Zhixia Zhang,Liping Xie

DOI: https://doi.org/10.1002/cpe.5861

2020-01-01

Abstract:At present, irrelevant or redundant features in network traffic data occupy a lot of storage and computing resources, reducing the accuracy of network anomaly detection. Aiming at this problem, a many-objective feature selection model is proposed in this article. The model takes the number of selected feature, false alarm rate, detection rate, precision and accuracy as the optimization objectives, and characterizes the performance of the feature selection method from different perspectives. At the same time, a many-objective integration optimization algorithm (IN-MaOEA) is designed to solve this model. First, the algorithm will build the evolution strategy pool and the dominance strategy pool, then a random probability strategy selection mechanism is designed to improve the algorithm's convergence and diversity. At the same time, an anomaly detection simulation was performed using the NSL-KDD dataset. Experimental results show that the IN-MaOEA algorithm can effectively improve the performance of detection.

Ziyu Wang,Jiahai Yang,Fuliang Li

DOI: https://doi.org/10.1007/978-3-319-23802-9_10

2014-01-01

Abstract:Network anomalies have been a serious challenge for the Internet nowadays. In this paper, two new metrics, IGTE (Inter-group Traffic Entropy) and IGFE (Inter-group Flow Entropy), are proposed for network anomaly detection. It is observed that IGTE and IGFE are highly correlated and usually change synchronously when no anomaly occurs. However, once anomalies occur, this highly linear correlation would be destroyed. Based on this observation, we propose a linear regression model built upon IGTE and IGFE, to detect the network anomalies. We use both CERNET2 netflow data and synthetic data to validate the regression model and its corresponding detection method. The results show that the regression-based method works well and outperforms the well known wavelet-based detection method.

Mononito Goswami,Cristian Challu,Laurent Callot,Lenon Minorics,Andrey Kan

DOI: https://doi.org/10.48550/arXiv.2210.01078

2023-01-25

Abstract:Anomaly detection in time-series has a wide range of practical applications. While numerous anomaly detection methods have been proposed in the literature, a recent survey concluded that no single method is the most accurate across various datasets. To make matters worse, anomaly labels are scarce and rarely available in practice. The practical problem of selecting the most accurate model for a given dataset without labels has received little attention in the literature. This paper answers this question i.e. Given an unlabeled dataset and a set of candidate anomaly detectors, how can we select the most accurate model? To this end, we identify three classes of surrogate (unsupervised) metrics, namely, prediction error, model centrality, and performance on injected synthetic anomalies, and show that some metrics are highly correlated with standard supervised anomaly detection performance metrics such as the $F_1$ score, but to varying degrees. We formulate metric combination with multiple imperfect surrogate metrics as a robust rank aggregation problem. We then provide theoretical justification behind the proposed approach. Large-scale experiments on multiple real-world datasets demonstrate that our proposed unsupervised approach is as effective as selecting the most accurate model based on partially labeled data.

Machine Learning,Artificial Intelligence

Yi Li,Zhangbing Zhou,Shuiguang Deng,Xiao Sun,Xiao Xue,Sami Yangui,Walid Gaaloul

DOI: https://doi.org/10.1109/icws62655.2024.00077

2024-01-01

Abstract:Anomaly detection is a long-standing research topic to support the prompt remedy of potential risks for dependency-aware tasks, where Graph Neural Networks (GNNs) models have been adopted to differentiate anomalies from normal patterns. Generally, GNN models utilize time series data to construct graph structures for capturing task dependencies between Internet of Things (IoT) devices, such that deviations from predicted behaviours are assumed as anomalies. Current forecasting-based anomaly detection methods can hardly detect anomalies, which are uncovered by historical sensory data, but are explicitly specified by domain knowledge. To solve this issue, this paper proposes a Knowledge-enhanced graph attention-based Anomaly Detection (KeAD) method. Specifically, a knowledge-enhanced graph structure is constructed by incorporating domain-specific knowledge to represent spatio-temporal dependencies between IoT devices. Thereafter, a knowledge-enhanced graph attention-based forecasting network is developed to predict future behaviours of IoT devices. Anomalies are detected by analyzing deviations from these predicted behaviours, taking domain-specific knowledge into account. Extensive experiments are conducted based on publicly-available datasets, and evaluation results demonstrate that our KeAD outperform the state-of-the-art techniques in terms of the accuracy of anomaly detection.

