Jingxuan Pang,Xiaokun Pu,Chunguang Li

DOI: https://doi.org/10.1109/tii.2022.3145834

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Anomaly detection plays an important role in industry, especially in ensuring system safety and product quality. Due to the unavailability of anomalous data in many practical cases, anomaly detection is usually solved by one-class classification (OCC) methods using only normal data. As a classical OCC method, one-class support vector machine (OCSVM) is a popular discriminative approach for anomaly detection, which detects abnormal data points by establishing a decision boundary in the kernel space. However, the performance of OCSVM heavily relies on kernel parameters, whose selection is not trivial for anomaly detection problems. Moreover, for some uneven and complex data distributions, different data regions may have quite different densities and shapes, making it difficult for OCSVM to obtain good boundaries in all regions using a global kernel parameter. To address the above two issues, in this article, we propose a hybrid algorithm incorporating vector quantization and OCSVM (VQ-OCSVM). Specifically, vector quantization is used to extract distribution information of normal data, and the results are used to construct an explicit mapping function to map data into a high-dimensional feature space. Then, OCSVM is performed in the feature space to build a classifier. By introducing the explicit mapping into OCSVM, the proposed method can effectively bypass the kernel parameter selection problem of the classical OCSVM method. Furthermore, the constructed mapping carries the data distribution information, and the VQ-OCSVM model can be regarded as an integration of generative learning and discriminative learning. The complementary properties of these two paradigms make the proposed VQ-OCSVM algorithm have better generalization capacity for complex data distribution. Both qualitative and quantitative experimental results demonstrate the effectiveness and advantages of the proposed method.

Ying Liu,Zhen Xu,Chunguang Li

DOI: https://doi.org/10.1016/j.ins.2018.07.045

IF: 8.1

2018-01-01

Information Sciences

Abstract:Recently, the research on semi-supervised support vector machine (S3VM) has received much attention, and many S3VM algorithms have been proposed. Existing studies have shown that S3VM is effective especially in the situations where labeled data is scarce. Nevertheless, most of existing S3VM algorithms belong to centralized learning, that is, all the data is stored and processed at a fusion center. In many real-world applications, data may be horizontally or vertically distributed over multiple nodes (parties). Besides, from the concerns of privacy and security, each node would not like to share its original data with the others. On the other hand, considering that the data is usually sequentially generated, online processing is preferred. In this paper, we propose two online distributed S3VM (dS3VM) algorithms, which are respectively used for horizontally and vertically partitioned data classification. In these two algorithms, to get a fully decentralized implementation, we propose a new form of manifold regularization defined on some anchor points that are adaptively selected by an online strategy. Besides, we use the sparse random feature map to approximate the kernel feature map. In this manner, the model parameters can be collaboratively estimated without transmitting the original data between neighbors. The convergence performances of the proposed algorithms are analyzed. Simulations on several data sets are performed. Results show that the proposed dS3VM algorithms achieve good classification performance even when there is only a small portion of labeled data.

Jun Ma,Guanzhong Dai,Zhong Xu

DOI: https://doi.org/10.1109/icppw.2009.6

2009-01-01

Abstract:We present a new network anomaly detection system using dissimilarity-based one-class support vector machine(DSVMC). we transform the raw data into a dissimilarity space using Dissimilarity Representations (DR). DR describe objects by their dissimilarities to a set of target class. DSVMC are constructed on these DR. We propose a framework of anomaly detection using DSVMC. A new strategy of prototype selection has been proposed to obtain better DR. We not only offer a better approach in strategy to describe to distribution of large training dataset but also reduce the computational cost of prototype selection largely. In order to deploy the ADS in real-time detection application, we use Kernel Primary Component Analysis (KPCA) to reduce the dimension of transformed data. Evaluation has been made among traditional one-class classifiers, the dissimilarity-based one class SVM classifier without optimization of DR (WSVMC) and our DSVMC on KDD-CUP'99 dataset. The results show that DSVMC can achieve high detection rate than WSVMC and more robust performance than traditional one-class classifiers.

