Fei Tony Liu,Kai Ming Ting,Zhi-Hua Zhou

DOI: https://doi.org/10.1145/2133360.2133363

2012-01-01

Abstract:Anomalies are data points that are few and different. As a result of these properties, we show that, anomalies are susceptible to a mechanism called isolation. This article proposes a method called Isolation Forest (iForest), which detects anomalies purely based on the concept of isolation without employing any distance or density measure---fundamentally different from all existing methods. As a result, iForest is able to exploit subsampling (i) to achieve a low linear time-complexity and a small memory-requirement and (ii) to deal with the effects of swamping and masking effectively. Our empirical evaluation shows that iForest outperforms ORCA, one-class SVM, LOF and Random Forests in terms of AUC, processing time, and it is robust against masking and swamping effects. iForest also works well in high dimensional problems containing a large number of irrelevant attributes, and when anomalies are not available in training sample.

Jingtao Li,Qian Zhu,Xinyu Wang,Hengwei Zhao,Yanfei Zhong

2024-01-01

Abstract:Various Earth anomalies have destroyed the stable, balanced state, resulting in fatalities and serious destruction of property. With the advantages of large-scale and precise observation, high-resolution remote sensing images have been widely used for anomaly monitoring and localization. Powered by the deep representation, the existing methods have achieved remarkable advances, primarily in classification and change detection techniques. However, labeled samples are difficult to acquire due to the low probability of anomaly occurrence, and the trained models are limited to fixed anomaly categories, which hinders the application for anomalies with few samples or unknown anomalies. In this paper, to tackle this problem, we propose the anomaly change detection (AnomalyCD) technique, which accepts time-series observations and learns to identify anomalous changes by learning from the historical normal change pattern. Compared to the existing techniques, AnomalyCD processes an unfixed number of time steps and can localize the various anomalies in a unified manner, without human supervision. To benchmark AnomalyCD, we constructed a high-resolution dataset with time-series images dedicated to various Earth anomalies (the AnomalyCDD dataset). AnomalyCDD contains high-resolution (from 0.15 to 2.39 m/pixel), time-series (from 3 to 7 time steps), and large-scale images (1927.93 km2 in total) collected globally Furthermore, we developed a zero-shot baseline model (AnomalyCDM), which implements the AnomalyCD technique by extracting a general representation from the segment anything model (SAM) and conducting temporal comparison to distinguish the anomalous changes from normal changes. AnomalyCDM is designed as a two-stage workflow to enhance the efficiency, and has the ability to process the unseen images directly, without retraining for each scene.

Sunil Aryal,Kai Ming Ting,Jonathan R. Wells,Takashi Washio

DOI: https://doi.org/10.1007/978-3-319-06605-9_42

2014-01-01

Abstract:iForest uses a collection of isolation trees to detect anomalies. While it is effective in detecting global anomalies, it fails to detect local anomalies in data sets having multiple clusters of normal instances because the local anomalies are masked by normal clusters of similar density and they become less susceptible to isolation. In this paper, we propose a very simple but effective solution to overcome this limitation by replacing the global ranking measure based on path length with a local ranking measure based on relative mass that takes local data distribution into consideration. We demonstrate the utility of relative mass by improving the task specific performance of iForest in anomaly detection and information retrieval tasks.

Haolong Xiang,Jiayu Wang,Kotagiri Ramamohanarao,Zoran Salcic,Wanchun Dou,Xuyun Zhang

DOI: https://doi.org/10.1109/MIS.2021.3057914

IF: 6.744

2021-01-01

IEEE Intelligent Systems

Abstract:Anomaly detection is a significant but challenging data mining task in a wide range of applications. Different domains usually use different ways to measure the characteristics of data and to define the anomaly types. As a result, it is a big challenge to develop a versatile anomaly detection framework that can be universally applied with satisfactory performance in most, if not all, applications. In this article, we propose a generic isolation forest based ensemble framework named EDBHiForest, which can be universally applied to data spaces with arbitrary distance measures. It is realized through embedding the isolation forest structure with extended distance-based hashing (EDBH), which can significantly enhance the versatility and applicability of isolation forest based anomaly detection. This framework overcomes the limitations of existing isolation forest based methods that can only be applied to datasets with a very limited range of distance measure types. Extensive experiments on various non-independent and identically distributed datasets demonstrate the effectiveness and efficiency of our approach.

