Anomaly detection

In data mining, anomaly detection (or outlier detection) is the identification of items, events or observations which do not conform to an expected pattern or other items in a dataset.^[1] Typically the anomalous items will translate to some kind of problem such as bank fraud, a structural defect, medical problems or finding errors in text. Anomalies are also referred to as outliers, novelties, noise, deviations and exceptions.^[2]

In particular in the context of abuse and network intrusion detection, the interesting objects are often not rare objects, but unexpected bursts in activity. This pattern does not adhere to the common statistical definition of an outlier as a rare object, and many outlier detection methods (in particular unsupervised methods) will fail on such data, unless it has been aggregated appropriately. Instead, a cluster analysis algorithm may be able to detect the micro clusters formed by these patterns.^[3]

Three broad categories of anomaly detection techniques exist. Unsupervised anomaly detection techniques detect anomalies in an unlabeled test data set under the assumption that the majority of the instances in the data set are normal by looking for instances that seem to fit least to the remainder of the data set. Supervised anomaly detection techniques require a data set that has been labeled as "normal" and "abnormal" and involves training a classifier (the key difference to many other statistical classification problems is the inherent unbalanced nature of outlier detection). Semi-supervised anomaly detection techniques construct a model representing normal behavior from a given normal training data set, and then testing the likelihood of a test instance to be generated by the learnt model.^{[citation needed]}

Applications

Anomaly detection is applicable in a variety of domains, such as intrusion detection, fraud detection, fault detection, system health monitoring, event detection in sensor networks, and detecting Eco-system disturbances. It is often used in preprocessing to remove anomalous data from the dataset. In supervised learning, removing the anomalous data from the dataset often results in a statistically significant increase in accuracy.^[4][5]

Popular techniques

Several anomaly detection techniques have been proposed in literature. Some of the popular techniques are:

• Distance based techniques (k-nearest neighbor, local outlier factor^[6]).
• One class support vector machines.
• Replicator neural networks.
• Cluster analysis based outlier detection.
• Pointing at records that deviate from learned association rules.

Fuzzy Logic based method

In recent years fuzzy logic has been adopted in several outlier detection approaches in order to improve results coming from popular outlier detection techniques. Yousri et al.^[7] proposed an approach based on fuzzy logic in order to merge results obtained with an outlier detection method, which establishes if a pattern is an outlier and a clustering algorithm which provides results in allocating patterns to clusters. The two results, provided by the two different approaches, are then combined to give a meaure of outlierness. Another fuzzy based approach is proposed by Xue et al.^[8] This approach, called Fuzzy Rough Semi Supervised Outlier Detection (FRSSOD), is the combination of two approaches: the Semi-Supervised Outlier Detection method (SSOD) ^[9] and the Fuzzy Rough C-means clustering (FRCM).^[10] The objective of the FRSSOD method is to establish if a pattern under consideration can be considered as an outlier. Finally another fuzzy-based method, called Fuzzy Combination of Outlier Detection Techniques (FUCOT) ^[11] combines different popular outlier detection methods exploiting the advantages of each of them while overcoming their drawbacks.

Application to data security

Anomaly detection was proposed for Intrusion detection systems (IDS) by Dorothy Denning in 1986.^[12] Anomaly detection for IDS is normally accomplished with thresholds and statistics, but can also be done with Soft computing, and inductive learning.^[13] Types of statistics proposed by 1999 included profiles of users, workstations, networks, remote hosts, groups of users, and programs based on frequencies, means, variances, covariances, and standard deviations.^[14] The counterpart of Anomaly detection in Intrusion detection is Misuse Detection.

See also

• Outliers in statistics
• Change detection
• Intrusion detection system

References

1. Attention: This template ({{cite doi}}) is deprecated. To cite the publication identified by doi:10.1145/1541880.1541882, please use {{cite journal}} (if it was published in a bona fide academic journal, otherwise {{cite report}} with |doi=10.1145/1541880.1541882 instead.
2. Attention: This template ({{cite doi}}) is deprecated. To cite the publication identified by doi:10.1007/s10462-004-4304-y, please use {{cite journal}} (if it was published in a bona fide academic journal, otherwise {{cite report}} with |doi=10.1007/s10462-004-4304-y instead.
3. Dokas, Paul (2002). "Data mining for network intrusion detection" (PDF). Proceedings NSF Workshop on Next Generation Data Mining. {{cite journal}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
4. Attention: This template ({{cite doi}}) is deprecated. To cite the publication identified by doi:10.1109/TSMC.1976.4309523, please use {{cite journal}} (if it was published in a bona fide academic journal, otherwise {{cite report}} with |doi=10.1109/TSMC.1976.4309523 instead.
5. Attention: This template ({{cite doi}}) is deprecated. To cite the publication identified by doi:10.1109/IJCNN.2011.6033571, please use {{cite journal}} (if it was published in a bona fide academic journal, otherwise {{cite report}} with |doi=10.1109/IJCNN.2011.6033571 instead.
6. Attention: This template ({{cite doi}}) is deprecated. To cite the publication identified by doi: 10.1145/335191.335388 , please use {{cite journal}} (if it was published in a bona fide academic journal, otherwise {{cite report}} with |doi= 10.1145/335191.335388 instead.
7. Yousri, N.A. "Fuzzy Outlier Analysis a combined Clustering-outlier Detection Approach". IEEE SMC 2007. {{cite journal}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
8. Xue, Z. "Semi-supervised outlier detection based on fuzzy rough C-means clustering". Mathematics and Computers in Simulation 80, pp. 1911-1921, 2010. {{cite journal}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
9. Gao, J. "Semi-supervised outlier detection". Proceedings of the ACM Symposiumon Applied Computing, vol. 1, ACM Press, Dijon France, 2006, pp. 635-636. {{cite journal}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
10. Hu, Q.; Yu, D. "An improved clustering algorithm for information granulation". Proceedings of 2nd International Conference on Fuzzy Systems and Knowledge Discovery, Vol. 3613, LNCS, Springer Verlag Berlin/Heidelberg/Changsa, china, pp. 494-504,2006.
11. Cateni, S. "A multivariate fuzzy system applied for outliers detection". Journal of Intelligent and Fuzzy Systems, 24 (4), pp.889-903, 2013. {{cite journal}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
12. Attention: This template ({{cite doi}}) is deprecated. To cite the publication identified by doi:10.1109/TSE.1987.232894, please use {{cite journal}} (if it was published in a bona fide academic journal, otherwise {{cite report}} with |doi=10.1109/TSE.1987.232894 instead.
13. Attention: This template ({{cite doi}}) is deprecated. To cite the publication identified by doi:10.1109/RISP.1990.63857, please use {{cite journal}} (if it was published in a bona fide academic journal, otherwise {{cite report}} with |doi=10.1109/RISP.1990.63857 instead.
14. Jones, Anita K.; Sielken, Robert S. (1999). "Computer System Intrusion Detection: A Survey". Technical Report, Department of Computer Science, University of Virginia, Charlottesville, VA. CiteSeer^x: 10.1.1.24.7802.