Xudong Zhu,Zhijing Liu

DOI: https://doi.org/10.4028/www.scientific.net/amr.143-144.648

2010-01-01

Advanced Materials Research

Abstract:We present a novel online unsupervised anomaly detection method for human activities. The proposed approach is based on one-class support vector machine (OCSVM) clustering, where the novelty detection SVM capabilities are used for the identification of anomalous activities. Particular attention is given to activity classification in absence of a priori information on the distribution of outliers. Activities are represented by variable-length event sequences, but the most commonly used kernels are defined on fixed-dimension spaces. To solve the problem, we develop a novel sequence-similarity kernel, the n-grams kernel. Our kernel is conceptually simple and efficient to compute and performs well in comparison with state-of-the-art methods for anomaly detection. Moreover, most SVM algorithms require large number of memory to store the kernel matrix, or repeated access to the training samples. This makes it infeasible for online anomaly detection. In this paper, we develop simple and computationally efficient online learning algorithms for anomaly detection.

Junlin Zhou,Aleksandar Lazarevic,Kuo-Wei Hsu,Jaideep Srivastava,Yan Fu,Yue Wu

DOI: https://doi.org/10.1142/s0219622010004172

2010-01-01

International Journal of Information Technology & Decision Making

Abstract:Anomaly detection has recently become an important problem in many industrial and financial applications. Very often, the databases from which anomalies have to be found are located at multiple local sites and cannot be merged due to privacy reasons or communication overhead. In this paper, a novel general framework for distributed anomaly detection is proposed. The proposed method consists of three steps: (i) building local models for distributed data sources with unsupervised anomaly detection methods and computing quality measure of local models; (ii) transforming local unsupervised local models into sharing models; and (iii) reusing sharing models for new data and combining their results by considering both quality and diversity of them to detect anomalies in a global view. In experiments performed on synthetic and real-life large data set, the proposed distributed anomaly detection method achieved prediction performance comparable or even slightly better than the global anomaly detection algorithm applied on the data set obtained when all distributed data set were merged.

zheng hong xiao,zhi gang chen,xiao heng deng

DOI: https://doi.org/10.4028/www.scientific.net/AMM.121-126.3745

2012-01-01

Applied Mechanics and Materials

Abstract:Based on the principle that the same class is adjacent, an anomaly intrusion detection method based on K-means and Support Vector Machine (SVM) is presented. In order to overcome the disadvantage that k-means algorithm requires initializing parameters, this paper proposes an improved K-means algorithm with a strategy of adjustable parameters. According to the location of wireless sensor networks (WSN), we can obtain clustering results by applying improved K-means algorithm to WSN, and then SVM algorithm is applied to different clusters for anomaly intrusion detection. Simulation results show that the proposed method can detect abnormal behaviors efficiently and has high detection rate and low false positive rate than the current typical intrusion detection schemes of WSN.

Tian Wang,Jie Chen,Yi Zhou,Hichem Snoussi

DOI: https://doi.org/10.3390/s131217130

IF: 3.9

2013-01-01

Sensors

Abstract:The abnormal event detection problem is an important subject in real-time video surveillance. In this paper, we propose a novel online one-class classification algorithm, online least squares one-class support vector machine (online LS-OC-SVM), combined with its sparsified version (sparse online LS-OC-SVM). LS-OC-SVM extracts a hyperplane as an optimal description of training objects in a regularized least squares sense. The online LS-OC-SVM learns a training set with a limited number of samples to provide a basic normal model, then updates the model through remaining data. In the sparse online scheme, the model complexity is controlled by the coherence criterion. The online LS-OC-SVM is adopted to handle the abnormal event detection problem. Each frame of the video is characterized by the covariance matrix descriptor encoding the moving information, then is classified into a normal or an abnormal frame. Experiments are conducted, on a two-dimensional synthetic distribution dataset and a benchmark video surveillance dataset, to demonstrate the promising results of the proposed online LS-OC-SVM method.

