Kuppusamy P, profile picture
Uploaded byKuppusamy P
PDF, PPTX1,830 views

Anomaly detection (Unsupervised Learning) in Machine Learning

Anomaly detection techniques are used to identify rare items, events or observations which raise suspicions by differing significantly from the majority of the data. There are various types of anomalies including point anomalies, contextual anomalies and collective anomalies. Anomaly detection algorithms typically build a model of normal behavior and then label new data as normal or anomalous based on how well it fits the model. Common techniques include clustering, statistical methods and distance-based approaches. Applications include fraud detection, system failure diagnosis and cybersecurity.

Education
Related topics:
Anomaly Detection

Embed presentation

Download as PDF, PPTX
Anomaly / Outlier Detection
Introduction • Anomaly is a pattern in the data that does not provide the expected behaviour called as outliers, exceptions, peculiarities, surprise, etc. • Anomalies are the set of data points that are considerably different than the remaining data. • Outliers are data points that are considered out of the ordinary or abnormal . This includes noise. • Anomalies are a special kind of outlier that has significant/ critical/actionable information which could be of interest to analysts.  Anomalous events occur infrequently. • Anomalies translate to significant (often critical) real life entities • Cyber intrusions • Credit card fraud • Applications: • Credit card fraud detection • Telecommunication fraud detection • Network intrusion detection • Fault detection
Example • N1 and N2 are regions of normal behavior • Points o1 and o2 are anomalies • Points in region O3 are anomalies X Y N1 N2 o1 o2 O3
Aspects of Anomaly Detection Problem • Nature of input data • Availability of supervision • Type of anomaly: point, contextual, structural • Output of anomaly detection • Evaluation of anomaly detection techniques
Input Data • Most common form of data handled by anomaly detection techniques is Record Data • Univariate • Multivariate Tid SrcIP Start time Dest IP Dest Port Number of bytes Attack 1 206.135.38.95 11:07:20 160.94.179.223 139 192 No 2 206.163.37.95 11:13:56 160.94.179.219 139 195 No 3 206.163.37.95 11:14:29 160.94.179.217 139 180 No 4 206.163.37.95 11:14:30 160.94.179.255 139 199 No 5 206.163.37.95 11:14:32 160.94.179.254 139 19 Yes 6 206.163.37.95 11:14:35 160.94.179.253 139 177 No 7 206.163.37.95 11:14:36 160.94.179.252 139 172 No 8 206.163.37.95 11:14:38 160.94.179.251 139 285 Yes 9 206.163.37.95 11:14:41 160.94.179.250 139 195 No 10 206.163.37.95 11:14:44 160.94.179.249 139 163 Yes 10
Input Data – Nature of Attributes • Nature of attributes • Binary • Categorical • Continuous Tid SrcIP Duration Dest IP Number of bytes Internal 1 206.163.37.81 0.10 160.94.179.208 150 No 2 206.163.37.99 0.27 160.94.179.235 208 No 3 160.94.123.45 1.23 160.94.179.221 195 Yes 4 206.163.37.37 112.03 160.94.179.253 199 No 5 206.163.37.41 0.32 160.94.179.244 181 No
Input Data – Complex Data Types • Relationship among data instances • Sequential • Temporal • Spatial • Spatio-temporal • Graph GGTTCCGCCTTCAGCCCCGCGCC CGCAGGGCCCGCCCCGCGCCGTC GAGAAGGGCCCGCCTGGCGGGCG GGGGGAGGCGGGGCCGCCCGAGC CCAACCGAGTCCGACCAGGTGCC CCCTCTGCTCGGCCTAGACCTGA GCTCATTAGGCGGCAGCGGACAG GCCAAGTAGAACACGCGAAGCGC TGGGCTGCCTGCTGCGACCAGGG
Data Labels • Supervised Anomaly Detection • Labels available for both normal data and anomalies • Semi-supervised Anomaly Detection • Labels available only for normal data • Unsupervised Anomaly Detection • No labels assumed • Based on the assumption that anomalies are very rare compared to normal data
Type of Anomaly • Point Anomalies • Contextual Anomalies • Collective Anomalies
Point Anomalies • An individual data instance is anomalous with respect to the data X Y N1 N2 o1 o2 O3
Contextual Anomalies • An individual data instance is anomalous within a context • Requires a notion of context • Also called as conditional anomalies Normal Anomaly
Collective Anomalies • A collection of related data instances is anomalous. • Requires a relationship among data instances • Sequential Data • Spatial Data • Graph Data • The individual instances within a collective anomaly are not anomalous by themselves. Anomalous Subsequence
Output of Anomaly Detection • Label • Each test instance is given a normal or anomaly label • Score • Each test instance is assigned an anomaly score • Allows the output to be ranked • Requires an additional threshold parameter
