Leiming Chen,Yong Yuan,Xingjie Zeng,Liang Xu,Hongwei Zhao

DOI: https://doi.org/10.1007/s12599-023-00825-8

2024-01-01

Business & Information Systems Engineering

Abstract:Multivariate time-series data exhibit intricate correlations in both temporal and spatial dimensions. However, existing network architectures often overlook dependencies in the spatial dimension and struggle to strike a balance between long-term and short-term patterns when extracting features from the data. Furthermore, industries within the business community are hesitant to share their raw data, which hinders anomaly prediction accuracy and detection performance. To address these challenges, the authors propose a dynamic circular network-based federated dual-view learning approach. Experimental results from four open-source datasets demonstrate that the method outperforms existing methods in terms of accuracy, recall, and F1_score for anomaly detection.

Shiyuan Fu,Xin Gao,Feng Zhai,Baofeng Li,Bing Xue,Jiahao Yu,Zhihang Meng,Guangyao Zhang

DOI: https://doi.org/10.1016/j.ins.2023.119978

IF: 8.1

2024-01-01

Information Sciences

Abstract:Multivariate time series anomaly detection methods can discover malfunctions in a complex system by detecting anomalies in the monitoring data. Multivariate time series have complex temporal and spatial correlations. Existing methods that explicitly model both correlations only extract semantic information sequentially in a single temporal-spatial or spatial-temporal order. However, different orders have a significant influence on the method's performance. In addition, a static graph structure trained on normal data has difficulties capturing the change of correlations between features when anomalies occur, limiting the method's performance. This paper proposes the Spatial-Temporal Anomaly Transformer (STAT), which extracts semantic information comprehensively by combining both spatial-temporal and temporal-spatial orders. STAT uses the Temporal Anomaly Transformer and the Spatial Anomaly Transformer (SAT) to explicitly compute temporal and spatial association discrepancies to conduct anomaly detection. Since the topological structure is usually unknown, SAT adopts a trainable hypersphere to learn the prior-association between features on normal data and computes the distance between the attention weights and the center of the hypersphere as the spatial association discrepancy. AUC and two recently proposed evaluation metrics are used to compare STAT with various typical methods on public data sets, proving that our method can achieve state-of-the-art performance.