Xin Shi,Robert Qiu,Zenan Ling,Fan Yang,Haosen Yang,Xing He

DOI: https://doi.org/10.1109/tsg.2019.2929219

IF: 10.275

2019-01-01

IEEE Transactions on Smart Grid

Abstract:The online monitoring data in distribution networks contain rich information on the running states of the networks. By leveraging the data, this paper proposes a spatio-temporal correlation analysis approach for anomaly detection and location in distribution networks. First, spatio-temporal matrix for each feeder line in a distribution network is formulated and the spectrum of its covariance matrix is analyzed. The spectrum is complex and exhibits two aspects: 1) bulk, which arises from random noise or fluctuations and 2) spikes, which represents factors caused by anomaly signals or fault disturbances. Then, by connecting the estimation of the number of factors to the limiting empirical spectral density of covariance matrices of residuals, the spatio-temporal parameters are accurately estimated, during which free random variable techniques are used. Based on the estimators, anomaly indicators are designed to detect and locate the anomalies by exploring the variations of spatio-temporal correlations in the data. The proposed approach is sensitive to the anomalies and robust to random fluctuations, which makes it possible for detecting early anomalies and reducing false alarming rate. Case studies on both synthetic data and real-world online monitoring data verify the effectiveness and advantages of the proposed approach.

Ömer KASIM

DOI: https://doi.org/10.1016/j.comnet.2020.107390

IF: 5.493

2020-10-01

Computer Networks

Abstract:<p>The number of devices connected to the Internet is increasing day by day. This increase causes cyber-attacks to be larger and more complex. It is important to sdetect the anomalies rapidly when there is a cyber-attack. In detecting anomalies, high false positive rate is obtained by using feature extraction based on statistical calculations and machine learning algorithms. In proposed approach, the measured values obtained from the network are normalized between 0 and 1. These values applied to autoencoder model trained with optimum hyper parameters. This model contributes to feature learning and dimensional reduction. Support vector machines effectively differentiate between normal and DDOS attack traffic by using these features. The CICIDS dataset and virtually generated DDOS traffic are used to validate the proposed approach and measure its performance. The results show that the proposed approach speeds up training and testing times and performs better classification performance metrics than most previous approaches. The novelty of the study is that AE-SVM trained with CICIDS successfully captures virtually generated DDOS traffic data. Despite the unbalanced data set, 99.1% test success was achieved in detection of DDOS ​​traffic which is produced with Kali Linux. This success contributed to the solution of the high false-positive problem compared to other models.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Omar Alghushairy,Raed Alsini,Zakhriya Alhassan,Abdulrahman A. Alshdadi,Ameen Banjar,Ayman Yafoz,Xiaogang Ma

DOI: https://doi.org/10.1109/access.2024.3364400

IF: 3.9

2024-02-20

IEEE Access

Abstract:With the increase of cyber-attacks and security threats in the recent decade, it is necessary to safeguard sensitive data and provide robust protection to information systems and computer networks. In this paper, an anomaly-based network outlier detection system (NODS) is proposed and optimized to check and classify the incoming network traffic stream's behaviours that affect the computer networks. The proposed NODS has high classification efficiency. Network connection events classified as outliers are reported to the network admin to drop and block its packets. The NSL-KDD and CICIDS2017 intrusion datasets were employed to build the proposed system and test its detection capabilities. Sequential scenarios were implemented to optimize the system's effectiveness. Network features were normalized by min-max and Z-Score approaches, while the relevant features were selected individually by the principal component analysis (PCA) and correlated features selection (CFS) techniques. Support vector machine (SVM) and Gaussian Naive Bayes (GNB) algorithms are used to build the detection model, while the Genetic algorithm (GA) was employed to tune their control parameters. The obtained evaluation results proved that the proposed SVM based NODS is characterized by low false alarms and detection time as well as high classification accuracy. Furthermore, a comparative analysis was conducted with other existing techniques, and the results obtained demonstrate the effectiveness of the proposed SVM-IDS

computer science, information systems,telecommunications,engineering, electrical & electronic

