Shaoyu Dou,Kai Yang,Yang Jiao,Chengbo Qiu,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2207.08159

2022-07-17

Abstract:Time series analysis has achieved great success in diverse applications such as network security, environmental monitoring, and medical informatics. Learning similarities among different time series is a crucial problem since it serves as the foundation for downstream analysis such as clustering and anomaly detection. It often remains unclear what kind of distance metric is suitable for similarity learning due to the complex temporal dynamics of the time series generated from event-triggered sensing, which is common in diverse applications, including automated driving, interactive healthcare, and smart home automation. The overarching goal of this paper is to develop an unsupervised learning framework that is capable of learning task-aware similarities among unlabeled event-triggered time series. From the machine learning vantage point, the proposed framework harnesses the power of both hierarchical multi-scale sequence autoencoders and Gaussian Mixture Model (GMM) to effectively learn the low-dimensional representations from the time series. Finally, the obtained similarity measure can be easily visualized for explaining. The proposed framework aspires to offer a stepping stone that gives rise to a systematic approach to model and learn similarities among a multitude of event-triggered time series. Through extensive qualitative and quantitative experiments, it is revealed that the proposed method outperforms state-of-the-art methods considerably.

Machine Learning,Artificial Intelligence

Gaoang Wang,Xinyu Yuan,Aotian Zheng,Hung-Min Hsu,Jenq-Neng Hwang

2019-01-01

Computer Vision and Pattern Recognition

Abstract:Anomaly event detection on road traffic has been a challenging field mainly due to lack of training data and a wide variety of anomaly cases. In this paper, we propose a novel two-stage framework for anomaly event detection in road traffic based on anomaly candidate identification and starting time estimation of vehicles. First, we use Gaussian mixture models (GMMs) to generate the foreground mask and background image to identify the anomaly candidates. Foreground mask is used to produce the region of interest (ROI) to filter out the noise from the object detector, YOLOv3, in the background image. Then, we apply the TrackletNet Tracker (TNT) to extract the trajectory of anomaly candidate to estimate the anomaly starting time. Experimental results, with achieved S3 score performance of 93.62%, on the Track 3 testing set of CVPR AI City Challenge 2019 City Flow dataset, show the effectiveness of the proposed framework and its robustness in different real scenes.

Jin Fan,Yan Ge,Xinyi Zhang,ZheYu Wang,Huifeng Wu,Jia Wu

DOI: https://doi.org/10.1016/j.neunet.2024.106638

2024-08-21

Abstract:Identifying anomalies in multi-dimensional sequential data is crucial for ensuring optimal performance across various domains and in large-scale systems. Traditional contrastive methods utilize feature similarity between different features extracted from multidimensional raw inputs as an indicator of anomaly severity. However, the complex objective functions and meticulously designed modules of these methods often lead to efficiency issues and a lack of interpretability. Our study introduces a structural framework called SimDetector, which is a Local-Global Multi-Scale Similarity Contrast network. Specifically, the restructured and enhanced GRU module extracts more generalized local features, including long-term cyclical trends. The multi-scale sparse attention module efficiently extracts multi-scale global features with pattern information. Additionally, we modified the KL divergence to suit the characteristics of time series anomaly detection, proposing a symmetric absolute KL divergence that focuses more on overall distribution differences. The proposed method achieves results that surpass or approach the State-of-the-Art (SOTA) on multiple real-world datasets and synthetic datasets, while also significantly reducing Multiply-Accumulate Operations (MACs) and memory usage.

