Jingxuan Pang,Xiaokun Pu,Chunguang Li

DOI: https://doi.org/10.1109/tii.2022.3145834

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Anomaly detection plays an important role in industry, especially in ensuring system safety and product quality. Due to the unavailability of anomalous data in many practical cases, anomaly detection is usually solved by one-class classification (OCC) methods using only normal data. As a classical OCC method, one-class support vector machine (OCSVM) is a popular discriminative approach for anomaly detection, which detects abnormal data points by establishing a decision boundary in the kernel space. However, the performance of OCSVM heavily relies on kernel parameters, whose selection is not trivial for anomaly detection problems. Moreover, for some uneven and complex data distributions, different data regions may have quite different densities and shapes, making it difficult for OCSVM to obtain good boundaries in all regions using a global kernel parameter. To address the above two issues, in this article, we propose a hybrid algorithm incorporating vector quantization and OCSVM (VQ-OCSVM). Specifically, vector quantization is used to extract distribution information of normal data, and the results are used to construct an explicit mapping function to map data into a high-dimensional feature space. Then, OCSVM is performed in the feature space to build a classifier. By introducing the explicit mapping into OCSVM, the proposed method can effectively bypass the kernel parameter selection problem of the classical OCSVM method. Furthermore, the constructed mapping carries the data distribution information, and the VQ-OCSVM model can be regarded as an integration of generative learning and discriminative learning. The complementary properties of these two paradigms make the proposed VQ-OCSVM algorithm have better generalization capacity for complex data distribution. Both qualitative and quantitative experimental results demonstrate the effectiveness and advantages of the proposed method.

Qian Ma,Cong Sun,Baojiang Cui

DOI: https://doi.org/10.1155/2021/2170788

IF: 1.968

2021-11-20

Security and Communication Networks

Abstract:New vulnerabilities and ever-evolving network attacks pose great threats to today’s cyberspace security. Anomaly detection in network traffic is a promising and effective technique to enhance network security. In addition to traditional statistical analysis and rule-based detection techniques, machine learning models are introduced for intelligent detection of abnormal traffic data. In this paper, a novel model named SVM-C is proposed for the anomaly detection in network traffic. The URLs in the network traffic log are transformed into feature vectors via statistical laws and linear projection. The obtained feature vectors are fed into a support vector machine (SVM) classifier and classified as normal or abnormal. Based on the idea of SVM and clustering, we construct an optimization model to train the parameters of the feature extraction method and traffic classifier. Numerical tests indicate that the proposed model outperforms the state of the arts on all the tested datasets.

computer science, information systems,telecommunications

Guo Pu,Lijuan Wang,Jun Shen,Fang Dong

DOI: https://doi.org/10.26599/tst.2019.9010051

2021-04-01

Abstract:In recent years, machine learning-based cyber intrusion detection methods have gained increasing popularity. The number and complexity of new attacks continue to rise; therefore, effective and intelligent solutions are necessary. Unsupervised machine learning techniques are particularly appealing to intrusion detection systems since they can detect known and unknown types of attacks as well as zero-day attacks. In the current paper, we present an unsupervised anomaly detection method, which combines Sub-Space Clustering (SSC) and One Class Support Vector Machine (OCSVM) to detect attacks without any prior knowledge. The proposed approach is evaluated using the well-known NSL-KDD dataset. The experimental results demonstrate that our method performs better than some of the existing techniques.

computer science, information systems,engineering, electrical & electronic, software engineering

Simon Bilik,Karel Horak

DOI: https://doi.org/10.48550/arXiv.2203.13068

2022-03-24

Computer Vision and Pattern Recognition

Abstract:In this paper, we suggest a way, how to use SIFT and SURF algorithms to extract the image features for anomaly detection. We use those feature vectors to train various classifiers on a real-world dataset in the semi -supervised (with a small number of faulty samples) manner with a large number of classifiers and in the one-class (with no faulty samples) manner using the SVDD and SVM classifier. We prove, that the SIFT and SURF algorithms could be used as feature extractors, that they could be used to train a semi-supervised and one-class classifier with an accuracy around 89\% and that the performance of the one-class classifier could be comparable to the semi-supervised one. We also made our dataset and source code publicly available.