Kai Guo,Datong Liu,Yu Peng,Xiyuan Peng

DOI: https://doi.org/10.1109/phm-chongqing.2018.00048

2018-01-01

Abstract:With large amount of industrial data available, data-driven anomaly detection methods have been widely used for ensuring industrial safety and preventing economic losses. Among them, one-class support vector machine (OCSVM) is an effective unsupervised method for detecting abnormal points by establishing a decision boundary in the kernel space and has obtained much attention in the research field in recent years. Through solving the convex quadratic programming problem, OCSVM obtains a classifier with maximum distance to the origin and satisfying maximum quantity of training samples, without utilizing anomaly data points. However, the outliers in the training set, which are more likely to be selected as support vectors, will lead to the degradation in the performance of OCSVM. Because the outliers are away from the center of the dataset and cannot represent the real characteristics for the data. To address this drawback, the clustering-based and LOF outlier detection method (CLOF), which has high computational efficiency and modeling accuracy, is adopted for eliminating the outliers and optimizing the final acquired boundary of OCSVM. Experimental results on shuttle flight data have illustrated the superior performance of the proposed approach.

Arya Karami,Seyed Taghi Akhavan Niaki

DOI: https://doi.org/10.1016/j.neunet.2023.12.024

Abstract:Online monitoring of social networks offers exciting features for platforms, enabling both technical and behavioral analysis. Numerous studies have explored the adaptation of traditional quality control methods for detecting change points within social networks. However, the current research studies face limitations such as an overreliance on case-based attributes, high computational costs, poor scalability with large networks, and low sensitivity in fast change point detection. This paper proposes a novel algorithm for social network monitoring using One-Class Support Vector Machines (OC-SVMs) to address these limitations. Additionally, using both nodal and network-level attributes makes it versatile for diverse social network applications and effectively detecting network disturbances. The algorithm utilizes a well-defined training data dictionary with an updating procedure for evolutionary networks, enhancing memory and time efficiency by reducing the processing of input data. Extensive numerical experiments are conducted using an EpiCNet model to simulate interactions in an online social network, covering six change scenarios to evaluate the proposed methodology. The results show lower Average Run Length (ARL) and Expected Delay Detection (EDD), demonstrating the superior accuracy and effectiveness of the OC-SVM algorithm compared to alternative methods. Applying OC-SVM to the Enron Email network indicates its capability to identify change points, reflecting the tumultuous timeline that led to Enron's downfall. This further validates the substantial advancement of OC-SVM in social network monitoring and opens doors to broader real-world applications.

Xing Yang,Pan Huang,Le An,Peng Feng,Biao Wei,Peng He,Kexin Peng

DOI: https://doi.org/10.1007/s00354-022-00193-z

2022-01-01

New Generation Computing

Abstract:With the rapid development of information technology, Smart Campus Card System (SCCS) has become an important part of digital campus construction. Although the characteristics of students' abnormal activities can be reflected in smart campus card records, studies now focus more on analyzing the relationship between normal student activities and smart campus card data. Therefore, we analyzed some features of students’ amounts of consumption on campus and their statistical characteristics, and established a dataset based on smart campus card records for the purpose of detecting students’ abnormal activities. However, extant anomaly detection methods are prone to the two issues listed below. First, the vast majority of existing unsupervised anomaly detection algorithms are trained by fitting a central piece of the training data while disregarding the anomalous data. Those approaches do not completely eliminate the impact of anomaly data. Secondly, those algorithms have poor time performance on large-scale datasets. This paper proposed a growing model-based one-class support vector machine (GMB-OCSVM) to solve the above problems. Our model outperforms other frontier models in terms of detection accuracy and execution efficiency after extensive testing. In particular, our method processes 61,000 more units of data per second than the OCSVM method in terms of execution efficiency and improves detection accuracy to 92.39%. It demonstrates that our method can effectively handle the challenges of abnormal data interference in the training process and inefficient execution, and can detect abnormal student behavior in the campus daily consumption dataset in an efficient and accurate manner, indicating that our method has some practical utility.

