Machine Learning For Anomaly Detection A Systemati
fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3083060, IEEE Access
ABSTRACT Anomaly detection has been used for decades to identify and extract anomalous components
from data. Many techniques have been used to detect anomalies. One of the increasingly significant
techniques is Machine Learning (ML), which plays an important role in this area. In this research paper,
we conduct a Systematic Literature Review (SLR) which analyzes ML models that detect anomalies in
their application. Our review analyzes the models from four perspectives: the applications of anomaly
detection, ML techniques, performance metrics for ML models, and the classification of anomaly
detection. In our review, we have identified 290 research articles, written from 2000-2020, that discuss ML
techniques for anomaly detection. After analyzing the selected research articles, we present 43 different
applications of anomaly detection found in the selected research articles. Moreover, we identify 29 distinct
ML models used in the identification of anomalies. Finally, we present 22 different datasets that are
applied in experiments on anomaly detection, as well as many other general datasets. In addition, we
observe that unsupervised anomaly detection has been adopted by researchers more than other
classification anomaly detection systems. Detection of anomalies using ML models is a promising area of
research, and there are a lot of ML models that have been implemented by researchers. Therefore, we
provide researchers with recommendations and guidelines based on this review.
INDEX TERMS Anomaly Detection, Machine Learning, Security and Privacy Protection.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3083060, IEEE Access
longitude and latitude of a location are contextual attributes in spatial datasets. Moreover, time is a contextual attribute in time series data that determines an instance’s position on the entire sequence. The second kind is the behavioral attributes, which define an instance’s noncontextual features. For example, the amount of rainfall that occurs at any location in a spatial dataset describing the world’s average rainfall is a behavioral attribute.

The preference for using the technique of contextual anomaly detection is determined by the significance of the contextual abnormalities in the target area. The availability of qualitative attributes is another significant aspect. In some instances, it is easy to identify a context, and thus it makes sense to apply a contextual detection technique. In other instances, it is not possible to establish a context, so such methods are difficult to use.

3. Collective anomalies: If a set of associated data instances is anomalous for the entire dataset, it is called a collective anomaly.

Statistical anomaly detection techniques are some of the oldest algorithms used to detect anomalies [10]. Statistical methods build a statistical model for the ordinary behavior of the data provided. A statistical inference test may then be carried out to detect whether or not an instance belongs to this model. Several methods are used to conduct statistical anomaly detection [11]. This includes proximity based, parametric, non-parametric, and semi-parametric methods.

Machine learning (ML) techniques are increasingly being used as one of the approaches to detect anomalies. ML is the effort to “automate the process of knowledge acquisition from examples” [12]. The technique is used to build a model that distinguishes between ordinary and abnormal classes. Anomaly detection can therefore be split into three broad categories based on the training data used to build the model. The three broad classes are [1], [13]:

• Supervised anomaly detection: In this class, both the normal and anomalous training datasets contain labeled instances. In this model, the approach is to build a predictive model for both anomaly and normal classes and then compare these two models. However, in this mode, two issues occur. First, the number of anomalies in the training set is much lower when compared with normal instances. Second, precise and representative labels are challenging to identify, particularly for the anomaly class.

• Semi-supervised anomaly detection: Training here includes only ordinary class cases. Therefore, anything that cannot be classified as ordinary is marked as anomalous. Semi-supervised techniques presume that training data have labeled instances for the normal class alone. Since they do not need anomaly class labels, they are more common than supervised methods.

• Unsupervised anomaly detection: In this case, training datasets are not required for the methods. Therefore, those methods implicitly assume that normal instances are much more common than anomalies in test datasets. However, if the assumption fails, it leads to a high false alarm rate for this technique.

Many semi-supervised techniques can be adapted to operate in an unsupervised mode by using unlabeled dataset samples as training data. Such adaptation assumes that there are very few anomalies in the test data and that the model learned during training is robust to these few anomalies.

This study’s primary objective is to conduct a systematic review that represents a comprehensive study of ML techniques for anomaly detection and their applications. Moreover, this review studies the accuracy of the ML models and the percentage of research papers that apply supervised, semi-supervised, or unsupervised anomaly detection classification. We believe that this review will enable researchers to have a better understanding of the different anomaly detection methods and guide them in reviewing the recent research done on this subject.

To the best of our knowledge, there are very few Systematic Literature Reviews (SLR) on detecting anomalies through machine learning techniques, which has motivated this work. Research articles were read thoughtfully and were selected, based on Kitchenham and Charters’ methodology [14], with regard to (i) the main prediction research work done in anomaly detection, (ii) the ML algorithms used in anomaly detection, (iii) the estimation and accuracy of ML models proposed, and (iv) the strength and weaknesses of the ML technique used.

The remainder of this paper is divided into six sections: Section 2 provides information on related work. Section 3 describes the methodology used in this research. Section 4 lists the results and discussions. Section 5 addresses the limitations of this review. Finally, Section 6 contains a discussion and suggestions for future work.

A. Literature Review
Detection of anomalies is an important issue that has been investigated in various fields of study and implementation. Many detection methods for anomalies have been created specifically for certain applications, while others are more generic. For example, Chandola et al. [1] provided an extensive survey of anomaly detection techniques and applications. A broad review of different techniques of machine learning as well as non-machine learning, such as statistical and spectral detection methods, was discussed in detail. Moreover, the survey presents several applications of anomaly detection. Examples include cyber intrusion detection, fraud detection, medical anomaly detection, industrial damage detection, image processing detection,
textual anomaly detection, and sensor networks. The same authors introduced another survey [10] on the topic of anomaly detection for discrete sequence. The authors provided a comprehensive and structured overview of the existing research on the problem of detecting anomalies in discrete/symbolic sequences. In addition, Hodge and Austin [15] presented an overall study of machine learning and statistical anomaly detection methodologies. Also, the authors discussed comparatively the advantages and disadvantages of each method. On the other hand, Agrawal and Agrawal [8] proposed a survey on anomaly detection using data mining techniques.

Several surveys were mainly focused on detecting anomalies in specific domains and applications, such as [16] where the authors presented an overall survey of wide clustering based fraud detection and also compared those techniques from several perspectives. In addition, Sodemann et al. [17] presented anomaly detection in automated surveillance, where they provided different models and classification algorithms. The authors examined research studies according to the problem domain, approach, and method. Moreover, Zuo [18] provided a survey of the three most widely used techniques of anomaly detection in the field of geochemical data processing: fractal/multi-fractal models, compositional data analysis, and machine learning (ML), but the author focuses mainly on machine learning techniques. On the other hand, He et al. [19] surveyed the framework of log based anomaly detection. The authors reviewed six representative anomaly detection methods and evaluated each one. The authors also compared and contrasted the precision and effectiveness of two representative datasets of the production log. Furthermore, Ibidunmoye et al. [20] provided an overview of anomaly detection and bottleneck identification as they related to the performance of computing systems. The authors identified the fundamental elements of the problem and then classified the existing solutions.

Anomaly intrusion detection was the focus of many researchers. For instance, Yu [21] presented a comprehensive study on anomaly intrusion detection techniques such as statistical, machine learning, neural networks, and data mining detection techniques. Also, Tsai et al. [22] reviewed intrusion detection, but the authors focused on machine learning techniques. They provided an overview of machine learning techniques designed to solve intrusion detection problems written between 2000 and 2007. Moreover, the authors compared related work based on the types of classifier design, dataset, and other metrics. Similarly, Patcha and Park [23] presented an extensive study of anomaly detection and intrusion detection techniques, and Buczak and Guven [24] surveyed machine learning and data mining methods for cyber intrusion detection. They provided a description of each method and addressed the challenges of using machine learning and data mining in cyber security. Finally, Satpute et al. [25] presented a combination of various machine learning techniques with particle swarm optimization to improve the efficiency of detecting anomalies in network intrusion systems.

The detection of network anomalies has been an important area of research [26], [27]. Therefore, many surveys focused on that topic. For example, Bhuyan et al. [11] presented a comprehensive study of network anomaly detection. They identified the kinds of attacks that are usually encountered by intrusion detection systems and then described and compared the effectiveness of different anomaly detection methods. In addition, the authors discussed network defenders’ tools. Similarly, Gogoi et al. [7] surveyed an extensive study of well-known distance based, density based techniques as well as supervised and unsupervised learning in network anomaly detection. On the other hand, Kwon et al. [28] mainly focused on deep learning techniques, such as restricted Boltzmann machine based deep belief networks, deep recurrent neural networks, as well as machine learning methods appropriate to network anomaly detection. In addition, the authors presented experiments that demonstrated the practicality of using deep learning techniques in network traffic analysis.

Our systematic review is different from those described above, as we are presenting an extensive research study on detecting anomalies through machine learning techniques. Table 6 in Appendix A summarizes the related work and displays the differences between it and our work.

Our study differs from the related work in various aspects, such as:
1. Machine learning techniques are included, and the model types of techniques include supervised, semi-supervised, or unsupervised anomaly detection.
2. Precision comparison of each technique
3. A comprehensive approach is presented which includes the advantages and disadvantages of each technique.
4. Covers the period from 2000 to 2020, which is quite recent.

II. METHODOLOGY
In this study, we conducted a Systematic Literature Review (SLR) based on Kitchenham and Charters’ methodology [14]. The method includes the stages of planning and conducting research, and reporting. There are several phases in each stage. The planning phase is divided into six different stages. The first stage is to identify study questions that are based on the review's objectives. The second stage, in relation to specifying the proper search terms, is developing the search strategy for collecting research papers related to the topic that fulfill the research questions. The third stage is to identify the study selection procedures, which include the exclusion and inclusion rules. In the fourth stage, rules are identified for quality assessment to be used to filter the collected study papers. The fifth stage involves detailing an
extraction strategy to answer the research questions that were specified before. Finally, the sixth stage involves synthesizing the data obtained. We followed the review protocol, and this is demonstrated in the following subsections.

Error! Reference source not found. below illustrates this

inclusive. The following four research questions (RQs) are raised for this purpose:

1. RQ1: What is the main prediction about research work done in anomaly detection?
RQ1 aims to identify the prediction research work that is done in anomaly detection, whether the prediction is an ML.
2. RQ2: What kinds of ML algorithms are being applied in anomaly detection?
RQ2 aims at specifying the ML methods that have been applied in the detection of anomalies.
3. RQ3: What is the overall estimation and accuracy of machine learning models?
RQ3 is concerned with ML model estimation. Estimation accuracy is the main performance metric for models of ML. This question focuses on the following three elements of estimation accuracy: dataset building, performance metric, and accuracy value.
4. RQ4: What is the percentage of papers that address unsupervised, semi-supervised, or supervised anomaly detection?
RQ4 aims to present the percentage of collected research papers that use unsupervised, semi-supervised, or supervised anomaly detection techniques.
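
The training modes that RQ4 counts differ in what the detector is allowed to learn from, and the introduction notes that an unsupervised detector produces a high false alarm rate once normal instances stop being the majority. The following Python code is an added example, not code from the paper: it fits a median/MAD profile (a detector chosen here for illustration) to constructed "bytes per flow" values and scores the same labelled test set after training on normal-only data, on unlabeled data with 2% anomalies, and on unlabeled data with 70% anomalies. All names, distributions and thresholds are assumptions made for the example.

```python
import random
import statistics

# Constructed data model (an assumption for this example): normal flows carry
# about 500 bytes, anomalous flows about 900 bytes, both with spread 50.
NORMAL_MEAN, ANOMALY_MEAN, SPREAD = 500.0, 900.0, 50.0


def make_sample(rng, n, anomaly_fraction):
    """Return n shuffled (value, is_anomaly) pairs with the given anomaly share."""
    n_anom = round(n * anomaly_fraction)
    sample = [(rng.gauss(ANOMALY_MEAN, SPREAD), True) for _ in range(n_anom)]
    sample += [(rng.gauss(NORMAL_MEAN, SPREAD), False) for _ in range(n - n_anom)]
    rng.shuffle(sample)
    return sample


def fit(values):
    """Learn a robust profile: the median and the MAD scaled to a std estimate."""
    center = statistics.median(values)
    mad = statistics.median([abs(v - center) for v in values])
    return center, 1.4826 * mad


def is_flagged(model, value, k=3.0):
    """Flag a value lying more than k scaled MADs from the learned center."""
    center, scale = model
    return abs(value - center) > k * scale


def evaluate(model, labelled):
    """Return (detection rate, false alarm rate) on labelled test data."""
    tp = fp = pos = neg = 0
    for value, is_anomaly in labelled:
        flagged = is_flagged(model, value)
        if is_anomaly:
            pos += 1
            tp += flagged
        else:
            neg += 1
            fp += flagged
    return tp / pos, fp / neg


def run_experiment(seed=7):
    """Train the same detector under three regimes and score one test set."""
    rng = random.Random(seed)
    test = make_sample(rng, 2000, 0.05)  # labels are used only for scoring
    regimes = (
        ("normal_only", 0.0),       # semi-supervised: training is known-normal
        ("unlabeled_2pct", 0.02),   # unsupervised, assumption holds
        ("unlabeled_70pct", 0.70),  # unsupervised, normal is no longer the majority
    )
    results = {}
    for name, fraction in regimes:
        # The detector never sees the labels of its training data.
        train = [value for value, _ in make_sample(rng, 2000, fraction)]
        results[name] = evaluate(fit(train), test)
    return results


if __name__ == "__main__":
    for name, (detection, false_alarm) in run_experiment().items():
        print(f"{name:16s} detection={detection:.3f} false_alarm={false_alarm:.3f}")
```

With 2% contamination the learned profile barely moves, so the detector behaves like the normal-only one; with 70% contamination it learns the anomalous traffic as its baseline, flags almost every normal flow and misses the anomalies.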
B. Search Strategy
C. Study Selection
Consider articles published between 2000 and 2019.

Step 3: Remove review papers from the collected papers.
Step 4: Apply quality assessment rules to include only the qualified papers that ensure the best answer for our research questions.
Step 5: Search for additional related papers from references in the collected papers from step 4 and repeat step 4 on the new added articles.

The applied inclusion and exclusion criteria in this review are discussed in Table 1. In the end, after conducting the filtration steps, 290 papers were observed for this review.

D. Quality Assessment Rules (QARs)
The QARs were the final step in the identification of the final list of papers to be included in this review. The QARs are essential to guaranteeing and assessing the quality of the research papers. Therefore, 10 QARs are identified and each is given a value of 1 mark out of 10. The score of each QAR is selected as follows: “fully answered” = 1, “above average” = 0.75, “average” = 0.5, “below average” = 0.25, “not answered” = 0. The summation of the marks obtained for the 10 QARs is the score of the article. Moreover, if the result is 5 or higher, we consider the article; otherwise, we exclude it. Moreover, we choose the score 5 as it represents the middle point of the good quality articles and it answers our intended research questions.

QAR1: Are the study objectives clearly recognized?
QAR2: Are the anomaly detection techniques well defined and deliberated?
Table 2. Selected Papers’ Quality Assessment Results
Result No. of papers Paper ID
3.5 1 A217 (Discarded)
4.75 1 A24 (Discarded)
5 6 A12, A43, A127, A163, A192, A208
5.25 1 A205
5.5 3 A141, A166, A201
5.75 4 A68, A147, A178, A195
6 6 A118, A173, A175, A183, A259, A278
6.25 8 A32, A134, A168, A187, A197, A28, A248, A282
6.5 7 A13, A25, A31, A33, A122, A174, A211
6.75 10 A11, A21, A22, A35, A36, A56, A57, A144, A186, A238
7 12 A3, A4, A30, A44, A62, A74, A77, A130, A140, A176, A200, A242
7.25 14 A26, A29, A58, A66, A67, A75, A101, A157, A224, A226, A227, A231, A266, A269
7.5 12 A20, A61, A72, A138, A142, A148, A153, A213, A244, A272, A280, A283
7.75 16 A1, A7, A19, A23, A41, A48, A53, A73, A135, A177, A181, A240, A261, A275, A281, A285
8 11 A27, A70, A92, A94, A105, A112, A164, A176, A185, A188, A268
8.25 16 A8, A16, A49, A76, A96, A149, A156, A169, A171, A182, A193, A207, A233, A267, A271, A286
8.5 23 A2, A9, A10, A18, A40, A42, A51, A52, A59, A60, A63, A64, A83, A124, A139, A143, A150, A161, A170, A184, A203, A243, A255
8.75 31 A103, A109, A123, A126, A136, A14, A146, A17, A189, A209, A212, A215, A225, A229, A234, A250, A260, A263, A279, A38, A39, A45, A46, A47, A5, A54, A71, A79, A82, A95, A99
9 32 A100, A106, A117, A120, A133, A137, A145, A15, A155, A159, A165, A180, A214, A219, A228, A230, A246, A251, A252, A265, A276, A284, A34, A37, A50, A55, A65, A86, A89, A91, A93, A98
9.25 23 A104, A107, A108, A113, A114, A115, A125, A128, A129, A160, A191, A198, A223, A239, A247, A249, A258, A6, A78, A80, A81, A84, A85
9.5 23 A110, A116, A131, A154, A158, A162, A190, A194, A204, A206, A216, A218, A220, A221, A222, A254, A262, A273, A69, A87, A90, A97, A287
9.75 20 A102, A111, A119, A121, A132, A167, A172, A196, A199, A202, A232, A235, A237, A241, A257, A264, A270, A274, A88, A289
10 10 A151, A152, A210, A236, A245, A253, A256, A277, A288, A290
QAR3: Is the specific application of anomaly detection clearly defined?
QAR4: Does the paper cover practical experiments using the proposed technique?
QAR5: Are the experiments well designed and justifiable?
QAR6: Are the experiments applied on sufficient datasets?
QAR7: Are estimation accuracy criteria reported?
QAR8: Is the proposed estimation method compared with other methods?
QAR9: Are the techniques of analyzing the outcomes suitable?
QAR10: Overall, does the study enrich the academic community or industry?

E. Data Extraction Strategy
In this step, our aim was to analyze the final list of papers to extract the required information for answering the four research questions. Consequently, we extracted the following information from each paper: paper number, title of the paper, publication year of the paper, publication type, anomaly application type, RQ1, RQ2, RQ3, and RQ4. Due to the unstructured nature of information, extraction was challenging. For instance, for associated methods such as “J48” or “C4.5,” researchers would use distinct terminologies. It is essential to note that the four research questions were not answered by all papers.

F. Synthesis of Extracted Data
In order to synthesize the information obtained from the chosen papers, we used various processes to aggregate evidence to answer the RQs. The following describes in detail the method of synthesis we followed: We used the technique of narrative synthesis to tabulate the information obtained in accordance with RQ1 and RQ2. We use binary
often in the anomaly detection area. In addition, the table contains comprehensive information on the frequency with which anomaly detection application is used by the selected articles.

Moreover, the review shows that researchers began to adopt more applications of anomaly detection between 2011 and 2020. For further information on results, Figure 2 illustrates the distribution of anomaly detection application per year during the period considered.

B. Types of Machine Learning Techniques
In this section, we address RQ2, which aims at specifying the machine learning techniques that have been used to detect anomalies between 2000 and 2020.

As a fundamental point of this review, the most frequently used ML methods in anomaly detection are identified along with an evaluation of these methods. The evaluation of the methods considers all the phases of the method’s experiment, such as the feature selection phase, extraction phase, etc.

As shown in Figure 3, we identified 28 ML techniques that had been applied by researchers in the development of models to detect anomalies on their application. These techniques can be divided into six categories: classification, ensemble, optimization, rule system, clustering, and regression. Those ML techniques are used in two forms: standalone or hybrid models. Hybrid models are obtained by combining two or more ML techniques. Table 4 represents the frequency of ML techniques among the collected research articles. According to Table 4 in Appendix A, it can be seen that many researchers combined more than one ML technique. This includes A2 (DBN with one class SVM), A23 (SVM with GA), and A14 (SVM with K-Medoids clustering). Moreover, SVM is the most used technique as either standalone or in hybrid models.

Feature selection/extraction has been explored extensively in the literature and it is a significant step towards discarding irrelevant data, which helps to enhance and improve the precision and computational efficiency of the suggested models. Figure 4 demonstrates 21 different feature selection/extraction techniques that are being applied. Moreover, we notice that PCA and CFS are the feature selection techniques being used most often in anomaly detection. Even though this step is very important, most of the research articles did not include it. While some research articles did apply this step, the techniques were not discussed.
used real life dataset as training or testing datasets for their models. Lastly, in RQ4 we counted the classification type of anomaly detection used in selected research articles. We found that 27% of the selected papers applied unsupervised anomaly detection type, making it the most used approach among the research articles. The next most utilized approach was applied supervised anomaly detection, at 18%, followed by 7% of the papers which applied both supervised and unsupervised anomaly detection classification.

Based on this review, we recommend that researchers conduct more research on ML studies of anomaly detection to gain more evidence on ML model performance and efficiency. Moreover, researchers are also encouraged to create a general structure for introducing experiments on ML models. Moreover, since we found research papers that did not mention feature selection/extraction type, this field is important for improvement. Furthermore, some of the research papers reported their results using one performance metric, such as accuracy, which needs more improvement and more consideration. We also noticed that several researchers used old databases in conducting their research. We recommend researchers use more recent datasets.

ACKNOWLEDGMENT
The corresponding author Dr. Ali Bou Nassif and co-authors would like to thank the University of Sharjah and OpenUAE Research and Development Group for funding this research study. We are also grateful to our research assistants who helped in collecting, summarizing, and analyzing the research articles for this SLR study.

“Conflict of Interest: The authors declare that they have no competing interests”.
“Informed consent: This study does not involve any experiments on animals or humans”.

Authors’ information

ALI BOU NASSIF is currently the Assistant Dean of Graduate Studies at the University of Sharjah, UAE. Ali is also an Associate Professor in the department of Computer Engineering, as well as an Adjunct Research Professor at Western University, Canada. He obtained a Master’s degree in Computer Science and a Ph.D. degree in Electrical and Computer Engineering from Western University, Canada in 2009 and 2012, respectively. Ali’s research interests include the applications of statistical and artificial intelligence models in different areas such as software engineering, electrical engineering, e-learning, security, networking, signal processing and social media. Ali has published more than 65 refereed conference and journal papers. Ali is a registered professional engineer (P.Eng) in Ontario, as well as a member of IEEE Computer Society.

MANAR ABU TALIB is teaching at the University of Sharjah in the UAE. Dr. Abu Talib’s research interest includes software engineering with substantial experience and knowledge in conducting research in software measurement, software quality, software testing, ISO 27001 for Information Security and Open Source Software. Manar is also working on ISO standards for measuring the functional size of software and has been involved in developing the Arabic version of ISO 19761 (COSMIC-FFP measurement method). She published more than 50 refereed conferences, journals, manuals and technical reports. She is the ArabWIC VP of Chapters in Arab Women in Computing Association (ArabWIC), Google Women Tech Maker Lead, Co-coordinator of OpenUAE Research & Development Group and the International Collaborator to Software Engineering Research Laboratory in Montreal, Canada.

QASSIM NASIR is currently an associate professor at the University of Sharjah since 2009 and the chairman of scientific publishing unit. Dr. Nasir’s current research interests are in telecommunication and network security such as in CPS, IoT. He also conducts research in drone and GPS jamming as well. He is a co-coordinator in OpenUAE research group which focuses on blockchain performance and security, and the use of artificial intelligence in security applications. Prior to joining the University of Sharjah, Dr. Nasir was working with Nortel Networks, Canada, as a senior system designer in the network management group for OC-192 SONET. Dr. Nasir was visiting professor at Helsinki University of Technology, Finland, during the summers of 2002 to 2009, and GIPSA lab, Grenoble France to work on a Joint research project on “MAC protocol and MIMO” and “Sensor Networks and MIMO” research projects. Dr. Nasir has published over 90 refereed conferences, journals, book chapter, and technical reports.
FATIMA DAKALBAB is a student pursuing her MSc. in Computer Science and a graduate research assistant at the University of Sharjah in the UAE. Fatima earned her bachelor’s degree in information technology Multimedia with a 3.92/4 GPA. She is currently working as a graduate research assistant in OpenUAE Research and Development Group. Her interest in research includes conducting systematic literature review research study on inter-blockchain communication, Internet of things (IoT), and Machine learning in anomaly detection. Moreover, Fatima is currently a member of the Sharjah Google Developer Group (GDG) and Arab Women in Computing Association (ArabWIC) since 2016. In addition to being an Events & Workshops Co-Coordinator in the student chapter in UAE for Association for Computing Machinery (ACM).
APPENDIX
identified various types of common anomalies and the techniques and strategies for detecting them.
estimation accuracy of each ML model as well as the type of anomaly detection used.

[16] 2015
In this survey, the authors review various clustering-based anomaly detection techniques and they provide a comparison between the techniques.
It covers the techniques of fraud detection in particular. Our work is more general, and it includes an estimation of the accuracy of each ML model as well as the type of anomaly detection used.

[8] 2015
Data mining methods are presented in this survey under four task classes: learning association rule, clustering, classification, and regression.
It includes various anomaly detection methods that focus on data mining methods.

[19] 2016
The authors provide six techniques for identification of anomalies in this survey. They compare their accuracy and effectiveness. They also published an open-source toolkit of the techniques used for identification of anomalies that were discussed in the survey.
It covers anomaly detection in system log analysis in particular. In contrast, our work is more general, and it includes an estimation of the accuracy of each ML model as well as the type of anomaly detection.

[24] 2016
This article includes an extensive overview of the techniques of machine learning and data mining for intrusion detection cyber analytics, discussions, difficulties and some recommendations.
It includes both machine learning and intrusion detection methods, but…our research…

[18] 2017
The authors present the methods of machine learning that define geochemical anomalies in this survey. In addition, the survey discusses techniques of analysis such as principal component analysis (PCA) and the analysis of the factor.
It covers geochemical anomalies in particular. However, our work is more general, and focuses on ML techniques and their performance.

[28] 2017
The authors present an overview of methods of detection of anomalies and deep learning techniques in this survey. They also address the feasibility of using deep learning to detect network anomalies.
It includes deep learning methods for detecting anomalies in network intrusion systems, while our research…

[29] 2018
In this survey, the authors examine the most significant elements of anomaly detection in five areas: anomalies in network traffic, types of network data, and categories of intrusion detection technologies, techniques and systems detection, and open issues of unresolved problems.
It covers network anomaly detection in particular. Our work is more general and includes an estimation of the accuracy of each ML model as well as the type of anomaly detection.

[30] 2018
In this survey, the authors present a comprehensive understanding of anomaly detection techniques to ensure both the cyber security and safety of connected vehicles. In addition, they researched 65 research articles and established a novel taxonomy, then classified the articles.
It includes the detection of anomalies for cyber security and safety of connected vehicles. On the other hand, our work is more general, including the accuracy of evaluation of each ML model, as well as the type of identification of anomalies.

[9] 2019
In this survey, the authors present an explanation of important contexts of real-time big data processing, detection of anomalies, and machine learning algorithms. They acknowledge the real-time big data processing research challenges in detecting anomalies.
It includes the detection of anomalies in the real-time processing of big data. In contrast, our work is more general, and it includes an estimation of the accuracy of each ML model as well as the type of anomaly detection.
A41 "Unsupervised real-time anomaly detection for streaming data" Jour. 2017 [69]
A42 "Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model" Jour. 2017 [70]
A43 "MADAM: A Multi-level Anomaly Detector for Android Malware" Conf. 2012 [71]
A44 "Anomaly Detection Through a Bayesian Support Vector Machine" Jour. 2010 [72]
A45 "Sleep stage classification using unsupervised feature learning" Jour. 2012 [73]
A46 "Toward a more practical unsupervised anomaly detection system" Jour. 2011 [74]
A47 "A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks" Jour. 2017 [75]
A48 "An autonomous labeling approach to support vector machines algorithms for network traffic anomaly detection" Jour. 2011 [76]
A49 "Anomaly Detection in GPS Data Based on Visual Analytics" Conf. 2010 [77]
A50 "A data mining approach for fault diagnosis: An application of anomaly detection algorithm" Jour. 2014 [78]
A51 "Systematic construction of anomaly detection benchmarks from real data" Jour. 2013 [79]
A52 "Anomaly detection in streaming environmental sensor data: A data-driven modeling approach" Jour. 2009 [80]
A53 "Anomaly Detection in Medical Wireless Sensor Networks using Machine Learning Algorithms" Conf. 2015 [81]
A54 "Anomaly intrusion detection based on PLS feature extraction and core vector machine" Jour. 2012 [82]
A55 "Transferred Deep Learning for Anomaly Detection in Hyperspectral Imagery" Jour. 2017 [83]
A56 "A close look on n-grams in intrusion detection: anomaly detection vs. classification" Conf. 2013 [84]
A57 "Robust tensor subspace learning for anomaly detection" Jour. 2011 [85]
A58 "Anomaly Detection with Robust Deep Autoencoders" Conf. 2017 [86]
A59 "UBL: unsupervised behavior learning for predicting performance anomalies in virtualized cloud systems" Conf. 2012 [87]
A60 "Direct Robust Matrix Factorizatoin for Anomaly Detection" Conf. 2011 [88]
A61 "Anomaly Detection via Online Oversampling Principal Component Analysis" Jour. 2012 [89]
A62 "Generic and Scalable Framework for Automated Time-series Anomaly Detection" Conf. 2015 [90]
A63 "Sensor fault and patient anomaly detection and classification in medical wireless sensor networks" Conf. 2013 [91]
A64 "Anomaly Detection for Hyperspectral Images Based on Robust Locally Linear Embedding" Jour. 2010 [92]
A65 "A Robust Nonlinear Hyperspectral Anomaly Detection Approach" Jour. 2014 [93]
A66 "Anomaly detection based on eccentricity analysis" Conf. 2014 [94]
A67 "Data stream anomaly detection through principal subspace tracking" Jour. 2010 [95]
A68 "A Neural Network Based Anomaly Intrusion Detection System" Conf. 2011 [96]
A69 "Network anomaly detection through nonlinear analysis" Jour. 2010 [97]
A70 "Frequency-based anomaly detection for the automotive CAN bus" Conf. 2015 [98]
A71 "Context-Aware Activity Recognition and Anomaly Detection in Video" Conf. 2012 [99]
A72 "An Anomaly Detection Framework for Autonomic Management of Compute Cloud Systems" Conf. 2010 [100]
A73 "Anomaly detection on time series" Conf. 2010 [101]
A74 "Self-adaptive and dynamic clustering for online anomaly detection" Jour. 2011 [102]
A75 "An anomaly-based botnet detection approach for identifying stealthy botnets" Conf. 2011 [103]
A76 "Anomaly detection in ECG time signals via deep long short-term memory networks" Conf. 2015 [104]
A77 "Detecting anomalies in people’s trajectories using spectral graph analysis" Jour. 2011 [105]
A78 "Hybrid Deep-Learning-Based Anomaly Detection Scheme for Suspicious Flow Detection in SDN: A Social Multimedia Perspective" Jour. 2019 [106]
A79 "An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks" Jour. 2005 [107]
A80 "Learning classifiers for misuse and anomaly detection using a bag of system calls representation" Conf. 2005 [108]
A81 "Anomaly detection based on unsupervised niche clustering with application to network intrusion detection" Conf. 2004 [109]
A82 "A Discriminative Framework for Anomaly Detection in Large Videos" Conf. 2016 [110]
A83 "Anomaly Detection by Using CFS Subset and Neural Network with WEKA Tools" Conf. 2018 [111]
A84 "Online Learning and Sequential Anomaly Detection in Trajectories" Jour. 2013 [112]
A85 "Expected similarity estimation for large-scale batch and streaming anomaly detection" Jour. 2016 [113]
A86 "Self-Taught Anomaly Detection With Hybrid Unsupervised/Supervised Machine Learning in Optical Networks" Jour. 2019 [114]
A87 "Anomaly detection based on unsupervised niche clustering with application to network intrusion detection" Conf. 2004 [109]
A88 "Two-tier network anomaly detection model: a machine learning approach" Jour. 2015 [115]
A89 "Real-time network anomaly detection system using machine learning" Conf. 2015 [116]
A90 "Telemetry-mining: a machine learning approach to anomaly detection and fault diagnosis for space systems" Conf. 2006 [117]
A91 "Machine learning-based anomaly detection for post-silicon bug diagnosis" Conf. 2013 [118]
A92 "Improving one-class SVM for anomaly detection" Conf. 2003 [119]
A93 "Machine Learning Approach for IP-Flow Record Anomaly Detection" Conf. 2011 [120]
A94 "Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning" Conf. 2017 [121]
A95 "Network anomaly detection based on TCM-KNN algorithm" Conf. 2007 [122]
A96 "Seeing the invisible: forensic uses of anomaly detection and machine learning" Jour. 2008 [123]
A97 "Anomaly Detection in Sensor Systems Using Lightweight Machine Learning" Conf. 2013 [124]
A98 "Anomaly Detection on Shuttle data using Unsupervised Learning Techniques" Conf. 2019 [125]
A99 "Weighting technique on multi-timeline for machine learning-based anomaly detection system" Conf. 2015 [126]
A100 "Anomaly Detection for Key Performance Indicators Through Machine Learning" Conf. 2018 [127]
A101 "Unsupervised Anomaly Detection in Time Series Using LSTM-Based Autoencoders" Conf. 2019 [128]
A102 "Research and application of One-class small hypersphere support vector machine for network anomaly detection" Conf. 2011 [129]
A103 "Anomaly detection in network traffic using extreme learning machine" Conf. 2016 [130]
A104 "Deep Learning for Network Anomalies Detection" Conf. 2018 [131]
A105 "Using Immune Algorithm to Optimize Anomaly Detection Based on SVM" Conf. 2006 [132]
A106 "Detecting Anomalies in Application Performance Management System with Machine Learning Algorithms" Conf. 2019 [133]
A107 "Learning Rules and Clusters for Anomaly Detection in Network Traffic" Jour. 2015 [134]
A108 "Machine Learning for Anomaly Detection and Categorization in Multi-Cloud Environments" Conf. 2017 [135]
A109 "An Anomaly Detection Scheme Based on Machine Learning for WSN" Conf. 2009 [136]
A110 "Enhanced Network Anomaly Detection Based on Deep Neural Networks" Jour. 2018 [137]
A111 "CESVM: Centered Hyperellipsoidal Support Vector Machine Based Anomaly Detection" Conf. 2008 [138]
A112 "Anomaly Detection in Electrical Substation Circuits via Unsupervised Machine Learning" Conf. 2016 [139]
A113 "An anomaly intrusion detection method using the CSI-KNN algorithm" Conf. 2008 [140]
A114 "K-Means+ID3: A Novel Method for Supervised Anomaly Detection by Cascading K-Means Clustering and ID3 Decision Tree Learning Methods" Jour. 2007 [141]
A115 "Toward a reliable anomaly-based intrusion detection in real-world environments" Jour. 2016 [142]
A116 "Anomaly intrusion detection using one class SVM" Conf. 2004 [143]
A117 "ANTIDOTE: understanding and defending against poisoning of anomaly detectors" Conf. 2009 [144]
A118 "Network traffic anomaly detection using clustering techniques and performance comparison" Conf. 2013 [145]
A119 "Anomaly-Based Intrusion Detection using Fuzzy Rough Clustering" Conf. 2006 [146]
A120 "The Anomaly Detection by Using DBSCAN Clustering with Multiple Parameters" Conf. 2011 [147]
A121 "Anomaly detection in traffic using L1-norm minimization extreme learning machine" Jour. 2015 [148]
A122 "Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection" Conf. 2006 [149]
A123 "Web traffic anomaly detection using C-LSTM neural networks" Jour. 2018 [150]
A124 "Android anomaly detection system using machine learning classification" Conf. 2015 [148]
A125 "Anomaly Detection Using LibSVM Training Tools" Conf. 2008 [151]
A126 "Unsupervised SVM Based on p-kernels for Anomaly Detection" Conf. 2006 [152]
A127 "A Method for Anomaly Detection of User Behaviors Based on Machine Learning" Jour. 2006 [153]
A128 "Anomaly-Based Intrusion Detection Using Extreme Learning Machine and Aggregation of Network Traffic Statistics in Probability Space" Jour. 2018 [154]
A129 "Ramp loss one-class support vector machine; A robust and effective approach to anomaly detection problems" Jour. 2018 [155]
A130 "Estimation of subsurface temperature anomaly in the Indian Ocean during recent global surface warming hiatus from satellite measurements: A support vector machine approach" Jour. 2015 [156]
A131 "Anomaly Detection Model Based on Hadoop Platform and Weka Interface" Conf. 2016 [157]
A132 "Attack and anomaly detection in IoT sensors in IoT sites using machine learning approaches" Jour. 2019 [158]
A133 "Deep and Machine Learning Approaches for Anomaly-Based Intrusion Detection of Imbalanced Network Traffic" Jour. 2018 [159]
A134 "Anomaly Detection in Computer Security and an Application to File System Accesses" Conf. 2005 [160]
A135 "Network traffic anomaly detection using machine learning approaches" Conf. 2012 [161]
A136 "ManetSVM: Dynamic anomaly detection using one-class support vector machine in MANETs" Conf. 2013 [162]
A137 "Semi-Supervised Anomaly Detection for EEG Waveforms Using Deep Belief Nets" Conf. 2010 [163]
A138 "Using Machine Learning for Behavior-Based Access Control: Scalable Anomaly Detection on TCP Connections and HTTP Requests" Conf. 2013 [164]
A139 "Applying machine learning classifiers to dynamic android malware detection at scale" Conf. 2013 [165]
A140 "Big Data Analytics for User-Activity Analysis and User-Anomaly Detection in Mobile Wireless Network" Jour. 2017 [166]
A141 "Anomaly detection using machine learning with a case study" Conf. 2014 [167]
A142 "Octopus-IIDS: An anomaly based intelligent intrusion detection system" Conf. 2010 [168]
A143 "A hybrid method based on genetic algorithm, self-organised feature map, and support vector machine for better network anomaly detection" Conf. 2013 [169]
A144 "Anomaly Detection Support Vector Machine and Its Application to Fault Diagnosis" Conf. 2008 [170]
A145 "Evaluation of Machine Learning-based Anomaly Detection Algorithms on an Industrial Modbus/TCP Data Set" Conf. 2018 [171]
A146 "Network Anomaly Traffic Detection Method Based on Support Vector Machine" Conf. 2016 [172]
A147 "Anomaly detection of spacecraft based on least squares support vector machine" Conf. 2011 [173]
A148 "A Model Based on Hybrid Support Vector Machine and Self-Organizing Map for Anomaly Detection" Conf. 2010 [174]
A149 "Anomaly detection in wide area network meshes using two machine learning algorithms" Jour. 2018 [175]
A150 "Image Anomaly Detection with Generative Adversarial Networks" Conf. 2019 [176]
A151 "Performance evaluation of BGP anomaly classifiers" Conf. 2015 [177]
A152 "An uncertainty-managing batch relevance-based approach to network anomaly detection" Jour. 2015 [178]
A153 "Energy Consumption Data Based Machine Anomaly Detection" Conf. 2014 [167]
A154 "A Novel Algorithm for Network Anomaly Detection Using Adaptive Machine Learning" Conf. 2017 [179]
A155 "Thermal anomaly prediction in data centers" Conf. 2010 [180]
A156 "On the symbiosis of specification-based and anomaly-based detection" Jour. 2010 [181]
A157 "A holistic smart home demonstrator for anomaly detection and response" Conf. 2015 [182]
A158 "Online Anomaly Detection in Crowd Scenes via Structure Analysis" Jour. 2014 [183]
A159 "Hierarchical Temporal Memory Based Machine Learning for Real-Time, Unsupervised Anomaly Detection in Smart Grid: WiP Abstract" Conf. 2020 [184]
A160 "One-class extreme learning machines for gas turbine combustor anomaly detection" Conf. 2016 [185]
A161 "Recurrent Neural Network Attention Mechanisms for Interpretable System Log Anomaly Detection" Conf. 2018 [186]
A162 "Anomaly detection based on profile signature in network using machine learning technique" Conf. 2016 [187]
A163 "Nonlinear structure of escape-times to falls for a passive dynamic walker on an irregular slope: Anomaly detection using multi-class support vector machine and latent state extraction by canonical correlation analysis" Conf. 2011 [188]
A164 "A Self-Adaptive Deep Learning-Based System for Anomaly Detection in 5G Networks" Jour. 2018 [189]
A165 "RoADS: A Road Pavement Monitoring System for Anomaly Detection Using Smart Phones" Conf. 2016 [190]
A166 "Unitary Anomaly Detection for Ubiquitous Safety in Machine Health Monitoring" Conf. 2012 [191]
A167 "An HMM-Based Anomaly Detection Approach for SCADA Systems" Conf. 2016 [192]
A168 "Symbolic time series analysis for anomaly detection: A comparative evaluation" Jour. 2005 [193]
A169 "Anomaly Detection Using Real-Valued Negative Selection" Jour. 2003 [194]
A170 "Anomaly detection using the correlational paraconsistent machine with digital signatures of network segment" Jour. 2017 [195]
A171 "Combining negative selection and classification techniques for anomaly detection" Conf. 2002 [196]
A172 "A Geometric Framework for Unsupervised Anomaly Detection" Jour. 2002 [197]
A173 "Monitoring Smartphones for Anomaly Detection" Jour. 2008 [198]
A174 "Learning rules for anomaly detection of hostile network traffic" Conf. 2003 [199]
A175 "System Anomaly Detection: Mining Firewall Logs" Conf. 2006 [200]
A176 "Rule-Based Anomaly Detection on IP Flows" Conf. 2009 [201]
A177 "Is negative selection appropriate for anomaly detection?" Conf. 2005 [202]
A178 "Anomaly detection and classification in a laser powder bed additive manufacturing process using a trained computer vision algorithm" Jour. 2018 [203]
A179 "Stealthy poisoning attacks on PCA-based anomaly detectors" Jour. 2009 [204]
A180 "Fusions of GA and SVM for Anomaly Detection in Intrusion Detection System" Conf. 2005 [205]
A181 "Deep Learning Anomaly Detection as Support Fraud Investigation in Brazilian Exports and Anti-Money Laundering" Conf. 2016 [206]
A182 "An Anomaly Detection Method for Spacecraft Using Relevance Vector Learning" Conf. 2005 [207]
A183 "ALDO: An Anomaly Detection Framework for Dynamic Spectrum Access Networks" Conf. 2009 [208]
A184 "ADMIT: anomaly-based data mining for intrusions" Conf. 2002 [209]
A185 "IEEE 802.11 Network Anomaly Detection and Attack Classification: A Deep Learning Approach" Conf. 2017 [210]
A186 "Defying the gravity of learning curve: a characteristic of nearest neighbour anomaly detectors" Jour. 2016 [211]
A187 "Detecting Anomaly in Videos from Trajectory Similarity Analysis" Conf. 2007 [212]
A188 "An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks" Jour. 2005 [107]
A189 "DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning" Conf. 2017 [213]
A190 "Anomaly detection in earth dam and levee passive seismic data using support vector machines and automatic feature selection" Jour. 2017 [214]
A191 "MS-LSTM: A multi-scale LSTM model for BGP anomaly detection" Conf. 2016 [215]
A192 "SAD: web session anomaly detection based on parameter estimation" Jour. 2004 [216]
A193 "Evolutionary Learning Program’s Behavior in Neural Networks for Anomaly Detection" Conf. 2004 [217]
A194 "Spatio-Temporal AutoEncoder for Video Anomaly Detection" Conf. 2017 [218]
A195 "Robust feature selection and robust PCA for internet traffic anomaly detection" Conf. 2012 [219]
A196 "Deep Anomaly Detection with Deviation Networks" Conf. 2019 [220]
A197 "Machine learning and transport simulations for groundwater anomaly detection" Jour. 2020 [221]
A198 "Unsupervised machine learning for network-centric anomaly detection in IoT" Conf. 2019 [222]
A199 "Hybrid Machine Learning for Network Anomaly Intrusion Detection" Conf. 2020 [223]
A200 "An anomaly prediction framework for financial IT systems using hybrid machine learning methods" Jour. 2019 [224]
A201 "Kernel Eigenspace Separation Transform for Subspace Anomaly Detection in Hyperspectral Imagery" Jour. 2007 [225]
A202 "An unsupervised anomaly intrusion detection algorithm based on swarm intelligence" Conf. 2005 [226]
A203 "Maritime situation analysis framework: Vessel interaction classification and anomaly detection" Conf. 2015 [227]
A204 "An ensemble learning framework for anomaly detection in building energy consumption" Jour. 2017 [228]
A205 "Ensemble methods for anomaly detection and distributed intrusion detection in Mobile Ad-Hoc Networks" Jour. 2008 [229]
A206 "Unsupervised Anomaly Intrusion Detection via Localized Bayesian Feature Selection" Conf. 2011 [230]
A207 "McPAD: A multiple classifier system for accurate payload-based anomaly detection" Jour. 2009 [231]
A208 "Detecting errors within a corpus using anomaly detection" Conf. 2000 [232]
A209 "Efficient Top Rank Optimization with Gradient Boosting for Supervised Anomaly Detection" Conf. 2017 [233]
A210 "Semi-supervised learning based big data-driven anomaly detection in mobile wireless networks" Jour. 2018 [234]
A211 "Wireless Anomaly Detection Based on IEEE 802.11 Behavior Analysis" Jour. 2015 [235]
A212 "Spatial anomaly detection in sensor networks using neighborhood information" Jour. 2017 [236]
A213 "Anomaly Detection in Cyber Physical Systems Using Recurrent Neural Networks" Conf. 2017 [237]
A214 "Control variable classification, modeling and anomaly detection in Modbus/TCP SCADA systems" Jour. 2015 [238]
A215 "A hybrid approach for efficient anomaly detection using metaheuristic methods" Jour. 2015 [239]
A216 "Experience Report: System Log Analysis for Anomaly Detection" Conf. 2016 [19]
A217 "Towards Learning Normality for Anomaly Detection in Industrial Control Networks" Conf. 2013 [240]
A218 "Anomaly detection approach using hybrid algorithm of data mining technique" Conf. 2017 [241]
A219 "Adaptive Anomaly Identification by Exploring Metric Subspace in Cloud Computing Infrastructures" Conf. 2013 [242]
A220 "Towards reliable data feature retrieval and decision engine in host-based anomaly detection systems" Conf. 2015 [243]
A221 "Using an Ensemble of One-Class SVM Classifiers to Harden Payload-based Anomaly Detection Systems" Conf. 2006 [244]
A222 "An anomaly detection method to detect web attacks using Stacked Auto-Encoder" Conf. 2018 [245]
A223 "Anomaly Detection Enhanced Classification in Computer Intrusion Detection" Conf. 2002 [246]
A224 "Simple, state-based approaches to program-based anomaly detection" Jour. 2002 [247]
A225 "Adaptive anomaly detection with evolving connectionist systems" Jour. 2007 [248]
A226 "Enhancing Anomaly Detection Using Temporal Pattern Discovery" Jour. 2009 [249]
A227 "Anomaly Detection in IPv4 and IPv6 networks using machine learning" Conf. 2015 [250]
A228 "A training-resistant anomaly detection system" Jour. 2018 [251]
A229 "Conditional Anomaly Detection" Jour. 2007 [252]
A230 "An anomaly detection in smart cities modeled as wireless sensor network" Conf. 2016 [253]
A231 "Spatiotemporal Anomaly Detection in Gas Monitoring Sensor Networks" Conf. 2008 [254]
A232 "Using Naive Bayes with AdaBoost to Enhance Network Anomaly Intrusion Detection" Conf. 2010 [255]
A233 "Applying both positive and negative selection to supervised learning for anomaly detection" Conf. 2005 [256]
A234 "Real-time camera anomaly detection for real-world video surveillance" Conf. 2011 [257]
A235 "Network Anomaly Detection with Stochastically Improved Autoencoder Based Models" Conf. 2017 [258]
A236 "Learning deep event models for crowd anomaly detection" Jour. 2017 [259]
A237 "GANomaly: Semi-supervised Anomaly Detection via Adversarial Training" Conf. 2018 [260]
A238 "Mote-Based Online Anomaly Detection Using Echo State Networks" Conf. 2009 [261]
A239 "Genetic algorithm with different feature selection techniques for anomaly detectors generation" Conf. 2013 [262]
A240 "RawPower: Deep Learning based Anomaly Detection from Raw Network Traffic Measurements" Conf. 2018 [263]
A241 "Network security and anomaly detection with Big-DAMA, a big data analytics framework" Conf. 2017 [264]
A242 "An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls" Conf. 2004 [265]
A243 "An anomaly detection framework for BGP" Conf. 2011 [266]
A244 "Semantic anomaly detection in online data sources" Conf. 2002 [267]
A245 "A framework for efficient network anomaly intrusion detection with features selection" Conf. 2018 [268]
A246 "Cross-Layer Based Anomaly Detection in Wireless Mesh Networks" Conf. 2009 [269]
A247 "Reducing calculation requirements in FPGA implementation of deep learning algorithms for online anomaly intrusion detection" Conf. 2017 [270]
A248 "Anomaly detection in network traffic using K-mean clustering" Conf. 2016 [271]
A249 "Stream-based Machine Learning for Network Security and Anomaly Detection" Conf. 2018 [272]
A250 "Multivariate Online Anomaly Detection Using Kernel Recursive Least Squares" Conf. 2007 [273]
A251 "A Hybrid Autoencoder and Density Estimation Model for Anomaly Detection" Conf. 2016 [274]
A252 "Optimizing false positive in anomaly based intrusion detection using Genetic algorithm" Conf. 2016 [275]
A253 "Deep-anomaly: Fully convolutional neural network for fast anomaly detection in crowded scenes" Jour. 2018 [276]
A254 "Group Anomaly Detection Using Deep Generative Models" Conf. 2019 [277]
A289 "Anomaly detection in electronic invoice systems based on machine learning" Conf. 2020 [312]
A290 "Anomaly detection in wireless sensor network using machine learning algorithm" Jour. 2020 [313]
A291 "A Hybrid Unsupervised Clustering-Based Anomaly Detection Method" Jour. 2020 [314]
A292 “Network traffic anomalies detection and identification with flow monitoring” Conf. 2008 [315]
A293 “Network Traffic Anomaly Detection and Prevention, Concepts” Jour. 2017 [316]
A294 “Network Traffic Anomaly Detection Based on Information Gain and Deep Learning” Conf. 2019 [317]
A295 “Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation” Conf. 2005 [318]
A296 “Network traffic anomalies detection and identification with flow monitoring” Conf. 2008 [315]
A297 “Network Traffic Anomaly Detection and Prevention, Concepts” Jour. 2017 [316]
Networks (LSTM),
A165 | supervised | SVM | Accuracy (ACC) | 90% | real life dataset
A166 | NA | Gaussian models | na | na | na
A167 | NA | Hidden Markov Model | Detection Rate (DR) | 99.60% | real life dataset
A168 | NA | D-Markov machine with symbolic false nearest neighbors | na | na | na
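A216 | supervised + unsupervised | Supervised: Logistic regression, Decision tree, and Support vector machine (SVM); Unsupervised: Log Clustering, PCA, Invariants Mining | Accuracy, Recall, Precision, F-measure | na | HDFS and BGL
A217 | unsupervised | n-grams | efficiency, stability, scaling | na | na
A218 | supervised | K-mean + SMO | Detection Rate (DR) | 94.48% | NSL-KDD
A218 | supervised | K-mean + SMO | False Alarm Rate (FAR) | 1.20% | NSL-KDD
A218 | supervised | K-mean + SMO | Accuracy (ACC) | 97.37% | NSL-KDD
A219 | NA | most relevant principal components + neural networks | True Positive Rate (TPR) | 91.40% | real life dataset
A219 | NA | most relevant principal components + neural networks | False Positive Rate (FPR) | 3.70% | real life dataset
A220 | supervised | KNN | Detection Rate (DR) | 78% | ADFA-LD
A220 | supervised | KNN | False Alarm Rate (FAR) | 21% | ADFA-LD
A221 | unsupervised | Ensemble of One-Class SVM | desired false positive rate (DFP), real false positive rate (RFP), DR, AUC | na | real life dataset
A222 | unsupervised | Isolation Forest | Accuracy (ACC) | 88.32 | CSIC 2010 data set
A222 | unsupervised | Isolation Forest | Detection Rate (DR) | 88.34 | CSIC 2010 data set
A222 | unsupervised | Isolation Forest | Precision-Recall | 80.79 | CSIC 2010 data set
A222 | unsupervised | Isolation Forest | F-Score | 84.12 | CSIC 2010 data set
A223 | supervised | support vector machines with a radial basis kernel (SVM-RBF) | Detection Rate (DR) | 90.30% | DARPA/KDD-99
A223 | supervised | support vector machines with a radial basis kernel (SVM-RBF) | False Positive Rate (FPR) | 0.50% | DARPA/KDD-99
A224 | NA | program behavior traces | FP, Recall | na | 1998/1999 Dataset
A225 | unsupervised | Fuzzy Adaptive Resonance Theory | False Positive Rate (FPR) | 3.73% | KDD Cup 1999
A225 | unsupervised | Fuzzy Adaptive Resonance Theory | Hit Rate | 80.00% | KDD Cup 1999
A225 | unsupervised | Fuzzy Adaptive Resonance Theory | Cost | 0.424 | KDD Cup 1999
A225 | unsupervised | Evolving Fuzzy Neural Networks | False Positive Rate (FPR) | 2.61% | KDD Cup 1999
A225 | unsupervised | Evolving Fuzzy Neural Networks | Hit Rate | 76.00% | KDD Cup 1999
A225 | unsupervised | Evolving Fuzzy Neural Networks | Cost | 0.397 | KDD Cup 1999
A225 | unsupervised | SVM | False Positive Rate (FPR) | 15.70% | KDD Cup 1999
A225 | unsupervised | SVM | Hit Rate | 80.00% | KDD Cup 1999
A225 | unsupervised | SVM | Cost | 1.14 | KDD Cup 1999
A226 | NA | Temporal relationships | Anomaly mean | 0.76 | real and synthetic dataset
A226 | NA | Temporal relationships | Anomaly standard deviation | 0.14 | real and synthetic dataset
A226 | NA | Temporal relationships | Anomaly threshold | 0.99 | real and synthetic dataset
A227 | NA | Naive Bayes | Accuracy (ACC) | 78.941 | KDD dataset
A227 | NA | Decision table | Accuracy (ACC) | 94.41 | KDD dataset
A227 | NA | J48 | Accuracy (ACC) | 97.62 | KDD dataset
A227 | NA | PART | Accuracy (ACC) | 97.5179 | KDD dataset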
Digital Corpora, 2008, 2009, and
A228 NA detection rate na
Stream clustering-based real dataset
conditional anomaly
A229 unsupervised Precision-Recall 0.72 KDD CUP 1999
detection
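A230 | NA | neural network Neuro-fuzzy method | Accuracy (ACC) | 86.72% | real time data collected by the city of Aarhus, Denmark
A230 | NA | Binary Support Vector Machines | Accuracy (ACC) | 98.65% | real time data collected by the city of Aarhus, Denmark
A231 | unsupervised | Bayesian Networks | Prediction errors | na | real time data
A232 | supervised | Naive Bayes with adaboost | False Positive Rate (FPR) | 4.23% | KDD Cup 1999
A232 | supervised | Naive Bayes with adaboost | Detection Rate (DR) | 84.32% | KDD Cup 1999
A233 | supervised | negative and positive selection + C4.5 and Naïve Bayes | True Positive Rate (TPR) | 0.997 | UCI data repository
A233 | supervised | negative and positive selection + C4.5 and Naïve Bayes | False Positive Rate (FPR) | 0.028 | UCI data repository
A234 | NA | Online Kalman Filtering | Precision | 96.55% | real time dataset
A234 | NA | Online Kalman Filtering | Recall | 98.25% | real time dataset
A234 | NA | Online Kalman Filtering | False Alarm Rate (FAR) | 11.11% | real time dataset
A235 | NA | Auto Encoder | Accuracy (ACC) | 88.65% | NSL-KDD
A235 | NA | Auto Encoder | Precision | 96.48% | NSL-KDD
A235 | NA | Auto Encoder | Recall | 83.08% | NSL-KDD
A235 | NA | Auto Encoder | F-Score | 89.28% | NSL-KDD
A235 | NA | Auto Encoder | AUC | 92.50% | NSL-KDD
A236 | unsupervised | deep Gaussian mixture model + PCANet | Accuracy (ACC) | 75.40% | UCSD Ped1 Dataset, Avenue Dataset
A236 | unsupervised | deep Gaussian mixture model + PCANet | Equal Error Rate (EER) | 15.10% | UCSD Ped1 Dataset, Avenue Dataset
A237 | semi-supervised | Generative Adversarial Networks | AUC | AUC: 0.882 | CIFAR10 Dataset, MNIST Dataset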
vol. 36, no. 10, pp. 11994–12000, 2009, doi: 10.1016/j.eswa.2009.05.029.
[23] A. Patcha and J. M. Park, “An overview of anomaly detection techniques: Existing solutions and latest technological trends,” Comput. Networks, vol. 51, no. 12, pp. 3448–3470, 2007, doi: 10.1016/j.comnet.2007.02.001.
[24] A. L. Buczak and E. Guven, “A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection,” vol. 18, no. October, pp. 1153–1176, 2016, doi: 10.1109/COMST.2015.2494502.
[25] K. Satpute, S. Agrawal, J. Agrawal, and S. Sharma, “A Survey on Anomaly Detection in Network Intrusion Detection System Using Swarm Optimization Based Machine Learning Techniques,” in International Conference on Frontiers of Intelligent Computing, 2013, vol. 199, pp. 441–452, doi: 10.1007/978-3-642-35314-7.
[26] V. Sharma, R. Kumar, W. H. Cheng, M. Atiquzzaman, K. Srinivasan, and A. Y. Zomaya, “NHAD: Neuro-Fuzzy Based Horizontal Anomaly Detection in Online Social Networks,” IEEE Trans. Knowl. Data Eng., 2018, doi: 10.1109/TKDE.2018.2818163.
[27] P. Zhao, Y. Zhang, M. Wu, S. C. H. Hoi, M. Tan, and J. Huang, “Adaptive Cost-Sensitive Online Classification,” IEEE Trans. Knowl. Data Eng., 2019, doi: 10.1109/TKDE.2018.2826011.
[28] D. Kwon, H. Kim, J. Kim, S. C. Suh, I. Kim, and K. J. Kim, “A survey of deep learning-based network anomaly detection,” Cluster Comput., pp. 1–13, 2017, doi: 10.1007/s10586-017-1117-8.
[29] G. Fernandes, J. J. P. C. Rodrigues, L. F. Carvalho, J. F. Al-Muhtadi, and M. L. Proença, “A comprehensive survey on network anomaly detection,” Telecommun. Syst., vol. 70, no. 3, pp. 447–489, 2018, doi: 10.1007/s11235-018-0475-8.
[30] G. K. Rajbahadur, A. J. Malton, A. Walenstein, and A. E. Hassan, “A Survey of Anomaly Detection for Connected Vehicle Cybersecurity and Safety,” IEEE Intell. Veh. Symp. Proc., vol. 2018-June, no. Iv, pp. 421–426, 2018, doi: 10.1109/IVS.2018.8500383.
[31] T. Shon and J. Moon, “A hybrid machine learning approach to network anomaly detection,” Inf. Sci. (Ny)., vol. 177, no. 18, pp. 3799–3821, 2007, doi: 10.1016/j.ins.2007.03.025.
[32] S. M. Erfani, S. Rajasegarar, S. Karunasekera, and C. Leckie, “High-dimensional and large-scale anomaly detection using a linear one-class SVM with deep learning,” Pattern Recognit., vol. 58, pp. 121–134, 2016, doi: 10.1016/j.patcog.2016.03.028.
[33] M. Field, S. Das Bryanlmatthewsnasagov, N. C. Oza, B. L. Matthews, and A. N. Srivastava, “Multiple Kernel Learning for Heterogeneous Anomaly Detection : Algorithm and Aviation Safety Case Study Categories and Subject Descriptors,” Computing, pp. 47–55, 2007.
[34] M. Amer, M. Goldstein, and S. Abdennadher, “Enhancing one-class support vector machines for unsupervised anomaly detection,” pp. 8–15, 2013, doi: 10.1145/2500853.2500857.
[35] Y. X. Meng, “The practice on using machine learning for network anomaly intrusion detection,” Proc. - Int. Conf. Mach. Learn. Cybern., vol. 2, pp. 576–581, 2011, doi: 10.1109/ICMLC.2011.6016798.
[36] A. P. Muniyandi, R. Rajeswari, and R. Rajaram, “Network anomaly detection by cascading k-Means clustering and C4.5 decision tree algorithm,” Procedia Eng., vol. 30, no. 2011, pp. 174–182, 2012, doi: 10.1016/j.proeng.2012.01.849.
[37] S. W. Lin, K. C. Ying, C. Y. Lee, and Z. J. Lee, “An intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection,” Appl. Soft Comput. J., vol. 12, no. 10, pp. 3285–3290, 2012, doi: 10.1016/j.asoc.2012.05.004.
[38] S. Thaseen and C. A. Kumar, “An analysis of supervised tree based classifiers for intrusion detection system,” Proc. 2013 Int. Conf. Pattern Recognition, Informatics Mob. Eng. PRIME 2013, pp. 294–299, 2013, doi: 10.1109/ICPRIME.2013.6496489.
[39] G. Kim, S. Lee, and S. Kim, “A novel hybrid intrusion detection method integrating anomaly detection with misuse detection,” Expert Syst. Appl., vol. 41, no. 4 PART 2, pp. 1690–1700, 2014, doi: 10.1016/j.eswa.2013.08.066.
[40] S. Fu, “Performance metric selection for autonomic anomaly detection on cloud computing systems,” GLOBECOM - IEEE Glob. Telecommun. Conf., 2011, doi: 10.1109/GLOCOM.2011.6134532.
[41] Y. Yasami and S. P. Mozaffari, “A novel unsupervised classification approach for network anomaly detection by k-Means clustering and ID3 decision tree learning methods,” 2010, doi: 10.1007/s11227-009-0338-x.
[42] R. Chitrakar and H. Chuanhe, “Anomaly detection using Support Vector Machine classification with k-Medoids clustering,” Asian Himalayas Int. Conf. Internet, pp. 1–5, 2012, doi: 10.1109/AHICI.2012.6408446.
[43] N. Chand, P. Mishra, C. R. Krishna, E. S. Pilli, and M. C. Govil, “A comparative analysis of SVM and its stacking with other classification algorithm for intrusion detection,” Proc. - 2016 Int. Conf. Adv. Comput. Commun. Autom. ICACCA 2016, 2016, doi: 10.1109/ICACCA.2016.7578859.
[44] K. Noto, C. Brodley, and D. Slonim, “FRaC: A feature-modeling approach for semi-supervised and unsupervised anomaly detection,” Data Min. Knowl. Discov., vol. 25, no. 1, pp. 109–133, 2012, doi: 10.1007/s10618-011-0234-x.
[45] I. Assent, P. Kranen, C. Baldauf, and T. Seidl, “AnyOut: Anytime outlier detection on streaming data,” Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics), vol. 7238 LNCS, no. PART 1, pp. 228–242, 2012, doi: 10.1007/978-3-642-29038-1_18.
[46] A. Kulkarni, Y. Pino, M. French, and T. Mohsenin, “Real-Time Anomaly Detection Framework for Many-Core Router through Machine-Learning Techniques,” ACM J. Emerg. Technol. Comput. Syst., vol. 13, no. 1, pp. 1–22, 2016, doi: 10.1145/2827699.
[47] J. Vanerio and P. Casas, “Ensemble-learning Approaches for Network Security and Anomaly Detection,” pp. 1–6, 2017, doi: 10.1145/3098593.3098594.
[48] K. Noto, C. Brodley, and D. Slonim, “Anomaly detection using an ensemble of feature models,” Proc. - IEEE Int. Conf. Data Mining, ICDM, pp. 953–958, 2010, doi: 10.1109/ICDM.2010.140.
[49] P. Jongsuebsuk, N. Wattanapongsakorn, and C. Charnsripinyo, “Network intrusion detection with Fuzzy Genetic Algorithm for unknown attacks,” Int. Conf. Inf. Netw., pp. 1–5, 2013, doi: 10.1109/ICOIN.2013.6496342.
[50] L. A. Maglaras and J. Jiang, “Intrusion detection in SCADA systems using machine learning techniques,” Proc. 2014 Sci. Inf. Conf. SAI 2014, pp. 626–631, 2014, doi: 10.1109/SAI.2014.6918252.
[51] T. Shon, Y. Kim, C. Lee, and J. Moon, “A machine learning framework for network anomaly detection using SVM and GA,” 2005, doi: 10.1109/IAW.2005.1495950.
[52] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, “Anomaly-based network intrusion detection: Techniques, systems and challenges,” Comput. Secur., vol. 28, no. 1–2, pp. 18–28, 2009, doi: 10.1016/j.cose.2008.08.003.
[53] Sang-Jun Han and Sung-Bae Cho, “Evolutionary neural networks for anomaly detection based on the behavior of a program,” IEEE Trans. Syst. Man Cybern. Part B, vol. 36, no. 3, pp. 559–570, 2006, doi: 10.1109/tsmcb.2005.860136.
[54] A. Nanduri and L. Sherry, “Anomaly Detection in Aircraft Data using Recurrent Neural Networks (RNN),” in 2016 Integrated Communications Navigation and Surveillance (ICNS), 2016, pp. 1–8, doi: 10.1109/ICNSURV.2016.7486356.
[55] S. Rajasegarar, C. Leckie, J. C. Bezdek, and M. Palaniswami, “Centered hyperspherical and hyperellipsoidal one-class support vector machines for anomaly detection in sensor networks,” IEEE Trans. Inf. Forensics Secur., 2010, doi: 10.1109/TIFS.2010.2051543.
[56] USACE, “Distribution Restriction Statement Approved for public release ; distribution is,” Engineer, vol. 2, 1994.
[57] B. Agarwal and N. Mittal, “Hybrid Approach for Detection of Anomaly Network Traffic using Data Mining Techniques,” Procedia Technol., vol. 6, pp. 996–1003, 2012, doi: 10.1016/j.protcy.2012.10.121.
[58] J. Jabez and B. Muthukumar, “Intrusion detection system (ids): Anomaly detection using outlier detection approach,” Procedia Comput. Sci., vol. 48, no. C, pp. 338–346, 2015, doi: 10.1016/j.procs.2015.04.191.
[59] M. Sheikhan and Z. Jadidi, “Flow-based anomaly detection in high-speed links using modified GSA-optimized neural network,” Neural Comput. Appl., vol. 24, no. 3–4, pp. 599–611, 2014, doi: 10.1007/s00521-012-1263-0.
[60] S. Mascaro, A. E. Nicholson, and K. B. Korb, “Anomaly detection in vessel tracks using bayesian networks,” Int. J. Approx. Reason., vol. 55, pp. 84–98, 2013, doi: 10.1016/j.ijar.2013.03.012.
[61] D. Liu et al., “Opprentice: Towards Practical and Automatic Anomaly Detection Through Machine Learning,” Internet Meas. Conf., pp. 51–78, 2015, doi: 10.2307/j.ctt1zkjzr0.7.
[62] I. Syarif, A. Prugel-bennett, and G. Wills, “Unsupervised Clustering Approach for Network Anomaly Detection,” pp. 135–145, 2012.
[63] O. Linda, M. Manic, T. Vollmer, and J. Wright, “Fuzzy logic based anomaly detection for embedded network security cyber sensor,” IEEE SSCI 2011 Symp. Ser. Comput. Intell. - CICS 2011 2011 IEEE Symp. Comput. Intell. Cyber Secur., pp. 202–209, 2011, doi: 10.1109/CICYBS.2011.5949392.
[64] X. Xu, “Sequential anomaly detection based on temporal-difference learning: Principles, models and case studies,” Appl. Soft Comput. J., vol. 10, no. 3, pp. 859–867, 2010, doi: 10.1016/j.asoc.2009.10.003.
[65] F. Iglesias and T. Zseby, “Analysis of network traffic features for anomaly detection,” Mach. Learn., vol. 101, no. 1–3, pp. 59–84, 2015, doi: 10.1007/s10994-014-5473-9.
[66] N. Pandeeswari and G. Kumar, “Anomaly Detection System in Cloud Environment Using Fuzzy Clustering Based ANN,” Mob. Networks Appl., vol. 21, no. 3, pp. 494–505, 2016, doi: 10.1007/s11036-015-0644-x.
[67] K. Demertzis and I. Lazaros, “A Hybrid Network Anomaly and Intrusion Detection Approach Based on Evolving Spiking Neural Network Classification,” Int. Conf. E-Democracy, vol. 441, pp. 11–23, 2014, doi: 10.1007/978-3-319-11710-2.
[68] K. Alrawashdeh and C. Purdy, “Toward an online anomaly intrusion detection system based on deep learning,” Proc. - 2016 15th IEEE Int. Conf. Mach. Learn. Appl. ICMLA 2016, pp. 195–200, 2017, doi: 10.1109/ICMLA.2016.167.
[69] S. Ahmad, A. Lavin, S. Purdy, and Z. Agha, “Unsupervised real-time anomaly detection for streaming data,” Neurocomputing, vol. 262, pp. 134–147, 2017, doi: 10.1016/j.neucom.2017.04.070.
[70] S. Aljawarneh, M. Aldwairi, and M. B. Yassein, “Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model,” J. Comput. Sci., vol. 25, pp. 152–160, 2018, doi: 10.1016/j.jocs.2017.03.006.
[71] G. Dini, F. Martinelli, A. Saracino, and D. Sgandurra, “MADAM: A multi-level anomaly detector for android malware,” Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics), vol. 7531 LNCS, pp. 240–253, 2012, doi: 10.1007/978-3-642-33704-8-21.
[72] V. A. Sotiris, P. W. Tse, and M. G. Pecht, “Anomaly Detection Through a Bayesian Support Vector Machine,” vol. 59, no. 2, pp. 277–286, 2010.
[73] M. Längkvist, L. Karlsson, and A. Loutfi, “Sleep Stage Classification Using Unsupervised Feature Learning,” Adv. Artif. Neural Syst., 2012, doi: 10.1155/2012/107046.
[74] J. Song, H. Takakura, Y. Okabe, and K. Nakao, “Toward a more practical unsupervised anomaly detection system,” Inf. Sci. (Ny)., vol. 231, pp. 4–14, 2013, doi: 10.1016/j.ins.2011.08.011.
[75] C. Yin, Y. Zhu, J. Fei, and X. He, “A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks,” IEEE Access, vol. 5, pp. 21954–21961, 2017, doi: 10.1109/ACCESS.2017.2762418.
[76] C. A. Catania, F. Bromberg, and C. G. Garino, “An autonomous labeling approach to support vector machines algorithms for network traffic anomaly detection,” Expert Syst. Appl., vol. 39, no. 2, pp. 1822–1829, 2012, doi: 10.1016/j.eswa.2011.08.068.
[77] Z. Liao, Y. Yu, and B. Chen, “Anomaly detection in GPS data based on visual analytics,” VAST 10 - IEEE Conf. Vis. Anal. Sci. Technol. 2010, Proc., pp. 51–58, 2010, doi: 10.1109/VAST.2010.5652467.
[78] A. Purarjomandlangrudi, A. H. Ghapanchi, and M. Esmalifalak, “A data mining approach for fault diagnosis: An application of anomaly detection algorithm,” Meas. J. Int. Meas. Confed., vol. 55, pp. 343–352, 2014, doi: 10.1016/j.measurement.2014.05.029.
[79] A. F. Emmott, S. Das, T. Dietterich, A. Fern, and W.-K. Wong, “Systematic construction of anomaly detection benchmarks from real data,” pp. 16–21, 2013, doi: 10.1145/2500853.2500858.
[80] D. J. Hill and B. S. Minsker, “Anomaly detection in streaming environmental sensor data: A data-driven modeling approach,” Environ. Model. Softw., vol. 25, no. 9, pp. 1014–1022, 2010, doi: 10.1016/j.envsoft.2009.08.010.
[81] G. Pachauri and S. Sharma, “Anomaly Detection in Medical Wireless Sensor Networks using Machine Learning Algorithms,” Procedia Comput. Sci., vol. 70, pp. 325–333, 2015, doi: 10.1016/j.procs.2015.10.026.
[82] X. S. Gan, J. S. Duanmu, J. F. Wang, and W. Cong, “Anomaly intrusion detection based on PLS feature extraction and core vector machine,” Knowledge-Based Syst., vol. 40, pp. 1–6, 2013, doi: 10.1016/j.knosys.2012.09.004.
[83] W. Li, G. Wu, and Q. Du, “Transferred Deep Learning for Anomaly Detection in Hyperspectral Imagery,” IEEE Geosci. Remote Sens. Lett., vol. 14, no. 5, pp. 597–601, 2017, doi: 10.1109/LGRS.2017.2657818.
[84] C. Wressnegger, G. Schwenk, D. Arp, and K. Rieck, “A close look on n-grams in intrusion detection,” Proc. 2013 ACM Work. Artif. Intell. Secur. - AISec ’13, pp. 67–76, 2013, doi: 10.1145/2517312.2517316.
[85] J. Li, G. Han, J. Wen, and X. Gao, “Robust tensor subspace learning for anomaly detection,” Int. J. Mach. Learn. Cybern., vol. 2, no. 2, pp. 89–98, 2011, doi: 10.1007/s13042-011-0017-0.
[86] C. Zhou and R. C. Paffenroth, “Anomaly Detection with Robust Deep Autoencoders,” pp. 665–674, 2017, doi: 10.1145/3097983.3098052.
[87] D. J. Dean, H. Nguyen, and X. Gu, “UBL: Unsupervised Behavior Learning for Predicting Performance Anomalies in Virtualized Cloud Systems,” Proc. 9th Int. Conf. Auton. Comput. - ICAC ’12, pp. 191–200, 2012, doi: 10.1145/2371536.2371572.
[88] L. Xiong, X. Chen, and J. Schneider, “Direct robust matrix factorization for anomaly detection,” Proc. - IEEE Int. Conf. Data Mining, ICDM, pp. 844–853, 2011, doi: 10.1109/ICDM.2011.52.
[89] Y. J. Lee, Y. R. Yeh, and Y. C. F. Wang, “Anomaly detection via online oversampling principal component analysis,” IEEE Trans. Knowl. Data Eng., vol. 25, no. 7, pp. 1460–1470, 2013, doi: 10.1109/TKDE.2012.99.
[90] N. Laptev, S. Amizadeh, and I. Flint, “Generic and Scalable Framework for Automated Time-series Anomaly Detection,” pp. 1939–1947, 2015, doi: 10.1145/2783258.2788611.
[91] O. Salem, A. Guerassimov, A. Mehaoua, A. Marcus, and B. Furht, “Sensor Fault and Patient Anomaly Detection and Classification in Medical Wireless Sensor Networks,” IEEE Int. Conf. Commun., vol. 7, no. 4, pp. 272–284, 2013, doi: 10.5626/JCSE.2013.7.4.272.
[92] L. Ma, M. M. Crawford, and J. Tian, “Anomaly detection for hyperspectral images based on robust locally linear embedding,” J. Infrared, Millimeter, Terahertz Waves, vol. 31, no. 6, pp. 753–762, 2010, doi: 10.1007/s10762-010-9630-3.
[93] R. Zhao, B. Du, and L. Zhang, “A robust nonlinear hyperspectral anomaly detection approach,” IEEE J. Sel. Top. Appl. Earth Obs. Remote Sens., vol. 7, no. 4, pp. 1227–1234, 2014, doi: 10.1109/JSTARS.2014.2311995.
[94] P. Angelov, “Anomaly detection based on eccentricity analysis,” IEEE SSCI 2014 - 2014 IEEE Symp. Ser. Comput. Intell. - EALS 2014 2014 IEEE Symp. Evol. Auton. Learn. Syst. Proc., pp. 1–8, 2014, doi: 10.1109/EALS.2014.7009497.
[95] P. H. dos Santos Teixeira and R. L. Milidiú, “Data stream anomaly detection through principal subspace tracking,” p. 1609,
2010, doi: 10.1145/1774088.1774434.
[96] S. T. Faraj Al-Janabi and H. A. Saeed, “A neural network based anomaly intrusion detection system,” Proc. - 4th Int. Conf. Dev. eSystems Eng. DeSE 2011, pp. 221–226, 2011, doi: 10.1109/DeSE.2011.19.
[97] F. Palmieri and U. Fiore, “Network anomaly detection through nonlinear analysis,” Comput. Secur., vol. 29, no. 7, pp. 737–755, 2010, doi: 10.1016/j.cose.2010.05.002.
[98] A. Taylor, N. Japkowicz, and S. Leblanc, “Frequency-based anomaly detection for the automotive CAN bus,” 2015 World Congr. Ind. Control Syst. Secur. WCICSS 2015, pp. 45–49, 2016, doi: 10.1109/WCICSS.2015.7420322.
[99] Y. Zhu, N. M. Nayak, and A. K. Roy-Chowdhury, “Context-aware activity recognition and anomaly detection in video,” IEEE J. Sel. Top. Signal Process., vol. 7, no. 1, pp. 91–101, 2013, doi: 10.1109/JSTSP.2012.2234722.
[100] D. Smith, Q. Guan, and S. Fu, “An anomaly detection framework for autonomic management of compute cloud systems,” Proc. - Int. Comput. Softw. Appl. Conf., pp. 376–381, 2010, doi: 10.1109/COMPSACW.2010.72.
[101] M. Teng, “Anomaly Detection on Time Series,” IEEE Int. Conf. Prog. Informatics Comput., pp. 603–608, 2010, [Online]. Available: http://arxiv.org/abs/1708.02975.
[102] S. Lee, G. Kim, and S. Kim, “Self-adaptive and dynamic clustering for online anomaly detection,” Expert Syst. Appl., vol. 38, no. 12, pp. 14891–14898, 2011, doi: 10.1016/j.eswa.2011.05.058.
[103] S. Arshad, M. Abbaspour, M. Kharrazi, and H. Sanatkar, “An anomaly-based botnet detection approach for identifying stealthy botnets,” ICCAIE 2011 - 2011 IEEE Conf. Comput. Appl. Ind. Electron., no. Iccaie, pp. 564–569, 2011, doi: 10.1109/ICCAIE.2011.6162198.
[104] S. Chauhan and L. Vig, “Anomaly detection in ECG time signals via deep long short-term memory networks,” Proc. 2015 IEEE Int. Conf. Data Sci. Adv. Anal. DSAA 2015, 2015, doi: 10.1109/DSAA.2015.7344872.
[105] S. Calderara, U. Heinemann, A. Prati, R. Cucchiara, and N. Tishby, “Detecting anomalies in people’s trajectories using spectral graph analysis,” Comput. Vis. Image Underst., 2011, doi: 10.1016/j.cviu.2011.03.003.
[106] S. Garg, K. Kaur, N. Kumar, and J. J. P. C. Rodrigues, “Hybrid deep-learning-based anomaly detection scheme for suspicious flow detection in SDN: A social multimedia perspective,” IEEE Trans. Multimed., vol. 21, no. 3, pp. 566–578, 2019, doi: 10.1109/TMM.2019.2893549.
[107] O. Depren, M. Topallar, E. Anarim, and M. K. Ciliz, “An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks,” Expert Syst. Appl., vol. 29, no. 4, pp. 713–722, 2005, doi: 10.1016/j.eswa.2005.05.002.
[108] D. Kang, D. Fuller, and V. Honavar, “Learning Classifiers for Misuse Detection Using a Bag of System Calls Representation,” Work. Inf. Assur. Secur., pp. 511–516, 2005.
[109] E. Leon, O. Nasraoui, and J. Gomez, “Anomaly detection based on unsupervised niche clustering with application to network intrusion detection,” 2004, doi: 10.1109/cec.2004.1330898.
[110] A. Del Giorno, J. A. Bagnell, and M. Hebert, “A Discriminative Framework for Anomaly Detection in Large Videos,” Comput. Vis. – ECCV 2016, vol. 9905, pp. 334–349, 2016, doi: 10.1007/978-3-319-46448-0.
[111] J. Jabez, S. Gowri, S. Vigneshwari, J. A. Mayan, and S. Srinivasulu, “Anomaly Detection by Using CFS Subset and Neural Network with WEKA Tools,” Inf. Commun. Technol. Intell. Syst., vol. 106, pp. 675–682, 2019, doi: 10.1007/978-981-13-1742-2.
[112] R. Laxhammar and G. Falkman, “Online learning and sequential anomaly detection in trajectories,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 36, no. 6, pp. 1158–1173, 2014, doi: 10.1109/TPAMI.2013.172.
[113] M. Schneider, W. Ertel, and F. Ramos, “Expected similarity estimation for large-scale batch and streaming anomaly detection,” Mach. Learn., vol. 105, no. 3, pp. 305–333, 2016, doi: 10.1007/s10994-016-5567-7.
[114] X. Chen, B. Li, R. Proietti, Z. Zhu, S. Member, and S. J. Ben Yoo, “Self-taught Anomaly Detection with Hybrid Unsupervised/Supervised Machine Learning in Optical Networks.”
[115] H. H. Pajouh, G. H. Dastghaibyfard, and S. Hashemi, “Two-tier network anomaly detection model: a machine learning approach,” J. Intell. Inf. Syst., 2017, doi: 10.1007/s10844-015-0388-x.
[116] S. Zhao, M. Chandrashekar, Y. Lee, and D. Medhi, Real-Time Network Anomaly Detection System Using Machine Learning.
[117] T. Yairi, Y. Kawahara, R. Fujimaki, Y. Sato, and K. Machida, “Telemetry-mining: A machine learning approach to anomaly detection and fault diagnosis for space systems,” in Proceedings - SMC-IT 2006: 2nd IEEE International Conference on Space Mission Challenges for Information Technology, 2006, vol. 2006, pp. 466–473, doi: 10.1109/SMC-IT.2006.79.
[118] A. Deorio, Q. Li, M. Burgess, and V. Bertacco, Machine Learning-based Anomaly Detection for Post-silicon Bug Diagnosis.
[119] K. L. Li, H. K. Huang, S. F. Tian, and W. Xu, “Improving one-class SVM for anomaly detection,” in International Conference on Machine Learning and Cybernetics, 2003, vol. 5, pp. 3077–3081, doi: 10.1109/icmlc.2003.1260106.
[120] C. Wagner, J. François, R. State, and T. Engel, “Machine learning approach for IP-flow record anomaly detection,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2011, vol. 6640 LNCS, no. PART 1, pp. 28–39, doi: 10.1007/978-3-642-20757-0_3.
[121] J. Inoue, Y. Yamagata, Y. Chen, C. M. Poskitt, and J. Sun, “Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning.”
[122] Y. Li, B. Fang, L. Guo, and Y. Chen, “Network anomaly detection based on TCM-KNN algorithm,” in Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS ’07, 2007, pp. 13–19, doi: 10.1145/1229285.1229292.
[123] F. Maggi, S. Zanero, and V. Iozzo, “Seeing the invisible: Forensic uses of anomaly detection and machine learning,” in Operating Systems Review (ACM), Apr. 2008, vol. 42, no. 3, pp. 51–58, doi: 10.1145/1368506.1368514.
[124] H. H. W. J. Bosman, A. Liotta, G. Iacca, and H. J. Wörtche, “Anomaly detection in sensor systems using lightweight machine learning,” in Proceedings - 2013 IEEE International Conference on Systems, Man, and Cybernetics, SMC 2013, 2013, pp. 7–13, doi: 10.1109/SMC.2013.9.
[125] S. Shriram and E. Sivasankar, “Anomaly Detection on Shuttle data using Unsupervised Learning Techniques,” in Proceedings of 2019 International Conference on Computational Intelligence and Knowledge Economy, ICCIKE 2019, 2019, pp. 221–225, doi: 10.1109/ICCIKE47802.2019.9004325.
[126] K. Limthong, Y. Ji, K. Fukuda, and S. Yamada, “Weighting Technique on Multi-timeline for Machine Learning-based Anomaly Detection System Disaster Preparation and Response via Big Data Analysis and Robust Networking View project Application Offloading Based on R-OSGi in Mobile Cloud Computing View proj,” ieeexplore.ieee.org, doi: 10.1109/CCCS.2015.7374168.
[127] J. Shi, G. He, and X. Liu, “Anomaly Detection for Key Performance Indicators Through Machine Learning,” in Proceedings of 2018 6th IEEE International Conference on Network Infrastructure and Digital Content, IC-NIDC 2018, 2018, pp. 1–5, doi: 10.1109/ICNIDC.2018.8525714.
[128] O. I. Provotar, Y. M. Linder, and M. M. Veres, “Unsupervised Anomaly Detection in Time Series Using LSTM-Based Autoencoders,” in 2019 IEEE International Conference on Advanced Trends in Information Theory, ATIT 2019 - Proceedings, 2019, pp. 513–517, doi: 10.1109/ATIT49449.2019.9030505.
[129] S. Kumar, S. Nandi, and S. Biswas, “Research and application of One-class small hypersphere support vector machine for network anomaly detection,” 2011, doi:
10.1109/COMSNETS.2011.5716425.
[130] Y. Imamverdiyev and L. Sukhostat, “Anomaly detection in network traffic using extreme learning machine,” 2017, doi: 10.1109/ICAICT.2016.7991732.
[131] A. Dawoud, S. Shahristani, and C. Raun, “Deep learning for network anomalies detection,” in Proceedings - International Conference on Machine Learning and Data Engineering, iCMLDE 2018, 2019, pp. 117–120, doi: 10.1109/iCMLDE.2018.00035.
[132] H. G. Zhou and C. De Yang, “Using immune algorithm to optimize anomaly detection based on SVM,” in Proceedings of the 2006 International Conference on Machine Learning and Cybernetics, 2006, vol. 2006, pp. 4257–4261, doi: 10.1109/ICMLC.2006.259008.
[133] Y. Shi and K. Miao, “Detecting anomalies in application performance management system with machine learning algorithms,” in 2019 IEEE 3rd International Conference on Electronic Information Technology and Computer Engineering, EITCE 2019, 2019, pp. 1797–1800, doi: 10.1109/EITCE47263.2019.9094916.
[134] P. K. Chan, M. V. Mahoney, and M. H. Arshad, “Learning Rules and Clusters for Anomaly Detection in Network Traffic,” in Managing Cyber Threats, Springer-Verlag, 2005, pp. 81–99.
[135] T. Salman, D. Bhamare, A. Erbad, R. Jain, and M. Samaka, “Machine Learning for Anomaly Detection and Categorization in Multi-Cloud Environments,” Proc. - 4th IEEE Int. Conf. Cyber Secur. Cloud Comput. CSCloud 2017 3rd IEEE Int. Conf. Scalable Smart Cloud, SSC 2017, pp. 97–103, 2017, doi: 10.1109/CSCloud.2017.15.
[136] Z. Xiao, C. Liu, and C. Chen, “An anomaly detection scheme based on machine learning for WSN,” in 2009 1st International Conference on Information Science and Engineering, ICISE 2009, 2009, pp. 3959–3962, doi: 10.1109/ICISE.2009.235.
[137] S. Naseer et al., “Enhanced network anomaly detection based on deep neural networks,” IEEE Access, vol. 6, pp. 48231–48246, 2018, doi: 10.1109/ACCESS.2018.2863036.
[138] S. Rajasegarar, C. Leckie, and M. Palaniswami, “CESVM: Centered hyperellipsoidal support vector machine based anomaly detection,” in IEEE International Conference on Communications, 2008, pp. 1610–1614, doi: 10.1109/ICC.2008.311.
[139] A. Valdes, R. Macwan, and M. Backes, “Anomaly detection in electrical substation circuits via unsupervised machine learning,” in Proceedings - 2016 IEEE 17th International Conference on Information Reuse and Integration, IRI 2016, 2016, pp. 500–505, doi: 10.1109/IRI.2016.74.
[140] L. Kuang and M. Zulkernine, “An anomaly intrusion detection method using the CSI-KNN algorithm,” in Proceedings of the ACM Symposium on Applied Computing, 2008, pp. 921–926, doi: 10.1145/1363686.1363897.
[141] S. R. Gaddam, V. V. Phoha, and K. S. Balagani, “K-Means+ID3: A novel method for supervised anomaly detection by cascading k-Means clustering and ID3 decision tree learning methods,” IEEE Trans. Knowl. Data Eng., vol. 19, no. 3, pp. 345–354, 2007, doi: 10.1109/TKDE.2007.44.
[142] E. K. Viegas, A. O. Santin, and L. S. Oliveira, “Toward a reliable anomaly-based intrusion detection in real-world environments,” Comput. Networks, vol. 127, pp. 200–216, 2017, doi: 10.1016/j.comnet.2017.08.013.
[143] Y. Wang, J. Wong, and A. Miner, “Anomaly intrusion detection using one class SVM,” in Proceedings from the Fifth Annual IEEE System, Man and Cybernetics Information Assurance Workshop, SMC, 2004, pp. 358–364, doi: 10.1109/iaw.2004.1437839.
[144] B. I. P. Rubinstein et al., “Antidote: Understanding and defending against poisoning of anomaly detectors,” in Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC, 2009, pp. 1–14, doi: 10.1145/1644893.1644895.
[145] D. Liu, C. H. Lung, I. Lambadaris, and N. Seddigh, “Network traffic anomaly detection using clustering techniques and performance comparison,” 2013, doi: 10.1109/CCECE.2013.6567739.
[146] W. Chimphlee, A. H. Abdullah, M. Noor, M. Sap, S. Srinoy, and S. Chimphlee, “Anomaly-Based Intrusion Detection using Fuzzy Rough Clustering,” 2006.
[147] T. M. Thang and J. Kim, “The anomaly detection by using DBSCAN clustering with multiple parameters,” 2011, doi: 10.1109/ICISA.2011.5772437.
[148] Y. Wang, D. Li, Y. Du, and Z. Pan, “Anomaly detection in traffic using L1-norm minimization extreme learning machine,” Neurocomputing, vol. 149, no. Part A, pp. 415–425, 2015, doi: 10.1016/j.neucom.2014.04.073.
[149] J. Zhang and M. Zulkernine, “Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection,” 2006.
[150] T.-Y. Kim and S.-B. Cho, “Web traffic anomaly detection using C-LSTM neural networks,” Expert Syst. Appl., vol. 106, pp. 66–76, 2018, doi: 10.1016/j.eswa.2018.04.004.
[151] C. H. Lin, J. C. Liu, and C. H. Ho, “Anomaly detection using LibSVM training tools,” in Proceedings of the 2nd International Conference on Information Security and Assurance, ISA 2008, 2008, vol. 2, no. 4, pp. 166–171, doi: 10.1109/ISA.2008.12.
[152] Kunlun Li and Guifa Teng, “Unsupervised SVM Based on p-kernels for Anomaly Detection,” 2006, doi: 10.1109/icicic.2006.371.
[153] X. G. Tian, L. Z. Gao, C. L. Sun, M. Y. Duan, and E. Y. Zhang, “A method for anomaly detection of user behaviors based on machine learning,” J. China Univ. Posts Telecommun., vol. 13, no. 2, 2006, doi: 10.1016/S1005-8885(07)60105-8.
[154] B. G. Atli, Y. Miche, A. Kalliola, I. Oliver, S. Holtmanns, and A. Lendasse, “Anomaly-Based Intrusion Detection Using Extreme Learning Machine and Aggregation of Network Traffic Statistics in Probability Space,” Cognit. Comput., vol. 10, no. 5, pp. 848–863, Oct. 2018, doi: 10.1007/s12559-018-9564-y.
[155] S. Mojtaba, H. Bamakan, Y. Tian, M. Mirzabagheri, H. Wang, and Q. Qu, “ARTICLE IN PRESS JID: NEUCOM [m5G; Ramp loss one-class support vector machine; A robust and effective approach to anomaly detection problems,” Elsevier, 2018, doi: 10.1016/j.neucom.2018.05.027.
[156] H. Su, X. Wu, X.-H. Yan, and A. Kidwell, “Estimation of subsurface temperature anomaly in the Indian Ocean during recent global surface warming hiatus from satellite measurements: A support vector machine approach Deeper Ocean Remote Sensing View project Sea Ice Remote Sensing View project Estima,” Elsevier, 2015, doi: 10.1016/j.rse.2015.01.001.
[157] B. Cui and S. He, “Anomaly detection model based on hadoop platform and weka interface,” in Proceedings - 2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, IMIS 2016, 2016, pp. 84–89, doi: 10.1109/IMIS.2016.50.
[158] M. Hasan, M. M. Islam, M. I. I. Zarif, and M. M. A. Hashem, “Attack and anomaly detection in IoT sensors in IoT sites using machine learning approaches,” Internet of Things, vol. 7, p. 100059, 2019, doi: 10.1016/j.iot.2019.100059.
[159] R. Abdulhammed, M. Faezipour, A. Abuzneid, and A. Abumallouh, “Deep and Machine Learning Approaches for Anomaly-Based Intrusion Detection of Imbalanced Network Traffic,” IEEE Sensors Lett., vol. 3, no. 1, 2019, doi: 10.1109/LSENS.2018.2879990.
[160] S. J. Stolfo, S. Hershkop, L. H. Bui, R. Ferster, and K. Wang, “Anomaly detection in computer security and an application to file system accesses,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2005, vol. 3488 LNAI, pp. 14–28, doi: 10.1007/11425274_2.
[161] K. Limthong and T. Tawsook, “Network traffic anomaly detection using machine learning approaches,” ieeexplore.ieee.org, 2012, doi: 10.1109/NOMS.2012.6211951.
[162] F. Barani and S. Gerami, “ManetSVM: Dynamic anomaly detection using one-class support vector machine in MANETs,” 2013, doi: 10.1109/ISCISC.2013.6767325.
[163] B. Litt, D. Wulsin, J. Blanco, and R. Mani, “Semi-Supervised Anomaly Detection for EEG Waveforms Using Deep Belief
Nets,” ieeexplore.ieee.org, 2011, doi: 10.1109/ICMLA.2010.71.
[164] A. Adler, M. J. Mayhew, J. Cleveland, M. Atighetchi, and R. Greenstadt, “Using Machine Learning for Behavior-Based Access Control: Scalable Anomaly Detection on TCP Connections and HTTP Requests.”
[165] B. Amos, H. Turner, and J. White, “Applying machine learning classifiers to dynamic android malware detection at scale,” 2013 9th Int. Wirel. Commun. Mob. Comput. Conf. IWCMC 2013, pp. 1666–1671, 2013, doi: 10.1109/IWCMC.2013.6583806.
[166] M. S. Parwez, D. B. Rawat, and M. Garuba, “Big data analytics for user-activity analysis and user-anomaly detection in mobile wireless network,” IEEE Trans. Ind. Informatics, vol. 13, no. 4, pp. 2058–2065, 2017, doi: 10.1109/TII.2017.2650206.
[167] G. Shah and A. Tiwari, “Anomaly detection in IIoT: A case study using machine learning,” in ACM International Conference Proceeding Series, 2018, pp. 295–300, doi: 10.1145/3152494.3156816.
[168] P. M. Mafra, V. Moll, J. Da Silva Fraga, and A. O. Santin, “Octopus-IIDS: An anomaly based intelligent intrusion detection system,” in Proceedings - IEEE Symposium on Computers and Communications, 2010, pp. 405–410, doi: 10.1109/ISCC.2010.5546735.
[169] S. Anil and R. Remya, “A hybrid method based on genetic algorithm, self-organised feature map, and support vector machine for better network anomaly detection,” 2013, doi: 10.1109/ICCCNT.2013.6726604.
[170] R. Fujimaki, “Anomaly detection support vector machine and its application to fault diagnosis,” in Proceedings - IEEE International Conference on Data Mining, ICDM, 2008, pp. 797–802, doi: 10.1109/ICDM.2008.69.
[171] S. Duque Anton et al., “Evaluation of Machine Learning-based Anomaly Detection Algorithms on an Industrial Modbus/TCP Data Set "Evaluation of Machine Learning-based Anomaly Detection Algorithms on an Industrial Modbus/TCP Data Set CCS CONCEPTS • Security and privacy → Intrusion,” dl.acm.org, vol. 41, no. 9, pp. 1–41, Aug. 2018, doi: 10.1145/3230833.3232818.
[172] G. Yan, “Network Anomaly Traffic Detection Method Based on Support Vector Machine,” in Proceedings - 2016 International Conference on Smart City and Systems Engineering, ICSCSE 2016, 2017, pp. 3–6, doi: 10.1109/ICSCSE.2016.0011.
[173] L. Xiong, H. D. Ma, H. Z. Fang, K. X. Zou, and D. W. Yi, “Anomaly detection of spacecraft based on least squares support vector machine,” 2011, doi: 10.1109/PHM.2011.5939470.
[174] F. Wang, Y. Qian, Y. Dai, and Z. Wang, “A model based on hybrid support vector machine and self-organizing map for anomaly detection,” in 2010 WRI International Conference on Communications and Mobile Computing, CMC 2010, 2010, vol. 1, pp. 97–101, doi: 10.1109/CMC.2010.9.
[175] J. Zhang, R. Gardner, and I. Vukotic, “Anomaly detection in wide area network meshes using two machine learning algorithms,” Futur. Gener. Comput. Syst., vol. 93, pp. 418–426, Jan. 2019, doi: 10.1016/j.future.2018.07.023.
[176] L. Deecke, R. Vandermeulen, L. Ruff, S. Mandt, and M. Kloft, “Image anomaly detection with generative adversarial networks,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2019, vol. 11051 LNAI, pp. 3–17, doi: 10.1007/978-3-030-10925-7_1.
[177] M. Ćosović, S. Obradović, and L. Trajković, “Performance Evaluation of BGP Anomaly Classifiers.”
[178] G. D’Angelo, F. Palmieri, M. Ficco, and S. Rampone, “An uncertainty-managing batch relevance-based approach to network anomaly detection,” Appl. Soft Comput. J., vol. 36, pp. 408–418, 2015, doi: 10.1016/j.asoc.2015.07.029.
[179] D. Ashok Kumar and S. R. Venugopalan, “A novel algorithm for network anomaly detection using adaptive machine learning,” in Advances in Intelligent Systems and Computing, 2018, vol. 564, pp. 59–69, doi: 10.1007/978-981-10-6875-1_7.
[180] M. Marwah, R. Sharma, and C. Bash, “Thermal anomaly prediction in data centers,” 2010, doi: 10.1109/ITHERM.2010.5501330.
[181] N. Stakhanova, S. Basu, and J. Wong, “On the symbiosis of specification-based and anomaly-based detection,” Comput. Secur., 2010, doi: 10.1016/j.cose.2009.08.007.
[182] J. Lundstrom, W. O. De Morais, and M. Cooney, “A holistic smart home demonstrator for anomaly detection and response,” in 2015 IEEE International Conference on Pervasive Computing and Communication Workshops, PerCom Workshops 2015, 2015, pp. 330–335, doi: 10.1109/PERCOMW.2015.7134058.
[183] Y. Yuan, J. Fang, and Q. Wang, “Online Anomaly Detection in Crowd Scenes via Structure Analysis,” IEEE Trans. Cybern., vol. 45, no. 3, 2015, doi: 10.1109/TCYB.2014.2330853.
[184] A. Barua, D. Muthirayan, P. P. Khargonekar, and M. A. Al Faruque, “Hierarchical Temporal Memory Based Machine Learning for Real-Time, Unsupervised Anomaly Detection in Smart Grid: WiP Abstract,” in Proceedings - 2020 ACM/IEEE 11th International Conference on Cyber-Physical Systems, ICCPS 2020, 2020, pp. 188–189, doi: 10.1109/ICCPS48487.2020.00027.
[185] W. Yan, “One-class extreme learning machines for gas turbine combustor anomaly detection,” in Proceedings of the International Joint Conference on Neural Networks, 2016, vol. 2016-Octob, pp. 2909–2914, doi: 10.1109/IJCNN.2016.7727567.
[186] A. Brown, B. Hutchinson, A. Tuor, and N. Nichols, “Recurrent neural network attention mechanisms for interpretable system log anomaly detection,” Jun. 2018, doi: 10.1145/3217871.3217872.
[187] K. Atefi, S. Yahya, A. Rezaei, and S. H. B. M. Hashim, “Anomaly detection based on profile signature in network using machine learning technique,” in Proceedings - 2016 IEEE Region 10 Symposium, TENSYMP 2016, 2016, pp. 71–76, doi: 10.1109/TENCONSpring.2016.7519380.
[188] H. Suetani, A. M. Ideta, and J. Morimoto, “Nonlinear structure of escape-times to falls for a passive dynamic walker on an irregular slope: Anomaly detection using multi-class support vector machine and latent state extraction by canonical correlation analysis,” in IEEE International Conference on Intelligent Robots and Systems, 2011, pp. 2715–2722, doi: 10.1109/IROS.2011.6048434.
[189] L. Fernandez Maimo, A. L. Perales Gomez, F. J. Garcia Clemente, M. Gil Perez, and G. Martinez Perez, “A Self-Adaptive Deep Learning-Based System for Anomaly Detection in 5G Networks,” IEEE Access, vol. 6, pp. 7700–7712, 2018, doi: 10.1109/ACCESS.2018.2803446.
[190] F. Seraj, J. Van Der Zwaag, P. Havinga, A. Dilo, and T. Luarasi, “RoADS: A Road Pavement Monitoring System for Anomaly Detection Using Smart Phones,” Springer, vol. 9546, pp. 128–146, 2016, doi: 10.1007/978-3-319-29009-6_7.
[191] M. Amar, I. Gondal, and C. Wilson, “Unitary anomaly detection for ubiquitous safety in machine health monitoring,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2012, vol. 7667 LNCS, no. PART 5, pp. 361–368, doi: 10.1007/978-3-642-34500-5_43.
[192] K. Stefanidis and A. G. Voyiatzis, “An HMM-based anomaly detection approach for SCADA systems,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2016, vol. 9895 LNCS, pp. 85–99, doi: 10.1007/978-3-319-45931-8_6.
[193] S. C. Chin, A. Ray, and V. Rajagopalan, “Symbolic time series analysis for anomaly detection: A comparative evaluation,” Signal Processing, vol. 85, pp. 1859–1868, 2005, doi: 10.1016/j.sigpro.2005.03.014.
[194] F. A. González and D. Dasgupta, “Anomaly detection using real-valued negative selection,” in Genetic Programming and Evolvable Machines, Dec. 2003, vol. 4, no. 4, pp. 383–403, doi: 10.1023/A:1026195112518.
[195] E. H. Pena, L. F. Carvalho, S. Barbon Jr, J. JPC Rodrigues, and M. Lemes Proença Jr, “Anomaly detection using the correlational paraconsistent machine with digital signatures of network segment,” Inf. Sci. (Ny)., vol. 420, pp. 313–328, 2017,
doi: 10.1016/j.ins.2017.08.074.
[196] F. Gonzalez, D. Dasgupta, and R. Kozma, “Combining negative selection and classification techniques for anomaly detection,” in Proceedings of the 2002 Congress on Evolutionary Computation, CEC 2002, 2002, vol. 1, pp. 705–710, doi: 10.1109/CEC.2002.1007012.
[197] E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo, “A Geometric Framework for Unsupervised Anomaly Detection,” 2002, pp. 77–101.
[198] A. D. Schmidt, F. Peters, F. Lamour, C. Scheel, S. A. Çamtepe, and Ş. Albayrak, “Monitoring smartphones for anomaly detection,” Mob. Networks Appl., vol. 14, no. 1, pp. 92–106, Feb. 2009, doi: 10.1007/s11036-008-0113-x.
[199] M. V Mahoney and P. K. Chan, “Learning rules for anomaly detection of hostile network traffic,” in Proceedings - IEEE International Conference on Data Mining, ICDM, 2003, pp. 601–604, doi: 10.1109/icdm.2003.1250987.
[200] R. Winding, T. Wright, and M. Chapple, “System anomaly detection: Mining firewall logs,” 2006, doi: 10.1109/SECCOMW.2006.359572.
[201] N. Duffield, P. Haffner, B. Krishnamurthy, and H. Ringberg, “Rule-based anomaly detection on IP flows,” in Proceedings - IEEE INFOCOM, 2009, pp. 424–432, doi: 10.1109/INFCOM.2009.5061947.
[202] T. Stibor, P. Mohr, and J. Timmis, “Is negative selection appropriate for anomaly detection?,” in GECCO 2005 - Genetic and Evolutionary Computation Conference, 2005, pp. 321–328, doi: 10.1145/1068009.1068061.
[203] L. Scime and J. Beuth, “Anomaly detection and classification in a laser powder bed additive manufacturing process using a trained computer vision algorithm,” Addit. Manuf., vol. 19, pp. 114–126, 2018, doi: 10.1016/j.addma.2017.11.009.
[204] B. I. P. Rubinstein et al., “Stealthy poisoning attacks on PCA-based anomaly detectors,” in Performance Evaluation Review, Oct. 2009, vol. 37, no. 2, pp. 73–74, doi: 10.1145/1639562.1639592.
[205] D. D. Kim, S.-Y. Ohn, D. Kim, H. Nguyen, S. Ohn, and J. Park, “Fusions of GA and SVM for Anomaly Detection in Intrusion Detection System Software Defined Networking based Moving Target Defense View project Decomposition of convex structuring elements View project Fusions of GA and SVM for Anomaly Detection in Intrusi,” LNCS, vol. 3498, no. III, pp. 415–420, 2005, doi: 10.1007/11427469_67.
[206] E. L. Paula, M. Ladeira, R. N. Carvalho, and T. Marzagão, “Deep learning anomaly detection as support fraud investigation in Brazilian exports and anti-money laundering,” in Proceedings - 2016 15th IEEE International Conference on Machine Learning and Applications, ICMLA 2016, 2017, pp. 954–960, doi: 10.1109/ICMLA.2016.73.
[207] R. Fujimaki, T. Yairi, and K. Machida, “An anomaly detection method for spacecraft using relevance vector learning,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2005, vol. 3518 LNAI, pp. 785–790, doi: 10.1007/11430919_92.
[208] S. Liu, Y. Chen, W. Trappe, L. J. Greenstein, and N. Brunswick, ALDO: An Anomaly Detection Framework for Dynamic Spectrum Access Networks.
[209] K. Sequeira and M. Zaki, “ADMIT: Anomaly-based data mining for intrusions,” in Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 2002, pp. 386–395.
[210] V. L. L. Thing, “IEEE 802.11 network anomaly detection and attack classification: A deep learning approach,” 2017, doi: 10.1109/WCNC.2017.7925567.
[211] K. M. Ting, T. Washio, J. R. Wells, and S. Aryal, “Defying the gravity of learning curve: a characteristic of nearest neighbour anomaly detectors,” Mach. Learn., vol. 106, no. 1, pp. 55–91, 2017, doi: 10.1007/s10994-016-5586-4.
[212] Y. Zhou, S. Yan, and T. S. Huang, “DETECTING ANOMALY IN VIDEOS FROM TRAJECTORY SIMILARITY ANALYSIS.”
[213] M. Du, F. Li, G. Zheng, and V. Srikumar, “DeepLog: Anomaly detection and diagnosis from system logs through deep learning,” in Proceedings of the ACM Conference on Computer and Communications Security, Oct. 2017, pp. 1285–1298, doi: 10.1145/3133956.3134015.
[214] W. Fisher, T. Camp, V. V Krzhizhanovskaya, W. D. Fisher, and T. K. Camp, “Anomaly Detection in Earth Dam and Levee Passive Seismic Data Using Support Vector Machines and Automatic Feature Selection Modeling the Human Innate Immune System: in-silico studies View project Anomaly detection in earth dam and levee passive seismic da,” Artic. J. Comput. Sci., vol. 20, pp. 143–153, 2017, doi: 10.1016/j.jocs.2016.11.016.
[215] M. Cheng, Q. Li, J. Lv, W. Liu, and J. Wang, “Multi-Scale LSTM Model for BGP Anomaly Classification,” IEEE Trans. Serv. Comput., 2018, doi: 10.1109/TSC.2018.2824809.
[216] S. Cho and S. Cha, “SAD: Web session anomaly detection based on parameter estimation,” Comput. Secur., vol. 23, no. 4, pp. 312–319, 2004, doi: 10.1016/j.cose.2004.01.006.
[217] S. J. Han, K. J. Kim, and S. B. Cho, “Evolutionary learning program’s behavior in neural networks for anomaly detection,” Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics), vol. 3316, pp. 236–241, 2004, doi: 10.1007/978-3-540-30499-9_35.
[218] Y. Zhao, B. Deng, C. Shen, Y. Liu, H. Lu, and X. S. Hua, “Spatio-temporal AutoEncoder for video anomaly detection,” in MM 2017 - Proceedings of the 2017 ACM Multimedia Conference, Oct. 2017, pp. 1933–1941, doi: 10.1145/3123266.3123451.
[219] C. Pascoal, M. Rosário De Oliveira, R. Valadas, P. Filzmoser, P. Salvador, and A. Pacheco, Robust Feature Selection and Robust PCA for Internet Traffic Anomaly Detection.
[220] G. Pang, C. Shen, and A. Van Den Hengel, “Deep Anomaly Detection with Deviation Networks,” dl.acm.org, pp. 353–362, Jul. 2019, doi: 10.1145/3292500.3330871.
[221] J. Liu, J. Gu, H. Li, and K. H. Carlson, “Machine learning and transport simulations for groundwater anomaly detection,” J. Comput. Appl. Math., vol. 380, 2020, doi: 10.1016/j.cam.2020.112982.
[222] R. Bhatia, S. Benno, J. Esteban, T. V. Lakshman, and J. Grogan, “Unsupervised machine learning for network-centric anomaly detection in IoT,” in Big-DAMA 2019 - Proceedings of the 3rd ACM CoNEXT Workshop on Big DAta, Machine Learning and Artificial Intelligence for Data Communication Networks, Part of CoNEXT 2019, Dec. 2019, pp. 42–48, doi: 10.1145/3359992.3366641.
[223] Z. Chkirbene, S. Eltanbouly, M. Bashendy, N. Alnaimi, and A. Erbad, “Hybrid Machine Learning for Network Anomaly Intrusion Detection,” in 2020 IEEE International Conference on Informatics, IoT, and Enabling Technologies, ICIoT 2020, 2020, pp. 163–170, doi: 10.1109/ICIoT48696.2020.9089575.
[224] J. Wang et al., “An anomaly prediction framework for financial IT systems using hybrid machine learning methods,” Artic. J. Ambient Intell. Humaniz. Comput., 2019, doi: 10.1007/s12652-019-01645-z.
[225] H. Goldberg, H. Kwon, and N. M. Nasrabadi, “Kernel eigenspace separation transform for subspace anomaly detection in hyperspectral imagery,” IEEE Geosci. Remote Sens. Lett., vol. 4, no. 4, pp. 581–585, Oct. 2007, doi: 10.1109/LGRS.2007.903083.
[226] Y. Feng, Z. F. Wu, K. G. Wu, Z. Y. Xiong, and Y. Zhou, “An unsupervised anomaly intrusion detection algorithm based on swarm intelligence,” in 2005 International Conference on Machine Learning and Cybernetics, ICMLC 2005, 2005, pp. 3965–3969, doi: 10.1109/icmlc.2005.1527630.
[227] H. Y. Shahir, U. Glasser, A. Y. Shahir, and H. Wehn, “Maritime situation analysis framework: Vessel interaction classification and anomaly detection,” in Proceedings - 2015 IEEE International Conference on Big Data, IEEE Big Data 2015, 2015, pp. 1279–1289, doi: 10.1109/BigData.2015.7363883.
[228] D. B. Araya, K. Grolinger, H. F. ElYamany, M. A. M. Capretz, and G. Bitsuamlak, “An ensemble learning framework for
Selection Techniques for Anomaly Detectors Generation.
[263] G. Marín, P. Casas, and G. Capdehourat, “RawPower: Deep learning based anomaly detection from raw network traffic measurements,” in SIGCOMM 2018 - Proceedings of the 2018 Posters and Demos, Part of SIGCOMM 2018, Aug. 2018, pp. 75–77, doi: 10.1145/3234200.3234238.
[264] / Casas, P. ; Soro, F. ; Vanerio, J. ; Settanni, and G. ; D’alconzo, “Network security and anomaly detection with Big-DAMA, a big data analytics framework,” ieeexplore.ieee.org, pp. 1–7, 2017, doi: 10.1109/CloudNet.2017.8071525.
[265] X. D. Hoang and J. Hu, “An efficient hidden markov model training scheme for anomaly intrusion detection of server applications based on system calls,” in Proceedings - IEEE International Conference on Networks, ICON, 2004, vol. 2, pp. 470–474, doi: 10.1109/ICON.2004.1409210.
[266] I. O. De Urbina Cazenave, E. Köşlük, and M. C. Ganiz, “An anomaly detection framework for BGP,” in INISTA 2011 - 2011 International Symposium on INnovations in Intelligent SysTems and Applications, 2011, pp. 107–111, doi: 10.1109/INISTA.2011.5946083.
[267] O. Raz, P. Koopman, and M. Shaw, “Semantic anomaly detection in online data sources,” in Proceedings - International Conference on Software Engineering, 2002, pp. 302–312, doi: 10.1145/581339.581378.
[268] H. M. Anwer, M. Farouk, and A. Abdel-Hamid, “A framework for efficient network anomaly intrusion detection with features selection,” in 2018 9th International Conference on Information and Communication Systems, ICICS 2018, 2018, vol. 2018-Janua, pp. 157–162, doi: 10.1109/IACS.2018.8355459.
[269] X. Wang, J. S. Wong, F. Stanley, and S. Basu, “Cross-layer based anomaly detection in wireless mesh networks,” in Proceedings - 2009 9th Annual International Symposium on Applications and the Internet, SAINT 2009, 2009, pp. 9–15, doi: 10.1109/SAINT.2009.11.
[270] K. Alrawashdeh and C. Purdy, “Reducing calculation requirements in FPGA implementation of deep learning algorithms for online anomaly intrusion detection,” in Proceedings of the IEEE National Aerospace Electronics Conference, NAECON, 2018, vol. 2017-June, pp. 57–62, doi: 10.1109/NAECON.2017.8268745.
[271] R. Kumari, Sheetanshu, M. K. Singh, R. Jha, and N. K. Singh, “Anomaly detection in network traffic using K-mean clustering,” in 2016 3rd International Conference on Recent Advances in Information Technology, RAIT 2016, 2016, pp. 387–393, doi: 10.1109/RAIT.2016.7507933.
[272] P. Mulinka and P. Casas, “Stream-based machine learning for network security and anomaly detection,” in Big-DAMA 2018 - Proceedings of the 2018 Workshop on Big Data Analytics and Machine Learning for Data Communication Networks, Part of SIGCOMM 2018, Aug. 2018, pp. 1–7, doi: 10.1145/3229607.3229612.
[273] T. Ahmed, M. Coates, and A. Lakhina, “Multivariate Online Anomaly Detection Using Kernel Recursive Least Squares.”
[274] V. L. Cao, M. Nicolau, and J. McDermott, “A hybrid autoencoder and density estimation model for anomaly detection,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2016, vol. 9921 LNCS, pp. 717–726, doi: 10.1007/978-3-319-45823-6_67.
[275] D. Narsingyani and O. Kale, “Optimizing false positive in anomaly based intrusion detection using Genetic algorithm,” in Proceedings of the 2015 IEEE 3rd International Conference on MOOCs, Innovation and Technology in Education, MITE 2015, 2016, pp. 72–77, doi: 10.1109/MITE.2015.7375291.
[276] M. Sabokrou, M. Fayyaz, M. Fathy, Z. Moayed, and R. Klette, “Deep-anomaly: Fully convolutional neural network for fast anomaly detection in crowded scenes,” Comput. Vis. Image Underst., vol. 172, pp. 88–97, 2018, doi: 10.1016/j.cviu.2018.02.006.
[277] R. Chalapathy, E. Toth, and S. Chawla, “Group anomaly detection using deep generative models,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2019, vol. 11051 LNAI, pp. 173–189, doi: 10.1007/978-3-030-10925-7_11.
[278] F. Doelitzscher, M. Knahl, C. Reich, and N. Clarke, “Anomaly detection in IaaS Clouds,” in Proceedings of the International Conference on Cloud Computing Technology and Science, CloudCom, 2013, vol. 1, pp. 387–394, doi: 10.1109/CloudCom.2013.57.
[279] F. M. Shah, N. F. Haq, and A. Rahman Onik, “An Ensemble Framework of Anomaly Detection Using Hybridized Feature Selection Approach (HFSA),” ieeexplore.ieee.org, 2015, doi: 10.1109/IntelliSys.2015.7361264.
[280] J. Tian, H. Gu, J. Tian, and · H Gu, “Anomaly detection combining one-class SVMs and particle swarm optimization algorithms,” Springer, vol. 61, no. 1–2, pp. 303–310, Jul. 2010, doi: 10.1007/s11071-009-9650-5.
[281] G. A. Susto, A. Beghi, and S. McLoone, “Anomaly Detection through on-line Isolation Forest: An application to plasma etching,” in 2017 28th Annual SEMI Advanced Semiconductor Manufacturing Conference (ASMC), 2017, pp. 89–94, doi: 10.23919/mipro.2017.7966552.
[282] I. Paredes-Oliva, I. Castell-Uroz, P. Barlet-Ros, X. Dimitropoulos, and J. Solé-Pareta, “Practical Anomaly Detection based on Classifying Frequent Traffic Patterns,” 2012.
[283] I. Ullah and Q. H. Mahmoud, “A hybrid model for anomaly-based intrusion detection in SCADA networks,” in Proceedings - 2017 IEEE International Conference on Big Data, Big Data 2017, 2017, vol. 2018-Janua, pp. 2160–2167, doi: 10.1109/BigData.2017.8258164.
[284] X. Q. Zhang and C. H. Gu, “CH-SVM based network anomaly detection,” in Proceedings of the Sixth International Conference on Machine Learning and Cybernetics, ICMLC 2007, 2007, vol. 6, pp. 3261–3266, doi: 10.1109/ICMLC.2007.4370710.
[285] D. Li, D. Chen, B. Jin, L. Shi, J. Goh, and S. K. Ng, “MAD-GAN: Multivariate Anomaly Detection for Time Series Data with Generative Adversarial Networks,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2019, vol. 11730 LNCS, pp. 703–716, doi: 10.1007/978-3-030-30490-4_56.
[286] T. Sipola, A. Juvonen, and J. Lehtonen, “Anomaly detection from network logs using diffusion maps,” in IFIP Advances in Information and Communication Technology, 2011, vol. 363 AICT, no. PART 1, pp. 172–181, doi: 10.1007/978-3-642-23957-1_20.
[287] M. Zhu, K. Ye, Y. Wang, and C. Z. Xu, “A deep learning approach for network anomaly detection based on AMF-LSTM,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2018, vol. 11276 LNCS, pp. 137–141, doi: 10.1007/978-3-030-05677-3_13.
[288] B. Shah and B. H. Trivedi, “Reducing features of KDD CUP 1999 dataset for anomaly detection using back propagation neural network,” in International Conference on Advanced Computing and Communication Technologies, ACCT, 2015, vol. 2015-April, pp. 247–251, doi: 10.1109/ACCT.2015.131.
[289] X. Gu and H. Wang, “Online Anomaly Prediction for Robust Cluster Systems.”
[290] A. Chiang, E. David, Y. J. Lee, G. Leshem, and Y. R. Yeh, “A study on anomaly detection ensembles,” J. Appl. Log., vol. 21, pp. 1–13, 2017, doi: 10.1016/j.jal.2016.12.002.
[291] D. S. Terzi, R. Terzi, and S. Sagiroglu, “Big data analytics for network anomaly detection from netflow data,” in 2nd International Conference on Computer Science and Engineering, UBMK 2017, 2017, pp. 592–597, doi: 10.1109/UBMK.2017.8093473.
[292] N. T. Van, T. N. Thinh, and L. T. Sach, “An anomaly-based network intrusion detection system using Deep learning,” in Proceedings - 2017 International Conference on System Science and Engineering, ICSSE 2017, 2017, pp. 210–214, doi: 10.1109/ICSSE.2017.8030867.
[293] R. K. Malaiya, D. Kwon, S. C. Suh, H. Kim, I. Kim, and J. Kim,
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3083060, IEEE Access
“An Empirical Evaluation of Deep Learning for Network probabilistic calibration model,” Math. Probl. Eng., 2015, doi:
Anomaly Detection,” IEEE Access, vol. 7, pp. 140806–140817, 10.1155/2015/923792.
2019, doi: 10.1109/ACCESS.2019.2943249. [310] E. Quatrini, F. Costantino, G. Di Gravio, and R. Patriarca,
[294] D. Yao, M. Yin, J. Luo, and S. Zhang, “Network anomaly “Machine learning for anomaly detection and process phase
detection using Random Forests and entropy of traffic features,” classification to improve safety and maintenance activities,” J.
in Proceedings - 2012 4th International Conference on Manuf. Syst., vol. 56, pp. 117–132, Jul. 2020, doi:
Multimedia and Security, MINES 2012, 2012, pp. 926–929, doi: 10.1016/j.jmsy.2020.05.013.
10.1109/MINES.2012.146. [311] Y. Liu, Z. Pang, M. Karlsson, and S. Gong, “Anomaly detection
[295] S. Rajasegarar, C. Leckie, M. Palaniswami, and J. C. Bezdek, based on machine learning in IoT-based vertical plant wall for
“Quarter sphere based distributed anomaly detection in wireless indoor climate control,” Build. Environ., vol. 183, p. 107212,
sensor networks,” in IEEE International Conference on Oct. 2020, doi: 10.1016/j.buildenv.2020.107212.
Communications, 2007, pp. 3864–3869, doi: [312] P. Tang et al., “Anomaly detection in electronic invoice systems
10.1109/ICC.2007.637. based on machine learning,” Inf. Sci. (Ny)., vol. 535, pp. 172–
[296] D. Boro, B. Nongpoh, and D. K. Bhattacharyya, “Anomaly 186, Oct. 2020, doi: 10.1016/j.ins.2020.03.089.
based intrusion detection using meta ensemble classifier,” in [313] I. G. A. Poornima and B. Paramasivan, “Anomaly detection in
Proceedings of the 5th International Conference on Security of wireless sensor network using machine learning algorithm,”
Information and Networks, SIN’12, 2012, pp. 143–147, doi: Comput. Commun., vol. 151, pp. 331–337, Feb. 2020, doi:
10.1145/2388576.2388596. 10.1016/j.comcom.2020.01.005.
[297] F. Yihunie, E. Abdelfattah, and A. Regmi, “Applying Machine [314] G. Pu, L. Wang, J. Shen, and F. Dong, “A hybrid unsupervised
Learning to Anomaly-Based Intrusion Detection Systems,” May clustering-based anomaly detection method,” Tsinghua Sci.
2019, doi: 10.1109/LISAT.2019.8817340. Technol., vol. 26, no. 2, pp. 146–153, Apr. 2021, doi:
[298] L. Bontemps, V. L. Cao, J. McDermott, and N. A. Le-Khac, 10.26599/TST.2019.9010051.
“Collective anomaly detection based on long short-term memory [315] A. N. Huy, V. N. Tam, I. K. Dong, and D. Choi, “Network
recurrent neural networks,” in Lecture Notes in Computer traffic anomalies detection and identification with flow
Science (including subseries Lecture Notes in Artificial monitoring,” 2008, doi: 10.1109/WOCN.2008.4542524.
Intelligence and Lecture Notes in Bioinformatics), 2016, vol. [316] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, Network
10018 LNCS, pp. 141–152, doi: 10.1007/978-3-319-48057-2_9. Traffic Anomaly Detection and Prevention. 2017.
[299] I. Alrashdi, A. Alqazzaz, E. Aloufi, R. Alharthi, M. Zohdy, and [317] X. Lu, P. Liu, and J. Lin, “Network traffic anomaly detection
H. Ming, “AD-IoT: Anomaly detection of IoT cyberattacks in based on information gain and deep learning,” in ACM
smart city using machine learning,” in 2019 IEEE 9th Annual International Conference Proceeding Series, Apr. 2019, pp. 11–
Computing and Communication Workshop and Conference, 15, doi: 10.1145/3325917.3325946.
CCWC 2019, 2019, pp. 305–310, doi: [318] Y. Gu, A. McCallum, and D. Towsley, “Detecting anomalies in
10.1109/CCWC.2019.8666450. network traffic using maximum entropy estimation,” 2005, doi:
[300] S. Rayana and L. Akoglu, “Less is more: Building selective 10.1145/1330107.1330148.
anomaly ensembles,” ACM Trans. Knowl. Discov. Data, vol. 10,
no. 4, May 2016, doi: 10.1145/2890508.
[301] D. Damopoulos, G. Kambourakis, and G. Portokalidis, “The best
of both worlds. A framework for the synergistic operation of
host and cloud anomaly-based IDS for smartphones,” 2014, doi:
10.1145/2592791.2592797.
[302] D. Ippoliti and X. Zhou, “A-GHSOM: An adaptive growing
hierarchical self organizing map for network anomaly
detection,” J. Parallel Distrib. Comput., vol. 72, no. 12, pp.
1576–1590, 2012, doi: 10.1016/j.jpdc.2012.09.004.
[303] D. Cozzolino and L. Verdoliva, “Single-image splicing
localization through autoencoder-based anomaly detection,”
2017, doi: 10.1109/WIFS.2016.7823921.
[304] M. Al-Subaie and M. Zulkernine, “Efficacy of Hidden Markov
Models over neural networks in anomaly intrusion detection,” in
Proceedings - International Computer Software and
Applications Conference, 2006, vol. 1, pp. 325–332, doi:
10.1109/COMPSAC.2006.40.
[305] R. Fujimaki, T. Yairi, and K. Machida, “An approach to
spacecraft anomaly detection problem using Kernel Feature
Space,” in Proceedings of the ACM SIGKDD International
Conference on Knowledge Discovery and Data Mining, 2005,
pp. 401–410, doi: 10.1145/1081870.1081917.
[306] I. Khokhlov, M. Perez, and L. Reznik, “Machine learning in
anomaly detection: Example of colluded applications attack in
android devices,” in Proceedings - 18th IEEE International
Conference on Machine Learning and Applications, ICMLA
2019, 2019, pp. 1328–1333, doi: 10.1109/ICMLA.2019.00216.
[307] A. Selvaraj, R. Patan, A. H. Gandomi, G. G. Deverajan, and M.
Pushparaj, “Optimal virtual machine selection for anomaly
detection using a swarm intelligence approach,” Appl. Soft
Comput. J., vol. 84, 2019, doi: 10.1016/j.asoc.2019.105686.
[308] R. Punmiya, O. Zyabkina, S. Choe, and J. Meyer, “Anomaly
detection in power quality measurements using proximity-based
unsupervised machine learning techniques,” 2019, doi:
10.1109/PQ.2019.8818236.
[309] Y. Li, X. Luo, Y. Qian, and X. Zhao, “Network-wide traffic
anomaly detection and localization based on robust multivariate
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/