Shih-Wei Lin,Kuo-Ching Ying,Chou-Yuan Lee,Zne-Jung Lee

DOI: https://doi.org/10.1016/j.asoc.2012.05.004

IF: 8.7

2012-10-01

Applied Soft Computing

Abstract:Intrusion detection system (IDS) is to monitor the attacks occurring in the computer or networks. Anomaly intrusion detection plays an important role in IDS to detect new attacks by detecting any deviation from the normal profile. In this paper, an intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection is proposed. The key idea is to take the advantage of support vector machine (SVM), decision tree (DT), and simulated annealing (SA). In the proposed algorithm, SVM and SA can find the best selected features to elevate the accuracy of anomaly intrusion detection. By analyzing the information from using KDD’99 dataset, DT and SA can obtain decision rules for new attacks and can improve accuracy of classification. In addition, the best parameter settings for the DT and SVM are automatically adjusted by SA. The proposed algorithm outperforms other existing approaches. Simulation results demonstrate that the proposed algorithm is successful in detecting anomaly intrusion detection.

computer science, artificial intelligence, interdisciplinary applications

Ji Qiu,Hongmei Shi,Yuhen Hu,Zujun Yu

DOI: https://doi.org/10.3390/app132312655

2023-11-24

Applied Sciences

Abstract:Unsupervised anomaly detection models are crucial for the efficiency of industrial applications. However, frequent false alarms hinder the widespread adoption of unsupervised anomaly detection, especially in fault detection tasks. To this end, our research delves into the dependence of false alarms on the baseline anomaly detector by analyzing the high-response regions in anomaly maps. We introduce an SVM-based false positive classifier as a post-processing module, which identifies false alarms from positive predictions at the object level. Moreover, we devise a sample synthesis strategy that generates synthetic false positives from the trained baseline detector while producing synthetic defect patch features from fuzzy domain knowledge. Following comprehensive evaluations, we showcase substantial performance enhancements in two advanced out-of-distribution anomaly detection models, Cflow and Fastflow, across image and pixel-level anomaly detection performance metrics. Substantive improvements are observed in two distinct industrial applications, with notable instances of elevating the image-level F1-score from 46.15% to 78.26% in optimal scenarios and boosting pixel-level AUROC from 72.36% to 94.74%.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Xuedan Miao,Ying Liu,Haiquan Zhao,Chunguang Li

DOI: https://doi.org/10.1109/tcyb.2018.2804940

IF: 11.8

2019-01-01

IEEE Transactions on Cybernetics

Abstract:Anomaly detection has attracted much attention in recent years since it plays a crucial role in many domains. Various anomaly detection approaches have been proposed, among which one-class support vector machine (OCSVM) is a popular one. In practice, data used for anomaly detection can be distributively collected via wireless sensor networks. Besides, as the data usually arrive at the nodes sequentially, online detection method that can process streaming data is preferred. In this paper, we formulate a distributed online OCSVM for anomaly detection over networks and get a decentralized cost function. To get the decentralized implementation without transmitting the original data, we use a random approximate function to replace the kernel function. Furthermore, to find an appropriate approximate dimension, we add a sparse constraint into the decentralized cost function to get another one. Then we minimize these two cost functions by stochastic gradient descent and derive two distributed algorithms. Some theoretical analysis and experiments are performed to show the effectiveness of the proposed algorithms. Experimental results on both synthetic and real datasets reveal that both of the proposed algorithms achieve low mis-detection rates and high true positive rates. Compared with other state-of-the-art anomaly detection methods, the proposed distributed algorithms not only show good anomaly detection performance, but also require relatively short running time and low CPU memory consumption.

Yong Sun,Huakun Que,Qianqian Cai,Jingming Zhao,Jingru Li,Zhengmin Kong,Shuai Wang

DOI: https://doi.org/10.3390/en15134751

IF: 3.2

2022-06-29

Energies

Abstract:This paper proposes a novel network anomaly detection framework based on data balance and feature selection. Different from the previous binary classification of network intrusion, the network anomaly detection strategy proposed in this paper solves the problem of multiple classification of network intrusion. Regarding the common data imbalance of a network intrusion detection set, a resampling strategy generated by random sampling and Borderline SMOTE data is developed for data balance. According to the features of the intrusion detection dataset, feature selection is carried out based on information gain rate. Experiments are carried out on three basic machine learning algorithms (K-nearest neighbor algorithm (KNN), decision tree (DT), random forest (RF)), and the optimal feature selection scheme is obtained.

