Download to read offline
![Anomaly Detection
What is it?
[1]: Liu, Fei Tony, Kai Ming Ting, and Zhi-Hua Zhou. "Isolation forest." 2008 eighth ieee international conference on data mining. IEEE, 2008.
[2]: Eswaran, Dhivya, et al. "Spotlight: Detecting anomalies in streaming graphs." Proceedings of the 24th ACM SIGKDD International
Conference on Knowledge Discovery & Data Mining. 2018.](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-2-320.jpg)
![kNN(K-Nearest Neighbor)
[1]: Ramaswamy, S., Rastogi, R. and Shim, K., 2000, May. Efficient algorithms for mining outliers from large data sets. ACM Sigmod
Record, 29(2), pp. 427-438.
𝐷𝑖𝑠 𝑥, 𝑦 =
𝑖=1
𝑁
𝑥𝑖 − 𝑦𝑖
𝑝
1
𝑝
Choose Top K-th Dstance
Simple but expensive!](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-5-320.jpg)
![LOF(Local Outlier Factor)
[1]: Breunig, M.M., Kriegel, H.P., Ng, R.T. and Sander, J., 2000, May. LOF: identifying density-based local outliers. ACM Sigmod Record,
29(2), pp. 93-104.
K-distance of an object p
5-distance](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-6-320.jpg)
![LOF(Local Outlier Factor)
[1]: Breunig, M.M., Kriegel, H.P., Ng, R.T. and Sander, J., 2000, May. LOF: identifying density-based local outliers. ACM Sigmod Record,
29(2), pp. 93-104.
K-distance neighborhood of an object p
𝑁𝑘 𝑂 = 𝑃′
∈ 𝐷{𝑂 | 𝑑 𝑂, 𝑃′
≤ 𝑑𝑘(𝑂)}
𝑁5 𝑂 = {𝑃1, 𝑃2, 𝑃3, 𝑃4, 𝑃5, 𝑃6}
5-distance
𝑃6
𝑃5
Reachability distance of an object P w.r.t. object O
𝜌𝑘 𝑃 =
|𝑁𝑘(𝑃)|
σ𝑂∈𝑁𝑘(𝑃) 𝑑_𝑘(𝑃, 𝑂)
𝐿𝑂𝐹𝑘 𝑃 =
σ𝑂∈𝑁𝑘(𝑃)
𝜌𝑘 𝑂
𝜌𝑘 𝑃
|𝑁𝑘(𝑃)|](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-7-320.jpg)
![PCA(Principal Component Analysis)
[1]: Shyu, Mei-Ling, et al. A novel anomaly detection scheme based on principal component classifier. MIAMI UNIV CORAL GABLES
FL DEPT OF ELECTRICALAND COMPUTER ENGINEERING, 2003.
Input: 𝑋 ∈ ℝn×𝑚 with 𝑛 samples
Output: 𝑌 = 𝑊𝑋 ∈ ℝn×𝑚′
Algorithm
Normalization: 𝑥𝑖 = 𝑥𝑖 −
1
𝑚
σ𝑗=1
𝑚
𝑥𝑗
Covariance matrix: 𝐶 =
1
𝑚
𝑋𝑋𝑇
Calculate eigenvectors
Anomaly score: the distance between the abnormal sample and the feature vector](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-8-320.jpg)
![HBOS(Histogram-based Outlier Score)
[1]: Goldstein, M. and Dengel, A., 2012. Histogram-based outlier score (hbos): A fast unsupervised anomaly detection algorithm. In KI-2012:
Poster and Demo Track, pp.59-63.
Methods
Low density area](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-9-320.jpg)
![HBOS(Histogram-based Outlier Score)
[1]: Goldstein, M. and Dengel, A., 2012. Histogram-based outlier score (hbos): A fast unsupervised anomaly detection algorithm. In KI-2012:
Poster and Demo Track, pp.59-63.
Assumption
Multidimensional data is independent of each dimension.
➢ Draw a data histogram
➢ Divide the value range into K buckets of equal(sometimes can be dynamic)
width, and the frequency of the value falling into each bucket is used as an
estimate of density.
Algorithm
Anomaly Score
𝐻𝐵𝑂𝑆 𝑝 =
𝑖=0
𝑎
log(
1
ℎ𝑖𝑠𝑡𝑖(𝑝)
)](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-10-320.jpg)
![AE(Auto Encoder)
[1]: Ramaswamy, S., Rastogi, R. and Shim, K., 2000, May. Efficient algorithms for mining outliers from large data sets. ACM Sigmod
Record, 29(2), pp. 427-438.
