Yijun Lin,Yao-Yi Chiang

DOI: https://doi.org/10.48550/arXiv.2110.07660

IF: 5.414

2021-10-14

Machine Learning

Abstract:Large network logs, recording multivariate time series generated from heterogeneous devices and sensors in a network, can often reveal important information about abnormal activities, such as network intrusions and device malfunctions. Existing machine learning methods for anomaly detection on multivariate time series typically assume that 1) normal sequences would have consistent behavior for training unsupervised models, or 2) require a large set of labeled normal and abnormal sequences for supervised models. However, in practice, normal network activities can demonstrate significantly varying sequence patterns (e.g., before and after rerouting partial network traffic). Also, the recorded abnormal events can be sparse. This paper presents a novel semi-supervised method that efficiently captures dependencies between network time series and across time points to generate meaningful representations of network activities for predicting abnormal events. The method can use the limited labeled data to explicitly learn separable embedding space for normal and abnormal samples and effectively leverage unlabeled data to handle training data scarcity. The experiments demonstrate that our approach significantly outperformed state-of-the-art approaches for event detection on a large real-world network log.

Shi Dong,Yuanjun Xia,Tao Peng

DOI: https://doi.org/10.1109/tnsm.2021.3120804

2021-12-01

IEEE Transactions on Network and Service Management

Abstract:The rapid development of Internet technology has brought great convenience to our production life, and the ensuing security problems have become increasingly prominent. These problems threaten users' privacy and pose significant security risks to the normal conduct of many aspects of society, such as politics, economy, culture, and people's livelihood. The growth of the information transmission rate expands the scope of attacks and provides a more attack environment for intruders. Abnormal detection is an effective security protection technology that can monitor network transmission in real-time, effectively sense external attacks, and provide response decisions for relevant managers. The development of machine learning has also led to the development of abnormal traffic detection technology. The goal has been to use powerful and fast learning algorithms to deal with changing threats and respond in real-time. Most of the current abnormal detection research is based on simulation, using public and well-known datasets. On the one hand, the dataset contains high-dimensional massive data, which traditional machine learning methods cannot be processed. On the other hand, the labeled data scale is far behind the application requirements, and the dataset's labels are all manually labeled, so the labeling cost is exceptionally high. This paper proposes a semi-supervised Double Deep Q-Network (SSDDQN)-based optimization method for network abnormal traffic detection, mainly based on Double Deep Q-Network (DDQN), a representative of Deep Reinforcement Learning algorithm. In SSDDQN, the current network first adopts the autoencoder to reconstruct the traffic features and then uses a deep neural network as a classifier. The target network first uses the unsupervised learning algorithm K-Means clustering and then uses deep neural network prediction. The experiment uses NSL-KDD and AWID datasets for training and testing and -erforms a comprehensive comparison with existing machine learning models. The experimental results show that SSDDQN has certain advantages in time complexity and achieved good results in various evaluation metrics.

computer science, information systems

Kai Zhang,Chao Li,Qinmin Yang,Wei Lin,Linsong Yuan

DOI: https://doi.org/10.1109/ICIST59754.2023.10367117

2023-01-01

Abstract:Abnormal detection is crucial for maintaining critical processes' stability, security, and efficiency in various domains. Traditional methods for abnormal detection in time series data have limitations in capturing temporal dependencies and providing interpretable anomaly scores. The authors propose a Segmentation-based Adversarial Denoising Auto-encoder (SADA) model to address these challenges. The SADA model uses two individual auto-encoders to establish an adversarial training process and incorporates segmentation techniques and inter-correlation encoding units to capture temporal dependencies and inter-correlations in multivariate time series data. Experimental results on multiple datasets demonstrate the effectiveness of the SADA model in detecting anomalies and achieving high precision and recall rates. The proposed model shows promise in improving the adaptability of anomaly detection algorithms to different types of data.

