Li Cheng,Yijie Wang,Xinwang Liu,Bin Li

DOI: https://doi.org/10.1609/aaai.v34i04.5755

2020-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Feature selection places an important role in improving the performance of outlier detection, especially for noisy data. Existing methods usually perform feature selection and outlier scoring separately, which would select feature subsets that may not optimally serve for outlier detection, leading to unsatisfying performance. In this paper, we propose an outlier detection ensemble framework with embedded feature selection (ODEFS), to address this issue. Specifically, for each random sub-sampling based learning component, ODEFS unifies feature selection and outlier detection into a pairwise ranking formulation to learn feature subsets that are tailored for the outlier detection method. Moreover, we adopt the thresholded self-paced learning to simultaneously optimize feature selection and example selection, which is helpful to improve the reliability of the training set. After that, we design an alternate algorithm with proved convergence to solve the resultant optimization problem. In addition, we analyze the generalization error bound of the proposed framework, which provides theoretical guarantee on the method and insightful practical guidance. Comprehensive experimental results on 12 real-world datasets from diverse domains validate the superiority of the proposed ODEFS.

Gang Chen,Yuanli Cai,Juan Shi

DOI: https://doi.org/10.1109/nlpke.2011.6138226

2011-01-01

Abstract:Feature selection is becoming more and more important for natural language processing as well as knowledge engineering. In this paper, we induce a simple principle that if an attribute subset has more representativeness, then it should be more self-organized, as a result it should be more insensitive to artificially seeded noise points. Based on that, our novel methodology transforms feature selection problems into outlier detection problems. Because of the characteristics of outlier detection problems, our framework can achieve high tolerance of noises, sub-samplings, and even classification errors in training data sets, which are extraordinary features of our method. Moreover, to evaluate the performance of our method comprehensively, we compare our method with several state-of-the-art methods on a number of real-life data sets, and give all the experiment results, which show that our method can accomplish feature reduction tasks with really high accuracy as well as remarkably low computing complexity.

Zhixia Zhang,Liping Xie

DOI: https://doi.org/10.1002/cpe.5861

2020-01-01

Abstract:At present, irrelevant or redundant features in network traffic data occupy a lot of storage and computing resources, reducing the accuracy of network anomaly detection. Aiming at this problem, a many-objective feature selection model is proposed in this article. The model takes the number of selected feature, false alarm rate, detection rate, precision and accuracy as the optimization objectives, and characterizes the performance of the feature selection method from different perspectives. At the same time, a many-objective integration optimization algorithm (IN-MaOEA) is designed to solve this model. First, the algorithm will build the evolution strategy pool and the dominance strategy pool, then a random probability strategy selection mechanism is designed to improve the algorithm's convergence and diversity. At the same time, an anomaly detection simulation was performed using the NSL-KDD dataset. Experimental results show that the IN-MaOEA algorithm can effectively improve the performance of detection.

Siqi Wang,Yijie Zeng,Xinwang Liu,En Zhu,Jianping Yin,Chuanfu Xu,Marius Kloft

2019-01-01

Abstract:Despite the wide success of deep neural networks (DNN), little progress has been made on end-to-end unsupervised outlier detection (UOD) from high dimensional data like raw images. In this paper, we propose a framework named E^3Outlier, which can perform UOD in a both effective and end-to-end manner: First, instead of the commonly-used autoencoders in previous end-to-end UOD methods, E^3Outlier for the first time leverages a discriminative DNN for better representation learning, by using surrogate supervision to create multiple pseudo classes from original unlabelled data. Next, unlike classic UOD that utilizes data characteristics like density or proximity, we exploit a novel property named inlier priority to enable end-to-end UOD by discriminative DNN. We demonstrate theoretically and empirically that the intrinsic class imbalance of inliers/outliers will make the network prioritize minimizing inliers' loss when inliers/outliers are indiscriminately fed into the network for training, which enables us to differentiate outliers directly from DNN's outputs. Finally, based on inlier priority, we propose the negative entropy based score as a simple and effective outlierness measure. Extensive evaluations show that E^3Outlier significantly advances UOD performance by up to 30% AUROC against state-of-the-art counterparts, especially on relatively difficult benchmarks.