Anomaly Detection Schemes • General Steps • Build a profile of the “normal” behavior • Profile can be patterns or summary statistics for the overall population • Use the “normal” profile to detect anomalies • Anomalies are observations whose characteristics differ significantly from the normal profile • Types of anomaly detection schemes • Graphical & Statistical-based • Distance-based • Model-based
Clustering Based Anomaly Detection • Key assumption: Normal data records belong to large and dense clusters, while anomalies belong do not belong to any of the clusters or form very small clusters • Categorization according to labels • Semi-supervised – Cluster normal data to create modes of normal behavior. If any new instance does not belong to any of the clusters or it is not close to any cluster, is called anomaly • Unsupervised – Post-processing is needed after a clustering step to determine the size of the clusters and the distance from the clusters is required from the point to be anomaly. • Anomalies detected using clustering based methods can be: 1. Data records that do not fit into any cluster (residuals from clustering) 2. Small clusters 3. Low density clusters or local anomalies (far from other points within the same cluster)
Anomaly Detection: Clustering Approach Anomaly score function: • Given a data point x from a dataset D, Alternate definitions: 1. f(x) = distance between x and its closest centroid 2. f(x) : (called relative distance) = ratio between the data point's distance from the centroid to the median distance of all data points in the cluster from the centroid 3. f(x) = improvement in the goodness of a cluster (as measured by an objective function) when x is removed
Anomaly Detection: K-means Clustering Approach Step 1: Select k random data points from the training dataset as the centroids of the clusters C1, C2, ...Ck. Step 2: For each training data point x: a. Compute the Euclidean distance D(Ci, x), i = 1...k b. Find cluster Cq that is closest to data point x. c. Assign data point x to Cq. Update the centroid of Cq. (The centroid of a cluster is the arithmetic mean of the data points in the cluster.) Step 3: Repeat Step 2 until the centroids of clusters C1, C2, ...Ck stabilize in terms of convergence criterion. Step 4: For each test (new) data point y: a. Compute the Euclidean distance D(Ci, y), i = 1...k called anomaly score. Find the cluster Cr that is closest to y. b. Use a threshold t on this score to determine anomalies or outliers. i.e, x is an outlier iff score > t. Otherwise, x is normal datapoint. • Points in small clusters – anomalies**
Using K-means with 2 clusters. Fig uses distance of point from closest centroids (D is not considered outlier)
Fig uses relative distance of point from closest centroids to adjust for the difference of densities among the clusters
Clustering Based Anomaly Detection • Advantages: • No need to be supervised • Easily adaptable to on-line anomaly detection from temporal data • Drawbacks • Computationally expensive – Time complexity is O(cn), c - # of clusters • Using indexing structures (k-d tree, R* tree) may alleviate this problem • If normal points do not create any clusters the techniques may fail • In high dimensional spaces, data is sparse and distances between any two data records may become quite similar. • Clustering algorithms may not give any meaningful clusters
Visualization Based Techniques • Use visualization tools to observe the data • Provide alternate views of data for manual inspection • Anomalies are detected visually • Advantages • Keeps a human in the loop • Disadvantages • Works well for low dimensional data • Can provide only aggregated or partial views for high dimension data
Application of Dynamic Graphics • Apply dynamic graphics to the exploratory analysis of spatial data. • Visualization tools are used to examine local variability to detect anomalies • Manual inspection of plots of the data that display its marginal and multivariate distributions
Applications of Anomaly Detection • Network intrusion detection • Insurance / Credit card fraud detection • Healthcare Informatics / Medical diagnostics • Industrial Damage Detection • Image Processing / Video surveillance • Novel Topic Detection in Text Mining
References • Tom Markiewicz& Josh Zheng,Getting started with Artificial Intelligence, Published by O’Reilly Media,2017 • Stuart J. Russell and Peter Norvig,Artificial Intelligence A Modern Approach • Richard Szeliski, Computer Vision: Algorithms and Applications, Springer 2010 • Artificial Intelligence and Machine Learning, Chandra S.S. & H.S. Anand, PHI Publications • Machine Learning, Rajiv Chopra, Khanna Publishing House

