Yingjie Zhou,Xucheng Song,Yanru Zhang,Fanxing Liu,Ce Zhu,Lingqiao Liu

DOI: https://doi.org/10.1109/tnnls.2021.3086137

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:Weakly supervised anomaly detection aims at learning an anomaly detector from a limited amount of labeled data and abundant unlabeled data. Recent works build deep neural networks for anomaly detection by discriminatively mapping the normal samples and abnormal samples to different regions in the feature space or fitting different distributions. However, due to the limited number of annotated anomaly samples, directly training networks with the discriminative loss may not be sufficient. To overcome this issue, this article proposes a novel strategy to transform the input data into a more meaningful representation that could be used for anomaly detection. Specifically, we leverage an autoencoder to encode the input data and utilize three factors, hidden representation, reconstruction residual vector, and reconstruction error, as the new representation for the input data. This representation amounts to encode a test sample with its projection on the training data manifold, its direction to its projection, and its distance to its projection. In addition to this encoding, we also propose a novel network architecture to seamlessly incorporate those three factors. From our extensive experiments, the benefits of the proposed strategy are clearly demonstrated by its superior performance over the competitive methods. Code is available at: https://github.com/yj-zhou/Feature_Encoding_with_AutoEncoders_for_Weakly-supervised_Anomaly_Detection .

Clinton Cao,Annibale Panichella,Sicco Verwer,Agathe Blaise,Filippo Rebecchi

2023-08-04

Abstract:NetFlow data is a popular network log format used by many network analysts and researchers. The advantages of using NetFlow over deep packet inspection are that it is easier to collect and process, and it is less privacy intrusive. Many works have used machine learning to detect network attacks using NetFlow data. The first step for these machine learning pipelines is to pre-process the data before it is given to the machine learning algorithm. Many approaches exist to pre-process NetFlow data; however, these simply apply existing methods to the data, not considering the specific properties of network data. We argue that for data originating from software systems, such as NetFlow or software logs, similarities in frequency and contexts of feature values are more important than similarities in the value itself. In this work, we propose an encoding algorithm that directly takes the frequency and the context of the feature values into account when the data is being processed. Different types of network behaviours can be clustered using this encoding, thus aiding the process of detecting anomalies within the network. We train several machine learning models for anomaly detection using the data that has been encoded with our encoding algorithm. We evaluate the effectiveness of our encoding on a new dataset that we created for network attacks on Kubernetes clusters and two well-known public NetFlow datasets. We empirically demonstrate that the machine learning models benefit from using our encoding for anomaly detection.

Machine Learning

Honghui Chen,Pingping Chen,Huan Mao,Mengxi Jiang

2024-05-15

Abstract:Anomaly detection and localization without any manual annotations and prior knowledge is a challenging task under the setting of unsupervised learning. The existing works achieve excellent performance in the anomaly detection, but with complex networks or cumbersome pipelines. To address this issue, this paper explores a simple but effective architecture in the anomaly detection. It consists of a well pre-trained encoder to extract hierarchical feature representations and a decoder to reconstruct these intermediate features from the encoder. In particular, it does not require any data augmentations and anomalous images for training. The anomalies can be detected when the decoder fails to reconstruct features well, and then errors of hierarchical feature reconstruction are aggregated into an anomaly map to achieve anomaly localization. The difference comparison between those features of encoder and decode lead to more accurate and robust localization results than the comparison in single feature or pixel-by-pixel comparison in the conventional works. Experiment results show that the proposed method outperforms the state-of-the-art methods on MNIST, Fashion-MNIST, CIFAR-10, and MVTec Anomaly Detection datasets on both anomaly detection and localization.

Computer Vision and Pattern Recognition

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Chuanlei Zhang,Jiangtao Liu,Wei Chen,Jinyuan Shi,Minda Yao,Xiaoning Yan,Nenghua Xu,Dufeng Chen