Kai Yang,Shaoyu Dou,Pan Luo,Xin Wang,H. Vincent Poor

DOI: https://doi.org/10.1109/tnse.2022.3170364

IF: 6.6

2022-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Many real-world multivariate time series are collected from a network of physical objects embedded with software, electronics, and sensors. The quasi-periodic signals generated by these objects often follow a similar repetitive and periodic pattern, but have variations in the period, and come in different lengths caused by timing (synchronization) errors. Given a multitude of such quasi-periodic time series, can we build machine learning models to identify those time series that behave differently from the majority of the observations? In addition, can the models help human experts to understand how the decision was made? We propose a sequence to Gaussian Mixture Model (seq2GMM) framework. The overarching goal of this framework is to identify unusual and interesting time series within a network time series database. We further develop a surrogate-based optimization algorithm that can efficiently train the seq2GMM model. Seq2GMM exhibits strong empirical performance on a plurality of public benchmark datasets, outperforming state-of-the-art anomaly detection techniques by a significant margin. We also theoretically analyze the convergence property of the proposed training algorithm and provide numerical results to substantiate our theoretical claims.

Ahmed Abdulaal,Zhuanghua Liu,Tomer Lancewicki

DOI: https://doi.org/10.1145/3447548.3467174

2021-08-14

Abstract:Engineers at eBay utilize robust methods in monitoring IT system signals for anomalies. However, the growing scale of signals, both in volumes and dimensions, overpowers traditional statistical state-space or supervised learning tools. Thus, state-of-the-art methods based on unsupervised deep learning are sought in recent research. However, we experienced flaws when implementing those methods, such as requiring partial supervision and weaknesses to high dimensional datasets, among other reasons discussed in this paper. We propose a practical approach for inferring anomalies from large multivariate sets. We observe an abundance of time series in real-world applications, which exhibit asynchronous and consistent repetitive variations, such as IT, weather, utility, and transportation. Our solution is designed to leverage this behavior. The solution utilizes spectral analysis on the latent representation of a pre-trained autoencoder to extract dominant frequencies across the signals, which are then used in a subsequent network that learns the phase shifts across the signals and produces a synchronized representation of the raw multivariate. Random subsets of the synchronous multivariate are then fed into an array of autoencoders learning to minimize the quantile reconstruction losses, which are then used to infer and localize anomalies based on a majority vote. We benchmark this method against state-of-the-art approaches on public datasets and eBay's data using their referenced evaluation methods. Furthermore, we address the limitations of the referenced evaluation methods and propose a more realistic evaluation method.

Yitu Wang,Runqi Dong,Takayuki Nakachi,Wei Wang

DOI: https://doi.org/10.1109/wcnc55385.2023.10118849

2023-01-01

Abstract:Network traffic monitoring plays a crucial role in maintaining the security and reliability of the communication networks. Although Machine Learning (ML) assisted abnormal traffic detection has been emerged as a promising paradigm, the existing data-driven learning-based approaches are faced with challenges on inefficient traffic feature extraction and high computational complexity, especially when taking the evolving property of traffic process into consideration. To this end, we establish an online learning framework for abnormality traffic detection by embracing Gaussian Process (GP) and Sparse Representation (SR). The contributions of this paper are two-fold: 1). We utilize a special kernel, i.e., mixture of Gaussian, to better explore and exploit the evolving traffic characteristics, so as to more accurately model network traffic. 2). To combat noise and modeling error, we formulate a feature vector based on Kullback-Leibler (KL) divergence to measure the difference between normal and abnormal traffic, based on which SR is adopted to perform robust binary classification. Finally, we demonstrate the superiority of the proposed framework in terms of detection accuracy through simulation.

Wenqi Chen,Zhiliang Wang,Liyuan Chang,Kai Wang,Ying Zhong,Dongqi Han,Chenxin Duan,Xia Yin,Jiahai Yang,Xingang Shi

DOI: https://doi.org/10.1016/j.comnet.2024.110423

IF: 5.493

2024-01-01

Computer Networks

Abstract:The last decade has seen increasing application of machine learning to various tasks, including network anomaly detection. But anomaly detection methods using a single machine learning algorithm often fail to perform well, since network traffic can have complex and changeable patterns. Therefore, many solutions based on ensemble learning have been proposed to address this problem. However, previous studies have a essential drawback that they overlook the similarity between the weak classifiers, which may degrade the detection ability of the model. What's more, prior work use offline and supervised algorithms, which means a large amount of memory and reliable labels are necessary during the training period. In this paper, we propose ADSIM, an online, unsupervised, and similarity-aware network anomaly detection algorithm based on ensemble learning. In the training phase, ADSIM incrementally maintains a distance matrix to record the similarity between the classifiers and uses hierarchy clustering to group similar classifiers. In the detecting phase, each cluster will be assigned a weight based on the consistency of the classifier outputs within it. We evaluate ADSIM on two datasets, MAWILab and CIC-IDS-2017, and the results show that ADSIM can accurately detect various anomalies and outperforms state-of-the-art ensemble learning methods.