energy & fuels

Mina Eshak Magdy,Ahmed M. Matter,Saleh Hussin,Doaa Hassan,Shaimaa Ahmed Elsaid

DOI: https://doi.org/10.11591/ijeecs.v30.i3.pp1699-1706

2023-06-01

Indonesian Journal of Electrical Engineering and Computer Science

Abstract:Recently, cyberattacks have been more complex than in the past, as a new cyber-attack is initiated almost every day. Therefore, researchers should develop efficient intrusion detection systems (IDS) to detect cyber-attacks. In order to improve the detection and prevention of the aforementioned cyber-attacks, several articles developed IDSs exploiting machine learning and deep learning. In this paper, a way to find network intrusions using a combination of feature selection and adoptive voting is investigated. NSL-KDD dataset, a high-dimensional dataset that has been widely used for network intrusion detection, is applied in this approach. Feature selection plays an important role for improving accuracy and testing time as it eliminates the less significant attributes from the data set, thus saving computational power and effort. The experimental results show that the proposed approach achieves an accuracy of 86.5% on the NSL-KDD test dataset using an adoptive voting algorithm trained with the selected features. In addition, the time to process each record is 97.5 microseconds, which reflects the proposed model's superior performance. Comparing the proposed model with the existing models in the literature shows that the proposed adaptive voting approach significantly improves intrusion detection accuracy, enhances computational efficiency, and reduces false positives.

Chao Wang,Yunxiao Sun,Sicai Lv,Chonghua Wang,Hongri Liu,Bailing Wang

DOI: https://doi.org/10.3390/electronics12040930

IF: 2.9

2023-02-13

Electronics

Abstract:Intrusion detection systems (IDSs) play a significant role in the field of network security, dealing with the ever-increasing number of network threats. Machine learning-based IDSs have attracted a lot of interest owing to their powerful data-driven learning capabilities. However, it is challenging to train the supervised learning algorithms when there are no attack data at hand. Semi-supervised anomaly detection algorithms, which train the model with only normal data, are more suitable. In this study, we propose a novel semi-supervised anomaly detection-based IDS that leverages the capabilities of representation learning and two anomaly detectors. In detail, the autoencoder (AE) is applied to extract representative features of normal data in the first step, and then two semi-supervised detectors, the one-class support vector machine (OCSVM) and Gaussian mixture model (GMM), are trained on the derived features. The two detectors collaborate to detect anomalous samples. The OCSVM predicts the abnormal samples initially, and after that, the GMM is applied to recheck the misclassified samples further. The experiments demonstrate that the AE improves the detection rate, and two detectors are more promising than a single one.

engineering, electrical & electronic,computer science, information systems,physics, applied

Feng Xue,Weizhong Yan

DOI: https://doi.org/10.48550/arXiv.2207.00705

2022-07-02

Abstract:Given the scarcity of anomalies in real-world applications, the majority of literature has been focusing on modeling normality. The learned representations enable anomaly detection as the normality model is trained to capture certain key underlying data regularities under normal circumstances. In practical settings, particularly industrial time series anomaly detection, we often encounter situations where a large amount of normal operation data is available along with a small number of anomaly events collected over time. This practical situation calls for methodologies to leverage these small number of anomaly events to create a better anomaly detector. In this paper, we introduce two methodologies to address the needs of this practical situation and compared them with recently developed state of the art techniques. Our proposed methods anchor on representative learning of normal operation with autoregressive (AR) model along with loss components to encourage representations that separate normal versus few positive examples. We applied the proposed methods to two industrial anomaly detection datasets and demonstrated effective performance in comparison with approaches from literature. Our study also points out additional challenges with adopting such methods in practical applications.

Machine Learning,Artificial Intelligence,Neural and Evolutionary Computing

Wu Liu,Ping Ren,Ke Liu,Duan Hai-xin

DOI: https://doi.org/10.1109/wicom.2011.6040153

2011-01-01

Abstract:This paper considers anomaly detection using an improved probabilistic neural networks. We first introduce a Basic Adaptive Boost Algorithm (BABA) and analysis its drawbacks and then introduce an Improved Adaptive Boost Algorithm (IABA) to classify the detected event as normal or intrusive. © 2011 IEEE.