DOI: https://doi.org/10.1155/2021/7389943

IF: 1.968

2021-10-13

Security and Communication Networks

Abstract:The unsupervised anomaly detection task based on high-dimensional or multidimensional data occupies a very important position in the field of machine learning and industrial applications; especially in the aspect of network security, the anomaly detection of network data is particularly important. The key to anomaly detection is density estimation. Although the methods of dimension reduction and density estimation have made great progress in recent years, most dimension reduction methods are difficult to retain the key information of original data or multidimensional data. Recent studies have shown that the deep autoencoder (DAE) can solve this problem well. In order to improve the performance of unsupervised anomaly detection, we propose an anomaly detection scheme based on a deep autoencoder (DAE) and clustering methods. The deep autoencoder is trained to learn the compressed representation of the input data and then feed it to clustering approach. This scheme makes full use of the advantages of the deep autoencoder (DAE) to generate low-dimensional representation and reconstruction errors for the input high-dimensional or multidimensional data and uses them to reconstruct the input samples. The proposed scheme could eliminate redundant information contained in the data, improve performance of clustering methods in identifying abnormal samples, and reduce the amount of calculation. To verify the effectiveness of the proposed scheme, massive comparison experiments have been conducted with traditional dimension reduction algorithms and clustering methods. The results of experiments demonstrate that, in most cases, the proposed scheme outperforms the traditional dimension reduction algorithms with different clustering methods.

computer science, information systems,telecommunications

Van Quan Nguyen,Viet Hung Nguyen,Nhien-An Le-Khac,Van Loi Cao

DOI: https://doi.org/10.1007/978-3-030-63924-2_17

2020-01-01

Abstract:AbstractA novel hybrid approach between clustering methods and autoencoders (AEs) is introduced for detecting network anomalies in a semi-supervised manner. A previous work has developed regularized AEs, namely Shrink AE (SAE) and Dirac Delta Variational AE (DVAE) that learn to represent normal data into a very small region being close to the origin in their middle hidden layers (latent representation). This work based on the assumption that normal data points may share some common characteristics, so they can be forced to distribute in a small single cluster. In some scenarios, however, normal network data may contain data from very different network services, which may result in a number of clusters in the normal data. Our proposed hybrid model attempts to automatically discover these clusters in the normal data in the latent representation of AEs. At each iteration, an AE learns to map normal data into the latent representation while a clustering method tries to discover clusters in the latent normal data and force them being close together. The co-training strategy can help to reveal true clusters in normal data. When a querying data point coming, it is first mapped into the latent representation of the AE, and its distance to the closest cluster center can be used as an anomaly score. The higher anomaly score a data point has, the more likely it is anomaly. The method is evaluated with four scenarios in the CTU13 dataset, and experiments illustrate that the proposed hybrid model often out-performs SAE on three out of four scenarios.

Amardeep Singh,Julian Jang-Jaccard

DOI: https://doi.org/10.48550/arXiv.2204.03779

2022-04-07

Cryptography and Security

Abstract:The massive growth of network traffic data leads to a large volume of datasets. Labeling these datasets for identifying intrusion attacks is very laborious and error-prone. Furthermore, network traffic data have complex time-varying non-linear relationships. The existing state-of-the-art intrusion detection solutions use a combination of various supervised approaches along with fused features subsets based on correlations in traffic data. These solutions often require high computational cost, manual support in fine-tuning intrusion detection models, and labeling of data that limit real-time processing of network traffic. Unsupervised solutions do reduce computational complexities and manual support for labeling data but current unsupervised solutions do not consider spatio-temporal correlations in traffic data. To address this, we propose a unified Autoencoder based on combining multi-scale convolutional neural network and long short-term memory (MSCNN-LSTM-AE) for anomaly detection in network traffic. The model first employs Multiscale Convolutional Neural Network Autoencoder (MSCNN-AE) to analyze the spatial features of the dataset, and then latent space features learned from MSCNN-AE employs Long Short-Term Memory (LSTM) based Autoencoder Network to process the temporal features. Our model further employs two Isolation Forest algorithms as error correction mechanisms to detect false positives and false negatives to improve detection accuracy. %Additionally, covariance matrices forms a Riemannian manifold that is naturally embedded with distance metrices that facilitates descriminative patterns for detecting malicious network traffic. We evaluated our model NSL-KDD, UNSW-NB15, and CICDDoS2019 dataset and showed our proposed method significantly outperforms the conventional unsupervised methods and other existing studies on the dataset.

Anasuya Chattopadhyay,Daniel Reti,Hans D. Schotten

2024-05-22

Abstract:The early research report explores the possibility of using Graph Neural Networks (GNNs) for anomaly detection in internet traffic data enriched with information. While recent studies have made significant progress in using GNNs for anomaly detection in finance, multivariate time-series, and biochemistry domains, there is limited research in the context of network flow data. In this report, we explore the idea that leverages information-enriched features extracted from network flow packet data to improve the performance of GNN in anomaly detection. The idea is to utilize feature encoding (binary, numerical, and string) to capture the relationships between the network components, allowing the GNN to learn latent relationships and better identify anomalies.