Hao Zhang,Zude Xiao,Jason Gu,Yanhua Liu

DOI: https://doi.org/10.1007/s11227-023-05474-y

IF: 3.3

2023-06-15

The Journal of Supercomputing

Abstract:With the rapid development of network technology, the Internet has brought significant convenience to various sectors of society, holding a prominent position. Due to the unpredictable and severe consequences resulting from malicious attacks, the detection of anomalous network traffic has garnered considerable attention from researchers over the past few decades. Accurately labeling a sufficient amount of network traffic data as a training dataset within a short period of time is a challenging task, given the rapid and massive generation of network traffic data. Furthermore, the proportion of malicious attack traffic is relatively small compared to the overall traffic data, and the distribution of traffic data across different types of malicious attacks also varies significantly. To address the aforementioned challenges, this paper presents a novel network anomaly detection algorithm based on semi-supervised learning and adaptive multiclass balancing. Building upon the assumption of consistent distribution between labeled and unlabeled data, this paper introduces the multiclass split balancing strategy and the adaptive confidence threshold function. These innovative approaches aim to tackle the issue of the multiclass imbalanced in traffic data. By leveraging the mutually beneficial relationship between semi-supervised learning and ensemble learning, this paper presents the collaborative rotation forest algorithm. This algorithm is specifically designed to enhance performance of anomaly detection in an environment with label inadequacy. Several comparative experiments conducted on the NSL-KDD, UNSW-NB15, and ToN-IoT demonstrate that the proposed algorithm achieves significant improvements in performance. Specifically, it enhances precision by 1.5–5.7%, recall by 1.5−5.7%, and F-Measure by 1.4−4.3% compared to the state-of-the-art algorithms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Xuedan Miao,Ying Liu,Haiquan Zhao,Chunguang Li

DOI: https://doi.org/10.1109/tcyb.2018.2804940

IF: 11.8

2019-01-01

IEEE Transactions on Cybernetics

Abstract:Anomaly detection has attracted much attention in recent years since it plays a crucial role in many domains. Various anomaly detection approaches have been proposed, among which one-class support vector machine (OCSVM) is a popular one. In practice, data used for anomaly detection can be distributively collected via wireless sensor networks. Besides, as the data usually arrive at the nodes sequentially, online detection method that can process streaming data is preferred. In this paper, we formulate a distributed online OCSVM for anomaly detection over networks and get a decentralized cost function. To get the decentralized implementation without transmitting the original data, we use a random approximate function to replace the kernel function. Furthermore, to find an appropriate approximate dimension, we add a sparse constraint into the decentralized cost function to get another one. Then we minimize these two cost functions by stochastic gradient descent and derive two distributed algorithms. Some theoretical analysis and experiments are performed to show the effectiveness of the proposed algorithms. Experimental results on both synthetic and real datasets reveal that both of the proposed algorithms achieve low mis-detection rates and high true positive rates. Compared with other state-of-the-art anomaly detection methods, the proposed distributed algorithms not only show good anomaly detection performance, but also require relatively short running time and low CPU memory consumption.

Yi Li,Zhangbing Zhou,Shuiguang Deng,Xiao Sun,Xiao Xue,Sami Yangui,Walid Gaaloul

DOI: https://doi.org/10.1109/icws62655.2024.00077

2024-01-01

Abstract:Anomaly detection is a long-standing research topic to support the prompt remedy of potential risks for dependency-aware tasks, where Graph Neural Networks (GNNs) models have been adopted to differentiate anomalies from normal patterns. Generally, GNN models utilize time series data to construct graph structures for capturing task dependencies between Internet of Things (IoT) devices, such that deviations from predicted behaviours are assumed as anomalies. Current forecasting-based anomaly detection methods can hardly detect anomalies, which are uncovered by historical sensory data, but are explicitly specified by domain knowledge. To solve this issue, this paper proposes a Knowledge-enhanced graph attention-based Anomaly Detection (KeAD) method. Specifically, a knowledge-enhanced graph structure is constructed by incorporating domain-specific knowledge to represent spatio-temporal dependencies between IoT devices. Thereafter, a knowledge-enhanced graph attention-based forecasting network is developed to predict future behaviours of IoT devices. Anomalies are detected by analyzing deviations from these predicted behaviours, taking domain-specific knowledge into account. Extensive experiments are conducted based on publicly-available datasets, and evaluation results demonstrate that our KeAD outperform the state-of-the-art techniques in terms of the accuracy of anomaly detection.

