Received April 19, 2021, accepted May 16, 2021, date of publication May 24, 2021, date of current

version June 4, 2021.

Digital Object Identifier 10.1109/ACCESS.2021.3083060

Machine Learning for Anomaly Detection: A

Systematic Review
ALI BOU NASSIF 1 , (Member, IEEE), MANAR ABU TALIB 2 , (Senior Member, IEEE),
QASSIM NASIR3 , AND FATIMA MOHAMAD DAKALBAB 2
1 Department of Computer Engineering, University of Sharjah, Sharjah, United Arab Emirates
2 Department of Computer Science, University of Sharjah, Sharjah, United Arab Emirates
3 Department of Electrical Engineering, University of Sharjah, Sharjah, United Arab Emirates

Corresponding author: Ali Bou Nassif ([email protected])

This work was supported by the Open UAE research group, University of Sharjah.

ABSTRACT Anomaly detection has been used for decades to identify and extract anomalous components
from data. Many techniques have been used to detect anomalies. One of the increasingly significant
techniques is Machine Learning (ML), which plays an important role in this area. In this research paper,
we conduct a Systematic Literature Review (SLR) which analyzes ML models that detect anomalies in their
application. Our review analyzes the models from four perspectives; the applications of anomaly detection,
ML techniques, performance metrics for ML models, and the classification of anomaly detection. In our
review, we have identified 290 research articles, written from 2000-2020, that discuss ML techniques for
anomaly detection. After analyzing the selected research articles, we present 43 different applications of
anomaly detection found in the selected research articles. Moreover, we identify 29 distinct ML models used
in the identification of anomalies. Finally, we present 22 different datasets that are applied in experiments
on anomaly detection, as well as many other general datasets. In addition, we observe that unsupervised
anomaly detection has been adopted by researchers more than other classification anomaly detection systems.
Detection of anomalies using ML models is a promising area of research, and there are a lot of ML models
that have been implemented by researchers. Therefore, we provide researchers with recommendations and
guidelines based on this review.

INDEX TERMS Anomaly detection, machine learning, security and privacy protection.

I. INTRODUCTION tected data may represent significant, critical, and actionable

Detecting anomalies is a major issue that has been studied
for centuries. Numerous distinct methods have been devel-
oped and used to detect anomalies for different applications.
Anomaly detection refers to ‘‘the problem of finding patterns
in data that do not conform to expected behavior’’ [1], [2].
The detection of anomalies is widely used in a broad variety
of applications. Examples of these include fraud detection,
loan application processing, and monitoring of medical con-
ditions, An example of a medical application is heart rate
monitors [3]. Other widely used applications of detecting
anomalies include cyber security intrusion detection [4]–[6],
fault detection for aviation safety study, streaming, and hyper-
spectral imagery, etc. The importance of detecting anomalies
in various application domains concerns the risk that unpro-
The associate editor coordinating the review of this manuscript and
approving it for publication was Mehul S. Raval . a contextual anomaly. There are two attributes of contextual
information. For instance, detecting an anomalous computer
network traffic pattern may expose an attack from a hacked
computer [7]. Another example would be the detection of
anomalies in the transaction data of a credit card, which may
indicate theft [8]. Besides, detecting an anomaly from an
airplane sensor may result in the detection of a fault in some
of the components of the aircraft.
Anomaly is defined at an abstract level as a pattern, not
in line with the ordinary anticipated behavior. Anomalies are
classified into three main categories [1], [9], [10]:
1. Point Anomalies: If a single data instance can be con-
sidered anomalous for the remainder of the data, the instance
is called a point anomaly and is regarded as the simplest
anomaly form.
2. Contextual Anomalies: If in a particular context a data
instance is anomalous, but not in another context, it is called

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
78658 VOLUME 9, 2021
A. B. Nassif et al.: Machine Learning for Anomaly Detection
anomalies: contextual attributes and behavioral attributes.
The first attribute is applied to determine an instance’s context
(or neighborhood). For example, the longitude and latitude
of a location are contextual attributes in spatial datasets.
Moreover, time is a contextual attribute in time series data
that determines an instance’s position on the entire sequence.
The second attribute is considered as attributes of behavior
where it defines an instance’s noncontextual features. For
example, the amount of rainfall that occurs at any location
in a spatial dataset describing the world’s average rainfall is
a behavioral attribute.
The preference for using the technique of contextual
anomaly detection is determined by the significance of the
contextual abnormalities in the target area. The availability
of qualitative attributes is another significant aspect. In some
instances, it is easy to identify a context, and thus it makes
sense to apply a contextual detection technique. In other
instances, it is not possible to establish a sense such that
certain methods are difficult to use.
3. Collective anomalies: If a set of associated data
instances is anomalous for the entire dataset, it is called a
collective anomaly.
Statistical anomaly detection techniques are some of the
oldest algorithms used to detect anomalies [10]. Statistical
methods build a statistical model for the ordinary behavior
of the data provided. A statistical inference test may then be
carried out to detect whether or not an instance belongs to
this model. Several methods are used to conduct statistical
anomaly detection [11]. This includes proximity based, para-
metric, non-parametric, and semi-parametric methods.
Machine learning (ML) techniques are increasingly being
used as one of the approaches to detect anomalies. ML is
the effort to ‘‘automate the process of knowledge acquisition
from examples’’ [12]. The technique is used to build a model
that distinguishes between ordinary and abnormal classes.
Anomaly detection can therefore be split into three broad
categories based on the training data function used to build
the model. The three broad classes are [1], [13]:
• Supervised anomaly detection: In this class, both the
normal and anomalous training datasets contain labeled
instances. In this model, the approach is to build a predictive
model for both anomaly and normal classes and then com-
pare these two models. However, in this mode, two issues
occur. First, the number of anomalies in the training set is
much lower when compared with normal instances. Second,
precise and representative labels are challenging to identify,
particularly for the anomaly class.
• Semi-supervised anomaly detection: Training here
includes only ordinary class cases. Therefore, anything that
cannot be classified as ordinary is marked as anomalous.
Semi-supervised techniques presume that training data have
labeled instances for the normal class alone. Since they do
not need anomaly class labels, they are more common than
supervised methods.
• Unsupervised anomaly detection: In this case, training
datasets are not required for the methods. Therefore, those
VOLUME 9, 2021
methods imply that normal instances are much more common
than anomalies in test datasets. However, if the assumption
fails, it leads to a high false alarm rate for this technique.
Many semi-supervised techniques can be adapted to oper-
ate in an unsupervised mode by using unlabeled dataset sam-
ples as training data. Such adaptation assumes that there are
very few anomalies in the test data and these few anomalies
are robust to the model learning during training.
This study’s primary objective is to conduct a systematic
review that represents a comprehensive study of ML tech-
niques for anomaly detection and their applications. More-
over, this review studies the accuracy of the ML models and
the percentage of research papers that apply supervised, semi-
supervised, or unsupervised anomaly detection classification.
We believe that this review will enable researchers to have
a better understanding of the different anomaly detection
methods and guide them in reviewing the recent research
done on this subject.
To the best of our knowledge, there are very few Systematic
Literature Reviews (SLR) on detecting anomalies through
machine learning techniques, which has motivated this work.
Research articles were read thoughtfully and were selected,
based on Kitchenham and Charter’s methodology [14]., with
regards to (i) the main prediction research work done in
anomaly detection, (ii) the ML algorithms used in anomaly
detection, (iii) the estimation and accuracy of ML models
proposed, and (iv) the strength and weaknesses of the ML
technique used.
The remainder of this paper is divided into six
sections: Section 2 provides information on related
work. Section 3 describes the methodology used in this
research. Section 4 lists the results and discussions.
Section 5 addresses the limitations of this review. Finally,
Section 6 contains a discussion and suggestions for future
work.
A. LITERATURE REVIEW
Detection of anomalies is an important issue that has been
investigated in various fields of study and implementation.
Many detection methods for anomalies have been created
specifically for certain applications, while others are more
generic. For example, Chandola et al. [1] provided an exten-
sive survey of anomaly detection techniques and applications.
A board review of different techniques of Machine learn-
ing as well as non-machine learning, such as statistical and
spectral detection methods, was discussed in detail. More-
over, the survey presents several applications of anomaly
detection. Examples include cyber intrusion detection, fraud
detection, medical anomaly detection, industrial damage
detection, image processing detection, textual anomaly detec-
tion, and sensor networks. The same authors introduced
another survey [10] on the topic of anomaly detection for
discrete sequence. The authors provided a comprehensive
and structured overview of the existing research on the prob-
lem of detecting anomalies in discrete/symbolic sequences.
In addition, Hodge and Austin [15] presented an overall
78659