Social and Information Networks,Cryptography and Security,Machine Learning

Hasan Torabi,Seyedeh Leili Mirtaheri,Sergio Greco

DOI: https://doi.org/10.1186/s42400-022-00134-9

2023-01-06

Abstract:Nowadays, cloud computing provides easy access to a set of variable and configurable computing resources based on user demand through the network. Cloud computing services are available through common internet protocols and network standards. In addition to the unique benefits of cloud computing, insecure communication and attacks on cloud networks cannot be ignored. There are several techniques for dealing with network attacks. To this end, network anomaly detection systems are widely used as an effective countermeasure against network anomalies. The anomaly-based approach generally learns normal traffic patterns in various ways and identifies patterns of anomalies. Network anomaly detection systems have gained much attention in intelligently monitoring network traffic using machine learning methods. This paper presents an efficient model based on autoencoders for anomaly detection in cloud computing networks. The autoencoder learns a basic representation of the normal data and its reconstruction with minimum error. Therefore, the reconstruction error is used as an anomaly or classification metric. In addition, to detecting anomaly data from normal data, the classification of anomaly types has also been investigated. We have proposed a new approach by examining an autoencoder's anomaly detection method based on data reconstruction error. Unlike the existing autoencoder-based anomaly detection techniques that consider the reconstruction error of all input features as a single value, we assume that the reconstruction error is a vector. This enables our model to use the reconstruction error of every input feature as an anomaly or classification metric. We further propose a multi-class classification structure to classify the anomalies. We use the CIDDS-001 dataset as a commonly accepted dataset in the literature. Our evaluations show that the performance of the proposed method has improved considerably compared to the existing ones in terms of accuracy, recall, false-positive rate, and F1-score metrics.

computer science, information systems, interdisciplinary applications, software engineering

Hao Zhang,Zude Xiao,Jason Gu,Yanhua Liu

DOI: https://doi.org/10.1007/s11227-023-05474-y

IF: 3.3

2023-06-15

The Journal of Supercomputing

Abstract:With the rapid development of network technology, the Internet has brought significant convenience to various sectors of society, holding a prominent position. Due to the unpredictable and severe consequences resulting from malicious attacks, the detection of anomalous network traffic has garnered considerable attention from researchers over the past few decades. Accurately labeling a sufficient amount of network traffic data as a training dataset within a short period of time is a challenging task, given the rapid and massive generation of network traffic data. Furthermore, the proportion of malicious attack traffic is relatively small compared to the overall traffic data, and the distribution of traffic data across different types of malicious attacks also varies significantly. To address the aforementioned challenges, this paper presents a novel network anomaly detection algorithm based on semi-supervised learning and adaptive multiclass balancing. Building upon the assumption of consistent distribution between labeled and unlabeled data, this paper introduces the multiclass split balancing strategy and the adaptive confidence threshold function. These innovative approaches aim to tackle the issue of the multiclass imbalanced in traffic data. By leveraging the mutually beneficial relationship between semi-supervised learning and ensemble learning, this paper presents the collaborative rotation forest algorithm. This algorithm is specifically designed to enhance performance of anomaly detection in an environment with label inadequacy. Several comparative experiments conducted on the NSL-KDD, UNSW-NB15, and ToN-IoT demonstrate that the proposed algorithm achieves significant improvements in performance. Specifically, it enhances precision by 1.5–5.7%, recall by 1.5−5.7%, and F-Measure by 1.4−4.3% compared to the state-of-the-art algorithms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Serenje Macdonald,Mkandawire Mtende

DOI: https://doi.org/10.26634/jcom.11.4.20650

2024-01-01

Abstract:The rapid growth of network infrastructures and the increasing volume of data transmitted through them have led to a critical need for efficient and accurate anomaly detection systems in network transport. This paper proposes a novel anomaly detection system that utilizes machine learning techniques to identify abnormal patterns and deviations in network traffic. The proposed system follows a multi-layered approach, starting with the collection of network traffic data from various sources, including routers, switches, and gateways. The data is then preprocessed to extract relevant features and eliminate noise. Feature extraction is carried out using statistical, time-series, and flow-based analysis to capture the inherent characteristics of network communication. Machine learning algorithms, such as neural networks, or in this case, auto-encoders, will be trained to learn the patterns of normal network behavior and subsequently detect deviations from these patterns as anomalies. The system provides alerts and notifications to network administrators, allowing prompt investigation and response to potential security threats or network performance issues. It effectively differentiates between benign and malicious network activities, enabling network administrators to take proactive measures to secure their infrastructure and ensure uninterrupted communication.