Fei Tony Liu,Kai Ming Ting,Zhi-Hua Zhou

DOI: https://doi.org/10.1007/978-3-642-15883-4_18

2010-01-01

Abstract:Detecting local clustered anomalies is an intricate problem for many existing anomaly detection methods. Distance-based and density-based methods are inherently restricted by their basic assumptions-anomalies are either far from normal points or being sparse. Clustered anomalies are able to avoid detection since they defy these assumptions by being dense and, in many cases, in close proximity to normal instances. In this paper, without using any density or distance measure, we propose a new method called SCiForest to detect clustered anomalies. SCiForest separates clustered anomalies from normal points effectively even when clustered anomalies are very close to normal points. It maintains the ability of existing methods to detect scattered anomalies, and it has superior time and space complexities against existing distance-based and density-based methods.

Tharindu R. Bandaragoda,Kai Ming Ting,David Albrecht,Fei Tony Liu,Jonathan R. Wells

DOI: https://doi.org/10.1109/icdmw.2014.70

2014-01-01

Abstract:This paper presents iNNE (isolation using Nearest Neighbour Ensemble), an efficient nearest neighbour-based anomaly detection method by isolation. iNNE runs significantly faster than existing nearest neighbour-based methods such as Local Outlier Factor, especially in data sets having thousands of dimensions or millions of instances. This is because the proposed method has linear time complexity and constant space complexity. Compared with the existing tree-based isolation method iForest, the proposed isolation method overcomes three weaknesses of iForest that we have identified, i.e., its inability to detect local anomalies, anomalies with a low number of relevant attributes, and anomalies that are surrounded by normal instances.

Tharindu R. Bandaragoda,Kai Ming Ting,David Albrecht,Fei Tony Liu,Ye Zhu,Jonathan R. Wells

DOI: https://doi.org/10.1111/coin.12156

2018-01-01

Computational Intelligence

Abstract:The first successful isolation-based anomaly detector, ie, iForest, uses trees as a means to perform isolation. Although it has been shown to have advantages over existing anomaly detectors, we have identified 4 weaknesses, ie, its inability to detect local anomalies, anomalies with a high percentage of irrelevant attributes, anomalies that are masked by axis-parallel clusters, and anomalies in multimodal data sets. To overcome these weaknesses, this paper shows that an alternative isolation mechanism is required and thus presents iNNE or isolation using Nearest Neighbor Ensemble. Although relying on nearest neighbors, iNNE runs significantly faster than the existing nearest neighbor-based methods such as the local outlier factor, especially in data sets having thousands of dimensions or millions of instances. This is because the proposed method has linear time complexity and constant space complexity.

SUN Fei,LI Xiao-run,ZHAO Liao-ying,YU Shao-qi

DOI: https://doi.org/10.3785/j.issn.1008-973X.2022.07.002

2022-01-01

Abstract:A hyperspectral anomaly detection algorithm based on fractional Fourier transform (FrFT) and total variation regularization constraint was proposed aiming at the challenge of insufficient utilization of spatial information and contamination of background dictionary in low-rank and sparse representation based hyperspectral anomaly detection algorithms. The high-dimensional image data was mapped to multiple subspaces through the clustering algorithm. A pure background dictionary was obtained by constructing the FrFT-RX operator in order to enhance the discrimination between anomalies and background. A total variation regularization constraint was introduced into the low-rank and sparse representation model in order to describe the spatial features of background and anomalies in the intermediate domain after FrFT transformation. The optimal solution of the model was obtained by using the alternating direction method of multipliers. The anomaly detection results were obtained. The experimental results on three real hyperspectral datasets demonstrate that the proposed algorithm has a higher detection rate and a lower false alarm rate compared with the other five anomaly detection algorithms.

Chunkai Zhang,Ao Yin

DOI: https://doi.org/10.4018/IJWSR.2019070103

2019-07-01

International Journal of Web Services Research

Abstract:In this article, the authors propose a novel anomaly detection algorithm based on subspace local density estimation. The key insight of the proposed algorithm is to build multiple trident trees, which can implement the process of building subspace and local density estimation. Each trident tree (T-tree) is constructed recursively by splitting the data outside of 3 sigma into the left or right subtree and splitting the remaining data into the middle subtree. Each node in trident tree records the number of instances that falls on this node, so each trident tree can be used as a local density estimator. The density of each instance is the average of all trident tree evaluation instance densities, and it can be used as the anomaly score of instances. Since each trident tree is constructed according to 3 sigma principle, it can obtain good anomaly detection results without a large tree height. Theoretical analysis and experimental results show that the proposed algorithm is effective and efficient.