FIGURE 1. Research methodology.
TABLE 1. Inclusion & exclusion criteria.
study of machine learning and statistical anomaly detection
methodologies. Also, the authors discussed comparatively
the advantages and disadvantages of each method. On the
other hand, Agrawal and Agrawal [8] proposed a survey on
anomaly detection using data mining techniques.
Several surveys were mainly focused on detecting anoma-
lies in specific domains and applications, such as [16] where
the authors presented an overall survey of wide clustering
78660
A. B. Nassif et al.: Machine Learning for Anomaly Detection
based fraud detection and also compared those techniques
from several perspectives. In addition, Sodemann et al. [17]
presented anomaly detection in automated surveillance,
where they provided different models and classification algo-
rithms. The authors examined research studies according
to the problem domain, approach, and method. Moreover,
Zuo [18], provided a survey of the three most widely used
techniques of anomaly detection in the field of geochemical
data processing; Fractal/multi-fractal models, compositional
data analysis, and machine learning (ML), but the author
focuses mainly on machine learning techniques. On the other
hand, He et al. [19] surveyed the framework of log based
anomaly detection. The authors reviewed six representative
anomaly detection methods and evaluated each one. The
authors also compared and contrasted the precision and effec-
tiveness of two representative datasets of the production log.
Furthermore, Ibidunmoye et al. [20] provided an overview
of anomaly detection and bottleneck identification as they
related to the performance of computing systems. The authors
identified the fundamental elements of the problem and then
classified the existing solutions.
Anomaly intrusion detection was the focus of many
researchers. For instance, Yu [21] presented a comprehensive
study on anomaly intrusion detection techniques such as sta-
tistical, machine learning, neural networks, and data mining
detection techniques. Also, Tsai et al. [22] reviewed intrusion
detection, but the authors focused on machine learning tech-
niques. They provided an overview of machine learning tech-
niques designed to solve intrusion detection problems written
between 2000 and 2007. Moreover, the authors compared
related work based on the types of classifier design, dataset,
and other metrics. Similarly, Patcha and Park [23] pre-
sented an extensive study of anomaly detection and intrusion
detection techniques, and Buczak and Guven [24] surveyed
machine learning and data mining methods for cyber intru-
sion detection. They provided a description of each method
and addressed the challenges of using machine learning and
data mining in cyber security. Finally, Satpute et al. [25] pre-
sented a combination of various machine learning techniques
with particle swarm optimization to improve the efficiency of
detecting anomalies in network intrusion systems.
The detection of network anomalies has been an important
area of research [26], [27] Therefore, many surveys focused
on that topic. For example, Bhuyan et al. [11] presented a
comprehensive study of network anomaly detection. They
identified the kinds of attacks that are usually encountered by
intrusion detection systems and then described and compared
the effectiveness of different anomaly detection methods.
In addition, the authors discussed network defenders’ tools.
Similarly, Gogoi et al. [7] surveyed an extensive study of
well-known distance based, density based techniques as well
as supervised and unsupervised learning in network anomaly
detection. On the other hand, Kwon et al. [28] mainly focused
on deep learning techniques, such as restricted Boltzmann
machine based deep belief networks, deep recurrent neural
networks, as well as machine learning methods appropriate to
VOLUME 9, 2021
A. B. Nassif et al.: Machine Learning for Anomaly Detection
network anomaly detection. In addition, the authors presented
experiments that demonstrated the practicality of using deep
learning techniques in network traffic analysis.
Our systematic review is different from those described
above, as we are presenting an extensive research study on
detecting anomalies through machine learning techniques.
Table 6 in Appendix A summarizes the related work and
displays the differences between it and our work.
Our study differs from the related work in various aspects,
such as:
1. Machine learning techniques are included, and the
model types of techniques include supervised, semi-
supervised, or unsupervised anomaly detection.
2. Precision comparison of each technique
3. A comprehensive approach is presented which includes
the advantages and disadvantages of each technique.
4. Covers the period from 2000 to 2020, which is quite
recent.
II. METHODOLOGY
In this study, we conducted a Systematic Literature
Review (SLR) based on Kitchenham and Charters method-
ology [14]. The method includes the stages of planning and
conducting research, and reporting. There are several phases
in each stage. The planning phase is divided into six dif-
ferent stages. The first stage is to identify study questions
that are based on the review’s objectives. The second stage,
in relation to specifying the proper search terms, is developing
the search strategy, for collecting research papers related to
the topic that fulfill the research questions. The third stage
is to identify the study selection procedures, which include
the exclusion and inclusion rules. In the fourth stage, rules
are identified for quality assessment to be used to filter the
collected study papers. The fifth stage involves detailing an
extraction strategy to answer the research questions that were
specified before. Finally, the sixth stage involves synthesizing
the data obtained. We followed the review protocol, and this
is demonstrated in the following subsections.
Error! Reference source not found. below illustrates this
research methodology.
A. RESEARCH QUESTIONS
This SLR intends to summarize, clarify and examine the ML
techniques and implementations that were applied in anomaly
detection from 2000 through 2020
inclusive. The following four research questions (RQs) are
raised for this purpose:
1.RQ1: What is the main prediction about research
work done in anomaly detection?
RQ1 aims to identify the prediction research work that is
done in anomaly detection, whether the prediction is an ML.
2.RQ2: What kinds of ML algorithms are being applied
in anomaly detection?
RQ2 aims at specifying the ML methods that have been
applied in the detection of anomalies.
VOLUME 9, 2021
3.RQ3: What is the overall estimation and accuracy of
machine learning models?
RQ3 is concerned with ML model estimation. Estimation
accuracy is the main performance metric for models of ML.
This question focuses on the following three elements of
estimation accuracy: dataset building, performance metric,
and accuracy value.
4.RQ4: What is the percentage of papers that address
unsupervised, semi-supervised, or supervised anomaly
detection?
RQ4 aims to present the percentage of collected research
papers that use unsupervised, semi- supervised, or supervised
anomaly detection techniques.
B. SEARCH STRATEGY
We followed the following procedure to construct the search
term:
1) Main search terms are identified from the research
questions.
2) New terms were defined to replace main terms such as
intrusion, outliers, and synonyms.
3) Boolean operators (ANDs and ORs) are used to limit the
search results.
4) The search terms that are used in this review are related
to anomaly detection and machine learning.
Below are the digital libraries that we used in this search
(journals and conference papers):
• Google Scholar
• ACM Digital Library
• Springer
• Elsevier
• IEEE Explorer
According to our inclusion/exclusion criteria, 290 papers
were used in this review. They include 95 journal papers and
195 conference papers.
C. STUDY SELECTION
In the beginning, we collected 350 papers based on the search
terms mentioned earlier. Later, we filtered those papers to
verify that only papers related to the topic were included in
our review. The filtration process was discussed among the
co-authors at planned periodic meetings. The filtration and
selection processes are explained below:
Step 1: Remove all the duplicated articles that were col-
lected from the different digital libraries.
Step 2: Apply inclusion and exclusion criteria to avoid any
irrelevant papers.
Step 3: Remove review papers from the collected papers.
Step 4: Apply quality assessment rules to include only the
qualified papers that ensure the best answer for our research
questions.
Step 5: Search for additional related papers from refer-
ences in the collected papers from step 4 and repeat step 4 on
the new added articles.
78661
 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 2. Selected papers’ quality assessment results.

