[PPT] - In Incorporating Feedback in into Tree-based Anomaly Detection PowerPoint Presentation

SLIDE 1

In Incorporating Feedback in into Tree-based Anomaly Detection

Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS

SLIDE 2

Anomaly Detection

Goal: Identify rare or strange objects

2

SLIDE 3

Anomaly Detection

Goal: Identify rare or strange objects

2

SLIDE 4

Typical Investigation

3

Anomaly Detector 𝑔(𝑦) Ranking

SLIDE 5

Typical Investigation

3

Anomaly Detector 𝑔(𝑦) Ranking

SLIDE 6

Typical Investigation

3

Anomaly Detector 𝑔(𝑦) Ranking

SLIDE 7

Typical Investigation

3

Anomaly Detector 𝑔(𝑦) Ranking

. . .

SLIDE 8

Typical Investigation

Major problem: Statistical anomalies

don’t necessarily correspond to semantic anomalies

Need to deal with large number of

false positives

3

Anomaly Detector 𝑔(𝑦) Ranking

. . .

SLIDE 9

Investigation with Feedback

4

Anomaly Detector 𝑔(𝑦) Ranking

SLIDE 10

Investigation with Feedback

4

Anomaly Detector 𝑔(𝑦) Ranking Nominal

SLIDE 11

Investigation with Feedback

4

Anomaly Detector 𝑔(𝑦) Ranking Nominal

SLIDE 12

Investigation with Feedback

4

Anomaly Detector 𝑔(𝑦) Ranking

SLIDE 13

Investigation with Feedback

4

Anomaly Detector 𝑔(𝑦) Ranking Nominal

SLIDE 14

Investigation with Feedback

4

Anomaly Detector 𝑔(𝑦) Ranking Nominal

SLIDE 15

Investigation with Feedback

4

Anomaly Detector 𝑔(𝑦) Ranking

. . .

Nominal

SLIDE 16

Investigation with Feedback

4

Anomaly Detector 𝑔(𝑦) Ranking

. . .

Anomaly

SLIDE 17

Investigation with Feedback

4

Anomaly Detector 𝑔(𝑦) Ranking

. . .

Anomaly

SLIDE 18

Investigation with Feedback

Ranking is adaptive
Reduces false positive

4

Anomaly Detector 𝑔(𝑦) Ranking

. . .

Anomaly

SLIDE 19

Tree-based Anomaly Detection

Isolation Forest
HS-Trees
RS-Forest
RPAD
Random Projection Forest
…

5

SLIDE 20

Isolation Forest

6

Random feature and random split point Deeper leaf indicates nominal

Shallow leaf indicates anomaly

< ≥

SLIDE 21

Isolation Forest

6

Random feature and random split point Deeper leaf indicates nominal

Shallow leaf indicates anomaly

< ≥

SLIDE 22

Isolation Forest

6

Typically 100 trees in practice Random feature and random split point Deeper leaf indicates nominal

Shallow leaf indicates anomaly

< ≥

SLIDE 23

Weighted Representation of Trees

7

< ≥

𝒚 𝑨(𝑦) = −1, 0, 0, −1, 0, 0, 0, −1, −1, … 𝑈

(extremely sparse)

Weights for isolation forest:

𝑥 = 1, 1, 1, 1, 1, 1, 1, 1, 1, … 𝑈

Different set of weights will result other tree based detectors

𝑡𝑑𝑝𝑠𝑓 𝑦 = 𝑥𝑈. 𝑨 𝑦

SLIDE 24

Active Anomaly Discovery

8

𝑟𝜐

𝑢

𝑥𝑢

SLIDE 25

Active Anomaly Discovery

8

𝑟𝜐

𝑢

𝑥𝑢

SLIDE 26

Active Anomaly Discovery

8

𝑟𝜐

𝑢

Nominal 𝑥𝑢

SLIDE 27

Active Anomaly Discovery

8

𝑟𝜐

𝑢

𝑟𝜐

𝑢+1

Nominal 𝑥𝑢 𝑥𝑢+1

SLIDE 28

Active Anomaly Discovery

8

𝑟𝜐

𝑢

𝑟𝜐

𝑢+1

Nominal 𝑥𝑢 𝑥𝑢+1

SLIDE 29

Active Anomaly Discovery

8

𝑟𝜐

𝑢

𝑟𝜐

𝑢+1

Nominal Anomaly 𝑥𝑢 𝑥𝑢+1

SLIDE 30

Active Anomaly Discovery

8

𝑟𝜐

𝑢

𝑟𝜐

𝑢+1

𝑟𝜐

𝑢+2

Nominal Anomaly 𝑥𝑢 𝑥𝑢+1 𝑥𝑢+2

SLIDE 31

Active Anomaly Discovery

8

𝑟𝜐

𝑢

𝑟𝜐

𝑢+1

𝑟𝜐

𝑢+2

Nominal Anomaly 𝑥𝑢 𝑥𝑢+1 𝑥𝑢+2

SLIDE 32

Active Anomaly Discovery

8

𝑟𝜐

𝑢

𝑟𝜐

𝑢+1

𝑟𝜐

𝑢+2

Nominal Anomaly 𝑥𝑢 𝑥𝑢+1 𝑥𝑢+2

…

SLIDE 33

9

Synthetic Dataset Baseline discovers 12 anomalies in 35 iterations AAD discovers 23 anomalies in 35 iterations

True anomalies

Result

SLIDE 34

10

Result

0 Feedback

SLIDE 35

10

Result

0 Feedback 10 Feedback

SLIDE 36

10

Result

0 Feedback 10 Feedback 20 Feedback

SLIDE 37

10

Result

0 Feedback 10 Feedback 20 Feedback 25 Feedback

SLIDE 38

10

Result

0 Feedback 10 Feedback 20 Feedback 25 Feedback 35 Feedback

SLIDE 39

A closer look at the data with t-SNE

11

SLIDE 40

A closer look at the data with t-SNE

−50 50 −50 50 x y

o
o
o
o
+

+ + + + + + + + + + + +

+ + + + + + + + + + + + + + + + Abalone Baseline

−100 −50 50 100 −100 −50 50 100 x y

o
o
o
o
o
o
o
o
+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + ++ + + + + + + + + + + + + + + + + ANN Thyroid 1v3 Baseline

𝝥 False Positive + False Negative + True Positive

𝗉 True Negative

11

SLIDE 41

A closer look at the data with t-SNE

−50 50 −50 50 x y

o
o
o
o
+

+ + + + + + + + + + + +

+ + + + + + + + + + + + + + + + Abalone Baseline

−50 50 −50 50 x y

o
o
o
o
o
+

+ + + + + + + +

+ + + + + + + + + + + + + + + + + + + + Abalone IF-AAD

−100 −50 50 100 −100 −50 50 100 x y

o
o
o
o
o
o
o
o
+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + ++ + + + + + + + + + + + + + + + + ANN Thyroid 1v3 Baseline

𝝥 False Positive + False Negative + True Positive

𝗉 True Negative

−100 −50 50 100 −100 −50 50 100 x y

o
o
o
o
o
o
o
+

+ + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + ANN Thyroid 1v3 IF-AAD

11

SLIDE 42

A closer look at the data with t-SNE

−50 50 −50 50 x y

o
o
o
o
+

+ + + + + + + + + + + +

+ + + + + + + + + + + + + + + + Abalone Baseline

−50 50 −50 50 x y

o
o
o
o
o
+

+ + + + + + + +

+ + + + + + + + + + + + + + + + + + + + Abalone IF-AAD

−100 −50 50 100 −100 −50 50 100 x y

o
o
o
o
o
o
o
o
+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + ++ + + + + + + + + + + + + + + + + ANN Thyroid 1v3 Baseline

Effect of feedback
Increase focus where

anomalies have been discovered previously 𝝥 False Positive + False Negative + True Positive

