Received May 16, 2019, accepted June 5, 2019, date of publication June 10, 2019, date of current version

July 3, 2019.
Digital Object Identifier 10.1109/ACCESS.2019.2921912

Anomaly Detection, Analysis and Prediction

Techniques in IoT Environment: A Systematic
Literature Review
MUHAMMAD FAHIM AND ALBERTO SILLITTI
Institute of Information Systems, Innopolis University, 420500 Innopolis, Russia
Corresponding author: Muhammad Fahim ([email protected])

ABSTRACT Anomaly detection has attracted considerable attention from the research community in the past
few years due to the advancement of sensor monitoring technologies, low-cost solutions, and high impact
in diverse application domains. Sensors generate a huge amount of data while monitoring the physical
spaces and objects. These huge collected data streams can be analyzed to identify unhealthy behaviors.
It may reduce functional risks, avoid unseen problems, and prevent downtime of the systems. Many research
methodologies have been designed and developed to determine such anomalous behaviors in security and
risk analysis domains. In this paper, we present the results of a systematic literature review about anomaly
detection techniques except for these dominant research areas. We focus on the studies published from
2000 to 2018 in the application areas of intelligent inhabitant environments, transportation systems, health
care systems, smart objects, and industrial systems. We have identified a number of research gaps related
to the data collection, the analysis of imbalanced large datasets, limitations of statistical methods to process
the huge sensory data, and few research articles in abnormal behavior prediction in real scenarios. Based
on our analysis, researchers and practitioners can acquaint themselves with the existing approaches, use
them to solve real problems, and/or further contribute to developing novel techniques for anomaly detection,
prediction, and analysis.

INDEX TERMS Statistical learning, machine learning, intelligent environments, smart objects, intelligent
transportation systems, industrial systems.

I. INTRODUCTION normal flights whereas data with anomalous behaviors are

Today’s world is surrounded by a huge number of Internet very rare. At the same time, in many applications, it is very
of Things (IoT) that are generating a huge amount of data difficult to generate the anomalous behaviors because of the
and anomalies are an integral part of almost every system. waste of resources or even sometimes it is not possible due
These anomalies can be an indicator of wasting the resources to system constrains. In anomaly detection methods, most
in an industrial system, a critical situation at avionics platform models are trained on time series patterns of normal behavior.
to avoid the unexpected problems, or detecting an abnormal Every event that does not conform to it is considered as
behavior of the medical instruments etc. Consequently, being anomalous behavior [1]. The research community has already
able to recognize the anomalies can have enormous impact developed solid methods to detect anomalies inside historical
on the overall performance of any observed system. The key data, real-time analysis and prediction of unusual behaviors
challenges in recognizing anomalies include defining the in IoT environment. Our focus is to study the developed sta-
precise boundaries between normal/abnormal behaviors. The tistical and machine learning methods for anomaly detection,
availability of abnormal observations to train the models is analysis, and prediction in IoT environment. The challenges
scarce. In real-life scenarios, abnormal behavioral patterns include the concise information about the developed methods,
are very few compared to normal behaviors. For instance, suitability for specific application domain and requirements
in avionics systems, we can have plenty of aircraft data about of learning process for recognizing the anomalous behavior.
Furthermore, we have investigated the context where these
The associate editor coordinating the review of this manuscript and methods are used and achieved performance in real case
approving it for publication was Md. Abdur Razzaque. studies.
2169-3536 2019 IEEE. Translations and content mining are permitted for academic research only.
81664 Personal use is also permitted, but republication/redistribution requires IEEE permission. VOLUME 7, 2019
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
There are several survey papers about anomaly detec-
tion and analysis with focus on security and risk anal-
ysis (e.g., intrusion detection for computer network
system [2], [3], fraud detections [4], and credit risk analy-
sis [5]). In this systematic literature review, a special focus
is made to investigate and analyze the existing approaches to
detect anomalous behavior for areas such as smart environ-
ments, transportation networks, health care systems, smart
objects, and industrial systems. The reason to investigate
these selected areas is to provide compact information about
the developed methods since these areas have gained less
attention in anomaly detection domain as compared to the
intrusion detection in networks and fraud detection. To select
and apply appropriate anomaly detection technique, a number
of factors including the nature of generated sensory data
stream, type of anomaly, and availability of training data
should be considered. We present a systematic flow-chart of
anomaly detection system in Figure 1.
FIGURE 1. The flow-chart of anomaly detection systems.
In anomaly detection system (as shown in Figure 1),
the first step is to know the nature of the collected data
stream. It can be binary, continuous, or discrete along with a
relationship structure. This relationship structure shows that it
is either time series data, spatial data, or graph data. Such rela-
tionship helps to choose the correct technique for the anomaly
detection, analysis, or prediction. The second step is to iden-
tify the type of anomaly from a predefined set (i.e. point
anomaly, contextual anomaly, and collective anomaly [1]).
The third step is to know the availability of training data
to build an anomaly detection system. Depending on the
VOLUME 7, 2019
availability of the data and its annotation, we may describe it
as a supervised, unsupervised or semi-supervised. Such infor-
mation assists the engineers to choose appropriate anomaly
detection technique. In supervised training, we have the avail-
ability of the data with class labels and its simplest form
of learning to detect the anomalous behavior of the system.
In case of unsupervised learning, we have data but without
any concrete output (i.e. class labels). Similarly, in case
of semi-supervised learning we have limited examples with
class labels while the rest of the data is unlabeled. We pro-
vide the details in our results section which method can be
beneficial in the above-mentioned data availability scenarios
to build the anomaly detection system. The details of each
anomaly type is as follows.
A. POINT ANOMALY
Point anomaly is an observation point in the data stream
that is far from the rest of the data. It is also known as an
‘‘outlier’’ [6]. For Example, a satellite transmits the data to
its base station. This data has a regular shape with certain
raise/fall in the value. At some point, a high raise or low fall in
the data can be abnormal behavior that is known as anomaly.
Such anomalies need to be recognized before processing or
doing further analysis on the data. Similarly, a temperature
data of a building have a regular shape and certain raise/fall in
the value can be an abnormal value from the sensor. Figure 2
illustrates a point anomaly.
FIGURE 2. Hourly temperature of a building with point anomaly.
In Figure 2, the vertical axis shows the temperature in
Celsius scale while horizontal axis explains the hour of the
day. At 17 o’clock on horizontal-axis a temperature rise to
50◦ C that is anomalous behavior known as a point anomaly.
It may rise due to some abnormal behavior or fault in the
sensor reading. Furthermore, real-world applications have
high dimensionality and cannot be easily represented in two
dimensional space [7]. In order to process the data streams for
finding the point anomalies, dimensions of the observations
is decreased using dimensionality reduction techniques.
B. CONTEXTUAL ANOMALY
The contextual anomaly is an observation point that is normal
in one scenario, while abnormal in another. Such anomaly
requires knowledge of context and also known as conditional
anomalies [8]. This type of anomalies are common in time-
series data streams. For instance, a heavy traffic on a highway
during office hours is normal, but after midnight it is contex-
tually anomalous behavior of the traffic. Such situation may
arise due to an accident, low visibility due to foggy weather
81665
 M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
FIGURE 3. Number of cars on the road at different times of the day with
contextual anomaly.
or some other reasons. In this type of anomaly, we need to
analyze other dependent parameters as well to consider it
anomaly or normal routine behavior. Figure 3 provides an
example of contextual anomaly.
In Figure 3, vertical-axis presents the number of cars on
the highway and horizontal-axis presents the hour of the day.
The first two peaks are normal in the context while the third
peak is contextually abnormal by applying the condition of
time.
C. COLLECTIVE ANOMALY
A sequence of observations are analyzed to know the col-
lective behavior of the data stream. Any deviation from the
normal pattern may lead to collective anomaly with respect
to entire data patterns over consecutive time intervals. For
example, a single time interval observation is not sufficient to
determine the heart behavior [5], whereas collective signals
may determine the normal or abnormal behavior, as shown
in Figure 4.
FIGURE 4. Heart rate monitoring signal with the entire data patterns over
a consecutive time intervals.
In Figure 4, it can be seen that observation pattern is
anomalous around 3 and 4 interval as compared to the rest
of the signals. All kind of anomalies are associated with a
time unit and it is possible to have seasonal trends in data
streams [9]. For instance, the heart rate signal can be abnor-
mal due to the reading right after the running or gym activity.
Similarly, the sales of air condition increase during the sum-
mer and decline at the end of summer season. This seasonality
effect can also be observed in the electricity consumption
during the hot days. To apply an anomaly detection method,
some approaches remove the seasonality trends during the
analysis, while others have specific process for seasonalities
patterns [10], [11].
The rest of the paper is organized as follows: Section II
introduces developed protocol for systematic literature
review. Section III provides the search keywords used to
find the relevant literature. Section IV describes the inclu-
sion and exclusion criteria to identified the relevant articles.
Section V provide the quality assessment details followed
by Section VI to provide the details of our contribution.
81666
Section VII reports the obtained results. Section VIII dis-
cusses them while research gaps are presented in Section IX.