Makiya Nakashima,Alex Sim,Youngsoo Kim,Jonghyun Kim,Jinoh Kim

DOI: https://doi.org/10.1145/3446636

2021-06-21

ACM Transactions on Management Information Systems

Abstract:Variable selection (also known as feature selection ) is essential to optimize the learning complexity by prioritizing features, particularly for a massive, high-dimensional dataset like network traffic data. In reality, however, it is not an easy task to effectively perform the feature selection despite the availability of the existing selection techniques. From our initial experiments, we observed that the existing selection techniques produce different sets of features even under the same condition (e.g., a static size for the resulted set). In addition, individual selection techniques perform inconsistently, sometimes showing better performance but sometimes worse than others, thereby simply relying on one of them would be risky for building models using the selected features. More critically, it is demanding to automate the selection process, since it requires laborious efforts with intensive analysis by a group of experts otherwise. In this article, we explore challenges in the automated feature selection with the application of network anomaly detection. We first present our ensemble approach that benefits from the existing feature selection techniques by incorporating them, and one of the proposed ensemble techniques based on greedy search works highly consistently showing comparable results to the existing techniques. We also address the problem of when to stop to finalize the feature elimination process and present a set of methods designed to determine the number of features for the reduced feature set. Our experimental results conducted with two recent network datasets show that the identified feature sets by the presented ensemble and stopping methods consistently yield comparable performance with a smaller number of features to conventional selection techniques.

Dongwen Li,Shenglin Zhang,Yongqian Sun,Yang Guo,Zeyu Che,Shiqi Chen,Zhenyu Zhong,Minghan Liang,Minyi Shao,Mingjie Li,Shuyang Liu,Yuzhi Zhang,Dan Pei

DOI: https://doi.org/10.1109/issre59848.2023.00014

2023-01-01

Abstract:Using multivariate time series (MTS) data for anomaly detection is widely adopted in service systems, such as web services and financial businesses. Researchers have recently proposed some well-performed algorithms for MTS anomaly detection from different perspectives. When applied to the real world, we observe that none of the algorithms is adaptable to all scenarios due to the complex data and anomaly characteristics. Moreover, there is currently a lack of comprehensive analysis work of these algorithms to guide operators in selecting the appropriate one in practice. To bridge this gap, we conduct an empirical study using various real-world data to gain an in-depth understanding of state-of-the-art anomaly detection algorithms. First, we provide general recommendations to guide operators in selecting suitable models based on the volume of training data, computational resources, and effectiveness requirements. Then, we summarize the typical data characteristics and types of anomalies and offer tailored model selection suggestions for different data characteristics and anomaly types. At last, we apply the summarized model selection suggestions to all the datasets we collected. The results show that most of our suggestions can achieve better than any single algorithm alone, demonstrating the effectiveness and generalization of our recommendations.

Zhongguo Yang,Irshad Ahmed Abbasi,Elfatih Elmubarak Mustafa,Sikandar Ali,Mingzhu Zhang

DOI: https://doi.org/10.1155/2021/6677027

IF: 1.968

2021-02-05

Security and Communication Networks

Abstract:Anomaly detection algorithms (ADA) have been widely used as services in many maintenance monitoring platforms. However, there are numerous algorithms that could be applied to these fast changing stream data. Furthermore, in IoT stream data due to its dynamic nature, the phenomena of conception drift happened. Therefore, it is a challenging task to choose a suitable anomaly detection service (ADS) in real time. For accurate online anomalous data detection, this paper developed a service selection method to select and configure ADS at run-time. Initially, a time-series feature extractor (Tsfresh) and a genetic algorithm-based feature selection method are applied to swiftly extract dominant features which act as representation for the stream data patterns. Additionally, stream data and various efficient algorithms are collected as our historical data. A fast classification model based on XGBoost is trained to record stream data features to detect appropriate ADS dynamically at run-time. These methods help to choose suitable service and their respective configuration based on the patterns of stream data. The features used to describe and reflect time-series data’s intrinsic characteristics are the main success factor in our framework. Consequently, experiments are conducted to evaluate the effectiveness of features closed by genetic algorithm. Experimentations on both artificial and real datasets demonstrate that the accuracy of our proposed method outperforms various advanced approaches and can choose appropriate service in different scenarios efficiently.

computer science, information systems,telecommunications

Ziyu Wang,Jiahai Yang,Zhang ShiZe,Chenxi Li

DOI: https://doi.org/10.1109/icc.2017.7997373

2017-01-01

Abstract:In our previous work, we have applied ordinary linear regression equation to network anomaly detection. However, the performance of ordinary linear regression equation is susceptible to outliers. Unfortunately, it is almost impossible to obtain a "clean" traffic data set for ordinary regression model due to the burstiness of network traffic and the pervasive network attacks. In this paper, we make use of robust regression techniques to mitigate the impact of outliers in the training data set. The experiment results show that the robust regression based method is more reliable than the ordinary regression based method in the face of outliers.