TABLE 3. Anomaly detection applications among articles.

The applied inclusion and exclusion criteria in this review D. QUALITY ASSESSMENT RULES (QARs)
are discussed in Table 1. In the end, after conducting The QARs were the final step in the identification of the
the filtration steps, 290 papers were observed for this final list of papers to be included in this review. The QARs
review. are essential to guaranteeing and assessing the quality of the

78662 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

FIGURE 2. Anomaly detection applications iteration per year.

FIGURE 3. Machine learning techniques observed.

FIGURE 4. Feature selection/extraction techniques observed in the literature.

research papers. Therefore 10 QARs are identified and each selected as follows: ‘‘fully answered’’ = 1, ‘‘above average’’
is given a value of 1 mark out of 10. The score of each QAR is = 0.75, ‘‘average’’ = 0.5, ‘‘below average’’ = 0.25, ‘‘not

VOLUME 9, 2021 78663


FIGURE 5. Utilized datasets in collected research articles.
FIGURE 6. Percentage of anomaly detection type.
answered’’ = 0. The summation of the marks obtained for
the 10 QARs is the score of the article. Moreover, if the result
is 5 or higher, we consider the article; otherwise, we exclude
it. Moreover, we choose the score 5 as it represents the middle
point of the good quality articles and it answers our intended
research questions.
QAR1: Are the study objectives clearly recognized?
78664
A. B. Nassif et al.: Machine Learning for Anomaly Detection
FIGURE 7. Frequency of performance metrics among.
QAR2: Are the anomaly detection techniques well defined
and deliberated?
QAR3: Is the specific application of anomaly detection
clearly defined?
QAR4: Does the paper cover practical experiments using
the proposed technique?
QAR5: Are the experiments well designed and justifiable?
QAR6: Are the experiments applied on sufficient datasets?
QAR7: Are estimation accuracy criteria reported?
VOLUME 9, 2021
A. B. Nassif et al.: Machine Learning for Anomaly Detection
TABLE 4. Machine learning techniques among research articles.
QAR8: Is the proposed estimation method compared with
other methods?
QAR9: Are the techniques of analyzing the outcomes suit-
able?
QAR10: Overall, does the study enrich the academic com-
munity or industry?
VOLUME 9, 2021
E. DATA EXTRACTION STRATEGY
In this step, our aim was to analyze the final list of papers
to extract the required information for answering the four
research questions. Consequently, we extracted the following
information from each paper: paper number, title of the paper,
publication year of the paper, publication type, anomaly
78665

FIGURE 8. Anomaly detection classification type per year.
application type, RQ1, RQ2, RQ3, and RQ4. Due to the
unstructured nature of information, extraction was challeng-
ing. For instance, for associated methods such as ‘‘J48’’ or
‘‘C4.5,’’ researchers would use distinct terminologies. It is
essential to note that the four research questions were not
answered by all papers.
F. SYNTHESIS OF EXTRACTED DATA
In order to synthesize the information obtained from the cho-
sen papers, we used various processes to aggregate evidence
to answer the RQs. The following describes in detail the
method of synthesis we followed: We used the technique of
narrative synthesis to tabulate the information obtained in
accordance with RQ1 and RQ2. We use binary outcomes to
analyses the results for the information obtained (quantita-
tive) in RQ3 and RQ4, which came from different papers with
distinct accuracy calculation methods that are presented in a
comparable way.
III. RESULTS AND DISCUSSIONS
In this section, we address the outcomes of this review. This
subsection gives an overview of the selected papers of this
review. The results of each research question are addressed
in detail in the following five sections. A total of 290 stud-
ies were chosen which implemented machine learning for
anomaly detection. These research articles were published
between 2000 and 2020. The list of these papers is included
in Table 7 in Appendix A. As explained earlier, a quality
assessment criterion is used to stream the articles on the basis
of the marks obtained. Research articles of grade 5 or higher
(out of 10) have been taken into consideration. Moreover,
the frequency of the QAR score of the selected paper is listed
in Table 2.
78666
A. B. Nassif et al.: Machine Learning for Anomaly Detection
A. ANOMALY DETECTION APPLICATIONS
In this section, we address RQ1 which aims to identify the
prediction research work that has been done in anomaly
detection.
Anomaly detection techniques are mainly divided into two
classifications: machine learning based, and non-machine
learning based. The non-machine learning based techniques
can be classified into statistical and knowledge based.
Regarding this review, there are 274 articles that discuss
the detection of anomalies through machine learning tech-
niques. On the other hand, there are 16 articles that focus on
non-machine learning based techniques.
Detection of anomalies can be used in a wide variety of
applications. In this review, we identified 43 different appli-
cations in the selected papers. The list of these applications
appears in Table 3.
As shown in Table 3, the review indicates that intru-
sion detection, network anomaly detection, general anomaly
detection, and data applications are the studies applied most
often in the anomaly detection area. In addition, the table
contains comprehensive information on the frequency with
which anomaly detection application is used by the selected
articles.
Moreover, the review shows that researchers began to adopt
more applications of anomaly detection between 2011 and
2020. For further information on results, Figure 2 illustrates
the distribution of anomaly detection application per year
during the period considered.
B. TYPES OF MACHINE LEARNING TECHNIQUES
In this section, we address RQ2, which aims at specifying
the machine learning techniques that have been used to detect
anomalies between 2000 and 2020.
VOLUME 9, 2021
A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 5. Machine learning techniques strength and weakness. TABLE 5. (Continued.) Machine learning techniques strength and
weakness.