Computer Science

Haolong Xiang,Xuyun Zhang,Hongsheng Hu,Lianyong Qi,Wanchun Dou,Mark Dras,Amin Beheshti,Xiaolong Xu

2023-06-23

Abstract:Anomaly detection plays an increasingly important role in various fields for critical tasks such as intrusion detection in cybersecurity, financial risk detection, and human health monitoring. A variety of anomaly detection methods have been proposed, and a category based on the isolation forest mechanism stands out due to its simplicity, effectiveness, and efficiency, e.g., iForest is often employed as a state-of-the-art detector for real deployment. While the majority of isolation forests use the binary structure, a framework LSHiForest has demonstrated that the multi-fork isolation tree structure can lead to better detection performance. However, there is no theoretical work answering the fundamentally and practically important question on the optimal tree structure for an isolation forest with respect to the branching factor. In this paper, we establish a theory on isolation efficiency to answer the question and determine the optimal branching factor for an isolation tree. Based on the theoretical underpinning, we design a practical optimal isolation forest OptIForest incorporating clustering based learning to hash which enables more information to be learned from data for better isolation quality. The rationale of our approach relies on a better bias-variance trade-off achieved by bias reduction in OptIForest. Extensive experiments on a series of benchmarking datasets for comparative and ablation studies demonstrate that our approach can efficiently and robustly achieve better detection performance in general than the state-of-the-arts including the deep learning based methods.

Machine Learning,Artificial Intelligence

Gerard Shu Fuhnwi,Janet O. Agbaje,Kayode Oshinubi,Olumuyiwa James Peter

DOI: https://doi.org/10.46481/jnsps.2023.1364

2023-04-19

Journal of the Nigerian Society of Physical Sciences

Abstract:In data mining, and statistics, anomaly detection is the process of finding data patterns (outcomes, values, or observations) that deviate from the rest of the other observations or outcomes. Anomaly detection is heavily used in solving real-world problems in many application domains, like medicine, finance , cybersecurity, banking, networking, transportation, and military surveillance for enemy activities, but not limited to only these fields. In this paper, we present an empirical study on unsupervised anomaly detection techniques such as Density-Based Spatial Clustering of Applications with Noise (DBSCAN), (DBSCAN++) (with uniform initialization, k-center initialization, uniform with approximate neighbor initialization, and $k$-center with approximate neighbor initialization), and $k$-means$--$ algorithms on six benchmark imbalanced data sets. Findings from our in-depth empirical study show that k-means-- is more robust than DBSCAN, and DBSCAN++, in terms of the different evaluation measures (F1-score, False alarm rate, Adjusted rand index, and Jaccard coefficient), and running time. We also observe that DBSCAN performs very well on data sets with fewer number of data points. Moreover, the results indicate that the choice of clustering algorithm can significantly impact the performance of anomaly detection and that the performance of different algorithms varies depending on the characteristics of the data. Overall, this study provides insights into the strengths and limitations of different clustering algorithms for anomaly detection and can help guide the selection of appropriate algorithms for specific applications.

Xuyun Zhang,Wanchun Dou,Qiang He,Rui Zhou,Christopher Leckie,Ramamohanarao Kotagiri,Zoran Salcic

DOI: https://doi.org/10.1109/icde.2017.145

2017-01-01

Abstract:Anomaly or outlier detection is a major challenge in big data analytics because anomaly patterns provide valuable insights for decision-making in a wide range of applications. Recently proposed anomaly detection methods based on the tree isolation mechanism are very fast due to their logarithmic time complexity, making them capable of handling big data sets efficiently. However, the underlying similarity or distance measures in these methods have not been well understood. Contrary to the claims that these methods never rely on any distance measure, we find that they have close relationships with certain distance measures. This implies that the current use of this fast isolation mechanism is only limited to these distance measures and fails to generalise to other commonly-used measures. In this paper, we propose a generic framework named LSHiForest for fast tree isolation based ensemble anomaly analysis with the use of a Locality-Sensitive Hashing (LSH) forest. Being generic, the proposed framework can be instantiated with a diverse range of LSH families, and the fast isolation mechanism can be extended to any distance measures, data types and data spaces where an LSH family is defined. In particular, the instances of our framework with kernelised LSH families or learning based hashing schemes can detect complicated anomalies like local or surrounded anomalies. We also formally show that the existing tree isolation based detection methods are special cases of our framework with the corresponding distance measures. Extensive experiments on both synthetic and real-world benchmark data sets show that the framework can achieve both high time efficiency and anomaly detection quality.