Jiahao Bu,Ying Liu,Shenglin Zhang,Weibin Meng,Qitong Liu,Xiaotian Zhu,Dan Pei

DOI: https://doi.org/10.1109/pccc.2018.8711315

2018-01-01

Abstract:Internet-based services monitor and detect anomalies on KPIs (Key Performance Indicators, say CPU utilization, number of queries per second, response latency) of their applications and systems in order to keep their services reliable. This paper identifies a common, important, yet little-studied problem of KPI anomaly detection: rapid deployment of anomaly detection models for large number of emerging KPI streams, without manual algorithm selection, parameter tuning, or new anomaly labeling for any newly emerging KPI streams. We propose the first framework ADS (Anomaly Detection through Self-training) that tackles the above problem, via clustering and semi-supervised learning. Our extensive experiments using real-world data show that, with the labels of only the 5 cluster centroids of 70 historical KPI streams, ADS achieves an averaged best F-score of 0.92 on 81 new KPI streams, almost the same as a state-of-art supervised approach, and greatly outperforming a state-of-art unsupervised approach by 61.40% on average.

Yong Sun,Huakun Que,Qianqian Cai,Jingming Zhao,Jingru Li,Zhengmin Kong,Shuai Wang

DOI: https://doi.org/10.3390/en15134751

IF: 3.2

2022-06-29

Energies

Abstract:This paper proposes a novel network anomaly detection framework based on data balance and feature selection. Different from the previous binary classification of network intrusion, the network anomaly detection strategy proposed in this paper solves the problem of multiple classification of network intrusion. Regarding the common data imbalance of a network intrusion detection set, a resampling strategy generated by random sampling and Borderline SMOTE data is developed for data balance. According to the features of the intrusion detection dataset, feature selection is carried out based on information gain rate. Experiments are carried out on three basic machine learning algorithms (K-nearest neighbor algorithm (KNN), decision tree (DT), random forest (RF)), and the optimal feature selection scheme is obtained.

energy & fuels

Makiya Nakashima,Alex Sim,Youngsoo Kim,Jonghyun Kim,Jinoh Kim

DOI: https://doi.org/10.48550/arXiv.1910.12806

2019-10-29

Abstract:While variable selection is essential to optimize the learning complexity by prioritizing features, automating the selection process is preferred since it requires laborious efforts with intensive analysis otherwise. However, it is not an easy task to enable the automation due to several reasons. First, selection techniques often need a condition to terminate the reduction process, for example, by using a threshold or the number of features to stop, and searching an adequate stopping condition is highly challenging. Second, it is uncertain that the reduced variable set would work well; our preliminary experimental result shows that well-known selection techniques produce different sets of variables as a result of reduction (even with the same termination condition), and it is hard to estimate which of them would work the best in future testing. In this paper, we demonstrate the potential power of our approach to the automation of selection process that incorporates well-known selection methods identifying important variables. Our experimental results with two public network traffic data (UNSW-NB15 and IDS2017) show that our proposed method identifies a small number of core variables, with which it is possible to approximate the performance to the one with the entire variables.

Machine Learning,Networking and Internet Architecture

Feifei Cao,Xitong Guo

DOI: https://doi.org/10.1016/j.engappai.2024.108663

IF: 8

2024-09-01

Engineering Applications of Artificial Intelligence

Abstract:Financial multivariate time series anomaly detection has received widespread attention, which is crucial for the reliable and safe operation of the financial system. Based on this, multi-variable time series anomaly detection methods based on different network architectures have emerged, but these models are either based on a single anomaly hypothesis (such as point anomalies) or based on labeled data (such as supervised methods). This goes against the multimodal nature and complexity of real-world data, making these methods ineffective. To remedy these shortcomings, we propose a model selection framework based on curiosity search and experience replay mechanisms.This framework includes multiple anomaly assumptions and base models in a carefully designed search space. The agent explores this search space to guide each base model, leveraging its strengths in exotic types of time series data. The framework subsequently employs reinforcement learning to select the optimal model from these candidate models. Through multi-dimensional, multi-index experimental verification of four different types of data sets, our model search framework can select the optimal base model suitable for the current timestamp from the base model pool, thereby achieving superior detection performance and better than the current A model selection framework based on reinforcement learning.Additionally, we introduce self-imitation learning and utilize an experience replay mechanism to enhance the effectiveness of samples, thereby saving detection time. To better extend our approach to more complex real-world applications, we conduct interpretability analysis on the output of anomalies. This research assists in troubleshooting and analyzing anomalies.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Shuo Liang,Dechang Pi,Xiangyan Zhang

