Quantitative comparison of unsupervised anomaly detection algorithms for intrusion detection

Falcão, Filipe; Zoppi, Tommaso; Silva, Caio Barbosa Viera; Santos, Anderson; Fonseca, Baldoíno; Ceccarelli, Andrea; Bondavalli, Andrea

doi:10.1145/3297280.3297314

Cited by 43 publications

(31 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…k th NN assigns anomaly score of an instance by computing the distance to its k th -nearest-neighbor, whereas kNN takes the average distance over all k-nearest-neighbors. Both methods are shown to have competitive performance in various comparative studies [16,17,12,18]. In particular, the comparative study developed by Goldstein and Uchida [16] is the one of most comprehensive analysis to date that includes the discussion of NN-methods and, at the same time, aligns with the unsupervised anomaly detection setup.…”

Section: Empirical Performance Of Nn-methodsmentioning

confidence: 99%

Statistical Analysis of Nearest Neighbor Methods for Anomaly Detection

Gu,

Akoglu,

Rinaldo

2019

Preprint

View full text Add to dashboard Cite

Nearest-neighbor (NN) procedures are well studied and widely used in both supervised and unsupervised learning problems. In this paper we are concerned with investigating the performance of NN-based methods for anomaly detection. We first show through extensive simulations that NN methods compare favorably to some of the other state-of-the-art algorithms for anomaly detection based on a set of benchmark synthetic datasets. We further consider the performance of NN methods on real datasets, and relate it to the dimensionality of the problem. Next, we analyze the theoretical properties of NN-methods for anomaly detection by studying a more general quantity called distance-to-measure (DTM), originally developed in the literature on robust geometric and topological inference. We provide finite-sample uniform guarantees for the empirical DTM and use them to derive misclassification rates for anomalous observations under various settings. In our analysis we rely on Huber's contamination model and formulate mild geometric regularity assumptions on the underlying distribution of the data.33rd Conference on Neural Information Processing Systems (NeurIPS 2019),

show abstract

Section: Empirical Performance Of Nn-methodsmentioning

confidence: 99%

Statistical Analysis of Nearest Neighbor Methods for Anomaly Detection

Gu,

Akoglu,

Rinaldo

2019

Preprint

View full text Add to dashboard Cite

show abstract

“…The proposed anomaly detection approach supports anomaly detection in ongoing streaming sessions as it recalculates the probability for a specific session to be anomalous for each new streaming control event that is received. Falcão et al (2019) they evaluate experimentally a pool of twelve unsupervised anomaly detection algorithms on five attacks datasets. Results allow elaborating on a wide range of arguments, from the behavior of the individual algorithm to the suitability of the datasets to anomaly detection.…”

Section: Related Workmentioning

confidence: 99%

Anomaly Detection Algorithms for Streaming Data: Performance Comparison

Hasani¹

2020

Journal of Computer Science

View full text Add to dashboard Cite

Today's most of the data are streaming time-series data, where is very important anomaly detection over this data because gives significant information of possible critical situations. Detecting anomalies in big streaming data is yet difficult task because we have to process them in real time, even before they are stored and instantly alarm on potential threats. For real time streaming data is important the algorithm used for anomaly detection to be robust with low processing time, eventually at the cost of the accuracy. The aim of this paper is to measure the performance of such algorithms and them to compare with our previously proposed algorithm HW-GA with other existing methods as ARIMA, Moving Average and Holt Winters. The algorithms are implemented in R system and tested on the three Numenta datasets, with known anomalies and own e-dnevnik dataset with unknown anomalies. Evaluation is done by comparing achieved results (the algorithm execution time and CPU usage). As a result of this research we may say that our algorithm HW-GA outperforms others algorithm that we have compared by showing less CPU usage and execution time. Our continues interest is to monitor the streaming log data that are generating in the national educational network (e-dnevnik) that acquires a massive number of online queries and to detect anomalies in order to scale up performance, prevent network downs, alarm on possible attacks and similar.

show abstract

“…The authors Filipe Falcão, et.al., [6] they evaluate experimentally a pool of twelve unsupervised anomaly detection algorithms on ve attacks datasets. Results allow elaborating on a wide range of arguments, from the behavior of the individual algorithm to the suitability of the datasets to anomaly detection.…”

Section: Tp-true Positive Fp-false Positive Fn-false Negative Tn-tmentioning

confidence: 99%

Performance Comparison of Anomaly Detection Algorithms for Streaming Data

Hasani

Fondaj

2020

Preprint

View full text Add to dashboard Cite

Most of the today's world data are streaming, time-series data, where anomalies detection gives significant information of possible critical situations. Yet, detecting anomalies in big streaming data is a difficult task, requiring detectors to acquire and process data in a real-time, as they occur, even before they are stored and instantly alarm on potential threats. Suitable to the need for real-time alarm and unsupervised procedures for massive streaming data anomaly detection, algorithms have to be robust, with low processing time, eventually at the cost of the accuracy. In this work we compare the performance of our proposed anomaly detection algorithm HW-GA[1] with other existing methods as ARIMA [10], Moving Average [11] and Holt Winters [12]. The algorithms are tested and results are visualized in the system R, on the three Numenta datasets, with known anomalies and own e-dnevnik dataset with unknown anomalies. Evaluation is done by comparing achieved results (the algorithm execution time and CPU usage). Our interest is monitoring of the streaming log data that are generating in the national educational network (e-dnevnik) that acquires a massive number of online queries and to detect anomalies in order to scale up performance, prevent network downs, alarm on possible attacks and similar.

show abstract

Quantitative comparison of unsupervised anomaly detection algorithms for intrusion detection

Cited by 43 publications

References 39 publications

Statistical Analysis of Nearest Neighbor Methods for Anomaly Detection

Statistical Analysis of Nearest Neighbor Methods for Anomaly Detection

Anomaly Detection Algorithms for Streaming Data: Performance Comparison

Performance Comparison of Anomaly Detection Algorithms for Streaming Data

Contact Info

Product

Resources

About