SLIDE 1
Anomaly Detection
Jia-Bin Huang Virginia Tech
Spring 2019
ECE-5424G / CS-5824
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 - - PowerPoint PPT Presentation
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 - - PowerPoint PPT Presentation
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features
SLIDE 2
SLIDE 3
Anomaly Detection
- Motivation
- Developing an anomaly detection system
- Anomaly detection vs. supervised learning
- Choosing what features to use
- Multivariate Gaussian distribution
SLIDE 4
Anomaly Detection
- Motivation
- Developing an anomaly detection system
- Anomaly detection vs. supervised learning
- Choosing what features to use
- Multivariate Gaussian distribution
SLIDE 5
Anomaly detection example
- Dataset π¦(1), π¦(2), β― , π¦(π)
- New engine: π¦text
- Aircraft engine features:
- π¦1 = heat generated
- π¦2 = vibration intensity
π¦2
vibration
π¦1
heat
SLIDE 6
Density estimation
- Dataset π¦(1), π¦(2), β― , π¦(π)
- Is π¦text anomalous?
Model π π
- π π¦text < π β flag anomaly
- π π¦text β₯ π β OK
π¦2
vibration
π¦1
heat
SLIDE 7
Anomaly detection example
- Fraud detection
- π¦(π)= features of user Iβs activities
- Model π π¦ from data
- Identify unusual users by checking which have π π¦ < π
- Manufacturing
- Monitoring computers in a data center
- π¦(π)= features of machine i
- π¦1= memory use, π¦2= number of disk accesses/sec
- π¦3= CPU load, π¦4 = CPU load/network traffic
SLIDE 8
Anomaly Detection
- Motivation
- Developing an anomaly detection system
- Anomaly detection vs. supervised learning
- Choosing what features to use
- Multivariate Gaussian distribution
SLIDE 9
Gaussian (normal) distribution
- Say π¦ β π. If π¦ is a distributed Gaussian with mean π, variance π2.
- π¦ βΌ π(π, π2)
π standard deviation
- π π¦; π, π2 =
1 2ππ exp β π¦βπ 2 2π2
SLIDE 10
Gaussian distribution examples
SLIDE 11
Parameter estimation
- Dataset π¦(1), π¦(2), β― , π¦(π)
- π¦ βΌ π(π, π2)
- Maximum likelihood estimation
- ΰ·
π =
1 π Οπ=1 π π¦(π)
- ΰ·’
π2 =
1 π Οπ=1 π (π¦ π β ΰ·
π)2
SLIDE 12
Density estimation
- Dataset π¦(1), π¦(2), β― , π¦(π)
- Each example π¦ β ππ
- π π¦ = π(π¦1; π1, π1
2) π π¦2; π2, π2 2 β― π π¦π; ππ, ππ 2
= Ξ π π(π¦π; ππ, π
π 2)
SLIDE 13
Anomaly detection algorithm
- 1. Choose features π¦π that you think might be indicative of anomalous
examples
- 2. Fit parameters π1, π2, β― , ππ, π1
2, π2 2, β― , ππ 2
- ππ =
1 π Οπ=1 π π¦π (π)
- π
π 2 = 1 π Οπ=1 π (π¦π π β ππ)2
- 3. Given new example π¦, compute π π¦
π π¦ = Ξ π π(π¦π; ππ, π
π 2)
Anomaly if π π¦ < π
SLIDE 14
Evaluation
- Assume we have some labeled data, of anomalous and non-
anomalous examples (π§ = 0 if normal, π§ = 1 if anomalous)
- Training set π¦(1), π¦(2), β― , π¦(π) (assume normal examples)
- Cross-validation set: (π¦ππ€
(1), π§ππ€ (1)), (π¦ππ€ (2), π§ππ€ (2)), β― , (π¦ππ€ (πππ€), π§ππ€ (πππ€))
- Test set: (π¦π’ππ‘π’
(1) , π§π’ππ‘π’ (1) ), (π¦π’ππ‘π’ (2) , π§π’ππ‘π’ (2) ), β― , (π¦π’ππ‘π’ (ππ’ππ‘π’), π§π’ππ‘π’ (ππ’ππ‘π’))
SLIDE 15
Aircraft engines motivating example
- 10000 good (normal) engines
- 20 flawed engines (anomalous)
- Training set: 6000 good engines
- CV: 2000 good engines (y = 0), 10 anomalous (y = 1)
- Test: 2000 good engines (y = 0), 10 anomalous (y = 1)
SLIDE 16
Algorithm evaluation
- Fit model π(π¦) on training set {π¦ 1 , β― , π¦ π }
- On a cross-validation/test example π¦, predict
- π§ = α1
if π π¦ < π (anomaly) if π π¦ β₯ π (normal)
- Possible evaluation metrics:
- True positive, false positive, false negative, true negative
- Precision/Recall
- F1-score
- Can use cross-validation set to choose parameter π
SLIDE 17
Evaluation metric
- How about accuracy?