Yinan Tang,Yabo Zhang,Zhifeng Yin,Jianxi Deng,Feng Li,Yong Cui,Xiaoxiao Zhang

DOI: https://doi.org/10.1109/icc45855.2022.9839022

2022-01-01

Abstract:In nowadays large-scale networks, it is challenging for network operation and maintenance systems to analyze the reported massive network anomaly information. To handle this problem, we proposed a deep multi-modal learning approach called multi-modal anomaly root cause analysis, which enables network operation and maintenance systems to automatically and effectively associate the related network anomalies that appear from different modalities or aspects, and then locate the root causes. As a self/semi-supervised approach, our proposal is capable of realizing self-learning, self-adapting, and does not rely on a large number of manual annotations. According to the experimental results in a real large-scale network, without any annotations, our approach achieves up to 14% accuracy improvement in terms of multi-modal network anomaly association and root cause locating compared to the classical association rule mining algorithm Apriori, while its performance turns even much better when a few of labeled training samples are provided. The experiment also well proves the versatility and self-adaptability of our approach, which means our learning-based approach is able to not only achieve fast convergence but also automatically adapt itself to network changes.

Xiaofeng Qiu,Xinran Wang

DOI: https://doi.org/10.1109/ICCT56141.2022.10073098

2022-11-11

Abstract:Deep learning techniques have become an increasingly popular solution for network intrusion detection system (NIDS). Semi-supervised deep anomaly detection methods used in network intrusion detection always need a high proportion of labeled samples and do not have good robustness. To solve these problems, we propose ATSAD: a novel semi-supervised anomaly detection method which is an improvement of the state-of-the-art method Deep SAD (Deep Semi-Supervised Anomaly Detection). Our main idea is to make the model pay more attention to important features of input data. We use an attention network to make the idea come true. We define a new objective function so that the attention network and the mapping network of Deep SAD can be trained together. Our evaluations show ATSAD has the best performance and good robustness compared with other methods on the dataset CSE-CIC-IDS2018.

Computer Science

Weiwei Lin,Songbo Wang,Wentai Wu,Dongdong Li,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tetci.2023.3290027

2023-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:Anomaly detection, in recent years, has gained increasing attention in the research and practice of time series processing. However, the task is particularly challenging with multivariate time series which complicates the temporal dependency between observations and introduces complex inter-channel correlation. Meanwhile, in order to fit a broader range of applications, robustness during both training and detection is also a critical aspect. In this paper, we propose an unsupervised, hybrid model-driven anomaly detection scheme capable of (1) transforming sequences into a fused representation of temporal dependency embeddings and inter-channel correlation embeddings, and (2) achieving robust anomaly detection using a temporal prediction network for sample-wise posterior estimation combined with a data reconstruction network to assess the source of prediction. On this basis, we develop a probability density-based anomaly scoring mechanism for online detection in multivariate time series, where the anomaly score for each observation is rectified by the reliability of the prediction source. The results of extensive experiments on five publicly available datasets show that our proposed solution outperforms various state-of-the-art anomaly detection algorithms (including DL-based and non-DL-based), achieving a performance improvement (in F1-Score) by up to 10.42%.

Haitian Yang,Degang Sun,Wen Liu,Yanshu Li,Yan Wang,Weiqing Huang

DOI: https://doi.org/10.48550/arXiv.2402.11841

2024-02-19

Abstract:Logs are widely used in the development and maintenance of software systems. Logs can help engineers understand the runtime behavior of systems and diagnose system failures. For anomaly diagnosis, existing methods generally use log event data extracted from historical logs to build diagnostic models. However, we find that existing methods do not make full use of two types of features, (1) statistical features: some inherent statistical features in log data, such as word frequency and abnormal label distribution, are not well exploited. Compared with log raw data, statistical features are deterministic and naturally compatible with corresponding tasks. (2) semantic features: Logs contain the execution logic behind software systems, thus log statements share deep semantic relationships. How to effectively combine statistical features and semantic features in log data to improve the performance of log anomaly diagnosis is the key point of this paper. In this paper, we propose an adaptive semantic gate networks (ASGNet) that combines statistical features and semantic features to selectively use statistical features to consolidate log text semantic representation. Specifically, ASGNet encodes statistical features via a variational encoding module and fuses useful information through a well-designed adaptive semantic threshold mechanism. The threshold mechanism introduces the information flow into the classifier based on the confidence of the semantic features in the decision, which is conducive to training a robust classifier and can solve the overfitting problem caused by the use of statistical features. The experimental results on the real data set show that our method proposed is superior to all baseline methods in terms of various performance indicators.

