
Machine Learning For Anomaly Detection A Systemati

This document summarizes a systematic literature review of machine learning techniques for anomaly detection. The review analyzed models from four perspectives: applications of anomaly detection, machine learning techniques used, performance metrics, and classification of anomaly detection approaches. It identified 43 applications, 29 machine learning models, 22 datasets, and found unsupervised anomaly detection was most common. The review provides recommendations to guide future research in this area.


This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2021.3083060, IEEE Access


Machine Learning for Anomaly Detection: A Systematic Review

Ali Bou Nassif¹, Manar Abu Talib², Qassim Nasir³, Fatima Mohamad Dakalbab²
¹ Department of Computer Engineering, University of Sharjah, Sharjah, UAE
² Department of Computer Science, University of Sharjah, Sharjah, UAE
³ Department of Electrical Engineering, University of Sharjah, Sharjah, UAE
Corresponding author: A. Nassif ([email protected]).
“This work was supported by University of Sharjah”

ABSTRACT Anomaly detection has been used for decades to identify and extract anomalous components
from data. Many techniques have been used to detect anomalies. One of the increasingly significant
techniques is Machine Learning (ML), which plays an important role in this area. In this research paper,
we conduct a Systematic Literature Review (SLR) which analyzes ML models that detect anomalies in
their application. Our review analyzes the models from four perspectives: the applications of anomaly
detection, ML techniques, performance metrics for ML models, and the classification of anomaly
detection. In our review, we have identified 290 research articles, written from 2000-2020, that discuss ML
techniques for anomaly detection. After analyzing the selected research articles, we present 43 different
applications of anomaly detection found in the selected research articles. Moreover, we identify 29 distinct
ML models used in the identification of anomalies. Finally, we present 22 different datasets that are
applied in experiments on anomaly detection, as well as many other general datasets. In addition, we
observe that unsupervised anomaly detection has been adopted by researchers more than other
classification anomaly detection systems. Detection of anomalies using ML models is a promising area of
research, and there are a lot of ML models that have been implemented by researchers. Therefore, we
provide researchers with recommendations and guidelines based on this review.

INDEX TERMS Anomaly Detection, Machine Learning, Security and Privacy Protection.

I. INTRODUCTION

Detecting anomalies is a major issue that has been studied for centuries. Numerous distinct methods have been developed and used to detect anomalies for different applications. Anomaly detection refers to “the problem of finding patterns in data that do not conform to expected behavior” [1], [2]. The detection of anomalies is widely used in a broad variety of applications. Examples of these include fraud detection, loan application processing, and monitoring of medical conditions. An example of a medical application is heart rate monitors [3]. Other widely used applications of detecting anomalies include cyber security intrusion detection [4]–[6], fault detection for aviation safety study, streaming, and hyperspectral imagery, etc. The importance of detecting anomalies in various application domains concerns the risk that unprotected data may represent significant, critical, and actionable information. For instance, detecting an anomalous computer network traffic pattern may expose an attack from a hacked computer [7]. Another example would be the detection of anomalies in the transaction data of a credit card, which may indicate theft [8]. Besides, detecting an anomaly from an airplane sensor may result in the detection of a fault in some of the components of the aircraft.

An anomaly is defined at an abstract level as a pattern that is not in line with the ordinary anticipated behavior. Anomalies are classified into three main categories [1], [9], [10]:

1. Point Anomalies: If a single data instance can be considered anomalous with respect to the remainder of the data, the instance is called a point anomaly and is regarded as the simplest anomaly form.

2. Contextual Anomalies: If in a particular context a data instance is anomalous, but not in another context, it is called a contextual anomaly. There are two attributes of contextual anomalies: contextual attributes and behavioral attributes. The first attribute is applied to determine an instance’s context (or neighborhood). For example, the


This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

longitude and latitude of a location are contextual attributes in spatial datasets. Moreover, time is a contextual attribute in time series data that determines an instance’s position on the entire sequence. The second attribute is considered as attributes of behavior where it defines an instance’s noncontextual features. For example, the amount of rainfall that occurs at any location in a spatial dataset describing the world’s average rainfall is a behavioral attribute.

The preference for using the technique of contextual anomaly detection is determined by the significance of the contextual abnormalities in the target area. The availability of qualitative attributes is another significant aspect. In some instances, it is easy to identify a context, and thus it makes sense to apply a contextual detection technique. In other instances, it is not possible to establish a context, so that such methods are difficult to use.

3. Collective anomalies: If a set of associated data instances is anomalous for the entire dataset, it is called a collective anomaly.

Statistical anomaly detection techniques are some of the oldest algorithms used to detect anomalies [10]. Statistical methods build a statistical model for the ordinary behavior of the data provided. A statistical inference test may then be carried out to detect whether or not an instance belongs to this model. Several methods are used to conduct statistical anomaly detection [11]. This includes proximity based, parametric, non-parametric, and semi-parametric methods.

Machine learning (ML) techniques are increasingly being used as one of the approaches to detect anomalies. ML is the effort to “automate the process of knowledge acquisition from examples” [12]. The technique is used to build a model that distinguishes between ordinary and abnormal classes. Anomaly detection can therefore be split into three broad categories based on the training data function used to build the model. The three broad classes are [1], [13]:

• Supervised anomaly detection: In this class, both the normal and anomalous training datasets contain labeled instances. In this model, the approach is to build a predictive model for both anomaly and normal classes and then compare these two models. However, in this mode, two issues occur. First, the number of anomalies in the training set is much lower when compared with normal instances. Second, precise and representative labels are challenging to identify, particularly for the anomaly class.

• Semi-supervised anomaly detection: Training here includes only ordinary class cases. Therefore, anything that cannot be classified as ordinary is marked as anomalous. Semi-supervised techniques presume that training data have labeled instances for the normal class alone. Since they do not need anomaly class labels, they are more common than supervised methods.

• Unsupervised anomaly detection: In this case, training datasets are not required for the methods. Therefore, those methods implicitly assume that normal instances are much more common than anomalies in test datasets. However, if the assumption fails, it leads to a high false alarm rate for this technique.

Many semi-supervised techniques can be adapted to operate in an unsupervised mode by using unlabeled dataset samples as training data. Such adaptation assumes that there are very few anomalies in the test data and that the model learned during training is robust to these few anomalies.

This study’s primary objective is to conduct a systematic review that represents a comprehensive study of ML techniques for anomaly detection and their applications. Moreover, this review studies the accuracy of the ML models and the percentage of research papers that apply supervised, semi-supervised, or unsupervised anomaly detection classification. We believe that this review will enable researchers to have a better understanding of the different anomaly detection methods and guide them in reviewing the recent research done on this subject.

To the best of our knowledge, there are very few Systematic Literature Reviews (SLR) on detecting anomalies through machine learning techniques, which has motivated this work. Research articles were read thoughtfully and were selected, based on Kitchenham and Charters’ methodology [14], with regard to (i) the main prediction research work done in anomaly detection, (ii) the ML algorithms used in anomaly detection, (iii) the estimation and accuracy of ML models proposed, and (iv) the strength and weaknesses of the ML technique used.

The remainder of this paper is divided into six sections: Section 2 provides information on related work. Section 3 describes the methodology used in this research. Section 4 lists the results and discussions. Section 5 addresses the limitations of this review. Finally, Section 6 contains a discussion and suggestions for future work.

A. Literature Review

Detection of anomalies is an important issue that has been investigated in various fields of study and implementation. Many detection methods for anomalies have been created specifically for certain applications, while others are more generic. For example, Chandola et al. [1] provided an extensive survey of anomaly detection techniques and applications. A broad review of different techniques of machine learning as well as non-machine learning, such as statistical and spectral detection methods, was discussed in detail. Moreover, the survey presents several applications of anomaly detection. Examples include cyber intrusion detection, fraud detection, medical anomaly detection, industrial damage detection, image processing detection,


textual anomaly detection, and sensor networks. The same authors introduced another survey [10] on the topic of anomaly detection for discrete sequence. The authors provided a comprehensive and structured overview of the existing research on the problem of detecting anomalies in discrete/symbolic sequences. In addition, Hodge and Austin [15] presented an overall study of machine learning and statistical anomaly detection methodologies. Also, the authors discussed comparatively the advantages and disadvantages of each method. On the other hand, Agrawal and Agrawal [8] proposed a survey on anomaly detection using data mining techniques.

Several surveys were mainly focused on detecting anomalies in specific domains and applications, such as [16] where the authors presented an overall survey of wide clustering based fraud detection and also compared those techniques from several perspectives. In addition, Sodemann et al. [17] presented anomaly detection in automated surveillance, where they provided different models and classification algorithms. The authors examined research studies according to the problem domain, approach, and method. Moreover, Zuo [18] provided a survey of the three most widely used techniques of anomaly detection in the field of geochemical data processing: fractal/multi-fractal models, compositional data analysis, and machine learning (ML), but the author focuses mainly on machine learning techniques. On the other hand, He et al. [19] surveyed the framework of log based anomaly detection. The authors reviewed six representative anomaly detection methods and evaluated each one. The authors also compared and contrasted the precision and effectiveness of two representative datasets of the production log. Furthermore, Ibidunmoye et al. [20] provided an overview of anomaly detection and bottleneck identification as they related to the performance of computing systems. The authors identified the fundamental elements of the problem and then classified the existing solutions.

Anomaly intrusion detection was the focus of many researchers. For instance, Yu [21] presented a comprehensive study on anomaly intrusion detection techniques such as statistical, machine learning, neural networks, and data mining detection techniques. Also, Tsai et al. [22] reviewed intrusion detection, but the authors focused on machine learning techniques. They provided an overview of machine learning techniques designed to solve intrusion detection problems written between 2000 and 2007. Moreover, the authors compared related work based on the types of classifier design, dataset, and other metrics. Similarly, Patcha and Park [23] presented an extensive study of anomaly detection and intrusion detection techniques, and Buczak and Buvan [24] surveyed machine learning and data mining methods for cyber intrusion detection. They provided a description of each method and addressed the challenges of using machine learning and data mining in cyber security. Finally, Satpute et al. [25] presented a combination of various machine learning techniques with particle swarm optimization to improve the efficiency of detecting anomalies in network intrusion systems.

The detection of network anomalies has been an important area of research [26], [27]. Therefore, many surveys focused on that topic. For example, Bhuyan et al. [11] presented a comprehensive study of network anomaly detection. They identified the kinds of attacks that are usually encountered by intrusion detection systems and then described and compared the effectiveness of different anomaly detection methods. In addition, the authors discussed network defenders’ tools. Similarly, Gogoi et al. [7] surveyed an extensive study of well-known distance based, density based techniques as well as supervised and unsupervised learning in network anomaly detection. On the other hand, Kwon et al. [28] mainly focused on deep learning techniques, such as restricted Boltzmann machine based deep belief networks, deep recurrent neural networks, as well as machine learning methods appropriate to network anomaly detection. In addition, the authors presented experiments that demonstrated the practicality of using deep learning techniques in network traffic analysis.

Our systematic review is different from those described above, as we are presenting an extensive research study on detecting anomalies through machine learning techniques. Table 6 in Appendix A summarizes the related work and displays the differences between it and our work.

Our study differs from the related work in various aspects, such as:
1. Machine learning techniques are included, and the model types of techniques include supervised, semi-supervised, or unsupervised anomaly detection.
2. Precision comparison of each technique
3. A comprehensive approach is presented which includes the advantages and disadvantages of each technique.
4. Covers the period from 2000 to 2020, which is quite recent.

II. METHODOLOGY

In this study, we conducted a Systematic Literature Review (SLR) based on Kitchenham and Charters’ methodology [14]. The method includes the stages of planning and conducting research, and reporting. There are several phases in each stage. The planning phase is divided into six different stages. The first stage is to identify study questions that are based on the review's objectives. The second stage, in relation to specifying the proper search terms, is developing the search strategy, for collecting research papers related to the topic that fulfill the research questions. The third stage is to identify the study selection procedures, which include the exclusion and inclusion rules. In the fourth stage, rules are identified for quality assessment to be used to filter the collected study papers. The fifth stage involves detailing an


extraction strategy to answer the research questions that were specified before. Finally, the sixth stage involves synthesizing the data obtained. We followed the review protocol, and this is demonstrated in the following subsections.

Figure 1 below illustrates this research methodology.

Figure 1 Research Methodology

A. Research Questions

This SLR intends to summarize, clarify and examine the ML techniques and implementations that were applied in anomaly detection from 2000 through 2020 inclusive. The following four research questions (RQs) are raised for this purpose:

1. RQ1: What is the main prediction about research work done in anomaly detection?
RQ1 aims to identify the prediction research work that is done in anomaly detection, whether the prediction is an ML.

2. RQ2: What kinds of ML algorithms are being applied in anomaly detection?
RQ2 aims at specifying the ML methods that have been applied in the detection of anomalies.

3. RQ3: What is the overall estimation and accuracy of machine learning models?
RQ3 is concerned with ML model estimation. Estimation accuracy is the main performance metric for models of ML. This question focuses on the following three elements of estimation accuracy: dataset building, performance metric, and accuracy value.

4. RQ4: What is the percentage of papers that address unsupervised, semi-supervised, or supervised anomaly detection?
RQ4 aims to present the percentage of collected research papers that use unsupervised, semi-supervised, or supervised anomaly detection techniques.

B. Search Strategy

We followed the following procedure to construct the search term:
1) Main search terms are identified from the research questions.
2) New terms were defined to replace main terms such as intrusion, outliers, and synonyms.
3) Boolean operators (ANDs and ORs) are used to limit the search results.
4) The search terms that are used in this review are related to anomaly detection and machine learning.

Below are the digital libraries that we used in this search (journals and conference papers):
• Google Scholar
• ACM Digital Library
• Springer
• Elsevier
• IEEE Explorer

According to our inclusion/exclusion criteria, 290 papers were used in this review. They include 95 journal papers and 195 conference papers.
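The anomaly categories (point, contextual, collective) and the training modes (unsupervised, semi-supervised) defined in the Introduction can be made concrete on a single traffic series. The following Python sketch is an added illustration, not code from this paper or from any study it surveys; the hourly request counts, the thresholds and all function names are constructed for the example.

```python
"""Anomaly categories and training modes on constructed hourly request counts."""
from statistics import mean, median, pstdev

HOURS = 24  # samples per day; index = day * 24 + hour


def clean_week():
    """Constructed data: 7 days of hourly request counts without anomalies."""
    return [(20 if hour < 6 else 200)          # quiet nights, busy days
            + (day * 5 + hour * 3) % 7 - 3     # deterministic noise in -3..3
            for day in range(7) for hour in range(HOURS)]


def week_with_three_categories():
    """Constructed data: one anomaly of each category injected into a clean week."""
    series = clean_week()
    series[2 * HOURS + 18] = 5000              # point: extreme in any context
    series[4 * HOURS + 3] = 200                # contextual: daytime load at 03:00
    for hour in range(10, 16):                 # collective: mild but sustained
        series[5 * HOURS + hour] = 208
    return series


def week_with_common_anomaly():
    """Constructed data where anomalies are NOT rare: 03:00 is loaded on 5 of 7 days."""
    series = clean_week()
    for day in range(1, 6):
        series[day * HOURS + 3] = 200
    return series


def point_anomalies(series, threshold=3.0):
    """Global z-score: context is ignored, so only global extremes are found."""
    mu, sigma = mean(series), pstdev(series)
    return [i for i, v in enumerate(series) if abs(v - mu) / sigma > threshold]


def contextual_scores(series, baseline=None):
    """Robust z-score of the behavioral attribute (count) within its context (hour).

    baseline=None  -> unsupervised: the profile is fitted on the scored data itself.
    baseline=clean -> semi-supervised: the profile is fitted on normal-only data.
    Median/MAD is used because a plain z-score over 7 samples cannot exceed
    sqrt(6) ~ 2.45, so a threshold of 3 would never fire.
    """
    fit = series if baseline is None else baseline
    scores = []
    for i, value in enumerate(series):
        peers = fit[i % HOURS::HOURS]          # same hour of day, every day
        med = median(peers)
        mad = median(abs(p - med) for p in peers) or 1.0   # floor a zero MAD
        scores.append(0.6745 * (value - med) / mad)
    return scores


def contextual_anomalies(series, baseline=None, threshold=3.5):
    """Indices whose count is abnormal for their hour of day."""
    scores = contextual_scores(series, baseline)
    return [i for i, s in enumerate(scores) if abs(s) > threshold]


def collective_runs(series, mild=2.0, strong=3.5, min_len=4):
    """Runs of >= min_len consecutive samples that are each only mildly elevated."""
    runs, start = [], None
    for i, s in enumerate(contextual_scores(series) + [0.0]):  # sentinel ends a run
        if mild <= s < strong:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, i - 1))
            start = None
    return runs


if __name__ == "__main__":
    week = week_with_three_categories()
    print("point      :", point_anomalies(week))
    print("contextual :", contextual_anomalies(week))
    print("collective :", collective_runs(week))
    skewed = week_with_common_anomaly()
    print("unsupervised, skewed week   :", contextual_anomalies(skewed))
    print("semi-supervised, skewed week:", contextual_anomalies(skewed, clean_week()))
```

On the skewed week the unsupervised profile flags the two normal nights and misses the five loaded ones, which is the false-alarm failure the Introduction attributes to a violated rarity assumption; fitting the profile on the clean week reverses the result.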

C. Study Selection


In the beginning, we collected 350 papers based on the search terms mentioned earlier. Later, we filtered those papers to verify that only papers related to the topic were included in our review. The filtration process was discussed among the co-authors at planned periodic meetings. The filtration and selection processes are explained below:

Step 1: Remove all the duplicated articles that were collected from the different digital libraries.
Step 2: Apply inclusion and exclusion criteria to avoid any irrelevant papers.
Step 3: Remove review papers from the collected papers.
Step 4: Apply quality assessment rules to include only the qualified papers that ensure the best answer for our research questions.
Step 5: Search for additional related papers from references in the collected papers from step 4 and repeat step 4 on the new added articles.

The applied inclusion and exclusion criteria in this review are discussed in Table 1. In the end, after conducting the filtration steps, 290 papers were observed for this review.

Table 1 Inclusion & Exclusion Criteria

| Inclusion criteria | Exclusion criteria |
|---|---|
| Include only journals and conference papers. | Exclude papers with no clear publication information. |
| Include anomaly detection applications. | Exclude articles that include machine learning not related to anomaly detection. |
| Use machine learning techniques to identify anomalies. | Exclude all digital resources, which do not discuss anomaly detection techniques. |
| Include studies that compare machine learning techniques. | Exclude papers with predator journals |
| Consider articles published between 2000 and 2019. | |

D. Quality Assessment Rules (QARs)

The QARs were the final step in the identification of the final list of papers to be included in this review. The QARs are essential to guaranteeing and assessing the quality of the research papers. Therefore 10 QARs are identified and each is given a value of 1 mark out of 10. The score of each QAR is selected as follows: “fully answered” = 1, “above average” = 0.75, “average” = 0.5, “below average” = 0.25, “not answered” = 0. The summation of the marks obtained for the 10 QARs is the score of the article. Moreover, if the result is 5 or higher, we consider the article; otherwise, we exclude it. Moreover, we choose the score 5 as it represents the middle point of the good quality articles and it answers our intended research questions.

Table 2. Selected Papers’ Quality Assessment Results

| Result | No. of papers | Paper ID |
|---|---|---|
| 3.5 | 1 | A217 (Discarded) |
| 4.75 | 1 | A24 (Discarded) |
| 5 | 6 | A12, A43, A127, A163, A192, A208 |
| 5.25 | 1 | A205 |
| 5.5 | 3 | A141, A166, A201 |
| 5.75 | 4 | A68, A147, A178, A195 |
| 6 | 6 | A118, A173, A175, A183, A259, A278 |
| 6.25 | 8 | A32, A134, A168, A187, A197, A28, A248, A282 |
| 6.5 | 7 | A13, A25, A31, A33, A122, A174, A211 |
| 6.75 | 10 | A11, A21, A22, A35, A36, A56, A57, A144, A186, A238 |
| 7 | 12 | A3, A4, A30, A44, A62, A74, A77, A130, A140, A176, A200, A242 |
| 7.25 | 14 | A26, A29, A58, A66, A67, A75, A101, A157, A224, A226, A227, A231, A266, A269 |
| 7.5 | 12 | A20, A61, A72, A138, A142, A148, A153, A213, A244, A272, A280, A283 |
| 7.75 | 16 | A1, A7, A19, A23, A41, A48, A53, A73, A135, A177, A181, A240, A261, A275, A281, A285 |
| 8 | 11 | A27, A70, A92, A94, A105, A112, A164, A176, A185, A188, A268 |
| 8.25 | 16 | A8, A16, A49, A76, A96, A149, A156, A169, A171, A182, A193, A207, A233, A267, A271, A286 |
| 8.5 | 23 | A2, A9, A10, A18, A40, A42, A51, A52, A59, A60, A63, A64, A83, A124, A139, A143, A150, A161, A170, A184, A203, A243, A255 |
| 8.75 | 31 | A103, A109, A123, A126, A136, A14, A146, A17, A189, A209, A212, A215, A225, A229, A234, A250, A260, A263, A279, A38, A39, A45, A46, A47, A5, A54, A71, A79, A82, A95, A99 |
| 9 | 32 | A100, A106, A117, A120, A133, A137, A145, A15, 155, A159, A165, A180, A214, A219, A228, A230, A246, A251, A252, A265, A276, A284, A34, A37, A50, A55, A65, A86, A89, A91, A93, A98 |
| 9.25 | 23 | A104, A107, A108, A113, A114, A115, A125, A128, A129, A160, A191, A198, A223, A239, A247, A249, A258, A6, A78, A80, A81, A84, A85 |
| 9.5 | 23 | A110, A116, A131, A154, A158, A162, A190, A194, A204, A206, A216, A218, A220, A221, A222, A254, A262, A273, A69, A87, A90, A97, A287 |
| 9.75 | 20 | A102, A111, A119, A121, A132, A167, A172, A196, A199, A202, A232, A235, A237, A241, A257, A264, A270, A274, A88, A289 |
| 10 | 10 | A151, A152, A210, A236, A245, A253, A256, A277, A288, A290 |

QAR1: Are the study objectives clearly recognized?
QAR2: Are the anomaly detection techniques well defined and deliberated?


QAR3: Is the specific application of anomaly detection clearly defined?
QAR4: Does the paper cover practical experiments using the proposed technique?
QAR5: Are the experiments well designed and justifiable?
QAR6: Are the experiments applied on sufficient datasets?
QAR7: Are estimation accuracy criteria reported?
QAR8: Is the proposed estimation method compared with other methods?
QAR9: Are the techniques of analyzing the outcomes suitable?
QAR10: Overall, does the study enrich the academic community or industry?

Figure 1. Anomaly Detection Applications Iteration Per Year

E. Data Extraction Strategy

In this step, our aim was to analyze the final list of papers to extract the required information for answering the four research questions. Consequently, we extracted the following information from each paper: paper number, title of the paper, publication year of the paper, publication type, anomaly application type, RQ1, RQ2, RQ3, and RQ4. Due to the unstructured nature of information, extraction was challenging. For instance, for associated methods such as “J48” or “C4.5,” researchers would use distinct terminologies. It is essential to note that the four research questions were not answered by all papers.

Table 3. Anomaly Detection Applications among Articles

| Application | Freq. | Application | Freq. |
|---|---|---|---|
| Intrusion Detection | 68 | Finance Domain | 2 |
| network anomaly detection | 66 | Road Anomaly | 2 |
| anomaly detection | 29 | temperature anomaly | 2 |
| data | 11 | water treatment system | 2 |
| video anomaly detection | 10 | Automotive CAN bus | 1 |
| Mobile ad-hoc networks | 8 | Power Quality Measurements | 1 |
| Cloud computing | 7 | anti forensic | 1 |
| Hyperspectral Imagery | 7 | Botnets | 1 |
| medical application | 7 | corpus anomaly detection | 1 |
| sensor network | 6 | digits | 1 |
| Time Series | 6 | Electrical Substation Circuits | 1 |
| smart environment | 5 | electroencephalography | 1 |
| System Log | 5 | evolving connectionist systems | 1 |
| Space Craft | 4 | Gas Turbine Combustor | 1 |
| Artificial immune system | 3 | Web Service | 1 |
| SCADA System | 3 | Internet of Things (IoT) | 1 |
| wireless network security | 3 | manufacturing process | 2 |
| Cyber Physical System | 3 | Maritime domain | 1 |
| Advanced Monitoring Systems | 2 | netflow records | 1 |
| Aviation | 2 | Online Anomaly Prediction | 1 |
| energy consumption | 2 | vessel tracks | 1 |
| Fault Diagnosis | 2 | | |

F. Synthesis of Extracted Data

In order to synthesize the information obtained from the chosen papers, we used various processes to aggregate evidence to answer the RQs. The following describes in detail the method of synthesis we followed: We used the technique of narrative synthesis to tabulate the information obtained in accordance with RQ1 and RQ2. We use binary


outcomes to analyze the results for the information obtained (quantitative) in RQ3 and RQ4, which came from different papers with distinct accuracy calculation methods that are presented in a comparable way.

Figure 2. Machine Learning Techniques Observed

III. RESULTS AND DISCUSSIONS

In this section, we address the outcomes of this review. This subsection gives an overview of the selected papers of this review. The results of each research question are addressed in detail in the following five sections. A total of 290 studies were chosen which implemented machine learning for anomaly detection. These research articles were published between 2000 and 2020. The list of these papers is included in Table 7 in Appendix A. As explained earlier, a quality assessment criterion is used to stream the articles on the basis of the marks obtained. Research articles of grade 5 or higher (out of 10) have been taken into consideration. Moreover, the frequency of the QAR score of the selected paper is listed in Table 2.

Figure 3. Feature Selection/Extraction Techniques Observed in the Literature

A. Anomaly Detection Applications

In this section, we address RQ1 which aims to identify the prediction research work that has been done in anomaly detection.

Anomaly detection techniques are mainly divided into two classifications: machine learning based, and non-machine learning based. The non-machine learning based techniques can be classified into statistical and knowledge based. Regarding this review, there are 274 articles that discuss the detection of anomalies through machine learning techniques. On the other hand, there are 16 articles that focus on non-machine learning based techniques.

Detection of anomalies can be used in a wide variety of applications. In this review, we identified 43 different applications in the selected papers. The list of these applications appears in Table 3.

As shown in Table 3, the review indicates that intrusion detection, network anomaly detection, general anomaly detection, and data applications are the studies applied most


Figure 4. Utilized Datasets in Collected Research Articles

often in the anomaly detection area. In addition, the table contains comprehensive information on the frequency with which anomaly detection application is used by the selected articles.

Moreover, the review shows that researchers began to adopt more applications of anomaly detection between 2011 and 2020. For further information on results, Figure 2 illustrates the distribution of anomaly detection application per year during the period considered.

B. Types of Machine Learning Techniques

In this section, we address RQ2, which aims at specifying the machine learning techniques that have been used to detect anomalies between 2000 and 2020.

As a fundamental point of this review, the most frequently used ML methods in anomaly detection are identified along with an evaluation of these methods. The evaluation of the methods considers all the phases of the method’s experiment, such as the feature selection phase, extraction phase, etc.

As shown in Figure 3, we identified 28 ML techniques that had been applied by researchers in the development of models to detect anomalies on their application. These techniques can be divided into six categories: classification, ensemble, optimization, rule system, clustering, and regression. Those ML techniques are used in two forms: standalone or hybrid models. Hybrid models are obtained by combining two or more ML techniques. Table 4 represents the frequency of ML techniques among the collected research articles. According to Table 4 in Appendix A, it can be seen that a lot of researchers used to combine more than one ML technique. This includes A2 (DBN with one class SVM), A23 (SVM with GA), and A14 (SVM with K-Medoids clustering). Moreover, SVM is the most used technique as either standalone or in hybrid models.

Feature selection/extraction has been discovered extensively in the literature and it is a significant move towards discarding irrelevant data, which helps to enhance and improve the precision and computational efficiency of the suggested models. Figure 4 demonstrates 21 different feature selection/extraction techniques that are being applied. Moreover, we notice that PCA and CFS are the feature selection techniques being used most often in anomaly detection. Even though this step is very important, most of the research articles did not include it. While some research articles did apply this step, the techniques were not discussed.


Table 5 in Appendix A represents some of the research articles that mentioned the strength or weakness of their proposed machine learning model. Therefore, Table 5 shows the research article number, the machine learning technique, and the strength or weakness if mentioned.

C. Overall Estimation and Accuracy of ML Models


In this section, we address RQ3 which is concerned with the estimation of ML models. Estimation accuracy is the primary performance metric for machine learning models. This question focuses on the following four aspects of estimation accuracy: performance metric, accuracy value, dataset for construction, and model validation methods.

Since building a ML model relies on the dataset, we reviewed the data source of ML models for anomaly detection utilized in the selected research articles. Moreover, we identified 22 different datasets that have been used in the experiments of related articles and many other general datasets. The datasets can be classified as synthetic data, real life data, and virtualized data. Figure 5 demonstrates the frequency of utilized datasets in the collected research articles. As shown in Figure 5, the most frequently used dataset in the selected research papers was real life dataset, according to anomaly detection application. In addition, 48 research papers utilized KDD Cup 1999 virtualized dataset and 38 research papers adopted benchmark datasets.

In addition to datasets, ML models should also be evaluated with performance metrics. We found 276 papers that clearly presented the performance metrics of their proposed models. Figure 6 shows that the performance metric used most was True Positive Rate (TPR), which is also known as detection rate, sensitivity, and recall. It measures the anomalies that are correctly classified. Moreover, 116 papers used False Positive Rate (FPR) as a performance metric. This metric measures anomalies that are falsely classified, and it can be known as false alarm rate as well. Furthermore, Accuracy (Acc), precision, and F-score were applied often by researchers as a performance metric. Acc is the percentage of anomalies that were correctly classified. Adding more, AUC measures the whole two dimensional area under the entire ROC curve. ROC curve is one of the strongest metrics used to efficiently assess intrusion detection systems performance, and it is a graphical tool that illustrates accuracy across FPRs. On the other hand, Precision is usually associated with F-score and recall, and it measures the ratio of anomalies that are correctly classified as an attack. In addition, we find that 64 of the 290 papers used only one performance metric, and most of those papers used only accuracy or AUC, which is not sufficient to determine the quality performance of the ML model. On the other hand, papers like A10 and A69 used 7 to 9 performance metrics to represent the performance of their ML models. Furthermore, a lot of papers present computational performance metrics in addition to performance metrics, such as CPU utilization, execution time, training time, testing time, and computational time. Table 8 in Appendix A presents each paper ID and the proposed ML model along with the performance and computational metrics applied. Moreover, it presents the anomaly detection type (supervised, unsupervised, or semi-supervised), as well as the dataset used for that model.

Figure 5. Frequency of Performance Metrics among Selected Articles

Figure 6. Percentage of Anomaly Detection Type

D. Percentage of Unsupervised, Semi-Supervised or Supervised Anomaly Detection Techniques

In this section, we address RQ4, which aims to present the percentage of collected research papers that use supervised, semi-supervised, or unsupervised anomaly detection methods.
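The following added example (not code from the reviewed paper) computes the Section C metrics, TPR, FPR, accuracy, precision, F-score and AUC, for two constructed detectors on a constructed 1,000-record sample containing 20 anomalies. It illustrates the point made above about single-metric reporting: the detector that never alerts has the higher accuracy, and the other detector's high AUC hides a precision below 30%. All function names and data are assumptions made for illustration.

```python
"""Section C metrics on a constructed, imbalanced sample (label 1 = anomaly)."""
from dataclasses import dataclass


def _ratio(num, den):
    # Undefined ratios (e.g. precision when nothing is flagged) are reported as 0.0.
    return num / den if den else 0.0


@dataclass(frozen=True)
class Confusion:
    tp: int
    fp: int
    tn: int
    fn: int

    @classmethod
    def from_predictions(cls, y_true, y_pred):
        tp = fp = tn = fn = 0
        for truth, pred in zip(y_true, y_pred):
            if truth and pred:
                tp += 1
            elif pred:
                fp += 1
            elif truth:
                fn += 1
            else:
                tn += 1
        return cls(tp, fp, tn, fn)

    @property
    def tpr(self):  # detection rate / sensitivity / recall
        return _ratio(self.tp, self.tp + self.fn)

    @property
    def fpr(self):  # false alarm rate: normal records flagged as anomalies
        return _ratio(self.fp, self.fp + self.tn)

    @property
    def accuracy(self):  # all correct decisions over all records
        return _ratio(self.tp + self.tn, self.tp + self.fp + self.tn + self.fn)

    @property
    def precision(self):  # share of alerts that are real anomalies
        return _ratio(self.tp, self.tp + self.fp)

    @property
    def f_score(self):  # harmonic mean of precision and recall
        return _ratio(2 * self.precision * self.tpr, self.precision + self.tpr)


def auc(y_true, scores):
    """Area under the ROC curve as P(anomaly score > normal score); ties count 0.5."""
    pos = [s for t, s in zip(y_true, scores) if t]
    neg = [s for t, s in zip(y_true, scores) if not t]
    if not pos or not neg:
        raise ValueError("AUC needs at least one anomaly and one normal record")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def evaluate(y_true, scores, threshold=0.5):
    """Threshold the scores into alerts and return every metric side by side."""
    y_pred = [1 if s >= threshold else 0 for s in scores]
    cm = Confusion.from_predictions(y_true, y_pred)
    return {"tpr": cm.tpr, "fpr": cm.fpr, "accuracy": cm.accuracy,
            "precision": cm.precision, "f_score": cm.f_score,
            "auc": auc(y_true, scores)}


def build_sample():
    """Constructed data: 980 normal records, 20 anomalous ones (2% base rate)."""
    y_true = [0] * 980 + [1] * 20
    # Detector A never alerts: every record gets score 0.0.
    silent = [0.0] * 1000
    # Detector B: 40 normal records score high (false alarms),
    # 16 anomalies score high (detected), 4 anomalies score low (missed).
    scored = [0.1] * 940 + [0.7] * 40 + [0.9] * 16 + [0.3] * 4
    return y_true, silent, scored


if __name__ == "__main__":
    y, silent, scored = build_sample()
    for name, s in (("silent", silent), ("scored", scored)):
        print(name, {k: round(v, 3) for k, v in evaluate(y, s).items()})
```

Reporting TPR and FPR together with precision or F-score, as papers such as A10 and A69 do, is what separates the two detectors here.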


Figure 7. Anomaly Detection Classification Type per Year


As previously mentioned, anomaly detection can be divided into three broad classes depending on the feature of the training data that is applied to construct the model. The three broad classes are unsupervised anomaly detection, semi-supervised anomaly detection, and supervised anomaly detection. For this RQ we reviewed the classification type of anomaly detection techniques used in research articles. According to Figure 7, 27% of the selected papers applied unsupervised anomaly detection type, making it the most used technique among the research articles. On the other hand, 18% applied supervised anomaly detection, while 7% applied both supervised and unsupervised anomaly detection classification. In contrast, 5% of research articles adopted semi-supervised learning. Furthermore, 1% applied semi-supervised with unsupervised anomaly detection. Surprisingly, 42% of the research articles did not mention the classification type of the anomaly detection they applied.

According to Figure 8, the unsupervised anomaly detection type has been applied from 2002 until 2020. As for supervised anomaly detection type, it was adopted by researchers in 2002 and has been used until the present time. Supervised and unsupervised anomaly detection types were utilized from 2005 to 2019. In contrast, supervised and semi-supervised anomaly detection types were adopted only in 2013 and 2018. Similarly, unsupervised and semi-supervised anomaly detection types have only been used twice, in 2011 and 2016. It can be seen then, that combining semi-supervised learning with either supervised or unsupervised learning was not adopted by many researchers compared to the supervised anomaly detection type or unsupervised anomaly detection type. For further information on results, Table 8 in Appendix A presents the anomaly detection type of each research article.

IV. LIMITATION OF THIS REVIEW

This systematic literature review is limited to journal and conference papers related to ML in the field of anomaly detection. We excluded several non-relevant research papers by implementing our search approach in the first stages of the review. This ensured that the research papers chosen met the research requirements. However, we believe that this review would have been further enhanced by drawing on additional sources. Moreover, the same concept applies to quality assessment since we applied a strict QAR.

V. CONCLUSION

This systematic literature review studied anomaly detection through machine learning techniques (ML). It reviewed ML models from four perspectives: the application of anomaly detection type, the type of ML technique, the ML model accuracy estimation, and the type of anomaly detection (supervised, semi-supervised, and unsupervised). The review investigated the relevant studies that were published from 2000-2020. We queried 290 research articles that answered the four research questions (RQs) raised in this review.

The findings of RQ1 were that we identified 43 different applications of anomaly detection in the selected papers. We observed that intrusion detection, network anomaly detection, general anomaly detection, and data applications are the studies most often applied in the anomaly detection area. Furthermore, between 2011 and 2019 researchers started to adopt more applications for anomaly detection. As for RQ2, we demonstrated 29 different ML models that have been applied by researchers, with the most commonly used being SVM. Moreover, we noted an interest in building hybrid models. In addition, we identified that PCA and CFS are the most commonly used among 21 feature selection/extraction techniques. In RQ3 we presented the performance metrics applied by each research paper, and we found that 64 of the 290 papers used accuracy or AUC as their main performance metric, which is not efficient enough. Furthermore, we identified 22 different datasets that have been used in the experiments of related articles as well as many other general datasets, and most of the experiments


used real life dataset as training or testing datasets for their models. Lastly, in RQ4 we counted the classification type of anomaly detection used in selected research articles. We found that 27% of the selected papers applied unsupervised anomaly detection type, making it the most used approach among the research articles. The next most utilized approach was applied supervised anomaly detection, at 18%, followed by 7% of the papers which applied both supervised and unsupervised anomaly detection classification.

Based on this review, we recommend that researchers conduct more research on ML studies of anomaly detection to gain more evidence on ML model performance and efficiency. Moreover, researchers are also encouraged to create a general structure for introducing experiments on ML models. Moreover, since we found research papers that did not mention feature selection/extraction type, this field is important for improvement. Furthermore, some of the research papers reported their results using one performance metric, such as accuracy, which needs more improvement and more consideration. We also noticed that several researchers used old databases in conducting their research. We recommend researchers use more recent datasets.

ACKNOWLEDGMENT

The corresponding author Dr. Ali Bou Nassif and co-authors would like to thank the University of Sharjah and OpenUAE Research and Development Group for funding this research study. We are also grateful to our research assistants who helped in collecting, summarizing, and analyzing the research articles for this SLR study.

“Conflict of Interest: The authors declare that they have no competing interests”.
“Informed consent: This study does not involve any experiments on animals or humans”.

Authors’ information

ALI BOU NASSIF is currently the Assistant Dean of Graduate Studies at the University of Sharjah, UAE. Ali is also an Associate Professor in the department of Computer Engineering, as well as an Adjunct Research Professor at Western University, Canada. He obtained a Master’s degree in Computer Science and a Ph.D. degree in Electrical and Computer Engineering from Western University, Canada in 2009 and 2012, respectively. Ali’s research interests include the applications of statistical and artificial intelligence models in different areas such as software engineering, electrical engineering, e-learning, security, networking, signal processing and social media. Ali has published more than 65 refereed conference and journal papers. Ali is a registered professional engineer (P.Eng) in Ontario, as well as a member of IEEE Computer Society.

MANAR ABU TALIB is teaching at the University of Sharjah in the UAE. Dr. Abu Talib’s research interest includes software engineering with substantial experience and knowledge in conducting research in software measurement, software quality, software testing, ISO 27001 for Information Security and Open Source Software. Manar is also working on ISO standards for measuring the functional size of software and has been involved in developing the Arabic version of ISO 19761 (COSMIC-FFP measurement method). She published more than 50 refereed conferences, journals, manuals and technical reports. She is the ArabWIC VP of Chapters in Arab Women in Computing Association (ArabWIC), Google Women Tech Maker Lead, Co-coordinator of OpenUAE Research & Development Group and the International Collaborator to Software Engineering Research Laboratory in Montreal, Canada.

QASSIM NASIR is currently an associate professor at the University of Sharjah since 2009 and the chairman of scientific publishing unit. Dr. Nasir’s current research interests are in telecommunication and network security such as in CPS, IoT. He also conducts research in drone and GPS jamming as well. He is a co-coordinator in OpenUAE research group which focuses on blockchain performance and security, and the use of artificial intelligence in security applications. Prior to joining the University of Sharjah, Dr. Nasir was working with Nortel Networks, Canada, as a senior system designer in the network management group for OC-192 SONET. Dr. Nasir was visiting professor at Helsinki University of Technology, Finland, during the summers of 2002 to 2009, and GIPSA lab, Grenoble France to work on a Joint research project on “MAC protocol and MIMO” and “Sensor Networks and MIMO” research projects. Dr. Nasir has published over 90 refereed conferences, journals, book chapter, and technical reports.


FATIMA DAKALBAB is a student pursuing her MSc. in Computer Science and a graduate research assistant at the University of Sharjah in the UAE. Fatima earned her bachelor’s degree in information technology Multimedia with a 3.92/4 GPA. She is currently working as a graduate research assistant in OpenUAE Research and Development Group. Her research interests include conducting systematic literature review studies on inter-blockchain communication, Internet of things (IoT), and machine learning in anomaly detection. Moreover, Fatima has been a member of the Sharjah Google Developer Group (GDG) and Arab Women in Computing Association (ArabWIC) since 2016, in addition to being an Events & Workshops Co-Coordinator in the student chapter in UAE for Association for Computing Machinery (ACM).


APPENDIX

Table 4. Machine Learning Techniques Among Research Articles


Technique | Freq. | Technique | Freq. | Technique | Freq.
SVM | 23 | CNN + DBN + SAE + LSTM | 1 | LR + DT + SVM + PCA | 1
Cluster | 11 | CNN + LSTM + DNN | 1 | LR + RF | 1
NN | 8 | CPM | 1 | LSTM + NN | 1
OCSVM | 8 | CSI + KNN | 1 | LSTM + RNN | 1
AE | 8 | CVM | 1 | LSTM + RT | 1
Naïve Bayes | 6 | DBN + RBM | 1 | multiple kernel | 1
DT | 5 | DBN + SVM | 1 | naïve Bayes + adaboost | 1
Ensemble | 5 | DBSCAN + Clustering | 1 | Naïve Bayes + DT | 1
ELM | 4 | DCM | 1 | naïve Bayes + DT + J48 | 1
KNN | 4 | DCNN + LSTM | 1 | Naïve Bayes + K-Means Clustering | 1
PCA | 4 | D-Markov + KNN | 1 | negative selection | 1
RT | 4 | DNN | 1 | negative selection + C4.5 + naïve Bayes | 1
DBN | 3 | DNN + RF + VAE | 1 | negative selection + MP | 1
GAN | 3 | DRBM | 1 | negative selection + NN | 1
HMM | 3 | DRBM + SVM | 1 | negative selection + SVM | 1
LSTM | 3 | DT + K-Means Clustering | 1 | NN + SOM | 1
n-gram | 3 | DT + NN | 1 | NN + SVM | 1
RF | 3 | DT + RF + ANN | 1 | NOF | 1
RNN | 3 | ensemble + clustering | 1 | OCSVM + LSTM | 1
SVM + RBF | 3 | Ensemble + SVM | 1 | PCA + NN | 1
BN | 2 | FFNN + LSTM | 1 | RBM + AE | 1
ENN | 2 | Fuzzy + C-means | 1 | Regression | 2
FRaC | 2 | fuzzy + GA | 1 | RF + DT + SVM + Naïve bayes + NN | 1
fuzzy | 2 | fuzzy + SVM | 1 | RF + Entropy | 1
GA | 2 | fuzzy K-Means Clustering + ANN | 1 | RF + LR | 1
Gaussian model | 2 | GA + SOM + SVM | 1 | RF + RT | 1
HTM | 2 | GA + SVM | 1 | RLS + ELM + NN | 1
IF | 2 | GAN + LSTM + RNN | 1 | RNN + LSTM | 1
kernel | 2 | Gaussian mixture + PCA | 1 | RVM + Bayesian Network | 1
KNN + OCSVM | 2 | HMM + Naïve Bayes | 1 | SAE | 1
Naïve Bayes + KNN | 2 | HMM + SVM | 1 | sequence algorithm | 1
RLS | 2 | J48 / C4.5 | 1 | single window | 1
SOM | 2 | J48 + Naïve bayes | 2 | SOM + K-Means | 1
SOM + J48/C4.5 | 2 | J48 + Naïve Bayes + SMO | 1 | SVM + C4.5 | 1
SVM + Entropy | 2 | k-means and Skip-gram | 1 | SVM + Cluster | 1
SVM + SOM | 2 | Kernel + PCA | 1 | SVM + DNN | 1
TR | 2 | kernel + regression | 1 | SVM + DT | 1
wrappers | 2 | K-mean + SMO network | 1 | SVM + ensemble | 1
AE + ANN | 1 | k-Means + C4.6 | 1 | SVM + entropy + Adaboost | 1
AE + ensemble + SVM + RF | 1 | K-means + cluster | 1 | SVM + GA | 1
AE + K-Means | 1 | K-means + DT | 1 | SVM + GA + KNN | 1
ANN | 1 | K-means + SVM | 1 | SVM + Kernel | 1
Bayesian network | 1 | K-means cluster | 1 | SVM + K-Medoids clustering | 1
boosting | 1 | k-means + clustering | 1 | SVM + Random Forest | 1
CESVM | 1 | KNN + SVM | 1 | SVM + RF | 1
CFS | 1 | LE | 1 | SVM + SVR network | 1
CNN | 1 | LOF | 1 | TCM-KNN | 1
RF + KNN + DT | 1 | FCM + KNN | 1 | TD | 1
OCSVM + LOF | 1 | DT + RF + KNN + Boosting DT | 1 | Sub-Space Clustering (SSC) and One Class Support Vector Machine (OCSVM) | 1


Table 5. Machine Learning Techniques Strength and Weakness

ID | ML technique | Strength and Weakness
A1 | SVM | Weakness: Soft margin SVM can't be used for novel attacks because it needs pre-acquired learning info; One-class SVM is difficult to use in real world because of high false positive rate
A8 | k-Means clustering + C4.5 decision tree | Weakness: Cascading the k-Means clustering method with C4.5 decision tree learning alleviates two problems in k-Means clustering: 1) the Forced Assignment problem and 2) the Class Dominance problem.
A9 | SVM + decision trees (DT) + Simulated annealing (SA) | Strength: SVM and SA can find the best selected features to elevate the accuracy of anomaly intrusion detection, and by analyzing the information from using KDD'99 dataset DT, and SA can obtain rules for new attacks and can really improve accuracy of classification
A87 | Niche Clustering | Strength: UNC can handle noise
A88 | Naïve Bayes with adaboost | Strength: low computation time
A90 | Relevance Vector Machine (RVM) and Dynamic Bayesian Network | Strength: Their model is good for limit checking
A93 | one class SVM (OCSVM) | Strength: No need for sample data with free anomalies
A94 | SVM + DNN | Weakness: Difficulties in detecting gradual changes of sensor methods and detecting anomalous actuator behavior. Strength: SVM takes approximately 30 mins only to train
A97 | Recursive Least Squares (RLS) | Weakness: low True Positive Rate
A98 | OneClassSVM + Local Outlier Factor LOF + isolation forest + Elliptic Envelope | Weakness: Their model requires large amount of data with good coverage. Strength: Good performance and very effective in anomaly detection
A105 | SVM | Strength: SVM reduces computing complexity
A107 | LERAD + CLAD | Weakness: LERAD assumes the training data are free of attacks; CLAD does not aim to generate a concise model and doesn't explain alerts well
A108 | LR, RF | Weakness: High detection accuracy. Strength: Low categorizing accuracy
A111 | centered hyperellipsoidal support vector machine CESVM | Strength: CESVM is flexible in terms of parameter selection
A116 | one class SVM (OCSVM) | Strength: One-Class SVM achieves better accuracy rates than the conventional anomaly detectors.
A117 | PCA | Strength: PCA substantially reduces the effectiveness of poisoning for a variety of scenarios and maintains a significantly better balance between false positives and false negatives than the original method when under attack
A119 | Fuzzy Rough C-means | Strength: FRCM integrates the advantage of Fuzzy set theory and rough set theory that the improved algorithm to network intrusion detection
A121 | Extreme learning machine (ELM) | Strength: ELM hidden layer parameters are assigned randomly
A122 | random forest (RF) | Strength: In random forests algorithm, there is no need for cross-validation or a test set to get an unbiased estimate of the test error. Since each tree is constructed using the bootstrap sample
A123 | convolutional neural network (CNN) + long short-term memory (LSTM) + deep neural network (DNN) | Strength: The combination of CNN and LSTM can effectively extract features
A125 | LibSVM | Strength: LibSVM is simple to use and high precision
A128 | Extreme Learning Machine (ELM) | Strength: ELM for the single hidden layer feed forward neural networks.
A130 | SVM and SVR | Strength: Their model can be used to avoid difficulties of using linear functions in the high dimensional feature space and optimization problem is transformed into dual convex quadratic programming
A131 | Decision Tree (DT) | Strength: By tracking the nodes from the root of the tree based on the feature values of an example, we can get the predicted class of it.
A141 | rule based decision tree (RBDT) | Weakness: Low complexity classification learning technique on present hardware speed and easy analysis is required to estimate the decision on classified patterns.
A148 | SVM and SOM | Strength: SOM discover the hidden structure or pattern in the training data; One-class SVM identifies outliers among positive examples and uses them as negative examples


A155 | naïve Bayesian classifier | Weakness: false positive rate needs to be improved. Strength: One of the simplest and effective classifiers
A160 | one class extreme learning machine Kernel (ELMk) | Strength: Fast learning and better generalization
A168 | D-Markov machine with symbolic false nearest neighbors | Strength: The efficiency of numerical computation is significantly enhanced relative to what can be achieved by direct analysis of the original time series data
A170 | correlational paraconsistent machine (CPM) | Weakness: Applications often face uncertainties and inconsistencies when required to characterize and analyze network traffic. Most of the time, the processed data may be incomplete or permeated with noise
A171 | Negative selection + multilayer neural network (backpropagation) + evolutionary algorithm | Strength: Their model does not depend on any specific type of classification algorithm
A174 | LERAD | Weakness: LERAD issues false alarms, because unusual events are not always hostile. Strength: Can sometimes detect previously unknown attacks
A176 | Adaboost + SVM + Entropy | Adaboost Weakness: Poor behavior on noisy data, the low level of noise in our data makes the learning conditions ideal. Entropy strength: Much more robust to noise. Overall Strength: Scalable algorithms that are guaranteed to converge with predictable performance
A180 | SVM + GA with Neural Kernel | Strength: Efficient optimization of both features and parameters for detection models
A185 | Stacked Autoencoder (SAE) | Strength: Their model self learns the features necessary to detect network anomalies and is able to perform attack classification accurately
A187 | k-means clustering | Strength: K-means only requires pairwise distance of data, and the algorithm does not require the distance to be metric
A188 | SOM + J.48 decision tree | Strength: Model is very robust, fast and simple.
A189 | LSTM, NN | Strength: Their model adapts to new log patterns over time
A190 | two-class SVM with a Radial Basis Function (RBF) kernel | perform in a continuous monitoring situation
A192 | Bayesian estimation | Weakness: Model has high false alarm rate
A193 | evolutionary neural networks | Strength: Evolutionary approach can reduce the learning time as well as it has advantage that the near optimal network structure can be obtained; ENN does not require trial and error cycles for designing the network structure and the near optimal structure can be obtained automatically
A194 | 3D convolutional AutoEncoder | Strength: Highly effective in various computer vision tasks, as well as anomaly detection
A198 | Auto encoder based on Artificial Neural networks | Strength: Efficiently reconstruct inputs that closely resemble normal network traffic but poorly reconstructs anomalous or attack inputs
A199 | Random Forest algorithm and regression tree | Strength: Enhance the generalisation of the learning algorithm and can thereby produce better results than when using single classifiers
A202 | swarm intelligence-based clustering | Strength: Model has increased detection accuracy and efficiency. As well as interesting properties such as flexibility, robustness, decentralization and self-organization
A204 | Ensemble learning + AE + SVR + RF | Strength: Reduced false alarm rate, and improved sensitivity
A209 | Stochastic gradient boosting | Strength: Stochastic gradient boosting highly improve the quality of the top ranked items
A213 | Recurrent Neural Networks (RNN) | Strength: RNN is capable of learning complex temporal sequence
A218 | K-mean + SMO | Weakness: Takes more time than simple classification or clustering
A219 | most relevant principal components + neural networks | Strength: adapt to the dynamics in a time window and at the same time consider the values of cloud performance metrics in previous windows
A225 | Fuzzy Adaptive Resonance Theory + Evolving Fuzzy Neural Networks + SVM | Strength: can significantly reduce the false alarm rate while the attack detection rate remains high
A229 | Conditional anomaly detection | Strength: takes into account the difference between the user-specified environmental and indicator attributes during the anomaly detection process “anomaly.”
A231 | Bayesian Networks | Strength: can learn cyclical baselines for gas concentrations, thus reducing false alarms usually caused by flatline thresholds
A232 | Naive Bayes with adaboost | Strength: AdaBoost's computational complexity is generally lower than SOM, ANN and SVM.


A233 | Negative and positive selection + C4.5 and Naïve Bayes | Strength: the increased ability of classifiers in identifying both previously known and innovative anomalies, and the maximal degradation of overfitting phenomenon
A240 | Deep Neural Network | Weakness: have an inherent problem linked to model visibility and interpretation
A253 | fully convolutional neural network | Weakness: Too slow for patch-based methods; thus, CNN is considered as being a time-consuming procedure. Training a CNN is totally supervised learning; thus, the detection of anomalies in real-world videos suffers from a basic impossibility of training large sets of samples from non-existing classes of anomalies
A255 | Neural networks | Strength: Neural networks are based on the concepts of statistical pattern recognition and have emerged as a practical technology
A259 | Frequent itemset mining (FIM) + C5.0 + decision tree | Strength: conceptually simple and, therefore, easy to understand and configure by a network operator
A275 | LSTM-RNN | Strength: ability to learn the behavior of a training set, and in this stage it acts like a time series anomaly detection model
A277 | Ensemble learning | Strength: known to produce more robust results. For example, bootstrap aggregating (or bagging) tends to reduce problems related to overfitting to the training data

Table 6. Related Work Summary

Ref. | Year | Summary | Differences between their review and ours
[15] | 2004 | This survey provides an overview of the techniques of outlier detection: classification-based, clustering based, nearest neighbour based, and statistical. | It covers outlier detection techniques, but it was published in 2004. Moreover, our work shows the estimation accuracy of ML models as well the type of anomaly detection.
[23] | 2007 | In this survey, the authors provide a comprehensive review of techniques and solutions in anomaly detection. They indicate methods for statistical identification of anomalies, anomaly detection based on machine learning, sequence analysis based on system call, etc. | It covers anomaly detection techniques before 2007. Ours covers work up to 2019.
type of anomaly detection.
[22] | 2009 | In this survey, 55 associated studies on single, hybrid and ensemble classifiers are reviewed by the authors. Furthermore, a comparison is provided between the studies. | It covers anomaly intrusion techniques between 2000 and 2007.
[7] | 2011 | In this survey, the authors provide a comprehensive outlier detection method for network anomaly identification. They classified the methods into: Distance-based, density-based, and machine learning. | It covers distance-based, density-based and machine learning based techniques before 2011, while ours covers the period up to 2019.
[10] | 2012 | In this survey, the authors present a detailed overview of detecting anomalies in discrete/symbolic sequence. They reveal the strength and weaknesses of techniques discussed prior to 2012. | It covers anomaly detection for discrete sequence in particular. In contrast, our work is more general.
[21] | 2012 | The authors present anomaly intrusion detection methods in this survey and clarify its evolution. Machine learning methods, neural network, computer immunology, and data mining were included. | It covers anomaly intrusion techniques until 2012. Our study covers research up to 2019.
[17] | 2012 | In this survey, the authors provide anomaly detection techniques in automated surveillance. They provide different models and classification algorithms such as dynamic Bayesian network, Bayesian topic models, artificial neural network, clustering, decision tree, and fuzzy reasoning. | In specific, it includes anomaly detection methods in automated surveillance. Our work, on the other hand, is more general.
[11] | 2013 | In this survey, the authors addressed the causes and aspects of network anomalies. They add performance metrics and intrusion detection systems evaluation and provide a list of tools and research issues. | It covers network anomaly detection in particular. Our work differs in that it is more general, and includes an estimation of the accuracy of each ML model as well the type of anomaly detection used.
[25] | 2013 | In this survey, the authors present machine learning methods in network intrusion detection system with particle swarm optimization for anomaly detection. They provide intrusion detection system types and present each technique's advantages and disadvantages. | It covers machine learning and particle swarm optimization techniques up to 2013
This survey is similar to [15]. The authors include | This survey covered machine learning
In this survey, the authors | It covers anomaly
several techniques of techniques before 2009. provide a comprehensive detection and performance
[1] 2009 machine learning and non- Our work includes analysis of performance of bottlenecks in
machine learning. They additionally, an estimation [20] 2015
anomaly detection and particular. On the other
also include anomaly of the accuracy of each identification of bottleneck. hand, our work is more
detection applications. ML model as well as the In computing systems, they general, and includes the

VOLUME XX, 2017 3

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3083060, IEEE Access

identified various types of estimation accuracy of ensure both the cyber other hand, our work is
common anomalies and the each ML model as well the security and safety of more general, including
techniques and strategies type of anomaly detection connected vehicles. In the accuracy of evaluation
for detecting them. used. addition, they researched 65 of each ML model, as well
It covers the techniques of research articles and as the type of
In this survey, the authors fraud detection in established a novel identification of
review various clustering- particular. Our work is taxonomy, then classified anomalies.
based anomaly detection more general, and it the articles.
[16] 2015
techniques and they provide includes an estimation of In this survey, the authors
comparison between the the accuracy of each ML present an explanation of It includes the detection of
techniques. model as well the type of important contexts of real- anomalies in the real-time
anomaly detection used. time big data processing, processing of big data. In
Data mining methods are detection of anomalies, and contrast, our work is more
presented in this survey It includes various [9] 2019 machine learning general, and it includes an
under four task classes: anomaly detection algorithms. They estimation of the accuracy
[8] 2015
learning association rule, methods that focus on data acknowledge the real-time of each ML, model as well
clustering, classification, mining methods. big data processing research the type of anomaly
and regression. challenges in detecting detection.
The authors provide six anomalies.
techniques for identification It covers anomaly
of anomalies in this survey. detection in system log
They compare their analysis in particular. In
accuracy and effectiveness. contrast, our work is more
[19] 2016 They also published an general, and it includes an
open-source toolkit of the estimation of the accuracy
techniques used for of each ML model as well
identification of anomalies as the type of anomaly
that were discussed in the detection.
survey.
This article includes an
extensive overview of the
techniques of machine It includes both machine
learning and data mining learning and intrusion
[24] 2016
for intrusion detection detection methods,
cyber analytics, but…our research…
discussions, difficulties and
some recommendations.
The authors present the
methods of machine
learning that define It covers geochemical
geochemical anomalies in Anomalies in particular.
this survey. In addition, the However, our work is
[18] 2017
survey discusses techniques more general, and focuses
of analysis such as principle on ML techniques and
component analysis (PCA) their performance.
and the analysis of the
factor.
The authors present an
overview of methods of
It includes deep learning
detection of anomalies and
methods for detecting
deep learning techniques in
[28] 2017 anomalies in network
this survey. They also
intrusion systems, while
address the feasibility of
our research…
using deep learning to
detect network anomalies.
In this survey, the authors
examine the most
significant elements of
It covers network anomaly
anomaly detection in five
detection in particular. Our
areas: anomalies in network
work is more general and
2018 traffic, types of network
[29] includes an estimation of
data, and categories of
the accuracy of each ML
intrusion detection
model as well the type of
technologies, techniques
anomaly detection.
and systems detection, and
open issues of unresolved
problems.
In this survey, the authors It includes the detection of
present a comprehensive anomalies for cyber
[30] 2018
understanding of anomaly security and safety of
detection techniques to connected vehicles. On the

Table 7. Selected Research Articles


ID TITLE TYPE YEAR REFS.
A1 "A hybrid machine learning approach to network anomaly detection" Jour. 2007 [31]
A2 "High-dimensional and large-scale anomaly detection using a linear one-class SVM with deep learning" Jour. 2016 [32]
A3 "Network anomaly detection with the restricted Boltzmann machine" Conf. 2013 [13]
A4 "Multiple kernel learning for heterogeneous anomaly detection: algorithm and aviation safety case study" Conf. 2010 [33]
A5 "Unsupervised Anomaly Detection with Generative Adversarial Networks to Guide Marker Discovery" Conf. 2017 [3]
A6 "Enhancing one-class support vector machines for unsupervised anomaly detection" Jour. 2013 [34]
A7 "The practice on using machine learning for network anomaly intrusion detection" Conf. 2011 [35]
A8 "Network Anomaly Detection by Cascading K-Means Clustering and C4.5 Decision Tree algorithm" Conf. 2012 [36]
A9 "An intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection" Jour. 2012 [37]
A10 "An analysis of supervised tree based classifiers for intrusion detection system" Conf. 2013 [38]
A11 "A novel hybrid intrusion detection method integrating anomaly detection with misuse detection" Jour. 2013 [39]
A12 "Performance Metric Selection for Autonomic Anomaly Detection on Cloud Computing Systems" Conf. 2011 [40]
A13 "A novel unsupervised classification approach for network anomaly detection by k-Means clustering and ID3 decision tree learning methods" Jour. 2009 [41]
A14 "Anomaly detection using Support Vector Machine classification with k-Medoids clustering" Conf. 2012 [42]
A15 "A comparative analysis of SVM and its stacking with other classification algorithm for intrusion detection" Conf. 2016 [43]
A16 "FRaC: a feature-modeling approach for semi-supervised and unsupervised anomaly detection" Jour. 2011 [44]
A17 "AnyOut: Anytime Outlier Detection on Streaming Data" Conf. 2012 [45]
A18 "Real-Time Anomaly Detection Framework for Many-Core Router through Machine-Learning Techniques" Jour. 2016 [46]
A19 "Ensemble-learning Approaches for Network Security and Anomaly Detection" Conf. 2017 [47]
A20 "Anomaly Detection Using an Ensemble of Feature Models" Conf. 2011 [48]
A21 "Network intrusion detection with Fuzzy Genetic Algorithm for unknown attacks" Conf. 2013 [49]
A22 "Intrusion detection in SCADA systems using machine learning techniques" Conf. 2014 [50]
A23 "A machine learning framework for network anomaly detection using SVM and GA" Conf. 2005 [51]
A24 "Anomaly-based network intrusion detection: Techniques, systems and challenges" Jour. 2008 [52]
A25 "Evolutionary neural networks for anomaly detection based on the behavior of a program" Conf. 2005 [53]
A26 "Anomaly detection in aircraft data using Recurrent Neural Networks (RNN)" Conf. 2016 [54]
A27 "Centered Hyperspherical and Hyperellipsoidal One-Class Support Vector Machines for Anomaly Detection in Sensor Networks" Conf. 2010 [55]
A28 "Anomaly Detection Using Autoencoders with Nonlinear Dimensionality Reduction" Conf. 2014 [56]
A29 "Hybrid Approach for Detection of Anomaly Network Traffic using Data Mining Techniques" Conf. 2012 [57]
A30 "Intrusion Detection System (IDS): Anomaly Detection Using Outlier Detection Approach" Conf. 2015 [58]
A31 "Flow-based anomaly detection in high-speed links using modified GSA-optimized neural network" Jour. 2012 [59]
A32 "Anomaly detection in vessel tracks using Bayesian networks" Jour. 2013 [60]
A33 "Opprentice: Towards Practical and Automatic Anomaly Detection Through Machine Learning" Conf. 2015 [61]
A34 "Unsupervised Clustering Approach for Network Anomaly Detection" Conf. 2012 [62]
A35 "Fuzzy logic-based anomaly detection for embedded network security cyber sensor" Conf. 2011 [63]
A36 "Sequential anomaly detection based on temporal-difference learning: Principles, models and case studies" Jour. 2009 [64]
A37 "Analysis of network traffic features for anomaly detection" Jour. 2014 [65]
A38 "Anomaly Detection System in Cloud Environment Using Fuzzy Clustering Based ANN" Jour. 2015 [66]
A39 "A Hybrid Network Anomaly and Intrusion Detection Approach Based on Evolving Spiking Neural Network Classification" Conf. 2014 [67]
A40 "Toward an Online Anomaly Intrusion Detection System Based on Deep Learning" Conf. 2016 [68]

A41 "Unsupervised real-time anomaly detection for streaming data" Jour. 2017 [69]
A42 "Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model" Jour. 2017 [70]
A43 "MADAM: A Multi-level Anomaly Detector for Android Malware" Conf. 2012 [71]
A44 "Anomaly Detection Through a Bayesian Support Vector Machine" Jour. 2010 [72]
A45 "Sleep stage classification using unsupervised feature learning" Jour. 2012 [73]
A46 "Toward a more practical unsupervised anomaly detection system" Jour. 2011 [74]
A47 "A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks" Jour. 2017 [75]
A48 "An autonomous labeling approach to support vector machines algorithms for network traffic anomaly detection" Jour. 2011 [76]
A49 "Anomaly Detection in GPS Data Based on Visual Analytics" Conf. 2010 [77]
A50 "A data mining approach for fault diagnosis: An application of anomaly detection algorithm" Jour. 2014 [78]
A51 "Systematic construction of anomaly detection benchmarks from real data" Jour. 2013 [79]
A52 "Anomaly detection in streaming environmental sensor data: A data-driven modeling approach" Jour. 2009 [80]
A53 "Anomaly Detection in Medical Wireless Sensor Networks using Machine Learning Algorithms" Conf. 2015 [81]
A54 "Anomaly intrusion detection based on PLS feature extraction and core vector machine" Jour. 2012 [82]
A55 "Transferred Deep Learning for Anomaly Detection in Hyperspectral Imagery" Jour. 2017 [83]
A56 "A close look on n-grams in intrusion detection: anomaly detection vs. classification" Conf. 2013 [84]
A57 "Robust tensor subspace learning for anomaly detection" Jour. 2011 [85]
A58 "Anomaly Detection with Robust Deep Autoencoders" Conf. 2017 [86]
A59 "UBL: unsupervised behavior learning for predicting performance anomalies in virtualized cloud systems" Conf. 2012 [87]
A60 "Direct Robust Matrix Factorization for Anomaly Detection" Conf. 2011 [88]
A61 "Anomaly Detection via Online Oversampling Principal Component Analysis" Jour. 2012 [89]
A62 "Generic and Scalable Framework for Automated Time-series Anomaly Detection" Conf. 2015 [90]
A63 "Sensor fault and patient anomaly detection and classification in medical wireless sensor networks" Conf. 2013 [91]
A64 "Anomaly Detection for Hyperspectral Images Based on Robust Locally Linear Embedding" Jour. 2010 [92]
A65 "A Robust Nonlinear Hyperspectral Anomaly Detection Approach" Jour. 2014 [93]
A66 "Anomaly detection based on eccentricity analysis" Conf. 2014 [94]
A67 "Data stream anomaly detection through principal subspace tracking" Jour. 2010 [95]
A68 "A Neural Network Based Anomaly Intrusion Detection System" Conf. 2011 [96]
A69 "Network anomaly detection through nonlinear analysis" Jour. 2010 [97]
A70 "Frequency-based anomaly detection for the automotive CAN bus" Conf. 2015 [98]
A71 "Context-Aware Activity Recognition and Anomaly Detection in Video" Conf. 2012 [99]
A72 "An Anomaly Detection Framework for Autonomic Management of Compute Cloud Systems" Conf. 2010 [100]
A73 "Anomaly detection on time series" Conf. 2010 [101]
A74 "Self-adaptive and dynamic clustering for online anomaly detection" Jour. 2011 [102]
A75 "An anomaly-based botnet detection approach for identifying stealthy botnets" Conf. 2011 [103]
A76 "Anomaly detection in ECG time signals via deep long short-term memory networks" Conf. 2015 [104]
A77 "Detecting anomalies in people’s trajectories using spectral graph analysis" Jour. 2011 [105]
A78 "Hybrid Deep-Learning-Based Anomaly Detection Scheme for Suspicious Flow Detection in SDN: A Social Multimedia Perspective" Jour. 2019 [106]
A79 "An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks" Jour. 2005 [107]
A80 "Learning classifiers for misuse and anomaly detection using a bag of system calls representation" Conf. 2005 [108]
A81 "Anomaly detection based on unsupervised niche clustering with application to network intrusion detection" Conf. 2004 [109]
A82 "A Discriminative Framework for Anomaly Detection in Large Videos" Conf. 2016 [110]
A83 "Anomaly Detection by Using CFS Subset and Neural Network with WEKA Tools" Conf. 2018 [111]

A84 "Online Learning and Sequential Anomaly Detection in Trajectories" Jour. 2013 [112]
A85 "Expected similarity estimation for large-scale batch and streaming anomaly detection" Jour. 2016 [113]
A86 "Self-Taught Anomaly Detection With Hybrid Unsupervised/Supervised Machine Learning in Optical Networks" Jour. 2019 [114]
A87 "Anomaly detection based on unsupervised niche clustering with application to network intrusion detection" Conf. 2004 [109]
A88 "Two-tier network anomaly detection model: a machine learning approach" Jour. 2015 [115]
A89 "Real-time network anomaly detection system using machine learning" Conf. 2015 [116]
A90 "Telemetry-mining: a machine learning approach to anomaly detection and fault diagnosis for space systems" Conf. 2006 [117]
A91 "Machine learning-based anomaly detection for post-silicon bug diagnosis" Conf. 2013 [118]
A92 "Improving one-class SVM for anomaly detection" Conf. 2003 [119]
A93 "Machine Learning Approach for IP-Flow Record Anomaly Detection" Conf. 2011 [120]
A94 "Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning" Conf. 2017 [121]
A95 "Network anomaly detection based on TCM-KNN algorithm" Conf. 2007 [122]
A96 "Seeing the invisible: forensic uses of anomaly detection and machine learning" Jour. 2008 [123]
A97 "Anomaly Detection in Sensor Systems Using Lightweight Machine Learning" Conf. 2013 [124]
A98 "Anomaly Detection on Shuttle data using Unsupervised Learning Techniques" Conf. 2019 [125]
A99 "Weighting technique on multi-timeline for machine learning-based anomaly detection system" Conf. 2015 [126]
A100 "Anomaly Detection for Key Performance Indicators Through Machine Learning" Conf. 2018 [127]
A101 "Unsupervised Anomaly Detection in Time Series Using LSTM-Based Autoencoders" Conf. 2019 [128]
A102 "Research and application of One-class small hypersphere support vector machine for network anomaly detection" Conf. 2011 [129]
A103 "Anomaly detection in network traffic using extreme learning machine" Conf. 2016 [130]
A104 "Deep Learning for Network Anomalies Detection" Conf. 2018 [131]
A105 "Using Immune Algorithm to Optimize Anomaly Detection Based on SVM" Conf. 2006 [132]
A106 "Detecting Anomalies in Application Performance Management System with Machine Learning Algorithms" Conf. 2019 [133]
A107 "Learning Rules and Clusters for Anomaly Detection in Network Traffic" Jour. 2015 [134]
A108 "Machine Learning for Anomaly Detection and Categorization in Multi-Cloud Environments" Conf. 2017 [135]
A109 "An Anomaly Detection Scheme Based on Machine Learning for WSN" Conf. 2009 [136]
A110 "Enhanced Network Anomaly Detection Based on Deep Neural Networks" Jour. 2018 [137]
A111 "CESVM: Centered Hyperellipsoidal Support Vector Machine Based Anomaly Detection" Conf. 2008 [138]
A112 "Anomaly Detection in Electrical Substation Circuits via Unsupervised Machine Learning" Conf. 2016 [139]
A113 "An anomaly intrusion detection method using the CSI-KNN algorithm" Conf. 2008 [140]
A114 "K-Means+ID3: A Novel Method for Supervised Anomaly Detection by Cascading K-Means Clustering and ID3 Decision Tree Learning Methods" Jour. 2007 [141]
A115 "Toward a reliable anomaly-based intrusion detection in real-world environments" Jour. 2016 [142]
A116 "Anomaly intrusion detection using one class SVM" Conf. 2004 [143]
A117 "ANTIDOTE: understanding and defending against poisoning of anomaly detectors" Conf. 2009 [144]
A118 "Network traffic anomaly detection using clustering techniques and performance comparison" Conf. 2013 [145]
A119 "Anomaly-Based Intrusion Detection using Fuzzy Rough Clustering" Conf. 2006 [146]
A120 "The Anomaly Detection by Using DBSCAN Clustering with Multiple Parameters" Conf. 2011 [147]
A121 "Anomaly detection in traffic using L1-norm minimization extreme learning machine" Jour. 2015 [148]
A122 "Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection" Conf. 2006 [149]
A123 "Web traffic anomaly detection using C-LSTM neural networks" Jour. 2018 [150]
A124 "Android anomaly detection system using machine learning classification" Conf. 2015 [148]
A125 "Anomaly Detection Using LibSVM Training Tools" Conf. 2008 [151]
A126 "Unsupervised SVM Based on p-kernels for Anomaly Detection" Conf. 2006 [152]
A127 "A Method for Anomaly Detection of User Behaviors Based on Machine Learning" Jour. 2006 [153]
A128 "Anomaly-Based Intrusion Detection Using Extreme Learning Machine and Aggregation of Network Traffic Statistics in Probability Space" Jour. 2018 [154]
A129 "Ramp loss one-class support vector machine; A robust and effective approach to anomaly detection problems" Jour. 2018 [155]
A130 "Estimation of subsurface temperature anomaly in the Indian Ocean during recent global surface warming hiatus from satellite measurements: A support vector machine approach" Jour. 2015 [156]
A131 "Anomaly Detection Model Based on Hadoop Platform and Weka Interface" Conf. 2016 [157]
A132 "Attack and anomaly detection in IoT sensors in IoT sites using machine learning approaches" Jour. 2019 [158]
A133 "Deep and Machine Learning Approaches for Anomaly-Based Intrusion Detection of Imbalanced Network Traffic" Jour. 2018 [159]
A134 "Anomaly Detection in Computer Security and an Application to File System Accesses" Conf. 2005 [160]
A135 "Network traffic anomaly detection using machine learning approaches" Conf. 2012 [161]
A136 "ManetSVM: Dynamic anomaly detection using one-class support vector machine in MANETs" Conf. 2013 [162]
A137 "Semi-Supervised Anomaly Detection for EEG Waveforms Using Deep Belief Nets" Conf. 2010 [163]
A138 "Using Machine Learning for Behavior-Based Access Control: Scalable Anomaly Detection on TCP Connections and HTTP Requests" Conf. 2013 [164]
A139 "Applying machine learning classifiers to dynamic android malware detection at scale" Conf. 2013 [165]
A140 "Big Data Analytics for User-Activity Analysis and User-Anomaly Detection in Mobile Wireless Network" Jour. 2017 [166]
A141 "Anomaly detection using machine learning with a case study" Conf. 2014 [167]
A142 "Octopus-IIDS: An anomaly based intelligent intrusion detection system" Conf. 2010 [168]
A143 "A hybrid method based on genetic algorithm, self-organised feature map, and support vector machine for better network anomaly detection" Conf. 2013 [169]
A144 "Anomaly Detection Support Vector Machine and Its Application to Fault Diagnosis" Conf. 2008 [170]
A145 "Evaluation of Machine Learning-based Anomaly Detection Algorithms on an Industrial Modbus/TCP Data Set" Conf. 2018 [171]
A146 "Network Anomaly Traffic Detection Method Based on Support Vector Machine" Conf. 2016 [172]
A147 "Anomaly detection of spacecraft based on least squares support vector machine" Conf. 2011 [173]
A148 "A Model Based on Hybrid Support Vector Machine and Self-Organizing Map for Anomaly Detection" Conf. 2010 [174]
A149 "Anomaly detection in wide area network meshes using two machine learning algorithms" Jour. 2018 [175]
A150 "Image Anomaly Detection with Generative Adversarial Networks" Conf. 2019 [176]
A151 "Performance evaluation of BGP anomaly classifiers" Conf. 2015 [177]
A152 "An uncertainty-managing batch relevance-based approach to network anomaly detection" Jour. 2015 [178]
A153 "Energy Consumption Data Based Machine Anomaly Detection" Conf. 2014 [167]
A154 "A Novel Algorithm for Network Anomaly Detection Using Adaptive Machine Learning" Conf. 2017 [179]
A155 "Thermal anomaly prediction in data centers" Conf. 2010 [180]
A156 "On the symbiosis of specification-based and anomaly-based detection" Jour. 2010 [181]
A157 "A holistic smart home demonstrator for anomaly detection and response" Conf. 2015 [182]
A158 "Online Anomaly Detection in Crowd Scenes via Structure Analysis" Jour. 2014 [183]
A159 "Hierarchical Temporal Memory Based Machine Learning for Real-Time, Unsupervised Anomaly Detection in Smart Grid: WiP Abstract" Conf. 2020 [184]
A160 "One-class extreme learning machines for gas turbine combustor anomaly detection" Conf. 2016 [185]
A161 "Recurrent Neural Network Attention Mechanisms for Interpretable System Log Anomaly Detection" Conf. 2018 [186]
A162 "Anomaly detection based on profile signature in network using machine learning technique" Conf. 2016 [187]
A163 "Nonlinear structure of escape-times to falls for a passive dynamic walker on an irregular slope: Anomaly detection using multi-class support vector machine and latent state extraction by canonical correlation analysis" Conf. 2011 [188]
A164 "A Self-Adaptive Deep Learning-Based System for Anomaly Detection in 5G Networks" Jour. 2018 [189]
A165 "RoADS: A Road Pavement Monitoring System for Anomaly Detection Using Smart Phones" Conf. 2016 [190]
A166 "Unitary Anomaly Detection for Ubiquitous Safety in Machine Health Monitoring" Conf. 2012 [191]
A167 "An HMM-Based Anomaly Detection Approach for SCADA Systems" Conf. 2016 [192]
A168 "Symbolic time series analysis for anomaly detection: A comparative evaluation" Jour. 2005 [193]

A169 "Anomaly Detection Using Real-Valued Negative Selection" Jour. 2003 [194]
A170 "Anomaly detection using the correlational paraconsistent machine with digital signatures of network segment" Jour. 2017 [195]
A171 "Combining negative selection and classification techniques for anomaly detection" Conf. 2002 [196]
A172 "A Geometric Framework for Unsupervised Anomaly Detection" Jour. 2002 [197]
A173 "Monitoring Smartphones for Anomaly Detection" Jour. 2008 [198]
A174 "Learning rules for anomaly detection of hostile network traffic" Conf. 2003 [199]
A175 "System Anomaly Detection: Mining Firewall Logs" Conf. 2006 [200]
A176 "Rule-Based Anomaly Detection on IP Flows" Conf. 2009 [201]
A177 "Is negative selection appropriate for anomaly detection?" Conf. 2005 [202]
A178 "Anomaly detection and classification in a laser powder bed additive manufacturing process using a trained computer vision algorithm" Jour. 2018 [203]
A179 "Stealthy poisoning attacks on PCA-based anomaly detectors" Jour. 2009 [204]
A180 "Fusions of GA and SVM for Anomaly Detection in Intrusion Detection System" Conf. 2005 [205]
A181 "Deep Learning Anomaly Detection as Support Fraud Investigation in Brazilian Exports and Anti-Money Laundering" Conf. 2016 [206]
A182 "An Anomaly Detection Method for Spacecraft Using Relevance Vector Learning" Conf. 2005 [207]
A183 "ALDO: An Anomaly Detection Framework for Dynamic Spectrum Access Networks" Conf. 2009 [208]
A184 "ADMIT: anomaly-based data mining for intrusions" Conf. 2002 [209]
A185 "IEEE 802.11 Network Anomaly Detection and Attack Classification: A Deep Learning Conf. 2017 [210]
Approach"
A186 "Defying the gravity of learning curve: a characteristic of nearest neighbour anomaly detectors" Jour. 2016 [211]
A187 "Detecting Anomaly in Videos from Trajectory Similarity Analysis" Conf. 2007 [212]
A188 "An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks" Jour. 2005 [107]
A189 "DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning" Conf. 2017 [213]
A190 "Anomaly detection in earth dam and levee passive seismic data using support vector machines and automatic feature selection" Jour. 2017 [214]
A191 "MS-LSTM: A multi-scale LSTM model for BGP anomaly detection" Conf. 2016 [215]
A192 "SAD: web session anomaly detection based on parameter estimation" Jour. 2004 [216]
A193 "Evolutionary Learning Program’s Behavior in Neural Networks for Anomaly Detection" Conf. 2004 [217]
A194 "Spatio-Temporal AutoEncoder for Video Anomaly Detection" Conf. 2017 [218]
A195 "Robust feature selection and robust PCA for internet traffic anomaly detection" Conf. 2012 [219]
A196 "Deep Anomaly Detection with Deviation Networks" Conf. 2019 [220]
A197 "Machine learning and transport simulations for groundwater anomaly detection" Jour. 2020 [221]
A198 "Unsupervised machine learning for network-centric anomaly detection in IoT" Conf. 2019 [222]
A199 "Hybrid Machine Learning for Network Anomaly Intrusion Detection" Conf. 2020 [223]
A200 "An anomaly prediction framework for financial IT systems using hybrid machine learning methods" Jour. 2019 [224]
A201 "Kernel Eigenspace Separation Transform for Subspace Anomaly Detection in Hyperspectral Imagery" Jour. 2007 [225]
A202 "An unsupervised anomaly intrusion detection algorithm based on swarm intelligence" Conf. 2005 [226]
A203 "Maritime situation analysis framework: Vessel interaction classification and anomaly detection" Conf. 2015 [227]
A204 "An ensemble learning framework for anomaly detection in building energy consumption" Jour. 2017 [228]
A205 "Ensemble methods for anomaly detection and distributed intrusion detection in Mobile Ad-Hoc Networks" Jour. 2008 [229]
A206 "Unsupervised Anomaly Intrusion Detection via Localized Bayesian Feature Selection" Conf. 2011 [230]
A207 "McPAD: A multiple classifier system for accurate payload-based anomaly detection" Jour. 2009 [231]
A208 "Detecting errors within a corpus using anomaly detection" Conf. 2000 [232]
A209 "Efficient Top Rank Optimization with Gradient Boosting for Supervised Anomaly Detection" Conf. 2017 [233]
A210 "Semi-supervised learning based big data-driven anomaly detection in mobile wireless networks" Jour. 2018 [234]
A211 "Wireless Anomaly Detection Based on IEEE 802.11 Behavior Analysis" Jour. 2015 [235]

A212 "Spatial anomaly detection in sensor networks using neighborhood information" Jour. 2017 [236]
A213 "Anomaly Detection in Cyber Physical Systems Using Recurrent Neural Networks" Conf. 2017 [237]
A214 "Control variable classification, modeling and anomaly detection in Modbus/TCP SCADA systems" Jour. 2015 [238]
A215 "A hybrid approach for efficient anomaly detection using metaheuristic methods" Jour. 2015 [239]
A216 "Experience Report: System Log Analysis for Anomaly Detection" Conf. 2016 [19]
A217 "Towards Learning Normality for Anomaly Detection in Industrial Control Networks" Conf. 2013 [240]
A218 "Anomaly detection approach using hybrid algorithm of data mining technique" Conf. 2017 [241]
A219 "Adaptive Anomaly Identification by Exploring Metric Subspace in Cloud Computing Infrastructures" Conf. 2013 [242]
A220 "Towards reliable data feature retrieval and decision engine in host-based anomaly detection systems" Conf. 2015 [243]
A221 "Using an Ensemble of One-Class SVM Classifiers to Harden Payload-based Anomaly Detection Systems" Conf. 2006 [244]
A222 "An anomaly detection method to detect web attacks using Stacked Auto-Encoder" Conf. 2018 [245]
A223 "Anomaly Detection Enhanced Classification in Computer Intrusion Detection" Conf. 2002 [246]
A224 "Simple, state-based approaches to program-based anomaly detection" Jour. 2002 [247]
A225 "Adaptive anomaly detection with evolving connectionist systems" Jour. 2007 [248]
A226 "Enhancing Anomaly Detection Using Temporal Pattern Discovery" Jour. 2009 [249]
A227 "Anomaly Detection in IPv4 and IPv6 networks using machine learning" Conf. 2015 [250]
A228 "A training-resistant anomaly detection system" Jour. 2018 [251]
A229 "Conditional Anomaly Detection" Jour. 2007 [252]
A230 "An anomaly detection in smart cities modeled as wireless sensor network" Conf. 2016 [253]
A231 "Spatiotemporal Anomaly Detection in Gas Monitoring Sensor Networks" Conf. 2008 [254]
A232 "Using Naive Bayes with AdaBoost to Enhance Network Anomaly Intrusion Detection" Conf. 2010 [255]
A233 "Applying both positive and negative selection to supervised learning for anomaly detection" Conf. 2005 [256]
A234 "Real-time camera anomaly detection for real-world video surveillance" Conf. 2011 [257]
A235 "Network Anomaly Detection with Stochastically Improved Autoencoder Based Models" Conf. 2017 [258]
A236 "Learning deep event models for crowd anomaly detection" Jour. 2017 [259]
A237 "GANomaly: Semi-supervised Anomaly Detection via Adversarial Training" Conf. 2018 [260]
A238 "Mote-Based Online Anomaly Detection Using Echo State Networks" Conf. 2009 [261]
A239 "Genetic algorithm with different feature selection techniques for anomaly detectors generation" Conf. 2013 [262]
A240 "RawPower: Deep Learning based Anomaly Detection from Raw Network Traffic Measurements" Conf. 2018 [263]
A241 "Network security and anomaly detection with Big-DAMA, a big data analytics framework" Conf. 2017 [264]
A242 "An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls" Conf. 2004 [265]
A243 "An anomaly detection framework for BGP" Conf. 2011 [266]
A244 "Semantic anomaly detection in online data sources" Conf. 2002 [267]
A245 "A framework for efficient network anomaly intrusion detection with features selection" Conf. 2018 [268]
A246 "Cross-Layer Based Anomaly Detection in Wireless Mesh Networks" Conf. 2009 [269]
A247 "Reducing calculation requirements in FPGA implementation of deep learning algorithms for online anomaly intrusion detection" Conf. 2017 [270]
A248 "Anomaly detection in network traffic using K-mean clustering" Conf. 2016 [271]
A249 "Stream-based Machine Learning for Network Security and Anomaly Detection" Conf. 2018 [272]
A250 "Multivariate Online Anomaly Detection Using Kernel Recursive Least Squares" Conf. 2007 [273]
A251 "A Hybrid Autoencoder and Density Estimation Model for Anomaly Detection" Conf. 2016 [274]
A252 "Optimizing false positive in anomaly based intrusion detection using Genetic algorithm" Conf. 2016 [275]
A253 "Deep-anomaly: Fully convolutional neural network for fast anomaly detection in crowded scenes" Jour. 2018 [276]
A254 "Group Anomaly Detection Using Deep Generative Models" Conf. 2019 [277]


A255 "Anomaly Detection in IaaS Clouds" Conf. 2013 [278]


A256 "An ensemble framework of anomaly detection using hybridized feature selection approach (HFSA)" Conf. 2015 [279]
A257 "Anomaly detection combining one-class SVMs and particle swarm optimization algorithms" Jour. 2011 [280]
A258 "Anomaly detection through on-line isolation Forest: An application to plasma etching" Conf. 2017 [281]
A259 "Practical anomaly detection based on classifying frequent traffic patterns" Conf. 2012 [282]
A260 "A hybrid model for anomaly-based intrusion detection in SCADA networks" Conf. 2018 [283]
A261 "CH-SVM Based Network Anomaly Detection" Conf. 2007 [284]
A262 "MAD-GAN: Multivariate Anomaly Detection for Time Series Data with Generative Adversarial Networks" Conf. 2019 [285]
A263 "Anomaly Detection from Network Logs Using Diffusion Maps" Conf. 2011 [286]
A264 "A Deep Learning Approach for Network Anomaly Detection Based on AMF-LSTM" Conf. 2018 [287]
A265 "Reducing Features of KDD CUP 1999 Dataset for Anomaly Detection Using Back Propagation Neural Network" Conf. 2015 [288]
A266 "Online Anomaly Prediction for Robust Cluster Systems" Conf. 2009 [289]
A267 "A study on anomaly detection ensembles" Jour. 2017 [290]
A268 "Big data analytics for network anomaly detection from netflow data" Conf. 2017 [291]
A269 "An anomaly-based network intrusion detection system using Deep learning" Conf. 2017 [292]
A270 "An Empirical Evaluation of Deep Learning for Network Anomaly Detection" Conf. 2018 [293]
A271 "Network Anomaly Detection Using Random Forests and Entropy of Traffic Features" Conf. 2013 [294]
A272 "Quarter Sphere Based Distributed Anomaly Detection in Wireless Sensor Networks" Conf. 2007 [295]
A273 "Anomaly based intrusion detection using meta ensemble classifier" Conf. 2012 [296]
A274 "Applying Machine Learning to Anomaly-Based Intrusion Detection Systems" Conf. 2019 [297]
A275 "Collective Anomaly Detection Based on Long Short-Term Memory Recurrent Neural Networks" Conf. 2016 [298]
A276 "AD-IoT: Anomaly Detection of IoT Cyberattacks in Smart City Using Machine Learning" Conf. 2019 [299]
A277 "Less is More: Building Selective Anomaly Ensembles" Jour. 2016 [300]
A278 "The best of both worlds: a framework for the synergistic operation of host and cloud anomaly-based IDS for smartphones" Conf. 2014 [301]
A279 "A-GHSOM: An adaptive growing hierarchical self-organizing map for network anomaly detection" Jour. 2012 [302]
A280 "Single-image splicing localization through autoencoder-based anomaly detection" Conf. 2017 [303]
A281 "Efficacy of Hidden Markov Models Over Neural Networks in Anomaly Intrusion Detection" Conf. 2006 [304]
A282 "An approach to spacecraft anomaly detection problem using kernel feature space" Conf. 2005 [305]
A283 "Machine Learning in Anomaly Detection: Example of Colluded Applications Attack in Android Devices" Conf. 2019 [306]
A284 "Optimal virtual machine selection for anomaly detection using a swarm intelligence approach" Jour. 2019 [307]
A285 "Anomaly Detection in Power Quality Measurements Using Proximity-Based Unsupervised Machine Learning Techniques" Conf. 2019 [308]
A286 “Network-Wide Traffic Anomaly Detection and Localization Based on Robust Multivariate Probabilistic Calibration Model” Jour. 2015 [309]
A287 “Machine learning for anomaly detection and process phase classification to improve safety and maintenance activities.” Jour. 2020 [310]
A288 “Anomaly detection based on machine learning in IoT-based vertical plant wall for indoor climate control.” Jour. 2020 [311]

A289 "Anomaly detection in electronic invoice systems based on machine learning" Conf. 2020 [312]

A290 "Anomaly detection in wireless sensor network using machine learning algorithm" Jour. 2020 [313]

A291 "A Hybrid Unsupervised Clustering-Based Anomaly Detection Method" Jour. 2020 [314]


A292 “Network traffic anomalies detection and identification with flow monitoring” Conf. 2008 [315]

A293 “Network Traffic Anomaly Detection and Prevention, Concepts” Jour. 2017 [316]
A294 “Network Traffic Anomaly Detection Based on Information Gain and Deep Learning” Conf. 2019 [317]
A295 “Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation” Conf. 2005 [318]
A296 “Network traffic anomalies detection and identification with flow monitoring” Conf. 2008 [315]
A297 “Network Traffic Anomaly Detection and Prevention, Concepts” Jour. 2017 [316]


Table 8. Performance Metrics Among Selected Papers

ID | Type | ML Model | Performance Metrics (value) | Dataset
A1 | supervised and unsupervised | enhanced SVM | Detection Rate (DR) 87.74; False Positive Rate (FPR) 10.2; False Negative Rate (FNR) NA; Processing Time (PT) 27.27 | MIT Lincoln Lab
A2 | unsupervised | DBN with 1SVM | Area Under Curve (AUC) 0.9863; Accuracy (ACC) 0.0625; Testing Time 0.2093 | six real life data set from UCI machine learning repository and two synthetic "Banana" and "Smiley"
A3 | semi-supervised | DRBM | Accuracy (ACC) 0.94 | KDD99
A4 | semi-supervised | multiple kernel | Statistics Discrete 19; Statistics Continuous 94; Statistics Heterogeneous 114 | Flight Data Recorders
A5 | unsupervised | Generative Adversarial Network (GAN) | Precision 0.8834; Recall 0.7277; Sensitivity 0.7279; Specificity 0.8928; Area Under Curve (AUC) 0.89 | real-life-datasets
A6 | unsupervised | eta one-class SVM | Area Under Curve (AUC) 0.9972; CPU execution 27.48±0.25 ms | UCI machine learning repository
A7 | supervised and unsupervised | J48 | Accuracy (ACC) (99.6298% - 99.9767%) | KDD99
A8 | supervised | k-Means with C4.5 | F-Score 94; True Positive Rate (TPR) 99.6; False Positive Rate (FPR) 0.1; Accuracy (ACC) 95.8; Precision 95.6 | KDD99
A9 | na | SVM + DT + SA | Accuracy (ACC) 99.96% | KDD99
A10 | supervised | Random Tree | Mean Absolute Error (MAE) 0.0321; Root Mean Squared Error (RMSE) 0.0321; Kappa Statistics 0.8926; Error Measure 0.254; Recall 0.968; Precision 0.968; F-Score 0.968; False Alarm Rate (FAR) 0.074; Accuracy (ACC) 0.9974 | NSL-KDD 99
A11 | na | one class SVM with C4.5 | False Positive Rate (FPR); Testing Time 11.2 | NSL-KDD 99
A12 | semi-supervised | decision tree | NA NA | NA
A13 | unsupervised | ID3 decision tree + k-Means clustering | Sensitivity 0.961538; Specificity 0.999747; Negative likelihood 0.038471; Positive Predictive Ratio 0.981567; Negative Predictive Ratio 0.999444 | real evaluation test bed network datasets
A14 | unsupervised | SVM + K-Medoids clustering | Accuracy (ACC) 99.79; Detection Rate (DR) 99.87; False Alarm Rate (FAR) 0.99 | Kyoto2006+ data set and KDD Cup 1999
A15 | supervised | SVM + Random Forest | Accuracy (ACC) 97.5; Sensitivity 93.49; Specificity 98.38; Precision 97.6; Recall 97.6 | NSL-KDD99 dataset
A16 | semi-supervised and unsupervised | FRaC | Area Under Curve (AUC) 1 | UCI machine learning repository
A17 | supervised | Cluster | Area Under Curve (AUC) 0.996 | UCI machine learning repository
A18 | supervised and unsupervised | SVM | Accuracy (ACC) 95% to 97%; Precision NA; Recall NA | “Golden Dataset” for Real-Time Anomaly Detection
A19 | supervised | Super Learner ensemble learning model | Area Under Curve (AUC) 0.999; False Positive Rate (FPR) 5%; Detection Rate (DR) 97% | MAWILab dataset
A20 | semi-supervised | FRaC | Area Under Curve (AUC) 0.9 | UCI machine learning repository
A21 | supervised | fuzzy genetic algorithm | Detection Rate (DR) 97.92; False Negative Rate (FNR) 4.10%; False Positive Rate (FPR) 1.13% | KDD99 dataset
A22 | supervised | one-class SVM | Accuracy (ACC) 98.8796 | network dataset


A23 | supervised and unsupervised | SVM + GA | Correction Rate 94.7; False Positive Rate (FPR) 5.23; False Negative Rate (FNR) NA | MIT Lincoln Lab
A24 | supervised | NA | NA NA | NA
A25 | supervised | evolutionary neural networks | False Alarm Rate (FAR) 0.7; Detection Rate (DR) 100% | 1999 DARPA IDEVAL dataset
A26 | semi-supervised and unsupervised | Recurrent Neural Networks (RNN) | Precision 1; Recall 0.818; F-Score 0.89 | X-Plane simulation
A27 | NA | (CESVM) and (QSSVM) | Detection Rate (DR) 80%; Area Under Curve (AUC) 0.9932 | UCI machine learning repository
A28 | unsupervised | autoencoder | Area Under Curve (AUC) 0.9764 | spacecrafts’ telemetry data and generated data from Lorenz system
A29 | NA | SVM + Entropy | Correctly Classification rate (CCR) 97.25%; Misclassified Rate (MR) 2.75% | MIT Lincoln (DARPA, 1999)
A30 | NA | Neighborhood Outlier Factor (NOF) | Detection Rate (DR) 2400; CPU Utilization 10%; Testing Time 95000 ms | KDD cup 99 dataset
A31 | supervised | modified gravitational search algorithm (MGSA) | Correctly Classification rate (CCR) 97.76; Misclassified Rate (MR) 2.48; False Alarm Rate (FAR) 0.21; Error Rate 2.24 | NA
A32 | unsupervised | Bayesian networks | Area Under Curve (AUC) 0.727; False Positive Rate (FPR) NA; True Positive Rate (TPR) NA | real world Automated Identification System
A33 | supervised | random forest | Precision 0.89 | KPI data
A34 | unsupervised | Clustering algorithms | Accuracy (ACC) 80.15%; False Positive Rate (FPR) 21.14% | NSL-KDD
A35 | unsupervised | Fuzzy Rule Based | Correctly Classification rate (CCR) 99.36%; False Negative Rate (FNR) 0.90%; Testing Time 0.212 ms | set of network data recorded from an experimental test-bed mimicking the environment of a critical infrastructure control system.
A36 | supervised | TD | False Alarm Rate (FAR) 0.002951 | real life time data
A37 | supervised | filters and regression wrappers | Accuracy (ACC) 99.21±0.04; Area Under Curve (AUC) 0.997±0.001; Recall 99.16±0.12; Precision 99.57±0.05 | NSL-KDD
A38 | NA | Fuzzy Means clustering algorithm and Artificial Neural Network | Precision 99.94; Recall 97.2; F-Score 99.32; Detection Rate (DR) 99.96; False Alarm Rate (FAR) 0.2 | DARPA’s KDD cup dataset 1999
A39 | supervised and unsupervised | evolving Spiking Neural Network | Accuracy (ACC) 99.90% | KDD Cup 1999 data
A40 | unsupervised | deep belief network using Logistic Regression | Accuracy (ACC) 97.90%; True Positive Rate (TPR) 97.51%; True Negative Rate (TNR) 99.48%; False Positive Rate (FPR) 0.51%; False Negative Rate (FNR) 2.48% | DARPA KDDCUP’99 dataset
A41 | unsupervised | Hierarchical Temporal Memory (HTM) | Prediction Error NA; CPU Utilization NA | Benchmark dataset (NAB)
A42 | supervised and unsupervised |  | Accuracy (ACC) 99.9; True Positive Rate (TPR) 0.997; False Positive Rate (FPR) 0.003 | NSL-KDD dataset
A43 | NA | K-Nearest Neighbors | CPU Utilization 7%; False Positive Rate (FPR) 0.000171 | NA
A44 | supervised | CALCEsvm | Accuracy (ACC) 94% | NA
A45 | unsupervised | DBN | Accuracy (ACC) 72.2±9.7 | Benchmark Dataset and Home Sleep Dataset
A46 | unsupervised | cluster + 1-SVM | Accuracy of normal data (ACC) 100%; Accuracy of attack data (ACC) 79%; False Negative Rate (FNR) 0.10%; False Positive Rate (FPR) 20.50% | real traffic data
A47 | supervised | RNN | Detection Rate (DR) 97.09%; Accuracy (ACC) 81.29%; False Positive Rate (FPR) 0.07 | benchmark NSL-KDD dataset
A48 | unsupervised | SVM | Detection Rate (DR) 87.64; False Alarm Rate (FAR) 6.73 | 1998 DARPA


A49 | supervised | conditional random field | Accuracy (ACC) 0.81; Query by Committee 0.9 | GPS data
A50 | supervised | SVM | Accuracy (ACC) 97% | NSF I/UCR Center
A51 | NA | Isolation Forest model (IF); Ensemble Gaussian Mixture Model (egmm) | Area Under Curve (AUC) 17; Area Under Curve (AUC) 14 | benchmark dataset
A52 | NA | NC + MLP + LC + AD; NC + MLP + LC + ADAM | NC + MLP + LC + AD: False Positive Rate (FPR) 5.18%, False Negative Rate (FNR) 5.30%; NC + MLP + LC + ADAM: False Positive Rate (FPR) 6.38%, False Negative Rate (FNR) 0.00% | UCI machine learning repository
A53 | NA | Random Forest (RF) + Linear Regression (LR) | Mean Absolute Error (MAE) 0.0145; Testing Time 1.43 s | real medical datasets
A54 | NA | core Vector Machine | CPU Execution Time 2.72 s; Support Vector 21; Detection Rate (DR) 99.74%; Accuracy (ACC) 99.87% | KDD'99 dataset
A55 | NA | convolutional neural network | Accuracy (ACC) 98.28; Testing Time 483 s | Airborne Visible/Infrared Imaging Spectrometer and AVIRIS sensor data
A56 | NA | SVM | True Positive Rate (TPR) 81.50%; False Positive Rate (FPR) 0.01 | DARPA IDS evaluation dataset
A57 | NA | NA | similarity measurement NA | two video sequence
A58 | supervised and unsupervised | neural network | F-Score 0.64; Recall 0.64; Precision 0.64 | MNIST dataset
A59 | unsupervised | Self Organizing Map (SOM) | True Positive Rate (TPR) 98%; False Positive Rate (FPR) 1.70% | IBM Systems and MemLeak and NetHog dataset
A60 | unsupervised | DRMF | Precision 0.805; Testing Time 23.760 s | simulation and real-world data set
A61 | NA | PCA | Area Under Curve (AUC) 0.9987; CPU Execution Time 2.697 s; True Positive Rate (TPR) 0.9133±0.0327; False Positive Rate (FPR) 0.0697±0.0188 | KDD data set
A62 | unsupervised | Extensible Generic | Accuracy (ACC) 0.9 | real and synthetic data
A63 | NA | decision tree (DT) and linear regression (LR) | True Positive Rate (TPR) 100%; False Positive Rate (FPR) 7.40% | real patient datasets from Physionet database
A64 | NA | Linear Embedding (LE) | Testing Time 29.1 | data from Hyperion on the EO-1 satellite and HYDICE on an airborne platform
A65 | unsupervised | kernel + regression | Area Under Curve (AUC) 0.89669 | nonlinear synthetic data
A66 | NA | NA | NA NA | NA
A67 | NA | NA | F-Score 0.86 | Abilene datasets and ISP datasets
A68 | NA | neural network | Detection Rate (DR) 90%; Positive rate (PR) 3% | KDD'99
A69 | supervised | SVM | Correctly Classification rate (CCR) 98.24%; Misclassified Rate (MR) 1.46%; Precision 0.985; Recall 1; Mean Absolute Error (MAE) 0.015; Kappa Statistics 0.646; Area Under Curve (AUC) 0.949 | DARPA dataset
A70 | NA | one-class support vector | Area Under Curve (AUC) 0.9905; Testing Time 0.4 s | CAN bus data from a 2011 Ford Explorer
A71 | NA | SVM | Area Under Curve (AUC) (video clips) 79.8%; Area Under Curve (AUC) (continuous videos) 68.5% | VIRATGroundDataset
A72 | unsupervised | Bayesian Network + PCA | NA NA | NA
A73 | supervised | k-NN | False Alarm Rate (FAR) 0.225; Computational Cost 0.025 | UCR time series classification/clustering page
A74 | unsupervised | SOM + k-means | Detection Rate (DR) 0.966; False Positive Rate (FPR) 0.13 | KDD cup 99 dataset and Kyoto data set
A75 | NA | cluster | Detection Rate (DR) 100% | database produced by Domain-IP Mapping component
A76 | NA | neural network | F-Score 0.9645; Precision 0.975; Recall 0.4647; False Positive Rate (FPR) 0.0119; True Positive Rate (TPR) 39.05 | MIT-BIH Arrhythmia Database


A77 | unsupervised | NA | NA NA | Edinburgh Informatics Forum Pedestrian Database
A78 | supervised | RBM and SVM | Detection Rate (DR) 99.04; False Positive Rate (FPR) 1.31; Accuracy (ACC) 99.98; Precision 99.03; F-Score 99.5 | real-time and benchmark datasets
A79 | supervised and unsupervised | SOM + J.48 | Detection Rate (DR) 99.90%; Correctly Classification rate (CCR) 99.84; False Positive Rate (FPR) 1.25 | KDD cup 99 dataset
A80 | unsupervised | one class Naive Bayes algorithm and K-Means clustering | Accuracy (ACC) 99.28%; Detection Rate (DR) 100%; False Positive Rate (FPR) 1.29 | MIT Lincoln Labs and University of New Mexico (UNM) system call sequences
A81 | unsupervised | clustering | Accuracy (ACC) 95.7; Detection Rate (DR) 96.32; False Positive Rate (FPR) 7.75 | synthetic and real data sets (KDDCup'99 data set and Wisconsin Breast Cancer and Indian Diabetes)
A82 | unsupervised | NA | Area Under Curve (AUC) 0.91 | Avenue Dataset and Subway surveillance dataset and the Personal Vacation Dataset and the UMN Unusual Activity Dataset
A83 | supervised and unsupervised | Neural network + CFS | CPU Utilization 13%; Detection Rate (DR) 83%; Testing Time 110000 ms | trained data of about two thousand connection records and test data includes five thousand connection records and a group of forty-one derived features received from every connection
A84 | supervised and unsupervised | SHNN-CAD | Accuracy (ACC) 88.3; F-Score 0.75; Detection Delay 10.3 | four different labeled trajectory datasets
A85 | unsupervised | kernel methods (EXPoSE) | Area Under Curve (AUC) 1.85; Accuracy (ACC) 1.7 | smaller benchmark datasets with known anomaly classes and KDD'99 cup and forest cover type
A86 | supervised and unsupervised | DCM and DCRM | False Negative Rate (FNR) 0.91; False Positive Rate (FPR) 0.07; Freq. of validation 29.82 | testbed
A87 | unsupervised | Niche Clustering | accuracy 96.99% | synthetic and real data set KDDCup'99
A88 | NA | Naïve Bayes, KNN | Detection Rate (DR) 83.24; False Alarm Rate (FAR) 4.83 | NSL-KDD
A89 | NA | SVM | cross-validation 90.3 | na
A90 | NA | Relevance Vector Machine (RVM) and Dynamic Bayesian Network | Ratio of Thruster, Estimated Outputs of All Thrusters na | Rendezvous Simulation
A91 | NA | temporal relations | Anomaly mean 0.76; Anomaly standard deviation 0.14; Anomaly threshold 0.99 | real data of raw sensor data and synthetic data of instances of a predefined set of activities
A92 | NA | One-class SVM | Accuracy (ACC) 96% | 1999 DARPA audit logs
A93 | unsupervised | OCSVM | Accuracy (ACC) 93.8; False Positive Rate (FPR) 0.1; True Negative Rate (TNR) 100 | Flame website dataset plus extending it with their own
A94 | NA | SVM; DNN | Precision 98.2; Recall 69.9; F-Score 80.2 | SWaT testbed
A95 | NA | TCM-KNN | True Positive Rate (TPR) 99.48; True Negative Rate (TNR) 2.81 | KSS Cup 1999
A96 | NA | na | Detection Rate (DR) 100 | generated dataset
A97 | NA | Recursive Least Squares (RLS) | True Positive Rate (TPR) 21; True Negative Rate (TNR) 4.9 | 3 synthetic datasets and the real-world dataset
A98 | unsupervised | OneClassSVM; Local Outlier Factor LOF; isolation forest; Elliptic Envelope | Precision 99%; Recall 99%; F-Score 99% | Shuttle dataset; satellite dataset
A99 | NA | k-nearest neighbor, and one-class support vector machine | F-Score na | real life time data
A100 | NA | LSTM; Gradient Boosting Regression Trees | Precision 92%; Recall 63.94%; F-Score 89.37 | na


A101 | unsupervised | OneClassSVM; LSTM | Accuracy (ACC) 87% | DCASE
A102 | NA | One-class small hypersphere support vector machine classifier (OCSHSVM) | Precision 98.17%; Recall 97.16% | NSL-KDD
A103 | NA | ELM | Accuracy (ACC) 99.94% | NSL-KDD
A104 | unsupervised | AE K-Means | Accuracy (ACC) 995; Precision 99% | KDD99
A105 | NA | SVM | Detection Time 25.43s; Accuracy (ACC) 96.57% | na
A106 | NA | xgboost | Precision 80.64%; Recall 78.23%; F-Score 79% | real world dataset
A107 | NA | LERAD; CLAD | na na | DARPA 99
A108 | supervised | LR + RF | Accuracy (ACC) 99%; categorizing Accuracy 93.60% | UNSW
A109 | NA | Bayesian | False Positive Rate (FPR) 3%; Detection Rate (DR) 99% | DARPA 1998
A110 | NA | DCNN + LSTM | Accuracy (ACC) 89% | NSLKDD
A111 | NA | centered hyperellipsoidal support vector machine CESVM | Detection Rate (DR) 80%; False Positive Rate (FPR) 10% | real world dataset
A112 | unsupervised | na | Detection Rate (DR) 92.06% | RTDS
A113 | NA | CSI-KNN | Detection Rate (DR) 94.60%; False Positive Rate (FPR) 3%; Accuracy (ACC) 95.10% | KDD99
A114 | NA | K-means; ID3 Decision Tree | Accuracy (ACC) 96.24%; False Positive Rate (FPR) 0.03%; True Positive Rate (TPR) 0.76%; F-Score na; Precision na | NAD; DED; MSD
A115 | NA | Decision Tree; Naïve Bayes | Accuracy (DT) 99.36%; FP (DT) 1.29%; FN (DT) 0.00%; Accuracy (NB) 95.23%; FP (NB) 8.57%; FN (NB) 0.97% | DARPA1998
A116 | unsupervised | one class SVM | Accuracy 95.50%; Detection rate 93.30%; False Alarm 2.30%; Correlation 0.85 | UNM dataset
A117 | NA | PCA | Detection Rate (DR) na; False Negative Rate (FNR) na; AUC na | Abilene (Internet2 backbone)
A118 | NA | Fuzzy c-means clustering (FCM) + K-means clustering and Gaussian mixture Model (GMM) | na na | Netflow data
A119 | unsupervised | Fuzzy Rough C-means | Accuracy (ACC) 82.46%; Detection Rate (DR) 91.45%; False Alarm Rate (FAR) 24.80%; correlation 0.556 | KDDCup’99
A120 | NA | DBSCAN Clustering | Detection Rate (DR) 0.961; False Alarm Rate (FAR) 0.362 | KDD Cup 1999
A121 | NA | Extreme learning machine | Recall 0.98897; Accuracy (ACC) 0.9513 | synthetic datasets and three UCI datasets
A122 | unsupervised | random forest | False Positive Rate (FPR) na; Detection Rate (DR) na | KDD Cup 1999
A123 | NA | convolutional neural network (CNN), long short-term memory (LSTM), and deep neural network (DNN) | Accuracy (ACC) 98.60%; Recall 89.70% | Yahoo S5 Webscope Dataset
A124 | NA | SVM | Accuracy (ACC) 85.60%; True Positive Rate (TPR) na; False Positive Rate (FPR) na | real life dataset
A125 | unsupervised | LibSVM | Detection Rate (DR) 95%; False Positive Rate (FPR) 7% | KDD Cup 1999


A126 | unsupervised | SVM and P-kernel | Detection Rate (DR) 98%; False Positive Rate (FPR) 6% | KDD Cup 1999
A127 | NA | sequence-matching algorithm | False Positive Rate (FPR) 1.5; True Positive Rate (TPR) 92.8 | Purdue University dataset
A128 | supervised | Extreme Learning Machine (ELM) | Detection Rate (DR) 91%; Misclassified Rate (MR) 9% | ISCX-IDS 2012 dataset
A129 | semisupervised | one-class support vector machine with ramp loss function | Accuracy (ACC) 98.59; Detection Rate (DR) 98.25; False Alarm Rate (FAR) 1.25 | NSL-KDD and UNSW-NB15 and UCI repository
A130 | supervised | SVM and SVR | Mean Absolute Error (MAE) na | The Argo datasets
A131 | NA | decision tree | Accuracy (ACC) 90%; Precision 0.0973; Recall 0.9074; ROC Area 0.9073 | KDD Cup 1999
A132 | NA | Decision Tree, Random Forest, and ANN | Accuracy (ACC) 99.40%; Precision 0.99; Recall 0.99; F-Score 0.99 | DS2OS traffic traces
A133 | NA | deep neural network (DNN), random forest (RF), variational autoencoder (VAE) | Accuracy (ACC) 99.99% | CIDDS-001
A134 | unsupervised | Probabilistic Anomaly Detection, File Wrapper | Detection Rate 95%; False Positive Rate (FPR) 2% | real life dataset
A135 | supervised | naive Bayes and k-nearest neighbor | F-Score na; Precision na; Recall na; ROC Area na | real life dataset
A136 | NA | one-class support vector machine (OCSVM) | Detection Rate (DR) 95.61%; False Alarm Rate (FAR) 2.14% | real life dataset
A137 | semisupervised | Deep Belief Nets | F-Score 0.4752 ± 0.0044; Recall 0.5514; Precision 0.4175 | real life dataset
A138 | supervised | KMeans clustering and SVM SMO | True Positive Rate (TPR) na; False Positive Rate (FPR) na | WHOIS data
A139 | NA | Bayes net | Detection Rate (DR) 81.25%; True Positive Rate (TPR) 97.30%; False Positive Rate (FPR) 31.03% | Google play dataset
A140 | unsupervised | k-means clustering and hierarchical clustering | Mean Squared Error (MSE) na | real life dataset
A141 | supervised | rule based decision tree (RBDT) | False Positive Rate 0.13%; Detection Rate (DR) na | real life dataset
A142 | NA | Kohonen neural network (KNN) and support vector machine (SVM) | Detection Rate (DR) 83.90% | KDD Cup 1999
A143 | supervised and unsupervised | Genetic Algorithm, Self-Organised Feature Map, and Support Vector Machine | Detection Rate (DR) 88.28; False Positive Rate (FPR) 9.17; False Negative Rate (FNR) 15.75 | KDD Cup 1999
A144 | NA | SVM | Standard deviations 0.826 | automobile dataset and UCI benchmark datasets
A145 | supervised | Support Vector Machine; Random Forest | Accuracy (ACC) 0,999 701; F-Score 0,999 851; Accuracy (ACC) 0,999 936; F-Score 0,999 968 | synthetic data set
A146 | supervised | SVM+entropy | Detection Rate (DR) na; ROC Area na | KDD Cup 1999
A147 | unsupervised | Least Squares Support Vector Machine | na na | real life dataset
A148 | unsupervised | Support Vector Machine and Self-Organizing Map | Detection Rate 92.30% | KDD Cup 1999
A149 | supervised | Boosted Decision Tree, Neural Network | Accuracy (ACC) 0.928; ROC Area na | Simulated Dataset and Real-world Dataset


A150 | unsupervised | Generative Adversarial Networks | AUC 0.641 | real life dataset
A151 | NA | SVM-RBF | F-Score 0.88; Matthews correlation coefficient 0.867; ROC Area 0.907; Precision-Recall 0.8 | Slammer, Nimda, Code Red I
A152 | supervised | a batch relevance-based fuzzyfied learning algorithm | Accuracy (ACC) 0.941; Sensitivity 0.893; Specificity 0.967; Precision 0.936; F-Score 0.914; correlation 0.87; ROC Area 0.93; Error Ratio 0.059 | NSL-KDD
A153 | semisupervised | Artificial Neural Network and Mahalanobis distance based statistical approach | na na | Real and synthesized energy consumption data
A154 | semisupervised | Adaptive Network Anomaly Detection Algorithm | Detection Rate (DR) 0.9336; Accuracy (ACC) 0.9666; False Alarm Rate (FAR) 0.0159; F-Score 0.9148 | Kyoto University’s 2006+
A155 | NA | naïve Bayesian classifier | ROC Area na; Total Events 252; True Positive Rate (TPR) 29 (17.7%); Average Prediction Time 12.2s | real life dataset
A156 | supervised and unsupervised | SVM | Detection Rate (DT) 100%; False Positive Rate (FPR) 8% | synthetic dataset
A157 | unsupervised | random forest, t distributed stochastic neighbor embedding (t-SNE) | Accuracy (ACC) 85% | real life dataset
A158 | NA | structure analysis | AUC 0.9967 | UMN Dataset
A159 | unsupervised | Hierarchical Temporal Memory (HTM) | Accuracy (ACC) - standard 96%; Accuracy (ACC) - reward few false positive 96%; Accuracy (ACC) - reward few false negative 98% | μPMU Dataset
A160 | unsupervised | one class extreme learning machine Kernel (ELMk) | AUC 0.9706±0.0029 | real life dataset
A161 | unsupervised | Recurrent Neural Network + LSTM | AUC - word 0.984; AUC - character 0.977 | LANL Dataset
A162 | NA | Genetic Algorithms + SVM | Accuracy (ACC) 98%; True Positive Rate (TPR) 99.4987; False Positive Rate (FPR) 1.7806; True Negative Rate (TNR) 98.2194; False Negative Rate (FNR) 0.5013; Mean Squared Error (MSE) 0.0167 | KDD Cup 1998
A163 | NA | Canonical Correlation Analysis (CCA) + Support Vector Machines (SVMs) | Mean Squared Error (MSE) 7.5 | novel dataset
A164 | supervised and unsupervised | Convolutional Neural Networks (CNN), Deep Belief Networks (DBN), Stacked AutoEncoders (SAE), Long Short-Term Memory Recurrent Networks (LSTM), | precision 0.95; Recall 0.38; F-Score 0.54 | CTU dataset and real life dataset
A165 | supervised | SVM | Accuracy (ACC) 90% | real life dataset
A166 | NA | Gaussian models | na na | na
A167 | NA | Hidden Markov Model | Detection Rate (DR) 99.60% | real life dataset
A168 | NA | D-Markov machine with symbolic false nearest neighbors | na na | na


real-value negative Detection Rate (DR) na


A169 unsupervised selection + multilayer False Alarm Rate(FAR) na MIT -Darpa 98, MIT- Darpa 99
perceptron
correlational True Positive Rate (TPR) 95%
A170 unsupervised paraconsistent machine False Positive Rate (FPR) 4% real life dataset
(CPM) ROC Area na
Negative selection + Detection Rate (DR) 100%
multilayer neural True Positive Rate (TPR) 100
Iris dataset: Setosa, Virginica,
A171 NA network False Positive Rate (FPR) 0
Versicolor
(backpropagation) + True Negative Rate (TNR) 50
evolutionary algorithm False Negative Rate (FNR) 0
* Cluster-based Detection Rate na
Estimation False Positive Rate na KDD CUP 1999, 1999 Lincoln
A172 unsupervised
* K-nearest neighbor ROC Area na Labs DARPA
* One Class SVM
A173 NA na Accuracy (ACC) about 80% real-time data from smartphone
False Alarm Rate(FAR) na 1999
A174 NA DARPA/Lincoln and real-time
LERAD dataset
Correctly Classification rate (CCR) 99.92%
Incorrectly classified instance na
A175 NA real life dataset
Kappa Statistics na
Clustering Mean Absolute Error na
* Adaboost
A176 supervised * SVM AUC, Average Precision 0.99 real life dataset
* Entropy
V-detector
A177 supervised negative selection detection rate, false alarm rate 99.98 Fisher Iris
SVM ocSVM100
A178 unsupervised Cluster confusion matrix na generated dataset
Principal Components
A179 unsupervised ROC, FPR, TPR na real life dataset
Analysis
SVM + GA with Neural
A180 NA detection rate 99% KDD Cup 1999
Kernel
A181 unsupervised AutoEncoder mean squared error na real life dataset
relevance vector
telemetry data obtained from an
A182 NA regression and false alarms rate, detection rate na
orbital rendezvous simulation
autoregression
False alarm probability, Path loss
exponent, Transmission ISR,
A183 NA na real life dataset
Number of unauthorized
One class SVM transmitters
detection rate 80.3% nine UNIX users from Purdue
A184 unsupervised clustering
false positive rate 15.30% University
A185 supervised a Stacked Auto-encoder accuracy 98.67% real life dataset
CoverType, Mulcross, Smtp, U2R,
A186 unsupervised accuracy na
Nearest neighbour etc..
A187 supervised k-means clustering na na real life dataset
detection rate 99.90%
semi-
A188 SOM + J.48 decision classification rate 99.84% KDD Cup 99
supervised
tree false positive rate 1.25%
False Positive Rate (FPR) 833
semi- False Negative Rate (FNR) 619
A189 real life dataset
supervised F-Score 96%
LSTM, NN detection rate (DR) 99.99%
two-class SVM with a Accuracy (ACC) 94%
Radial experimental laboratory earth
A190 unsupervised
Basis Function (RBF) F-Score 96% embankments
kernel
A191 NA LSTM accuracy 99.50% Code Red, Nimda, Slammer
Bayesian
A192 NA accuracy, false alarm, learning time accuracy: 99% real life dataset
estimation
evolutionary neural
A193 supervised Detection rate, False Alarm rate na 1999 DARPA
networks
3D convolutional AUC 91.2 UCSD pedestrian dataset, the
A194 unsupervised
AutoEncoder EER 16.7 UMN dataset
A195 unsupervised PCA recall, FPR, Precision na real life dataset
AUC-ROC, 0.916±0.004
A196 semi-supervised real-world dataset
Neural Network AUC-PR(Precision-Recall) 0.574±0.008


synthetic data and data in public


A197 supervised na na domains such as: Colorado Water
1-SVM Watch
Auto encoder based on Precision 0.996 benign
A198 unsupervised Artificial Neural recall 0.999
networks F-Score 0.997 IoT traffic
accuracy, false alarm rate, 95.73
precision, recall, f1-measure
False Alarm Rate(FAR) 11.86
A199 supervised UNSW-NB15
Random Forest precision 78.65
algorithm and regression recall 78.65
tree F-Score 78.65
four single classifiers Precision 0.8803
(DT, RF, kNN and Recall 0.7017
GBDT) and Linear F-Score 0.8376 System Log of server clusters in a
A200 NA
Regression Biz Business financial company
GBDT: gradient Type
boosting Decision Tree
simulated data and real HYDICE
A201 NA non linear Mercer kernel ROC curves na
function images
swarm Detection Rate (DR) 92%
A202 unsupervised intelligence-based False Positive Rate (FPR) 10% KDD Cup 1999
clustering
precision 86.16% massive real-world datasets from
Hidden Markov Model
recall 80.07% AIS
A203 NA and Support Vector
F-Score 83.00% vessel tracking in coastal waters of
Machine
accuracy 96.70% North America
Ensemble learning True Positive Rate (TPR) 98.1
Autoencoder False Positive Rate (FPR) 1.98
real-world data provided by
A204 NA Support vector AUC na Powersmiths
regression
Random forest
simulated MANET and real life
A205 NA ROC na
ensemble + clustering dataset
Accuracy 85.2
A206 unsupervised KDD Cup 1999
Bayesian mixture False Positive Rate (FPR) 7.3
ensemble of one class
A207 unsupervised AUC, ROC na DARPA’99 , GATECH
SVM
Error Rate 44%
System Error 202 out 4000
A208 NA Naive Bayes real life dataset
unsure 40 out of 4000
corpus error 158 out of 4000
AUC-ROC 0.8661 ±
Stochastic gradient 0.0150
A209 supervised real life dataset
boosting Precision 0.8351 ±
0.0100
Accuracy (ACC) 92.79%
Error Rate (ER) 7.21%
F-Score 94.26% call detail records of real cellular
A210 semi-supervised Gaussian model
False Positive Rate (FPR) 14.13% network
Precision 92.34%
Recall 97.05%
Detection Rate (DR) 99%
Channel 6
A211 supervised False Positive Rate (FPR) 0.10%
dataset
n-gram ROC Area na
recursive least squares
(RLS) + online
sequential extreme
learning machine (OS-
A212 unsupervised Precision, Recall, F-measure na real world dataset
ELM) + single-layer
feed-forward neural
network
(SLFN)
Secure Water
A213 unsupervised Recurrent Neural Cumulative Sum, false positive rate na
Networks Treatment Testbed (SWaT)
Single-window True Positive Rate (TPR) 93%
A214 NA real life traffic dataset
classification False Positive Rate (FPR) 0.86%
A215 NA negative selection-based Accuracy (ACC) 96.10% KDD Cup 1999


Supervised: Logistic
regression, Decision
tree, and Support vector
supervised + Accuracy, Recall, Precision, F-
A216 machine (SVM) na HDFS and BGL
unsupervised measure
Unsupervised: Log
Clustering, PCA,
Invariants Mining
A217 unsupervised n-grams efficiency, stability, scaling na na
Detection Rate (DR) 94.48%
A218 supervised K-mean + SMO False Alarm Rate(FAR) 1.20% NSL-KDD
Accuracy (ACC) 97.37%
most relevant principal True Positive Rate (TPR) 91.40%
A219 NA components + neural False Positive Rate (FPR) 3.70% real life dataset
networks
Detection Rate (DR) 78%
A220 supervised KNN ADFA-LD
False Alarm Rate(FAR) 21%
desired false positive rate (DFP),
A221 unsupervised Ensemble of One-Class real false positive rate (RFP), na real life dataset
SVM DR, AUC
Accuracy (ACC) 88.32
Detection Rate (DR) 88.34
A222 unsupervised CSIC 2010 data set
Precision-Recall 80.79
Isolation Forest F-Score 84.12
support vector machines Detection Rate (DR) 90.30%
A223 supervised with a radial basis kernel False Positive Rate (FPR) 0.50% DARPA/KDD-99
(SVM-RBF)
A224 NA program behavior traces FP, Recall na 1998/1999 Dataset
False Positive Rate (FPR) 3.73%
Fuzzy Adaptive Hit Rate 80.00%
Resonance Theory Cost 0.424
False Positive Rate (FPR) 2.61%
Evolving Fuzzy Neural
A225 unsupervised Hit Rate 76.00% KDD Cup 1999
Networks
Cost 0.397
False Positive Rate (FPR) 15.70%
SVM Hit Rate 80.00%
Cost 1.14
Anomaly mean 0.76
A226 NA Anomaly standard deviation 0.14 real and synthetic dataset
Temporal relationships Anomaly threshold 0.99
Naive Bayes Accuracy (ACC) 78.941
Decision table Accuracy (ACC) 94.41
A227 NA KDD dataset
J48 Accuracy (ACC) 97.62
PART Accuracy (ACC) 97.5179
Digital Corpora, 2008, 2009, and
A228 NA detection rate na
Stream clustering-based real dataset
conditional anomaly
A229 unsupervised Precision-Recall 0.72 KDD CUP 1999
detection
neural network Neuro- Accuracy (ACC) 86.72%
fuzzy
real time data collected by the city
A230 NA method
of Aarhus, Denmark
Binary Support Vector Accuracy (ACC) 98.65%
Machines
A231 unsupervised Bayesian Networks Prediction errors na real time data
Naive Bayes with False Positive Rate (FPR) 4.23%
A232 supervised KDD Cup 1999
adaboost Detection Rate (DR) 84.32%
negative and positive True Positive Rate (TPR) 0.997
A233 supervised selection + C4.5 and False Positive Rate (FPR) 0.028 UCI data repository
Naïve Bayes
Precision 96.55%
A234 NA Online Kalman Filtering Recall 98.25% real time dataset
False Alarm Rate(FAR) 11.11%
Accuracy (ACC) 88.65%
Precision 96.48%
A235 NA NSL-KDD
Recall 83.08%
Auto Encoder F-Score 89.28%
AUC 92.50%
UCSD Ped1 Dataset, Avenue
A236 unsupervised deep Gaussian mixture Accuracy (ACC) 75.40%
Dataset
model + PCANet Equal Error Rate (EER) 15.10%
Generative Adversarial
A237 semi-supervised AUC AUC: 0.882 CIFAR10 Dataset, MNIST Dataset
Networks


False negative, false positive,


A238 supervised
Echo State Networks Detection rate na real life dataset
accuracy:
A239 NA accuracy NSL-KDD
Genetic algorithm (GA) 85.38%
Detection Rate (DR) 70%
A240 NA Deep Neural Network real life dataset
False Alarm Rate(FAR) < 3%
CART Decision Trees
(CART), Random Forest
(RF), Support Vector
supervised and
A241 Machines (SVM), Naive ROC ROC: 0.997 MAWILab
unsupervised
Bayes
(NB) and Neural
Networks (MLP)
A242 NA Hidden Markov Model training time na “inetd” and “sride" dataset
A243 NA SVM classified, actual na real time dataset
augmented Daikon and
A244 unsupervised TP, TN, FP, FN na stock quote data sources
Mean. Daikon
J48 + Naïve
supervised and
A245 accuracy, TP, TN, FP, FN 88% UNSW-NB15
unsupervised
Bayes
Detection Rate (DR) 99.8
J48
False Alarm Rate(FAR) 0.1
Detection Rate (DR) 99.9
A246 NA BayesNet real time dataset
False Alarm Rate(FAR) 0
Detection Rate (DR) 98.6
SMO
False Alarm Rate(FAR) 2.9
Deep Belief Network Accuracy (ACC) 94% MNIST
A247 semi-supervised and Restricted Accuracy (ACC) 94.66% NSL-KDD
Boltzmann Machine Accuracy (ACC) 95% HTTP CSIC 2010
A248 unsupervised K-means clustering na na KDD cup 1999
AUC Area 0.96
K-NN
Accuracy (ACC) 85.60%
Hoeffding Adaptive AUC Area 0.79
Trees (HAT) Accuracy (ACC) 99.60%
A249 NA MAWILab
Adaptive Random AUC Area 0.99
Forests (ARF) Accuracy (ACC) 98.20%
Stochastic Gradient AUC Area 0.99
Descent (SGD) Accuracy (ACC) 99.30%
Detected 25
supervised and
A250 Kernel Recursive Least Missed 9 network-wide traffic datasets
unsupervised
Squares FALSE 0
Autoencoder + Kernel AUC Area 0.987
density estimation model
(OCKDE)
A251 NA Autoencoder + Centroid AUC Area 0.986 NSL-KDD
(OCCEN)
One class classifier AUC Area 0.971
Autoencoder (OCAE)
False Positive Rate (FPR) 1.2
A252 NA KDD Cup 1999
Genetic algorithm (GA) True Positive Rate (TPR) 96.49
AUC-EER-Exit 90.2/16 UCSD (Ucsd anomaly detection
supervised and fully convolutional AUC-EER-Entrance 90.4/17 dataset, 2017) and Subway
A253
unsupervised neural network
benchmarks (Adam et al., 2008)
Adversarial autoencoder Area Under Precision Recall Curve 1
(AAE) (AUPRC)
A254 NA synthetic data, cifar-10, Pixabay,
variational autoencoder Area Under Precision Recall Curve 1
(VAE) (AUPRC)
A255 supervised Neural networks Detection Error Rate, 0,01375% simulation dataset
True Positive Rate (TPR) 98
False Positive Rate (FPR) 0.021
A256 NA NSL-KDD
F-Score 98
ensemble ROC Area 99.6
one class SVM + particle
supervised and
A257 AUC 0.952 UCI data set
unsupervised
swarm optimization
Precision 92.50%
A258 NA Isolation Forest real life dataset
Recall 82.84%
frequent item-set mining Accuracy (ACC) > 98%
A259 supervised (FIM) + C5.0 + decision False Positive Rate (FPR) < 1% real life dataset
tree

J48 classifier + Bayes


A260 supervised accuracy, precision, recall, F-value 99.50% real life dataset
Net
A261 NA convex-hull SVM ROC curve na KDD’99
Precision 70
Recall 95.4 SWaT
GAN to train LSTM- F-Score 0.81
A262 NA
RNNs Precision 53.75
Recall 74.92 WADI
F-Score 0.62
Accuracy (ACC) 0.999
A263 NA n-grams real life dataset
Precision 0.998
Precision 0.98
Recall 0.91
A264 NA CICIDS2017
Attention-base Multi- F-Score 0.94
Flow LSTM Flows 348631
Accuracy (ACC) 91%
Precision 0.996699
A265 NA KDD Cup 1999
Back Propagation Neural Recall 0.90059
Network F-Score 0.94615
Bayesian Learning + true positive rate, false positive
A266 NA na real life dataset
Markov models rate, accuracy
greedy
AUC, True positive rate, false ALOI and synthetic data from
A267 unsupervised AUC: 0.84
positive rate, ROC curve MNIST and UCI datasets
ensemble
A268 unsupervised clustering-based Accuracy (ACC) 96% public data
Restricted Boltzmann
unsupervised
A269 Machines (RBM) and na na KDD Cup 1999
and supervised
Autoencoder
Accuracy (ACC) 99%
Precision 98.30%
A270 unsupervised NSL-KDD and Kyoto-Honeypot
Recall 99.60%
LSTM F-Score 99.00%
Precision 0.83
A271 NA Random Forests and Recall 0.85 DARPA 1999 dataset
Entropy F-Score 0.84
one-class quarter sphere
A272 NA detection rate, false positive rate na real life dataset
SVM
A273 NA ensemble Accuracy (ACC) na UCI
Precision 0.9992
A274 unsupervised Random Forest Recall 0.9969 NSL-KDD
Classifier F-Score 0.998
A275 NA LSTM-RNN classification accuracy na KDD 1999 dataset
Accuracy (ACC) 99.34%
Precision 0.98
A276 NA UNSW-NB15
Recall 0.98
Random Forest F-Score 0.98
unsupervised
A277 Accuracy (ACC) na UCI
and supervised ensemble
Accuracy (ACC) 99.60% SMS- real life dataset
Accuracy (ACC) 99.10% iDMA- real life dataset
A278 NA
Accuracy (ACC) 99.20% iTL- real life dataset
Random Forest Accuracy (ACC) 80.60% Touchstroke- real life dataset
Accuracy (ACC) 97.12% TD-Sim
False Positive Rate (FPR) 2.60% TD-Sim
A279 unsupervised
growing hierarchical self Accuracy (ACC) 99.63% KDD Cup 1999
organizing map False Positive Rate (FPR) 1.80% KDD Cup 1999
true positive rate, false positive F-measure:
A280 unsupervised synthetic dataset
Autoencoder rate, F-measure 0.418 (basic)
normal Generalization 80
Intrusive Generalization 83
Computer Immune Systems
A281 NA Hidden Markov Models Overall Generalization 81.48
benchmark data
False Positive Rate 20
False Negative Rate 17
Probability Density Function,
A282 NA na telemetry data
Kernel PCA Thruster Duty
Accuracy (ACC) 96.41%
LSTM
F-Score 0.98
A283 NA real life dataset
Accuracy (ACC) 94.49%
FFNN
F-Score 0.97


Neural network, Precision 95.70%


A284 NA Analogous Particle System Efficiency 5.60% real life dataset
swarm optimization Error Rate 0.0403
Local Outlier Factor
A285 unsupervised True Positive Rate na real life time series dataset
(LOF)
Precision 99.90%
Decision Forest Recall 99.90%
F-score 0.9999
A286 supervised real life dataset
Precision 99.21%
Decision Jungle Recall 99.21%
F-score 0.9921
Mean Absolute Error(MAE) 2.9
Mean Squared Error(MSE) 15.8
A287 supervised autoencoder (AE) AUC 0.9969 real life dataset
True Positive Rate (TPR) 98.6
False Positive Rate (FPR) 0.9
A288 supervised k-means and Skip-gram accuracy 98 real life dataset
Detection Rate (DR) 86%
AUC 0.54
Locally Weighted F1-score 0.86
A289 na real life dataset
Projection Regression Precision 0.85
Accuracy (ACC) 0.91
Error rate 16%
Sub-Space Clustering Detection Rate (DR) 0.9
(SSC) and One Class False Alarm Rate(FAR) 0.0905
A290 unsupervised NSL-KDD dataset
Support Vector Machine
(OCSVM)

Anomaly Detection: Methods, Systems and Tools,” IEEE


REFERENCES Commun. Surv. TUTORIALS, Accept. Publ., pp. 1–34, 2013,
[1] V. Chandola, A. Banerjee, and V. Kumar, “Anomaly Detection : [Online]. Available:
A Survey,” ACM Comput. Surv., vol. 41, no. 3, pp. 71–97, 2009, http://ieeexplore.ieee.org/document/6524462/.
doi: 10.1145/1541880.1541882. [12] I. Bose and R. K. Mahapatra, “Business data mining - A
[2] M. Injadat, F. Salo, A. B. Nassif, A. Essex, and A. Shami, machine learning perspective,” Inf. Manag., vol. 39, no. 3, pp.
“Bayesian Optimization with Machine Learning Algorithms 211–225, 2001, doi: 10.1016/S0378-7206(01)00091-X.
Towards Anomaly Detection,” in 2018 IEEE Global [13] U. Fiore, F. Palmieri, A. Castiglione, and A. De Santis,
Communications Conference (GLOBECOM), 2018, pp. 1–6, doi: “Network anomaly detection with the restricted Boltzmann
10.1109/GLOCOM.2018.8647714. machine,” Neurocomputing, vol. 122, pp. 13–23, 2013, doi:
[3] T. Schlegl, P. Seeb¨ock, S. M. Waldstein, U. Schmidt-Erfurth, 10.1016/j.neucom.2012.11.050.
and G. Langs, Unsupervised Anomaly Detection with Generative [14] B. Kitchenham and S. Charters, “Guidelines for performing
Adversarial Networks to Guide Marker Discovery, vol. 10265, Systematic Literature reviews in Software Engineering Version
no. 2. Cham: Springer International Publishing, 2017. 2.3,” Engineering, vol. 45, no. 4ve, p. 1051, 2007, doi:
[4] F. Salo, M. Injadat, A. B. Nassif, A. Shami, and A. Essex, “Data 10.1145/1134285.1134500.
mining techniques in intrusion detection systems: A systematic [15] V. Hodge and J. Austin, “A Survey of Outlier Detection
literature review,” IEEE Access. 2018, doi: Methodologies,” Artif. Intell. Rev., no. 1969, pp. 85–126, 2004,
10.1109/ACCESS.2018.2872784. doi: 10.4324/9781315744988.
[5] F. Salo, M. N. Injadat, A. Moubayed, A. B. Nassif, and A. [16] M. Ahmed, A. N. Mahmood, and M. R. Islam, “A survey of
Essex, “Clustering Enabled Classification using Ensemble anomaly detection techniques in financial domain,” Futur.
Feature Selection for Intrusion Detection,” 2019, doi: Gener. Comput. Syst., vol. 55, pp. 278–288, 2015, doi:
10.1109/ICCNC.2019.8685636. 10.1016/j.future.2015.01.001.
[6] F. Salo, A. B. Nassif, and A. Essex, “Dimensionality reduction [17] A. A. Sodemann, M. P. Ross, and B. J. Borghetti, “A review of
with IG-PCA and ensemble classifier for network intrusion anomaly detection in automated surveillance,” IEEE Trans. Syst.
detection,” Comput. Networks, vol. 148, pp. 164–175, Jan. 2019, Man Cybern. Part C Appl. Rev., vol. 42, no. 6, pp. 1257–1272,
doi: 10.1016/J.COMNET.2018.11.010. 2012, doi: 10.1109/TSMCC.2012.2215319.
[7] P. Gogoi, D. K. Bhattacharyya, B. Borah, and J. K. Kalita, “A [18] R. Zuo, “Machine Learning of Mineralization-Related
survey of outlier detection methods in network anomaly Geochemical Anomalies: A Review of Potential Methods,” Nat.
identification,” Comput. J., vol. 54, no. 4, pp. 570–588, 2011, Resour. Res., vol. 26, no. 4, pp. 457–464, 2017, doi:
doi: 10.1093/comjnl/bxr026. 10.1007/s11053-017-9345-4.
[8] S. Agrawal and J. Agrawal, “Survey on anomaly detection using [19] S. He, J. Zhu, P. He, and M. R. Lyu, “Experience Report:
data mining techniques,” Procedia Comput. Sci., vol. 60, no. 1, System Log Analysis for Anomaly Detection,” Proc. - Int. Symp.
pp. 708–713, 2015, doi: 10.1016/j.procs.2015.08.220. Softw. Reliab. Eng. ISSRE, pp. 207–218, 2016, doi:
[9] R. A. Ariyaluran Habeeb, F. Nasaruddin, A. Gani, I. A. Targio 10.1109/ISSRE.2016.21.
Hashem, E. Ahmed, and M. Imran, “Real-time big data [20] O. Ibidunmoye, F. Hernández-Rodriguez, and E. Elmroth,
processing for anomaly detection: A Survey,” Int. J. Inf. “Performance Anomaly Detection and Bottleneck
Manage., vol. 45, no. February, pp. 289–307, 2019, doi: Identification,” ACM Comput. Surv., vol. 48, no. 1, pp. 1–35,
10.1016/j.ijinfomgt.2018.08.006. 2015, doi: 10.1145/2791120.
[10] V. Chandola, A. Banerjee, and V. Kumar, “Anomaly Detection [21] Y. Yu, “A survey of anomaly intrusion detection techniques,” J.
for Discrete Sequences: A Survey,” IEEE Trans. Knowl. Data Comput. Sci. Coll., pp. 9–17, 2012, [Online]. Available:
Eng., vol. 24, no. 5, pp. 1–16, 2012. http://dl.acm.org/citation.cfm?id=2379707.
[11] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “Network [22] C. F. Tsai, Y. F. Hsu, C. Y. Lin, and W. Y. Lin, “Intrusion
detection by machine learning: A review,” Expert Syst. Appl.,

VOLUME XX, 2017 3

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3083060, IEEE Access

vol. 36, no. 10, pp. 11994–12000, 2009, doi: [40] S. Fu, “Performance metric selection for autonomic anomaly
10.1016/j.eswa.2009.05.029. detection on cloud computing systems,” GLOBECOM - IEEE
[23] A. Patcha and J. M. Park, “An overview of anomaly detection Glob. Telecommun. Conf., 2011, doi:
techniques: Existing solutions and latest technological trends,” 10.1109/GLOCOM.2011.6134532.
Comput. Networks, vol. 51, no. 12, pp. 3448–3470, 2007, doi: [41] Y. Yasami and S. P. Mozaffari, “A novel unsupervised
10.1016/j.comnet.2007.02.001. classification approach for network anomaly detection by k-
[24] A. L. Buczak and E. Guven, “A Survey of Data Mining and Means clustering and ID3 decision tree learning methods,” 2010,
Machine Learning Methods for Cyber Security Intrusion doi: 10.1007/s11227-009-0338-x.
Detection,” vol. 18, no. October, pp. 1153–1176, 2016, doi: [42] R. Chitrakar and H. Chuanhe, “Anomaly detection using Support
10.1109/COMST.2015.2494502. Vector Machine classification with k-Medoids clustering,” Asian
[25] K. Satpute, S. Agrawal, J. Agrawal, and S. Sharma, “A Survey Himalayas Int. Conf. Internet, pp. 1–5, 2012, doi:
on Anomaly Detection in Network Intrusion Detection System 10.1109/AHICI.2012.6408446.
Using Swarm Optimization Based Machine Learning [43] N. Chand, P. Mishra, C. R. Krishna, E. S. Pilli, and M. C. Govil,
Techniques,” in International Conference on Frontiers of “A comparative analysis of SVM and its stacking with other
Intelligent Computing, 2013, vol. 199, pp. 441–452, doi: classification algorithm for intrusion detection,” Proc. - 2016
10.1007/978-3-642-35314-7. Int. Conf. Adv. Comput. Commun. Autom. ICACCA 2016, 2016,
[26] V. Sharma, R. Kumar, W. H. Cheng, M. Atiquzzaman, K. doi: 10.1109/ICACCA.2016.7578859.
Srinivasan, and A. Y. Zomaya, “NHAD: Neuro-Fuzzy Based [44] K. Noto, C. Brodley, and D. Slonim, “FRaC: A feature-modeling
Horizontal Anomaly Detection in Online Social Networks,” approach for semi-supervised and unsupervised anomaly
IEEE Trans. Knowl. Data Eng., 2018, doi: detection,” Data Min. Knowl. Discov., vol. 25, no. 1, pp. 109–
10.1109/TKDE.2018.2818163. 133, 2012, doi: 10.1007/s10618-011-0234-x.
[27] P. Zhao, Y. Zhang, M. Wu, S. C. H. Hoi, M. Tan, and J. Huang, [45] I. Assent, P. Kranen, C. Baldauf, and T. Seidl, “AnyOut:
“Adaptive Cost-Sensitive Online Classification,” IEEE Trans. Anytime outlier detection on streaming data,” Lect. Notes
Knowl. Data Eng., 2019, doi: 10.1109/TKDE.2018.2826011. Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect.
[28] D. Kwon, H. Kim, J. Kim, S. C. Suh, I. Kim, and K. J. Kim, “A Notes Bioinformatics), vol. 7238 LNCS, no. PART 1, pp. 228–
survey of deep learning-based network anomaly detection,” 242, 2012, doi: 10.1007/978-3-642-29038-1_18.
Cluster Comput., pp. 1–13, 2017, doi: 10.1007/s10586-017- [46] A. Kulkarni, Y. Pino, M. French, and T. Mohsenin, “Real-Time
1117-8. Anomaly Detection Framework for Many-Core Router through
[29] G. Fernandes, J. J. P. C. Rodrigues, L. F. Carvalho, J. F. Al- Machine-Learning Techniques,” ACM J. Emerg. Technol.
Muhtadi, and M. L. Proença, “A comprehensive survey on Comput. Syst., vol. 13, no. 1, pp. 1–22, 2016, doi:
network anomaly detection,” Telecommun. Syst., vol. 70, no. 3, 10.1145/2827699.
pp. 447–489, 2018, doi: 10.1007/s11235-018-0475-8. [47] J. Vanerio and P. Casas, “Ensemble-learning Approaches for
[30] G. K. Rajbahadur, A. J. Malton, A. Walenstein, and A. E. Network Security and Anomaly Detection,” pp. 1–6, 2017, doi:
Hassan, “A Survey of Anomaly Detection for Connected 10.1145/3098593.3098594.
Vehicle Cybersecurity and Safety,” IEEE Intell. Veh. Symp. [48] K. Noto, C. Brodley, and D. Slonim, “Anomaly detection using
Proc., vol. 2018-June, no. Iv, pp. 421–426, 2018, doi: an ensemble of feature models,” Proc. - IEEE Int. Conf. Data
10.1109/IVS.2018.8500383. Mining, ICDM, pp. 953–958, 2010, doi:
[31] T. Shon and J. Moon, “A hybrid machine learning approach to 10.1109/ICDM.2010.140.
network anomaly detection,” Inf. Sci. (Ny)., vol. 177, no. 18, pp. [49] P. Jongsuebsuk, N. Wattanapongsakorn, and C. Charnsripinyo,
3799–3821, 2007, doi: 10.1016/j.ins.2007.03.025. “Network intrusion detection with Fuzzy Genetic Algorithm for
[32] S. M. Erfani, S. Rajasegarar, S. Karunasekera, and C. Leckie, unknown attacks,” Int. Conf. Inf. Netw., pp. 1–5, 2013, doi:
“High-dimensional and large-scale anomaly detection using a 10.1109/ICOIN.2013.6496342.
linear one-class SVM with deep learning,” Pattern Recognit., [50] L. A. Maglaras and J. Jiang, “Intrusion detection in SCADA
vol. 58, pp. 121–134, 2016, doi: 10.1016/j.patcog.2016.03.028. systems using machine learning techniques,” Proc. 2014 Sci. Inf.
[33] M. Field, S. Das Bryanlmatthewsnasagov, N. C. Oza, B. L. Conf. SAI 2014, pp. 626–631, 2014, doi:
Matthews, and A. N. Srivastava, “Multiple Kernel Learning for 10.1109/SAI.2014.6918252.
Heterogeneous Anomaly Detection : Algorithm and Aviation [51] T. Shon, Y. Kim, C. Lee, and J. Moon, “A machine learning
Safety Case Study Categories and Subject Descriptors,” framework for network anomaly detection using SVM and GA,”
Computing, pp. 47–55, 2007. 2005, doi: 10.1109/IAW.2005.1495950.
[34] M. Amer, M. Goldstein, and S. Abdennadher, “Enhancing one- [52] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E.
class support vector machines for unsupervised anomaly Vázquez, “Anomaly-based network intrusion detection:
detection,” pp. 8–15, 2013, doi: 10.1145/2500853.2500857. Techniques, systems and challenges,” Comput. Secur., vol. 28,
[35] Y. X. Meng, “The practice on using machine learning for no. 1–2, pp. 18–28, 2009, doi: 10.1016/j.cose.2008.08.003.
network anomaly intrusion detection,” Proc. - Int. Conf. Mach. [53] Sang-Jun Han and Sung-Bae Cho, “Evolutionary neural
Learn. Cybern., vol. 2, pp. 576–581, 2011, doi: networks for anomaly detection based on the behavior of a
10.1109/ICMLC.2011.6016798. program,” IEEE Trans. Syst. Man Cybern. Part B, vol. 36, no. 3,
[36] A. P. Muniyandi, R. Rajeswari, and R. Rajaram, “Network pp. 559–570, 2006, doi: 10.1109/tsmcb.2005.860136.
anomaly detection by cascading k-Means clustering and C4.5 [54] A. Nanduri and L. Sherry, “Anomaly Detection in Aircraft Data
decision tree algorithm,” Procedia Eng., vol. 30, no. 2011, pp. using Recurrent Neural Networks (RNN),” in 2016 Integrated
174–182, 2012, doi: 10.1016/j.proeng.2012.01.849. Communications Navigation and Surveillance (ICNS), 2016, pp.
[37] S. W. Lin, K. C. Ying, C. Y. Lee, and Z. J. Lee, “An intelligent 1–8, doi: 10.1109/ICNSURV.2016.7486356.
algorithm with feature selection and decision rules applied to [55] S. Rajasegarar, C. Leckie, J. C. Bezdek, and M. Palaniswami,
anomaly intrusion detection,” Appl. Soft Comput. J., vol. 12, no. “Centered hyperspherical and hyperellipsoidal one-class support
10, pp. 3285–3290, 2012, doi: 10.1016/j.asoc.2012.05.004. vector machines for anomaly detection in sensor networks,”
[38] S. Thaseen and C. A. Kumar, “An analysis of supervised tree IEEE Trans. Inf. Forensics Secur., 2010, doi:
based classifiers for intrusion detection system,” Proc. 2013 Int. 10.1109/TIFS.2010.2051543.
Conf. Pattern Recognition, Informatics Mob. Eng. PRIME 2013, [56] USACE, “Distribution Restriction Statement Approved for
pp. 294–299, 2013, doi: 10.1109/ICPRIME.2013.6496489. public release ; distribution is,” Engineer, vol. 2, 1994.
[39] G. Kim, S. Lee, and S. Kim, “A novel hybrid intrusion detection [57] B. Agarwal and N. Mittal, “Hybrid Approach for Detection of
method integrating anomaly detection with misuse detection,” Anomaly Network Traffic using Data Mining Techniques,”
Expert Syst. Appl., vol. 41, no. 4 PART 2, pp. 1690–1700, 2014, Procedia Technol., vol. 6, pp. 996–1003, 2012, doi:
doi: 10.1016/j.eswa.2013.08.066. 10.1016/j.protcy.2012.10.121.

VOLUME XX, 2017 3

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3083060, IEEE Access

[58] J. Jabez and B. Muthukumar, “Intrusion detection system (ids): [77] Z. Liao, Y. Yu, and B. Chen, “Anomaly detection in GPS data
Anomaly detection using outlier detection approach,” Procedia based on visual analytics,” VAST 10 - IEEE Conf. Vis. Anal. Sci.
Comput. Sci., vol. 48, no. C, pp. 338–346, 2015, doi: Technol. 2010, Proc., pp. 51–58, 2010, doi:
10.1016/j.procs.2015.04.191. 10.1109/VAST.2010.5652467.
[59] M. Sheikhan and Z. Jadidi, “Flow-based anomaly detection in [78] A. Purarjomandlangrudi, A. H. Ghapanchi, and M. Esmalifalak,
high-speed links using modified GSA-optimized neural “A data mining approach for fault diagnosis: An application of
network,” Neural Comput. Appl., vol. 24, no. 3–4, pp. 599–611, anomaly detection algorithm,” Meas. J. Int. Meas. Confed., vol.
2014, doi: 10.1007/s00521-012-1263-0. 55, pp. 343–352, 2014, doi:
[60] S. Mascaro, A. E. Nicholson, and K. B. Korb, “Anomaly 10.1016/j.measurement.2014.05.029.
detection in vessel tracks using bayesian networks,” Int. J. [79] A. F. Emmott, S. Das, T. Dietterich, A. Fern, and W.-K. Wong,
Approx. Reason., vol. 55, pp. 84–98, 2013, doi: “Systematic construction of anomaly detection benchmarks from
10.1016/j.ijar.2013.03.012. real data,” pp. 16–21, 2013, doi: 10.1145/2500853.2500858.
[61] D. Liu et al., “Opprentice: Towards Practical and Automatic [80] D. J. Hill and B. S. Minsker, “Anomaly detection in streaming
Anomaly Detection Through Machine Learning,” Internet Meas. environmental sensor data: A data-driven modeling approach,”
Conf., pp. 51–78, 2015, doi: 10.2307/j.ctt1zkjzr0.7. Environ. Model. Softw., vol. 25, no. 9, pp. 1014–1022, 2010, doi:
[62] I. Syarif, A. Prugel-bennett, and G. Wills, “Unsupervised 10.1016/j.envsoft.2009.08.010.
Clustering Approach for Network Anomaly Detection,” pp. 135– [81] G. Pachauri and S. Sharma, “Anomaly Detection in Medical
145, 2012. Wireless Sensor Networks using Machine Learning
[63] O. Linda, M. Manic, T. Vollmer, and J. Wright, “Fuzzy logic Algorithms,” Procedia Comput. Sci., vol. 70, pp. 325–333, 2015,
based anomaly detection for embedded network security cyber doi: 10.1016/j.procs.2015.10.026.
sensor,” IEEE SSCI 2011 Symp. Ser. Comput. Intell. - CICS [82] X. S. Gan, J. S. Duanmu, J. F. Wang, and W. Cong, “Anomaly
2011 2011 IEEE Symp. Comput. Intell. Cyber Secur., pp. 202– intrusion detection based on PLS feature extraction and core
209, 2011, doi: 10.1109/CICYBS.2011.5949392. vector machine,” Knowledge-Based Syst., vol. 40, pp. 1–6, 2013,
[64] X. Xu, “Sequential anomaly detection based on temporal- doi: 10.1016/j.knosys.2012.09.004.
difference learning: Principles, models and case studies,” Appl. [83] W. Li, G. Wu, and Q. Du, “Transferred Deep Learning for
Soft Comput. J., vol. 10, no. 3, pp. 859–867, 2010, doi: Anomaly Detection in Hyperspectral Imagery,” IEEE Geosci.
10.1016/j.asoc.2009.10.003. Remote Sens. Lett., vol. 14, no. 5, pp. 597–601, 2017, doi:
[65] F. Iglesias and T. Zseby, “Analysis of network traffic features 10.1109/LGRS.2017.2657818.
for anomaly detection,” Mach. Learn., vol. 101, no. 1–3, pp. 59– [84] C. Wressnegger, G. Schwenk, D. Arp, and K. Rieck, “A close
84, 2015, doi: 10.1007/s10994-014-5473-9. look on n-grams in intrusion detection,” Proc. 2013 ACM Work.
[66] N. Pandeeswari and G. Kumar, “Anomaly Detection System in Artif. Intell. Secur. - AISec ’13, pp. 67–76, 2013, doi:
Cloud Environment Using Fuzzy Clustering Based ANN,” Mob. 10.1145/2517312.2517316.
Networks Appl., vol. 21, no. 3, pp. 494–505, 2016, doi: [85] J. Li, G. Han, J. Wen, and X. Gao, “Robust tensor subspace
10.1007/s11036-015-0644-x. learning for anomaly detection,” Int. J. Mach. Learn. Cybern.,
[67] K. Demertzis and I. Lazaros, “A Hybrid Network Anomaly and vol. 2, no. 2, pp. 89–98, 2011, doi: 10.1007/s13042-011-0017-0.
Intrusion Detection Approach Based on Evolving Spiking [86] C. Zhou and R. C. Paffenroth, “Anomaly Detection with Robust
Neural Network Classification,” Int. Conf. E-Democracy, vol. Deep Autoencoders,” pp. 665–674, 2017, doi:
441, pp. 11–23, 2014, doi: 10.1007/978-3-319-11710-2. 10.1145/3097983.3098052.
[68] K. Alrawashdeh and C. Purdy, “Toward an online anomaly [87] D. J. Dean, H. Nguyen, and X. Gu, “UBL: Unsupervised
intrusion detection system based on deep learning,” Proc. - 2016 Behavior Learning for Predicting Performance Anomalies in
15th IEEE Int. Conf. Mach. Learn. Appl. ICMLA 2016, pp. 195– Virtualized Cloud Systems,” Proc. 9th Int. Conf. Auton. Comput.
200, 2017, doi: 10.1109/ICMLA.2016.167. - ICAC ’12, pp. 191–200, 2012, doi: 10.1145/2371536.2371572.
[69] S. Ahmad, A. Lavin, S. Purdy, and Z. Agha, “Unsupervised real- [88] L. Xiong, X. Chen, and J. Schneider, “Direct robust matrix
time anomaly detection for streaming data,” Neurocomputing, factorization for anomaly detection,” Proc. - IEEE Int. Conf.
vol. 262, pp. 134–147, 2017, doi: Data Mining, ICDM, pp. 844–853, 2011, doi:
10.1016/j.neucom.2017.04.070. 10.1109/ICDM.2011.52.
[70] S. Aljawarneh, M. Aldwairi, and M. B. Yassein, “Anomaly- [89] Y. J. Lee, Y. R. Yeh, and Y. C. F. Wang, “Anomaly detection
based intrusion detection system through feature selection via online oversampling principal component analysis,” IEEE
analysis and building hybrid efficient model,” J. Comput. Sci., Trans. Knowl. Data Eng., vol. 25, no. 7, pp. 1460–1470, 2013,
vol. 25, pp. 152–160, 2018, doi: 10.1016/j.jocs.2017.03.006. doi: 10.1109/TKDE.2012.99.
[71] G. Dini, F. Martinelli, A. Saracino, and D. Sgandurra, [90] N. Laptev, S. Amizadeh, and I. Flint, “Generic and Scalable
“MADAM: A multi-level anomaly detector for android Framework for Automated Time-series Anomaly Detection,” pp.
malware,” Lect. Notes Comput. Sci. (including Subser. Lect. 1939–1947, 2015, doi: 10.1145/2783258.2788611.
Notes Artif. Intell. Lect. Notes Bioinformatics), vol. 7531 LNCS, [91] O. Salem, A. Guerassimov, A. Mehaoua, A. Marcus, and B.
pp. 240–253, 2012, doi: 10.1007/978-3-642-33704-8-21. Furht, “Sensor Fault and Patient Anomaly Detection and
[72] V. A. Sotiris, P. W. Tse, and M. G. Pecht, “Anomaly Detection Classification in Medical Wireless Sensor Networks,” IEEE Int.
Through a Bayesian Support Vector Machine,” vol. 59, no. 2, Conf. Commun., vol. 7, no. 4, pp. 272–284, 2013, doi:
pp. 277–286, 2010. 10.5626/JCSE.2013.7.4.272.
[73] M. Längkvist, L. Karlsson, and A. Loutfi, “Sleep Stage [92] L. Ma, M. M. Crawford, and J. Tian, “Anomaly detection for
Classification Using Unsupervised Feature Learning,” Adv. Artif. hyperspectral images based on robust locally linear embedding,”
Neural Syst., 2012, doi: 10.1155/2012/107046. J. Infrared, Millimeter, Terahertz Waves, vol. 31, no. 6, pp. 753–
[74] J. Song, H. Takakura, Y. Okabe, and K. Nakao, “Toward a more 762, 2010, doi: 10.1007/s10762-010-9630-3.
practical unsupervised anomaly detection system,” Inf. Sci. [93] R. Zhao, B. Du, and L. Zhang, “A robust nonlinear hyperspectral
(Ny)., vol. 231, pp. 4–14, 2013, doi: 10.1016/j.ins.2011.08.011. anomaly detection approach,” IEEE J. Sel. Top. Appl. Earth
[75] C. Yin, Y. Zhu, J. Fei, and X. He, “A Deep Learning Approach Obs. Remote Sens., vol. 7, no. 4, pp. 1227–1234, 2014, doi:
for Intrusion Detection Using Recurrent Neural Networks,” 10.1109/JSTARS.2014.2311995.
IEEE Access, vol. 5, pp. 21954–21961, 2017, doi: [94] P. Angelov, “Anomaly detection based on eccentricity analysis,”
10.1109/ACCESS.2017.2762418. IEEE SSCI 2014 - 2014 IEEE Symp. Ser. Comput. Intell. - EALS
[76] C. A. Catania, F. Bromberg, and C. G. Garino, “An autonomous 2014 2014 IEEE Symp. Evol. Auton. Learn. Syst. Proc., pp. 1–8,
labeling approach to support vector machines algorithms for 2014, doi: 10.1109/EALS.2014.7009497.
network traffic anomaly detection,” Expert Syst. Appl., vol. 39, [95] P. H. dos Santos Teixeira and R. L. Milidiú, “Data stream
no. 2, pp. 1822–1829, 2012, doi: 10.1016/j.eswa.2011.08.068. anomaly detection through principal subspace tracking,” p. 1609,

VOLUME XX, 2017 3

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3083060, IEEE Access

2010, doi: 10.1145/1774088.1774434. [114] X. Chen, B. Li, R. Proietti, Z. Zhu, S. Member, and S. J. Ben
[96] S. T. Faraj Al-Janabi and H. A. Saeed, “A neural network based Yoo, “Self-taught Anomaly Detection with Hybrid
anomaly intrusion detection system,” Proc. - 4th Int. Conf. Dev. Unsupervised/Supervised Machine Learning in Optical
eSystems Eng. DeSE 2011, pp. 221–226, 2011, doi: Networks.”
10.1109/DeSE.2011.19. [115] H. H. Pajouh, G. H. Dastghaibyfard, and S. Hashemi, “Two-tier
[97] F. Palmieri and U. Fiore, “Network anomaly detection through network anomaly detection model: a machine learning
nonlinear analysis,” Comput. Secur., vol. 29, no. 7, pp. 737–755, approach,” J. Intell. Inf. Syst., 2017, doi: 10.1007/s10844-015-
2010, doi: 10.1016/j.cose.2010.05.002. 0388-x.
[98] A. Taylor, N. Japkowicz, and S. Leblanc, “Frequency-based [116] S. Zhao, M. Chandrashekar, Y. Lee, and D. Medhi, Real-Time
anomaly detection for the automotive CAN bus,” 2015 World Network Anomaly Detection System Using Machine Learning. .
Congr. Ind. Control Syst. Secur. WCICSS 2015, pp. 45–49, [117] T. Yairi, Y. Kawahara, R. Fujimaki, Y. Sato, and K. Machida,
2016, doi: 10.1109/WCICSS.2015.7420322. “Telemetry-mining: A machine learning approach to anomaly
[99] Y. Zhu, N. M. Nayak, and A. K. Roy-Chowdhury, “Context- detection and fault diagnosis for space systems,” in Proceedings
aware activity recognition and anomaly detection in video,” - SMC-IT 2006: 2nd IEEE International Conference on Space
IEEE J. Sel. Top. Signal Process., vol. 7, no. 1, pp. 91–101, Mission Challenges for Information Technology, 2006, vol.
2013, doi: 10.1109/JSTSP.2012.2234722. 2006, pp. 466–473, doi: 10.1109/SMC-IT.2006.79.
[100] D. Smith, Q. Guan, and S. Fu, “An anomaly detection [118] A. Deorio, Q. Li, M. Burgess, and V. Bertacco, Machine
framework for autonomic management of compute cloud Learning-based Anomaly Detection for Post-silicon Bug
systems,” Proc. - Int. Comput. Softw. Appl. Conf., pp. 376–381, Diagnosis. .
2010, doi: 10.1109/COMPSACW.2010.72. [119] K. L. Li, H. K. Huang, S. F. Tian, and W. Xu, “Improving one-
[101] M. Teng, “Anomaly Detection on Time Series,” IEEE Int. Conf. class SVM for anomaly detection,” in International Conference
Prog. Informatics Comput., pp. 603–608, 2010, [Online]. on Machine Learning and Cybernetics, 2003, vol. 5, pp. 3077–
Available: http://arxiv.org/abs/1708.02975. 3081, doi: 10.1109/icmlc.2003.1260106.
[102] S. Lee, G. Kim, and S. Kim, “Self-adaptive and dynamic [120] C. Wagner, J. François, R. State, and T. Engel, “Machine
clustering for online anomaly detection,” Expert Syst. Appl., vol. learning approach for IP-flow record anomaly detection,” in
38, no. 12, pp. 14891–14898, 2011, doi: Lecture Notes in Computer Science (including subseries Lecture
10.1016/j.eswa.2011.05.058. Notes in Artificial Intelligence and Lecture Notes in
[103] S. Arshad, M. Abbaspour, M. Kharrazi, and H. Sanatkar, “An Bioinformatics), 2011, vol. 6640 LNCS, no. PART 1, pp. 28–39,
anomaly-based botnet detection approach for identifying stealthy doi: 10.1007/978-3-642-20757-0_3.
botnets,” ICCAIE 2011 - 2011 IEEE Conf. Comput. Appl. Ind. [121] J. Inoue, Y. Yamagata, Y. Chen, C. M. Poskitt, and J. Sun,
Electron., no. Iccaie, pp. 564–569, 2011, doi: “Anomaly Detection for a Water Treatment System Using
10.1109/ICCAIE.2011.6162198. Unsupervised Machine Learning.”
[104] S. Chauhan and L. Vig, “Anomaly detection in ECG time signals [122] Y. Li, B. Fang, L. Guo, and Y. Chen, “Network anomaly
via deep long short-term memory networks,” Proc. 2015 IEEE detection based on TCM-KNN algorithm,” in Proceedings of the
Int. Conf. Data Sci. Adv. Anal. DSAA 2015, 2015, doi: 2nd ACM Symposium on Information, Computer and
10.1109/DSAA.2015.7344872. Communications Security, ASIACCS ’07, 2007, pp. 13–19, doi:
[105] S. Calderara, U. Heinemann, A. Prati, R. Cucchiara, and N. 10.1145/1229285.1229292.
Tishby, “Detecting anomalies in people’s trajectories using [123] F. Maggi, S. Zanero, and V. Iozzo, “Seeing the invisible:
spectral graph analysis,” Comput. Vis. Image Underst., 2011, Forensic uses of anomaly detection and machine learning,” in
doi: 10.1016/j.cviu.2011.03.003. Operating Systems Review (ACM), Apr. 2008, vol. 42, no. 3, pp.
[106] S. Garg, K. Kaur, N. Kumar, and J. J. P. C. Rodrigues, “Hybrid 51–58, doi: 10.1145/1368506.1368514.
deep-learning-based anomaly detection scheme for suspicious [124] H. H. W. J. Bosman, A. Liotta, G. Iacca, and H. J. Wörtche,
flow detection in SDN: A social multimedia perspective,” IEEE “Anomaly detection in sensor systems using lightweight
Trans. Multimed., vol. 21, no. 3, pp. 566–578, 2019, doi: machine learning,” in Proceedings - 2013 IEEE International
10.1109/TMM.2019.2893549. Conference on Systems, Man, and Cybernetics, SMC 2013,
[107] O. Depren, M. Topallar, E. Anarim, and M. K. Ciliz, “An 2013, pp. 7–13, doi: 10.1109/SMC.2013.9.
intelligent intrusion detection system (IDS) for anomaly and [125] S. Shriram and E. Sivasankar, “Anomaly Detection on Shuttle
misuse detection in computer networks,” Expert Syst. Appl., vol. data using Unsupervised Learning Techniques,” in Proceedings
29, no. 4, pp. 713–722, 2005, doi: 10.1016/j.eswa.2005.05.002. of 2019 International Conference on Computational Intelligence
[108] D. Kang, D. Fuller, and V. Honavar, “Learning Classifiers for and Knowledge Economy, ICCIKE 2019, 2019, pp. 221–225,
Misuse Detection Using a Bag of System Calls Represent ation,” doi: 10.1109/ICCIKE47802.2019.9004325.
Work. Inf. Assur. Secur., pp. 511–516, 2005. [126] K. Limthong, Y. Ji, K. Fukuda, and S. Yamada, “Weighting
[109] E. Leon, O. Nasraoui, and J. Gomez, “Anomaly detection based Technique on Multi-timeline for Machine Learning-based
on unsupervised niche clustering with application to network Anomaly Detection System Disaster Preparation and Response
intrusion detection,” 2004, doi: 10.1109/cec.2004.1330898. via Big Data Analysis and Robust Networking View project
[110] A. Del Giorno, J. A. Bagnell, and M. Hebert, “A Discriminative Application Offloading Based on R-OSGi in Mobile Cloud
Framework for Anomaly Detection in Large Videos,” Comput. Computing View proj,” ieeexplore.ieee.org, doi:
Vis. – ECCV 2016, vol. 9905, pp. 334–349, 2016, doi: 10.1109/CCCS.2015.7374168.
10.1007/978-3-319-46448-0. [127] J. Shi, G. He, and X. Liu, “Anomaly Detection for Key
[111] J. Jabez, S. Gowri, S. Vigneshwari, J. A. Mayan, and S. Performance Indicators Through Machine Learning,” in
Srinivasulu, “Anomaly Detection by Using CFS Subset and Proceedings of 2018 6th IEEE International Conference on
Neural Network with WEKA Tools,” Inf. Commun. Technol. Network Infrastructure and Digital Content, IC-NIDC 2018,
Intell. Syst., vol. 106, pp. 675–682, 2019, doi: 10.1007/978-981- 2018, pp. 1–5, doi: 10.1109/ICNIDC.2018.8525714.
13-1742-2. [128] O. I. Provotar, Y. M. Linder, and M. M. Veres, “Unsupervised
[112] R. Laxhammar and G. Falkman, “Online learning and sequential Anomaly Detection in Time Series Using LSTM-Based
anomaly detection in trajectories,” IEEE Trans. Pattern Anal. Autoencoders,” in 2019 IEEE International Conference on
Mach. Intell., vol. 36, no. 6, pp. 1158–1173, 2014, doi: Advanced Trends in Information Theory, ATIT 2019 -
10.1109/TPAMI.2013.172. Proceedings, 2019, pp. 513–517, doi:
[113] M. Schneider, W. Ertel, and F. Ramos, “Expected similarity 10.1109/ATIT49449.2019.9030505.
estimation for large-scale batch and streaming anomaly [129] S. Kumar, S. Nandi, and S. Biswas, “Research and application of
detection,” Mach. Learn., vol. 105, no. 3, pp. 305–333, 2016, One-class small hypersphere support vector machine for network
doi: 10.1007/s10994-016-5567-7. anomaly detection,” 2011, doi:

VOLUME XX, 2017 3

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3083060, IEEE Access

10.1109/COMSNETS.2011.5716425. 10.1109/CCECE.2013.6567739.
[130] Y. Imamverdiyev and L. Sukhostat, “Anomaly detection in [146] W. Chimphlee, A. H. Abdullah, M. Noor, M. Sap, S. Srinoy, and
network traffic using extreme learning machine,” 2017, doi: S. Chimphlee, “Anomaly-Based Intrusion Detection using Fuzzy
10.1109/ICAICT.2016.7991732. Rough Clustering,” 2006.
[131] A. Dawoud, S. Shahristani, and C. Raun, “Deep learning for [147] T. M. Thang and J. Kim, “The anomaly detection by using
network anomalies detection,” in Proceedings - International DBSCAN clustering with multiple parameters,” 2011, doi:
Conference on Machine Learning and Data Engineering, 10.1109/ICISA.2011.5772437.
iCMLDE 2018, 2019, pp. 117–120, doi: [148] Y. Wang, D. Li, Y. Du, and Z. Pan, “Anomaly detection in
10.1109/iCMLDE.2018.00035. traffic using L1-norm minimization extreme learning machine,”
[132] H. G. Zhou and C. De Yang, “Using immune algorithm to Neurocomputing, vol. 149, no. Part A, pp. 415–425, 2015, doi:
optimize anomaly detection based on SVM,” in Proceedings of 10.1016/j.neucom.2014.04.073.
the 2006 International Conference on Machine Learning and [149] J. Zhang and M. Zulkernine, “Anomaly Based Network
Cybernetics, 2006, vol. 2006, pp. 4257–4261, doi: Intrusion Detection with Unsupervised Outlier Detection,” 2006.
10.1109/ICMLC.2006.259008. [150] T.-Y. Kim and S.-B. Cho, “Web traffic anomaly detection using
[133] Y. Shi and K. Miao, “Detecting anomalies in application C-LSTM neural networks,” Expert Syst. Appl., vol. 106, pp. 66–
performance management system with machine learning 76, 2018, doi: 10.1016/j.eswa.2018.04.004.
algorihms,” in 2019 IEEE 3rd International Conference on [151] C. H. Lin, J. C. Liu, and C. H. Ho, “Anomaly detection using
Electronic Information Technology and Computer Engineering, LibSVM training tools,” in Proceedings of the 2nd International
EITCE 2019, 2019, pp. 1797–1800, doi: Conference on Information Security and Assurance, ISA 2008,
10.1109/EITCE47263.2019.9094916. 2008, vol. 2, no. 4, pp. 166–171, doi: 10.1109/ISA.2008.12.
[134] P. K. Chan, M. V. Mahoney, and M. H. Arshad, “Learning Rules [152] Kunlun Li and Guifa Teng, “Unsupervised SVM Based on p-
and Clusters for Anomaly Detection in Network Traffic,” in kernels for Anomaly Detection,” 2006, doi:
Managing Cyber Threats, Springer-Verlag, 2005, pp. 81–99. 10.1109/icicic.2006.371.
[135] T. Salman, D. Bhamare, A. Erbad, R. Jain, and M. Samaka, [153] X. G. Tian, L. Z. Gao, C. L. Sun, M. Y. Duan, and E. Y. Zhang,
“Machine Learning for Anomaly Detection and Categorization “A method for anomaly detection of user behaviors based on
in Multi-Cloud Environments,” Proc. - 4th IEEE Int. Conf. machine learning,” J. China Univ. Posts Telecommun., vol. 13,
Cyber Secur. Cloud Comput. CSCloud 2017 3rd IEEE Int. Conf. no. 2, 2006, doi: 10.1016/S1005-8885(07)60105-8.
Scalable Smart Cloud, SSC 2017, pp. 97–103, 2017, doi: [154] B. G. Atli, Y. Miche, A. Kalliola, I. Oliver, S. Holtmanns, and
10.1109/CSCloud.2017.15. A. Lendasse, “Anomaly-Based Intrusion Detection Using
[136] Z. Xiao, C. Liu, and C. Chen, “An anomaly detection scheme Extreme Learning Machine and Aggregation of Network Traffic
based on machine learning for WSN,” in 2009 1st International Statistics in Probability Space,” Cognit. Comput., vol. 10, no. 5,
Conference on Information Science and Engineering, ICISE pp. 848–863, Oct. 2018, doi: 10.1007/s12559-018-9564-y.
2009, 2009, pp. 3959–3962, doi: 10.1109/ICISE.2009.235. [155] S. Mojtaba, H. Bamakan, Y. Tian, M. Mirzabagheri, H. Wang,
[137] S. Naseer et al., “Enhanced network anomaly detection based on and Q. Qu, “ARTICLE IN PRESS JID: NEUCOM [m5G; Ramp
deep neural networks,” IEEE Access, vol. 6, pp. 48231–48246, loss one-class support vector machine; A robust and effective
2018, doi: 10.1109/ACCESS.2018.2863036. approach to anomaly detection problems,” Elsevier, 2018, doi:
[138] S. Rajasegarar, C. Leckie, and M. Palaniswami, “CESVM: 10.1016/j.neucom.2018.05.027.
Centered hyperellipsoidal support vector machine based [156] H. Su, X. Wu, X.-H. Yan, and A. Kidwell, “Estimation of
anomaly detection,” in IEEE International Conference on subsurface temperature anomaly in the Indian Ocean during
Communications, 2008, pp. 1610–1614, doi: recent global surface warming hiatus from satellite
10.1109/ICC.2008.311. measurements: A support vector machine approach Deeper
[139] A. Valdes, R. Macwan, and M. Backes, “Anomaly detection in Ocean Remote Sensing View project Sea Ice Remote Sensing
electrical substation circuits via unsupervised machine learning,” View project Estima,” Elsevier, 2015, doi:
in Proceedings - 2016 IEEE 17th International Conference on 10.1016/j.rse.2015.01.001.
Information Reuse and Integration, IRI 2016, 2016, pp. 500– [157] B. Cui and S. He, “Anomaly detection model based on hadoop
505, doi: 10.1109/IRI.2016.74. platform and weka interface,” in Proceedings - 2016 10th
[140] L. Kuang and M. Zulkemine, “An anomaly intrusion detection International Conference on Innovative Mobile and Internet
method using the CSI-KNN algorithm,” in Proceedings of the Services in Ubiquitous Computing, IMIS 2016, 2016, pp. 84–89,
ACM Symposium on Applied Computing, 2008, pp. 921–926, doi: 10.1109/IMIS.2016.50.
doi: 10.1145/1363686.1363897. [158] M. Hasan, M. M. Islam, M. I. I. Zarif, and M. M. A. Hashem,
[141] S. R. Gaddam, V. V. Phoha, and K. S. Balagani, “K- “Attack and anomaly detection in IoT sensors in IoT sites using
Means+ID3: A novel method for supervised anomaly detection machine learning approaches,” Internet of Things, vol. 7, p.
by cascading k-Means clustering and ID3 decision tree learning 100059, 2019, doi: 10.1016/j.iot.2019.100059.
methods,” IEEE Trans. Knowl. Data Eng., vol. 19, no. 3, pp. [159] R. Abdulhammed, M. Faezipour, A. Abuzneid, and A.
345–354, 2007, doi: 10.1109/TKDE.2007.44. Abumallouh, “Deep and Machine Learning Approaches for
[142] E. K. Viegas, A. O. Santin, and L. S. Oliveira, “Toward a Anomaly-Based Intrusion Detection of Imbalanced Network
reliable anomaly-based intrusion detection in real-world Traffic,” IEEE Sensors Lett., vol. 3, no. 1, 2019, doi:
environments,” Comput. Networks, vol. 127, pp. 200–216, 2017, 10.1109/LSENS.2018.2879990.
doi: 10.1016/j.comnet.2017.08.013. [160] S. J. Stolfo, S. Hershkop, L. H. Bui, R. Ferster, and K. Wang,
[143] Y. Wang, J. Wong, and A. Miner, “Anomaly intrusion detection “Anomaly detection in computer security and an application to
using one class SVM,” in Proceedings fron the Fifth Annual file system accesses,” in Lecture Notes in Computer Science
IEEE System, Man and Cybernetics Information Assurance (including subseries Lecture Notes in Artificial Intelligence and
Workshop, SMC, 2004, pp. 358–364, doi: Lecture Notes in Bioinformatics), 2005, vol. 3488 LNAI, pp. 14–
10.1109/iaw.2004.1437839. 28, doi: 10.1007/11425274_2.
[144] B. I. P. Rubinstein et al., “Antidote: Understanding and [161] K. Limthong and T. Tawsook, “Network traffic anomaly
defending against poisoning of anomaly detectors,” in detection using machine learning approaches,”
Proceedings of the ACM SIGCOMM Internet Measurement ieeexplore.ieee.org, 2012, doi: 10.1109/NOMS.2012.6211951.
Conference, IMC, 2009, pp. 1–14, doi: [162] F. Barani and S. Gerami, “ManetSVM: Dynamic anomaly
10.1145/1644893.1644895. detection using one-class support vector machine in MANETs,”
[145] D. Liu, C. H. Lung, I. Lambadaris, and N. Seddigh, “Network 2013, doi: 10.1109/ISCISC.2013.6767325.
traffic anomaly detection using clustering techniques and [163] B. Litt, D. Wulsin, J. Blanco, and R. Mani, “Semi-Supervised
performance comparison,” 2013, doi: Anomaly Detection for EEG Waveforms Using Deep Belief

VOLUME XX, 2017 3

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3083060, IEEE Access

Nets,” ieeexplore.ieee.org, 2011, doi: 10.1109/ICMLA.2010.71. [181] N. Stakhanova, S. Basu, and J. Wong, “On the symbiosis of
[164] A. Adler, M. J. Mayhew, J. Cleveland, M. Atighetchi, and R. specification-based and anomaly-based detection,” Comput.
Greenstadt, “Using Machine Learning for Behavior-Based Secur., 2010, doi: 10.1016/j.cose.2009.08.007.
Access Control: Scalable Anomaly Detection on TCP [182] J. Lundstrom, W. O. De Morais, and M. Cooney, “A holistic
Connections and HTTP Requests.” smart home demonstrator for anomaly detection and response,”
[165] B. Amos, H. Turner, and J. White, “Applying machine learning in 2015 IEEE International Conference on Pervasive Computing
classifiers to dynamic android malware detection at scale,” 2013 and Communication Workshops, PerCom Workshops 2015,
9th Int. Wirel. Commun. Mob. Comput. Conf. IWCMC 2013, pp. 2015, pp. 330–335, doi: 10.1109/PERCOMW.2015.7134058.
1666–1671, 2013, doi: 10.1109/IWCMC.2013.6583806. [183] Y. Yuan, J. Fang, and Q. Wang, “Online Anomaly Detection in
[166] M. S. Parwez, D. B. Rawat, and M. Garuba, “Big data analytics Crowd Scenes via Structure Analysis,” IEEE Trans. Cybern.,
for user-activity analysis and user-anomaly detection in mobile vol. 45, no. 3, 2015, doi: 10.1109/TCYB.2014.2330853.
wireless network,” IEEE Trans. Ind. Informatics, vol. 13, no. 4, [184] A. Barua, D. Muthirayan, P. P. Khargonekar, and M. A. Al
pp. 2058–2065, 2017, doi: 10.1109/TII.2017.2650206. Faruque, “Hierarchical Temporal Memory Based Machine
[167] G. Shah and A. Tiwari, “Anomaly detection in IIoT: A case Learning for Real-Time, Unsupervised Anomaly Detection in
study using machine learning,” in ACM International Smart Grid: WiP Abstract,” in Proceedings - 2020 ACM/IEEE
Conference Proceeding Series, 2018, pp. 295–300, doi: 11th International Conference on Cyber-Physical Systems,
10.1145/3152494.3156816. ICCPS 2020, 2020, pp. 188–189, doi:
[168] P. M. Mafra, V. Moll, J. Da Silva Fraga, and A. O. Santin, 10.1109/ICCPS48487.2020.00027.
“Octopus-IIDS: An anomaly based intelligent intrusion detection [185] W. Yan, “One-class extreme learning machines for gas turbine
system,” in Proceedings - IEEE Symposium on Computers and combustor anomaly detection,” in Proceedings of the
Communications, 2010, pp. 405–410, doi: International Joint Conference on Neural Networks, 2016, vol.
10.1109/ISCC.2010.5546735. 2016-Octob, pp. 2909–2914, doi:
[169] S. Anil and R. Remya, “A hybrid method based on genetic 10.1109/IJCNN.2016.7727567.
algorithm, self-organised feature map, and support vector [186] A. Brown, B. Hutchinson, A. Tuor, and N. Nichols, “Recurrent
machine for better network anomaly detection,” 2013, doi: neural network attention mechanisms for interpretable system
10.1109/ICCCNT.2013.6726604. log anomaly detection,” Jun. 2018, doi:
[170] R. Fujimaki, “Anomaly detection support vector machine and its 10.1145/3217871.3217872.
application to fault diagnosis,” in Proceedings - IEEE [187] K. Atefi, S. Yahya, A. Rezaei, and S. H. B. M. Hashim,
International Conference on Data Mining, ICDM, 2008, pp. “Anomaly detection based on profile signature in network using
797–802, doi: 10.1109/ICDM.2008.69. machine learning technique,” in Proceedings - 2016 IEEE
[171] S. Duque Anton et al., “Evaluation of Machine Learning-based Region 10 Symposium, TENSYMP 2016, 2016, pp. 71–76, doi:
Anomaly Detection Algorithms on an Industrial Modbus/TCP 10.1109/TENCONSpring.2016.7519380.
Data Set "Evaluation of Machine Learning-based Anomaly [188] H. Suetani, A. M. Ideta, and J. Morimoto, “Nonlinear structure
Detection Algo-rithms on an Industrial Modbus/TCP Data Set of escape-times to falls for a passive dynamic walker on an
CCS CONCEPTS • Security and privacy → Intrusion,” irregular slope: Anomaly detection using multi-class support
dl.acm.org, vol. 41, no. 9, pp. 1–41, Aug. 2018, doi: vector machine and latent state extraction by canonical
10.1145/3230833.3232818. correlation analysis,” in IEEE International Conference on
[172] G. Yan, “Network Anomaly Traffic Detection Method Based on Intelligent Robots and Systems, 2011, pp. 2715–2722, doi:
Support Vector Machine,” in Proceedings - 2016 International 10.1109/IROS.2011.6048434.
Conference on Smart City and Systems Engineering, ICSCSE [189] L. Fernandez Maimo, A. L. Perales Gomez, F. J. Garcia
2016, 2017, pp. 3–6, doi: 10.1109/ICSCSE.2016.0011. Clemente, M. Gil Perez, and G. Martinez Perez, “A Self-
[173] L. Xiong, H. D. Ma, H. Z. Fang, K. X. Zou, and D. W. Yi, Adaptive Deep Learning-Based System for Anomaly Detection
“Anomaly detection of spacecraft based on least squares support in 5G Networks,” IEEE Access, vol. 6, pp. 7700–7712, 2018,
vector machine,” 2011, doi: 10.1109/PHM.2011.5939470. doi: 10.1109/ACCESS.2018.2803446.
[174] F. Wang, Y. Qian, Y. Dai, and Z. Wang, “A model based on [190] F. Seraj, J. Van Der Zwaag, P. Havinga, A. Dilo, and T. Luarasi,
hybrid support vector machine and self-organizing map for “RoADS: A Road Pavement Monitoring System for Anomaly
anomaly detection,” in 2010 WRI International Conference on Detection Using Smart Phones,” Springer, vol. 9546, pp. 128–
Communications and Mobile Computing, CMC 2010, 2010, vol. 146, 2016, doi: 10.1007/978-3-319-29009-6_7.
1, pp. 97–101, doi: 10.1109/CMC.2010.9. [191] M. Amar, I. Gondal, and C. Wilson, “Unitary anomaly detection
[175] J. Zhang, R. Gardner, and I. Vukotic, “Anomaly detection in for ubiquitous safety in machine health monitoring,” in Lecture
wide area network meshes using two machine learning Notes in Computer Science (including subseries Lecture Notes in
algorithms,” Futur. Gener. Comput. Syst., vol. 93, pp. 418–426, Artificial Intelligence and Lecture Notes in Bioinformatics),
Jan. 2019, doi: 10.1016/j.future.2018.07.023. 2012, vol. 7667 LNCS, no. PART 5, pp. 361–368, doi:
[176] L. Deecke, R. Vandermeulen, L. Ruff, S. Mandt, and M. Kloft, 10.1007/978-3-642-34500-5_43.
“Image anomaly detection with generative adversarial [192] K. Stefanidis and A. G. Voyiatzis, “An HMM-based anomaly
networks,” in Lecture Notes in Computer Science (including detection approach for SCADA systems,” in Lecture Notes in
subseries Lecture Notes in Artificial Intelligence and Lecture Computer Science (including subseries Lecture Notes in
Notes in Bioinformatics), 2019, vol. 11051 LNAI, pp. 3–17, doi: Artificial Intelligence and Lecture Notes in Bioinformatics),
10.1007/978-3-030-10925-7_1. 2016, vol. 9895 LNCS, pp. 85–99, doi: 10.1007/978-3-319-
[177] M. Ćosović, S. Obradović, and L. Trajković, “Performance 45931-8_6.
Evaluation of BGP Anomaly Classifiers.” [193] S. C. Chin, A. Ray, and V. Rajagopalan, “Symbolic time series
[178] G. D’Angelo, F. Palmieri, M. Ficco, and S. Rampone, “An analysis for anomaly detection: A comparative evaluation $,”
uncertainty-managing batch relevance-based approach to Signal Processing, vol. 85, pp. 1859–1868, 2005, doi:
network anomaly detection,” Appl. Soft Comput. J., vol. 36, pp. 10.1016/j.sigpro.2005.03.014.
408–418, 2015, doi: 10.1016/j.asoc.2015.07.029. [194] F. A. González and D. Dasgupta, “Anomaly detection using real-
[179] D. Ashok Kumar and S. R. Venugopalan, “A novel algorithm for valued negative selection,” in Genetic Programming and
network anomaly detection using adaptive machine learning,” in Evolvable Machines, Dec. 2003, vol. 4, no. 4, pp. 383–403, doi:
Advances in Intelligent Systems and Computing, 2018, vol. 564, 10.1023/A:1026195112518.
pp. 59–69, doi: 10.1007/978-981-10-6875-1_7. [195] E. H. Pena, L. F. Carvalho, S. Barbon Jr, J. JPC Rodrigues, and
[180] M. Marwah, R. Sharma, and C. Bash, “Thermal anomaly M. Lemes Proença Jr, “Anomaly detection using the
prediction in data centers,” 2010, doi: correlational paraconsistent machine with digital signatures of
10.1109/ITHERM.2010.5501330. network segment,” Inf. Sci. (Ny)., vol. 420, pp. 313–328, 2017,

VOLUME XX, 2017 3

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3083060, IEEE Access

doi: 10.1016/j.ins.2017.08.074. [213] M. Du, F. Li, G. Zheng, and V. Srikumar, “DeepLog: Anomaly
[196] F. Gonzalez, D. Dasgupta, and R. Kozma, “Combining negative detection and diagnosis from system logs through deep
selection and classification techniques for anomaly detection,” in learning,” in Proceedings of the ACM Conference on Computer
Proceedings of the 2002 Congress on Evolutionary and Communications Security, Oct. 2017, pp. 1285–1298, doi:
Computation, CEC 2002, 2002, vol. 1, pp. 705–710, doi: 10.1145/3133956.3134015.
10.1109/CEC.2002.1007012. [214] W. Fisher, T. Camp, V. V Krzhizhanovskaya, W. D. Fisher, and
[197] E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo, “A T. K. Camp, “Anomaly Detection in Earth Dam and Levee
Geometric Framework for Unsupervised Anomaly Detection,” Passive Seismic Data Using Support Vector Machines and
2002, pp. 77–101. Automatic Feature Selection Modeling the Human Innate
[198] A. D. Schmidt, F. Peters, F. Lamour, C. Scheel, S. A. Çamtepe, Immune System: in-silico studies View project Anomaly
and Ş. Albayrak, “Monitoring smartphones for anomaly detection in earth dam and levee passive seismic da,” Artic. J.
detection,” Mob. Networks Appl., vol. 14, no. 1, pp. 92–106, Comput. Sci., vol. 20, pp. 143–153, 2017, doi:
Feb. 2009, doi: 10.1007/s11036-008-0113-x. 10.1016/j.jocs.2016.11.016.
[199] M. V Mahoney and P. K. Chan, “Learning rules for anomaly [215] M. Cheng, Q. Li, J. Lv, W. Liu, and J. Wang, “Multi-Scale
detection of hostile network traffic,” in Proceedings - IEEE LSTM Model for BGP Anomaly Classification,” IEEE Trans.
International Conference on Data Mining, ICDM, 2003, pp. Serv. Comput., 2018, doi: 10.1109/TSC.2018.2824809.
601–604, doi: 10.1109/icdm.2003.1250987. [216] S. Cho and S. Cha, “SAD: Web session anomaly detection based
[200] R. Winding, T. Wright, and M. Chapple, “System anomaly on parameter estimation,” Comput. Secur., vol. 23, no. 4, pp.
detection: Mining firewall logs,” 2006, doi: 312–319, 2004, doi: 10.1016/j.cose.2004.01.006.
10.1109/SECCOMW.2006.359572. [217] S. J. Han, K. J. Kim, and S. B. Cho, “Evolutionary learning
[201] N. Duffield, P. Haffner, B. Krishnamurthy, and H. Ringberg, program’s behavior in neural networks for anomaly detection,”
“Rule-based anomaly detection on IP flows,” in Proceedings - Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif.
IEEE INFOCOM, 2009, pp. 424–432, doi: Intell. Lect. Notes Bioinformatics), vol. 3316, pp. 236–241,
10.1109/INFCOM.2009.5061947. 2004, doi: 10.1007/978-3-540-30499-9_35.
[202] T. Stibor, P. Mohr, and J. Timmis, “Is negative selection [218] Y. Zhao, B. Deng, C. Shen, Y. Liu, H. Lu, and X. S. Hua,
appropriate for anomaly detection ?,” in GECCO 2005 - Genetic “Spatio-temporal AutoEncoder for video anomaly detection,” in
and Evolutionary Computation Conference, 2005, pp. 321–328, MM 2017 - Proceedings of the 2017 ACM Multimedia
doi: 10.1145/1068009.1068061. Conference, Oct. 2017, pp. 1933–1941, doi:
[203] L. Scime and J. Beuth, “Anomaly detection and classification in 10.1145/3123266.3123451.
a laser powder bed additive manufacturing process using a [219] C. Pascoal, M. Rosário De Oliveira, R. Valadas, P. Filzmoser, P.
trained computer vision algorithm,” Addit. Manuf., vol. 19, pp. Salvador, and A. Pacheco, Robust Feature Selection and Robust
114–126, 2018, doi: 10.1016/j.addma.2017.11.009. PCA for Internet Traffic Anomaly Detection. .
[204] B. I. P. Rubinstein et al., “Stealthy poisoning attacks on PCA- [220] G. Pang, C. Shen, and A. Van Den Hengel, “Deep Anomaly
based anomaly detectors,” in Performance Evaluation Review, Detection with Deviation Networks,” dl.acm.org, pp. 353–362,
Oct. 2009, vol. 37, no. 2, pp. 73–74, doi: Jul. 2019, doi: 10.1145/3292500.3330871.
10.1145/1639562.1639592. [221] J. Liu, J. Gu, H. Li, and K. H. Carlson, “Machine learning and
[205] D. D. Kim, S.-Y. Ohn, D. Kim, H. Nguyen, S. Ohn, and J. Park, transport simulations for groundwater anomaly detection,” J.
“Fusions of GA and SVM for Anomaly Detection in Intrusion Comput. Appl. Math., vol. 380, 2020, doi:
Detection System Software Defined Networking based Moving 10.1016/j.cam.2020.112982.
Target Defense View project Decomposition of convex [222] R. Bhatia, S. Benno, J. Esteban, T. V. Lakshman, and J. Grogan,
structuring elements View project Fusions of GA and SVM for “Unsupervised machine learning for network-centric anomaly
Anomaly Detection in Intrusi,” LNCS, vol. 3498, no. III, pp. detection in IoT,” in Big-DAMA 2019 - Proceedings of the 3rd
415–420, 2005, doi: 10.1007/11427469_67. ACM CoNEXT Workshop on Big DAta, Machine Learning and
[206] E. L. Paula, M. Ladeira, R. N. Carvalho, and T. Marzagão, Artificial Intelligence for Data Communication Networks, Part
“Deep learning anomaly detection as suppor fraud investigation of CoNEXT 2019, Dec. 2019, pp. 42–48, doi:
in Brazilian exports and anti-money laundering,” in Proceedings 10.1145/3359992.3366641.
- 2016 15th IEEE International Conference on Machine [223] Z. Chkirbene, S. Eltanbouly, M. Bashendy, N. Alnaimi, and A.
Learning and Applications, ICMLA 2016, 2017, pp. 954–960, Erbad, “Hybrid Machine Learning for Network Anomaly
doi: 10.1109/ICMLA.2016.73. Intrusion Detection,” in 2020 IEEE International Conference on
[207] R. Fujimaki, T. Yairi, and K. Machida, “An anomaly detection Informatics, IoT, and Enabling Technologies, ICIoT 2020, 2020,
method for spacecraft using relevance vector learning,” in pp. 163–170, doi: 10.1109/ICIoT48696.2020.9089575.
Lecture Notes in Computer Science (including subseries Lecture [224] J. Wang et al., “An anomaly prediction framework for financial
Notes in Artificial Intelligence and Lecture Notes in IT systems using hybrid machine learning methods,” Artic. J.
Bioinformatics), 2005, vol. 3518 LNAI, pp. 785–790, doi: Ambient Intell. Humaniz. Comput., 2019, doi: 10.1007/s12652-
10.1007/11430919_92. 019-01645-z.
[208] S. Liu, Y. Chen, W. Trappe, L. J. Greenstein, and N. Brunswick, [225] H. Goldberg, H. Kwon, and N. M. Nasrabadi, “Kernel
ALDO: An Anomaly Detection Framework for Dynamic eigenspace separation transform for subspace anomaly detection
Spectrum Access Networks. . in hyperspectral imagery,” IEEE Geosci. Remote Sens. Lett., vol.
[209] K. Sequeira and M. Zaki, “ADMIT: Anomaly-based data mining 4, no. 4, pp. 581–585, Oct. 2007, doi:
for intrusions,” in Proceedings of the ACM SIGKDD 10.1109/LGRS.2007.903083.
International Conference on Knowledge Discovery and Data [226] Y. Feng, Z. F. Wu, K. G. Wu, Z. Y. Xiong, and Y. Zhou, “An
Mining, 2002, pp. 386–395. unsupervised anomaly intrusion detection algorithm based on
[210] V. L. L. Thing, “IEEE 802.11 network anomaly detection and swarm intelligence,” in 2005 International Conference on
attack classification: A deep learning approach,” 2017, doi: Machine Learning and Cybernetics, ICMLC 2005, 2005, pp.
10.1109/WCNC.2017.7925567. 3965–3969, doi: 10.1109/icmlc.2005.1527630.
[211] K. M. Ting, T. Washio, J. R. Wells, and S. Aryal, “Defying the [227] H. Y. Shahir, U. Glasser, A. Y. Shahir, and H. Wehn, “Maritime
gravity of learning curve: a characteristic of nearest neighbour situation analysis framework: Vessel interaction classification
anomaly detectors,” Mach. Learn., vol. 106, no. 1, pp. 55–91, and anomaly detection,” in Proceedings - 2015 IEEE
2017, doi: 10.1007/s10994-016-5586-4. International Conference on Big Data, IEEE Big Data 2015,
[212] Y. Zhou, S. Yan, and T. S. Huang, “DETECTING ANOMALY 2015, pp. 1279–1289, doi: 10.1109/BigData.2015.7363883.
IN VIDEOS FROM TRAJECTORY SIMILARITY [228] D. B. Araya, K. Grolinger, H. F. ElYamany, M. A. M. Capretz,
ANALYSIS.” and G. Bitsuamlak, “An ensemble learning framework for

anomaly detection in building energy consumption,” Energy Encoder. 2018.


Build., vol. 144, pp. 191–206, 2017, doi: [246] M. Fugate and J. R. Gattiker, “Anomaly detection enhanced
10.1016/j.enbuild.2017.02.058. classification in computer intrusion detection,” in Lecture Notes
[229] J. B. D. Cabrera, C. Gutiérrez, and R. K. Mehra, “Ensemble in Computer Science (including subseries Lecture Notes in
methods for anomaly detection and distributed intrusion Artificial Intelligence and Lecture Notes in Bioinformatics),
detection in Mobile Ad-Hoc Networks,” Inf. Fusion, vol. 9, no. 2002, vol. 2388, pp. 186–197, doi: 10.1007/3-540-45665-1_15.
1, pp. 96–119, 2008, doi: 10.1016/j.inffus.2007.03.001. [247] C. C. Michael and A. Ghosh, “Simple, State-Based Approaches
[230] W. Fan, N. Bouguila, and D. Ziou, “Unsupervised anomaly to Program-Based Anomaly Detection,” ACM Trans. Inf. Syst.
intrusion detection via localized Bayesian feature selection,” in Secur., vol. 5, no. 3, pp. 203–237, 2002, doi:
Proceedings - IEEE International Conference on Data Mining, 10.1145/545186.545187.
ICDM, 2011, pp. 1032–1037, doi: 10.1109/ICDM.2011.152. [248] Y. Liao, V. R. Vemuri, and A. Pasos, “Adaptive anomaly
[231] R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, and W. Lee, detection with evolving connectionist systems,” J. Netw.
“McPAD : A Multiple Classifier System for Accurate Payload- Comput. Appl., vol. 30, no. 1, pp. 60–80, 2007, doi:
based Anomaly Detection.” 10.1016/j.jnca.2005.08.005.
[232] E. Eskin, “Detecting Errors within a Corpus using Anomaly [249] V. R. Jakkula, A. S. Crandall, and D. J. Cook, “Enhancing
Detection.” anomaly detection using temporal pattern discovery,” in
[233] J. Frery, A. Habrard, M. Sebban, O. Caelen, and L. He-Guelton, Advanced Intelligent Environments, Springer US, 2009, pp. 175–
“Efficient Top Rank Optimization with Gradient Boosting for 194.
Supervised Anomaly Detection,” in Lecture Notes in Computer [250] B. Vrat, N. Aggarwal, and S. Venkatesan, “Anomaly Detection
Science (including subseries Lecture Notes in Artificial in IPv4 and IPv6 networks using machine learning,” 2016, doi:
Intelligence and Lecture Notes in Bioinformatics), 2017, vol. 10.1109/INDICON.2015.7443752.
10534 LNAI, pp. 20–35, doi: 10.1007/978-3-319-71249-9_2. [251] S. Muller, J. Lancrenon, C. Harpes, Y. Le Traon, S. Gombault,
[234] B. Hussain, Q. Du, and P. Ren, “Semi-supervised learning based and J.-M. Bonnin, “A Training-Resistant Anomaly Detection
big data-driven anomaly detection in mobile wireless networks,” System.”
in China Communications, 2018, vol. 15, no. 4, pp. 41–57, doi: [252] S. Xiuyao, W. Mingxi, C. Jermaine, and S. Ranka, “Conditional
10.1109/CC.2018.8357700. anomaly detection,” IEEE Trans. Knowl. Data Eng., vol. 19, no.
[235] H. Alipour, Y. B. Al-Nashif, P. Satam, and S. Hariri, “Wireless 5, pp. 631–644, May 2007, doi: 10.1109/TKDE.2007.1009.
Anomaly Detection Based on IEEE 802.11 Behavior Analysis,” [253] R. Jain and H. Shah, “An anomaly detection in smart cities
IEEE Trans. Inf. Forensics Secur., vol. 10, no. 10, pp. 2158– modeled as wireless sensor network,” 2017, doi:
2170, 2015, doi: 10.1109/TIFS.2015.2433898. 10.1109/ICONSIP.2016.7857445.
[236] H. H. Bosman, G. Iacca, A. Tejada, H. J. Wörtche, and A. Liotta, [254] X. R. Wang, J. T. Lizier, O. Obst, M. Prokopenko, and P. Wang,
“Spatial anomaly detection in sensor networks using “Spatiotemporal anomaly detection in gas monitoring sensor
neighborhood information,” Inf. Fusion, vol. 33, pp. 41–56, networks,” in Lecture Notes in Computer Science (including
2017, doi: 10.1016/j.inffus.2016.04.007. subseries Lecture Notes in Artificial Intelligence and Lecture
[237] S. Adepu, Y. Xiang, M. Tan, J. Goh, and L. Z. Shan, “Anomaly Notes in Bioinformatics), 2008, vol. 4913 LNCS, pp. 90–105,
Detection in Cyber Physical Systems Using Recurrent Neural doi: 10.1007/978-3-540-77690-1_6.
Networks Cyber Physical System Protection View project [255] W. Li and Q. X. Li, “Using naive Bayes with AdaBoost to
Advancing Security of Public Infrastructure using Resilience and enhance network anomaly intrusion detection,” in Proceedings -
Economics View project Anomaly Detection in Cyber Physical 3rd International Conference on Intelligent Networks and
Systems u,” ieeexplore.ieee.org, 2017, doi: Intelligent Systems, ICINIS 2010, 2010, pp. 486–489, doi:
10.1109/HASE.2017.36. 10.1109/ICINIS.2010.133.
[238] N. Erez and A. Wool, “Control variable classification, modeling [256] X. Hang and H. Dai, “Applying both positive and negative
and anomaly detection in Modbus/TCP SCADA systems,” Int. J. selection to supervised learning for anomaly detection,” in
Crit. Infrastruct. Prot., vol. 10, pp. 59–70, 2015, doi: GECCO 2005 - Genetic and Evolutionary Computation
10.1016/j.ijcip.2015.05.001. Conference, 2005, pp. 345–352, doi: 10.1145/1068009.1068064.
[239] T. F. Ghanem, W. S. Elkilani, and H. M. Abdul-kader, “A hybrid [257] Y. K. Wang, C. T. Fan, K. Y. Cheng, and P. S. Deng, “Real-time
approach for efficient anomaly detection using metaheuristic camera anomaly detection for real-world video surveillance,” in
methods,” J. Adv. Res., vol. 6, no. 4, pp. 609–619, 2015, doi: Proceedings - International Conference on Machine Learning
10.1016/j.jare.2014.02.009. and Cybernetics, 2011, vol. 4, pp. 1520–1525, doi:
[240] F. Schuster, A. Paul, and H. König, “Towards learning normality 10.1109/ICMLC.2011.6017032.
for anomaly detection in industrial control networks,” in Lecture [258] R. C. Aygun and A. G. Yavuz, “Network Anomaly Detection
Notes in Computer Science (including subseries Lecture Notes in with Stochastically Improved Autoencoder Based Models,” in
Artificial Intelligence and Lecture Notes in Bioinformatics), Proceedings - 4th IEEE International Conference on Cyber
2013, vol. 7943 LNCS, pp. 61–72, doi: 10.1007/978-3-642- Security and Cloud Computing, CSCloud 2017 and 3rd IEEE
38998-6_8. International Conference of Scalable and Smart Cloud, SSC
[241] S. M. A. M. Gadal and R. A. Mokhtar, “Anomaly detection 2017, 2017, pp. 193–198, doi: 10.1109/CSCloud.2017.39.
approach using hybrid algorithm of data mining technique,” [259] Y. Feng, Y. Yuan, and X. Lu, “Learning deep event models for
2017, doi: 10.1109/ICCCCEE.2017.7867661. crowd anomaly detection,” Neurocomputing, vol. 219, pp. 548–
[242] Q. Guan and S. Fu, “Adaptive anomaly identification by 556, 2017, doi: 10.1016/j.neucom.2016.09.063.
exploring metric subspace in cloud computing infrastructures,” [260] S. Akcay, A. Atapour-Abarghouei, and T. P. Breckon,
in Proceedings of the IEEE Symposium on Reliable Distributed “GANomaly: Semi-supervised Anomaly Detection via
Systems, 2013, pp. 205–214, doi: 10.1109/SRDS.2013.29. Adversarial Training,” in Lecture Notes in Computer Science
[243] W. Haider, J. Hu, and M. Xie, “Towards reliable data feature (including subseries Lecture Notes in Artificial Intelligence and
retrieval and decision engine in host-based anomaly detection Lecture Notes in Bioinformatics), 2019, vol. 11363 LNCS, pp.
systems,” in Proceedings of the 2015 10th IEEE Conference on 622–637, doi: 10.1007/978-3-030-20893-6_39.
Industrial Electronics and Applications, ICIEA 2015, 2015, pp. [261] M. Chang, A. Terzis, and P. Bonnet, “Mote-based online
513–517, doi: 10.1109/ICIEA.2015.7334166. anomaly detection using echo state networks,” in Lecture Notes
[244] R. Perdisci, G. Gu, and W. Lee, “Using an Ensemble of One- in Computer Science (including subseries Lecture Notes in
Class SVM Classifiers to Harden Payload-based Anomaly Artificial Intelligence and Lecture Notes in Bioinformatics),
Detection Systems.” 2009, vol. 5516 LNCS, pp. 72–86, doi: 10.1007/978-3-642-
[245] A. M. Vartouni, S. S. Kashi, and M. Teshnehlab, An Anomaly 02085-8_6.
Detection Method to Detect Web Attacks Using Stacked Auto- [262] A. Sayed et al., Genetic Algorithm with Different Feature

Selection Techniques for Anomaly Detectors Generation. . Artificial Intelligence and Lecture Notes in Bioinformatics),
[263] G. Marín, P. Casas, and G. Capdehourat, “RawPower: Deep 2019, vol. 11051 LNAI, pp. 173–189, doi: 10.1007/978-3-030-
learning based anomaly detection from raw network traffic 10925-7_11.
measurements,” in SIGCOMM 2018 - Proceedings of the 2018 [278] F. Doelitzscher, M. Knahl, C. Reich, and N. Clarke, “Anomaly
Posters and Demos, Part of SIGCOMM 2018, Aug. 2018, pp. detection in IaaS Clouds,” in Proceedings of the International
75–77, doi: 10.1145/3234200.3234238. Conference on Cloud Computing Technology and Science,
[264] / Casas, P. ; Soro, F. ; Vanerio, J. ; Settanni, and G. ; D’alconzo, CloudCom, 2013, vol. 1, pp. 387–394, doi:
“Network security and anomaly detection with Big-DAMA, a 10.1109/CloudCom.2013.57.
big data analytics framework,” ieeexplore.ieee.org, pp. 1–7, [279] F. M. Shah, N. F. Haq, and A. Rahman Onik, “An Ensemble
2017, doi: 10.1109/CloudNet.2017.8071525. Framework of Anomaly Detection Using Hybridized Feature
[265] X. D. Hoang and J. Hu, “An efficient hidden markov model Selection Approach (HFSA),” ieeexplore.ieee.org, 2015, doi:
training scheme for anomaly intrusion detection of server 10.1109/IntelliSys.2015.7361264.
applications based on system calls,” in Proceedings - IEEE [280] J. Tian, H. Gu, J. Tian, and · H Gu, “Anomaly detection
International Conference on Networks, ICON, 2004, vol. 2, pp. combining one-class SVMs and particle swarm optimization
470–474, doi: 10.1109/ICON.2004.1409210. algorithms,” Springer, vol. 61, no. 1–2, pp. 303–310, Jul. 2010,
[266] I. O. De Urbina Cazenave, E. Köşlük, and M. C. Ganiz, “An doi: 10.1007/s11071-009-9650-5.
anomaly detection framework for BGP,” in INISTA 2011 - 2011 [281] G. A. Susto, A. Beghi, and S. McLoone, “Anomaly Detection
International Symposium on INnovations in Intelligent SysTems through on-line Isolation Forest: An application to plasma
and Applications, 2011, pp. 107–111, doi: etching,” in 2017 28th Annual SEMI Advanced Semiconductor
10.1109/INISTA.2011.5946083. Manufacturing Conference (ASMC), 2017, pp. 89–94, doi:
[267] O. Raz, P. Koopman, and M. Shaw, “Semantic anomaly 10.23919/mipro.2017.7966552.
detection in online data sources,” in Proceedings - International [282] I. Paredes-Oliva, I. Castell-Uroz, P. Barlet-Ros, X.
Conference on Software Engineering, 2002, pp. 302–312, doi: Dimitropoulos, and J. Solé-Pareta, “Practical Anomaly Detection
10.1145/581339.581378. based on Classifying Frequent Traffic Patterns,” 2012.
[268] H. M. Anwer, M. Farouk, and A. Abdel-Hamid, “A framework [283] I. Ullah and Q. H. Mahmoud, “A hybrid model for anomaly-
for efficient network anomaly intrusion detection with features based intrusion detection in SCADA networks,” in Proceedings
selection,” in 2018 9th International Conference on Information - 2017 IEEE International Conference on Big Data, Big Data
and Communication Systems, ICICS 2018, 2018, vol. 2018- 2017, 2017, vol. 2018-Janua, pp. 2160–2167, doi:
Janua, pp. 157–162, doi: 10.1109/IACS.2018.8355459. 10.1109/BigData.2017.8258164.
[269] X. Wang, J. S. Wong, F. Stanley, and S. Basu, “Cross-layer [284] X. Q. Zhang and C. H. Gu, “CH-SVM based network anomaly
based anomaly detection in wireless mesh networks,” in detection,” in Proceedings of the Sixth International Conference
Proceedings - 2009 9th Annual International Symposium on on Machine Learning and Cybernetics, ICMLC 2007, 2007, vol.
Applications and the Internet, SAINT 2009, 2009, pp. 9–15, doi: 6, pp. 3261–3266, doi: 10.1109/ICMLC.2007.4370710.
10.1109/SAINT.2009.11. [285] D. Li, D. Chen, B. Jin, L. Shi, J. Goh, and S. K. Ng, “MAD-
[270] K. Alrawashdeh and C. Purdy, “Reducing calculation GAN: Multivariate Anomaly Detection for Time Series Data
requirements in FPGA implementation of deep learning with Generative Adversarial Networks,” in Lecture Notes in
algorithms for online anomaly intrusion detection,” in Computer Science (including subseries Lecture Notes in
Proceedings of the IEEE National Aerospace Electronics Artificial Intelligence and Lecture Notes in Bioinformatics),
Conference, NAECON, 2018, vol. 2017-June, pp. 57–62, doi: 2019, vol. 11730 LNCS, pp. 703–716, doi: 10.1007/978-3-030-
10.1109/NAECON.2017.8268745. 30490-4_56.
[271] R. Kumari, Sheetanshu, M. K. Singh, R. Jha, and N. K. Singh, [286] T. Sipola, A. Juvonen, and J. Lehtonen, “Anomaly detection
“Anomaly detection in network traffic using K-mean clustering,” from network logs using diffusion maps,” in IFIP Advances in
in 2016 3rd International Conference on Recent Advances in Information and Communication Technology, 2011, vol. 363
Information Technology, RAIT 2016, 2016, pp. 387–393, doi: AICT, no. PART 1, pp. 172–181, doi: 10.1007/978-3-642-
10.1109/RAIT.2016.7507933. 23957-1_20.
[272] P. Mulinka and P. Casas, “Stream-based machine learning for [287] M. Zhu, K. Ye, Y. Wang, and C. Z. Xu, “A deep learning
network security and anomaly detection,” in Big-DAMA 2018 - approach for network anomaly detection based on AMF-LSTM,”
Proceedings of the 2018 Workshop on Big Data Analytics and in Lecture Notes in Computer Science (including subseries
Machine Learning for Data Communication Networks, Part of Lecture Notes in Artificial Intelligence and Lecture Notes in
SIGCOMM 2018, Aug. 2018, pp. 1–7, doi: Bioinformatics), 2018, vol. 11276 LNCS, pp. 137–141, doi:
10.1145/3229607.3229612. 10.1007/978-3-030-05677-3_13.
[273] T. Ahmed, M. Coates, and A. Lakhina, “Multivariate Online [288] B. Shah and B. H. Trivedi, “Reducing features of KDD CUP
Anomaly Detection Using Kernel Recursive Least Squares.” 1999 dataset for anomaly detection using back propagation
[274] V. L. Cao, M. Nicolau, and J. McDermott, “A hybrid neural network,” in International Conference on Advanced
autoencoder and density estimation model for anomaly Computing and Communication Technologies, ACCT, 2015, vol.
detection,” in Lecture Notes in Computer Science (including 2015-April, pp. 247–251, doi: 10.1109/ACCT.2015.131.
subseries Lecture Notes in Artificial Intelligence and Lecture [289] X. Gu and H. Wang, “Online Anomaly Prediction for Robust
Notes in Bioinformatics), 2016, vol. 9921 LNCS, pp. 717–726, Cluster Systems.”
doi: 10.1007/978-3-319-45823-6_67. [290] A. Chiang, E. David, Y. J. Lee, G. Leshem, and Y. R. Yeh, “A
[275] D. Narsingyani and O. Kale, “Optimizing false positive in study on anomaly detection ensembles,” J. Appl. Log., vol. 21,
anomaly based intrusion detection using Genetic algorithm,” in pp. 1–13, 2017, doi: 10.1016/j.jal.2016.12.002.
Proceedings of the 2015 IEEE 3rd International Conference on [291] D. S. Terzi, R. Terzi, and S. Sagiroglu, “Big data analytics for
MOOCs, Innovation and Technology in Education, MITE 2015, network anomaly detection from netflow data,” in 2nd
2016, pp. 72–77, doi: 10.1109/MITE.2015.7375291. International Conference on Computer Science and
[276] M. Sabokrou, M. Fayyaz, M. Fathy, Z. Moayed, and R. Klette, Engineering, UBMK 2017, 2017, pp. 592–597, doi:
“Deep-anomaly: Fully convolutional neural network for fast 10.1109/UBMK.2017.8093473.
anomaly detection in crowded scenes,” Comput. Vis. Image [292] N. T. Van, T. N. Thinh, and L. T. Sach, “An anomaly-based
Underst., vol. 172, pp. 88–97, 2018, doi: network intrusion detection system using Deep learning,” in
10.1016/j.cviu.2018.02.006. Proceedings - 2017 International Conference on System Science
[277] R. Chalapathy, E. Toth, and S. Chawla, “Group anomaly and Engineering, ICSSE 2017, 2017, pp. 210–214, doi:
detection using deep generative models,” in Lecture Notes in 10.1109/ICSSE.2017.8030867.
Computer Science (including subseries Lecture Notes in [293] R. K. Malaiya, D. Kwon, S. C. Suh, H. Kim, I. Kim, and J. Kim,

“An Empirical Evaluation of Deep Learning for Network probabilistic calibration model,” Math. Probl. Eng., 2015, doi:
Anomaly Detection,” IEEE Access, vol. 7, pp. 140806–140817, 10.1155/2015/923792.
2019, doi: 10.1109/ACCESS.2019.2943249. [310] E. Quatrini, F. Costantino, G. Di Gravio, and R. Patriarca,
[294] D. Yao, M. Yin, J. Luo, and S. Zhang, “Network anomaly “Machine learning for anomaly detection and process phase
detection using Random Forests and entropy of traffic features,” classification to improve safety and maintenance activities,” J.
in Proceedings - 2012 4th International Conference on Manuf. Syst., vol. 56, pp. 117–132, Jul. 2020, doi:
Multimedia and Security, MINES 2012, 2012, pp. 926–929, doi: 10.1016/j.jmsy.2020.05.013.
10.1109/MINES.2012.146. [311] Y. Liu, Z. Pang, M. Karlsson, and S. Gong, “Anomaly detection
[295] S. Rajasegarar, C. Leckie, M. Palaniswami, and J. C. Bezdek, based on machine learning in IoT-based vertical plant wall for
“Quarter sphere based distributed anomaly detection in wireless indoor climate control,” Build. Environ., vol. 183, p. 107212,
sensor networks,” in IEEE International Conference on Oct. 2020, doi: 10.1016/j.buildenv.2020.107212.
Communications, 2007, pp. 3864–3869, doi: [312] P. Tang et al., “Anomaly detection in electronic invoice systems
10.1109/ICC.2007.637. based on machine learning,” Inf. Sci. (Ny)., vol. 535, pp. 172–
[296] D. Boro, B. Nongpoh, and D. K. Bhattacharyya, “Anomaly 186, Oct. 2020, doi: 10.1016/j.ins.2020.03.089.
based intrusion detection using meta ensemble classifier,” in [313] I. G. A. Poornima and B. Paramasivan, “Anomaly detection in
Proceedings of the 5th International Conference on Security of wireless sensor network using machine learning algorithm,”
Information and Networks, SIN’12, 2012, pp. 143–147, doi: Comput. Commun., vol. 151, pp. 331–337, Feb. 2020, doi:
10.1145/2388576.2388596. 10.1016/j.comcom.2020.01.005.
[297] F. Yihunie, E. Abdelfattah, and A. Regmi, “Applying Machine [314] G. Pu, L. Wang, J. Shen, and F. Dong, “A hybrid unsupervised
Learning to Anomaly-Based Intrusion Detection Systems,” May clustering-based anomaly detection method,” Tsinghua Sci.
2019, doi: 10.1109/LISAT.2019.8817340. Technol., vol. 26, no. 2, pp. 146–153, Apr. 2021, doi:
[298] L. Bontemps, V. L. Cao, J. McDermott, and N. A. Le-Khac, 10.26599/TST.2019.9010051.
“Collective anomaly detection based on long short-term memory [315] A. N. Huy, V. N. Tam, I. K. Dong, and D. Choi, “Network
recurrent neural networks,” in Lecture Notes in Computer traffic anomalies detection and identification with flow
Science (including subseries Lecture Notes in Artificial monitoring,” 2008, doi: 10.1109/WOCN.2008.4542524.
Intelligence and Lecture Notes in Bioinformatics), 2016, vol. [316] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, Network
10018 LNCS, pp. 141–152, doi: 10.1007/978-3-319-48057-2_9. Traffic Anomaly Detection and Prevention. 2017.
[299] I. Alrashdi, A. Alqazzaz, E. Aloufi, R. Alharthi, M. Zohdy, and [317] X. Lu, P. Liu, and J. Lin, “Network traffic anomaly detection
H. Ming, “AD-IoT: Anomaly detection of IoT cyberattacks in based on information gain and deep learning,” in ACM
smart city using machine learning,” in 2019 IEEE 9th Annual International Conference Proceeding Series, Apr. 2019, pp. 11–
Computing and Communication Workshop and Conference, 15, doi: 10.1145/3325917.3325946.
CCWC 2019, 2019, pp. 305–310, doi: [318] Y. Gu, A. McCallum, and D. Towsley, “Detecting anomalies in
10.1109/CCWC.2019.8666450. network traffic using maximum entropy estimation,” 2005, doi:
[300] S. Rayana and L. Akoglu, “Less is more: Building selective 10.1145/1330107.1330148.
anomaly ensembles,” ACM Trans. Knowl. Discov. Data, vol. 10,
no. 4, May 2016, doi: 10.1145/2890508.
[301] D. Damopoulos, G. Kambourakis, and G. Portokalidis, “The best
of both worlds. A framework for the synergistic operation of
host and cloud anomaly-based IDS for smartphones,” 2014, doi:
10.1145/2592791.2592797.
[302] D. Ippoliti and X. Zhou, “A-GHSOM: An adaptive growing
hierarchical self organizing map for network anomaly
detection,” J. Parallel Distrib. Comput., vol. 72, no. 12, pp.
1576–1590, 2012, doi: 10.1016/j.jpdc.2012.09.004.
[303] D. Cozzolino and L. Verdoliva, “Single-image splicing
localization through autoencoder-based anomaly detection,”
2017, doi: 10.1109/WIFS.2016.7823921.
[304] M. Al-Subaie and M. Zulkernine, “Efficacy of Hidden Markov
Models over neural networks in anomaly intrusion detection,” in
Proceedings - International Computer Software and
Applications Conference, 2006, vol. 1, pp. 325–332, doi:
10.1109/COMPSAC.2006.40.
[305] R. Fujimaki, T. Yairi, and K. Machida, “An approach to
spacecraft anomaly detection problem using Kernel Feature
Space,” in Proceedings of the ACM SIGKDD International
Conference on Knowledge Discovery and Data Mining, 2005,
pp. 401–410, doi: 10.1145/1081870.1081917.
[306] I. Khokhlov, M. Perez, and L. Reznik, “Machine learning in
anomaly detection: Example of colluded applications attack in
android devices,” in Proceedings - 18th IEEE International
Conference on Machine Learning and Applications, ICMLA
2019, 2019, pp. 1328–1333, doi: 10.1109/ICMLA.2019.00216.
[307] A. Selvaraj, R. Patan, A. H. Gandomi, G. G. Deverajan, and M.
Pushparaj, “Optimal virtual machine selection for anomaly
detection using a swarm intelligence approach,” Appl. Soft
Comput. J., vol. 84, 2019, doi: 10.1016/j.asoc.2019.105686.
[308] R. Punmiya, O. Zyabkina, S. Choe, and J. Meyer, “Anomaly
detection in power quality measurements using proximity-based
unsupervised machine learning techniques,” 2019, doi:
10.1109/PQ.2019.8818236.
[309] Y. Li, X. Luo, Y. Qian, and X. Zhao, “Network-wide traffic
anomaly detection and localization based on robust multivariate