As a fundamental point of this review, the most frequently

used ML methods in anomaly detection are identified along methods considers all the phases of the method’s experiment,
with an evaluation of these methods. The evaluation of the such as the feature selection phase, extraction phase, etc.

VOLUME 9, 2021 78667

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 5. (Continued.) Machine learning techniques strength and TABLE 5. (Continued.) Machine learning techniques strength and
weakness. weakness.

78668 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 5. (Continued.) Machine learning techniques strength and TABLE 6. Related work summary.
weakness.

As shown in Figure 3, we identified 28 ML techniques that

had been applied by researchers in the development of models
to detect anomalies on their application. These techniques
can be divided into six categories: classification, ensemble,
optimization, rule system, clustering, and regression. Those
ML techniques are used in two forms: standalone or hybrid
models. Hybrid models are obtained by combining two or
more ML techniques. Table 4 represents the frequency of ML
techniques among the collected research articles. Accord-
ing to Table 4 in Appendix A, it can be seen that a lot of
researchers used to combine more than one ML technique.
This includes A2 (DBN with one class SVM), A23 (SVM
with GA), and A14 (SVM with K-Medoids clustering). More-
over, SVM is the most used technique as either standalone or
in hybrid models.
Feature selection/extraction has been discovered exten-
sively in the literature and it is a significant move towards dis-
carding irrelevant data, which helps to enhance and improve
the precision and computational efficiency of the suggested
models. Figure 4 demonstrates 21 different feature selec-

VOLUME 9, 2021 78669

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 6. (Continued.) Related work summary. TABLE 6. (Continued.) Related work summary.

tion/extraction techniques that are being applied. Moreover,

we notice that PCA and CFS are the feature selection tech-
niques being used most often in anomaly detection. Even
though this step is very important, most of the research arti-
cles did not include it. While some research articles did apply
this step, the techniques were not discussed.
Table 5 in Appendix A represents some of the research
articles that mentioned the strength or weakness of their
proposed machine learning model. Therefore, Table 5 shows
the research article number, the machine learning technique,
and the strength or weakness if mentioned.

C. OVERALL ESTIMATION AND ACCURACY OF ML

MODELS
In this section, we address RQ3 which is concerned with the
estimation of ML models. Estimation accuracy is the pri-
mary performance metric for machine learning models. This
question focuses on the following four aspects of estimation

78670 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 7. Selected research article.

VOLUME 9, 2021 78671

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 7. (Continued.) Selected research article.

78672 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 7. (Continued.) Selected research article.

VOLUME 9, 2021 78673

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 7. (Continued.) Selected research article.

78674 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 7. (Continued.) Selected research article.

VOLUME 9, 2021 78675

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 7. (Continued.) Selected research article.

78676 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 7. (Continued.) Selected research article.

VOLUME 9, 2021 78677

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. Performance metrics among selected papers.

78678 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

VOLUME 9, 2021 78679

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

78680 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

VOLUME 9, 2021 78681

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

78682 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

VOLUME 9, 2021 78683

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

78684 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

VOLUME 9, 2021 78685

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

78686 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

VOLUME 9, 2021 78687

 A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

78688 VOLUME 9, 2021

A. B. Nassif et al.: Machine Learning for Anomaly Detection

TABLE 8. (Continued.) Performance metrics among selected papers.

