El Navegador

The performances of different methods depend on the parameter selection. In this section, we evaluated the sensitivity of our methods to different modeling parameters. In order to do so, we selected one parameter at a time, systematically changed its value while fixing the others at their optimal values. Although our approaches have more parameters than the other two methods, the sensitivity analysis shows that performances of our methods are remarkably stable over a wide range of parameters. Next we show the sensitivity study on the stock indices data set for the parameters λ1 and λ2, δ, k. Similar results are observed

on the other two data sets.

In Figure 5.12, we show the stability by changing λ1 in GJSPCA. We observe that AUC

is quite stable over a wide range of λ1. A similar phenomenon is also observed when changing

λ2. On the middle part of figure 5.12, we performed sensitivity analysis on parameter δ. We

observe that AUC remains stable for δ ∈ [0.15, 0.6]. When δ = 0, the graph is a complete graph and the smoothness regularization will penalize the loadings of each source across the PCs to be similar each other. Hence very low δ leads to a worse performance. On the other hand, when δ = 1, the graph is just a set of isolated sources. The structure information is missing, therefore the performance is not optimal.

An important parameter in PCA based anomaly detection is k, the number of PCs spanning the normal subspace. In [48], Ringberg et al.claimed that the anomaly detection performance was very sensitive to k. From the right part of figure 5.12, it is clear that GJSPCA is still sensitive to the dimension of normal subspace. More specifically, the overall

−80 −6 −4 −2 0 2 0.2 0.4 0.6 0.8 1 log₂(λ1) AUC −80 −6 −4 −2 0 2 4 6 8 0.2 0.4 0.6 0.8 1 log₂(λ2) AUC 0 0.2 0.4 0.6 0.8 1 0.8 0.85 0.9 0.95 1 AUC δ 1 2 3 4 0 0.2 0.4 0.6 0.8 1 AUC # of Principal Componens

Figure 5.12: From left to right, sensitivity analysis of GSPCA on λ1, λ2, δ, and the dimension of

the normal subspace.

AUC gradually decreases from 0.96 to 0.72 as k changes from 1 to 3 and then increases to 0.77 at k = 4. However even in the worst case k = 3 it still has a good performance with AUC= 0.73.

Figure 5.13 shows the parameters sensitivity of KL extension and demonstrates that the effectiveness of KLE to stabilize performance.. The most noticeable improvement is the sensitivity of k shown in the last figure. Compared with PCA based method, GJSKLE successfully stabiles the localization performance when k changes. For k ∈ [1, 4], AUC remains above 0.9. Specifically, For k = 2, AUC has a 5% increase to 0.94, compared with the worst case 0.89 for k = 4. KL extension also has a considerable stabilizing effect on sensitivity with δ changing. When δ changes from 0 to 1 with step 0.1, AUC increases to

−80 −6 −4 −2 0 2 0.2 0.4 0.6 0.8 1 log2(λ1) AUC −80 −6 −4 −2 0 2 4 6 8 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 log2(λ2) AUC 0 0.2 0.4 0.6 0.8 1 0.8 0.85 0.9 0.95 1 AUC δ 1 2 3 4 0 0.2 0.4 0.6 0.8 1 AUC # of Principal Componens

Figure 5.13: From left to right, sensitivity analysis of GJSKLE on λ1, λ2, δ, and the dimension of

the normal subspace.

1 2 3 4 5 0 0.2 0.4 0.6 0.8 1

AUC

N

Figure 5.14: Sensitivity analysis of GJSKLE on N.

its optimum 0.94 at δ = 0.5, and then decreases 3% to its minimum 0.91 at δ = 1. The sharp decrease in the range [0, 0, 1] and [0.6, 1] in the last figure of 5.12 becomes much more

moderate.

JSKLE and GJSKLE involves one more parameter: the temporal correlation range N . To test the sensitivity of N , we repeated the experiments of KLE with different N from 1 to 5 on the finance data set. Note that (G)JSPCA is a special case of (G)JSKLE when N = 1. The result is shown in 5.14. With the changing of N , AUC performance is very stable. The difference between the optimal case (N = 1) and the worse case (N = 5) is just 0.07. It may be apparent that N = 1 (degenerated to (G)JSPCA) is better than other cases. However by selecting N = 2, AUC of GJSKLE is stabilized when changing δ and dimension of normal space, as we can see the difference in last two figures of 5.13.