More Related Content

PDF
Anomaly detection
byHitesh Mohapatra
 
PPTX
Anomaly detection
byDr. Stylianos Kampakis
 
PDF
Anomaly detection Workshop slides
byQuantUniversity
 
PPTX
Anomaly Detection Technique
byChakrit Phain
 
PPTX
Anomaly Detection - Real World Scenarios, Approaches and Live Implementation
byImpetus Technologies
 
PDF
Anomaly Detection: A Survey
byKonkuk University, Korea
 
PDF
An Introduction to Anomaly Detection
byKenneth Graham
 
PPTX
Anomaly detection with machine learning at scale
byImpetus Technologies
 
Anomaly detection
byHitesh Mohapatra
 
Anomaly detection
byDr. Stylianos Kampakis
 
Anomaly detection Workshop slides
byQuantUniversity
 
Anomaly Detection Technique
byChakrit Phain
 
Anomaly Detection - Real World Scenarios, Approaches and Live Implementation
byImpetus Technologies
 
Anomaly Detection: A Survey
byKonkuk University, Korea
 
An Introduction to Anomaly Detection
byKenneth Graham
 
Anomaly detection with machine learning at scale
byImpetus Technologies
 

What's hot

PDF
Anomaly Detection using Deep Auto-Encoders
byGianmario Spacagna
 
PDF
Anomaly detection
byQuantUniversity
 
PPTX
Ensemble methods in machine learning
bySANTHOSH RAJA M G
 
PPTX
House Sale Price Prediction
bysriram30691
 
PDF
Isolation Forest
byKonkuk University, Korea
 
PPTX
Outlier analysis and anomaly detection
byShantanuDeosthale
 
PDF
Anomaly detection: Core Techniques and Advances in Big Data and Deep Learning
byQuantUniversity
 
PPTX
Pattern Recognition
byMaaz Hasan
 
PDF
Unsupervised Learning in Machine Learning
byPyingkodi Maran
 
PPTX
Data Reduction
byRajan Shah
 
PPTX
Machine learning clustering
byCosmoAIMS Bassett
 
PDF
Anomaly Detection
byCarol Hargreaves
 
PDF
Data preprocessing using Machine Learning
byGopal Sakarkar
 
PDF
Cross-validation Tutorial: What, how and which?
byPradeep Redddy Raamana
 
PPTX
Gradient descent method
byProf. Neeta Awasthy
 
PPT
5.3 mining sequential patterns
byKrish_ver2
 
PDF
Unsupervised Anomaly Detection with Isolation Forest - Elena Sharova
byPyData
 
PPTX
Data Mining: Outlier analysis
byDataminingTools Inc
 
PPTX
Support vector machine
byMusa Hawamdah
 
PPTX
3 Data Mining Tasks
byMahmoud Alfarra
 
Anomaly Detection using Deep Auto-Encoders
byGianmario Spacagna
 
Anomaly detection
byQuantUniversity
 
Ensemble methods in machine learning
bySANTHOSH RAJA M G
 
House Sale Price Prediction
bysriram30691
 
Isolation Forest
byKonkuk University, Korea
 
Outlier analysis and anomaly detection
byShantanuDeosthale
 
Anomaly detection: Core Techniques and Advances in Big Data and Deep Learning
byQuantUniversity
 