Astha Garg,Wenyu Zhang,Jules Samaran,Savitha Ramasamy,Chuan-Sheng Foo

DOI: https://doi.org/10.48550/arXiv.2109.11428

IF: 5.414

2021-09-23

Machine Learning

Abstract:Several techniques for multivariate time series anomaly detection have been proposed recently, but a systematic comparison on a common set of datasets and metrics is lacking. This paper presents a systematic and comprehensive evaluation of unsupervised and semi-supervised deep-learning based methods for anomaly detection and diagnosis on multivariate time series data from cyberphysical systems. Unlike previous works, we vary the model and post-processing of model errors, i.e. the scoring functions independently of each other, through a grid of 10 models and 4 scoring functions, comparing these variants to state of the art methods. In time-series anomaly detection, detecting anomalous events is more important than detecting individual anomalous time-points. Through experiments, we find that the existing evaluation metrics either do not take events into account, or cannot distinguish between a good detector and trivial detectors, such as a random or an all-positive detector. We propose a new metric to overcome these drawbacks, namely, the composite F-score ($Fc_1$), for evaluating time-series anomaly detection. Our study highlights that dynamic scoring functions work much better than static ones for multivariate time series anomaly detection, and the choice of scoring functions often matters more than the choice of the underlying model. We also find that a simple, channel-wise model - the Univariate Fully-Connected Auto-Encoder, with the dynamic Gaussian scoring function emerges as a winning candidate for both anomaly detection and diagnosis, beating state of the art algorithms.

Xinfeng Zhang,Su Yang,Xinjian Zhang,Weishan Zhang,Jiulong Zhang

DOI: https://doi.org/10.48550/arXiv.1805.10620

2018-05-27

Abstract:In crowded scenes, detection and localization of abnormal behaviors is challenging in that high-density people make object segmentation and tracking extremely difficult. We associate the optical flows of multiple frames to capture short-term trajectories and introduce the histogram-based shape descriptor referred to as shape contexts to describe such short-term trajectories. Furthermore, we propose a K-NN similarity-based statistical model to detect anomalies over time and space, which is an unsupervised one-class learning algorithm requiring no clustering nor any prior assumption. Firstly, we retrieve the K-NN samples from the training set in regard to the testing sample, and then use the similarities between every pair of the K-NN samples to construct a Gaussian model. Finally, the probabilities of the similarities from the testing sample to the K-NN samples under the Gaussian model are calculated in the form of a joint probability. Abnormal events can be detected by judging whether the joint probability is below predefined thresholds in terms of time and space, separately. Such a scheme can adapt to the whole scene, since the probability computed as such is not affected by motion distortions arising from perspective distortion. We conduct experiments on real-world surveillance videos, and the results demonstrate that the proposed method can reliably detect and locate the abnormal events in the video sequences, outperforming the state-of-the-art approaches.