We conclude our paper in Section X.
II. PROTOCOL DEVELOPMENT
This systematic literature review is based on the guidelines
proposed by David Budgen [12]. The following steps are
adopted during the development of protocol.
A. RESEARCH QUESTIONS
The specific research questions addressed by this literature
review are:
Q1. What kind of sensors along with generated data
streams are used to detect anomalies?
Q2. What kind of methods are used in different IoT envi-
ronment for detecting an anomalous behavior?
Q3. What sort of evaluation criteria is applied to measure
the performance of the system?
Q4. What are the existing challenges to recognize the
anomalous behavior in considered domains?
B. SEARCH PROCESS
The literature review search from 2000 until 2018. This litera-
ture review was conducted by an initial search of the selected
databases and listed in Table 1.
TABLE 1. The electronic databases search.
TABLE 2. The list of search keywords.
III. SEARCH KEYWORDS
We obtained the search keywords from our research questions
to find the relevant literature. The following Table 2 lists our
search keywords.
IV. INCLUSION AND EXCLUSION CRITERIA
The following criteria is defined to include the identified
relevant articles in this review.
• The articles published in the mentioned databases in
Section II-B to maintain and ensure the quality.
VOLUME 7, 2019
M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
• The articles focusing on anomaly detection, analy-
sis, and prediction in intelligent inhabitant environ-
ments, transportation systems, healthcare systems, smart
objects, and industrial systems.
• The developed methods are evaluated on real datasets.
• All articles should be online to ensure the paper
accessibility.
• All articles should be written in English language.
• Peer reviewed papers.
The following papers were excluded
• All articles that do not meet the inclusion criteria.
• All articles that are related to anomaly detection in the
security and risk management domain because it is not
the focus of this literature survey.
V. QUALITY ASSESSMENT
The quality of the search results are ensured after extracting
the information from selected digital libraries. Both authors
read the abstracts of the papers from the search lists and
decided which paper should be included or excluded to
proceed. It has been found that most of the research stud-
ies are evaluated on synthetic datasets, while our selec-
tion criteria are based on the real datasets in a real-system
environment to assure the engineering practicability. Total
70 articles passed the criteria and are included in our liter-
ature review. The selected papers from both authors were
synchronized together and conflicting views upon the articles
have been resolved followed by discussion. After finalizing
the list, the papers are divided into two groups and analyzed.
These two groups categorization is based on the technical
approaches from the domain of statistical learning as well
as machine learning. The technical insight is constructed for
providing compact information to the reader about the devel-
oped methods. Our contributions and findings are reported in
the following section.
VI. OUR CONTRIBUTIONS
In the past, the research community has conducted several
anomaly detection reviews ranging from comprehensive to
certain application domains [1], [13], [14]. We found credible
literature review papers [13], [14], that discuss the available
techniques with challenges to detect different kinds of anoma-
lies. This systematic literature review is built upon these two
works by significantly expanding them in several directions.
The new directions in our systematic literature review include
recently developed approaches in the last decades such as the
categorization of developed methods into statistical, machine
learning, and deep learning in different domains. An informa-
tive prospective to choose the appropriate technique based on
our provided analysis. Furthermore, this literature survey pro-
vides up-to-date information and identified the research gaps.
It can provide the details for detecting anomalies more effi-
ciently and where to invest energy to overcome the existing
challenges. According to the best of our knowledge, we could
not find a systematic literature survey including emerging
fields in intelligent environment, intelligent transport system,
VOLUME 7, 2019
smart objects, healthcare system, and industrial system in the
context of anomalies detection, analysis and prediction.
VII. RESULTS
In this section, the reported results are based on the developed
protocol. Each subsection explains about the domain with
a developed set of techniques in the area of statistical, and
machine learning domain.
A. ANOMALOUS BEHAVIOR IN INTELLIGENT
INHABITANT ENVIRONMENT
In intelligent inhabitant environment, embedded sensor tech-
nology plays a major role to monitor the occupants’ behav-
ior. The embedded sensors are one of the best solutions for
elderly population to provide a level of independence and
comfort in their homes rather than requiring them to reside
at health care centers [15]. The inhabitant interacts with
the household objects and the embedded sensors generate
the time-series data to recognize the performed activities.
Generated sensor data is very sparse because sensor val-
ues change when the inhabitant interacts with objects. The
need for a robust anomaly detection model is essential in
any intelligent environment [16], to deal with the abnormal
situations properly. Anomalous behavior is relatively new in
intelligent environment and is currently being explored in the
research community. The following literature is found and
characterized according to defined research questions.
1) STATISTICAL METHODS
In the statistical methods, the dissimilarity-based model is
developed [17], where an index is used to measure the degree
of resemblance between the normal and abnormal behav-
ior. They performed the experiments on the two different
datasets with single inhabitants at home. In the literature,
we can find several dissimilarity measurements such as ham-
ming distance measure, Manhattan distance measures, cosine
similarity etc. The selection of distance measures plays an
important role and can be selected based on the nature of
the data. In intelligent environment, the sensors are mostly
sending binary information about the objects which are either
in a functional or rest state. For such kinds of binary data,
suitable distance measure can be selected from a list of 76 dis-
tances that are described in [23]. All these distance measures
can be used for binary data. The statistical measure per-
centile based method is developed to extract the parameters
of the normal behavior of user interaction over the labeled
available data (i.e. supervised learning) [18]. Any deviation
from these interactions is considered as anomalous behavior.
The reported study is based on four smart homes of senior
citizens. The smart homes are equipped with motion and
door sensors to recognize the behavior of the inhabitants.
The developed method is evaluated over the monitoring data
of 650 days. The probabilistic models Gaussian Mixture
Model (GMM) [19], is trained over the historical data to learn
the normal patterns of each activity to provide an opinion of
normal activity or abnormal. Such approaches have a primary
81667
 M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
TABLE 3. The statistical methods in intelligent inhabitant environment.
advantage to detect the abnormality, even when such patterns
are not seen previously. The experiments were carried out
on the commercial system of lifestyle reassurance data for
12 months. The Markov models are successful to predict
the sequential data. A hierarchical hidden Markov model
(HMM) [20], is proposed for predicting the abnormal human
behavior in a smart home setting. A meal preparation activity
was considered for up to 14 days. The system was trained
on the normal patterns of the occupants and any deviation
is considered as abnormal behavior. Another variation of
Markov model [21], is developed by introducing the con-
cept of switching hidden semi-Markov model (S-HSMM).
They consider the six household activities and trained the
model on normal behavior of the activities. If an activity
duration is long in comparison to the trained model, then it is
declared as abnormal. Furthermore, system provide a signal
to an alert generation system. Another approach, based on the
Bayesian model [22], is also developed for anomaly detection
and estimated probabilistic features in terms of likelihood.
A real-time sensory data stream of three smart homes were
collected for 14, 25, and 21 days. In Table 3, we present our
findings based on statistical methods in intelligent inhabitant
environment.
2) MACHINE LEARNING METHODS
Machine learning methods are designed and developed to
detect the anomalies. One of the most popular and effective
methods in anomaly detection is one class Support Vector
Machine (SVM) [16]. One class SVM has the capability to
separate the positive data points from anomalous data points
in the features space. The best characteristics of once class
SVM is that it can be trained over the data of single class.
Upon the absence of anomalous data, it still has a minimum
distance from the presented class. Consequently, everything
81668
outside the positive class boundary in the feature space is
considered as an anomaly. The one class SVM approach is
validated using real-world sensor data captured from three
publicly available smart home datasets. The variations of
SVM classifier [24], [25], also contribute to recognize the
anomalous behavior of the inhabitant in smart environments
and evaluated on the real-life collected datasets. A support
vector description (SVD) [25], based approach is developed
to detect abnormal behavior for elderly people living home
alone. SVD belongs to the family of dimensionality reduction
techniques and ability to include regularization terms. These
regularization terms consequently eliminate the problem of
overfitting. A novel scheme is constructed to represent human
activities in a form of a state transition table and classified by
multi-class SVM [24]. By nature, SVM is binary classifier
while it can be utilized in multi-class setting by considering
two approaches.(i.e., one vs Rest/All or one vs one). Multi-
class SVM is able to recognize the collective anomalies.
They performed the experiments over the wearable gadgets
collected data stream to detect the abnormal behavior. A non-
linear regression method [27], was developed to reduce the
false positive rate. They trained their model using one class
support vector machine over the normal activities to filter out
most of the normal instances and suspicious instances are
passed to kernel non-linear regression for further detection.
The evaluation is based on real-world data consisting of 431
traces of normal daily activities and 112 anomalous traces.
We also found feature reduction method principal component
analysis (PCA) with fuzzy rule-based system [26], [29], that
is successfully applied to recognize the anomalous behav-
ior of the user inside the home environment. Fuzzy rule-
based system is based on three steps. First it check the
inputs and observe the confidence limits. In second phase
rules are fired according the confidence limits of inputs.
VOLUME 7, 2019
M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
TABLE 4. The machine learning methods in intelligent inhabitant environment.