Pattern Recognition
byMaaz Hasan
 
Unsupervised Learning in Machine Learning
byPyingkodi Maran
 
Data Reduction
byRajan Shah
 
Machine learning clustering
byCosmoAIMS Bassett
 
Anomaly Detection
byCarol Hargreaves
 
Data preprocessing using Machine Learning
byGopal Sakarkar
 
Cross-validation Tutorial: What, how and which?
byPradeep Redddy Raamana
 
Gradient descent method
byProf. Neeta Awasthy
 
5.3 mining sequential patterns
byKrish_ver2
 
Unsupervised Anomaly Detection with Isolation Forest - Elena Sharova
byPyData
 
Data Mining: Outlier analysis
byDataminingTools Inc
 
Support vector machine
byMusa Hawamdah
 
3 Data Mining Tasks
byMahmoud Alfarra
 

Similar to Anomaly detection (Unsupervised Learning) in Machine Learning

PPTX
Anomaly Detection and Spark Implementation - Meetup Presentation.pptx
byImpetus Technologies
 
PDF
Term_Paper_Shengzhe_Wang
byShengzhe Wang
 
PDF
Anomly and fraud detection using AI - Artivatic.ai
byArtivatic.ai
 
PDF
Fraud detection- Retail, Banking, Finance & FMCG
byArtivatic.ai
 
PDF
anomalydetection-191104083630.pdf
byhanadi40
 
PDF
Analytics for large-scale time series and event data
byAnodot
 
PPTX
Chapter 10 Anomaly Detection
byKhalid Elshafie
 
DOCX
AnomalyOutlier DetectionWhat are anomaliesoutliersThe set.docx
byamrit47
 
PDF
AI in anomaly detection - An Overview.pdf
byStephenAmell4
 
PDF
Outlier analysis for Temporal Datasets
byQuantUniversity
 
PPTX
Anomaly detection workshop
bygforgovind
 
PDF
Outlier Detection Using Unsupervised Learning on High Dimensional Data
byIJERA Editor
 
PDF
Annommaly detection techniques and approaches
byJay Sahoo
 
PDF
AI in anomaly detection.pdf
byStephenAmell4
 
PDF
Dataday Texas 2016 - Datadog
byDatadog
 
PPTX
Anomalies and events keep us on our toes
byCSIRO
 
PDF
POSTER_Ewonye.pdf
bykwadwoAmedi
 
PPTX
Traffic anomaly detection and attack
byQrator Labs
 
PPT
Chap10 Anomaly Detection
byguest76d673
 
PPTX
Anomaly Detection
byDatamining Tools
 
Anomaly Detection and Spark Implementation - Meetup Presentation.pptx
byImpetus Technologies
 
Term_Paper_Shengzhe_Wang
byShengzhe Wang
 
Anomly and fraud detection using AI - Artivatic.ai
byArtivatic.ai
 
Fraud detection- Retail, Banking, Finance & FMCG
byArtivatic.ai
 
anomalydetection-191104083630.pdf
byhanadi40
 
Analytics for large-scale time series and event data
byAnodot
 
Chapter 10 Anomaly Detection
byKhalid Elshafie
 
AnomalyOutlier DetectionWhat are anomaliesoutliersThe set.docx
byamrit47
 
AI in anomaly detection - An Overview.pdf
byStephenAmell4
 
Outlier analysis for Temporal Datasets
byQuantUniversity
 
Anomaly detection workshop
bygforgovind
 
Outlier Detection Using Unsupervised Learning on High Dimensional Data
byIJERA Editor
 