Computer Vision and Pattern Recognition

Xinggan Peng,Yuxuan Lin,Qi Cao,Yigang Cen,Huiping Zhuang,Zhiping Lin

DOI: https://doi.org/10.1109/itsc55140.2022.9922142

2022-01-01

Abstract:Multivariate time series traffic dataset is usually large with multiple feature dimensions for long time duration under certain time intervals or sampling rates. In applications such as intelligent transportation systems, some machine learning methods being applied to traffic anomaly detections are computed under certain assumptions and require further improvements. Transport traffic time series data may also suffer from unbalanced number of training data where large amount of labelled training data available for a few popular classes, but with very small amount of labelled data for corner cases. In this paper, based on the recent long sequences prediction method Informer, an anomaly detection algorithm with an anomaly score generator is proposed that does not require any assumptions of data. The encoder-decoder architecture is adopted in the anomaly score generator. The encoder consists of three stacking ProbSparse self-attention mechanisms that significantly reduce computing complexity. The decoder incorporates two multi-head attention layers and a fully connected layer to obtain an output of anomaly scores. Then a One-Class Support Vector Machines (OCSVM) is applied to be the anomaly classifier. The proposed algorithm is capable of detecting anomalies for both vehicle traffic flows and pedestrian flows. It has been verified by applying to a real-world dataset consisting of traffic flows recorded in 2021, as well as to a public anomaly detection dataset.

Guolou Ping,Shuo Feng,Yehao Li,Xiaojun Ye

DOI: https://doi.org/10.1109/iccc56324.2022.10065635

2022-01-01

Abstract:To address the challenge of lacking labeling information in network traffic anomaly detection, we propose an unsupervised anomaly detection algorithm based on cascading representation and multiple-clustering. First, this paper designs a cascading representation method to obtain discriminative traffic features. We create a residual auto-encoder that employs generative learning to capture generic statistical expressions. We augment the time-series features in various ways and leverage contrastive learning to capture discriminative representations. We develop a host identification task based on triplet loss, enhancing feature discrimination in addition to cascading two feature representations. Second, we design a multiple-clustering-based algorithm for anomalous traffic detection. By performing KMeans on the cascading feature representations, we obtained clustering centers to replace each cluster and avoid the problem of unbalanced abnormal traffic. By applying DBSACAN clustering with a tree structure to these clustering centers and using the height of the anomalies to calculate the traffic anomaly score, we can detect abnormal network traffic flexibly. Finally, we conducted experimental validation on several commonly used intrusion detection datasets. The experimental results show that the method proposed in this paper generally outperforms the comparison methods.

Su Yang,Wenbin Zhou

DOI: https://doi.org/10.1109/PASSAT/SocialCom.2011.10

2011-01-01

Abstract:Some special natural and social events like natural disasters, terrorism attacks, and traffic accidents may have remarkable effect on people's collective behaviors, which means the behaviors of a large number of people viewed as a whole. Analysis of the patterns of collective behaviors in the sense of data mining is an important topic. Solving this problem is crucial and practical in that online detection of abnormal patterns of people's collective behaviors may lead to rapid response to emergent affairs. In terms of technology, the task can be regarded as detection of abnormal particle movement patterns from a global point of view. In this study, we propose a solution to solve this problem. First, the traffic flows observed by more than 4000 sensors are organized as high-dimensional time series. Second, a widely used manifold learning technique referred to as locally linear embedding (LLE) is used to compute the K coefficients in fitting every data point with its K nearest neighbors in the high-dimensional space, which can be regarded as a K-dimensional local feature associated with every data point. Then, the local features of the data points within a time window are summarized by using principal component analysis (PCA) to obtain a global feature to represent the traffic data in every time window. Finally, outlier detection is performed on such PCALLE feature space. The experimental results show that the proposed method can effectively detect abnormal traffic patterns, which correspond with some special days, like the New Year day, the national day of America, and some days with extreme weather. © 2011 IEEE.