VOLUME 9, 2021 78689


TABLE 8. (Continued.) Performance metrics among selected papers.
accuracy: performance metric, accuracy value, dataset for
construction, and model validation methods.
Since building a ML model relies on the dataset,
we reviewed the data source of ML models for anomaly
detection utilized in the selected research articles. Moreover,
we identified 22 different datasets that have been used in
the experiments of related articles and many other general
datasets. The datasets can be classified as synthetic data,
real life data, and virtualized data. Figure 5 demonstrates
the frequency of utilized datasets in the collected research
articles. As shown in Figure 5, the most frequently used
dataset in the selected research papers was real life dataset,
according to anomaly detection application. In addition,
48 research papers utilized KDD Cup 1999 virtualized dataset
and 38 research papers adopted benchmark datasets.
In addition to datasets, ML models should also be evaluated
with performance metrics. We found 276 papers that clearly
presented the performance metrics of their proposed models.
Figure 6 shows that the performance metric used most was
True Positive Rate (TPR), which is also known as detection
date, sensitivity, and recall. It measures the anomalies that are
correctly classified. Moreover, 116 papers used False Positive
Rate (FPR) as a performance metric. This metric measures
anomalies that are falsely classified, and it can be known
as false alarm rate as well. Furthermore, Accuracy (Acc),
precision, and were F-score applied often by researchers as
a performance metric. Acc is the percentage of anomalies
that were correctly classified. Adding more, AUC measures
the whole two dimensional area under the entire ROC curve.
ROC curve is one of the strongest metrics used to efficiently
78690
A. B. Nassif et al.: Machine Learning for Anomaly Detection
assess intrusion detection systems performance, and it is a
graphical tool that illustrates accuracy across FPS. On the
other hand, Precision is usually associated with F-score and
recall, and it measures the ratio of anomalies that are correctly
classified as an attack. In addition, we find that 64 of the
290 papers used only one performance metric, and most of
those papers used only accuracy or AUC, which is not suffi-
cient to determine the quality performance of the ML model.
On the other hand, papers like A10 and A69 used 7 to 9 per-
formance metrics to represent the performance of their ML
models. Furthermore, a lot of papers present computational
performance metrics in addition to performance metrics, such
as CPU utilization, execution time, training time, testing time,
and computational time. Table 8 in appendix A presents
each paper ID and the proposed ML model along with the
performance and computational metrics applied. Moreover,
it presents anomaly detection types whether it is supervised,
unsupervised, and semi-supervised. As well as the dataset
used for that model.
D. PERCENTAGE OF UNSUPERVISED, SEMI-SUPERVISED
OR SUPERVISED ANOMALY DETECTION TECHNIQUES
In this section, we address RQ4, which aims to present the
percentage of collected research papers that use supervised,
semi-supervised, or unsupervised anomaly detection meth-
ods.
As previously mentioned, anomaly detection can be
divided into three broad classes depending on the feature
of the training data that is applied to construct the model.
The three broad classes are unsupervised anomaly detection,
VOLUME 9, 2021
A. B. Nassif et al.: Machine Learning for Anomaly Detection
semi-supervised anomaly detection, and supervised anomaly
detection. For this RQ we reviewed the classification type
of anomaly detection techniques used in research articles.
According to Figure 7, 27% of the selected papers applied
unsupervised anomaly detection type, making it the most
used technique among the research articles. On the other
hand, 18% applied supervised anomaly detection, while
7% applied both supervised and unsupervised anomaly
detection classification. In contrast, 5% of research articles
adopted semi-supervised learning. Furthermore, 1% applied
semi-supervised with unsupervised anomaly detection. Sur-
prisingly, 42% of the research articles did not mention the
classification type of the anomaly detection they applied.
According to Figure 8, the unsupervised anomaly detection
type has been applied from 2002 until 2020. As for super-
vised anomaly detection type, it was adopted by researchers
in 2002 and has been used until the present time. Supervised
and unsupervised anomaly detection types were utilized from
2005 to 2019. In contrast, supervised and semi-supervised
anomaly detection types were adopted only in 2013 and 2018.
Similarly, unsupervised and semi-supervised anomaly detec-
tion types have only been used twice, in 2011 and 2016. It can
be seen then, that combining semi-supervised learning with
either supervised or unsupervised learning was not adopted
by many researchers compared to the supervised anomaly
detection type or unsupervised anomaly detection type. For
further information on results, Table 8 in Appendix A present
the anomaly detection type of each research article.
IV. LIMITATION OF THIS REVIEW
This systematic literature review is limited to journal and
conference papers related to ML in the field of anomaly
detection. We excluded several non-relevant research papers
by implementing our search approach in the first stages of
the review. This ensured that the research papers chosen
met the research requirements. However, we believe that this
review would have been further enhanced by drawing on
additional sources. Moreover, the same concept applies to
quality assessment since we applied a strict QAR.
V. CONCLUSION
This systematic literature review studied anomaly detection
through machine learning techniques (ML). It reviewed ML
models from four perspectives: the application of anomaly
detection type, the type of ML technique, the ML model
accuracy estimation, and the type of anomaly detection
(supervised, semi-supervised, and unsupervised). The review
investigated the relevant studies that were published from
2000-2020. We queried 290 research articles that answered
the four research questions (RQs) raised in this review.
The findings of RQ1 were that we identified 43 different
applications of anomaly detection in the selected papers.
We observed that intrusion detection, network anomaly detec-
tion, general anomaly detection, and data applications are
the studies most often applied in the anomaly detection area.
Furthermore, between 2011 and 2019 researchers started to
VOLUME 9, 2021
adopt more applications for anomaly detection. As for RQ2,
we demonstrated 29 different ML models that have been
applied by researchers, with the most commonly used being
SVM. Moreover, we noted an interest in building hybrid
models. In addition, we identified that PCA and CFS are the
most commonly used among 21 feature selection/extraction
techniques. In RQ3 we presented the performance metrics
applied by each research paper, and we found that 64 of
the 290 papers used accuracy or AUC as their main perfor-
mance metric, which is not efficient enough. Furthermore,
we identified 22 different datasets that have been used in the
experiments of related articles as well as many other general
datasets, and most of the experiments used real life dataset as
training or testing datasets for their models. Lastly, in RQ4 we
counted the classification type of anomaly detection used in
selected research articles. We found that 27% of the selected
papers applied unsupervised anomaly detection type, making
it the most used approach among the research articles. The
next most utilized approach was applied supervised anomaly
detection, at 18%, followed by 7% of the papers which
applied both supervised and unsupervised anomaly detection
classification.
Based on this review, we recommend that researchers con-
duct more research on ML studies of anomaly detection to
gain more evidence on ML model performance and effi-
ciency. Moreover, researchers are also encouraged to create
a general structure for introducing experiments on ML mod-
els. Moreover, since we found research papers that did not
mention feature selection/extraction type, this field is impor-
tant for improvement. Furthermore, some of the research
papers reported their results using one performance metric,
such as accuracy, which needs more improvement and more
consideration. We also noticed that several researchers used
old databases in conducting their research. We recommend
researchers use more recent datasets.
APPENDIX
See Tables 4–8.
ACKNOWLEDGMENT
The authors would like to thank the University of Sharjah and
OpenUAE Research and Development Group for funding this
research study. They are also grateful to their research assis-
tants who helped in collecting, summarizing, and analyzing
the research articles for this SLR study.
‘‘Conflict of Interest: The authors declare that they have
no competing interests’’.
‘‘Informed consent: This study does not involve any
experiments on animals or humans’’.
REFERENCES
[1] V. Chandola, A. Banerjee, and V. Kumar, ‘‘Anomaly detection: A sur-
vey,’’ ACM Comput. Surv., vol. 41, no. 3, pp. 71–97, 2009, doi:
10.1145/1541880.1541882.
[2] M. Injadat, F. Salo, A. B. Nassif, A. Essex, and A. Shami, ‘‘Bayesian
optimization with machine learning algorithms towards anomaly detec-
tion,’’ in Proc. IEEE Global Commun. Conf. (GLOBECOM), Dec. 2018,
pp. 1–6, doi: 10.1109/GLOCOM.2018.8647714.
78691