Hongjun Li,Yunlong Wang,Yating Wang,Junjie Chen

DOI: https://doi.org/10.1016/j.neunet.2024.106509

Abstract:An autoencoder for video anomaly detection task is a type of algorithm with the primary purpose of learning an "informative" representation of the normal data that can be used for identifying the abnormal data by learning to reconstruct a set of input observations. Based on the encoding-decoding structure, we explore a novel dual ForkNet architecture that can dissociate and process the spatio-temporal representation. It is well-known in the information theory community that most autoencoders coding processes are inevitably accompanied by a certain loss of information. In this dual ForkNet, we focus on mitigating the information loss problem and propose a novel architectural recalibration approach, which we term the "Informetrics Recalibration" (IR). It can adaptively recalibrate latent feature representation by explicitly modeling the similarity between the corresponding feature maps of encoder and decoder, and retain more useful semantic information to generate greater differentiation between normal and abnormal events. Additionally, because the structure of the autoencoder itself determines the difficulty to obtain deep semantic information, we introduce a Secondary Encoder (SE) in each ForkNet, so as to recalibrate target features responses of latent feature representation. Our model is easy to be trained and robust to be applied, because it basically consists of some ResNet blocks without using complicated modules. Extensive experiments on the five publicly available benchmarks show that our model outperforms the existing state-of-the-art architectures, demonstrating our framework's effectiveness.

Chaewon Park,Minhyeok Lee,Suhwan Cho,Donghyeong Kim,Sangyoun Lee

DOI: https://doi.org/10.48550/arXiv.2302.09794

2023-02-20

Abstract:Image reconstruction-based anomaly detection has recently been in the spotlight because of the difficulty of constructing anomaly datasets. These approaches work by learning to model normal features without seeing abnormal samples during training and then discriminating anomalies at test time based on the reconstructive errors. However, these models have limitations in reconstructing the abnormal samples due to their indiscriminate conveyance of features. Moreover, these approaches are not explicitly optimized for distinguishable anomalies. To address these problems, we propose a two-stream decoder network (TSDN), designed to learn both normal and abnormal features. Additionally, we propose a feature normality estimator (FNE) to eliminate abnormal features and prevent high-quality reconstruction of abnormal regions. Evaluation on a standard benchmark demonstrated performance better than state-of-the-art models.

Computer Vision and Pattern Recognition

Miao Ye,Qinghao Zhang,Xingsi Xue,Yong Wang,Qiuxiang Jiang,Hongbing Qiu

DOI: https://doi.org/10.1109/jsyst.2023.3347435

IF: 4.802

2024-03-19

IEEE Systems Journal

Abstract:To address the issue that existing wireless sensor network (WSN)-based anomaly detection methods only consider and analyze temporal features, in this article, a self-supervised learning-based anomalous node detection method based on an autoencoder is designed. This method integrates the extraction of temporal WSN data flow feature, spatial position feature, and intermodal WSN correlation feature into the autoencoder design to make full use of the spatial and temporal information of the WSN for anomaly detection. First, a fully connected network is used to extract the temporal features of nodes by considering a single mode from a local spatial perspective. Second, a graph neural network is used to introduce the WSN topology from a global spatial perspective for anomaly detection and to extract the spatial and temporal features of the data flows of nodes and their neighbors by considering a single mode. Then, an adaptive fusion method involving weighted summation is used to extract the relevant features between different modes. In addition, the gated recurrent unit network structure is introduced to solve the long-term dependence problem in the time dimension. Eventually, the reconstructed output of the decoder and the hidden layer representation of the autoencoder are fed into a fully connected network to calculate the anomaly probability for the current system. Since the spatial feature extraction operation is performed first, the designed method can be applied for anomaly detection in large-scale networks with the addition of a clustering operation. Experiments show that the designed method outperforms baseline methods, and the F1 score reaches 90.6%, at least 5.2% higher than those of existing anomaly detection methods based on unsupervised reconstruction and prediction.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Yufei Liang,Jiangning Zhang,Shiwei Zhao,Runze Wu,Yong Liu,Shuwen Pan