Hossein Saeedi Emadi,Sayyed Majid Mazinani

DOI: https://doi.org/10.1007/s11277-017-4961-1

IF: 2.017

2017-09-11

Wireless Personal Communications

Abstract:Anomaly is an important and influential element in Wireless Sensor Networks that affects the integrity of data. On account of the fact that these networks cannot be supervised, this paper, therefore, deals with the problem of anomaly detection. First, the three features of temperature, humidity, and voltage are extracted from the network traffic. Then, network data are clustered using the density-based spatial clustering of applications with noise (DBSCAN) algorithm. It also analyzes the accuracy of DBSCAN algorithm input data with the help of density-based detection techniques. This algorithm detects the points in regions with low density as anomaly. By using normal data, it trains support vector machine. And, finally, it removes anomalies from network data. The proposed algorithm is evaluated by the standard and general data set of Intel Berkeley Research lab (IRLB). In this paper, we could obliterate DBSCAN’s problem in selecting input parameters by benefiting from coefficient correlation. The advantage of the proposed algorithm over previous ones is in using soft computing methods, simple implementation, and improving detection accuracy through simultaneous analysis of those three features.

telecommunications

Hao Zhang,Zude Xiao,Jason Gu,Yanhua Liu

DOI: https://doi.org/10.1007/s11227-023-05474-y

IF: 3.3

2023-06-15

The Journal of Supercomputing

Abstract:With the rapid development of network technology, the Internet has brought significant convenience to various sectors of society, holding a prominent position. Due to the unpredictable and severe consequences resulting from malicious attacks, the detection of anomalous network traffic has garnered considerable attention from researchers over the past few decades. Accurately labeling a sufficient amount of network traffic data as a training dataset within a short period of time is a challenging task, given the rapid and massive generation of network traffic data. Furthermore, the proportion of malicious attack traffic is relatively small compared to the overall traffic data, and the distribution of traffic data across different types of malicious attacks also varies significantly. To address the aforementioned challenges, this paper presents a novel network anomaly detection algorithm based on semi-supervised learning and adaptive multiclass balancing. Building upon the assumption of consistent distribution between labeled and unlabeled data, this paper introduces the multiclass split balancing strategy and the adaptive confidence threshold function. These innovative approaches aim to tackle the issue of the multiclass imbalanced in traffic data. By leveraging the mutually beneficial relationship between semi-supervised learning and ensemble learning, this paper presents the collaborative rotation forest algorithm. This algorithm is specifically designed to enhance performance of anomaly detection in an environment with label inadequacy. Several comparative experiments conducted on the NSL-KDD, UNSW-NB15, and ToN-IoT demonstrate that the proposed algorithm achieves significant improvements in performance. Specifically, it enhances precision by 1.5–5.7%, recall by 1.5−5.7%, and F-Measure by 1.4−4.3% compared to the state-of-the-art algorithms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Chao Wang,Yunxiao Sun,Sicai Lv,Chonghua Wang,Hongri Liu,Bailing Wang

DOI: https://doi.org/10.3390/electronics12040930

IF: 2.9

2023-02-13

Electronics

Abstract:Intrusion detection systems (IDSs) play a significant role in the field of network security, dealing with the ever-increasing number of network threats. Machine learning-based IDSs have attracted a lot of interest owing to their powerful data-driven learning capabilities. However, it is challenging to train the supervised learning algorithms when there are no attack data at hand. Semi-supervised anomaly detection algorithms, which train the model with only normal data, are more suitable. In this study, we propose a novel semi-supervised anomaly detection-based IDS that leverages the capabilities of representation learning and two anomaly detectors. In detail, the autoencoder (AE) is applied to extract representative features of normal data in the first step, and then two semi-supervised detectors, the one-class support vector machine (OCSVM) and Gaussian mixture model (GMM), are trained on the derived features. The two detectors collaborate to detect anomalous samples. The OCSVM predicts the abnormal samples initially, and after that, the GMM is applied to recheck the misclassified samples further. The experiments demonstrate that the AE improves the detection rate, and two detectors are more promising than a single one.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yuan Zhang,Qinghai Yang,Sangarapillai Lambotharan,Konstantinos Kyriakopoulos,Ibrahim Ghafir,Basil AsSadhan