Jiewen Mao,Yongquan Hu,Dong Jiang,Tongquan Wei,Fuke Shen

DOI: https://doi.org/10.1109/access.2020.3004699

IF: 3.9

2020-01-01

IEEE Access

Abstract:Network traffic flows contain a large number of correlated and redundant features that significantly degrade the performance of data-driven network anomaly detection. In this paper, we propose a novel clustering and ranking-based feature selection scheme, termed as CBFS, to reduce redundant features in network traffic, which can greatly improve the efficiency and accuracy of feature-based network anomaly detection. Our proposed CBFS scheme first calculates the distance between feature vectors, merges these feature vectors into different clusters, and selects the center of each cluster as a representative feature vector. The proposed CBFS scheme then integrates the information gain and gain rate of features to further streamline the number of features on the basis of clustering generation. Finally, the proposed CBFS scheme applies the decision-tree-based classifier to the generated subset of features so that the abnormal traffic flows are detected. The experimental results show that our proposed CBFS scheme is effective in reducing feature dimensions across different datasets. The proposed CBFS scheme can achieve feature reduction rates of 20% to 70%, and cost-performance of up to 70% as compared to benchmarking methods.

Wanwei Huang,Haobin Tian,Sunan Wang,Chaoqin Zhang,Xiaohui Zhang

DOI: https://doi.org/10.7717/peerj-cs.2176

2024-07-16

Abstract:In the context of the 5G network, the proliferation of access devices results in heightened network traffic and shifts in traffic patterns, and network intrusion detection faces greater challenges. A feature selection algorithm is proposed for network intrusion detection systems that uses an improved binary pigeon-inspired optimizer (SABPIO) algorithm to tackle the challenges posed by the high dimensionality and complexity of network traffic, resulting in complex models, reduced accuracy, and longer detection times. First, the raw dataset is pre-processed by uniquely one-hot encoded and standardized. Next, feature selection is performed using SABPIO, which employs simulated annealing and the population decay factor to identify the most relevant subset of features for subsequent review and evaluation. Finally, the selected subset of features is fed into decision trees and random forest classifiers to evaluate the effectiveness of SABPIO. The proposed algorithm has been validated through experimentation on three publicly available datasets: UNSW-NB15, NLS-KDD, and CIC-IDS-2017. The experimental findings demonstrate that SABPIO identifies the most indicative subset of features through rational computation. This method significantly abbreviates the system's training duration, enhances detection rates, and compared to the use of all features, minimally reduces the training and testing times by factors of 3.2 and 0.3, respectively. Furthermore, it enhances the F1-score of the feature subset selected by CPIO and Boost algorithms when compared to CPIO and XGBoost, resulting in improvements ranging from 1.21% to 2.19%, and 1.79% to 4.52%.

Makiya Nakashima,Alex Sim,Youngsoo Kim,Jonghyun Kim,Jinoh Kim

DOI: https://doi.org/10.1145/3446636

2021-06-21

ACM Transactions on Management Information Systems

Abstract:Variable selection (also known as feature selection ) is essential to optimize the learning complexity by prioritizing features, particularly for a massive, high-dimensional dataset like network traffic data. In reality, however, it is not an easy task to effectively perform the feature selection despite the availability of the existing selection techniques. From our initial experiments, we observed that the existing selection techniques produce different sets of features even under the same condition (e.g., a static size for the resulted set). In addition, individual selection techniques perform inconsistently, sometimes showing better performance but sometimes worse than others, thereby simply relying on one of them would be risky for building models using the selected features. More critically, it is demanding to automate the selection process, since it requires laborious efforts with intensive analysis by a group of experts otherwise. In this article, we explore challenges in the automated feature selection with the application of network anomaly detection. We first present our ensemble approach that benefits from the existing feature selection techniques by incorporating them, and one of the proposed ensemble techniques based on greedy search works highly consistently showing comparable results to the existing techniques. We also address the problem of when to stop to finalize the feature elimination process and present a set of methods designed to determine the number of features for the reduced feature set. Our experimental results conducted with two recent network datasets show that the identified feature sets by the presented ensemble and stopping methods consistently yield comparable performance with a smaller number of features to conventional selection techniques.