References

[1] D. P. Bertsekas. Nonlinear programming. Athena Scientific. 2nd edition., 1999.

[2] S. Boyd and L. Vandenberghe. Convex Optimization. Cambridge University Press, 2004.

[3] D. Brauckhoff, X. Dimitropoulos, A. Wagner, and K. Salamatian. Anomaly extraction in back- bone networks using association rules. In Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference, IMC ’09, pages 28–34, 2009.

[4] D. Brauckhoff, K. Salamatian, and M. May. Applying pca for traffic anomaly detection: Problems and solutions. In INFOCOM, pages 2866–2870. IEEE, 2009.

[5] S. Budhaditya, D.-S. Pham, M. Lazarescu, and S. Venkatesh. Effective anomaly detection in sensor networks data streams. IEEE International Conference on Data Mining, ICDM2009, 0:722–727, 2009.

[6] A. B. Chan, V. Mahadevan, and N. Vasconcelos. Generalized stauffer-grimson background subtraction for dynamic scenes. Mach. Vis. Appl., 22(5):751–766, 2011.

[7] V. Chandola, A. Banerjee, and V. Kumar. Anomaly detection: A survey. ACM Comput. Surv., 41(3):15:1–15:58, July 2009.

[8] V. Chandola, A. Banerjee, and V. Kumar. Anomaly detection: A survey. ACM Comput. Surv., 41(3), 2009.

[9] X. Chen, W. Pan, J. T. Kwok, and J. G. Carbonell. Accelerated gradient method for multi-task sparse learning problem. In ICDM, pages 746–751, 2009.

[10] P. H. dos Santos Teixeira and R. L. Milidi´u. Data stream anomaly detection through prin- cipal subspace tracking. In SAC ’10: Proceedings of the 2010 ACM Symposium on Applied Computing, pages 1609–1616, New York, NY, USA, 2010. ACM.

[11] M. Eiermann, O. G. Ernst, and E. Ullmann. Computational aspects of the stochastic finite element method. Comput. Vis. Sci., 10:3–15, February 2007.

[12] H. Fei and J. Huan. Boosting with structure information in the functional space: an application to graph classification. In Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (SIGKDD), 2010.

[13] A. Frank and A. Asuncion. UCI machine learning repository, 2010.

[14] C. Franke and M. Gertz. Orden: outlier region detection and exploration in sensor networks. In SIGMOD Conference, pages 1075–1078, 2009.

[15] Z. Fu, W. Hu, and T. Tan. Similarity based vehicle trajectory clustering and anomaly detection. In ICIP (2), pages 602–605, 2005.

[16] K. Fukunaga. Introduction to statistical pattern recognition (2nd ed.). Academic Press Profes- sional, Inc., San Diego, CA, USA, 1990.

[17] S. R. Gaddam, V. V. Phoha, and K. S. Balagani. K-means+id3: A novel method for supervised anomaly detection by cascading k-means clustering and id3 decision tree learning methods. IEEE Trans. on Knowl. and Data Eng., 19(3):345–354, Mar. 2007.

[18] J. Gao, F. Liang, W. Fan, C. Wang, Y. Sun, and J. Han. On community outliers and their efficient detection in information networks. In Proceedings of the 16th ACM SIGKDD inter- national conference on Knowledge discovery and data mining, KDD ’10, pages 813–822, New York, NY, USA, 2010. ACM.

[19] X. Gu and H. Wang. Online anomaly prediction for robust cluster systems. In ICDE, pages 1000–1011, 2009.

[20] S. Hirose, K. Yamanishi, T. Nakata, and R. Fujimaki. Network anomaly detection based on eigen equation compression. In KDD ’09: Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining, pages 1185–1194, 2009.

[21] L. Huang, M. I. Jordan, A. Joseph, M. Garofalakis, and N. Taft. In-network pca and anomaly detection. In In NIPS, pages 617–624, 2006.

[22] T. Id´e, A. C. Lozano, N. Abe, and Y. Liu. Proximity-based anomaly detection using sparse structure learning. In SDM, pages 97–108, 2009.