Annommaly detection techniques and approaches
byJay Sahoo
 
AI in anomaly detection.pdf
byStephenAmell4
 
Dataday Texas 2016 - Datadog
byDatadog
 
Anomalies and events keep us on our toes
byCSIRO
 
POSTER_Ewonye.pdf
bykwadwoAmedi
 
Traffic anomaly detection and attack
byQrator Labs
 
Chap10 Anomaly Detection
byguest76d673
 
Anomaly Detection
byDatamining Tools
 

More from Kuppusamy P

PDF
Recurrent neural networks rnn
byKuppusamy P
 
PDF
Deep learning
byKuppusamy P
 
PDF
Image segmentation
byKuppusamy P
 
PDF
Image enhancement
byKuppusamy P
 
PDF
Feature detection and matching
byKuppusamy P
 
PDF
Image processing, Noise, Noise Removal filters
byKuppusamy P
 
PDF
Flowchart design for algorithms
byKuppusamy P
 
PDF
Algorithm basics
byKuppusamy P
 
PDF
Problem solving using Programming
byKuppusamy P
 
PDF
Parts of Computer, Hardware and Software
byKuppusamy P
 
PDF
Strings in java
byKuppusamy P
 
PDF
Java methods or Subroutines or Functions
byKuppusamy P
 
PDF
Java arrays
byKuppusamy P
 
PDF
Java iterative statements
byKuppusamy P
 
PDF
Java conditional statements
byKuppusamy P
 
PDF
Java data types
byKuppusamy P
 
PDF
Java introduction
byKuppusamy P
 
PDF
Logistic regression in Machine Learning
byKuppusamy P
 
PDF
Machine Learning Performance metrics for classification
byKuppusamy P
 
PDF
Machine learning Introduction
byKuppusamy P
 
Recurrent neural networks rnn
byKuppusamy P
 
Deep learning
byKuppusamy P
 
Image segmentation
byKuppusamy P
 
Image enhancement
byKuppusamy P
 
Feature detection and matching
byKuppusamy P
 
Image processing, Noise, Noise Removal filters
byKuppusamy P
 
Flowchart design for algorithms
byKuppusamy P
 
Algorithm basics
byKuppusamy P
 
Problem solving using Programming
byKuppusamy P
 
Parts of Computer, Hardware and Software
byKuppusamy P
 
Strings in java
byKuppusamy P
 
Java methods or Subroutines or Functions
byKuppusamy P
 
Java arrays
byKuppusamy P
 
Java iterative statements
byKuppusamy P
 
Java conditional statements
byKuppusamy P
 
Java data types
byKuppusamy P
 
Java introduction
byKuppusamy P
 
Logistic regression in Machine Learning
byKuppusamy P
 
Machine Learning Performance metrics for classification
byKuppusamy P
 
Machine learning Introduction
byKuppusamy P
 

Recently uploaded

PDF
45 ĐỀ LUYỆN THI IOE LỚP 8 THEO CHƯƠNG TRÌNH MỚI - NĂM HỌC 2024-2025 (CÓ LINK ...
byNguyen Thanh Tu Collection
 
PPTX
Screening and Selecting Studies for Systematic Review Dr Reginald Quansah
bySystematic Reviews Network (SRN)
 
PPTX
A Presentation of PMES 2025-2028 with Salient features.pptx
byRoyPintor2
 
PPTX
How to Configure Automatic Wave Transfer in Odoo 18 Inventory
byCeline George
 
PDF
DEFINITION OF COMMUNITY Sociology. .pdf
byJhasketan Kuanar
 
PDF
The invasion of Alexander of Macedonia in India
byPrachiSontakke5
 
PDF
*Unit-II A (Elements of Communication & Communication Style Matrix)
bySayyadTarannum
 
PPTX
Chapter 3. Pharmaceutical Aids (pharmaceutics)
bySharibJamal
 
PDF
UGC NET Paper 1 Syllabus | 10 Units Complete Guide for NTA JRF
byNIKHIL K N
 
PDF
“Step-by-Step Fabrication of Bipolar Junction Transistors (BJTs)”
byGS Virdi
 
PDF
1. Doing Academic Research: Problems and Issues, 2. Academic Research Writing...
byProf. Vinod Kumar Kanvaria
 