Yu Su,Kaiyue Qi,Chong Di,Yinghua Ma,Shenghong Li

DOI: https://doi.org/10.1109/dsc.2018.00099

2018-01-01

Abstract:Considering the sharp increasing flow of network traffic, it is extremely emergency to detect malicious and anomalous network traffic to protect network security. Network Intrusion Detection Systems (NIDS) can be used to detect normal and anomalous behavior by analyzing network traffic. However, network traffic data consist of large quantities of features, increasing the difficulty of detection. These features contain many redundant features, which can affect the effectiveness of detection. In this paper, a method of learning automata is proposed to select the optimal and significant features for network traffic intrusion detection. Multiple LAs collaboratively remove redundant features and fully consider the redundancy of single feature and multiple combined features. The experiments on KDD99 show that the proposed feature selection scheme can effectively reduce feature dimension and select the optimal feature subset. It can also achieves higher detection accuracy compared with other feature selection methods.

Xuecheng Yu,Yan Huang,Yu Zhang,Mingyang Song,Zhenhong Jia

DOI: https://doi.org/10.32604/cmc.2023.044999

2024-01-01

Abstract:With the increasing dimensionality of network traffic, extracting effective traffic features and improving the identification accuracy of different intrusion traffic have become critical in intrusion detection systems (IDS). However, both unsupervised and semisupervised anomalous traffic detection methods suffer from the drawback of ignoring potential correlations between features, resulting in an analysis that is not an optimal set. Therefore, in order to extract more representative traffic features as well as to improve the accuracy of traffic identification, this paper proposes a feature dimensionality reduction method combining principal component analysis and Hotelling’s T2 and a multilayer convolutional bidirectional long short-term memory (MSC_BiLSTM) classifier model for network traffic intrusion detection. This method reduces the parameters and redundancy of the model by feature extraction and extracts the dependent features between the data by a bidirectional long short-term memory (BiLSTM) network, which fully considers the influence between the before and after features. The network traffic is first characteristically downscaled by principal component analysis (PCA), and then the downscaled principal components are used as input to Hotelling’s T2 to compare the differences between groups. For datasets with outliers, Hotelling’s T2 can help identify the groups where the outliers are located and quantitatively measure the extent of the outliers. Finally, a multilayer convolutional neural network and a BiLSTM network are used to extract the spatial and temporal features of network traffic data. The empirical consequences exhibit that the suggested approach in this manuscript attains superior outcomes in precision, recall and F1-score juxtaposed with the prevailing techniques. The results show that the intrusion detection accuracy, precision, and F1-score of the proposed MSC_BiLSTM model for the CIC-IDS 2017 dataset are 98.71%, 95.97%, and 90.22%.

computer science, information systems,materials science, multidisciplinary

Kurnia Setiawan,Arief Wibowo

DOI: https://doi.org/10.33387/jiko.v6i2.6092

2023-08-06

JIKO (Jurnal Informatika dan Komputer)

Abstract:The large number of data packet records of network traffic can be used to evaluate the quality of a network as well as to analyze the occurrence of anomalies in the network, both related to network security and network performance. Based on the data obtained, the occurrence of anomalies in computer networks can not be detected specifically on which traffic packets. Meanwhile, to monitor network traffic packets manually will require a lot of time and resources, making it difficult to detect potential anomaly events more specifically. This study analyzes network packet traffic data to see records that include anomalies with an outlier detection approach, using the Isolation Forest algorithm to detect outliers on network traffic packet data, with the result that minority data are of the outliers type of 1,643 records (4.86%), while inliers are 32,098 records (95.13%). Then check and filter the expert attributes that contain expert information. The outlier detection results were classified using 5 algorithms as comparison, namely Random Forest Classifier, Support Vector Machine, Decision Tree Classifier, K-Nearest Neighbor, and Bernoulli Naive Bayes. The Random Forest algorithm has the highest score for accuracy, macro average precision, and macro average f1-score, namely 0.9962067330488383; 0.78; and 0.82. The classification model can be used to classify samples with labels "inliers", "outliers", "Error", and "warning outliers". There are labels that have scores for precision, recall, and f1-scrore that are not too high, namely the labels “error” (0.50; 1.00; and 0.67) and “warning outlier” (0.64; 0 .70; 0.67). The resulting classification model is used for prototype development that facilitates the process of investigating potential network traffic packet anomalies more specifically.