DOI: https://doi.org/10.1109/wcsp.2019.8927907

2019-01-01

Abstract:With the rapid development of new technologies and applications of Internet, much attention has been paid to the detection of anomalies in cyberspace traffic. A series of intrusion detection techniques based on machine learning have been developed. Support vector machine (SVM), as an essential approach, has been paid close attention in this filed. Nevertheless, the existing SVM-based techniques with the training features can not efficiently detect short duration intrusions and attacks in the traffic. To tackle this issue, we propose an anomaly-based SVM detection scheme by extracting and optimizing the training features. It trains the SVM with Kullback-Leibler (KL) divergence and cross-correlation calculated by the control and data planes traffic. Following this way, the novel training method can effectively enhance the detection accuracy. And the performance of the presented scheme is validated and evaluated based on a recent realistic Internet traffic dataset. Finally, relevant results indicate that the developed method establishes the relationship between Transmission Control Protocol (TCP) traffic and intrusions. It can efficiently detect short duration intrusions and attacks in the network traffic.

Xiaoyu Wang,Yongwang Zhou,Dongbiao Li,Chi Zhang

DOI: https://doi.org/10.1109/iccc62479.2024.10681973

2024-01-01

Abstract:Anomaly detection in dynamic and temporal graphs is frequently accomplished using unsupervised learning. This involves clustering to group similar data instances and identify outliers. Nonetheless, the accuracy of unsupervised learning algorithms is limited when anomalous data instances exhibit similar features. Existing graph theory-based methods can only detect significant anomalies that affect the entire network structure but fail to detect subtle anomalies such as small-scale DDoS attacks within node groups. Conversely, monitoring the behavior of every node in a real-time network can be expensive. In this paper, we propose a real-time anomaly detection method that leverages community detection and graph spectral theory. Specifically, each graph is partitioned into groups of densely connected nodes, which serve as detection objects to identify subtle anomalies. To address the challenge of detecting anomalies with similar features, we measured changes in communities between adjacent time steps, allowing us to identify outlier time points. Finally, to strike a balance between accuracy and cost, we utilize a novel graph spectral theory method as a graph distance function. Experimental evaluations demonstrate the efficacy of our approach in detecting subtle anomalies.

Wanjun LIU,Jitao QIN,Haicheng QU

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017102502

2018-01-01

Abstract:Since the intrusion detection method based on One-Class Support Vector Machine (OCSVM) can not detect internal abnormal points and outliers,which leads to the deviation of decision function from training samples.A new OCSVM anomaly detection function combining DBSCAN (Density-Based Spatial Clustering of Applications with Noise) and K-means was proposed.Firstly,the outliers in the training data were removed by DBSCAN algorithm to eliminate the influence of outliers.Then,K-means clustering method was used to classify normal data clusters,so that the internal abnormal points could be selected.Finally,a one-class classifier for each data cluster was created to detect exception data by OCSVM algorithm.The experimental results on industrial control networks show that the combined classifier can detect the intrusion attacks of the industrial control network by using normal data,and it can improve the detection effect of OCSVM algorithm.In intrusion detection experiment of gas pipeline,the overall detection rate of the proposed method is 91.81％,while the overall detection rate of OCSVM algorithm is 80.77％.

David Savage,Xiuzhen Zhang,Xinghuo Yu,Pauline Chou,Qingmai Wang

DOI: https://doi.org/10.48550/arXiv.1608.00301

2016-08-01

Abstract:Anomalies in online social networks can signify irregular, and often illegal behaviour. Anomalies in online social networks can signify irregular, and often illegal behaviour. Detection of such anomalies has been used to identify malicious individuals, including spammers, sexual predators, and online fraudsters. In this paper we survey existing computational techniques for detecting anomalies in online social networks. We characterise anomalies as being either static or dynamic, and as being labelled or unlabelled, and survey methods for detecting these different types of anomalies. We suggest that the detection of anomalies in online social networks is composed of two sub-processes; the selection and calculation of network features, and the classification of observations from this feature space. In addition, this paper provides an overview of the types of problems that anomaly detection can address and identifies key areas of future research.

Social and Information Networks,Physics and Society