Finally, values are defuzzified to rank the data point with
a degree of abnormal behavior or not. They performed the
experiments over the three case studies to evaluate the perfor-
mance of developed model. During our defined search period,
we find couple of deep learning model in intelligent inhabi-
tant domain to detect the anomalous behavior. Most of them
are working on synthetic dataset. A Convolutional Neural
Network (CNN) in a combinational scheme with Recurrent
Neural Network (RNN) and SVM [28], is developed over a
small real dataset to find the anomalous behavior of residents.
They train the CNN model over the raw signals with activity
class and do prediction with SVM. They also transformed
the raw data stream to spectogram and utilize the RNN.
They reported both models in their proposed scheme good
enough to detect anomalous behavior. Table 4 presents our
findings in the literature based on machine learning methods
in intelligent inhabitant environment.
B. ANOMALOUS BEHAVIOR IN INTELLIGENT
TRANSPORTATION SYSTEM
The applications area of intelligent transportation systems
cover a wide and diverse area. During the search process
of systematic literature review, the following methods were
found to detect the anomalies.
1) STATISTICAL METHODS
In intelligent transportation systems, a huge amount of
multi-dimensional time-series data is generated from a num-
ber of components and attached sensors. Due to the high-
dimensional feature spaces, linear models are unable to model
VOLUME 7, 2019
the complex association. The research community success-
fully applied Principal Component Analysis (PCA) to reduce
the feature space and developed kernel feature space to
detect the anomalous behavior of the system [30]. They per-
formed the experiments to detect the anomalies on teleme-
try data obtained from international space station. In kernel
tricks, most of the time it is utilized in machine learning
methods while it comes from statistical methods. In kernel
trick, feature space is transformed into higher dimensional
space where data points are linearly separable. Such meth-
ods are applicable for collective anomalies where multiple
sources generate a complete picture to detect the anomalous
behavior of the system. The k-means clustering with GMM
model [31], was developed to detect the anomalies in road
traffic data. The authors provide a rich model that is capable
to learn a high-dimensional feature space over the normal
behavior of the vehicles and detect any deviation from it as
abnormal situation. Furthermore, they also provide a visual
analytics to understand the behavior and explanation about
the abnormal behavior events. Visual analytics based methods
provide a transparent way to analyze the data. During their
research, the authors also consider the feedback provided by
expert analysts from Volvo group trucks technology. This
feedback includes information to understand the normal and
abnormal behaviors. For this purpose, they analyzed the
behavior of the driver 3 to 10 seconds before the crash as
well as online and offline queries posed to detect the abnor-
mal behavior. A structured sparse subspace learning algo-
rithm [32], is developed to detect the anomalous behavior.
In this method, a structured norm is imposed on the projection
81669
 M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
TABLE 5. The statistical learning methods in intelligent transportation systems.
coefficients matrix to achieve structured sparsity and help
identify anomaly sources. They performed the experiments
over the two real-world flight datasets from UAV Labora-
tories at the University of Minnesota. For the experiments,
only part of flight data from takeoff to landing is used while
developed method out-performed as compared to state of the
art algorithsm. In Table 5, we present our findings in the
literature based on statistical methods in intelligent transport
system.
2) MACHINE LEARNING METHODS
Machine learning models are playing an important role to
detect and predict the abnormal behavior in intelligent trans-
port system. In the literature, we found that appropriate data
selection from the databases is an important step because
these databases have been acquiring the data over several
years. A decision tree algorithm (i.e. C4.5 from decision
tree family) [33], is applied to the new representation of the
unstructured data streams in the form of reports. The new
representation is named as feature space and utilized a fusion
model to define an abnormal behavior. They extracted a new
representation over the 5 years of historical operational data
of A-320. They also talk about the semantic meaning of
the extracted model and its implications. A Proper labeling
would allow them to predict problems in advance before
they happen. Furthermore, It may help to generate alerts for
dangerous situations when any important parameters indicate
abnormal behavior. It has been found that another research
study by developing kernel learning mechanisms based on
two kernels [34]. One is designed over the discrete sequences
while the other is designed for continuous time series of
data. They evaluated their study on synthetic as well as four
real-world datasets to detect the anomalous behavior of the
aircrafts. In recent days, an effective breakthrough of Extreme
Learning Mechanism (ELM) is introduced by the research
community [35]. This approach solves the challenge of high
computational time of training over the large datasets. It also
provides a good generalization to develop a scalable anomaly
detection mechanism for very large datasets. They performed
the experiments over a real aviation safety benchmark prob-
lem that contains 43000 flights data about the information
of radar, flight trajectories, and distance of nearby aircraft.
81670
Deep learning models have significant improvement in many
application areas, specifically image recognition, speech
classification, and natural language processing. Such models
have the potential to detect anomalies and researchers have
already designed and developed solutions based on deep
learning methods. A reinforcement learning method [36], was
developed to detect the motor anomaly of unmanned aerial
vehicle over the temperature data stream. A reinforcement
learning algorithms are based on reward mechanism. They
controlled the motor temperature in a way by increasing
the speed if the temperature range is appropriate. While the
temperature range increase they deaccelarte to avoid motor
malfunction that is one of the major cause of drone crash.
A regression based model [37], is developed to find the
correlation between events and resource metrics in logs files
to find the contextual anomalies in air traffic control sys-
tem. Furthermore, they also provide the details of actionable
improvement by including the change detection algorithm
and use of time windows on contextual anomalies. They
performed the experiments over three failure settings. First
consider the system seems working but services are unre-
sponsive. Second system is running but unresponsive due
indefinitely waiting for an event to occur. Third it crash and
terminates unexpectedly. A support vector machine (SVM)
algorithm [38], is successfully applied to provide real-time
warning and instructions to the drivers about the road anoma-
lies. Deep Convolutional Neural Network (CNN) is devel-
oped and trained over the images of railway track to detect
the anomalies [39]. CNN based methods can distinguish by
network architecture, activation function and weight update
mechanism. They performed the experiments over the real
data set of 85 miles of continuous tracked images under
the supervised training mechanism. In [40], the designed
autoencoder is based on unsupervised deep learning model.
They built a stacked denoising autoencoder model to learn the
robust feature space in an unsupervised fashion. Then, they
used output of autoencoder as an input to anomaly detection
algorithm based on Gaussian distribution. They performed
the experiments on turbofan gas turbine engine of a civil
plane to detect the anomalous behavior of the engine. Table 6
presents our findings based on machine learning methods in
intelligent transport systems.
VOLUME 7, 2019
M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
TABLE 6. The machine learning methods in intelligent transportation systems.
C. ANOMALOUS BEHAVIOR IN SMART OBJECTS
The smart objects is a fast growing area to connect the
multiple objects together and enable communication between
them. It collects a valuable data that can be a source of
information and knowledge for a wide range of applications.
During our research survey, we found the following statistical
and machine learning literature that is aligned according to
our research questions and search criteria.
1) STATISTICAL METHODS
The statistical methods are successfully applied to discover
the anomalous behavior in many application domains. One
of the simplest methods is thresholding [41], that specifies
the behavior of the objects when a certain threshold is crossed
during the monitoring phase of the smart objects. The experi-
ments are performed on an intelligent trash bin equipped with
gas sensor to detect the state of the food. Such methods are
easy to implement and require very low computation power to
associate abnormal behavior of the objects. Similarly, another
simple and powerful method ANOVA is developed to find the
anomalous behavior. ANVOA is based on the analysis of vari-
ance to determine the variations between the groups in such
a way that they are significantly different from each other.
In [42], the authors developed ANOVA-based technique to
recognize the abnormal behavior of a vehicle. Researchers
also reported that when anomalous behavior exists, it affects
VOLUME 7, 2019
multiple monitoring data series and correlation-based meth-
ods are developed to detect the abnormal behavior of the
system. In [43], latent correlation based method is developed
to detect the anomalous behavior of the concrete pump truck.
Such method is capable to detect anomalies efficiently over
the monitoring data. The experiments were performed on
270 concrete pump trucks in supervised learning fashion to
detect the anomalous behavior. Another elegant approach
to develop an unsupervised learning method can reduce
the annotation burden of the data into normal or abnormal
behavior. In this domain, an unsupervised expectation max-
imization method is developed to identify the anomalous
behavior [44]. The developed method placed the constrain
to reduce the high variances of the mixture model to make
the correct prediction. The experiments were performed over
a smart nursing home with light switches. Table 7 presents
our findings based on statistical methods in the area of smart
objects.
2) MACHINE LEARNING METHODS
In machine learning approaches, rule based and clus-
tering approaches are developed for anomaly detection
and prediction for smart object systems. In case of rule
based approaches, the researchers have developed hybrid
approaches with a combination of fuzzy logic [45]. They
calculated the degree of belief to handle the ambiguities
81671
 M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
TABLE 7. The statistical learning methods in smart objects.
TABLE 8. The machine learning methods in smart objects.
imprecision, and vagueness. They predict anomalous behav-
ior by monitoring the water level through temperature and
rain gauge sensors. In [46], rules are considered with a novel
approach to verify the correctness of the rules based on the
domain knowledge. A school building is considered with cou-
ple of sensors to recognize the anomalous patterns in energy
consumption with an objective of a comfortable life with less
energy consumption. One of the most prominent advantages
of rule-based models is the human understandable output.