DOI: https://doi.org/10.1088/1361-6501/ad545e

IF: 2.398

2024-06-06

Measurement Science and Technology

Abstract:Multivariate time series (MTS) anomaly detection is vital for ensuring the safety and reliability of large-scale industrial systems. However, existing deep learning methods often overlook complex interrelationships between different time series and the study of anomalies has been limited to detection. To address this, we propose an MTS anomaly detection model based on transfer entropy (TE) and graph attention network (GAT). In the graph construction module, by combining modified TE with automatic structure learning, we extract intricate relationships between features. In the prediction module, we modify the GAT to implement the dynamic attention mechanism and non-linear interaction between different features to improve the accuracy of model prediction. Finally, our model combines the modified TE with anomaly detection task, which can be used to provide interpretability for the detected anomalies using the constructed causal graph. Experimental results on both real and public datasets show that our approach outperforms the mainstream methods, in particular, achieving optimal results in terms of F1 scores and recall.

engineering, multidisciplinary,instruments & instrumentation

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Zongyuan Huang,Baohua Zhang,Guoqiang Hu,Longyuan Li,Yanyan Xu,Yaohui Jin

2023-10-09

Abstract:Anomaly detection plays a crucial role in various real-world applications, including healthcare and finance systems. Owing to the limited number of anomaly labels in these complex systems, unsupervised anomaly detection methods have attracted great attention in recent years. Two major challenges faced by the existing unsupervised methods are: (i) distinguishing between normal and abnormal data in the transition field, where normal and abnormal data are highly mixed together; (ii) defining an effective metric to maximize the gap between normal and abnormal data in a hypothesis space, which is built by a representation learner. To that end, this work proposes a novel scoring network with a score-guided regularization to learn and enlarge the anomaly score disparities between normal and abnormal data. With such score-guided strategy, the representation learner can gradually learn more informative representation during the model training stage, especially for the samples in the transition field. We next propose a score-guided autoencoder (SG-AE), incorporating the scoring network into an autoencoder framework for anomaly detection, as well as other three state-of-the-art models, to further demonstrate the effectiveness and transferability of the design. Extensive experiments on both synthetic and real-world datasets demonstrate the state-of-the-art performance of these score-guided models (SGMs).

Machine Learning,Artificial Intelligence

Haodong Yan,Fudong Li,Jinglong Chen,Zijun Liu,Jun Wang,Yong Feng,Xinwei Zhang

DOI: https://doi.org/10.1016/j.ress.2023.109418

2023-06-09

Abstract:Real-time anomaly detection is essential for the safe launch of some sophisticated equipment, such as liquid rocket engines (LRE), in order to head off disasters. However, the Industrial Internet of Things (IIoT) edge's real-time requirements cannot be addressed by the present methodologies, and the outcome is poor when dealing with a lack of training samples on the device side. We provide a solution for device-side real-time anomaly detection using the architecture known as Graph Embedded in Graph Networks to address these issues (GG-Nets). To fully extract features under insufficient training data, in our method, we learn the temporal relationship of timestamps in the multivariate signal through a time-series graph attention network (T-GAT) and extract features, and use the extracted features to replace the original signal as the information of the sensor attention network (S-GAT) nodes. For efficiency, the signals in the original sample are divided into odd and even sequences, which greatly reduces the number of nodes in the T-GAT. Experiments reveal that the proposed method outperforms other state-of-the-art models on the LRE ignition dataset. Furthermore, the ablation experiment proves that each module of the model improves the effect and extensive discussions explore interpretability. Our code can be found on: https://github.com/yhd-ai/GG-Nets .

engineering, industrial,operations research & management science

Manqing Dong,Zhanxiang Zhao,Yitong Geng,Wentao Li,Wei Wang,Huai Jiang

2023-07-20

Abstract:Time series anomaly detection is crucial for industrial monitoring services that handle a large volume of data, aiming to ensure reliability and optimize system performance. Existing methods often require extensive labeled resources and manual parameter selection, highlighting the need for automation. This paper proposes a comprehensive framework for automatic parameter optimization in time series anomaly detection models. The framework introduces three optimization targets: prediction score, shape score, and sensitivity score, which can be easily adapted to different model backbones without prior knowledge or manual labeling efforts. The proposed framework has been successfully applied online for over six months, serving more than 50,000 time series every minute. It simplifies the user's experience by requiring only an expected sensitive value, offering a user-friendly interface, and achieving desired detection results. Extensive evaluations conducted on public datasets and comparison with other methods further confirm the effectiveness of the proposed framework.

