Abstract: The detection of anomalies in high-dimensional time-series has always played a crucial role in the domain of system security. Recently, with rapid advancements in transformer model and graph neural network (GNN) technologies, spatiotemporal modeling approaches for anomaly detection tasks have been greatly improved. However, most methods focus on optimizing upstream time-series prediction tasks by leveraging joint spatiotemporal features. Through experiments, we found that this modeling approach not only risks the loss of some original anomaly information during data preprocessing, but also focuses on optimizing the performance of the upstream prediction task and does not directly enhance the performance of the downstream detection task. We propose a spatiotemporal anomaly detection model that incorporates an improved attention mechanism in the process of temporal modeling. We adopt a heterogeneous graph contrastive learning approach in spatio modeling to compensate for the representation of anomalous behavioral information, thereby guiding the model through thorough training. Through validation on two widely used real-world datasets, we demonstrate that our model outperforms baseline methods. We also explore the impact of multivariate time-series prediction tasks on the detection task, and visualize the reasons behind the benefits gained by our model.
What problem does this paper attempt to address?
The paper addresses the challenge of detecting anomalies in high-dimensional time-series data. Specifically, most existing methods may lose some of the original anomaly information when optimizing the upstream time-series prediction task, and they mainly focus on improving the performance of that upstream prediction task rather than directly enhancing the performance of the downstream detection task. In addition, production systems are usually reliable, so data from abnormal moments are scarce and hidden under a large amount of normal data, which makes it difficult to train a model under unsupervised conditions. To address these problems, the paper proposes a spatiotemporal model for enhancing abnormal information expression (Enhanced Abnormal Information Expression Spatiotemporal Model, EAIE-AD). It aims to compensate for the representation of abnormal behavior information through an improved attention mechanism in temporal modeling and a heterogeneous graph contrastive learning method in spatial modeling, thereby guiding the model toward more comprehensive training.
### Main contributions
1. **End-to-end spatiotemporal anomaly detection model**: The model simultaneously and deeply models the temporal dependence and spatial correlation of features, and guides complete training under unsupervised conditions by enhancing abnormal information expression.
2. **Effective modeling in the time dimension**: By changing the object on which the attention mechanism operates, it compensates for the modeling of the non-stationary information inherent in the original data and reduces the loss of abnormal information.
3. **Modeling in the spatial dimension**: Using graph neural networks and contrastive learning techniques, it models the physical characteristics of feature behaviors and extracts the expression of abnormal behavior information hidden in the spatial topology.
4. **Experimental verification**: It achieves state-of-the-art anomaly detection results on multiple datasets, with F1-scores reaching 0.82 and 0.59 respectively (on the SWaT and WADI datasets). In addition, ablation experiments and data visualizations have been carried out to enhance the interpretability of the model.
### Method overview
- **Problem definition**: Assume multivariate time-series data \(S=\{S_1,...,S_{T_{\text{train}}}\}\) obtained from \(d\) features at \(T_{\text{train}}\) time stamps, where \(S_i\in\mathbb{R}^d\). The model is trained under unsupervised conditions: the training and validation datasets contain only normal data, while the test dataset contains both normal and abnormal data.
- **Modeling of temporal dependence**: The original input data \(S\) is sliced with a sliding window, each time window \(X\) is normalized, and feature values are then calculated through an improved self-attention mechanism. Finally, the feature values \(Y_t\) at each time point \(t\) are predicted through a feed-forward neural network (FNN).
- **Modeling of spatial dependence**: Graph-structure learning constructs an association graph between sensor features, and a graph contrastive learning method is then used to find beneficial spatial constraints that enhance the representation of abnormal information.
- **Anomaly detection**: The difference between the predicted value and the observed value is calculated and robustly normalized, and the anomaly scores of all sensors are then aggregated to obtain the anomaly score of the time stamp. If the score exceeds the preset threshold, the time stamp is judged to be an anomaly.
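The anomaly detection step above can be sketched as follows. This is an added example, not code from the paper: the summary does not say which robust statistics, aggregation or threshold the authors use, so median/IQR normalization, max-over-sensors aggregation, and a threshold equal to the highest validation score are assumptions, and all data are constructed.

```python
import statistics

def robust_params(pred, obs):
    """Per-sensor (median, IQR) of |pred - obs| over normal-only data."""
    params = []
    for s in range(len(pred[0])):
        errs = [abs(p[s] - o[s]) for p, o in zip(pred, obs)]
        q1, _, q3 = statistics.quantiles(errs, n=4)
        params.append((statistics.median(errs), max(q3 - q1, 1e-6)))
    return params

def timestamp_scores(pred, obs, params):
    """Score per timestamp: max over sensors of (|error| - median) / IQR."""
    return [
        max((abs(p - o) - med) / iqr
            for p, o, (med, iqr) in zip(p_row, o_row, params))
        for p_row, o_row in zip(pred, obs)
    ]

def detect(val_pred, val_obs, test_pred, test_obs):
    """Return (test scores, threshold, per-timestamp anomaly flags)."""
    params = robust_params(val_pred, val_obs)
    # Assumed threshold: highest score seen on normal validation data.
    threshold = max(timestamp_scores(val_pred, val_obs, params))
    scores = timestamp_scores(test_pred, test_obs, params)
    return scores, threshold, [s > threshold for s in scores]

# Constructed data: two sensors, sensor 1 has 4x the normal error of sensor 0.
VAL_ERR = [0.25, 0.5, 0.25, 0.75, 0.5, 0.25, 0.5, 0.75]
VAL_PRED = [[10.0, 100.0] for _ in VAL_ERR]
VAL_OBS = [[10.0 + e, 100.0 + 4 * e] for e in VAL_ERR]
# At t=3 sensor 0 deviates by 2.0, which is below sensor 1's normal
# error of up to 3.0 and so is invisible without per-sensor normalization.
TEST_PRED = [[10.0, 100.0] for _ in range(5)]
TEST_OBS = [[10.25, 101.0], [10.5, 102.0], [10.5, 102.0],
            [12.0, 102.0], [10.25, 101.0]]

if __name__ == "__main__":
    scores, threshold, flags = detect(VAL_PRED, VAL_OBS, TEST_PRED, TEST_OBS)
    for t, (s, f) in enumerate(zip(scores, flags)):
        print(f"t={t} score={s:+.3f} threshold={threshold:.3f} anomaly={f}")
```

Normalizing each sensor by its own median and IQR keeps a noisy sensor from dominating the aggregated score, which is why the small deviation on the quiet sensor is the only timestamp flagged.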
### Experimental results
- **Dataset**: Two widely used real-world datasets, SWaT and WADI, are used.
- **Baseline methods**: These include a variety of strong multivariate time-series anomaly detection methods and the Transformer model, which has recently performed well in multivariate time-series prediction.
- **Performance evaluation**: On multiple datasets, the F1-score of this model is significantly better than that of the baseline methods, which demonstrates its effectiveness in the anomaly detection task.
With these methods, the paper proposes a new approach to efficient anomaly detection in multivariate time-series data that performs particularly well under unsupervised conditions.