Software Engineering

Yali Yuan,Sripriya Srikant Adhatarao,Mingkai Lin,Yachao Yuan,Zheli Liu,Xiaoming Fu

DOI: https://doi.org/10.1109/infocom41043.2020.9155487

2020-07-01

Abstract:Large private and government networks are often subjected to attacks like data extrusion and service disruption. Existing anomaly detection systems use offline supervised learning and employ experts for labeling. Hence they cannot detect anomalies in real-time. Even though unsupervised algorithms are increasingly used nowadays, they cannot readily adapt to newer threats. Moreover, many such systems also suffer from high cost of storage and require extensive computational resources. In this paper, we propose ADA: Adaptive Deep Log Anomaly Detector, an unsupervised online deep neural network framework that leverages LSTM networks and regularly adapts to newer log patterns to ensure accurate anomaly detection. In ADA, an adaptive model selection strategy is designed to choose pareto-optimal configurations and thereby utilize resources efficiently. Further, a dynamic threshold algorithm is proposed to dictate the optimal threshold based on recently detected events to improve the detection accuracy. We also use the predictions to guide storage of abnormal data and effectively reduce the overall storage cost. We compare ADA with state-of-the-art approaches through leveraging the Los Alamos National Laboratory cyber security dataset and show that ADA accurately detects anomalies with high F1-score ~95% and it is 97 times faster than existing approaches and incurs very low storage cost.

Yutong Chen,Hongzuo Xu,Guansong Pang,Hezhe Qiao,Yuan Zhou,Mingsheng Shang

2024-06-28

Abstract:Time Series Anomaly Detection (TSAD) finds widespread applications across various domains such as financial markets, industrial production, and healthcare. Its primary objective is to learn the normal patterns of time series data, thereby identifying deviations in test samples. Most existing TSAD methods focus on modeling data from the temporal dimension, while ignoring the semantic information in the spatial dimension. To address this issue, we introduce a novel approach, called Spatial-Temporal Normality learning (STEN). STEN is composed of a sequence Order prediction-based Temporal Normality learning (OTN) module that captures the temporal correlations within sequences, and a Distance prediction-based Spatial Normality learning (DSN) module that learns the relative spatial relations between sequences in a feature space. By synthesizing these two modules, STEN learns expressive spatial-temporal representations for the normal patterns hidden in the time series data. Extensive experiments on five popular TSAD benchmarks show that STEN substantially outperforms state-of-the-art competing methods. Our code is available at <a class="link-external link-https" href="https://github.com/mala-lab/STEN" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Artificial Intelligence

Xiaoxue Ma,Jacky Keung,Pinjia He,Yan Xiao,Xiao Yu,Yishu Li

DOI: https://doi.org/10.1109/tii.2023.3280246

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:With the rapid development of the Industrial Internet of Things (IIoT), log-based anomaly detection has become vital for smart industrial construction that has prompted many researchers to contribute. To detect anomalies based on log data, semi-supervised approaches stand out from supervised and unsupervised approaches because they only require a portion of labeled data and are relatively stable. However, the state-of-the-art semi-supervised approaches still suffer from two main problems: manual parameter setting and unsatisfactory performance with high false positives. We propose AdaLog, an integrated semi-supervised approach based on self-adaptive clustering, for industrial anomaly detection. In particular, the clustering step performs automatic label probability estimation by distinguishing twelve situations so that the label probability of each unlabeled data can be carefully calculated, leading to high accuracy. In addition, AdaLog employs a pre-trained model to learn contextual information comprehensively and a transformer-based model to detect anomalies efficiently. To alleviate class imbalance, an undersampling method is incorporated. The results on three popular datasets demonstrate that AdaLog significantly outperforms three state-of-the-art semi-supervised approaches by 17.8%–2,489.8% on average in terms of F1-score, and is even superior to two supervised approaches in most cases with average improvements of 10.9%–23.8%.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Wenqi Chen,Zhiliang Wang,Liyuan Chang,Kai Wang,Ying Zhong,Dongqi Han,Chenxin Duan,Xia Yin,Jiahai Yang,Xingang Shi

DOI: https://doi.org/10.1016/j.comnet.2024.110423

IF: 5.493

2024-01-01

Computer Networks

Abstract:The last decade has seen increasing application of machine learning to various tasks, including network anomaly detection. But anomaly detection methods using a single machine learning algorithm often fail to perform well, since network traffic can have complex and changeable patterns. Therefore, many solutions based on ensemble learning have been proposed to address this problem. However, previous studies have a essential drawback that they overlook the similarity between the weak classifiers, which may degrade the detection ability of the model. What's more, prior work use offline and supervised algorithms, which means a large amount of memory and reliable labels are necessary during the training period. In this paper, we propose ADSIM, an online, unsupervised, and similarity-aware network anomaly detection algorithm based on ensemble learning. In the training phase, ADSIM incrementally maintains a distance matrix to record the similarity between the classifiers and uses hierarchy clustering to group similar classifiers. In the detecting phase, each cluster will be assigned a weight based on the consistency of the classifier outputs within it. We evaluate ADSIM on two datasets, MAWILab and CIC-IDS-2017, and the results show that ADSIM can accurately detect various anomalies and outperforms state-of-the-art ensemble learning methods.