[3] T. Schlegl, P. Seeböck, S. M. Waldstein, U. Schmidt-Erfurth, and
G. Langs, Unsupervised Anomaly Detection With Generative Adversar-
ial Networks to Guide Marker Discovery, vol. 10265, no. 2. Cham,
Switzerland: Springer, 2017.
[4] F. Salo, M. Injadat, A. B. Nassif, A. Shami, and A. Essex, ‘‘Data
mining techniques in intrusion detection systems: A systematic lit-
erature review,’’ IEEE Access, vol. 6, pp. 56046–56058, 2018, doi:
10.1109/ACCESS.2018.2872784.
[5] F. Salo, M. N. Injadat, A. Moubayed, A. B. Nassif, and A. Essex,
‘‘Clustering enabled classification using ensemble feature selection for
intrusion detection,’’ in Proc. Int. Conf. Comput., Netw. Commun. (ICNC),
2019, pp. 276–281, doi: 10.1109/ICCNC.2019.8685636.
[6] F. Salo, A. B. Nassif, and A. Essex, ‘‘Dimensionality reduction
with IG-PCA and ensemble classifier for network intrusion
detection,’’ Comput. Netw., vol. 148, pp. 164–175, Jan. 2019, doi:
10.1016/J.COMNET.2018.11.010.
[7] P. Gogoi, D. K. Bhattacharyya, B. Borah, and J. K. Kalita, ‘‘A survey of
outlier detection methods in network anomaly identification,’’ Comput.
J., vol. 54, no. 4, pp. 570–588, Apr. 2011, doi: 10.1093/comjnl/bxr026.
[8] S. Agrawal and J. Agrawal, ‘‘Survey on anomaly detection using data
mining techniques,’’ Procedia Comput. Sci., vol. 60, no. 1, pp. 708–713,
2015, doi: 10.1016/j.procs.2015.08.220.
[9] R. A. A. Habeeb, F. Nasaruddin, A. Gani, I. A. T. Hashem, E. Ahmed,
and M. Imran, ‘‘Real-time big data processing for anomaly detection:
A survey,’’ Int. J. Inf. Manage., vol. 45, pp. 289–307, Apr. 2019, doi:
10.1016/j.ijinfomgt.2018.08.006.
[10] V. Chandola, A. Banerjee, and V. Kumar, ‘‘Anomaly detection for discrete
sequences: A survey,’’ IEEE Trans. Knowl. Data Eng., vol. 24, no. 5,
pp. 823–839, Nov. 2012.
[11] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, ‘‘Network anomaly
detection: Methods, systems and tools,’’ IEEE Commun. Surveys Tuts.,
vol. 16, no. 1, pp. 303–336, 1st Quart., 2013. [Online]. Available:
http://ieeexplore.ieee.org/document/6524462/
[12] I. Bose and R. K. Mahapatra, ‘‘Business data mining—A machine learn-
ing perspective,’’ Inf. Manage., vol. 39, no. 3, pp. 211–225, 2001, doi:
10.1016/S0378-7206(01)00091-X.
[13] U. Fiore, F. Palmieri, A. Castiglione, and A. De Santis, ‘‘Network
anomaly detection with the restricted Boltzmann machine,’’ Neurocom-
puting, vol. 122, pp. 13–23, Dec. 2013, doi: 10.1016/j.neucom.2012.
11.050.
[14] B. Kitchenham and S. Charters, ‘‘Guidelines for performing systematic
literature reviews in software engineering version 2.3,’’ Engineering,
vol. 45, no. 4, p. 1051, 2007, doi: 10.1145/1134285.1134500.
[15] V. Hodge and J. Austin, ‘‘A survey of outlier detection methodolo-
gies,’’ Artif. Intell. Rev., vol. 22, no. 2, pp. 85–126, Oct. 2004, doi:
10.1023/b:aire.0000045502.10941.a9.
[16] M. Ahmed, A. N. Mahmood, and M. R. Islam, ‘‘A survey of anomaly
detection techniques in financial domain,’’ Future Gener. Comput. Syst.,
vol. 55, pp. 278–288, Feb. 2016, doi: 10.1016/j.future.2015.01.001.
[17] A. A. Sodemann, M. P. Ross, and B. J. Borghetti, ‘‘A review of
anomaly detection in automated surveillance,’’ IEEE Trans. Syst., Man,
Cybern. C, Appl. Rev., vol. 42, no. 6, pp. 1257–1272, Nov. 2012, doi:
10.1109/TSMCC.2012.2215319.
[18] R. Zuo, ‘‘Machine learning of mineralization-related geochemical
anomalies: A review of potential methods,’’ Natural Resour. Res., vol. 26,
no. 4, pp. 457–464, Oct. 2017, doi: 10.1007/s11053-017-9345-4.
[19] S. He, J. Zhu, P. He, and M. R. Lyu, ‘‘Experience report: Sys-
tem log analysis for anomaly detection,’’ in Proc. IEEE 27th Int.
Symp. Softw. Rel. Eng. (ISSRE), Oct. 2016, pp. 207–218, doi: 10.1109/
ISSRE.2016.21.
[20] O. Ibidunmoye, F. Hernández-Rodriguez, and E. Elmroth, ‘‘Performance
anomaly detection and bottleneck identification,’’ ACM Comput. Surv.,
vol. 48, no. 1, pp. 1–35, Sep. 2015, doi: 10.1145/2791120.
[21] Y. Yu, ‘‘A survey of anomaly intrusion detection techniques,’’ J. Com-
put. Sci. Coll., vol. 28, no. 1, pp. 9–17, 2012. [Online]. Available:
http://dl.acm.org/citation.cfm?id=2379707
[22] C.-F. Tsai, Y.-F. Hsu, C.-Y. Lin, and W.-Y. Lin, ‘‘Intrusion detection
by machine learning: A review,’’ Expert Syst. Appl., vol. 36, no. 10,
pp. 11994–12000, Dec. 2009, doi: 10.1016/j.eswa.2009.05.029.
[23] A. Patcha and J.-M. Park, ‘‘An overview of anomaly detection tech-
niques: Existing solutions and latest technological trends,’’ Comput.
Netw., vol. 51, no. 12, pp. 3448–3470, Aug. 2007, doi: 10.1016/j.
comnet.2007.02.001.
78692
A. B. Nassif et al.: Machine Learning for Anomaly Detection
[24] A. L. Buczak and E. Guven, ‘‘A survey of data mining and machine
learning methods for cyber security intrusion detection,’’ IEEE Commun.
Surveys Tuts., vol. 18, no. 2, pp. 1153–1176, 2nd Quart., 2016, doi:
10.1109/COMST.2015.2494502.
[25] K. Satpute, S. Agrawal, J. Agrawal, and S. Sharma, ‘‘A survey on anomaly
detection in network intrusion detection system using swarm optimization
based machine learning techniques,’’ in Proc. Int. Conf. Frontiers Intell.
Comput., vol. 199, 2013, pp. 441–452, doi: 10.1007/978-3-642-35314-7.
