3 research outputs found

    Online Anomaly Detection in Time-Series

    Methods for online anomaly detection are designed to reveal anomalies in a continuous stream of data rather than in a static dataset. These methods are able to adapt to the changes of underlying characteristics of the stream that might occur in time (concept drift). This thesis reviews four methods suitable for online anomaly detection in time-series (moving average, local outlier factor, isolation forest, hierarchical temporal memory) and several concept drift detection methods including some novel approaches. A general framework that allows various anomaly detection methods and concept drift detection methods to be combined orthogonally is proposed. Experiments were executed for all reviewed methods on five real-world datasets and one artificial dataset. During the experiments, the properties of individual methods were examined as well as their performance compared to the other methods. Results of the experiments show that none of the methods is superior to the others on all datasets in terms of F1 score adapted for anomaly detection (harmonic mean of recall and false positive rate) and AUC. In the majority of cases, an optimal method setting with F1 score >85% and AUC >90% was found.

    Real-Time Detection of Demand Manipulation Attacks on a Power Grid

    Increased usage of IoT devices across the globe has posed a threat to the power grid. When an attacker has access to multiple IoT devices within the same geographical location, they can possibly disrupt the power grid by regulating a botnet of high-wattage IoT devices. Based on the time and situation of the attack, an adversary needs access to a fixed number of IoT devices to synchronously switch all of them on or off, resulting in an imbalance between supply and demand. When the frequency of the power generators drops below a threshold value, it can lead to the generators tripping and potentially failing. Attacks such as these can cause an imbalance in the grid frequency, line failures and cascades, can disrupt a black start, or can increase the operating cost. The challenge lies in early detection of abnormal demand peaks in a large section of the power grid from the power operator’s side, as it only takes seconds to cause a generator failure before any action could be taken. Anomaly detection comes in handy to alert the power operator to anomalous behavior while such an attack is taking place. However, it is difficult to detect anomalies, especially when such attacks are taking place obscurely and for prolonged time periods. With this motive, we compare different anomaly detection systems in terms of detecting these anomalies collectively. We generate attack data using real-world power consumption data across multiple apartments to assess the performance of various prediction-based detection techniques as well as commercial detection applications, and observe the cases when the attacks were not detected. Using static thresholds for the detection process does not reliably detect attacks when they are performed at different times of the year and also lets the attacker exploit the system to create the attack obscurely. To combat the effects of using static thresholds, we propose a novel dynamic thresholding mechanism, which improves attack detection, reaching up to a 100% detection rate when used with prediction-based anomaly score techniques.

    Investigation and Modelling of a Cortical Learning Algorithm in the Neocortex

    Many algorithms today provide a good machine learning solution in a specific problem domain, like pattern recognition, clustering, classification, sequence learning, image recognition, etc. They are all suitable for solving some particular problem but are limited regarding flexibility. For example, the algorithm that plays Go cannot do image classification, anomaly detection, or learn sequences. Inspired by the functioning of the neocortex, this work investigates if it is possible to design and implement a universal algorithm that can solve more complex tasks more intelligently in the way the neocortex does. Motivated by the remarkable replication degree of the same and similar circuitry structures in the entire neocortex, this work focuses on the idea of the generality of the neocortex cortical algorithm and suggests the existence of canonical cortical units that can solve more complex tasks if combined in the right way inside of a neural network. Unlike traditional neural networks, algorithms used and created in this work rely only on the findings of neural sciences. Initially inspired by the concept of Hierarchical Temporal Memory (HTM), this work demonstrates how Sparse Encoding, Spatial- and Sequence-Learning can be used to model an artificial cortical area with the cortical algorithm called Neural Association Algorithm (NAA). The proposed algorithm generalises the HTM and can form canonical units that consist of biologically inspired neurons, synapses, and dendrite segments, and explains how interconnected canonical units can build a semantical meaning. Results demonstrate how such units can store a large amount of information, learn sequences, build contextual associations that create meaning and provide robustness to noise with high spatial similarity. Inspired by findings in neurosciences, this work also improves some aspects of the existing HTM and introduces the newborn stage of the algorithm. The extended algorithm takes control of a homeostatic plasticity mechanism and ensures that learned patterns remain stable. Finally, this work also delivers the algorithm for the computation over distributed mini-columns that can be executed in parallel using the Actor Programming Model.