Ya-Lin Zhang,Longfei Li,Jun Zhou,Xiaolong Li,Zhi-Hua Zhou

DOI: https://doi.org/10.1145/3184558.3186580

2018-01-01

Abstract:In this paper, we consider the problem of anomaly detection. Previous studies mostly deal with this task in either supervised or unsupervised manner according to whether label information is available. However, there always exists settings which are different from the two standard manners. In this paper, we address the scenario when anomalies are partially observed, i.e., we are given a large amount of unlabeled instances as well as a handful labeled anomalies. We refer to this problem as anomaly detection with partially observed anomalies, and proposed a two-stage method ADOA to solve it. Firstly, by addressing the difference between the anomalies, the observed anomalies are clustered, while the unlabeled instances are filtered to get potential anomalies and reliable normal instances. Then, with the above instances, a weight is attached to each instance according to the confidence of its label, and a weighted multi-class model is built, which will be further used to distinguish different anomalies to the normal instances. Experimental results show that in the aforementioned setting, existing methods behave unsatisfactorily and the proposed method performs significantly better than all these methods, which validates the effectiveness of the proposed approach.

Yang Cao,Haolong Xiang,Hang Zhang,Ye Zhu,Kai Ming Ting

2024-03-16

Abstract:Anomaly detection is a longstanding and active research area that has many applications in domains such as finance, security, and manufacturing. However, the efficiency and performance of anomaly detection algorithms are challenged by the large-scale, high-dimensional, and heterogeneous data that are prevalent in the era of big data. Isolation-based unsupervised anomaly detection is a novel and effective approach for identifying anomalies in data. It relies on the idea that anomalies are few and different from normal instances, and thus can be easily isolated by random partitioning. Isolation-based methods have several advantages over existing methods, such as low computational complexity, low memory usage, high scalability, robustness to noise and irrelevant features, and no need for prior knowledge or heavy parameter tuning. In this survey, we review the state-of-the-art isolation-based anomaly detection methods, including their data partitioning strategies, anomaly score functions, and algorithmic details. We also discuss some extensions and applications of isolation-based methods in different scenarios, such as detecting anomalies in streaming data, time series, trajectory, and image datasets. Finally, we identify some open challenges and future directions for isolation-based anomaly detection research.

Machine Learning

Chun-Hui Xiao,Chen Su,Cong-Xiao Bao,Xing Li

DOI: https://doi.org/10.1109/ICNISC.2018.00019

2018-01-01

Abstract:As an important part in network management system, rapid and accurate anomaly detection is one of the preconditions to guarantee the effective work of the network. In general, the network management system will monitor the data of multiple indicators, and the manifestations of network anomalies are complex in the data. Most existing anomaly detection approaches have encountered some trouble in network anomaly detection because of the periodicity of time series data or high time complexity and memory cost working on high-dimensional data. Aiming at the deficiency of present methods of network anomaly detection, we propose an adapted method based on iForest algorithm. We construct some feature extractors through statistical methods to highlight different abnormal behaviors in different indicator and then use the extracted feature data for the construction and prediction of iForest. Combining specific feature extractors, we can eliminate the effects of periodicity, or specify the detection of peaks or troughs to adapt to different indicators. By means of iForest algorithm which has linear time complexity and low memory requirement, our method makes a rapid detection with large dataset and works well in high dimensional network management data.

Sijin Yeom,Jae-Hun Jung

2024-01-09

Abstract:Random cut forest (RCF) algorithms have been developed for anomaly detection, particularly in time series data. The RCF algorithm is an improved version of the isolation forest (IF) algorithm. Unlike the IF algorithm, the RCF algorithm can determine whether real-time input contains an anomaly by inserting the input into the constructed tree network. Various RCF algorithms, including Robust RCF (RRCF), have been developed, where the cutting procedure is adaptively chosen probabilistically. The RRCF algorithm demonstrates better performance than the IF algorithm, as dimension cuts are decided based on the geometric range of the data, whereas the IF algorithm randomly chooses dimension cuts. However, the overall data structure is not considered in both IF and RRCF, given that split values are chosen randomly. In this paper, we propose new IF and RCF algorithms, referred to as the weighted IF (WIF) and weighted RCF (WRCF) algorithms, respectively. Their split values are determined by considering the density of the given data. To introduce the WIF and WRCF, we first present a new geometric measure, a density measure, which is crucial for constructing the WIF and WRCF. We provide various mathematical properties of the density measure, accompanied by theorems that support and validate our claims through numerical examples.