Tianyang Lei,Chang Gong,Gang Chen,Mengxin Ou,Kewei Yang,Jichao Li

DOI: https://doi.org/10.1016/j.knosys.2023.111002

IF: 8.139

2023-09-22

Knowledge-Based Systems

Abstract:Time series is a common type of data that widely exists in various real-world scenarios, such as traffic flow data, network KPI, financial data, which can be regarded as time series. Anomaly detection in time series is an interesting research topic with a wide range of real-world applications, such as network intrusion detection, traffic situation monitoring and sensor error detection. In the real-world scenario, the frequency of anomalies is very low and little anomalous sample is available for analysis. Therefore, unsupervised methods are usually used for anomaly detection. In this paper, based on spectrum analysis and time series decomposition, an unsupervised deep framework for anomaly detection in time series data is designed. First, we decompose the original time series into trend series, seasonal series and residual series based on spectrum analysis. Then, prediction models based on long short-term memory (LSTM) networks and convolutional neural networks (CNNs) are designed to predict the trend series and seasonal series, respectively, and the residual series is reconstructed based on a Gaussian distribution. Next, the time series data are reconstructed by superimposing the predicted trend series and seasonal series and reconstructed residual series. Finally, we compare the original time series with the reconstructed time series and detect anomalies according to a certain threshold. The method proposed in this paper integrates prediction-based and reconstruction-based methods, and the experimental results on four datasets demonstrate the excellent performance of our method.

computer science, artificial intelligence

Feng Xue,Weizhong Yan

DOI: https://doi.org/10.48550/arXiv.2207.00705

2022-07-02

Abstract:Given the scarcity of anomalies in real-world applications, the majority of literature has been focusing on modeling normality. The learned representations enable anomaly detection as the normality model is trained to capture certain key underlying data regularities under normal circumstances. In practical settings, particularly industrial time series anomaly detection, we often encounter situations where a large amount of normal operation data is available along with a small number of anomaly events collected over time. This practical situation calls for methodologies to leverage these small number of anomaly events to create a better anomaly detector. In this paper, we introduce two methodologies to address the needs of this practical situation and compared them with recently developed state of the art techniques. Our proposed methods anchor on representative learning of normal operation with autoregressive (AR) model along with loss components to encourage representations that separate normal versus few positive examples. We applied the proposed methods to two industrial anomaly detection datasets and demonstrated effective performance in comparison with approaches from literature. Our study also points out additional challenges with adopting such methods in practical applications.

Machine Learning,Artificial Intelligence,Neural and Evolutionary Computing

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Weiwei Lin,Songbo Wang,Wentai Wu,Dongdong Li,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tetci.2023.3290027

2023-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:Anomaly detection, in recent years, has gained increasing attention in the research and practice of time series processing. However, the task is particularly challenging with multivariate time series which complicates the temporal dependency between observations and introduces complex inter-channel correlation. Meanwhile, in order to fit a broader range of applications, robustness during both training and detection is also a critical aspect. In this paper, we propose an unsupervised, hybrid model-driven anomaly detection scheme capable of (1) transforming sequences into a fused representation of temporal dependency embeddings and inter-channel correlation embeddings, and (2) achieving robust anomaly detection using a temporal prediction network for sample-wise posterior estimation combined with a data reconstruction network to assess the source of prediction. On this basis, we develop a probability density-based anomaly scoring mechanism for online detection in multivariate time series, where the anomaly score for each observation is rectified by the reliability of the prediction source. The results of extensive experiments on five publicly available datasets show that our proposed solution outperforms various state-of-the-art anomaly detection algorithms (including DL-based and non-DL-based), achieving a performance improvement (in F1-Score) by up to 10.42%.

Shuai Zhang,Chuan Zhou,Peng Zhang,Yang Liu,Zhao Li,Hongyang Chen

DOI: https://doi.org/10.1109/icdm58522.2023.00090

2023-01-01

Abstract:Anomaly detection in multi-type event sequences is a crucial and challenging problem with important applications in various domains, including cybersecurity, finance and healthcare. Temporal point process has emerged as a powerful technique for modeling event sequences and has gained considerable attention in the field of anomaly detection. However, existing temporal point process approaches are either inapplicable to multi-type event sequence data or incur the loss of valuable information in subsequences associated with specific event types. To this end, we propose a novel Multiple Hypothesis Testing based Anomaly Detection method (MultiAD) to detect anomalous multi-type event sequences. The basic idea of MultiAD is to capture the underlying distribution of normal sequences using a neural multivariate point process, based on which the original hypothesis testing problem can be converted into a multiple hypothesis testing using the multivariate time rescaling theorem. By conducting multiple hypothesis tests on the time-rescaled subsequences, MultiAD makes full use of the valuable information contained within individual subsequences. Moreover, we claim that the existing test statistic ignores the sequential information of inter-event time intervals and propose new statistics to address this shortcoming. Finally, we employ the kernel method to obtain a smooth estimator of the distribution of the proposed statistics under the null hypothesis. This ensures a more accurate and reliable computation of the p-value, providing robust statistical inference. Extensive experimental results demonstrate that MultiAD significantly outperforms the state-of-the-art methods on both synthetic and real-world data.