[26] V. Sharma, R. Kumar, W.-H. Cheng, M. Atiquzzaman, K. Srinivasan, and
A. Zomaya, ‘‘NHAD: Neuro-fuzzy based horizontal anomaly detection in
online social networks,’’ IEEE Trans. Knowl. Data Eng., vol. 30, no. 11,
pp. 2171–2184, Nov. 2018, doi: 10.1109/TKDE.2018.2818163.
[27] P. Zhao, Y. Zhang, M. Wu, S. C. H. Hoi, M. Tan, and J. Huang,
‘‘Adaptive cost-sensitive online classification,’’ IEEE Trans. Knowl.
Data Eng., vol. 31, no. 2, pp. 214–228, Feb. 2019, doi: 10.1109/
TKDE.2018.2826011.
[28] D. Kwon, H. Kim, J. Kim, S. C. Suh, I. Kim, and K. J. Kim, ‘‘A survey
of deep learning-based network anomaly detection,’’ Cluster Comput.,
vol. 22, pp. 1–13, Sep. 2017, doi: 10.1007/s10586-017-1117-8.
[29] G. Fernandes, J. J. P. C. Rodrigues, L. F. Carvalho, J. F. Al-Muhtadi, and
M. L. Proença, ‘‘A comprehensive survey on network anomaly detec-
tion,’’ Telecommun. Syst., vol. 70, no. 3, pp. 447–489, Mar. 2019, doi:
10.1007/s11235-018-0475-8.
[30] G. K. Rajbahadur, A. J. Malton, A. Walenstein, and A. E. Hassan, ‘‘A sur-
vey of anomaly detection for connected vehicle cybersecurity and safety,’’
in Proc. IEEE Intell. Vehicles Symp. (IV), Jun. 2018, pp. 421–426, doi:
10.1109/IVS.2018.8500383.
[31] T. Shon and J. Moon, ‘‘A hybrid machine learning approach to network
anomaly detection,’’ Inf. Sci., vol. 177, no. 18, pp. 3799–3821, Sep. 2007,
doi: 10.1016/j.ins.2007.03.025.
[32] S. M. Erfani, S. Rajasegarar, S. Karunasekera, and C. Leckie, ‘‘High-
dimensional and large-scale anomaly detection using a linear one-class
SVM with deep learning,’’ Pattern Recognit., vol. 58, pp. 121–134,
Oct. 2016, doi: 10.1016/j.patcog.2016.03.028.
[33] M. Field, S. Das Bryanlmatthewsnasagov, N. C. Oza, B. L. Matthews, and
A. N. Srivastava, ‘‘Multiple kernel learning for heterogeneous anomaly
detection: Algorithm and aviation safety case study categories and subject
descriptors,’’ in Proc. Comput., Jul. 2010, pp. 47–56.
[34] M. Amer, M. Goldstein, and S. Abdennadher, ‘‘Enhancing one-class
support vector machines for unsupervised anomaly detection,’’ in Proc.
ACM SIGKDD Workshop Outlier Detection Description (ODD), 2013,
pp. 8–15, doi: 10.1145/2500853.2500857.
[35] Y.-X. Meng, ‘‘The practice on using machine learning for network
anomaly intrusion detection,’’ in Proc. Int. Conf. Mach. Learn. Cybern.,
Jul. 2011, pp. 576–581, doi: 10.1109/ICMLC.2011.6016798.
[36] A. P. Muniyandi, R. Rajeswari, and R. Rajaram, ‘‘Network anomaly
detection by cascading K-means clustering and C4.5 decision tree
algorithm,’’ Procedia Eng., vol. 30, pp. 174–182, Jan. 2012, doi:
10.1016/j.proeng.2012.01.849.
[37] S.-W. Lin, K.-C. Ying, C.-Y. Lee, and Z.-J. Lee, ‘‘An intelligent algorithm
with feature selection and decision rules applied to anomaly intrusion
detection,’’ Appl. Soft Comput., vol. 12, no. 10, pp. 3285–3290, Oct. 2012,
doi: 10.1016/j.asoc.2012.05.004.
[38] S. Thaseen and C. A. Kumar, ‘‘An analysis of supervised tree based
classifiers for intrusion detection system,’’ in Proc. Int. Conf. Pattern
Recognit., Informat. Mobile Eng. (PRIME), Feb. 2013, pp. 294–299, doi:
10.1109/ICPRIME.2013.6496489.
[39] G. Kim, S. Lee, and S. Kim, ‘‘A novel hybrid intrusion detec-
tion method integrating anomaly detection with misuse detection,’’
Expert Syst. Appl., vol. 41, no. 4, pp. 1690–1700, Mar. 2014, doi:
10.1016/j.eswa.2013.08.066.
[40] S. Fu, ‘‘Performance metric selection for autonomic anomaly detec-
tion on cloud computing systems,’’ in Proc. IEEE Global Telecom-
mun. Conf. (GLOBECOM), Dec. 2011, pp. 1–5, doi: 10.1109/GLO-
COM.2011.6134532.
[41] Y. Yasami and S. P. Mozaffari, ‘‘A novel unsupervised classification
approach for network anomaly detection by k-means clustering and
ID3 decision tree learning methods,’’ J. Supercomput., vol. 53, no. 1,
pp. 231–245, Jul. 2010, doi: 10.1007/s11227-009-0338-x.
[42] R. Chitrakar and H. Chuanhe, ‘‘Anomaly detection using support
vector machine classification with k-medoids clustering,’’ in Proc.
3rd Asian Himalayas Int. Conf. Internet, Nov. 2012, pp. 1–5, doi:
10.1109/AHICI.2012.6408446.
VOLUME 9, 2021
A. B. Nassif et al.: Machine Learning for Anomaly Detection
[43] N. Chand, P. Mishra, C. R. Krishna, E. S. Pilli, and M. C. Govil,
‘‘A comparative analysis of SVM and its stacking with other clas-
sification algorithm for intrusion detection,’’ in Proc. Int. Conf. Adv.
Comput., Commun., Automat. (ICACCA), Apr. 2016, pp. 1–6, doi:
10.1109/ICACCA.2016.7578859.
[44] K. Noto, C. Brodley, and D. Slonim, ‘‘FRaC: A feature-modeling
approach for semi-supervised and unsupervised anomaly detection,’’
Data Mining Knowl. Discovery, vol. 25, no. 1, pp. 109–133, Jul. 2012,
doi: 10.1007/s10618-011-0234-x.
[45] I. Assent, P. Kranen, C. Baldauf, and T. Seidl, ‘‘AnyOut: Anytime outlier
detection on streaming data,’’ in Proc. Int. Conf. Database Syst. Adv.
Appl., in Lecture Notes in Computer Science: Including Subseries Lecture
Notes in Artificial Intelligence and Lecture Notes in Bioinformatics,
vol. 7238, 2012, pp. 228–242, doi: 10.1007/978-3-642-29038-1_18.
[46] A. Kulkarni, Y. Pino, M. French, and T. Mohsenin, ‘‘Real-time anomaly