PDF
Digital Journalism Ethics 2025 materi for Regulation & Ethic Media
byAdePutraTunggali
 
PPTX
Psychological disorders affecting students well being.pptx
bymunushah
 
PPTX
Time Series Analysis - Least Square Method Fitting a Linear Trend Equation
bySundar B N
 
PPTX
SEMESTER 5 UNIT- 1 Difference of Children and adults.pptx
bysachin7989
 
PPTX
Time Series Analysis - Weighted (Unequal) Moving Average Method
bySundar B N
 
PDF
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
PPTX
ATTENTION - PART 1.pptx cognitive processes -For B.Sc I Sem By Mrs.Shilpa Hot...
bySHILPA HOTAKAR
 
PDF
Comparative Research Report of Legal Frameworks for General Asylum and the Pr...
byScalabrini Institute for Human Mobility in Africa
 
PPTX
Prelims - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
45 ĐỀ LUYỆN THI IOE LỚP 8 THEO CHƯƠNG TRÌNH MỚI - NĂM HỌC 2024-2025 (CÓ LINK ...
byNguyen Thanh Tu Collection
 
Screening and Selecting Studies for Systematic Review Dr Reginald Quansah
bySystematic Reviews Network (SRN)
 
A Presentation of PMES 2025-2028 with Salient features.pptx
byRoyPintor2
 
How to Configure Automatic Wave Transfer in Odoo 18 Inventory
byCeline George
 
DEFINITION OF COMMUNITY Sociology. .pdf
byJhasketan Kuanar
 
The invasion of Alexander of Macedonia in India
byPrachiSontakke5
 
*Unit-II A (Elements of Communication & Communication Style Matrix)
bySayyadTarannum
 
Chapter 3. Pharmaceutical Aids (pharmaceutics)
bySharibJamal
 
UGC NET Paper 1 Syllabus | 10 Units Complete Guide for NTA JRF
byNIKHIL K N
 
“Step-by-Step Fabrication of Bipolar Junction Transistors (BJTs)”
byGS Virdi
 
1. Doing Academic Research: Problems and Issues, 2. Academic Research Writing...
byProf. Vinod Kumar Kanvaria
 
Digital Journalism Ethics 2025 materi for Regulation & Ethic Media
byAdePutraTunggali
 
Psychological disorders affecting students well being.pptx
bymunushah
 
Time Series Analysis - Least Square Method Fitting a Linear Trend Equation
bySundar B N
 
SEMESTER 5 UNIT- 1 Difference of Children and adults.pptx
bysachin7989
 
Time Series Analysis - Weighted (Unequal) Moving Average Method
bySundar B N
 
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
ATTENTION - PART 1.pptx cognitive processes -For B.Sc I Sem By Mrs.Shilpa Hot...
bySHILPA HOTAKAR
 
Comparative Research Report of Legal Frameworks for General Asylum and the Pr...
byScalabrini Institute for Human Mobility in Africa
 
