1,902 research outputs found
Autoencoders and Generative Adversarial Networks for Imbalanced Sequence Classification
Generative Adversarial Networks (GANs) have been used in many different
applications to generate realistic synthetic data. We introduce a novel GAN
with Autoencoder (GAN-AE) architecture to generate synthetic samples for
variable length, multi-feature sequence datasets. In this model, we develop a
GAN architecture with an additional autoencoder component, where recurrent
neural networks (RNNs) are used for each component of the model in order to
generate synthetic data to improve classification accuracy for a highly
imbalanced medical device dataset. In addition to the medical device dataset,
we also evaluate the GAN-AE performance on two additional datasets and
demonstrate the application of GAN-AE to a sequence-to-sequence task where both
synthetic sequence inputs and sequence outputs must be generated. To evaluate
the quality of the synthetic data, we train encoder-decoder models both with
and without the synthetic data and compare the classification model
performance. We show that a model trained with GAN-AE generated synthetic data
outperforms models trained with synthetic data generated both with standard
oversampling techniques such as SMOTE and Autoencoders as well as with state of
the art GAN-based models.
Intrusion detection for industrial control systems
Industrial Control Systems (ICS) are rapidly shifting from closed local networks to remotely accessible networks. This shift has created a need for strong cybersecurity anomaly and intrusion detection for these systems; however, due to the complexity and diversity of ICSs, well-defined and reliable anomaly and intrusion detection systems are still being developed. Machine learning approaches for anomaly and intrusion detection on the network level may provide general protection that can be applied to any ICS. This paper explores two machine learning applications for classifying the attack label of the UNSW-NB15 dataset. The UNSW-NB15 is a benchmark dataset that was created off general network communications and includes labels for normal behavior and attack vectors. A baseline was created using K-Nearest Neighbors (kNN) due to its mathematical simplicity. Once the baseline was created, a feed-forward artificial neural network known as a Multi-Layer Perceptron (MLP) was implemented for comparison due to its ease of reuse for running in a production environment. The experimental results show that both kNN and MLPs are effective approaches for identifying malicious network traffic, although both still need to be further refined and improved before implementation on a real-world production scale.
DDMT: Denoising Diffusion Mask Transformer Models for Multivariate Time Series Anomaly Detection
Anomaly detection in multivariate time series has emerged as a crucial
challenge in time series research, with significant research implications in
various fields such as fraud detection, fault diagnosis, and system state
estimation. Reconstruction-based models have shown promising potential in
recent years for detecting anomalies in time series data. However, due to the
rapid increase in data scale and dimensionality, the issues of noise and Weak
Identity Mapping (WIM) during time series reconstruction have become
increasingly pronounced. To address this, we introduce a novel Adaptive Dynamic
Neighbor Mask (ADNM) mechanism and integrate it with the Transformer and
Denoising Diffusion Model, creating a new framework for multivariate time
series anomaly detection, named Denoising Diffusion Mask Transformer (DDMT).
The ADNM module is introduced to mitigate information leakage between input and
output features during data reconstruction, thereby alleviating the problem of
WIM during reconstruction. The Denoising Diffusion Transformer (DDT) employs
the Transformer as an internal neural network structure for Denoising Diffusion
Model. It learns the stepwise generation process of time series data to model
the probability distribution of the data, capturing normal data patterns and
progressively restoring time series data by removing noise, resulting in a
clear recovery of anomalies. To the best of our knowledge, this is the first
model that combines Denoising Diffusion Model and the Transformer for
multivariate time series anomaly detection. Experimental evaluations were
conducted on five publicly available multivariate time series anomaly detection
datasets. The results demonstrate that the model effectively identifies
anomalies in time series data, achieving state-of-the-art performance in
anomaly detection. Comment: 16 pages, 9 figures
A Family of Joint Sparse PCA Algorithms for Anomaly Localization in Network Data Streams
Determining anomalies in data streams that are collected and transformed from various types of networks has recently attracted significant research interest. Principal Component Analysis (PCA) is arguably the most widely applied unsupervised anomaly detection technique for networked data streams due to its simplicity and efficiency. However, none of the existing PCA-based approaches addresses the problem of identifying the sources that contribute most to the observed anomaly, or anomaly localization. In this paper, we first proposed a novel joint sparse PCA method to perform anomaly detection and localization for network data streams. Our key observation is that we can detect anomalies and localize anomalous sources by identifying a low dimensional abnormal subspace that captures the abnormal behavior of data. To better capture the sources of anomalies, we incorporated the structure of the network stream data in our anomaly localization framework. Also, an extended version of PCA, multidimensional KLE, was introduced to stabilize the localization performance. We performed comprehensive experimental studies on four real-world data sets from different application domains and compared our proposed techniques with several state-of-the-art methods. Our experimental studies demonstrate the utility of the proposed methods.