Aiguo Chen,Yang Fu,Xu Zheng,Guoming Lu

DOI: https://doi.org/10.1016/j.cose.2021.102600

2022-03-01

Abstract:The Internet environment is exposed to diverse and increasingly numerous intrusion attacks due to its continuously expanding scale, threatening the information and assets of individuals and companies. The application of machine learning and deep learning methods has significantly improved the performance of network behavior anomaly detection (NBAD). However, existing NBAD methods based on machine learning classify network behaviors with hand-selected feature vectors, which are not flexible enough to adapt to various cyber environments and new categories of attacks, resulting in low accuracy. Moreover, high-dimensional and large-scale data have significantly increased the training, retraining, and detection time, resulting in low scalability. To solve these problems, an efficient NBAD algorithm based on deep belief networks (DBN) and long short-term memory (LSTM) networks is proposed. First, a nonlinear feature extraction method using a DBN is applied to extract features automatically and reduce the dimension of the original data while guaranteeing accuracy. Then, a light-structure LSTM network is used to obtain the classification results. The results of multiple experiments show that the proposed approach performs well in feature learning and has high accuracy while obtaining results in a timely manner and easily updating the model.

computer science, information systems

Xudong Yan,Huaidong Zhang,Xuemiao Xu,Xiaowei Hu,Pheng-Ann Heng

DOI: https://doi.org/10.1609/aaai.v35i4.16420

2021-05-18

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Unsupervised anomaly detection aims to identify data samples that have low probability density from a set of input samples, and only the normal samples are provided for model training. The inference of abnormal regions on the input image requires an understanding of the surrounding semantic context. This work presents a Semantic Context based Anomaly Detection Network, SCADN, for unsupervised anomaly detection by learning the semantic context from the normal samples. To achieve this, we first generate multi-scale striped masks to remove a part of regions from the normal samples, and then train a generative adversarial network to reconstruct the unseen regions. Note that the masks are designed in multiple scales and stripe directions, and various training examples are generated to obtain the rich semantic context . In testing, we obtain an error map by computing the difference between the reconstructed image and the input image for all samples, and infer the abnormal samples based on the error maps. Finally, we perform various experiments on three public benchmark datasets and a new dataset LaceAD collected by us, and show that our method clearly outperforms the current state-of-the-art methods.

Yuxin Zhang,Jindong Wang,Yiqiang Chen,Han Yu,Tao Qin

DOI: https://doi.org/10.48550/arXiv.2201.00464

IF: 5.414

2022-01-03

Machine Learning

Abstract:Unsupervised anomaly detection aims to build models to effectively detect unseen anomalies by only training on the normal data. Although previous reconstruction-based methods have made fruitful progress, their generalization ability is limited due to two critical challenges. First, the training dataset only contains normal patterns, which limits the model generalization ability. Second, the feature representations learned by existing models often lack representativeness which hampers the ability to preserve the diversity of normal patterns. In this paper, we propose a novel approach called Adaptive Memory Network with Self-supervised Learning (AMSL) to address these challenges and enhance the generalization ability in unsupervised anomaly detection. Based on the convolutional autoencoder structure, AMSL incorporates a self-supervised learning module to learn general normal patterns and an adaptive memory fusion module to learn rich feature representations. Experiments on four public multivariate time series datasets demonstrate that AMSL significantly improves the performance compared to other state-of-the-art methods. Specifically, on the largest CAP sleep stage detection dataset with 900 million samples, AMSL outperforms the second-best baseline by \textbf{4}\%+ in both accuracy and F1 score. Apart from the enhanced generalization ability, AMSL is also more robust against input noise.

