Anomaly detection

Anomaly detection

Anomaly detection, also referred to as outlier detection[1] refers to detecting patterns in a given data set that do not conform to an established normal behavior.[2] The patterns thus detected are called anomalies and often translate to critical and actionable information in several application domains. Anomalies are also referred to as outliers, change, deviation, surprise, aberrant, peculiarity, intrusion, etc.

In particular in the context of abuse and network intrusion detection, the interesting objects are often not rare objects, but unexpected bursts in activity. This pattern does not adhere to the common statistical definition of an outlier as a rare object, and many outlier detection methods (in particular unsupervised methods) will fail on such data, unless it has been aggregated appropriately. Instead, a cluster analysis algorithm may be able to detect the micro clusters formed by these patterns.

Three broad categories of anomaly detection techniques exist. Unsupervised anomaly detection techniques detect anomalies in an unlabeled test data set under the assumption that the majority of the instances in the data set are normal by looking for instances that seem to fit least to the remainder of the data set. Supervised anomaly detection techniques require a data set that has been labeled as "normal" and "abnormal" and involves training a classifier (the key difference to many other statistical classification problems is the inherent unbalanced nature of outlier detection). Semi-supervised anomaly detection techniques construct a model representing normal behavior from a given normal training data set, and then testing the likelihood of a test instance to be generated by the learnt model.[citation needed]



Anomaly detection is applicable in a variety of domains, such as intrusion detection, fraud detection, fault detection, system health monitoring, event detection in sensor networks, and detecting eco-system disturbances. It is often used in preprocessing to remove anomalous data from the dataset. In supervised learning, removing the anomalous data from the dataset often results in a statistically significant increase in accuracy.[3][4]

Popular Anomaly Detection Techniques

Several anomaly detection techniques have been proposed in literature. Some of the popular techniques are:

Application to Data Security

Anomaly detection was proposed for Intrusion detection systems (IDS) by Dorothy Denning in 1986.[6] Anomaly detection for IDS is normally accomplished with thresholds and statistics, but can also be done with Soft computing, and inductive learning[7]. Types of statistics proposed by 1999 included profiles of users, workstations, networks, remote hosts, groups of users, and programs based on frequencies, means, variances, covariances, and standard deviations.[8] The counterpart of Anomaly detection in Intrusion detection is Misuse Detection.

See also


  1. ^ Hans-Peter Kriegel, Peer Kröger, Arthur Zimek (2009). "Outlier Detection Techniques (Tutorial)". 13th Pacific-Asia Conference on Knowledge Discovery and Data Mining (PAKDD 2009) (Bangkok, Thailand). Retrieved 2010-06-05. 
  2. ^ Varun Chandola, Arindam Banerjee, and Vipin Kumar, Anomaly Detection: A Survey, ACM Computing Surveys, Vol. 41(3), Article 15, July 2009
  3. ^ Ivan Tomek (1976). "An Experiment with the Edited Nearest-Neighbor Rule". IEEE Transactions on Systems, Man and Cybernetics. 6. pp. 448-452. 
  4. ^ Michael R Smith and Tony Martinez (2011). "Improving Classification Accuracy by Identifying and Removing Instances that Should Be Misclassified". Proceedings of International Joint Conference on Neural Networks (IJCNN 2011). pp. 2690-2697. 
  5. ^ Breunig, M. M.; Kriegel, H. -P.; Ng, R. T.; Sander, J. (2000). "LOF: Identifying Density-based Local Outliers". ACM SIGMOD Record 29: 93. doi:10.1145/335191.335388.  edit
  6. ^ Denning, Dorothy, "An Intrusion Detection Model," Proceedings of the Seventh IEEE Symposium on Security and Privacy, May 1986, pages 119-131.
  7. ^ Teng, Henry S., Chen, Kaihu, and Lu, Stephen C-Y, "Adaptive Real-time Anomaly Detection Using Inductively Generated Sequential Patterns," 1990 IEEE Symposium on Security and Privacy
  8. ^ Jones, Anita K., and Sielken, Robert S., "Computer System Intrusion Detection: A Survey," Technical Report, Department of Computer Science, University of Virginia, Charlottesville, VA, 1999

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Anomaly Detection — …   Википедия

  • Network Behavior Anomaly Detection — Contents 1 Network Behavior Anomaly Detection (NBAD) 2 Popular Threat Detections within NBAD 3 Commercial NBAD Products 4 External links …   Wikipedia

  • Anomaly-based intrusion detection system — An Anomaly Based Intrusion Detection System, is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous . The classification is based on heuristics or rules, rather than …   Wikipedia

  • Anomaly (Primeval) — Anomalies are fictional phenomena which occur in the science fiction television series Primeval and are a type of time portal. The anomaly is shown as an orb of fractured reflective or refractive triangles in the air, much like shards of broken… …   Wikipedia

  • Intrusion detection system — An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.[1] Some systems may attempt to stop …   Wikipedia

  • Magnetic anomaly detector — MAD rear boom on P 3C The SH 60B Seahawk helicopter carries …   Wikipedia

  • Change detection — In statistical analysis, change detection tries to identify changes in the probability distribution of a stochastic process or time series. In general the problem concerns both detecting whether or not a change has occurred, or whether several… …   Wikipedia

  • Intrusion detection — In Information Security, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. When Intrusion detection takes a preventive measure without direct human… …   Wikipedia

  • Misuse Detection — actively works against potential insider threats to vulnerable company data.MisuseMisuse detection is an approach in detecting attacks. In misuse detection approach, we define abnormal system behaviour at first, and then define any other… …   Wikipedia

  • Misuse detection — actively works against potential insider threats to vulnerable company data. Contents 1 Misuse 1.1 Theory 2 References 3 Further reading …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.