This feature is more likely to be acceptable in the applica-
tion areas where practitioners want to get a human under-
standable format from machine learning methods. In [47],
the authors introduced temporal clustering approach to detect
the anomalous behavior in city parking of San Francisco over
8200 parking sensors data. Clustering methods associate the
81672
data points into groups in such a way that all data points
which contain similar characteristics is placed in one group.
In the recent days, a new cluster heat map approach [48],
is also developed to monitor the energy usage of devices
and user contexts in an indoor office environment. Their
study comprised on 127 sensors deployed in two floor build-
ings and measuring the total power, reactive power, phase
angle, voltage, current, light value, temperature and motion
readings. Similarly, temporal and spatial-temporal methods
are also developed to detect the abnormal behavior from
the environmental datasets [49]. The visualization technique
is also developed over the clustering methods to identify
and predict the anomalous behavior of the under-observation
system [48], [50]. In Table 8, we present our findings based
on machine learning methods in the area of smart objects.
VOLUME 7, 2019
M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
TABLE 9. The statistical learning methods in healthcare systems.
D. ANOMALOUS BEHAVIOR IN HEALTHCARE SYSTEMS
Anomaly detection, analysis and prediction is considered as a
revolution to redefined healthcare systems. In such systems,
a clear impact can be seen in healthcare management and
wellness to enhance quality of life and remote monitoring for
the chronic disease patients. Such systems imposed a huge
challenge to reduce the number of false alarms generation.
In our systematic literature survey, it has been found that
sufficient approaches and methods to identify the anomalous
behavior of the sensors, humans or machines in healthcare
environment.
1) STATISTICAL METHODS
In statistical methods, a large number of methods are devel-
oped ranging from simple root mean square [51], to complex
Markov chain models [52]. All developed methods depend on
the nature of the time-series data and availability of such data
with annotation of normal and abnormal behavior patterns.
A root mean square graph [51], was developed over the
accelerometer sensor data to find the Seizure complexities
in the form of contextual anomalies. To monitor the anoma-
lous cardiac behavior, dynamic time warping and density
functions [53], were developed over the Photoplethysmo-
gram (PPG) signals of real dataset. We also find ARIMA
models to detect the point anomalies in decision support
system over the electronic health records. In [52] and [54],
the authors developed methods for recognizing the anoma-
lous behavior in sleep patterns and blood glucose level using
the data of wearable technology (i.e. fitbit) and medical
devices (i.e., insulin tolerance test). A spectral coherence
analysis [55], is also developed to find the discrepancies
in the accelerometer sensory data. In Table 9, we present
our findings in the literature based on statistical methods in
healthcare systems.
2) MACHINE LEARNING METHODS
In machine learning found literature, most of the devel-
oped models are dependent on the domain knowledge.
VOLUME 7, 2019
Therefore, data-driven approaches [57], incremental learning
methods [58], graph based approaches [59], and transfer
learning [60], are successfully applied in real-life scenarios.
A data driven approach [57], is developed over binary data to
detect the contextual anomalies over the tap sensor in home
setting. In incremental learning method [58], the developed
model is always kept updating its learning on the arrival of
the new cases or data patterns. Applicability of incremental
learning model in health care domain plays an important role
when the whole data is not available at the time of training
machine learning models. Another prospective is that we
can by-pass the limited memory and processing power of
the system by learning the models in incremental phases.
Incremental learning methods based on regression and feed-
back mechanism was developed in the past for detecting
the anomalous patterns in the electronic health records [58].
In graph-based methods, we can assert the healthcare work
flows and dependencies for patient care. A patient flow-
based anomaly detection technique is developed [59], to find
the anomalous behavior in electronic medical health records.
Another approach is based on transfer learning with the
objective to classify the new instances in unsupervised fash-
ion while a model is trained on the data of other sources.
For instance, it has been found that such methods in the
literature [60], to monitor the ECG signal and detect the
anomalous behavior. Table 10 presents our findings based on
machine learning methods in healthcare systems.
E. ANOMALOUS BEHAVIOR IN INDUSTRIAL SYSTEM
In the industrial system, design and development of anomaly
detection methods are crucial to reduce the chance of unex-
pected failure of a system. It has been found that devel-
oped methods for anomaly detection are successfully applied
to predictive and proactive maintenance. Such methods are
widely used to improve the productivity performance, save
the downtime of the machines, and do the root cause analysis
of the faults.
81673
 M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
TABLE 10. The machine learning methods in healthcare systems.
TABLE 11. The statistical learning methods in industrial systems.
1) STATISTICAL METHODS
The time and frequency properties of sensory data provide
a valuable information to build the time frequency logic.
In time domain signals (for example: mean, standard devia-
tion or variance etc.) can depict certain information about the
behavior of the system. In complex scenarios, more advanced
properties of the signal are analyzed. For instance, frequency
based signal properties (for example, Fourier transforma-
tion, wavelet transformation etc.) can provide information
individually or in combination with time domain features to
understand the behavior of the system [62]. The industrial
systems are complex and wide, and a huge number of sensors
are placed to monitor the spaces and objects to provide a
better solution for abnormal behavior prediction. For such
scenarios, correlation based methods [63], are developed
and proved more effective way to find the anomalies. The
correlation based methods can reflect a true presentation of
the system because these correlations can physically reflect
the mechanisms and operating conditions. These methods
have several advantages, comparatively simple to implement,
and easy to perform real-time analysis. Similarly, a density-
based model [64], is also developed to find the anomalous
behavior in a solar power generation system by processing
81674
the electric data. In Table 11, we present our findings in the
literature based on statistical methods in industrial systems.
2) MACHINE LEARNING METHODS
In the industrial systems, it has been found that one-class
support vector machine [66], clustering and rule-based tech-
niques [67], probabilistic neural network [68], and exten-
sion of neural network in the form of extreme learning
machines [69]. One class support vector machine is a very
well-known method to detect the anomalous behavior of the
system in many application domains, as we discussed in
section VII-A (i.e., Intelligent inhabitant environment) about
the significance of its working. It has capability to place the
boundaries of the seen data and ability to distinguish all the
events or data points that are outside of the boundaries as an
anomalous behavior of the system. Clustering methodologies
are developed to make the group of similar characteristics of
objects under an unsupervised fashion. After such kind of
automatic grouping, if system could not place the new data
points into the predefined cluster then it generates alerts as
an anomalous case. Rule-based approaches are also devel-
oped with clustering approaches [67], to provide an excellent
coverage and low false alarm rate. Artificial neural networks
VOLUME 7, 2019
M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
TABLE 12. The machine learning methods in industrial systems.
are complex architecture which mimic the human brain in
solving diverse range of problems including anomaly detec-
tion. In the literature, it has been found that probabilistic
neural networks [68], that belong to stochastic neural net-
work group and provide excellent solutions to detect the
anomalies in thermal power plant. A conditional Gradient
Boosting Decision Tree (GBDT) [70], is developed to detect
early anomalies in wind turbine bolts breaking problem. It is
an ensemble learning classifier who generate multiple trees
and utilize them for making final decision. It also has the
characteristics to work in the huge amount of noise where
normal and abnormal conditions are unable to separate by
hyperplane. Table 12 present our findings based on machine
learning methods in industrial systems.
VIII. DISCUSSION
A. Q1. WHAT KIND OF SENSORS ALONG WITH
GENERATED DATA STREAMS ARE USED
TO DETECT ANOMALIES?
In the literature review, we find a large number of sen-
sors to detect the anomalous behavior in different applica-
tion domains. In intelligent inhabitant environments, state
changes sensors, environmental sensors, and wearable sen-
sors are used to avoid privacy issues. These sensors provide
a more comfortable level of privacy compared to video cam-
eras and collect data continuously, generating temporal data
streams. In intelligent transport systems, system logs with
sensor data are processed for anomalous behavior. In such
systems, both hardware sensory information and software
logs (i.e., soft sensor) are used to provide a complete picture
of the system. Smart objects has gained a lot of popularity in
the last decade and many everyday objects are tapped with
low-cost sensors to enable inter-object and over the Internet
communications. In this domain, data coming from both
VOLUME 7, 2019
hardware and soft sensors are used to predict the anomalous
behavior of such systems. In healthcare systems, different
kind of sensor are considered: from patients wearable sensors
to sensors embedded in healthcare instruments and electronic
health record. Industrial systems are considered as a complex
system and involve legacy software and equipment. We found
that sensors are tapped over the mechanical objects, sense the
environment, and measure the different parameters of running
machines to detect and predict the anomalous behavior. Most
of the provided dataset are cleaned and minimal preprocess-
ing is required. We present the different kind of sensors along
the domain knowledge in Table 13.
B. Q2. WHAT ARE THE METHODS USED IN DIFFERENT
DOMAINS FOR DETECTING ANOMALOUS BEHAVIOR?
We found different types of anomaly detection methods and
we extracted the information according to our developed
protocol. The detail information is presented as follows.