Machine Learning

Xiangyu Song,Sunil Aryal,Kai Ming Ting,Zhen Liu,Bin He

DOI: https://doi.org/10.1109/tgrs.2021.3104998

IF: 8.2

2021-01-01

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Anomaly detection in hyperspectral image is affected by redundant bands and the limited utilization capacity of spectral-spatial information. In this article, we propose a novel Improved Isolation Forest (IIF) algorithm based on the assumption that anomaly pixels are more susceptible to isolation than the background pixels. The proposed IIF is a modified version of the Isolation Forest (iForest) algorithm, which addresses the poor performance of iForest in detecting local anomalies and anomaly detection in high-dimensional data. Further, we propose a spectral-spatial anomaly detector based on IIF (SSIIFD) to make full use of global and local information, as well as spectral and spatial information. To be specific, first, we apply the Gabor filter to extract spatial features, which are then employed as input to the Relative Mass Isolation Forest (ReMass-iForest) detector to obtain the spatial anomaly score. Next, original images are divided into several homogeneous regions via the Entropy Rate Segmentation (ERS) algorithm, and the preprocessed images are then employed as input to the proposed IIF detector to obtain the spectral anomaly score. Finally, we fuse the spatial and spectral anomaly scores by combining them linearly to predict anomaly pixels. The experimental results on four real hyperspectral data sets demonstrate that the proposed detector outperforms other state-of-the-art methods.

Haolong Xiang,Xuyun Zhang,Mark Dras,Amin Beheshti,Wanchun Dou,Xiaolong Xu

DOI: https://doi.org/10.1109/icdm58522.2023.00077

2023-01-01

Abstract:Anomaly detection is one of the crucial research topics in artificial intelligence, encompassing various fields such as health monitoring, network intrusion detection, and fraud detection in financial transactions. Deep anomaly detection (DAD) methods are considered as the effective approaches for addressing complex anomaly detection problems. Among them, the deep isolation forest methods have gained rapid development recently due to their simplicity in parameter turning and efficiency in model training. The existing deep isolation forest approaches are all based on representation learning, while OptiForest theoretically proves the crucial role of the tree structure in isolation forest based methods. In this paper, we analyse the search space of isolation trees under specific data instances and address the challenges in finding optimal isolation forest. Based on the theoretical underpinning and genetic algorithm, we design a deep model DOIForest with two mutation schemes and solution selection, which learns the optimal isolation forest and optimises the parameters in data partitioning. Extensive experiments on both synthetic dataset and a series of real-world datasets demonstrate that our approach can achieve better detection accuracy and robustness than the state-of-the-arts.

Lev V. Utkin,Andrey Y. Ageev,Andrei V. Konstantinov

DOI: https://doi.org/10.48550/arXiv.2210.02558

2022-10-06

Abstract:A new modification of Isolation Forest called Attention-Based Isolation Forest (ABIForest) for solving the anomaly detection problem is proposed. It incorporates the attention mechanism in the form of the Nadaraya-Watson regression into the Isolation Forest for improving solution of the anomaly detection problem. The main idea underlying the modification is to assign attention weights to each path of trees with learnable parameters depending on instances and trees themselves. The Huber's contamination model is proposed to be used for defining the attention weights and their parameters. As a result, the attention weights are linearly depend on the learnable attention parameters which are trained by solving the standard linear or quadratic optimization problem. ABIForest can be viewed as the first modification of Isolation Forest, which incorporates the attention mechanism in a simple way without applying gradient-based algorithms. Numerical experiments with synthetic and real datasets illustrate outperforming results of ABIForest. The code of proposed algorithms is available.

Machine Learning

Zhong Yuan,Baiyang Chen,Jia Liu,Hongmei Chen,Dezhong Peng,Peilin Li

DOI: https://doi.org/10.1016/j.asoc.2023.109995

2023-01-01

Abstract:The density-based method is a more widely used anomaly detection. However, most of the existing density-based methods mainly focus on dealing with certainty data and do not consider the problem of uncertainty and fuzziness of the data. Fuzzy rough set theory, as an important mathematical model of granular computing, provides an effective method for information processing of uncertain data. For this reason, this paper proposes an anomaly detection based on fuzzy-rough density. First, the fuzzy-rough density is defined to describe the degree of aggregation of objects. Then, fuzzy entropy is introduced to compute the weights of each attribute. Further, an anomaly score is constructed to characterize the anomaly degree of the samples, which takes into account both the density and fuzziness of the samples. Finally, extensive experiments are conducted on publicly available data with nine popular detection methods. The experimental results show that the proposed method achieves better performance on three types of datasets.(c) 2023 Elsevier B.V. All rights reserved.