Latent Representation](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-11-320.jpg)
![Isolation Forest
ICDM '08
[1]: Liu, F.T., Ting, K.M. and Zhou, Z.H., 2008, December. Isolation forest. In International Conference on Data Mining (ICDM), pp. 413-
422. IEEE](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-12-320.jpg)
![Isolation Forest
Anomaly Detection
[1]: Liu, F.T., Ting, K.M. and Zhou, Z.H., 2008, December. Isolation forest. In International Conference on Data Mining (ICDM), pp. 413-
422. IEEE](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-13-320.jpg)
![Isolation Forest
Anomaly Detection
[1]: Liu, F.T., Ting, K.M. and Zhou, Z.H., 2008, December. Isolation forest. In International Conference on Data Mining (ICDM), pp. 413-
422. IEEE](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-14-320.jpg)
![Isolation Forest
Anomaly Detection
[1]: Liu, F.T., Ting, K.M. and Zhou, Z.H., 2008, December. Isolation forest. In International Conference on Data Mining (ICDM), pp. 413-
422. IEEE](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-15-320.jpg)
![REFERENCE
[1]: Liu, Fei Tony, Kai Ming Ting, and Zhi-Hua Zhou. "Isolation forest." 2008 eighth ieee international
conference on data mining. IEEE, 2008.
[2]: Eswaran, Dhivya, et al. "Spotlight: Detecting anomalies in streaming graphs." Proceedings of the 24th
ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2018.
[3]: Ramaswamy, S., Rastogi, R. and Shim, K., 2000, May. Efficient algorithms for mining outliers from
large data sets. ACM Sigmod Record, 29(2), pp. 427-438.
[4]: Breunig, M.M., Kriegel, H.P., Ng, R.T. and Sander, J., 2000, May. LOF: identifying density-based local
outliers. ACM Sigmod Record, 29(2), pp. 93-104.
[5]: Shyu, Mei-Ling, et al. A novel anomaly detection scheme based on principal component classifier.
MIAMI UNIV CORAL GABLES FL DEPT OF ELECTRICAL AND COMPUTER ENGINEERING, 2003.
[6]: Goldstein, M. and Dengel, A., 2012. Histogram-based outlier score (hbos): A fast unsupervised anomaly
detection algorithm. In KI-2012: Poster and Demo Track, pp.59-63.
[7]: Ramaswamy, S., Rastogi, R. and Shim, K., 2000, May. Efficient algorithms for mining outliers from
large data sets. ACM Sigmod Record, 29(2), pp. 427-438.
[8]: Liu, F.T., Ting, K.M. and Zhou, Z.H., 2008, December. Isolation forest. In International Conference on
Data Mining (ICDM), pp. 413-422. IEEE](https://image.slidesharecdn.com/anomaly-detection112940-240824083049-54f219ce/85/Introduction-to-anomaly-detection-methods-16-320.jpg)
Introduction to anomaly detection methods
- 1. Introduction to Anomaly Detection Introductionto Anomaly Detection Linghao Chen HOMEPAGE: https://lhchen.top lhchen@stu.xidian.edu.cn School of Computer Science and Technology, Xidian University, Xi'an, ShaanXi, P.R.China
- 2. Anomaly Detection What isit? [1]: Liu, Fei Tony, Kai Ming Ting, and Zhi-Hua Zhou. "Isolation forest." 2008 eighth ieee international conference on data mining. IEEE, 2008. [2]: Eswaran, Dhivya, et al. "Spotlight: Detecting anomalies in streaming graphs." Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2018.
- 3. Problems Why so hardto detect anomaly? ✓ Unsupervised learning in most cases; ✓ The data is extremely unbalanced; ✓ It often involves density estimation, which requires a large amount of distance or similarity calculations, and computationally expensive; ✓ Real-time detection; ✓ Interpretability of methods.
- 4. Methods Classic Methods: ➢ kNN(K-NearestNeighbor) ➢ LOF(Local Outlier Factor) ➢ PCA(Principal Component Analysis) ➢ HBOS(Histogram-based Outlier Score) ➢ Isolation Forest ➢ AE(Auto Encoder)
- 5. kNN(K-Nearest Neighbor) [1]: Ramaswamy,S., Rastogi, R. and Shim, K., 2000, May. Efficient algorithms for mining outliers from large data sets. ACM Sigmod Record, 29(2), pp. 427-438. 𝐷𝑖𝑠 𝑥, 𝑦 = 𝑖=1 𝑁 𝑥𝑖 − 𝑦𝑖 𝑝 1 𝑝 Choose Top K-th Dstance Simple but expensive!