1) STATISTICAL METHODS
To detect the anomalies, simple methods like setting up the
threshold based on the variance or calculating the percentile
also work well over the real-data. In statistical techniques,
correlation based methods are able to provide information
about the relationships among data sets. Such relationships
exhibit anomalous pattern in the dataset. A different kind
of variations are established in the literature that are based
on correlation-based anomaly detection. In these variations,
the most common is the dissimilarity measures that is based
on distance-based indexs to measure the dissimilarities. The
Gaussian mixture model based approaches are used to detect
the anomalies that are probabilistic and assumes that all
data points are generated from a mixture of a finite num-
ber of Gaussian distributions with unknown parameters.
81675
 M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
TABLE 13. The sensors used in different domains to detect the
anomalous behavior of the system. Where IIE = intelligent inhabitant
environment, ITS = intelligent transport system, smart objects = SO
HCS = health care system, IS = industrial system.
TABLE 14. The statistical learning methods founds during our systematic
literature review. Where IIE = intelligent inhabitant environment,
ITS = intelligent transport system, smart objects = SO, HCS = health care
system, IS = industrial system.
Expectation maximization algorithm is used for fitting the
mixture of Gaussian models. In case of large data streams,
the Principal Component Analysis (PCA) is utilized to reduce
the dimensions while keeping the important features in the
space to detect the anomalous behavior. In our search,
we found different types of statistical techniques to deal with
anomalies (Table 14).
In Table. 14, it can be seen that only few techniques are
adopted in cross domains. For instance, Gaussian Mixture
81676
Model is successfully applied in intelligent inhabitant envi-
ronment as well as in intelligent transport systems. Such sta-
tistical technique may be useful in industrial system because
we also have complex and enormous amount of data. It can
also observable dimensionality reduction techniques like
PCA and structured subspace learning is utilized in intelligent
transport system, while it can be beneficial to reduce the
dimension in different domains and combine with machine
learning methods. Such hybrid approaches can bring fruitful
results in the cross domains.
2) MACHINE LEARNING MODELS
Machine learning methods play an important role to train
models with capabilities of generalization and robustness in
anomalies detection and prediction. One of the most use-
ful methods is one class support vector machine. It learns
the behavior of the normal data patterns by setting up the
parameters during the training phase. Unusual data patterns
compared to the model, are considered as anomalous pat-
terns. Rule-based anomaly detection methods enable machine
learning algorithms to generate human understandable rules
and gain the confidence of analysts. Similarly, clustering
techniques are also used to build anomaly detection systems
in an unsupervised fashion. All the data patterns with similar
characteristics are grouped into a cluster and any deviation is
identified as an anomalous behavior of the system. In some
applications the anomalous behavior is dependent on the
inputs of several sensory streams and collectively represent
the anomaly. In this situations, graph-based approaches were
applied in the past to detect the anomalies. Nowadays, incre-
mental learning is frequently used to build a model in such
a way that it can learn from the available data and learn
more when additional learning data is available. During our
search, we also found transfer learning methods for anomaly
detection that are capable of building an off-the-shelf sys-
tem with small modifications to detect the anomalies in the
same domain under the same constrains. Lastly, we also
found reinforcement learning methods to detect the anoma-
lies that are capable of learning the patterns through payoffs
and rewards. A summary of machine learning methods is
presented in Table 15.
3) DEEP LEARNING MODELS
We also found limited deep learning models for anomaly
detection in the considered domains. Deep learning models
are computationally expensive and require a huge amount
of data. If there are enormous amount of data and it is
difficult to learn the patterns by manually extracting the
feature spaces, then deep learning models could be useful.
Deep learning models learn the feature space by transforming
the data representation into new feature space where they
can distinguish normal and anomalous behaviors. We found
out that the unsupervised learning technique autoencoder is
used. In transportation systems, it has been used due to its
ability to process spatial data through convolutional neural
to detect the anomalous behaviors. We present the results
VOLUME 7, 2019
M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
TABLE 15. The machine learning methods founds during our systematic
literature review. Where IIE = intelligent inhabitant environment,
ITS = intelligent transport system, smart objects = SO HCS = health care
system, IS = industrial system.
TABLE 16. The deep learning methods founds during our systematic
literature review. Where IIE = intelligent inhabitant environment,
ITS = intelligent transport system, smart objects = SO, HCS = health care
system, IS = industrial system.
in Table 16. The research on deep learning models has been
done in image processing, classification problems, and nat-
ural language processing which are not the scope of this
literature survey. At the moment, deep learning models to
find anomalies remains an unexplored area in the considered
domains.
C. Q3. WHAT KIND OF EVALUATION METRICS ARE
APPLIED TO MEASURE THE PERFORMANCE
OF THE SYSTEM?
We found the metric ‘‘accuracy’’ to measure the performance
of anomaly detection system. However, in case of imbalanced
datasets, the reported accuracy does not provide a correct
performance evaluation of the specific approach. To measure
the performance correctly, researchers measure the perfor-
mance based on True Positive (TP), True Negative (TN),
False Positive (FP), False Negative (FN), precision, recall,
and F1 scores. TP provide the information about how many
positive cases are correctly detected. TN gives the informa-
tion how many negative cases are correctly labeled as nega-
tive instances. FP provides the information about the falsely
corrected instance as a positive case. Similarly, FN gives us
VOLUME 7, 2019
information about the instances that are positive but falsely
considered as negative. Precision is defined as the number
of class members classified correctly over the total number
of instances classified as class members. Recall is defined
as the number of class members classified correctly over the
total number of class members. In anomaly detection system,
high precision and high recall are desired to build a good
system. In such a situation, F-measure is used to give an equal
importance to precision and recall [72].
TABLE 17. The evaluation metrics used in different domains to confirm
the applicability of the models. Where IIE = intelligent inhabitant
environment, ITS = intelligent transport system, smart objects = SO
HCS = health care system, IS = industrial system.
Recently, receiving operating characteristics such as Area
Under the Curve (AUC) metric is also gaining popular-
ity to measure the system performance. AUC is the two-
dimensional area underneath the curve and interpreted as a
probability that the model ranks a random positive example
more highly than a random negative example. It provides
robust evaluation in comparison to accuracy in case of imbal-
anced datasets, commonly used with machine learning and
deep learning models. Table 17 presents the evaluation met-
rics with applicability in the considered application domains.
D. Q4. WHAT ARE THE EXISTING CHALLENGES
TO APPLY ANOMALY DETECTION TECHNIQUES
IN DIFFERENT DOMAINS?
Anomalies detection techniques are domain specific and we
could not find any off-the-shelf method that works in all
situations. To develop an anomaly detection system, we need
to consider that it is highly dependent on the application area,
nature of the anomaly, and availability of the data. Our anal-
ysis and presented methods help the research community to
choose the most suitable method or technique for the specific
area. The following challenges are found in the considered
domains.
81677
 M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
1) INTELLIGENT INHABITANT ENVIRONMENT
An anomalous behavior is relatively new in intelligent
inhabitant environments and currently being explored in the
research community. Many challenges are ahead in detecting
abnormal behavior. For instance, we found many methods
that are dealing with the single inhabitant in smart environ-
ment. In real-life, many family members interact with the
objects at home. Robust techniques are required to assign
individual behavior with the right person. Another challenge
is the imbalanced data generation due to the fact that the
interaction with the some objects are frequent while are very
rare with others. An example of such interaction is a ‘cleaning
activity’ that may take place once per week as compared to
more frequent activity ‘preparing meal’. To find the abnormal
behavior during the home cleaning is difficult for a classifier.
Nevertheless, the developed methods for intelligent inhabi-
tant environments also provide promising results but working
in real-life scenarios require more powerful methods to deal
with these challenges.
2) INTELLIGENT TRANSPORT SYSTEM
In the literature, most of the work related to the detection
of anomalous behaviors was done for avionics systems. The
nature of the datasets are complex and high dimensional.
The data complexity makes the learning task difficult to dis-
tinguish between normal and abnormal behavior. Moreover,
high dimensional data is compute intensive and demands big-
data infrastructure to process it in defined time intervals.
Such complex data structures can be processed by deep learn-
ing models. Again such models require large computation
resources to train the model and pose a big challenge to
integrate them with existing running systems. To reduce the
dimensionality of the collected data, new representational
techniques are required to reduce the dimensions of the data
with minimum loss of information.
3) SMART OBJECTS
Today we are surrounded by smart objects to ensure the
proper working of many systems. It is a breakthrough in
technology and creates a possibility of the objects to com-
municate with humans as well as other system devices to
provide information about their working status. During our
search, we found simple and effective methods to recognize
the anomalous behavior. In a network of smart objects, a big
challenge is objects uncertainties factor of contextual and col-
lective behavior interpretation that demands new methods to
determine the abnormal behavior. Another foreseen challenge
is privacy and security of the such systems while storing and
sending data to the cloud infrastructure.