Zhong-Yang Xiong,Hua Long,Yu-Fang Zhang,Xiao-Xia Wang,Qin-Qin Gao,Lin-Tao Li,Min Zhang

DOI: https://doi.org/10.1007/s10489-022-03258-0

IF: 5.3

2022-08-13

Applied Intelligence

Abstract:Outlierdetection is an important research direction in data mining, including fraud detection, activity monitoring, medical research, network intrusion detection, etc. Many outlier detection methods have been proposed; however, most of them are not suitable for complex patterns because they do not extract appropriate neighbor information and cannot estimate the density accurately. Additionally, their performance is not stable and depends heavily on the number of nearest neighbors ( k ) selected. To overcome the above defects, we proposed a neighborhood weighted-based outlier detection(NWOD) algorithm that can obtain correct detection result in a variety of situations. In our algorithm, the local density of an object is measured by constructing a weighted nearest neighbor graph and quantifying how difficult it is for the object and its nearest neighbors to reach each other. Furthermore, the proposed neighborhood weighted local outlier factor (NWLOF) compares the differences of the neighborhood weighted local density between a given object and the objects in its neighborhood, and then the degree of being an outlier of an object can be judged. The larger the NWLOF of an object is, the more likely it is to be an outlier. In addition, due to our proposed algorithm being based on the concept of a natural stable structure, its performance does not rely on the value of k . Experiments conducted on both synthetic and real-world datasets show the superiority of our algorithm.

computer science, artificial intelligence

Hui Lu,Yaxian Liu,Zongming Fei,Chongchong Guan

DOI: https://doi.org/10.1109/access.2018.2870151

IF: 3.9

2018-01-01

IEEE Access

Abstract:Outlier detection is a very essential problem in a variety of application areas. Many detection methods are deficient for high-dimensional time series data sets containing both isolated and assembled outliers. In this paper, we propose an Outlier Detection method based on Cross-correlation Analysis (ODCA). ODCA consists of three key parts. They are data preprocessing, outlier analysis, and outlier rank. First, we investigate a linear interpolation method to convert assembled outliers into isolated ones. Second, a detection mechanism based on the cross-correlation analysis is proposed for translating the high-dimensional data sets into 1-D cross-correlation function, according to which the isolated outlier is determined. Finally, a multilevel Otsu's method is adopted to help us select the rank thresholds adaptively and output the abnormal samples at different levels. To illustrate the effectiveness of the ODCA algorithm, four experiments are performed using several high-dimensional time series data sets, which include two smallscale sets and two large-scale sets. Furthermore, we compare the proposed algorithm with the detection methods based on wavelet analysis, bilateral filtering, particle swarm optimization, auto-regression, and extreme learning machine. In addition, we discuss the robustness of the ODCA algorithm. The statistical results show that the ODCA algorithm is much better than existing mainstream methods in both effectiveness and time complexity.

Chao Fei,Nian Xia,Pang-Wei Tsai,Yang Lu,Xiaonan Pan,Junli Gong

DOI: https://doi.org/10.1109/asiajcis64263.2024.00024

2024-01-01

Abstract:Malicious traffic detection is important to defend network attacks. Traditional machine learning-based malicious traffic detection methods aim to improve detection performance and ignore resource consumption. For Internet of Things devices with constrained resources, reducing resource consumption in traffic detection while ensuring the detection accuracy is challenging. In order to solve this problem, this paper proposed an effective feature selection algorithm based on chi-squared test (EFS-CST), which selects the most relevant features to train machine learning (ML) models like random forest, naive bayes, decision tree, and convolutional neural networks. The proposed algorithm was evaluated in terms of accuracy, precision, F1 score, AUROC (area under the receiver operating characteristic curve), AUC-PR (area under the precision-recall curve), model size, training time, and dataset size. Results proved that ML models with EFS-CST could obtain similar detection performance compared to ML models with all features on both UNSW-NBls and TII-SSRC-23 datasets. The detection performance of some ML models with EFS-CST could even outperform that of ML models without feature selection. The dataset sizes for TII-SSRC-23 and UNSW-NB15 were reduced by 48.8% and 47.8%, respectively. In addition, the model training time for TII-SSRC-23 and UNSW-NB15 datasets can be reduced by up to 86.1 % and 48.9%, respectively. Finally, the model sizes for TII-SSRC-23 and UNSW-NB15 datasets could be reduced by up to 60.0% and 65.6 %” respectively.