- 6. LOF(Local Outlier Factor) [1]:Breunig, M.M., Kriegel, H.P., Ng, R.T. and Sander, J., 2000, May. LOF: identifying density-based local outliers. ACM Sigmod Record, 29(2), pp. 93-104. K-distance of an object p 5-distance
- 7. LOF(Local Outlier Factor) [1]:Breunig, M.M., Kriegel, H.P., Ng, R.T. and Sander, J., 2000, May. LOF: identifying density-based local outliers. ACM Sigmod Record, 29(2), pp. 93-104. K-distance neighborhood of an object p 𝑁𝑘 𝑂 = 𝑃′ ∈ 𝐷{𝑂 | 𝑑 𝑂, 𝑃′ ≤ 𝑑𝑘(𝑂)} 𝑁5 𝑂 = {𝑃1, 𝑃2, 𝑃3, 𝑃4, 𝑃5, 𝑃6} 5-distance 𝑃6 𝑃5 Reachability distance of an object P w.r.t. object O 𝜌𝑘 𝑃 = |𝑁𝑘(𝑃)| σ𝑂∈𝑁𝑘(𝑃) 𝑑_𝑘(𝑃, 𝑂) 𝐿𝑂𝐹𝑘 𝑃 = σ𝑂∈𝑁𝑘(𝑃) 𝜌𝑘 𝑂 𝜌𝑘 𝑃 |𝑁𝑘(𝑃)|
- 8. PCA(Principal Component Analysis) [1]:Shyu, Mei-Ling, et al. A novel anomaly detection scheme based on principal component classifier. MIAMI UNIV CORAL GABLES FL DEPT OF ELECTRICALAND COMPUTER ENGINEERING, 2003. Input: 𝑋 ∈ ℝn×𝑚 with 𝑛 samples Output: 𝑌 = 𝑊𝑋 ∈ ℝn×𝑚′ Algorithm Normalization: 𝑥𝑖 = 𝑥𝑖 − 1 𝑚 σ𝑗=1 𝑚 𝑥𝑗 Covariance matrix: 𝐶 = 1 𝑚 𝑋𝑋𝑇 Calculate eigenvectors Anomaly score: the distance between the abnormal sample and the feature vector
- 9. HBOS(Histogram-based Outlier Score) [1]:Goldstein, M. and Dengel, A., 2012. Histogram-based outlier score (hbos): A fast unsupervised anomaly detection algorithm. In KI-2012: Poster and Demo Track, pp.59-63. Methods Low density area
- 10. HBOS(Histogram-based Outlier Score) [1]:Goldstein, M. and Dengel, A., 2012. Histogram-based outlier score (hbos): A fast unsupervised anomaly detection algorithm. In KI-2012: Poster and Demo Track, pp.59-63. Assumption Multidimensional data is independent of each dimension. ➢ Draw a data histogram ➢ Divide the value range into K buckets of equal(sometimes can be dynamic) width, and the frequency of the value falling into each bucket is used as an estimate of density. Algorithm Anomaly Score 𝐻𝐵𝑂𝑆 𝑝 = 𝑖=0 𝑎 log( 1 ℎ𝑖𝑠𝑡𝑖(𝑝) )
- 11. AE(Auto Encoder) [1]: Ramaswamy,S., Rastogi, R. and Shim, K., 2000, May. Efficient algorithms for mining outliers from large data sets. ACM Sigmod Record, 29(2), pp. 427-438. Latent Representation
- 12. Isolation Forest ICDM '08 [1]:Liu, F.T., Ting, K.M. and Zhou, Z.H., 2008, December. Isolation forest. In International Conference on Data Mining (ICDM), pp. 413- 422. IEEE
- 13. Isolation Forest Anomaly Detection [1]:Liu, F.T., Ting, K.M. and Zhou, Z.H., 2008, December. Isolation forest. In International Conference on Data Mining (ICDM), pp. 413- 422. IEEE
- 14. Isolation Forest Anomaly Detection [1]:Liu, F.T., Ting, K.M. and Zhou, Z.H., 2008, December. Isolation forest. In International Conference on Data Mining (ICDM), pp. 413- 422. IEEE
- 15. Isolation Forest Anomaly Detection [1]:Liu, F.T., Ting, K.M. and Zhou, Z.H., 2008, December. Isolation forest. In International Conference on Data Mining (ICDM), pp. 413- 422. IEEE
- 16. REFERENCE [1]: Liu, FeiTony, Kai Ming Ting, and Zhi-Hua Zhou. "Isolation forest." 2008 eighth ieee international conference on data mining. IEEE, 2008. [2]: Eswaran, Dhivya, et al. "Spotlight: Detecting anomalies in streaming graphs." Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2018. [3]: Ramaswamy, S., Rastogi, R. and Shim, K., 2000, May. Efficient algorithms for mining outliers from large data sets. ACM Sigmod Record, 29(2), pp. 427-438. [4]: Breunig, M.M., Kriegel, H.P., Ng, R.T. and Sander, J., 2000, May. LOF: identifying density-based local outliers. ACM Sigmod Record, 29(2), pp. 93-104. [5]: Shyu, Mei-Ling, et al. A novel anomaly detection scheme based on principal component classifier. MIAMI UNIV CORAL GABLES FL DEPT OF ELECTRICAL AND COMPUTER ENGINEERING, 2003. [6]: Goldstein, M. and Dengel, A., 2012. Histogram-based outlier score (hbos): A fast unsupervised anomaly detection algorithm. In KI-2012: Poster and Demo Track, pp.59-63. [7]: Ramaswamy, S., Rastogi, R. and Shim, K., 2000, May. Efficient algorithms for mining outliers from large data sets. ACM Sigmod Record, 29(2), pp. 427-438. [8]: Liu, F.T., Ting, K.M. and Zhou, Z.H., 2008, December. Isolation forest. In International Conference on Data Mining (ICDM), pp. 413-422. IEEE
- 17. Q&A Introduction to Anomaly Detection LinghaoChen HOMEPAGE: https://lhchen.top lhchen@stu.xidian.edu.cn School of Computer Science and Technology, Xidian University, Xi'an, ShaanXi, P.R.China