Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

Successfully reported this slideshow.

Like this presentation? Why not share!

- Cloud intrusion detection and preve... by Ohud Saud 665 views
- Open Source Private Cloud Managemen... by XHANI TRUNGU 277 views
- Architecture Challenges In Cloud Co... by IndicThreads 6164 views
- Analysis and Design for Intrusion D... by Pritesh Ranjan 1303 views
- Intrusion Detection in the Cloud (S... by Amazon Web Services 8478 views
- Leverage points for wicked problems by Demos Helsinki 1775 views

2,246 views

Published on

Introduction to Anomaly Detection and Data mining

Published in:
Technology

No Downloads

Total views

2,246

On SlideShare

0

From Embeds

0

Number of Embeds

2

Shares

0

Downloads

0

Comments

1

Likes

4

No notes for slide

- 1. Anomaly Detection<br />
- 2. What are anomalies/outliers?<br /><ul><li>The set of data points that are considerably different than the remainder of the data</li></ul>Applications: <br /> Credit card fraud detection, <br />telecommunication fraud detection, <br />network intrusion detection, <br />fault detection<br />
- 3. Variants of Anomaly/Outlier Detection Problems<br />Given a database D, find all the data points x D with anomaly scores greater than some threshold t<br />Given a database D, find all the data points x D having the top-n largest anomaly scores f(x)<br />Given a database D, containing mostly normal (but unlabeled) data points, and a test point x, compute the anomaly score of x with respect to D<br />
- 4. Anomaly Detection<br />Challenges<br />How many outliers are there in the data?<br />Method is unsupervised<br /> Validation can be quite challenging (just like for clustering)<br />Finding needle in a haystack<br />Working assumption:<br />There are considerably more “normal” observations than “abnormal” observations (outliers/anomalies) in the data<br />
- 5. Anomaly Detection Schemes <br />General Steps:<br />Build a profile of the “normal” behavior<br />Profile can be patterns or summary statistics for the overall population<br />Use the “normal” profile to detect anomalies<br />Anomalies are observations whose characteristicsdiffer significantly from the normal profile<br />
- 6. Types of anomaly detection schemes<br /><ul><li>Statistical-based
- 7. Distance-based
- 8. Model-based</li></li></ul><li>Statistical Approaches<br />Assume a parametric model describing the distribution of the data (e.g., normal distribution) <br />Apply a statistical test that depends on <br />Data distribution<br />Parameter of distribution (e.g., mean, variance)<br />Number of expected outliers (confidence limit)<br />
- 9. Grubbs’ Test<br />Detect outliers in univariate data<br />Assume data comes from normal distribution<br />Detects one outlier at a time, remove the outlier, and repeat<br />H0: There is no outlier in data<br />HA: There is at least one outlier<br />Grubbs’ test statistic: <br />Reject H0 if:<br />
- 10. Statistical-based – Likelihood Approach<br />Assume the data set D contains samples from a mixture of two probability distributions: <br />M (majority distribution) <br />A (anomalous distribution)<br />General Approach:<br />Initially, assume all the data points belong to M<br />Let Lt(D) be the log likelihood of D at time t<br />
- 11. Contd…<br />For each point xtthat belongs to M, move it to A<br /> Let Lt+1 (D) be the new log likelihood.<br /> Compute the difference, = Lt(D) – Lt+1 (D)<br /> If > c (some threshold), then xt is declared as an anomaly and moved permanently from M to A<br />
- 12. Limitations of Statistical Approaches <br />Most of the tests are for a single attribute<br />In many cases, data distribution may not be known<br />For high dimensional data, it may be difficult to estimate the true distribution<br />
- 13. Distance-based Approaches<br />Data is represented as a vector of features<br />Three major approaches<br />Nearest-neighbor based<br />Density based<br />Clustering based<br />
- 14. Nearest-Neighbor Based Approach<br />Approach:<br />Compute the distance between every pair of data points<br />There are various ways to define outliers:<br />Data points for which there are fewer than p neighboring points within a distance D<br />The top n data points whose distance to the kth nearest neighbor is greatest<br />The top n data points whose average distance to the k nearest neighbors is greatest <br />
- 15. Density-based: LOF approach<br />For each point, compute the density of its local neighborhood<br />Compute local outlier factor (LOF) of a sample p as the average of the ratios of the density of sample p and the density of its nearest neighbors<br />Outliers are points with largest LOF value<br />
- 16. Clustering-Based<br />Basic idea:<br />Cluster the data into groups of different density<br />Choose points in small cluster as candidate outliers<br />Compute the distance between candidate points and non-candidate clusters. <br />If candidate points are far from all other non-candidate points, they are outliers<br />
- 17. Pros and Cons<br />Advantages: <br />No need to be supervised <br />Easily adaptable to on-line / incremental mode suitable for anomaly detection from temporal data <br />
- 18. Pros and Cons<br />Drawbacks <br />Computationally expensive <br />Using indexing structures (k-d tree, R* tree) may alleviate this problem <br />If normal points do not create any clusters the techniques may fail <br />In high dimensional spaces, datais sparse and distances between any two data records may become quite similar. <br />Clustering algorithms may not give any meaningful clusters <br />
- 19. conclusion<br />Anomaly detection in data mining is dealt in detail in this presentation<br />Types of anomaly detection and their merits and demerits are briefly discussed.<br />
- 20. Visit more self help tutorials<br />Pick a tutorial of your choice and browse through it at your own pace.<br />The tutorials section is free, self-guiding and will not involve any additional support.<br />Visit us at www.dataminingtools.net<br />

No public clipboards found for this slide

Login to see the comments