In anomaly detection, the goal is to find objects that are

Transcription

In anomaly detection, the goal is to find objects that are
A Proposed Statistical Approach for Outlier
Detection
Dr. Amr Mohamed Mohamed Kamal
Ph.D. in Computers and Information
Information Technology Department
College of Applied Sciences
Ministry of Higher Education, Ibri, Sultanate of Oman.
Email: amrmkamal.ibr@cas.edu.om
Abstract:
This paper illustrates some applications,
causes, techniques, approaches of anomaly
detection, and important issues that need to
be addressed when dealing with anomalies.
It also suggests a proposed statistical
approach for anomaly detection.
Keywords
Anomalies detection; anomaly score; outlier
detection; outlier score; deviation detection;
data cleaning; discordant observation; and
exception mining.
1. Literature review:
Gupta provides a comprehensive and
structured overview of a large set of interesting
outlier definitions for various forms of
temporal data [3]. Ranjan presents a new
clustering approach for anomaly intrusion
detection by using the approach of K-medoids
method of clustering and its certain
modifications [5]. The proposed algorithm is
able to achieve high detection rate and
overcomes the disadvantages of K-means
algorithm [5]. Shon concentrated on machine
learning techniques for detecting attacks from
internet anomalies [6]. The machine learning
framework consists of two major components:
Genetic Algorithm (GA) for feature selection
and Support Vector Machine (SVM) for packet
classification. Thiprungsri examined the use of
clustering technology to automate fraud
filtering during an audit [4].
2. Introduction:
Anomaly is a pattern in the data that does not
conform to the expected behaviour. In anomaly
detection, the goal is to find objects that are
different from most other objects. Often,
anomalous objects are known as outliers, since
on a scatter plot of the data, they lie far away
from other data points. Anomaly detection is
also known as deviation detection, because
anomalous objects have attribute values that
deviate significantly from the expected or
typical attribute values, or as exception mining,
because anomalies are exceptional in some
cases. There are a variety of anomaly detection
approaches from several areas, including
statistics, machine learning, and data mining.
All try to capture the idea that an anomalous
data object is unusual or in some way
inconsistent with other objects. Although
unusual objects or events are, by definition,
relatively rare, this does not mean that they do
not occur frequently in absolute terms.
Anomalous values may indicate either a
problem or a new phenomenon to be
investigated. However, when they occur, their
consequences can be quite dramatic and quite
often in a negative sense. The following
examples illustrate some different applications
for which anomalies are of considerable
interest:
Fraud detection: The purchasing behavior of
someone who steals a credit card is probably
different from the original owner. Credit card
companies attempt to detect a theft by looking
for buying patterns that characterize theft or by
noticing a change from a typical behavior.
Intrusion detection: Unfortunately, attacks on
computer systems and computer networks are
commonplace. While some of these attacks
such as those designed to disable or
overwhelm computers and networks, are
obvious, other attacks, such as those designed
to secretly gather information, are difficult to
detect. Many of these instructions can only be
detected by monitoring systems and networks
for unusual behavior.
Ecosystem disturbances: In the natural world,
there are atypical events that can have a
significant effect on human beings. Examples
include hurricanes, floods, droughts, heat
weaves, global warming, and fires. The goal is
often to predict the likelihood of these events
and the causes of them.
Public health: If all children in a city are
vaccinated for a particular disease, e.g.,
measles, then the occurrence of a few cases
scattered across various hospitals in a city is an
anomalous event that may indicate a problem
with the vaccination programs in the city.
1
Although much of the recent interest in
anomaly detection has been driven by
applications in which anomalies are the focus,
historically, anomaly detection (and removal)
has been viewed as a technique for improving
data objects analysis. For instance, a relatively
small number of outliers can distort the mean
and standard deviation of a set of values or
alter the set of clusters produced by a
clustering algorithm. The term cluster refers to
a group of data objects among which there
exists a certain degree of similarity [1].
Therefore, anomaly detection (and removal) is
often a part of data processing.
3. Some issues of anomalies:
3.1 Data from different classes:
An object may be different from other objects,
(anomalous), because it is of a different type or
class. To illustrate, someone committing credit
