efficient anomaly detection
play

Efficient Anomaly Detection by Isolation using Nearest Neighbour - PowerPoint PPT Presentation

Mar 09, 2024 •240 likes •657 views

Information Technology Efficient Anomaly Detection by Isolation using Nearest Neighbour Ensemble Tharindu Rukshan Bandaragoda Kai Ming Ting David Albrecht Fei Tony Liu Jonathan R. Wells Outline Overview of anomaly detection

  1. Information Technology Efficient Anomaly Detection 
 by 
 Isolation using Nearest Neighbour Ensemble Tharindu Rukshan Bandaragoda Kai Ming Ting David Albrecht Fei Tony Liu Jonathan R. Wells 


  2. Outline 
 ▪ Overview of anomaly detection ▪ Existing methods ▪ Motivation ▪ iNNE ▪ Empirical evaluation 2

  3. Anomaly Detection 
 ▪ Properties of anomalies – Not conforming to the norm in a dataset – Rare and different from others ▪ Applications: – Intrusion detection in computer networks – Credit card fraud detection – Disturbance detection in natural systems (e.g., hurricane) ▪ Challenges – Datasets becoming larger : need efficient methods – Datasets increasing in dimensions : need methods effective in high-dimensional scenarios 3

  4. Existing methods ▪ Clustering based methods – Instances that do not belong to any cluster are anomalies – Some measures used: • Membership of a cluster (Ester et al., 1996) • Distance from closest cluster centroid • Ratio between distance to cluster centroid and cluster size (He et al., 2003) – Issues • Computationally expensive: O(n 2 ) or higher • Do not provide a score to determine the granularity of an anomaly (strong or weak anomaly) 4

  5. Existing methods ▪ Distance/density based methods – Instances having far neighbours are anomalies – Some measures used : • k th -nearest neighbour distance (Ramaswamy et al., 2000) • Average distance of k -nearest neighbours (Angiulli et al., 2002) • Number of instances inside an r radius hypersphere (Ren et al., 2004) – Issues • Nearest neighbour search is expensive – O(n 2 ) time complexity • Insensitive to locality and thus fail to detect local anomalies 5

  6. Existing methods ▪ Relative density based methods – Instances having lower density than its neighbourhood are anomalies – Measure the ratio between density of a data point and average density of its neighbourhood – k- nearest neighbour distance (Breunig et al., 2000) or number of instances in r -radius neighbourhood (Papadimitriou et al., 2003) are used as proxies to density. – Issues • Nearest neighbour search is expensive – O(n 2 ) time complexity 6

  7. Existing methods ▪ Isolation based methods – Attempt to isolate anomalies from others – Exploit anomalous properties of being few and different – iForest (Liu et al., 2008) • Partition feature space using axis-parallel subdivisions • Instances isolated earlier are anomalies • Build an ensemble of binary trees from randomly selected samples • Extremely efficient : O(nt ψ ) where t is ensemble size and ψ is subsample size • Effective in detection global anomalies of low dimensional datasets 7

  8. Motivation ▪ iForest is a highly efficient method – Can scale up to very large datasets ▪ It fails in some scenarios such as: – Local anomaly detection – Anomaly detection in noisy datasets – Axis parallel masking ▪ Hypothesis : weaknesses of iForest occurs due to its isolation mechanism ▪ Solution : use a better isolation mechanism to overcome the weaknesses 8

  9. iNNE ▪ iNNE : i solation using N earest N eighbour E nsembles ▪ Features: – Overcome the identified weaknesses of iForest – Retain the efficiency of iForest and scale up to very large datasets – Perform competitively with existing methods 9

  10. Intuition ▪ Anomalies are expected to be far from its Nearest Neighbours ▪ Isolation can be performed by creating a region around an instance to isolate it from other instances – Large regions in sparse areas – Small regions in dense areas ▪ Radius of the region is a measure of isolation ▪ Radius of the region relative to neighbouring region is a measure of relative-isolation ▪ Points that fall into regions with a high relative-isolation are anomalies 10

  11. Local Regions – Sample is selected randomly from the given dataset 11

  12. Local Regions – Sample is selected randomly from the given dataset 12

  13. Local Regions – Sample is selected randomly from the given dataset 13

  14. Local Regions – Sample is selected randomly from the given dataset 14

  15. Local Regions – Sample is selected randomly from the given dataset 15

  16. Local Regions – Sample is selected randomly from the given dataset – Local-regions , are created centering each 16

  17. Local Regions – Sample is selected randomly from the given dataset – Local-regions , are created centering each – Radius 17

  18. Local Regions – Sample is selected randomly from the given dataset – Local-regions , are created centering each – Radius is the nearest neighbour of c where 18

  19. Local Regions – Sample is selected randomly from the given dataset – Local-regions , are created centering each – Radius is the nearest neighbour of c where 19