4) HEALTHCARE SYSTEM
In the literature, we found the developed methods for cardiac
behavior monitoring, sleep monitoring, gait freezing, seizure
complexities, and decision support systems. Such system also
81678
pose a great challenge because sensors are not placed only
in fixed locations. They ranges from patient wearing sensors
or other devices that capture the values of vital parameters,
electronic medical records and medical tests. In this domain,
more effort is required to understand the nature and impor-
tance of the data before developing the anomaly detection
system. Furthermore, in data-driven approaches, researchers
have developed methods to detect the anomalies in electronic
medical records over the past patient cases. In data-driven
approaches, evaluation and development require a close inter-
action with the domain experts. Another challenge is the trust
on the developed method since they are not understandable
by healthcare experts. The health practitioners consider the
developed system as a black box. This area also demand
human understandaility to assure the correct behaviour of the
system.
5) INDUSTRIAL SYSTEM
In industrial systems, a robust development of anomaly detec-
tion methods is crucial to reduce the chance of a sudden
stop-working of the system. We found one of the most
noticeable ‘‘rule-based’’ approaches for industrial system to
detect the anomalous behavior. Such techniques generate
human understandable profile and is easily understandable by
industrial engineers. Current challenges in industrial systems
are (1) to develop the methods that can do root-cause analysis;
(2) to provide preventive solutions to detect the anomalous
behavior before it stops the industrial units.
IX. RESEARCH GAPS
In fact, research on the anomalous behavior detection outside
of the security and surveillance system need to solve many
existing challenges.
• It has been found that availability of the real system
data is hard to achieve and require a long procedure to
access the data of a running system. A big gap exists
to formalize a way to access the data logs and sensory
data stream, to build a model and validate it in real-life
settings.
• During the analysis, it has been found that a huge
amount of studies, most of them are related to the normal
behavior of the system. The most commonly developed
methods are based on the training of normal behavior
and deviation from these scenarios is considered as an
anomalous behavior. More accurate and robust models
are required to deal with complex real-scenarios. A close
relationship is required to explain the importance and
promising results to the concern management individ-
uals.
• The complexities of the data include imbalance datasets,
unexpected noise, and redundancy in the data. Well-
designed methods are needed to curate the datasets for
extracting the meaningful information and knowledge.
In this situation, a small system can be heavily compute
intensive to process the complex data. The existing cloud
VOLUME 7, 2019
M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
computing technology can be exploited for this work to
obtain the fruitful results on right time.
• Many statistical methods were well proven to detect the
anomalies in the past decades. At the moment, a big chal-
lenge is ahead to these developed methods, due to the
exponential increase in the deployment of tap sensor on
the objects. Currently, the working systems are equipped
with a lot of hardware and software sensors (i.e., system
logs) to monitor the systems/environment. To consider
all the source of information, a number of parameters is
increasing exponentially and statistical methods are not
able to deal with such data.
• Machine learning methods are developed to deal with
high dimensionality of the data and detect anomalous
behavior of the system. A subset of machine learning
domain known as deep learning has great success in
many areas (i.e. computer vision and speech processing)
to produce more accurate results of the complex prob-
lem. A gap exists to apply new models and assess the
ability in anomaly detection domain especially for intel-
ligent transport, industrial, and smart objects deployed
systems.
• Most of the research work done in the last decades is
about the detection of anomalies. Anomaly prediction
and prevention is an unexplored area in the research
community. It can contribute a lot to predict the anoma-
lies in advance. There is a need to develop and/or
adapt new methods that can prevent the systems in a
proactive way and have the ability to do root cause
analysis.
• It has been found that a gap in visualizing the anomalies
for analysis. New methods and approaches are needed
to present the system in intuitive way to analyze the
systems. Therefore, such gaps ought to be investigated
which could contribute to the fields of anomaly detection
system.
• Our analysis could not find any work based on fusion
techniques. Such techniques can provide a robust plat-
form to fuse the sensory data streams and assist the
analysis of anomalous behavior.
• The research community is putting of efforts to develop
accurate methods. We could not find any work based on
ensemble learning that can reduce the false positive rate
of the system.
X. CONCLUSIONS
Over the years, anomaly detection is an active area of research
and has gained a lot of interest of researchers from all appli-
cation areas. An anomalous behavior recognition can reduce
the functional risks, avoid unseen problems, and downtime
of the systems. In this paper, we provide the results of a sys-
tematic literature review with a prospective of statistical and
machine learning models. Our review provides a complete
overview of the developed approaches, their characteristics
and performance measures. Consequently, this information
VOLUME 7, 2019
can help the research community to obtain a detail informa-
tion about an up-to-date developed approaches and method-
ologies in anomaly detection domain. We also observe that
further development of the new methods and techniques are
required to process the diverse data streams generated from
IoT devices, healthcare system, intelligent environments and
complex industrial systems.
REFERENCES
[1] V. Chandola, A. Banerjee, and V. Kumar, ‘‘Anomaly detection for discrete
sequences: A survey,’’ IEEE Trans. Knowl. Data Eng., vol. 24, no. 5,
pp. 823–839, May 2012.
[2] I. Butun, S. D. Morgera, and R. Sankar, ‘‘A survey of intrusion detec-
tion systems in wireless sensor networks,’’ IEEE Commun. Surveys Tuts.,
vol. 16, no. 1, pp. 266–282, 1st Quart., 2014.
[3] P. Garcia-Teodoro, J. Diaz-Verdejo, G. Maciá-Fernández, and E. Vázquez,
‘‘Anomaly-based network intrusion detection: Techniques, systems and
challenges,’’ Comput. Secur., vol. 28, nos. 1–2, pp. 18–28, 2009.
[4] A. Abdallah, M. A. Maarof, and A. Zainal, ‘‘Fraud detection system:
A survey,’’ J. Netw. Comput. Appl., vol. 68, pp. 90–113, Jun. 2016.
[5] M. Ahmed, A. N. Mahmood, and M. R. Islam, ‘‘A survey of anomaly
detection techniques in financial domain,’’ Future Gener. Comput. Syst.,
vol. 55, pp. 278–288, Feb. 2016.
[6] C. C. Aggarwal, ‘‘Outlier analysis,’’ in Data Mining. Cham, Switzerland:
Springer, 2015, pp. 237–263.
[7] X. Ding, Y. Li, A. Belatreche, and L. P. Maguire, ‘‘Novelty detection using
level set methods,’’ IEEE Trans. Neural Netw. Learn. Syst., vol. 26, no. 3,
pp. 576–588, Mar. 2015.
[8] X. Song, M. Wu, C. Jermaine, and S. Ranka, ‘‘Conditional anomaly
detection,’’ IEEE Trans. Knowl. Data Eng., vol. 19, no. 5, pp. 631–645,
May 2007.
[9] A. V. Metcalfe and P. S. Cowpertwait, Introductory Time Series With R.
New York, NY, USA: Springer-Verlag, 2009.
[10] S. V. Kumar and L. Vanajakshi, ‘‘Short-term traffic flow prediction using
seasonal ARIMA model with limited input data,’’ Eur. Transp. Res. Rev.,
vol. 7, no. 3, p. 21, 2015.
[11] Q. Wang, X. Song, and R. Li, ‘‘A novel hybridization of nonlinear grey
model and linear ARIMA residual correction for forecasting US shale oil
production,’’ Energy, vol. 165, pp. 1320–1331, Dec. 2018.
[12] D. Budgen and P. Brereton, ‘‘Performing systematic literature reviews
in software engineering,’’ in Proc. 28th Int. Conf. Softw. Eng., 2006,
pp. 1051–1052.
[13] V. Chandola, A. Banerjee, and V. Kumar, ‘‘Anomaly detection: A survey,’’
ACM Comput. Surv., vol. 41, no. 3, p. 15, 2009.
[14] Z. Niu, S. Shi, J. Sun, and X. He, ‘‘A survey of outlier detection method-
ologies and their applications,’’ in Proc. Int. Conf. Artif. Intell. Comput.
Intell. Berlin, Germany: Springer, 2011, pp. 380–387.
[15] M. Fahim, I. Fatima, S. Lee, and Y.-K. Lee, ‘‘EEM: Evolutionary ensem-
bles model for activity recognition in smart homes,’’ Appl. Intell., vol. 38,
no. 1, pp. 88–98, 2013.
[16] V. R. Jakkula and D. J. Cook, ‘‘Detecting anomalous sensor events in
smart home data for enhancing the living experience,’’ in Proc. Artif. Intell.
Smarter Living, 2011, pp. 1–2.
[17] S. M. Mahmoud, A. Lotfi, and C. Langensiepen, ‘‘Abnormal behaviours
identification for an elder’s life activities using dissimilarity measure-
ments,’’ in Proc. 4th Int. Conf. Pervasive Technol. Rel. Assistive Environ.,
2011, p. 25.
[18] P. Cuddihy, J. Weisenberg, C. Graichen, and M. Ganesh, ‘‘Algorithm to
automatically detect abnormally long periods of inactivity in a home,’’
in Proc. 1st ACM SIGMOBILE Int. Workshop Syst. Netw. Support Health-
care Assist. Living Environ., 2007, pp. 89–94.
[19] F. Cardinaux, S. Brownsell, M. Hawley, and D. Bradley, ‘‘Modelling of
behavioural patterns for abnormality detection in the context of lifestyle
reassurance,’’ in Proc. Iberoamerican Congr. Pattern Recognit. Berlin,
Germany: Springer, 2008, pp. 243–251.
