Anomaly detection is considered an unsupervised machine learning task because anomalies arise from conflicting or unlikely events with unknown distributions. However, the predictive performance of purely unsupervised anomaly detection often does not match the detection rates required in many tasks, and there is a need for labelled data to guide model generation.
In this article, I’ll walk you through what machine learning anomaly detection is. At the end of this article, you will also get some projects based on the problem of anomaly detection to learn its practical implementation.
What is Anomaly Detection?
The detection of anomalies involves identifying unlikely and rare events. The classic approach to anomaly detection is to calculate an accurate description of normal data.
Each newly arrived instance is compared to the normality model and an anomaly score is calculated. The score describes the deviations of the new instance from the average data instance, and if the deviation exceeds a predefined threshold, the instance is considered an anomaly or outlier and handled appropriately.
Identifying data with irregular and suspicious features is crucial in many applications such as medical imaging and network security. In particular, the latter has become a dynamic area of research as computer systems are increasingly exposed to security threats, such as worms, network attacks and malicious code.
Network intrusion detection is the detection of previously unknown threats and attacks in network traffic. Conventional security techniques for intrusion detection are based on identifying known patterns of misuse, so-called signatures, and therefore, while effective against known attacks, fail to protect against new threats.
Detection of anomalies is most beneficial in training scenarios where many instances of regular data are given, which allows the machine to approximate the underlying distribution and leads to a concise model of normality.
On the other hand, outliers and anomalies are rare and can even come from changes in distributions (for example, new classes of network attacks). Particularly in adversarial contexts, such as network intrusion detection, differences in training and testing distributions are prominent as new threats and tactics are constantly being developed.
Is It Supervised or Unsupervised?
Detection of anomalies is considered an unsupervised learning task, so it is not surprising that a large number of applications use unsupervised anomaly detection methods, for example finding anomalies in network traffic or program behaviour, reducing noise, or annotating and classifying images and documents.
Fully supervised approaches to anomaly detection typically ignore unlabeled data during the learning phase.
How does Anomaly Detection Work?
In an anomaly detection task, we are given $n$ observations $x_1, \ldots, x_n \in X$. The underlying assumption is that most of the data come from the same (unknown) distribution, and we call this part of the data normal.
A few observations, however, come from different distributions and are considered anomalies. These anomalies can for example be caused by broken sensors or network attacks and cannot be sampled by definition.
The end task is to detect these anomalies by finding a concise description of the normal data, so that divergent observations become outliers.
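The following is an added example, not code from the original article: it fits a normality model on unlabeled data that is mostly normal with one contaminant, scores new instances by their deviation from it, and applies a predefined threshold. The flow features, the sample values, the 3.5 cutoff and the choice of median/MAD as the normality model are assumptions made for illustration; a mean/standard-deviation model is fitted alongside to show how a few anomalies in the training data can hide themselves.

```python
import statistics

# Constructed sample: (bytes_sent, duration_s, packets) per network flow.
# Unlabeled; most rows are normal, the last one is a contaminant.
TRAIN = [
    (510, 1.2, 8), (480, 1.0, 7), (530, 1.4, 9), (495, 1.1, 8),
    (505, 1.3, 8), (520, 0.9, 9), (470, 1.2, 7), (515, 1.0, 8),
    (500, 1.1, 8), (490, 1.3, 7), (9000, 0.2, 400),
]
THRESHOLD = 3.5  # assumed cutoff, in units of estimated standard deviations

def fit_robust(rows):
    """Normality model: per-feature median and scaled MAD."""
    model = []
    for col in zip(*rows):
        med = statistics.median(col)
        mad = statistics.median([abs(v - med) for v in col])
        if mad == 0:
            raise ValueError("feature is constant for most rows; MAD is 0")
        model.append((med, 1.4826 * mad))  # 1.4826 makes MAD comparable to sigma
    return model

def fit_naive(rows):
    """Normality model: per-feature mean and standard deviation."""
    return [(statistics.mean(c), statistics.stdev(c)) for c in zip(*rows)]

def anomaly_score(model, x):
    """Largest per-feature deviation of x from the centre, in scale units."""
    return max(abs(v - centre) / scale for v, (centre, scale) in zip(x, model))

def is_anomaly(model, x, threshold=THRESHOLD):
    """An instance is an anomaly when its score exceeds the threshold."""
    return anomaly_score(model, x) > threshold

if __name__ == "__main__":
    robust, naive = fit_robust(TRAIN), fit_naive(TRAIN)
    # Constructed test flows: two ordinary ones and the training contaminant.
    for flow in [(500, 1.1, 8), (530, 1.4, 9), (9000, 0.2, 400)]:
        print(flow, round(anomaly_score(robust, flow), 2),
              round(anomaly_score(naive, flow), 2))
```

With 11 training rows, the mean/standard-deviation score of any single training point cannot exceed (n-1)/sqrt(n), about 3.02, so the contaminant stays under the cutoff in that model while the median/MAD model flags it.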
Now, after the above explanation, you should understand that detection of anomalies is not a small concept in machine learning. Future advances in machine learning and deep learning technologies will only add to the reach of anomaly detection techniques and their value to business data.
The increasing volume and complexity of data translate into major opportunities to harness that information for business success. Here are some of the practical implementations of anomaly detection using machine learning:
Hope you liked this article on the concept of detection of anomalies or outliers in machine learning and how it works. Please feel free to ask your valuable questions in the comments section below.