Machine Learning

Zahra Nemati,Ali Mohammadi,Ali Bayat,Abbas Mirzaei

DOI: https://doi.org/10.1080/03772063.2023.2299673

IF: 1.8768

2024-01-17

IETE Journal of Research

Abstract:In response to the evolving landscape of data security and the rising threat of anomalies in various domains, this study presents an innovative approach for anomaly detection in data streams and extends its application to financial network security. Our research initially focuses on identifying relevant correlation ratios for anomaly detection in the commercial data traffic of some companies listed during the 2014–2020 period. Utilising genetic algorithms (GA), gray wolf optimisation (GWO) for dimensionality reduction, we process 96 different financial streams. Subsequently, we employ the support vector machine (SVM) classifier to categorise companies into anomaly classes based on their financial data. The SVM classifier's initial performance, considering all financial ratios, falls short of our expectations. Our research thus provides a comprehensive approach to anomaly detection, showcasing the versatility and effectiveness of our methods in financial data stream analysis and network security. By combining the strengths of metaheuristic methods in data analysis and advanced deep learning techniques in network security, our work offers comprehensive solutions for anomaly detection in both domains. To enhance the classification accuracy and streamline the ratios, we introduce metaheuristic algorithms. GWO, in particular, stands out, with a fitness function of 0.2940 and an accuracy of 70.06% after 31 iterations. This algorithm successfully extracts 9 crucial financial ratios. These GWO-extracted ratios are then integrated into the SVM classifier, resulting in an anomaly detection model with outstanding accuracy, precision, error reduction, and efficiency, achieving 75.83%, 66.80%, 33.2%, and 80.3%, respectively.

telecommunications,engineering, electrical & electronic

Emanuele Mengoli,Zhiyuan Yao,Wutao Wei

2024-02-01

Abstract:Anomaly detection plays a crucial role in ensuring network robustness. However, implementing intelligent alerting systems becomes a challenge when considering scenarios in which anomalies can be caused by both malicious and non-malicious events, leading to the difficulty of determining anomaly patterns. The lack of labeled data in the computer networking domain further exacerbates this issue, impeding the development of robust models capable of handling real-world scenarios. To address this challenge, in this paper, we propose an end-to-end anomaly detection model development pipeline. This framework makes it possible to consume user feedback and enable continuous user-centric model performance evaluation and optimization. We demonstrate the efficacy of the framework by way of introducing and bench-marking a new forecasting model -- named \emph{Lachesis} -- on a real-world networking problem. Experiments have demonstrated the robustness and effectiveness of the two proposed versions of \emph{Lachesis} compared with other models proposed in the literature. Our findings underscore the potential for improving the performance of data-driven products over their life cycles through a harmonized integration of user feedback and iterative development.

Networking and Internet Architecture,Machine Learning

Astha Garg,Wenyu Zhang,Jules Samaran,Savitha Ramasamy,Chuan-Sheng Foo

DOI: https://doi.org/10.48550/arXiv.2109.11428

IF: 5.414

2021-09-23

Machine Learning

Abstract:Several techniques for multivariate time series anomaly detection have been proposed recently, but a systematic comparison on a common set of datasets and metrics is lacking. This paper presents a systematic and comprehensive evaluation of unsupervised and semi-supervised deep-learning based methods for anomaly detection and diagnosis on multivariate time series data from cyberphysical systems. Unlike previous works, we vary the model and post-processing of model errors, i.e. the scoring functions independently of each other, through a grid of 10 models and 4 scoring functions, comparing these variants to state of the art methods. In time-series anomaly detection, detecting anomalous events is more important than detecting individual anomalous time-points. Through experiments, we find that the existing evaluation metrics either do not take events into account, or cannot distinguish between a good detector and trivial detectors, such as a random or an all-positive detector. We propose a new metric to overcome these drawbacks, namely, the composite F-score ($Fc_1$), for evaluating time-series anomaly detection. Our study highlights that dynamic scoring functions work much better than static ones for multivariate time series anomaly detection, and the choice of scoring functions often matters more than the choice of the underlying model. We also find that a simple, channel-wise model - the Univariate Fully-Connected Auto-Encoder, with the dynamic Gaussian scoring function emerges as a winning candidate for both anomaly detection and diagnosis, beating state of the art algorithms.