card fraud belongs to a different class of credit
card users than those people who use credit
cards legitimately.
3.2 Natural variation:
Many data sets can be modeled by statistical
distributions, such as a normal (Gaussian)
distribution, where most of the objects are near
a center (average object) and the probability of
a data object decreases rapidly as the distance
of the object from the center of the distribution
increases.
3.3 Data measurement and collection
errors:
Errors in data collection or measurement
process are another source of anomalies.
Measurement may be recorded incorrectly
because of human error, a problem with the
measuring device, or the presence of noise.
The goal is to eliminate such anomalies, since
they provide no interesting information but
also reduce the quality of the data and the
subsequent data analysis. Indeed, the removal
of this type of anomaly is the focus of data
preprocessing, specifically data cleaning. So,
noise should be removed before outlier
detection.
4. Techniques to anomaly detection:
I will illustrate a high level description of some
anomaly detection techniques and their
associated definitions of an anomaly.
4.1 Model based techniques:
Many anomaly detection techniques first build
a model of the data. Anomalies are objects that
do not fit the model very well. For example, a
model of the distribution of the data can be
created by using the data to estimate the
parameters of a probability distribution. An
object does not fit the model very well; i.e., it
is an anomaly, if it is not very likely under the
distribution. If the model is a set of clusters,
then an anomaly is an object that does not
strongly belong to any cluster [4]. When a
regression model is used, an anomaly is an
object that is relatively far from its predicted
value [4]. Because anomalous and normal
objects can be viewed as defining two distinct
classes, classification techniques can be used
for building models of these two classes [1].
In some cases, it is difficult to build a model;
e.g., because the statistical distribution of data
is unknown or no training data are available. In
these situations, techniques that do not require
a model, such as those described below, can be
used.
4.2 Proximity-based techniques:
It is often possible to define a proximity
measure between objects, and a number of
anomaly detection approaches are based on
proximities. Anomalous objects are those that
are distant from most of the other objects.
Many of the techniques in this area are based
on distances and are referred to as distancebased outlier detection techniques [1].
4.3 Density-based techniques:
Objects that are in regions of low density are
relatively distant from their neighbors, and can
be considered anomalous [5].
5. Use of class labels:
There are three basic approaches to anomaly
detection: unsupervised, supervised, and semisupervised [4]. The major distinction is the
degree to which class labels (anomaly or
normal) are available for at least some of the
data.
5.1 Supervised anomaly detection:
Labels are available for both normal data and
anomalies [4].
5.2 Unsupervised anomaly detection:
No labels are assumed. Based on the
assumption that anomalies are very rare
compared to normal data. In such cases, the
objective is to assign a score (or a label) each
instance that reflects the degree to which the
instance is anomalous [4].
5.3 Semi-supervised anomaly detection:
Labels are available only for normal data. In
Semi-supervised setting, the objective is to
find an anomaly label or score for a set of
given objects by using the information from
labeled normal objects.
6. Important issues that need to be
addressed when dealing with anomalies:
6.1 Number of attributes used to define an
anomaly:
Since an object may have many attributes, it
may have anomalous values for some
attributes, but ordinary values for other
attributes. Furthermore, an object may be
anomalous even none of its attribute values are
individually anomalous. For example, it is
common to have people who are 70 cm tall
2
(child) or are 150 kg in weight, but uncommon
to have a 70 cm tall person who weights 150
kg. A general definition of an anomaly must
specify how the values of multiple attributes
are used to determine weather or not an object
is an anomaly. This is a particularly important
issue when the dimensionality of data is high.
6.2 Global versus local perspective:
An object may seem unusual with respect to all
objects, but not with respect to objects in its
local neighborhood. For example, a person
whose height is 2.3 m is unusually tall with
respect to the general population, but not with
respect to professional basketball players.
6.3 Degree to which a point is an anomaly:
An object is either an anomaly or it is not.
Frequently, this does not reflect the underlying
reality that some objects are more extreme
anomalies than others. Hence, it is desirable to
have some assessment of the degree to which