  20. Isolation Score 20

  21. Isolation Score ▪ Based on 21

  22. Isolation Score ▪ Based on ▪ Isolation score I(x) for x 22

  23. Isolation Score ▪ Based on ▪ Isolation score I(x) for x – Find the smallest B(c) s.t. 23

  24. Isolation Score ▪ Based on ▪ Isolation score I(x) for x – Find the smallest B(c) s.t. – Isolation score based on the ratio 24

  25. Isolation Score ▪ Based on ▪ Isolation score I(x) for x – Find the smallest B(c) s.t. – Isolation score based on the ratio ▪ Isolation score I(y) for y 25

  26. Isolation Score ▪ Based on ▪ Isolation score I(x) for x – Find the smallest B(c) s.t. – Isolation score based on the ratio ▪ Isolation score I(y) for y – Ds 26

  27. Isolation Score ▪ Based on ▪ Isolation score I(x) for x – Find the smallest B(c) s.t. – Isolation score based on the ratio ▪ Isolation score I(y) for y – Ds – Maximum isolation score 27

  28. Anomaly score – Average of isolation scores over an ensemble of size t – Instances with high anomaly score are likely to be anomalies – Accuracy of the anomaly score improve with t • t = 100 is sufficient – Sample size is a parameter setting • Similar to k in k-NN based methods • Empirical results show that the required sample size is usually in the range 2 - 128 28

  29. Example ▪ X a get the maximum anomaly score – I(X a ) = 1 ▪ X b and X c get lower anomaly scores 29

  30. Time and space complexity ▪ Time complexity – Training stage : O( t Ψ 2 ) , t = ensemble size, Ψ = sample size – Evaluation stage: O(n t Ψ ) , n = data size – t and Ψ are constants for iNNE, t << n and Ψ << n (Default values: t = 100 and Ψ in the range 2 to 128) – Thus time complexity of iNNE is linear with n ▪ Space complexity – Only need to store the sets of hyperspheres – Hence has a constant space complexity: O( t Ψ ) 30

  31. iNNE : Advantages over iForest – Adapts well to local distribution better than axis- parallel subdivision – Uses all the available attributes to partition data space into regions – Isolation score is a local measure , which is defined relative to the local neighbourhood 31

  32. Comparison with LOF ▪ Similarities – Employ NN distance – Score based on relative measure to local-neighbourhood ▪ Differences : O(n) versus O(n 2 ) – iNNE : An ensemble based eager learner – LOF: Lazy learner – iNNE: Partition the space in to regions based on NN distance • Does not relies on the accuracy of underlying k-NN density estimator – LOF: Estimates the relative-density based on k-NN distance • Heavily relies on the accuracy of underlying k-NN density estimator • Hence, ensemble version of LOF (Zimek et al., 2013) requires a larger sample size than iNNE 32

  33. Detection of local anomalies 
 33

  34. Resilient to low relevant dimensions ▪ 1000 dimensional dataset used, while changing percentage of relevant dimensions from 1% to 30% ▪ Irrelevant dimensions have random noise ▪ iNNE is more resilient than iForest

  35. Axis parallel masking 
 ▪ iNNE produces better contour maps of anomaly scores, tightly fitted to the data distribution iForest iNNE Dataset • Spiral dataset with 4000 normal instances (blue cross) and 6 anomaly instances (red diamond) • iNNE : AUC = 1:00, Anomaly Ranking: 1 - 6 • iForest : AUC = 0:86, Anomaly Ranking: 75, 320, 345, 354, 563, 1802 35

  36. Scaleup test: Increasing size of dataset ▪ Compared execution time against iForest , LOF and ORCA ▪ 5 dimensional datasets are used with increasing size ▪ iNNE can efficiently scale up to very large datasets ▪ For a 10-million dataset iForest : 9 m iNNE : 1 h 40 m LOF: 220 d (projected) LOFIndexed: 7 h 30 m ORCA: 15 d (projected) LOFIndexed = LOF with R*-Tree indexing Isolation-based anomaly detection: A re-examination 36

  37. Scaleup test: Increasing dimensions of dataset ▪ Compared execution time against LOF and ORCA ▪ 100,000 instance datasets are used with increasing dimensions ▪ For 1000-dimension dataset iNNE( Ψ = 2): 14m iNNE( Ψ = 32): 3 h 40 m LOF: 12h 50m LOFIndexed: 15h ▪ iNNE efficiently scales up to high dimensional datasets ▪ An indexing scheme becomes more expensive in high dimensions 37

  38. Performance in Benchmark datasets 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
&lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection

&lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection

Data Council Singapre 2019 Autoencoder Forest for Anomaly Detection from IoT Time Series &lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection Autoencoder for anomaly detection Autoencoder

540 views • 27 slides
In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS Anomaly Detection Goal: Identify rare or strange objects 2 Anomaly

756 views • 51 slides
Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The Pennsylvania State University Anomaly Intrusion Detection Systems Anomaly Intrusion Detection Systems Model normal behavior. Attack - Any

417 views • 20 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Isolation trees Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Isolation

Isolation trees Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Isolation

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R Isolation trees Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Isolation tree DataCamp Anomaly Detection in R Isolation tree plots DataCamp Anomaly Detection in R

631 views • 19 slides
On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman.