Lecheng Zheng,John R. Birge,Yifang Zhang,Jingrui He

2024-09-15

Abstract:Anomaly detection on graphs plays an important role in many real-world applications. Usually, these data are composed of multiple types (e.g., user information and transaction records for financial data), thus exhibiting view heterogeneity. Therefore, it can be challenging to leverage such multi-view information and learn the graph's contextual information to identify rare anomalies. To tackle this problem, many deep learning-based methods utilize contrastive learning loss as a regularization term to learn good representations. However, many existing contrastive-based methods show that traditional contrastive learning losses fail to consider the semantic information (e.g., class membership information). In addition, we theoretically show that clustering-based contrastive learning also easily leads to a sub-optimal solution. To address these issues, in this paper, we proposed an autoencoder-based clustering framework regularized by a similarity-guided contrastive loss to detect anomalous nodes. Specifically, we build a similarity map to help the model learn robust representations without imposing a hard margin constraint between the positive and negative pairs. Theoretically, we show that the proposed similarity-guided loss is a variant of contrastive learning loss, and how it alleviates the issue of unreliable pseudo-labels with the connection to graph spectral clustering. Experimental results on several datasets demonstrate the effectiveness and efficiency of our proposed framework.

Machine Learning

Boxiang Dong,Zhengzhang Chen,Lu-An Tang,Haifeng Chen,Hui Wang,Kai Zhang,Ying Lin,Zhichun Li

DOI: https://doi.org/10.1109/mis.2020.3041174

IF: 6.744

2021-05-01

IEEE Intelligent Systems

Abstract:Anomaly detection has been widely applied in modern data-driven security applications to detect abnormal events/entities that deviate from the majority. However, less work has been done in terms of detecting suspicious event sequences/paths, which are better discriminators than single events/entities for distinguishing normal and abnormal behaviors in complex systems such as cyber-physical systems. A key and challenging step in this endeavor is how to discover those abnormal event sequences from millions of system event records in an efficient and accurate way. To address this issue, we propose NINA, a network diffusion based algorithm for identifying anomalous event sequences. Experimental results on both static and streaming data show that NINA is efficient (processes about 2 million records per minute) and accurate.

computer science, artificial intelligence,engineering, electrical & electronic

Ruochen Jiao,Juyang Bai,Xiangguo Liu,Takami Sato,Xiaowei Yuan,Qi Alfred Chen,Qi Zhu

2023-03-09

Abstract:Predicting the future trajectories of surrounding vehicles based on their history trajectories is a critical task in autonomous driving. However, when small crafted perturbations are introduced to those history trajectories, the resulting anomalous (or adversarial) trajectories can significantly mislead the future trajectory prediction module of the ego vehicle, which may result in unsafe planning and even fatal accidents. Therefore, it is of great importance to detect such anomalous trajectories of the surrounding vehicles for system safety, but few works have addressed this issue. In this work, we propose two novel methods for learning effective and efficient representations for online anomaly detection of vehicle trajectories. Different from general time-series anomaly detection, anomalous vehicle trajectory detection deals with much richer contexts on the road and fewer observable patterns on the anomalous trajectories themselves. To address these challenges, our methods exploit contrastive learning techniques and trajectory semantics to capture the patterns underlying the driving scenarios for effective anomaly detection under supervised and unsupervised settings, respectively. We conduct extensive experiments to demonstrate that our supervised method based on contrastive learning and unsupervised method based on reconstruction with semantic latent space can significantly improve the performance of anomalous trajectory detection in their corresponding settings over various baseline methods. We also demonstrate our methods' generalization ability to detect unseen patterns of anomalies.

Machine Learning