an object is anomalous. This assessment is
known as the anomaly or outlier score.
7. Statistical approaches:
Depending on weather we are working with a
population or a sample, a numerical measure is
known as either a parameter or a statistic.
Parameter: is a measure computed from the
entire population. As long as, the population
does not change, the value of the parameter
will not change [2]. Statistic is a measure from
a sample that has been selected from a
population. The value of the statistic will
depend on which sample is selected [2].
Statistical approaches are model-based
approaches; i.e., a model is created for the
data, and objects are evaluated with respect to
how well they fit the model. Most statistical
approaches to outlier detection are based on
building a probability distribution model and
considering how likely objects are under that
model. This paper represents one of the
statistical approaches for outlier detection.
8. Probabilistic definition of an outlier:
An outlier is an object that has a low
probability with respect to a probability
distribution model. If data are assumed to have
a Gaussian distribution, then the mean and
standard deviation of the underlying
distribution can be estimated by computing the
mean and standard deviation of the data. The
probability of each object under the
distribution can then be estimated. A wide
variety of statistical tests have been devised to
detect outliers, or discordant observations. So,
there are two basic assumptions:
1. Normal objects are in the center of the data
space.
2. Outliers are located at the border of the data
space [±3].
So, we will use the statistical concepts of
central tendency (sample mean, median, and
mode) and measure of variation (variance and
standard deviation) in our proposed approach.
9. Important issues that need to be
addressed when dealing with probabilistic
definition of an outlier:
9.1 Identifying the specific distribution of a
data set:
Probability is the way decision makers express
their uncertainty about outcomes and events.
Discrete distributions such as (uniform,
binomial, multinomial, hyper geometric,
Poisson, negative binomial and geometric)
combined with the continuous distributions
such as (normal, gamma, exponential, Chisquare, and weibull) are used frequently in
business decision making. Discrete random
variables are determined by counting.
Continuous random variables are determined
by measuring. Of course, if the wrong model is
chosen, then an object can be erroneously
identified as an outlier.
9.2 The number of attributes used:
Data set is univariate, bivariate, or multivariate
depending on whether it contains information
on one variable only, on two variables, or on
more than two [9]. Most statistical outlier
detection techniques apply to a single attribute,
but some techniques have been defined for
multivariate data. In this paper, I propose a
framework for detecting outliers in a
Univariate environment.
10. Detecting outliers in a Univariate
Normal Distribution:
The Gaussian (normal) distribution is one of
the most frequently used distributions in
statistics, and I will use it to describe a simple
approach to statistical outlier detection. In
continuous probability distributions, we find
the probability that a value is within a specified
range. Its graph, called the normal curve, is
the bell shaped curve that describes the
distribution of so many sets of data which
occur in nature, industry, and research. The
mathematical equation for the probability
distribution of the continuous variable depends
on the two parameters µ and σ, its mean and
standard deviation. Here I shall denote the
density function of X by n(x; µ, σ)
The normal distribution density function of the
normal random variable X, with mean µ and
2
variance  , is
f(x) = n(x; µ, σ) =
1
e(1 / 2)[( x µ) /  ]
2 
Where
2
, -∞ <x<∞ ,
 =3.14159 and e=2.71828 [7]
3
Once µ, σ are specified, the normal curve is
completely determined. The area under a
probability curve must be equal to 1, and
therefore the more variable the set of
observations, the lower and wider the
corresponding curve will be.
10.1 Properties of the normal curve:
1. The highest point on the normal curve is
located at the mean, which is also the
median and the mode of the distribution.
2. The curve is symmetric about a vertical axis
through the mean µ.
3. If a random variable has a small variance or
standard deviation, we would expect most of
the values to be grouped around the mean. A
large value of  indicates a greater
variability, and therefore the area is to be
more spread out.
4. The normal curve approaches the horizontal
axis asymptotically as we proceed in either
direction away from the mean.
5. The total area under the curve and above the
horizontal axis is equal to 1.
I shall now show that the parameters µ and
 2 are indeed the mean and the variance of
the normal distribution. To evaluate the
meaning,
I
write
E(X)
=