Paul Irofti,Iulian-Andrei Hîji,Andrei Pătraşcu,Nicolae Cleju

2024-04-05

Abstract:We study in this paper the improvement of one-class support vector machines (OC-SVM) through sparse representation techniques for unsupervised anomaly detection. As Dictionary Learning (DL) became recently a common analysis technique that reveals hidden sparse patterns of data, our approach uses this insight to endow unsupervised detection with more control on pattern finding and dimensions. We introduce a new anomaly detection model that unifies the OC-SVM and DL residual functions into a single composite objective, subsequently solved through K-SVD-type iterative algorithms. A closed-form of the alternating K-SVD iteration is explicitly derived for the new composite model and practical implementable schemes are discussed. The standard DL model is adapted for the Dictionary Pair Learning (DPL) context, where the usual sparsity constraints are naturally eliminated. Finally, we extend both objectives to the more general setting that allows the use of kernel functions. The empirical convergence properties of the resulting algorithms are provided and an in-depth analysis of their parametrization is performed while also demonstrating their numerical performance in comparison with existing methods.

Machine Learning,Cryptography and Security,Numerical Analysis

AT Quang,QL Zhang,X Li

DOI: https://doi.org/10.1109/icct.2003.1209103

2003-01-01

Abstract:This paper presents an approach to controlling the attack recall in an anomaly detection system using Support Vector Machine (SVM). The recall and precision of SVM are controlled by the selection of the training model. The training model is selected by optimization method using Genetic Algorithm. A SVM training model optimization problem is presented and an expected attack recall is controlled by a tradeoff parameter rho in the objective function. Experiment results demonstrate that as rho increases from 0 to 1, the recall increases from 0 to 1. If we use the value of rho to estimate the recall, the mean square error of this estimation is decreased during the evolution of the training model. Our approach allows a user to design a system with an expected recall while the precision is high.

Guanghui Song,Xiaogang Jin,Genlang Chen,Yan Nie

DOI: https://doi.org/10.1109/ISKE.2010.5680860

2010-01-01

Abstract:The source data of intrusion detection system (IDS) are characteristic of heavy-flow, high-dimension and nonlinearity. A frequent problem in IDS is the choice of the right features that give rise to compact and concise representations of the network data; the other is how to improve the detection efficiency and accuracy of IDS under the small sample conditions. In order to delete the redundant and noisy features, improve the performance of IDS, we present an efficient IDS based on multiple kernel learning (MKL) method. Kernel methods are the effective approaches to intrusion detection problems. MKL methods combined with support vector machines (SVMs) can overcome some practice difficulties of IDS such as irregular data, non-flat distribution of the samples, etc. Experiments on the KDD Cup (1999) intrusion detection data set show that MKL methods have a higher detection rate and a lower false alarm rate compared to single kernel methods.

Jionghua Jin,Xuejun Zhu

2006-01-01

Abstract:The intrusion detection in computer networks is a complex research problem, which requires the understanding of computer networks and the mechanism of intrusions, the configuration of sensors and the collected data, the selection of the relevant attributes, and the monitor algorithms for online detection. It is critical to develop general methods for data dimension reduction, effective monitoring algorithms for intrusion detection, and means for their performance improvement. This dissertation is motivated by the timely need to develop statistics-based machine learning methods for effective detection of computer network anomalies. Three fundamental research issues related to data dimension reduction, control charts design and performance improvement have been addressed accordingly. The major research activities and corresponding contributions are summarized as follows: (1) Filter and Wrapper models are integrated to extract a small number of the informative attributes for computer network intrusion detection. A two-phase analyses method is proposed for the integration of Filter and Wrapper models. The proposed method has successfully reduced the original 41 attributes to 12 informative attributes while increasing the accuracy of the model. The comparison of the results in each phase shows the effectiveness of the proposed method. (2) Supervised kernel based control charts for anomaly intrusion detection. We propose to construct control charts in a feature space. The first contribution is the use of multi-objective Genetic Algorithm in the parameter pre-selection for SVM based control charts. The second contribution is the performance evaluation of supervised kernel based control charts. (3) Unsupervised kernel based control charts for anomaly intrusion detection. Two types of unsupervised kernel based control charts are investigated: Kernel PCA control charts and Support Vector Clustering based control charts. The applications of SVC based control charts on computer networks audit data are also discussed to demonstrate the effectiveness of the proposed method. Although the developed methodologies in this dissertation are demonstrated in the computer network intrusion detection applications, the methodologies are also expected to be applied to other complex system monitoring, where the database consists of a large dimensional data with non-Gaussian distribution.