- Assume only 0.1% of the engines are anomaly (skewed classes)
- Declare every example as normal -> 99.9% accuracy!
SLIDE 18
Precision/Recall
- F1 score: 2
ππ π+π
SLIDE 19
Anomaly Detection
- Motivation
- Developing an anomaly detection system
- Anomaly detection vs. supervised learning
- Choosing what features to use
- Multivariate Gaussian distribution
SLIDE 20
Anomaly detection
- Very small number of positive
examples (y=1) (0-20 is common)
- Large number of negative (y=0)
examples
- Many different types of anomalies.
Hard for any algorithm to learn from positive examples what the anomalies look like
- Future anomalies may look nothing
like any of the anomalous examples we have seen so far Supervised learning Large number of positive and negative examples Enough positive examples for algorithm to get a sense of what positive are like, future positive examples likely to be similar to ones in training set.
SLIDE 21
Anomaly detection
- Fraud detection
- Manufacturing
- Monitoring machines in a data
center Supervised learning
- Email spam classification
- Weather prediction
- Cancer classification
SLIDE 22
Anomaly Detection
- Motivation
- Developing an anomaly detection system
- Anomaly detection vs. supervised learning
- Choosing what features to use
- Multivariate Gaussian distribution
SLIDE 23
Non-Gaussian features
log π¦
SLIDE 24
Error analysis for anomaly detection
Want π(π¦) large for normal examples π¦ π(π¦) small for anomalous examples π¦ Most common problem: π(π¦) is comparable (say both large) for normal and anomalous examples
SLIDE 25
Monitoring computers in a data center
- Choose features that might take on unusually large or small values in
the event of an anomaly
- π¦1 = memory use of computer
- π¦2 = number of dis accesses/sec
- π¦3 = CPU load
- π¦4 = network traffic
- π¦5 =
CPU load network traffic π¦5 = CPU load^2 network traffic
SLIDE 26
Anomaly Detection
- Motivation
- Developing an anomaly detection system
- Anomaly detection vs. supervised learning
- Choosing what features to use
- Multivariate Gaussian distribution
SLIDE 27
Motivating example: Monitoring machines in a data center
π¦1 (CPU load) π¦2 (Memory use) π¦1 (CPU load) π¦2 (Memory use)
SLIDE 28
Multivariate Gaussian (normal) distribution
- π¦ β ππ. Donβt model π π¦1 , π π¦2 , β― separately
- Model π π¦ all in one go.
- Parameters: π β ππ, Ξ£ β ππΓπ (covariance matrix)
- π π¦; π, Ξ£ =
1 2π π/2 Ξ£ 1/2 exp β π¦ β π β€Ξ£β1(π¦ β π)
SLIDE 29
Multivariate Gaussian (normal) examples
Ξ£ = 1 1 Ξ£ = 0.6 0.6 Ξ£ = 2 2 π¦1 π¦2 π¦1 π¦2 π¦1 π¦2
SLIDE 30
Multivariate Gaussian (normal) examples
Ξ£ = 1 1 Ξ£ = 0.6 1 Ξ£ = 2 1 π¦1 π¦2 π¦1 π¦2 π¦1 π¦2
SLIDE 31
Multivariate Gaussian (normal) examples
Ξ£ = 1 1 Ξ£ = 1 0.5 0.5 1 Ξ£ = 1 0.8 0.8 1 π¦1 π¦2 π¦1 π¦2 π¦1 π¦2
SLIDE 32
Anomaly detection using the multivariate Gaussian distribution
- 1. Fit model π π¦ by setting
π = 1 π ΰ·
π=1 π
π¦(π) Ξ£ = 1 π ΰ·
π=1 π
(π¦(π)βπ)(π¦(π) β π)β€ 2 Give a new example π¦, compute π π¦; π, Ξ£ = 1 2π π/2 Ξ£ 1/2 exp β π¦ β π β€Ξ£β1(π¦ β π) Flag an anomaly if π π¦ < π
SLIDE 33
Original model π π¦1; π1, π1
2 π π¦2; π2, π2 2 β― π π¦π; ππ, ππ 2
Manually create features to capture anomalies where π¦1, π¦2 take unusual combinations of values Computationally cheaper (alternatively, scales better) OK even if training set size is small
Original model
π π¦; π, Ξ£ = 1 2π π/2 Ξ£ 1/2 exp(β π¦ β π β€Ξ£β1(π¦
SLIDE 34
Things to remember
- Motivation
- Developing an anomaly detection system
- Anomaly detection vs. supervised learning
- Choosing what features to use
- Multivariate Gaussian distribution