2
1
 (1 / 2)[( x   ) /  ]
dx Setting
 xe
2  -
z= ( x   ) /  → z  = x- 
Differentiating both sides by x, we will get
z*0 +  *
dz
= 1-0 → dx=  dz
dx
So, we obtain

1
z
dz
 (   z )e
2  -
2/2
E(X) =
=
1  z
 e
2  
µ
 
 ze
2  
2/2
dz +
z2/2
dz
The first integral is µ times the area under a
normal curve with mean zero and variance 1,
and hence equal to µ. The second integral is
equal to zero.
The variance of the normal distribution is
given by
 2 = E [ (X - µ)2 ] =

1
2 (1 / 2)[( x   ) /  ]
dx
 (X - µ) e
2  -
2
Again setting z= ( x   ) /  → z  = x- 
Differentiating both sides by x, we will get
z*0 +  *
dz
= 1-0 → dx=  dz
dx
2
E [ (X - µ) ] =
2  2
z e
2  
z2/2
dz
Integrating by parts with u=z
 z2 / 2
ze
that
and dv=
 z2 / 2
so that du=dz and v=- e
, we find
2
2
2
E [ (X - µ) ]=  (0+1)= 
Changing µ shifts the distribution left or right.
Changing σ increases or decreases the spread
as shown in figure1.
No matter what  and  are, the area between
- and + is about 68%; the area between
-2 and +2 is about 95%; and the area
between -3 and +3 is about 99.7%.
Almost all values fall within 3 standard
deviations. Often, the three-sigma interval
[±3] is called a tolerance interval that
contains almost all of the measurements in a
normally distributed population [8] as shown
in figure2.
There is a unique normal curve for every
combination of  and  . There are many
theoretically unlimited numbers of such
combinations. Fortunately, we are able to
transform all the observations of any normal
random variable X to a new set of observations
of a normal random variable Z with mean zero
and variance 1. This can be done by means of
transformation Z= ( X   ) /  . Whenever X
assumes a value x, the corresponding value of
Z is given by z= ( x   ) /  .
f(X)
Changing μ shifts the
distribution left or right.
Changing σ increases or
decreases the spread.
X
Fig.1 Effect of changing

and 
Fig.2 Tolerance interval
4
Therefore, if X falls between the values x= x1
and x= x2 , the random variable Z will fall
between
the
corresponding
values
z1 = ( x1   ) /  and z2 = ( x2   ) /  .
So, all normal distributions can be converted
into the standard normal curve by subtracting
the mean and dividing by the standard
deviation
Consequently, we can write P( x1 <X< x2 )=
1 x  (1 / 2)[( x   ) /  ]
dx =
 xe
2  x
2
2
1
z2
1
z
 e
2 z
2/ 2
dz =
1
z2

n(z;0,1) dz= P( z1 <Z< z 2 )
Making Approach", seventh edition, Pearson International
Edition.Upper Saddle River, New Jersy, U.S.A, 2008.
[3] Manish Gupta, Jing Gao, Charu C. Aggarwal, and
Jiawei Han, "Outlier Detection for Temporal Data: A
Survey", IEEE transactions on knowledge and data
engineering, vol. 25, no. 1, January 2014
[4] Sutapat Thiprungsri, Miklos A. Vasarhelyi, "Cluster
Analysis for Anomaly Detection in Accounting Data: An
Audit Approach", The International Journal of Digital
Accounting Research Vol. 11, pp. 69 - 84 ISSN: 15778517, 2011.
[5] Ravi Ranjan and G. Sahoo, "A new clustering approach
for anomaly intrusion detection", International Journal of
Data Mining & Knowledge Management Process (IJDKP)
Vol.4, No.2, March 2014.
[6] Taeshik Shon, Yongdue Kim, Cheolwon Lee, and
Jongsub Moon,"A Machine Learning Framework for
Network Anomaly Detection using SVM and GA",
Proceedings of the 2005 IEEE Workshop on Information
Assurance and Security United States Military Academy,
West Point, NY, U.S.A, 2005.
[7] Derek L. Waller, "Statistics for business", Elsevier,
Book Aid International, Sabre Foundation, 2008.
[8] Bruce L. Bowerman, Richard T.O'Connell, J.B. Orris,
and Emily S. Murphree, "Essential of Business Statistics",
McGraw-Hill, Irwin, 2010.
[9] Heinz Kohler, "Statistics for Business and Economics",
Thomson Learning, Inc, 2002.
z1
But, it is very important to notice that:
1) Not all continuous random variables are
normally distributed.
2) Both the mean and standard deviation are
extremely sensitive to outliers. Effectively one
“bad point” can completely skew the mean.
3) It is important to evaluate how well the data
are approximated by a normal distribution.
11. A proposed statistical approach for
outlier detection:
1) Look at the histogram and check does it
appear bell shaped.
2) Compute descriptive summary measures
(mean, median, and mode).
3) Do about 68 % of observations lie within 1
standard deviation of the mean? Do about 95%
of observations lie within 2 standard deviations
of the mean? Do about 99% of observations lie
within 3 standard deviations of the mean?
4) Be cautious, about sample size, because the
distribution is highly influenced by sample
size.
12. Conclusion:
1. Outlier detection using Univariate Normal
Distribution is a very promising technique for
detecting critical information in data, and can
be applied in various application domains.
2. Nature of outlier detection problem is
dependent on the scope of application domain.
3. Different techniques are required to solve a
particular problem formulation.
References:
[1] Hongbo Du, "Data Mining Techniques and
Applications – An Introduction", Cengage Learning
EMEA, Cheriton House, North Way, Andover,
Hampshire, SP10 5BE, UK., 2010.
[2] David F. Groebner, Patrick W. Shannon, Phillip C. Fry,
and Kent D. Smith, "Business Statistics – A Decision
5