Zhi-Quan Qin,Xing-Kong Ma,Yong-Jun Wang

DOI: https://doi.org/10.1016/j.cose.2020.102070

2020-12-01

Abstract:<p>Detecting anomalous discrete sequences such as payloads and syscall traces is a crucial task of network security analysis for discovering novel attacks. The data characteristics that lack of labels, very long sequences and irregularly variable lengths make generating proper representations for the sequences for anomaly detection quite challenging. Traditional methods combining shallow models with feature engineering require lots of time and effort from researchers. And they only catch short patterns for the sequences. Recently deep learning is paid more and more attention due to its excellent performance on data representation. Current works simply adopt recurrent neural network based models to this task. They learn the local patterns of the sequences but can not view the sequences globally. Besides, the variable length makes the deep models that accept fixed-size inputs unavailable. Moreover, the deep models usually lack interpretability. Here an unsupervised deep learning framework utilizing attention mechanism called ADSAD is proposed to address these issues. ADSAD takes both the data characteristics and the limitation of the deep models into consideration and generate the global representations for the sequences by two steps, in which the attention mechanism is applied to improve the interpretability. The empirical results showed that the ADSAD instances significantly outperformed the state-of-the-art deep models, with the relative AUC improvement of up to 7%. The attention mechanism not only enhanced the detection performance by up to 73% in terms of AUC but was also able to assist experts for anomaly analysis by visualization.</p>

computer science, information systems

R. Mosayebi,H. Kia,A. Kianpour Raki

DOI: https://doi.org/10.48550/arXiv.2310.06779

2023-10-11

Abstract:The paper introduces Supervised Embedding and Clustering Anomaly Detection (SEMC-AD), a method designed to efficiently identify faulty alarm logs in a mobile network and alleviate the challenges of manual monitoring caused by the growing volume of alarm logs. SEMC-AD employs a supervised embedding approach based on deep neural networks, utilizing historical alarm logs and their labels to extract numerical representations for each log, effectively addressing the issue of imbalanced classification due to a small proportion of anomalies in the dataset without employing one-hot encoding. The robustness of the embedding is evaluated by plotting the two most significant principle components of the embedded alarm logs, revealing that anomalies form distinct clusters with similar embeddings. Multivariate normal Gaussian clustering is then applied to these components, identifying clusters with a high ratio of anomalies to normal alarms (above 90%) and labeling them as the anomaly group. To classify new alarm logs, we check if their embedded vectors' two most significant principle components fall within the anomaly-labeled clusters. If so, the log is classified as an anomaly. Performance evaluation demonstrates that SEMC-AD outperforms conventional random forest and gradient boosting methods without embedding. SEMC-AD achieves 99% anomaly detection, whereas random forest and XGBoost only detect 86% and 81% of anomalies, respectively. While supervised classification methods may excel in labeled datasets, the results demonstrate that SEMC-AD is more efficient in classifying anomalies in datasets with numerous categorical features, significantly enhancing anomaly detection, reducing operator burden, and improving network maintenance.

Machine Learning,Artificial Intelligence

Chuxu Zhang,Dongjin Song,Yuncong Chen,Xinyang Feng,Cristian Lumezanu,Wei Cheng,Jingchao Ni,Bo Zong,Haifeng Chen,Nitesh V. Chawla

DOI: https://doi.org/10.1609/aaai.v33i01.33011409

2019-07-17

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Nowadays, multivariate time series data are increasingly collected in various real world systems, e.g., power plants, wearable devices, etc. Anomaly detection and diagnosis in multivariate time series refer to identifying abnormal status in certain time steps and pinpointing the root causes. Building such a system, however, is challenging since it not only requires to capture the temporal dependency in each time series, but also need encode the inter-correlations between different pairs of time series. In addition, the system should be robust to noise and provide operators with different levels of anomaly scores based upon the severity of different incidents. Despite the fact that a number of unsupervised anomaly detection algorithms have been developed, few of them can jointly address these challenges. In this paper, we propose a Multi-Scale Convolutional Recurrent Encoder-Decoder (MSCRED), to perform anomaly detection and diagnosis in multivariate time series data. Specifically, MSCRED first constructs multi-scale (resolution) signature matrices to characterize multiple levels of the system statuses in different time steps. Subsequently, given the signature matrices, a convolutional encoder is employed to encode the inter-sensor (time series) correlations and an attention based Convolutional Long-Short Term Memory (ConvLSTM) network is developed to capture the temporal patterns. Finally, based upon the feature maps which encode the inter-sensor correlations and temporal information, a convolutional decoder is used to reconstruct the input signature matrices and the residual signature matrices are further utilized to detect and diagnose anomalies. Extensive empirical studies based on a synthetic dataset and a real power plant dataset demonstrate that MSCRED can outperform state-ofthe-art baseline methods.