Tongyu ZHU,Qi WANG,Mengdan GAO

DOI: https://doi.org/10.3778/j.issn.1673-9418.1306016

2014-01-01

Abstract:Traffic incident detection and confirmation is the primary problem in traffic incident management, but detection method based on loop detector and video data is restricted in practical applications due to the high cost and inefficiency. This paper proposes a traffic incident detection algorithm based on outlier mining by use of feature vector related to traffic incident. The feature vector is obtained from the traffic information processed by the float car technology. The algorithm is simple, efficient, and easy to deploy. The experimental results show that the algorithm has higher accuracy than the pattern recognition method, and can effectively distinguish between the conventional congestion and traffic incident.

Longqi Yang,Yibing Wang,Zhisong Pan,Guyu Hu

DOI: https://doi.org/10.48550/arXiv.1403.4017

2014-03-17

Abstract:Network anomaly detection is still a vibrant research area. As the fast growth of network bandwidth and the tremendous traffic on the network, there arises an extremely challengeable question: How to efficiently and accurately detect the anomaly on multiple traffic? In multi-task learning, the traffic consisting of flows at different time periods is considered as a task. Multiple tasks at different time periods performed simultaneously to detect anomalies. In this paper, we apply the multi-task feature selection in network anomaly detection area which provides a powerful method to gather information from multiple traffic and detect anomalies on it simultaneously. In particular, the multi-task feature selection includes the well-known l1-norm based feature selection as a special case given only one task. Moreover, we show that the multi-task feature selection is more accurate by utilizing more information simultaneously than the l1-norm based method. At the evaluation stage, we preprocess the raw data trace from trans-Pacific backbone link between Japan and the United States, label with anomaly communities, and generate a 248-feature dataset. We show empirically that the multi-task feature selection outperforms independent l1-norm based feature selection on real traffic dataset.

Machine Learning

Siqi Wang,Yijie Zeng,Guang Yu,Zhen Cheng,Xinwang Liu,Sihang Zhou,En Zhu,Marius Kloft,Jianping Yin,Qing Liao

DOI: https://doi.org/10.1109/tpami.2022.3188763

IF: 23.6

2022-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Existing unsupervised outlier detection (OD) solutions face a grave challenge with surging visual data like images. Although deep neural networks (DNNs) prove successful for visual data, deep OD remains difficult due to OD's unsupervised nature. This paper proposes a novel framework named E 3Outlier that can perform effective and end-to-end deep outlier removal. Its core idea is to introduce self-supervision into deep OD. Specifically, our major solution is to adopt a discriminative learning paradigm that creates multiple pseudo classes from given unlabeled data by various data operations, which enables us to apply prevalent discriminative DNNs (e.g., ResNet) to the unsupervised OD problem. Then, with theoretical and empirical demonstration, we argue that inlier priority, a property that encourages DNN to prioritize inliers during self-supervised learning, makes it possible to perform end-to-end OD. Meanwhile, unlike frequently-used outlierness measures (e.g., density, proximity) in previous OD methods, we explore network uncertainty and validate it as a highly effective outlierness measure, while two practical score refinement strategies are also designed to improve OD performance. Finally, in addition to the discriminative learning paradigm above, we also explore the solutions that exploit other learning paradigms (i.e., generative learning and contrastive learning) to introduce self-supervision for E 3Outlier. Such extendibility not only brings further performance gain on relatively difficult datasets, but also enables E 3Outlier to be applied to other OD applications like video abnormal event detection. Extensive experiments demonstrate that E 3Outlier can considerably outperform state-of-the-art counterparts by 10%-30% AUROC. Demo codes are available at https://github.com/demonzyj56/E3Outlier.