[23] T. Id´e, S. Papadimitriou, and M. Vlachos. Computing correlation anomaly scores using stochastic nearest neighbors. In ICDM ’07: Proceedings of the 2007 Seventh IEEE Inter- national Conference on Data Mining, pages 523–528, Washington, DC, USA, 2007.

[24] M. Isaac, B. Raul, E. Gerard, and G. Mois`es. On-line fault diagnosis based on the identification of transient stages. In in Proc. of 20th European Symposium on Computer Aided Process Engineering C ESCAPE20. Elsevier B.V., 2010.

[25] S. Jakubek and T. Strasser. Fault-diagnosis using neural networks with ellipsoidal basis func- tions. In Proceedings of the American Control Conference, volume 5, pages 3846–3851, 2002. [26] R. Jenatton, G. Obozinski, and F. Bach. Structured sparse principal component analysis.

In Proceedings of the 13th International Conference on Artificial Intelligence and Statistics (AISTATS) 2010, 2010.

[27] S. Ji and J. Ye. An accelerated gradient method for trace norm minimization. In ICML ’09: Proceedings of the 26th Annual International Conference on Machine Learning, pages 457–464, New York, NY, USA, 2009. ACM.

[28] R. Jiang, H. Fei, and J. Huan. Anomaly localization by joint sparse pca in wireless sensor networks. In Proceedings of the The 4th International Workshop on Knowledge Discovery from Sensor Data (SensorKDD-2010), 2010.

[29] E. Keogh and T. Folias. The ucr time series data mining archive. Website, 2002. http: //www.cs.ucr.edu/eamonn/TSDMA/index.html.

[30] E. Keogh, J. Lin, and A. Fu. Hot sax: Efficiently finding the most unusual time series sub- sequence. In Proceedings of the Fifth IEEE International Conference on Data Mining, ICDM ’05, pages 226–233, Washington, DC, USA, 2005.

[31] D. Kosambi. Statistics in function space. 7:76–88, 1943.

[32] A. Lakhina, M. Crovella, and C. Diot. Diagnosing network-wide traffic anomalies. In In ACM SIGCOMM, pages 219–230, 2004.

[33] A. Lakhina, M. Crovella, and C. Diot. Mining anomalies using traffic feature distributions. In In ACM SIGCOMM, pages 217–228, 2005.

[34] J.-G. Lee, J. Han, and X. Li. Trajectory outlier detection: A partition-and-detect framework. In ICDE, pages 140–149, 2008.

[35] E. Leon, O. Nasraoui, and J. Gomez. Anomaly detection based on unsupervised niche clus- tering with application to network intrusion. In In Proceedings of the congress of evolutionary Computation, pages 502–508. Press, 2004.

[36] J. Liu, S. Ji, and J. Ye. Multi-task feature learning via efficient l2,1-norm minimization. In Conference on Uncertainty in Artificial Intelligence (UAI) 2009, 2009.

[37] X. Liu, X. Wu, H. Wang, R. Z. 0003, J. Bailey, and K. Ramamohanarao. Mining distribution change in stock order streams. In ICDE, pages 105–108, 2010.

[38] A. Lung-Yut-Fong, C. L´evy-Leduc, and O. Capp´e. Distributed detection/localization of change-points in high-dimensional network traffic data. CoRR, abs/0909.5524, 2009.

[39] V. Mahadevan, W. Li, V. Bhalodia, and N. Vasconcelos. Anomaly detection in crowded scenes. In CVPR, pages 1975–1981, 2010.

[40] L. M. Manevitz and M. Yousef. Document classification on neural networks using only posi- tive examples (poster session). In Proceedings of the 23rd annual international ACM SIGIR conference on Research and development in information retrieval, SIGIR ’00, pages 304–306, New York, NY, USA, 2000. ACM.

[41] S. L. Marple. Digital Spectral Analysis With Applications. Prentice Hall, Australia, Sydney, 1987.

[42] S. Mukkamala and A. H. Sung. Feature selection for intrusion detection using neural networks and support vector machines. Journal of the Transportation Research Board of the National Academies, pages 33–39, 2003.

[43] Y. Nesterov. Introductory lectures on convex optimization: A basic course. 2003.

[44] H. Nguyen, Y. Tan, and X. Gu. Pal: Propagation-aware anomaly localization for cloud hosted distributed applications. In PST, Cascais, Portugal, 2011.