On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman.

Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman. Cinvestav, Campus Guadalajara, Mexico November 2015

690 views • 24 slides
ACCT 420: Topic modeling and anomaly detection Session 8 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 8 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 8 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning objectives Theory: NLP Anomaly detection Application: Understand annual report readability Examine the

1.12k views • 85 slides
An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate April 25, 2010 The 3rd CAIDA-WIDE-CASFI Joint Measurement Workshop @Osaka 1 2010 4 25 Background Anomaly Detection:

331 views • 20 slides
Anomaly Detection with State Space Models Multi-dimensional State Space Models SVD Method EM

Anomaly Detection with State Space Models Multi-dimensional State Space Models SVD Method EM

Anomaly Detection CAMCOS 2009 Introduction ADAPT Anomaly Detection with State Space Models Multi-dimensional State Space Models SVD Method EM Algorithm Kalman Filter Maja Derek, Kate Isaacs, Duncan McElfresh, Jennifer Alarm Murguia,

1.4k views • 96 slides
ACCT 420: Topic modeling and anomaly detection Session 9 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 9 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 9 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning objectives Theory: NLP Anomaly detection Application: Understand the distribution of readability Examine

1.31k views • 82 slides
T h e p h y s i c a l o r i g i n o f l o n g g a s d e p l e t i

T h e p h y s i c a l o r i g i n o f l o n g g a s d e p l e t i

T h e p h y s i c a l o r i g i n o f l o n g g a s d e p l e t i o n t i me s i n g a l a x i e s w h y ? V a d i m S e me n o v A n d r e y K r a v t s o v N i c k G

531 views • 10 slides
Inference by enumeration Slightly intelligent way to sum out variables from the joint without

Inference by enumeration Slightly intelligent way to sum out variables from the joint without

Inference by enumeration Slightly intelligent way to sum out variables from the joint without actually constructing its explicit representation Simple query on the burglary network: Inference in Bayesian networks B E P ( B | j, m ) = P ( B, j,

465 views • 7 slides
JIN Ting He A Photo A Photo

JIN Ting He A Photo A Photo

JIN Ting He A Photo A Photo

653 views • 17 slides
GENERAL MEETING 19-August-20 38th ABMB Annual General Meeting 19 August 2020 Key Results

GENERAL MEETING 19-August-20 38th ABMB Annual General Meeting 19 August 2020 Key Results

38 th ANNUAL GENERAL MEETING 19-August-20 38th ABMB Annual General Meeting 19 August 2020 Key Results Contents 1 FY20 Financial Performance 2 FY20 Transformation Achievements 19-August-20 38th ABMB Annual General Meeting 19-August-20 38th

742 views • 17 slides
Ha Hardes est T t Things A s Abou out C t CCPA Pr Privacy &amp; Security Academy Oc

Ha Hardes est T t Things A s Abou out C t CCPA Pr Privacy &amp; Security Academy Oc

Ha Hardes est T t Things A s Abou out C t CCPA Pr Privacy &amp; Security Academy Oc October 15, 2019 Introduction Part rtici cipa pants Industry Professionals Fenwick Aaron Ting Lael Bellamy Lead Counsel, Product &amp; Privacy

295 views • 25 slides
Hypergeometric Series and Gaussian Hypergeometric Functions Fang-Ting Tu , joint with Alyson

Hypergeometric Series and Gaussian Hypergeometric Functions Fang-Ting Tu , joint with Alyson

Hypergeometric Series and Gaussian Hypergeometric Functions Fang-Ting Tu , joint with Alyson Deines, Jenny Fuselier, Ling Long, Holly Swisher a Women in Numbers 3 project National Center for Theoretical Sciences, Taiwan Mini-workshop at LSU on

666 views • 32 slides
Noise characterization for LISA Julien Sylvestre Massimo Tinto Caltech/JPL GWDAW 2003 1 of 8

Noise characterization for LISA Julien Sylvestre Massimo Tinto Caltech/JPL GWDAW 2003 1 of 8

Noise characterization for LISA Julien Sylvestre Massimo Tinto Caltech/JPL GWDAW 2003 1 of 8 Noise characterization with one IFO Measured signals are the sum of (possibly continuous) gravitational wave signals and of instrumental noise

461 views • 8 slides
Utah Leaders for Health 2016 Purpose: Convener of a large group of stakeholders to align

Utah Leaders for Health 2016 Purpose: Convener of a large group of stakeholders to align

Utah Leaders for Health 2016 Purpose: Convener of a large group of stakeholders to align efforts to engage individuals, groups and communities in the adoption of healthy behaviors by: Sector engagement Education Businesses Faith

527 views • 6 slides

More recommend