𝗉 True Negative

−100 −50 50 100 −100 −50 50 100 x y

o
o
o
o
o
o
o
+

+ + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + ANN Thyroid 1v3 IF-AAD

11

SLIDE 43

A closer look at the data with t-SNE

−50 50 −50 50 x y

o
o
o
o
+

+ + + + + + + + + + + +

+ + + + + + + + + + + + + + + + Abalone Baseline

−50 50 −50 50 x y

o
o
o
o
o
+

+ + + + + + + +

+ + + + + + + + + + + + + + + + + + + + Abalone IF-AAD

−100 −50 50 100 −100 −50 50 100 x y

o
o
o
o
o
o
o
o
+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + ++ + + + + + + + + + + + + + + + + ANN Thyroid 1v3 Baseline

Effect of feedback
Increase focus where

anomalies have been discovered previously

Remove focus from

unpromising regions 𝝥 False Positive + False Negative + True Positive

𝗉 True Negative

−100 −50 50 100 −100 −50 50 100 x y

o
o
o
o
o
o
o
+

+ + + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ++ + + + + + + + + + + + + + + + + + + ANN Thyroid 1v3 IF-AAD

11

SLIDE 44

12

10 20 30 40 50 60 10 20 30 40 50 60

iter # anomalies seen IForest Baseline IF−AAD LODA−AAD

20 40 60 80 100 20 40 60 80 100

iter # anomalies seen IForest Baseline IF−AAD LODA−AAD

20 40 60 80 100 20 40 60 80 100

iter # anomalies seen IForest Baseline IF−AAD LODA−AAD

Abalone Covtype Mammography

10 20 30 40 50 60 10 20 30 40 50 60

iter # anomalies seen IForest Baseline IF−AAD LODA−AAD

20 40 60 80 100 20 40 60 80 100

iter # anomalies seen IForest Baseline IF−AAD LODA−AAD

10 20 30 40 50 60 10 20 30 40 50 60

iter # anomalies seen IForest Baseline IF−AAD LODA−AAD

Cardiotocography KDDCup99 ANN Thyroid 1v3

SLIDE 45

Conclusion & Future Work

Human feedback is essential and improves the unsupervised learner ☺

13

SLIDE 46

Conclusion & Future Work

Human feedback is essential and improves the unsupervised learner ☺
Extend to other types of anomaly detectors

13

SLIDE 47

Conclusion & Future Work

Human feedback is essential and improves the unsupervised learner ☺
Extend to other types of anomaly detectors
Explanation based feedback

13

SLIDE 48

Questions?

14

SLIDE 49

Extra Slides

15

SLIDE 50

50 100 150 200 250 300 10 20 30 40 iter # anomalies seen

IForest Baseline IF−AAD IF−AAD−Tree

racle

50 100 150 200 250 300 50 100 150 200 250 300 iter # anomalies seen

IForest Baseline IF−AAD IF−AAD−Tree

racle

50 100 150 200 250 300 20 40 60 iter # anomalies seen

IForest Baseline IF−AAD IF−AAD−Tree

racle

Cardiotocography KDDCup99 ANN Thyroid 1v3

Results (adjusting tree weights instead of node-weights)

50 100 150 200 250 300 5 10 15 20 25 30 iter # anomalies seen

IForest Baseline IF−AAD IF−AAD−Tree

racle

50 100 150 200 250 300 50 100 150 200 250 300 iter # anomalies seen

IForest Baseline IF−AAD IF−AAD−Tree

racle

50 100 150 200 250 300 50 100 150 200 250 iter # anomalies seen

IForest Baseline IF−AAD IF−AAD−Tree

racle

Abalone Covtype Mammography

16

SLIDE 51

Timing Plots

50 100 150 200 250 300 50 100 150 200 250 300

number of queries time (secs)

IF−AAD

50 100 150 200 250 300 50 100 150 200 250 300

number of queries time (secs)

IF−AAD

50 100 150 200 250 300 50 100 150 200 250 300

number of queries time (secs)

IF−AAD

Covtype Mammography Shuttle

17