DOI: https://doi.org/10.1109/TIP.2023.3293772

2023-07-03

Abstract:Density-based and classification-based methods have ruled unsupervised anomaly detection in recent years, while reconstruction-based methods are rarely mentioned for the poor reconstruction ability and low performance. However, the latter requires no costly extra training samples for the unsupervised training that is more practical, so this paper focuses on improving this kind of method and proposes a novel Omni-frequency Channel-selection Reconstruction (OCR-GAN) network to handle anomaly detection task in a perspective of frequency. Concretely, we propose a Frequency Decoupling (FD) module to decouple the input image into different frequency components and model the reconstruction process as a combination of parallel omni-frequency image restorations, as we observe a significant difference in the frequency distribution of normal and abnormal images. Given the correlation among multiple frequencies, we further propose a Channel Selection (CS) module that performs frequency interaction among different encoders by adaptively selecting different channels. Abundant experiments demonstrate the effectiveness and superiority of our approach over different kinds of methods, e.g., achieving a new state-of-the-art 98.3 detection AUC on the MVTec AD dataset without extra training data that markedly surpasses the reconstruction-based baseline by +38.1 and the current SOTA method by +0.3. Source code is available at <a class="link-external link-https" href="https://github.com/zhangzjn/OCR-GAN" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Qian Dang,Ajun Cui,Wenbo Shang,Chunhui Du,Chenyu Wang,Xiaolin Gui

DOI: https://doi.org/10.1109/EEPS58791.2023.10257132

2023-01-01

Abstract:With the rapid development of computer and communication technology, the power Internet of Things has become an inevitable trend of intelligent and informatized power grid construction. However, the openness of the power Internet of Things makes it more vulnerable to cyber attacks and affects the normal operation of the power system. Therefore, in order to improve the stability of the power system, it is necessary to detect the abnormality of the traffic data generated by the network attack and give early warning of the attack in time. However, almost all existing network traffic anomaly detection methods are strongly dependent on labeled data, manually selected features, and balanced datasets. These methods are not only expensive, but also difficult to distinguish unknown abnormal types. This paper proposes a network traffic anomaly detection method based on autoencoder and attribute graph. This method is designed to learn generic abstract features by autoencoder and avoid the influence of manual features. Then the network traffic is abstracted into an attribute graph based on abstract features, and an anomaly detection model based on the attribute graph is designed to filter out anomalous traffic depending on topology and similarity. At last, the feasibility and effectiveness of the algorithm proposed is verified, on the two network traffic public datasets (NSL-KDD and CICIDS2017). Experimental result demonstrate that the model proposed in this paper has better detection performance compared with other state-of-the-art network traffic anomaly detection algorithms in unsupervised condition, which can be effectively used for imbalanced dataset.

Haijun Geng,Qi Ma,Haotian Chi,Zhi Zhang,Jing Yang,Xia Yin

DOI: https://doi.org/10.1016/j.comnet.2024.110937

IF: 5.493

2024-01-01

Computer Networks

Abstract:Internet of Things (IoT) devices are often used as springboards for network intrusion due to the open nature of IoT protocol stacks that enable automatic inter-connection and data sharing among devices, so it is critical to develop network anomaly detection algorithms that can be deployed at important nodes such as gateways and routers. However, existing detection algorithms based on signature rules and supervised machine learning heavily rely on known anomaly types, yielding low detection accuracy when deployed in realistic network environments with a significant number of unknown attacks. With this in mind, we propose DUdetector, an unsupervised anomaly detection algorithm by employing Transformer and Conv1d&MaxPool1d AutoEncoder with residual connection (abbr., CM&RC-AE) to realize a dual-granularity learning from the perspective of segments and points, respectively. Specifically, we perform coarse-grained segment-level anomaly detection based on an improved Transformer to detect whether there is any anomalous traffic within a time window. Then, we perform fine-grained point-level anomaly detection based on CM&RC-AE for each packet within the problematic segment output by the first step. Extensive experiments on three datasets (SSDP Flood, Mirai and IDS2017) demonstrate that our DUdetector achieves a better performance than existing work: an F1-score of 95.98% for Mirai, and over 99.2% for both SSDP Flood and IDS2017, with false positive rates less than 0.5% for all three datasets.

