Machine learning for anomaly

detection
December 2024
 1. Understanding techniques, applications, and best practices
Agenda

2. Case studies

3. Points to remember

4. Resources and further reading

5. Questions and discussion

 01
UNDERSTANDING TECHNIQUES, APPLICATIONS, AND
BEST PRACTICES
Artificial Intelligence vs Machine Learning

AI vs ML?

Artificial intelligence (AI) is a Machine learning (ML) is a

broad concept that describes specific application of AI that
a machine's ability to mimic teaches machines to perform
human intelligence. tasks by learning from data.
WHAT IS MACHINE LEARNING?

Machine Learning Overview

• Machine Learning is a subset of AI that .

enables systems to learn and improve from
experience without explicit programming.

• Key Focus Patterns, predictions, and decision-

making
Process
WHAT IS ANOMALY DETECTION?

Anomaly detection refers to

identifying patterns in data that do
not conform to expected behavior.

Significant in applications like

fraud detection, network security,
and predictive maintenance.

Helps mitigate risks and improve

decision- making processes.

Anomaly detection identifies suspicious activity that falls outside of your established normal
patterns of behavior. A solution protects your system in real-time from instances that could result
in significant financial losses, data breaches, and other harmful events
TYPES OF ANOMALIES

Point Anomalies
Data points significantly
different from the majority (e.g., Contextual Anomalies
a sudden spike in network
traffic). Unusual only within a specific
context (e.g., high temperature
during winter).

Collective Anomalies
A collection of related data
points that deviate as a group
(e.g., a distributed denial- of-
service attack).
SUPERVISED ANOMALY DETECTION UNSUPERVISED ANOMALY DETECTION
• Supervised machine learning builds a • Unsupervised methods do not demand
predictive model using a labeled training manual labeling of training data. Instead,
set with normal and anomalous samples they operate based on the presumption

• The most common supervised methods • The most popular unsupervised anomaly
include Bayesian networks, k-nearest detection algorithms include Autoencoders,
neighbors, decision trees, supervised neural K-means, GMMs, hypothesis tests-based
networks, and SVMs analysis, and PCAs.

• The advantage of supervised models is that • These techniques thus assume collections
they may offer a higher rate of detection of frequent, similar instances are normal
and flag infrequent data groups as
malicious.

SEMI SUPERVISED ANOMALY DETECTION

• Semi-supervised anomaly detection may refer to an approach to creating a model for normal data
based on a data set that contains both normal and anomalous data, but is unlabelled

• The most common semi supervised methods include Linear regression, Outlier detection,Graph-
based.

• A semi-supervised anomaly detection algorithm might also work with a data set that is partially
flagged. It will then build a classification algorithm on just that flagged subset of data, and use that
model to predict the status of the remaining data.
WHY USE MACHINE LEARNING FOR ANOMALY DETECTION?
Advantages of ML
• Handles complex and
large datasets effectively.
• . Learns from data to
adapt to new patterns
dynamically
• Provides superior
accuracy compared to
traditional statistical
methods.
Challenges
• Data imbalance Anomalies are
rare compared to normal data
• Dynamic and non- stationary
data.Data evolves over time,
requiring adaptive models
• High dimensionality Complex
data structures make anomalies
harder to detect
COMMON ALGORITHMS IN ANOMALY DETECTION
Algorithm Types
• Supervised Random Forest, SVM for
binary classification.
• Unsupervised: PCA, k- Means,
Isolation Forest for detecting
patterns.
• Deep Learning: Autoencoders, RNNs
for complex data types like time
series.
Anomaly Detection Algorithm Techniques To Know
• Isolation Forest
• Local Outlier Factor (LOF)
• Robust Covariance
• One- class support vector machine
(SVM)
• One- class SVM with stochastic
gradient descent (SGD)
• K- means clustering
• Long short- term memory (LSTM)
• Angle- based outlier detection
 Techniques
Isolation Forest
Isolation Forest isolates
anomalies by creating random
partitions in the data. Anomalies
are isolated faster than normal
points due to their distinct
properties.
One-Class SVM with SGD
This method optimizes One-
Class SVM using Stochastic
Gradient Descent to handle
large-scale datasets efficiently.
Local Outlier Factor
LOF identifies anomalies by
comparing the local density of a
point to its neighbors. Points with
significantly lower density than
their neighbors are flagged as
outliers
K-Means Clustering
K-Means groups data into
clusters, and points far from any
cluster center are considered
anomalies.
. anomalies by analyzing
Robust Covariance
Robust covariance is a statistical
method that computes the
covariance matrix to identify
data points deviating from the
multivariate distribution.
.
Long Short-Term Memory
(LSTM)
LSTMs are a type of recurrent
neural network that learns
temporal dependencies in
sequential data. They identify
deviations from learned patterns.
One-Class Support Vector
Machine (SVM)
A One-Class SVM creates a
boundary around normal data
points in a high-dimensional
space, classifying points outside
the boundary as anomalies.
Angle-Based Outlier
Detection
This method calculates the
angle between points in high-
dimensional space to detect
anomalies. Anomalies are
identified based on deviations
from expected angular
distributions.
 One-Class Support Vector
Isolation Forest Local Outlier Factor(LOF) Machine (SVM)

Long Short-Term Memory (LSTM)

K-Means Clustering
 EXAMPLES OF ALGORITHM APPLICATIONS
Isolation Forest Example
Detecting fraudulent
transactions in credit card data
using an Isolation Forest
algorithm.
One-Class SVM with SGD Example
Detecting outliers in massive
customer behavior datasets in
e- commerce.
Local Outlier Factor (LOF) Example
Identifying unusual behavior in
user activity logs for
cybersecurity.
K-Means Clustering Example
Identifying rare diseases in
patient medical records by
analyzing cluster distances.
Robust Covariance Example
Detecting unusual patterns in
multivariate sensor data in
manufacturing processes.
Long Short-Term Memory (LSTM)
Example
Detecting anomalies in time-
series data, such as server logs
or stock market fluctuations.
One-Class Support Vector Machine
(SVM) Example
Detecting abnormal network
traffic in IT infrastructure.
Angle-Based Outlier Detection
Example
Detecting outliers in large, high-
dimensional datasets like gene
expression data.
INFERENCE

Key Inference

Anomaly detection techniques are vital for

uncovering irregularities in various domains.
Choosing the right algorithm depends on the

1. Dataset
2. Scale,
3. Application requirements.
PRACTICAL WORKFLOW FOR ANOMALY DETECTION

Step 1 Data preprocessing: Handle

missing data, outliers, and normalization.

Step 2Algorithm selection based on the

data and problem type.

Workflow
Step 3 Model evaluation using key metrics
like F1- score.

Step 4 Deploy the model and monitor its

performance.
 02
CASE STUDIES
03 Resources and Further Reading

1. Books: 'Anomaly Detection Principles and Algorithms' by Aggarwal.

2. Courses: 'Machine Learning for All’, AL/ML at IIT
3. Datasets: UCI Machine Learning Repository
Q&A
Thank you