Archetype analysis: A new subspace outlier detection approach
The problem of detecting outliers in multivariate data sets with continuous numerical features is addressed by a new method. This method combines projections into relevant subspaces by archetype analysis with a nearest neighbor algorithm, through an appropriate ensemble of the results. Our method is able to detect an anomaly in a simple data set with a linear correlation of two features, while other methods fail to recognize that anomaly. Our method performs among the top in an extensive comparison with 23 state-of-the-art outlier detection algorithms with several benchmark data sets. Finally, a novel industrial data set is introduced, and an outlier analysis is carried out to improve the fit of footwear, since this kind of analysis has never been fully exploited in the anthropometric field. Funding for open access charge: CRUE-Universitat Jaume
Unsupervised Anomaly Detectors to Detect Intrusions in the Current Threat Landscape
Anomaly detection aims at identifying unexpected fluctuations in the expected
behavior of a given system. It is acknowledged as a reliable answer to the
identification of zero-day attacks to such extent, several ML algorithms that
suit for binary classification have been proposed throughout years. However,
the experimental comparison of a wide pool of unsupervised algorithms for
anomaly-based intrusion detection against a comprehensive set of attacks
datasets was not investigated yet. To fill such gap, we exercise seventeen
unsupervised anomaly detection algorithms on eleven attack datasets. Results
allow elaborating on a wide range of arguments, from the behavior of the
individual algorithm to the suitability of the datasets to anomaly detection.
We conclude that algorithms as Isolation Forests, One-Class Support Vector
Machines and Self-Organizing Maps are more effective than their counterparts
for intrusion detection, while clustering algorithms represent a good
alternative due to their low computational complexity. Further, we detail how
attacks with unstable, distributed or non-repeatable behavior as Fuzzing, Worms
and Botnets are more difficult to detect. Ultimately, we digress on
capabilities of algorithms in detecting anomalies generated by a wide pool of
unknown attacks, showing that achieved metric scores do not vary with respect
to identifying single attacks. Comment: Will be published on ACM Transactions Data Science
Unsupervised Model Selection for Time-series Anomaly Detection
Anomaly detection in time-series has a wide range of practical applications.
While numerous anomaly detection methods have been proposed in the literature,
a recent survey concluded that no single method is the most accurate across
various datasets. To make matters worse, anomaly labels are scarce and rarely
available in practice. The practical problem of selecting the most accurate
model for a given dataset without labels has received little attention in the
literature. This paper answers this question, i.e., given an unlabeled dataset
and a set of candidate anomaly detectors, how can we select the most accurate
model? To this end, we identify three classes of surrogate (unsupervised)
metrics, namely, prediction error, model centrality, and performance on
injected synthetic anomalies, and show that some metrics are highly correlated
with standard supervised anomaly detection performance metrics such as the
score, but to varying degrees. We formulate metric combination with
multiple imperfect surrogate metrics as a robust rank aggregation problem. We
then provide theoretical justification behind the proposed approach.
Large-scale experiments on multiple real-world datasets demonstrate that our
proposed unsupervised approach is as effective as selecting the most accurate
model based on partially labeled data. Comment: Accepted at International Conference on Learning Representations
(ICLR) 2023 with a notable-top-25% recommendation. Reviewer, AC and author
discussion available at https://openreview.net/forum?id=gOZ_pKANaP