[45] S. Pandit, D. H. Chau, S. Wang, and C. Faloutsos. Netprobe: a fast and scalable system for fraud detection in online auction networks. In Proceedings of the 16th international conference on World Wide Web, WWW ’07, pages 201–210, New York, NY, USA, 2007. ACM.

[46] R. Perdisci and G. Gu. Using an ensemble of one-class svm classifiers to harden payload-based anomaly detection systems. In In Proceedings of the IEEE International Conference on Data Mining (ICDM06, pages 488–498. IEEE Computer Society, 2006.

[47] C. Phua, V. Lee, K. Smith-Miles, and R. Gayler. A comprehensive survey of data mining-based fraud detection research. 2005.

[48] H. Ringberg, A. Soule, J. Rexford, and C. Diot. Sensitivity of pca for traffic anomaly detection. In SIGMETRICS ’07: Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, pages 109–120, 2007.

[49] C. A. Schenk and G. I. Schu¨eller. Uncertainty Assessment of Large Finite Element Systems, volume 24. Springer-Verlag, Berlin/Heidelberg/New York, 2005.

[50] R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, and S. Zhou. Specification- based anomaly detection: A new approach for detecting network intrusions, 2002.

[51] J. Silva and R. Willett. Detection of anomalous meetings in a social network. In 42nd Annual Conference on Information Sciences and Systems, 2008. CISS 2008., pages 636 –641, 2008.

[52] T. Stibor, J. Timmis, and C. Eckert. A comparative study of real-valued negative selection to statistical anomaly detection techniques. In Proceedings of the 4th International Conference on Artificial Immune Systems, volume 3627 of LNCS, pages 262–275. Springer, 2005.

[53] J. B. Tenenbaum, V. de Silva, and J. C. Langford. A Global Geometric Framework for Nonlinear Dimensionality Reduction. Science, 290(5500):2319 – 2323, 2000.

[54] M. Tuba, D. Bulatovic, O. Miljkovic, and D. Simian. Specific attack adjusted bayesian network for intrusion detection system. In Proceedings of the 9th WSEAS International Conference on Mathematics & Computers In Biology & Chemistry, MCBC’08, pages 107–111, Stevens Point, Wisconsin, USA, 2008. World Scientific and Engineering Academy and Society (WSEAS). [55] G. C. M. W. Weng-Keen Wong, Andrew Moore. Bayesian network anomaly pattern detection

for disease outbreaks. In T. Fawcett and N. Mishra, editors, Proceedings of the Twentieth International Conference on Machine Learning, pages 808–815, Menlo Park, California, August 2003. AAAI Press.

[56] W.-K. Wong, A. Moore, G. Cooper, and M. Wagner. Rule-based anomaly pattern detection for detecting disease outbreaks. In In Proceedings of the 18th National Conference on Artificial Intelligence, pages 217–223. MIT Press, 2002.

[57] M. Xie, S. Han, B. Tian, and S. Parvin. Anomaly detection in wireless sensor networks: A survey. J. Netw. Comput. Appl., 34(4):1302–1325, July 2011.

[58] N. Xu, S. Rangwala, and et al. A wireless sensor network for structural monitoring. In IN SENSYS, pages 13–24, 2004.

[59] J. Zhang, Q. Gao, and H. Wang. Anomaly detection in high-dimensional network data streams: A case study. In IEEE International Conference on Intelligence and Security Informatics, 2008. ISI 2008., pages 251 –253, June 2008.

[60] R. Zhang, S. Zhang, S. Muthuraman, and J. Jiang. One class support vector machine for anomaly detection in the communication network performance data. In Proceedings of the

5th conference on Applied electromagnetics, wireless and optical communications, ELECTRO- SCIENCE’07, pages 31–37, Stevens Point, Wisconsin, USA, 2007. World Scientific and Engi- neering Academy and Society (WSEAS).

[61] H. Zou and T. Hastie. Regularization and variable selection via the elastic net. Journal of the Royal Statistical Society B, 67:301–320, 2005.

[62] H. Zou, T. Hastie, and R. Tibshirani. Sparse principal component analysis. Journal of Com- putational and Graphical Statistics, 15(2):265–286, 2006.