Hongzuo Xu,Yongjun Wang,Li Cheng,Yijie Wang,Xingkong Ma

DOI: https://doi.org/10.1145/3269206.3271721

2018-01-01

Abstract:Unavoidable noise in real-world categorical data presents significant challenges to existing outlier detection methods because they normally fail to separate noisy values from outlying values. Feature subspace-based methods inevitably mix noisy values when retaining an entire feature because a feature may contain both outlying values and noisy values. Pattern-based methods are normally based on frequency and are easily misled by noisy values, resulting in many faulty patterns. This paper introduces a novel unsupervised framework termed OUVAS, and its parameter-free instantiation RHAC to explore a high-quality outlying value set for detecting outliers in noisy categorical data. Based on the observation that the relations between values reflect their essence, OUVAS investigates value similarities to cluster values into different groups and combines cluster-level analysis and value-level refinement to identify an outlying value set. RHAC instantiates OUVAS by three successive modules (i.e., the combination of Ochiai coefficient and LOUVAIN algorithm to cluster values, hierarchical value coupling learning to perform cluster-level analysis, and a threshold to divide fake and real outlying values in value-level refinement). We show that (i) RHAC-based outlier detector significantly outperforms five state-of-the-art outlier detection methods; (ii) Extended RHAC-based feature selection method successfully improves the performance of existing outlier detectors and performs better than two latest outlying feature selection methods.

Yuening Li,Zhengzhang Chen,Daochen Zha,Kaixiong Zhou,Haifeng Jin,Haifeng Chen,Xia Hu

DOI: https://doi.org/10.48550/arXiv.2006.11321

2020-06-20

Abstract:Outlier detection is an important data mining task with numerous practical applications such as intrusion detection, credit card fraud detection, and video surveillance. However, given a specific complicated task with big data, the process of building a powerful deep learning based system for outlier detection still highly relies on human expertise and laboring trials. Although Neural Architecture Search (NAS) has shown its promise in discovering effective deep architectures in various domains, such as image classification, object detection, and semantic segmentation, contemporary NAS methods are not suitable for outlier detection due to the lack of intrinsic search space, unstable search process, and low sample efficiency. To bridge the gap, in this paper, we propose AutoOD, an automated outlier detection framework, which aims to search for an optimal neural network model within a predefined search space. Specifically, we firstly design a curiosity-guided search strategy to overcome the curse of local optimality. A controller, which acts as a search agent, is encouraged to take actions to maximize the information gain about the controller's internal belief. We further introduce an experience replay mechanism based on self-imitation learning to improve the sample efficiency. Experimental results on various real-world benchmark datasets demonstrate that the deep model identified by AutoOD achieves the best performance, comparing with existing handcrafted models and traditional search methods.

Machine Learning

Yao Xiao,Chunying Kang,Hongchen Yu,Tao Fan,Haofang Zhang

DOI: https://doi.org/10.3390/s22197548

2022-10-05

Abstract:In recent years, network traffic contains a lot of feature information. If there are too many redundant features, the computational cost of the algorithm will be greatly increased. This paper proposes an anomalous network traffic detection method based on Elevated Harris Hawks optimization. This method is easier to identify redundant features in anomalous network traffic, reduces computational overhead, and improves the performance of anomalous traffic detection methods. By enhancing the random jump distance function, escape energy function, and designing a unique fitness function, there is a unique anomalous traffic detection method built using the algorithm and the neural network for anomalous traffic detection. This method is tested on three public network traffic datasets, namely the UNSW-NB15, NSL-KDD, and CICIDS2018. The experimental results show that the proposed method does not only significantly reduce the number of features in the dataset and computational overhead, but also gives better indicators for every test.

Yun Hu,Junyuan Xie,Cunhua Li

DOI: https://doi.org/10.1109/icist.2011.5765219

2011-01-01

Abstract:Outlier detection is an important problem for many domains, including fraud detection, network intrusion and medical diagnosis. Discovery of unexpected knowledge revealed from outliers is becoming an integral aspect of data mining. Existing works in this field fall short of the adaptability to the distributive feature of the dataset. This paper presents a novel approach for outlier detection with high efficiency and the ability to closely monitor the neighboring density characteristics around outliers. A generalized neighboring dependent outlier is defined, followed by a cell-based detection algorithm. Results of extensive experimental studies on real-world and synthetic datasets demonstrate the effectiveness of the algorithm with respect to the size, the bias distributive structure of the datasets.