Kun Wu,Lei Zhu,Weihang Shi,Wenwu Wang,Jin Wu

DOI: https://doi.org/10.1109/tcsvt.2022.3211839

IF: 5.859

2023-03-11

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Anomaly detection plays an important role in manufacturing quality control/assurance. Among approaches adopting computer vision techniques, reconstruction-based methods learn a content-aware mapping function that transfers abnormal regions to normal regions in an unsupervised manner. Such methods usually have difficulty in improving both the reconstruction quality and capacity for abnormal discovery. We observe that high-level semantic contextual features demonstrate a strong ability for abnormal discovery, while variational features help to preserve fine image details. Inspired by the observation, we propose a new abnormal detection model by utilizing features for different purposes depending on their frequency characteristics. The 2D-discrete wavelet transform (DWT) is introduced to obtain the low-frequency and high-frequency components of features and further used to generate the two essential features following different routing paths in our encoder process. To further improve the capacity for abnormal discovery, we propose a novel feature augmentation module that is informed by a customized self-attention mechanism. Extensive experiments are conducted on two popular datasets: MVTec AD and BTAD. The experimental results illustrate that the proposed method outperforms other state-of-the-art approaches in terms of the image-level AUROC score. In particular, our method achieves 100% of the image-level AUROC score on 8 out of 15 classes on the MVTec dataset.

engineering, electrical & electronic

GuiPing Wang,JianXi Yang,Ren Li

DOI: https://doi.org/10.4218/etrij.2018-0475

2019-06-19

ETRI Journal

Abstract:In a cloud environment, performance degradation, or even downtime, of virtual machines (VMs) usually appears gradually along with anomalous states of VMs. To better characterize the state of a VM, all possible performance metrics are collected. For such high‐dimensional datasets, this article proposes a feature extraction algorithm based on unsupervised fuzzy linear discriminant analysis with kernel (UFKLDA). By introducing the kernel method, UFKLDA can not only effectively deal with non‐Gaussian datasets but also implement nonlinear feature extraction. Two sets of experiments were undertaken. In discriminability experiments, this article introduces quantitative criteria to measure discriminability among all classes of samples. The results show that UFKLDA improves discriminability compared with other popular feature extraction algorithms. In detection accuracy experiments, this article computes accuracy measures of an anomaly detection algorithm (i.e., C‐SVM) on the original performance metrics and extracted features. The results show that anomaly detection with features extracted by UFKLDA improves the accuracy of detection in terms of sensitivity and specificity.

telecommunications,engineering, electrical & electronic

Feng MEI,Chun-hui ZHAO,Li-guo WANG,Jia YOU

2009-01-01

Abstract:An adaptive support vector data description(SVDD)method is proposed for anomaly deteciton in hyperspectral imagery.According to the features of hyperspectral data and the local detection model,the second-order statistic information between hyperspectral bands of local background is calculated firstly.Based on the relationship between kernel parameter and the local second-order statistic information,an adaptive kernel parameter estimation method is derived.The parameter estimation of kernel function can be obtained along with the shifting of the background clutter pixels automatically,The degeneration of detection performance brought by a global fixed kernel parameter SVDD method in a background of miscellaneous terrain is improved by the proposed algorithm.Numerical experiments are conducted on simulated data and real hyperspectral imagery.Using receiver operating characteristic(ROC)curves,the results show that the detection probability of the proposed algorithm is 10 percentage better than the classical fixed kernel parameter SVDD at the same false alarm rates.

Yuejing Zhai,Haizhong Liu

DOI: https://doi.org/10.3233/jifs-213088

2022-03-24

Abstract:Recent studies have shown that the evolution of infinitely wide neural networks satisfying certain conditions can be described by a kernel function called neural tangent kernel (NTK). We introduce NTK into a one-class support vector machine model and select data from different domains in UCI for a small-sample outlier detection task, demonstrate that NTK-OCSVM generally outperforms a variety of commonly used classification models, with more than 20% improvement in accuracy for similar models. When the kernel function parameters are varied, the experiments show that the model has strong robustness within a certain parameter range. Finally, we experimentally compare the time complexity of different models and the decision boundaries, and demonstrate that NTK-OCSVM improves accuracy at the expense of operational efficiency and has linear decision boundaries.