[20] W. Kang, D. Shin, and D. Shin, ‘‘Detecting and predicting of abnor-
mal behavior using hierarchical Markov model in smart home net-
work,’’ in Proc. IEEE 17Th Int. Conf. Ind. Eng. Eng. Manage. (IE&EM),
Oct. 2010, pp. 410–414.
81679
 M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
[21] T. V. Duong, H. H. Bui, D. Q. Phung, and S. Venkatesh, ‘‘Activity recog-
nition and abnormality detection with the switching hidden semi-Markov
model,’’ in Proc. IEEE Comput. Soc. Conf. Comput. Vis. Pattern Recognit.
(CVPR), vol. 1, Jun. 2005, pp. 838–845.
[22] F. J. Ordóñez, P. de Toledo, and A. Sanchis, ‘‘Sensor-based Bayesian
detection of anomalous living patterns in a home setting,’’ Pers. Ubiquitous
Comput., vol. 19, no. 2, pp. 259–270, 2015.
[23] S.-S. Choi, S.-H. Cha, and C. C. Tappert, ‘‘A survey of binary similar-
ity and distance measures,’’ J. Syst., Inform., vol. 8, no. 1, pp. 43–48,
2010.
[24] A. Palaniappan, R. Bhargavi, and V. Vaidehi, ‘‘Abnormal human activity
recognition using SVM based approach,’’ in Proc. Int. Conf. Recent Trends
Inf. Technol. (ICRTIT), Apr. 2012, pp. 97–102.
[25] J. H. Shin, B. Lee, and K. S. Park, ‘‘Detection of abnormal living patterns
for elderly living alone using support vector data description,’’ IEEE Trans.
Inf. Technol. Biomed., vol. 15, no. 3, pp. 438–448, May 2011.
[26] S. M. Mahmoud, A. Lotfi, and C. Langensiepen, ‘‘User activities outlier
detection system using principal component analysis and fuzzy rule-based
system,’’ in Proc. 5th Int. Conf. Pervasive Technol. Rel. Assistive Environ.,
2012, p. 26.
[27] J. Yin, Q. Yang, and J. J. Pan, ‘‘Sensor-based abnormal human-activity
detection,’’ IEEE Trans. Knowl. Data Eng., vol. 20, no. 8, pp. 1082–1090,
Aug. 2008.
[28] N. Han, S. Gao, J. Li, X. Zhang, and J. Guo, ‘‘Anomaly detection in health
data based on deep learning,’’ in Proc. Int. Conf. Netw. Infrastruct. Digit.
Content (IC-NIDC), Aug. 2018, pp. 188–192.
[29] E. Hüllermeier, ‘‘Does machine learning need fuzzy logic?’’ Fuzzy Sets
Syst., vol. 281, pp. 292–299, Dec. 2015.
[30] R. Fujimaki, T. Yairi, and K. Machida, ‘‘An approach to space-
craft anomaly detection problem Using kernel feature space,’’ in Proc.
11th ACM SIGKDD Int. Conf. Knowl. Discovery Data Mining, 2005,
pp. 401–410.
[31] M. Riveiro, M. Lebram, and M. Elmer, ‘‘Anomaly detection for road traffic:
A visual analytics framework,’’ IEEE Trans. Intell. Transp. Syst., vol. 18,
no. 8, pp. 2260–2270, Aug. 2017.
[32] Y. F. He, Y. Peng, S. J. Wang, D. T. Liu, and P. H. W. Leong, ‘‘A struc-
tured sparse subspace learning algorithm for anomaly detection in UAV
flight data,’’ IEEE Trans. Instrum. Meas., vol. 67, no. 1, pp. 90–100,
Jan. 2018.
[33] J. M. Pena, F. Famili, and S. Létourneau, ‘‘Data mining to detect abnormal
behavior in aerospace data,’’ in Proc. 6th ACM SIGKDD Int. Conf. Knowl.
Discovery Data Mining, 2000, pp. 390–397.
[34] S. Das, B. L. Matthews, A. N. Srivastava, and N. C. Oza, ‘‘Multiple kernel
learning for heterogeneous anomaly detection: Algorithm and aviation
safety case study,’’ in Proc. 16th ACM SIGKDD Int. Conf. Knowl. Dis-
covery Data Mining, 2010, pp. 47–56.
[35] V. M. Janakiraman and D. Nielsen, ‘‘Anomaly detection in aviation data
using extreme learning machines,’’ in Proc. Int. Joint Conf. Neural Netw.
(IJCNN), Jul. 2016, pp. 1993–2000.
[36] H. Lu, Y. Li, S. Mu, D. Wang, H. Kim, and S. Serikawa, ‘‘Motor anomaly
detection for unmanned aerial vehicles using reinforcement learning,’’
IEEE Internet Things J., vol. 5, no. 4, pp. 2315–2322, Aug. 2017.
[37] M. Farshchi, I. Weber, R. Dellacorte, A. Pecchia, M. Cinque,
J.-G. Schneider, and J. Grundy, ‘‘Contextual anomaly detection for a
critical industrial system based on logs and metrics,’’ in Proc. 14th Eur.
Dependable Comput. Conf. (EDCC), Sep. 2018, pp. 140–143.
[38] B. Bose, J. Dutta, S. Ghosh, P. Pramanick, and S. Roy, ‘‘D&RSense:
Detection of driving patterns and road anomalies,’’ in Proc. 3rd Int. Conf.
Internet Things, Smart Innov. Usages (IoT-SIU), 2018, pp. 1–7.
[39] X. Gibert, V. M. Patel, and R. Chellappa, ‘‘Deep multitask learning for
railway track inspection,’’ IEEE Trans. Intell. Transp. Syst., vol. 18, no. 1,
pp. 153–164, Jan. 2017.
[40] H. Luo and S. Zhong, ‘‘Gas turbine engine gas path anomaly detection
using deep learning with Gaussian distribution,’’ in Proc. Prognostics Syst.
Health Manage. Conf. (PHM-Harbin), Feb. 2017, pp. 1–6.
[41] J. Amores, P. Maes, and J. Paradiso, ‘‘Bin-ary: Detecting the state of
organic trash to prevent insalubrity,’’ in Proc. ACM Int. Joint Conf. Per-
vasive Ubiquitous Comput. ACM Int. Symp. Wearable Comput., 2015,
pp. 313–316.
[42] M. L. Han, J. Lee, A. R. Kang, S. Kang, J. K. Park, and H. K. Kim,
‘‘A statistical-based anomaly detection method for connected cars in Inter-
net of Things environment,’’ in Proc. Int. Conf. Internet Vehicles. Cham,
Switzerland: Springer, 2015, pp. 89–97.
81680
[43] J. Ding, Y. Liu, L. Zhang, J. Wang, and Y. Liu, ‘‘An anomaly detec-
tion approach for multiple monitoring data series based on latent cor-
relation probabilistic model,’’ Appl. Intell., vol. 44, no. 2, pp. 340–361,
2016.
[44] C.-W. Ho, C.-T. Chou, Y.-C. Chien, and C.-F. Lee, ‘‘Unsupervised anomaly
detection using light switches for smart nursing homes,’’ in Proc. IEEE
14th Int. Conf. Pervasive Intell. Comput., 14th Int. Conf. Dependable,
Auton. Secure Comput. 2nd Int. Conf. Big Data Intell. Comput. Cyber
Sci. Technol. Congr. (DASC/PiCom/DataCom/CyberSciTech), Aug. 2016,
pp. 803–810.
[45] R. U. Islam, M. S. Hossain, and K. Andersson, ‘‘A novel anomaly detection
algorithm for sensor data under uncertainty,’’ Soft Comput., vol. 22, no. 5,
pp. 1623–1639, 2016.
[46] Y. Sun, T.-Y. Wu, X. Li, and M. Guizani, ‘‘A rule verification system
for smart buildings,’’ IEEE Trans. Emerg. Topics Comput., vol. 5, no. 3,
pp. 367–379, Feb. 2017.
[47] Y. Zheng, S. Rajasegarar, C. Leckie, and M. Palaniswami, ‘‘Smart car
parking: Temporal clustering and anomaly detection in urban car parking,’’
in Proc. Proc. IEEE 9th Int. Conf. Intell. Sensors, Sensor Netw. Inf. Process.
(ISSNIP), Apr. 2014, pp. 1–6.
[48] D. Kumar, J. C. Bezdek, S. Rajasegarar, M. Palaniswami, C. Leckie,
J. Chan, and J. Gubbi, ‘‘Adaptive cluster tendency visualization and
anomaly detection for streaming data,’’ ACM Trans. Knowl. Discovery
Data (TKDD), vol. 11, no. 2, p. 24, 2016.
[49] L.-J. Chen, Y.-H. Ho, H.-H. Hsieh, S.-T. Huang, H.-C. Lee, and
S. Mahajan, ‘‘ADF: An anomaly detection framework for large-scale
PM2.5 sensing systems,’’ IEEE Internet Things J., vol. 5, no. 2,
pp. 559–570, Apr. 2018.