Prelims - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 

Anomaly detection (Unsupervised Learning) in Machine Learning

  • 1.
  • 2.
    Introduction • Anomaly isa pattern in the data that does not provide the expected behaviour called as outliers, exceptions, peculiarities, surprise, etc. • Anomalies are the set of data points that are considerably different than the remaining data. • Outliers are data points that are considered out of the ordinary or abnormal . This includes noise. • Anomalies are a special kind of outlier that has significant/ critical/actionable information which could be of interest to analysts.  Anomalous events occur infrequently. • Anomalies translate to significant (often critical) real life entities • Cyber intrusions • Credit card fraud • Applications: • Credit card fraud detection • Telecommunication fraud detection • Network intrusion detection • Fault detection
  • 3.
    Example • N1 andN2 are regions of normal behavior • Points o1 and o2 are anomalies • Points in region O3 are anomalies X Y N1 N2 o1 o2 O3
  • 4.
    Aspects of AnomalyDetection Problem • Nature of input data • Availability of supervision • Type of anomaly: point, contextual, structural • Output of anomaly detection • Evaluation of anomaly detection techniques
  • 5.
    Input Data • Mostcommon form of data handled by anomaly detection techniques is Record Data • Univariate • Multivariate Tid SrcIP Start time Dest IP Dest Port Number of bytes Attack 1 206.135.38.95 11:07:20 160.94.179.223 139 192 No 2 206.163.37.95 11:13:56 160.94.179.219 139 195 No 3 206.163.37.95 11:14:29 160.94.179.217 139 180 No 4 206.163.37.95 11:14:30 160.94.179.255 139 199 No 5 206.163.37.95 11:14:32 160.94.179.254 139 19 Yes 6 206.163.37.95 11:14:35 160.94.179.253 139 177 No 7 206.163.37.95 11:14:36 160.94.179.252 139 172 No 8 206.163.37.95 11:14:38 160.94.179.251 139 285 Yes 9 206.163.37.95 11:14:41 160.94.179.250 139 195 No 10 206.163.37.95 11:14:44 160.94.179.249 139 163 Yes 10
  • 6.
    Input Data –Nature of Attributes • Nature of attributes • Binary • Categorical • Continuous Tid SrcIP Duration Dest IP Number of bytes Internal 1 206.163.37.81 0.10 160.94.179.208 150 No 2 206.163.37.99 0.27 160.94.179.235 208 No 3 160.94.123.45 1.23 160.94.179.221 195 Yes 4 206.163.37.37 112.03 160.94.179.253 199 No 5 206.163.37.41 0.32 160.94.179.244 181 No
  • 7.
    Input Data –Complex Data Types • Relationship among data instances • Sequential • Temporal • Spatial • Spatio-temporal • Graph GGTTCCGCCTTCAGCCCCGCGCC CGCAGGGCCCGCCCCGCGCCGTC GAGAAGGGCCCGCCTGGCGGGCG GGGGGAGGCGGGGCCGCCCGAGC CCAACCGAGTCCGACCAGGTGCC CCCTCTGCTCGGCCTAGACCTGA GCTCATTAGGCGGCAGCGGACAG GCCAAGTAGAACACGCGAAGCGC TGGGCTGCCTGCTGCGACCAGGG
  • 8.
    Data Labels • SupervisedAnomaly Detection • Labels available for both normal data and anomalies • Semi-supervised Anomaly Detection • Labels available only for normal data • Unsupervised Anomaly Detection • No labels assumed • Based on the assumption that anomalies are very rare compared to normal data
  • 9.
    Type of Anomaly •Point Anomalies • Contextual Anomalies • Collective Anomalies
  • 10.
    Point Anomalies • Anindividual data instance is anomalous with respect to the data X Y N1 N2 o1 o2 O3
  • 11.
    Contextual Anomalies • Anindividual data instance is anomalous within a context • Requires a notion of context • Also called as conditional anomalies Normal Anomaly
  • 12.
    Collective Anomalies • Acollection of related data instances is anomalous. • Requires a relationship among data instances • Sequential Data • Spatial Data • Graph Data • The individual instances within a collective anomaly are not anomalous by themselves. Anomalous Subsequence
  • 13.
    Output of AnomalyDetection • Label • Each test instance is given a normal or anomaly label • Score • Each test instance is assigned an anomaly score • Allows the output to be ranked • Requires an additional threshold parameter
  • 14.
    Anomaly Detection Schemes •General Steps • Build a profile of the “normal” behavior • Profile can be patterns or summary statistics for the overall population • Use the “normal” profile to detect anomalies • Anomalies are observations whose characteristics differ significantly from the normal profile • Types of anomaly detection schemes • Graphical & Statistical-based • Distance-based • Model-based
  • 15.
