In data mining, anomaly detection (or outlier detection) is the identification of items, events or observations which do not conform to an expected pattern or other items in a dataset. Typically the anomalous items will translate to some kind of problem such as bank fraud, a structural defect, medical problems or finding errors in text. Anomalies are also referred to as outliers, novelties, noise, deviations and exceptions.
In particular in the context of abuse and network intrusion detection, the interesting objects are often not rare objects, but unexpected bursts in activity. This pattern does not adhere to the common statistical definition of an outlier as a rare object, and many outlier detection methods (in particular unsupervised methods) will fail on such data, unless it has been aggregated appropriately. Instead, a cluster analysis algorithm may be able to detect the micro clusters formed by these patterns.
Three broad categories of anomaly detection techniques exist. Unsupervised anomaly detection techniques detect anomalies in an unlabeled test data set under the assumption that the majority of the instances in the data set are normal by looking for instances that seem to fit least to the remainder of the data set. Supervised anomaly detection techniques require a data set that has been labeled as "normal" and "abnormal" and involves training a classifier (the key difference to many other statistical classification problems is the inherent unbalanced nature of outlier detection). Semi-supervised anomaly detection techniques construct a model representing normal behavior from a given normal training data set, and then testing the likelihood of a test instance to be generated by the learnt model.
Anomaly detection is applicable in a variety of domains, such as intrusion detection, fraud detection, fault detection, system health monitoring, event detection in sensor networks, and detecting Eco-system disturbances. It is often used in preprocessing to remove anomalous data from the dataset. In supervised learning, removing the anomalous data from the dataset often results in a statistically significant increase in accuracy.
Several anomaly detection techniques have been proposed in literature. Some of the popular techniques are:
- Distance based techniques (k-nearest neighbor, local outlier factor).
- One class support vector machines.
- Replicator neural networks.
- Cluster analysis based outlier detection.
- Pointing at records that deviate from learned association rules.
Fuzzy Logic based method
In recent years Fuzzy Logic has been adopted in several outlier detection approaches in order to improve results coming from popular outlier detection techniques. Yousri et al. proposed an approach based on fuzzy logic in order to merge results obtained with an outlier detection method, which establishes if a pattern is an outlier and a clustering algorithm which provides results in allocating patterns to clusters. The two results, provided by the two different approaches, are then combined to give a meaure of outlierness. Another fuzzy based approach is proposed by Xue et al. This approach, called Fuzzy Rough Semi Supervised Outlier Detection (FRSSOD), is the combination of two approaches: the Semi-Supervised Outlier Detection method (SSOD)  and the Fuzzy Rough C-means clustering (FRCM). The objective of the FRSSOD method is to establish if a pattern under consideration can be considered as an outlier. Finally another fuzzy-based method, called Fuzzy Combination of Outlier Detection Techniques (FUCOT)  combines different popular outlier detection methods exploiting the advantages of each of them while overcoming their drawbacks.
Application to data security
Anomaly detection was proposed for Intrusion detection systems (IDS) by Dorothy Denning in 1986. Anomaly detection for IDS is normally accomplished with thresholds and statistics, but can also be done with Soft computing, and inductive learning. Types of statistics proposed by 1999 included profiles of users, workstations, networks, remote hosts, groups of users, and programs based on frequencies, means, variances, covariances, and standard deviations. The counterpart of Anomaly detection in Intrusion detection is Misuse Detection.
- Chandola, V.; Banerjee, A.; Kumar, V. (2009). "Anomaly detection: A survey". ACM Computing Surveys 41 (3): 1. doi:10.1145/1541880.1541882.
- Hodge, V. J.; Austin, J. (2004). "A Survey of Outlier Detection Methodologies". Artificial Intelligence Review 22 (2): 85. doi:10.1007/s10462-004-4304-y.
- Dokas, Paul; Levent Ertoz, Vipin Kumar, Aleksandar Lazarevic, Jaideep Srivastava, Pang-Ning Tan (2002). "Data mining for network intrusion detection". Proceedings NSF Workshop on Next Generation Data Mining.
- Tomek, Ivan (1976). "An Experiment with the Edited Nearest-Neighbor Rule". IEEE Transactions on Systems, Man, and Cybernetics 6 (6): 448. doi:10.1109/TSMC.1976.4309523.
- Smith, M. R.; Martinez, T. (2011). "Improving classification accuracy by identifying and removing instances that should be misclassified". The 2011 International Joint Conference on Neural Networks. p. 2690. doi:10.1109/IJCNN.2011.6033571. ISBN 978-1-4244-9635-8.
- Breunig, M. M.; Kriegel, H.-P.; Ng, R. T.; Sander, J. (2000). "LOF: Identifying Density-based Local Outliers". Proceedings of the 2000 ACM SIGMOD International Conference on Management of Data. SIGMOD: 93–104. doi:10.1145/335191.335388. ISBN 1-58113-217-4.
- Yousri, N.A.; Ismal, M.A. Kamel, M.S. "Fuzzy Outlier Analysis a combined Clustering-outlier Detection Approach". IEEE SMC 2007.
- Xue, Z.; Shang, Y. Feng, A. "Semi-supervised outlier detection based on fuzzy rough C-means clustering". Mathematics and Computers in Simulation 80, pp. 1911-1921, 2010.
- Gao, J.; Cheng, H.B. Tan, P.N. "Semi-supervised outlier detection". Proceedings of the ACM Symposiumon Applied Computing, vol. 1, ACM Press, Dijon France, 2006, pp. 635-636.
- Hu, Q.; Yu, D. "An improved clustering algorithm for information granulation". Proceedings of 2nd International Conference on Fuzzy Systems and Knowledge Discovery, Vol. 3613, LNCS, Springer Verlag Berlin/Heidelberg/Changsa, china, pp. 494-504,2006.
- Cateni, S.; Colla,V. Nastasi, G. "A multivariate fuzzy system applied for outliers detection". Journal of Intelligent and Fuzzy Systems, 24 (4), pp.889-903, 2013.
- Denning, D. E. (1987). "An Intrusion-Detection Model". IEEE Transactions on Software Engineering (2): 222. doi:10.1109/TSE.1987.232894. CiteSeerX: 10.1.1.102.5127.
- Teng, H. S.; Chen, K.; Lu, S. C. (1990). "Adaptive real-time anomaly detection using inductively generated sequential patterns". Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy: 278–284. doi:10.1109/RISP.1990.63857. ISBN 0-8186-2060-9.
- Jones, Anita K.; Sielken, Robert S. (1999). "Computer System Intrusion Detection: A Survey". Technical Report, Department of Computer Science, University of Virginia, Charlottesville, VA. CiteSeerX: 10.1.1.24.7802.