[50] M. Bobin, M. Boukallel, M. Anastassova, and M. Ammi, ‘‘Study of a
smart cup for home monitoring of the arm and hand of stroke patients,’’
in Proc. 18th Int. ACM SIGACCESS Conf. Comput. Accessibility, 2016,
pp. 305–306.
[51] T. R. Burchfield and S. Venkatesan, ‘‘Accelerometer-based human abnor-
mal movement detection in wireless sensor networks,’’ in Proc. 1st ACM
SIGMOBILE Int. Workshop Syst. Netw. Support Healthcare Assist. Living
Environ., 2007, pp. 67–69.
[52] Y. Zhu, ‘‘Automatic detection of anomalies in blood glucose using
a machine learning approach,’’ J. Commun. Netw., vol. 13, no. 2,
pp. 125–131, 2011.
[53] C. Puri, A. Ukil, S. Bandyopadhyay, R. Singh, A. Pal, and K. Mandana,
‘‘iCarMa: Inexpensive cardiac arrhythmia management—An IoT health-
care analytics solution,’’ in Proc. 1st Workshop IoT-Enabled Healthcare
Wellness Technol. Syst., 2016, pp. 3–8.
[54] K. Tonchev, P. Koleva, A. Manolova, G. Tsenov, and V. Poulkov, ‘‘Non-
intrusive sleep analyzer for real time detection of sleep anomalies,’’
in Proc. 39th Int. Conf. Telecommun. Signal Process. (TSP), Jun. 2016,
pp. 400–404.
[55] T. T. Pham, D. N. Nguyen, E. Dutkiewicz, A. L. McEwan, and
P. H. Leong, ‘‘Wearable healthcare systems: A single channel accelerom-
eter based anomaly detector for studies of gait freezing in Parkinson’s
disease,’’ in Proc. IEEE Int. Conf. Commun. (ICC), May 2017,
pp. 1–5.
[56] S. Ray and A. Wright, ‘‘Detecting anomalies in alert firing within clinical
decision support systems using anomaly/outlier detection techniques,’’
in Proc. 7th ACM Int. Conf. Bioinf., Comput. Biol., Health Inform., 2016,
pp. 185–190.
[57] A. Manashty, J. Light, and U. Yadav, ‘‘Healthcare event aggregation lab
(HEAL), a knowledge sharing platform for anomaly detection and predic-
tion,’’ in Proc. 17th Int. Conf. E-Health Netw., Appl. Services (HealthCom),
Oct. 2015, pp. 648–652.
[58] K. Raghuraman, M. Senthurpandian, M. Shanmugasundaram, Bhargavi,
and V. Vaidehi, ‘‘Online incremental learning algorithm for anomaly detec-
tion and prediction in health care,’’ in Proc. Int. Conf. Recent Trends Inf.
Technol. (ICRTIT), 2014, pp. 1–6.
[59] H. Zhang, S. Mehotra, D. Liebovitz, C. A. Gunter, and B. Malin, ‘‘Mining
deviations from patient care pathways via electronic medical record system
audits,’’ ACM Trans. Manage. Inf. Syst., vol. 4, no. 4, p. 17, 2013.
[60] K. Li, N. Du, and A. Zhang, ‘‘Detecting ECG abnormalities via transduc-
tive transfer learning,’’ in Proc. ACM Conf. Bioinf., Comput. Biol. Biomed.,
2012, pp. 210–217.
[61] M. Hauskrecht, I. Batal, M. Valko, S. Visweswaran, G. F. Cooper, and
G. Clermont, ‘‘Outlier detection for patient monitoring and alerting,’’
J. Biomed. Inform., vol. 46, pp. 47–55, Feb. 2013.
VOLUME 7, 2019
M. Fahim, A. Sillitti: Anomaly Detection, Analysis and Prediction Techniques in IoT Environment
[62] L. V. Nguyen, J. Kapinski, X. Jin, J. V. Deshmukh, K. Butts, and
T. T. Johnson, ‘‘Abnormal data classification using time-frequency tem-
poral logic,’’ in Proc. 20th Int. Conf. Hybrid Syst., Comput. Control, 2017,
pp. 237–242.
[63] P. Zhao, M. Kurihara, J. Tanaka, T. Noda, S. Chikuma, and T. Suzuki,
‘‘Advanced correlation-based anomaly detection method for predictive
maintenance,’’ in Proc. IEEE Int. Conf. Prognostics Health Manage.
(ICPHM), Jun. 2017, pp. 78–83.
[64] Y. Akiyama, Y. Kasai, M. Iwata, E. Takahashi, F. Sato, and M. Murakawa,
‘‘Anomaly detection of solar power generation systems based on
the normalization of the amount of generated electricity,’’ in Proc.
IEEE 29th Int. Conf. Adv. Inf. Netw. Appl. (AINA), Mar. 2015,
pp. 294–301.
[65] D. Zang, J. Liu, and H. Wang, ‘‘Markov chain-based feature extraction for
anomaly detection in time series and its industrial application,’’ in Proc.
Chin. Control Decis. Conf. (CCDC), Jun. 2018, pp. 1059–1063.
[66] J. Carino, D. Zurita, A. Picot, M. Delgado, J. Ortega, and
R. Romero-Troncoso, ‘‘Novelty detection methodology based on
multi-modal one-class support vector machine,’’ in Proc. IEEE 10th
Int. Symp. Diag. Electr. Mach., Power Electron. Drives (SDEMPED),
Sep. 2015, pp. 184–190.
[67] B. Narayanaswamy, B. Balaji, R. Gupta, and Y. Agarwal, ‘‘Data driven
investigation of faults in HVAC systems with model, cluster and compare
(MCC),’’ in Proc. 1st ACM Conf. Embedded Syst. Energy-Efficient Build-
ings, 2014, pp. 50–59.
[68] A. Hajdarevic, I. Dzananovic, L. Banjanovic-Mehmedovic, and
F. Mehmedovic, ‘‘Anomaly detection in thermal power plant using
probabilistic neural network,’’ in Proc. Proc. 38th Int. Conv. Inf.
Commun. Technol., Electron. Microelectron. (MIPRO), May 2015,
pp. 1118–1123.
[69] W. Yan, ‘‘One-class extreme learning machines for gas turbine combus-
tor anomaly detection,’’ in Proc. Int. Joint Conf. Neural Netw. (IJCNN),
Jul. 2016, pp. 2909–2914.
[70] C.-W. Wu and M. Chen, ‘‘Early anomaly detection in wind turbine bolts
breaking problem—Methodology and application,’’ in Proc. IEEE 3rd Int.
Conf. Big Data Anal. (ICBDA), Mar. 2018, pp. 402–406.
[71] M. A. Hayes and M. A. Capretz, ‘‘Contextual anomaly detection in big sen-
sor data,’’ in Proc. IEEE Int. Congr. Big Data (BigData Congr.), Jun. 2014,
pp. 64–71.
[72] C. Goutte and E. Gaussier, ‘‘A probabilistic interpretation of precision,
recall and f-score, with implication for evaluation,’’ in Proc. Eur. Conf.
Inf. Retr. Berlin, Germany: Springer, 2005, pp. 345–359.
VOLUME 7, 2019
MUHAMMAD FAHIM received the B.S. degree
(Hons.) from Gomal University, Pakistan, in 2007,
the M.S. degree from the National University
of Computer and Emerging Sciences (NUCES),
Pakistan, in 2009, and the Ph.D. degree from
Kyung Hee University, South Korea, in 2014,
where he was a Postdoctoral Fellow with the
Department of Computer Engineering. He served
as an Assistant Professor with the Department of
Computer and Software Engineering, Faculty of
Engineering and Natural Sciences, Istanbul Sabahattin Zaim University,
Istanbul, Turkey, for three years, where he also leads the Machine Learning
Research Laboratory. He is currently with the Institute of Information Sys-
tems, Innopolis University, Russia, as an Assistant Professor. His research
interests include activity recognition in smart homes and smartphone, wear-
able computing, digital signal processing, machine learning, and abnormal
behavior recognition in intelligent environments.
ALBERTO SILLITTI received the Ph.D. degree
in electrical and computer engineering from the
University of Genoa, Italy, in 2005. He has been
involved in several EU funded projects related to
open source software, services architectures, and
agile methods in which he applies noninvasive
measurement approaches. He is currently a Full
Professor with the Faculty of Computer Science
and Engineering, Innopolis University, Russia,
where he leads the Cyber-Physical Systems Lab
and is also the Director of the Institute of Information Systems. He is
also an Associate Dean for consulting activities. He has authored more
than 200 papers published in international conferences and journals. His
research interests include open source development, agile methods, empirical
software engineering, noninvasive measurement, software quality, cyber-
physical systems, and mobile and web services, with a focus on mobile
and energy-aware software development and quality for cyber-physical sys-
tems. He has served as a member for the program committee of several
international conferences, as a Program Chair for OSS in 2007 and 2019,
XP in 2010 and 2011, SEDA in 2012, 2013, and 2014, and a General Chair
for SEDA in 2018.
81681