    Clustering Based AnomalyDetection • Key assumption: Normal data records belong to large and dense clusters, while anomalies belong do not belong to any of the clusters or form very small clusters • Categorization according to labels • Semi-supervised – Cluster normal data to create modes of normal behavior. If any new instance does not belong to any of the clusters or it is not close to any cluster, is called anomaly • Unsupervised – Post-processing is needed after a clustering step to determine the size of the clusters and the distance from the clusters is required from the point to be anomaly. • Anomalies detected using clustering based methods can be: 1. Data records that do not fit into any cluster (residuals from clustering) 2. Small clusters 3. Low density clusters or local anomalies (far from other points within the same cluster)
  • 16.
    Anomaly Detection: ClusteringApproach Anomaly score function: • Given a data point x from a dataset D, Alternate definitions: 1. f(x) = distance between x and its closest centroid 2. f(x) : (called relative distance) = ratio between the data point's distance from the centroid to the median distance of all data points in the cluster from the centroid 3. f(x) = improvement in the goodness of a cluster (as measured by an objective function) when x is removed
  • 17.
    Anomaly Detection: K-meansClustering Approach Step 1: Select k random data points from the training dataset as the centroids of the clusters C1, C2, ...Ck. Step 2: For each training data point x: a. Compute the Euclidean distance D(Ci, x), i = 1...k b. Find cluster Cq that is closest to data point x. c. Assign data point x to Cq. Update the centroid of Cq. (The centroid of a cluster is the arithmetic mean of the data points in the cluster.) Step 3: Repeat Step 2 until the centroids of clusters C1, C2, ...Ck stabilize in terms of convergence criterion. Step 4: For each test (new) data point y: a. Compute the Euclidean distance D(Ci, y), i = 1...k called anomaly score. Find the cluster Cr that is closest to y. b. Use a threshold t on this score to determine anomalies or outliers. i.e, x is an outlier iff score > t. Otherwise, x is normal datapoint. • Points in small clusters – anomalies**
  • 18.
    Using K-means with2 clusters. Fig uses distance of point from closest centroids (D is not considered outlier)
  • 19.
    Fig uses relativedistance of point from closest centroids to adjust for the difference of densities among the clusters
  • 20.
    Clustering Based AnomalyDetection • Advantages: • No need to be supervised • Easily adaptable to on-line anomaly detection from temporal data • Drawbacks • Computationally expensive – Time complexity is O(cn), c - # of clusters • Using indexing structures (k-d tree, R* tree) may alleviate this problem • If normal points do not create any clusters the techniques may fail • In high dimensional spaces, data is sparse and distances between any two data records may become quite similar. • Clustering algorithms may not give any meaningful clusters
  • 21.
    Visualization Based Techniques •Use visualization tools to observe the data • Provide alternate views of data for manual inspection • Anomalies are detected visually • Advantages • Keeps a human in the loop • Disadvantages • Works well for low dimensional data • Can provide only aggregated or partial views for high dimension data
  • 22.
    Application of DynamicGraphics • Apply dynamic graphics to the exploratory analysis of spatial data. • Visualization tools are used to examine local variability to detect anomalies • Manual inspection of plots of the data that display its marginal and multivariate distributions
  • 23.
    Applications of AnomalyDetection • Network intrusion detection • Insurance / Credit card fraud detection • Healthcare Informatics / Medical diagnostics • Industrial Damage Detection • Image Processing / Video surveillance • Novel Topic Detection in Text Mining
  • 24.
    References • Tom Markiewicz&Josh Zheng,Getting started with Artificial Intelligence, Published by O’Reilly Media,2017 • Stuart J. Russell and Peter Norvig,Artificial Intelligence A Modern Approach • Richard Szeliski, Computer Vision: Algorithms and Applications, Springer 2010 • Artificial Intelligence and Machine Learning, Chandra S.S. & H.S. Anand, PHI Publications • Machine Learning, Rajiv Chopra, Khanna Publishing House