G. Victor Daniel,Kandasamy Chandrasekaran,Venkatesan Meenakshi,Prabhavathy Paneer

DOI: https://doi.org/10.3390/electronics12061501

IF: 2.9

2023-03-23

Electronics

Abstract:The task of identifying anomalous users on attributed social networks requires the detection of users whose profile attributes and network structure significantly differ from those of the majority of the reference profiles. GNN-based models are well-suited for addressing the challenge of integrating network structure and node attributes into the learning process because they can efficiently incorporate demographic data, activity patterns, and other relevant information. Aggregate operations, such as sum or mean pooling, are utilized by Graph Neural Networks (GNNs) to combine the representations of neighboring nodes within a graph. However, these aggregate operations can cause problems in detecting anomalous nodes. There are two main issues to consider when utilizing aggregate operations in GNNs. Firstly, the presence of anomalous neighboring nodes may affect the representation of normal nodes, leading to false positives. Secondly, anomalous nodes may be overlooked as their representation is flattened during the aggregate operation, leading to false negatives. The proposed approach, AnomEn, is a robust graph neural network developed for anomaly detection. It addresses the challenges of false positives and false negatives using a weighted aggregate mechanism. This mechanism is designed to differentiate between a node's own features and the features of its neighbors by placing greater emphasis on a node's own features and less emphasis on its neighbors' features. The system can preserve the node's original characteristics, whether the node is normal or anomalous. This work proposes not only a robust graph neural network, namely, AnomEn, but also specific anomaly detection structures for nodes and edges. The proposed AnomEn method serves as the encoder in the node and edge anomaly detection architectures and was tested on multiple datasets. Experiments were conducted to validate the effectiveness of the proposed method as a graph neural network encoder. The findings demonstrated the robustness of the proposed method in detecting anomalies. The proposed method outperforms other existing methods in node anomaly detection tasks by 5.63% and edge anomaly detection tasks by 7.87%.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yihao Guo,Xinning Zhu,Zheng Hu,Zhiqiang Zhan

DOI: https://doi.org/10.1145/3529836.3529924

2022-01-01

Abstract:In unsupervised anomaly detection tasks, a crucial challenge is modeling the underlying structure of normal data without knowing the definition or ratio of anomalies. The introduction of robustness against anomalous data in autoencoder architecture is a significant research focus in order to address this challenge. In this paper, we propose a model implemented by an autoencoder with two decoders, called Feature Decomposition AutoEncoder (FDAE). It maps all data into a high-dimensional latent feature space. Many studies have proved RSR technology and RPCA technology to improve the performance of anomaly detection models. FDAE employs RSR and RPCA techniques in the latent space to decompose latent features into normal features and abnormal features, then decodes them separately using two decoders. Furthermore, we design an optimization strategy to enable FDAE to prioritize modeling the underlying structure of normal data from unlabeled data to reduce the interference caused by unknown anomalous data. We demonstrate the high performance of FDAE in unsupervised anomaly detection tasks through experiments on five public datasets. In addition, we study the variation of FDAE’s anomaly detection capability under different noise scenarios on the MNIST dataset.

Heejeong Choi,Subin Kim,Pilsung Kang

DOI: https://doi.org/10.1007/s10489-023-04764-5

IF: 5.3

2023-08-10

Applied Intelligence

Abstract:As large-scale time-series data can easily be found in real-world applications, multivariate time-series anomaly detection has played an essential role in diverse industries. It enables productivity improvement and maintenance cost reduction by preventing malfunctions and detecting anomalies based on time-series data. However, multivariate time-series anomaly detection is challenging because real-world time-series data exhibit complex temporal dependencies. For this task, it is crucial to learn a rich representation that effectively contains the nonlinear temporal dynamics of normal behavior. In this study, we propose an unsupervised multivariate time-series anomaly detection model named RAE-MEPC which learns informative normal representations based on multi-resolution ensemble reconstruction and predictive coding. We introduce multi-resolution ensemble encoding to capture the multi-scale dependency from the input time series. The encoder hierarchically aggregates the multi-scale temporal features extracted from the sub-encoders with different encoding lengths. From these encoded features, the reconstruction decoder reconstructs the input time series based on multi-resolution ensemble decoding where lower-resolution information helps to decode sub-decoders with higher-resolution outputs. Predictive coding is further introduced to encourage the model to learn more temporal dependencies of the time series. Experiments on real-world benchmark datasets show that the proposed model outperforms the benchmark models for multivariate time-series anomaly detection.

computer science, artificial intelligence