detection framework for many-core router through machine-learning
techniques,’’ ACM J. Emerg. Technol. Comput. Syst., vol. 13, no. 1,
pp. 1–22, Dec. 2016, doi: 10.1145/2827699.
[47] J. Vanerio and P. Casas, ‘‘Ensemble-learning approaches for net-
work security and anomaly detection,’’ in Proc. Workshop Big Data
Anal. Mach. Learn. Data Commun. Netw., Aug. 2017, pp. 1–6, doi:
10.1145/3098593.3098594.
[48] K. Noto, C. Brodley, and D. Slonim, ‘‘Anomaly detection using an ensem-
ble of feature models,’’ in Proc. IEEE Int. Conf. Data Mining (ICDM),
Dec. 2010, pp. 953–958, doi: 10.1109/ICDM.2010.140.
[49] P. Jongsuebsuk, N. Wattanapongsakorn, and C. Charnsripinyo, ‘‘Net-
work intrusion detection with fuzzy genetic algorithm for unknown
attacks,’’ in Proc. Int. Conf. Inf. Netw. (ICOIN), Jan. 2013, pp. 1–5, doi:
10.1109/ICOIN.2013.6496342.
[50] L. A. Maglaras and J. Jiang, ‘‘Intrusion detection in SCADA sys-
tems using machine learning techniques,’’ in Proc. Sci. Inf. Conf. SAI,
Aug. 2014, pp. 626–631, doi: 10.1109/SAI.2014.6918252.
[51] T. Shon, Y. Kim, C. Lee, and J. Moon, ‘‘A machine learning frame-
work for network anomaly detection using SVM and GA,’’ in Proc. 6th
Annu. IEEE SMC Inf. Assurance Workshop, Jun. 2005, pp. 176–183, doi:
10.1109/IAW.2005.1495950.
[52] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez,
‘‘Anomaly-based network intrusion detection: Techniques, systems and
challenges,’’ Comput. Secur., vol. 28, nos. 1–2, pp. 18–28, Feb. 2009, doi:
10.1016/j.cose.2008.08.003.
[53] S.-J. Han and S.-B. Cho, ‘‘Evolutionary neural networks for anomaly
detection based on the behavior of a program,’’ IEEE Trans. Syst.
Man, Cybern. B, Cybern., vol. 36, no. 3, pp. 559–570, Jun. 2006, doi:
10.1109/tsmcb.2005.860136.
[54] A. Nanduri and L. Sherry, ‘‘Anomaly detection in aircraft data
using recurrent neural networks (RNN),’’ in Proc. Integr. Commun.
Navigat. Surveill. (ICNS), Apr. 2016, pp. 1–8, doi: 10.1109/ICN-
SURV.2016.7486356.
[55] S. Rajasegarar, C. Leckie, J. C. Bezdek, and M. Palaniswami, ‘‘Cen-
tered hyperspherical and hyperellipsoidal one-class support vector
machines for anomaly detection in sensor networks,’’ IEEE Trans.
Inf. Forensics Security, vol. 5, no. 3, pp. 518–533, Sep. 2010, doi:
10.1109/TIFS.2010.2051543.
[56] Distribution Restriction Statement Approved for Public Release, USACE,
Washington, DC, USA, 1994, vol. 2.
[57] B. Agarwal and N. Mittal, ‘‘Hybrid approach for detection of anomaly
network traffic using data mining techniques,’’ Procedia Technol., vol. 6,
pp. 996–1003, Jan. 2012, doi: 10.1016/j.protcy.2012.10.121.
[58] J. Jabez and B. Muthukumar, ‘‘Intrusion detection system (IDS):
Anomaly detection using outlier detection approach,’’ Procedia Comput.
Sci., vol. 48, pp. 338–346, Jan. 2015, doi: 10.1016/j.procs.2015.04.191.
[59] M. Sheikhan and Z. Jadidi, ‘‘Flow-based anomaly detection in high-speed
links using modified GSA-optimized neural network,’’ Neural Comput.
Appl., vol. 24, nos. 3–4, pp. 599–611, Mar. 2014, doi: 10.1007/s00521-
012-1263-0.
[60] S. Mascaro, A. E. Nicholso, and K. B. Korb, ‘‘Anomaly detection in vessel
tracks using Bayesian networks,’’ Int. J. Approx. Reasoning, vol. 55, no. 1,
pp. 84–98, Jan. 2014, doi: 10.1016/j.ijar.2013.03.012.
[61] D. Liu, Y. Zhao, H. Xu, Y. Sun, D. Pei, J. Luo, X. Jing, and M. Feng,
‘‘Opprentice: Towards practical and automatic anomaly detection through
machine learning,’’ in Proc. Internet Meas. Conf., Oct. 2015, pp. 51–78,
doi: 10.1145/2815675.2815679.
VOLUME 9, 2021
[62] I. Syarif, A. Prugel-Bennett, and G. Wills, ‘‘Unsupervised clustering
approach for network anomaly detection,’’ in Proc. Int. Conf. Netw. Digit.
Technol., 2012, pp. 135–145.
[63] O. Linda, M. Manic, T. Vollmer, and J. Wright, ‘‘Fuzzy logic based
anomaly detection for embedded network security cyber sensor,’’ in
Proc. IEEE Symp. Comput. Intell. Cyber Secur. (CICS), Apr. 2011,
pp. 202–209, doi: 10.1109/CICYBS.2011.5949392.
[64] X. Xu, ‘‘Sequential anomaly detection based on temporal-difference
learning: Principles, models and case studies,’’ Appl. Soft Comput.,
vol. 10, no. 3, pp. 859–867, Jun. 2010, doi: 10.1016/j.asoc.2009.10.003.
[65] F. Iglesias and T. Zseby, ‘‘Analysis of network traffic features for anomaly
detection,’’ Mach. Learn., vol. 101, nos. 1–3, pp. 59–84, Oct. 2015, doi:
10.1007/s10994-014-5473-9.
[66] N. Pandeeswari and G. Kumar, ‘‘Anomaly detection system in cloud
environment using fuzzy clustering based ANN,’’ Mobile Netw.
Appl., vol. 21, no. 3, pp. 494–505, Jun. 2016, doi: 10.1007/s11036-
015-0644-x.
[67] K. Demertzis and I. Lazaros, ‘‘A hybrid network anomaly and intrusion
detection approach based on evolving spiking neural network classifica-
tion,’’ in Proc. Int. Conf. E-Democracy, vol. 441, Dec. 2014, pp. 11–23,
doi: 10.1007/978-3-319-11710-2.
[68] K. Alrawashdeh and C. Purdy, ‘‘Toward an online anomaly intru-
sion detection system based on deep learning,’’ in Proc. 15th IEEE
Int. Conf. Mach. Learn. Appl. (ICMLA), Dec. 2016, pp. 195–200, doi:
10.1109/ICMLA.2016.0040.
[69] S. Ahmad, A. Lavin, S. Purdy, and Z. Agha, ‘‘Unsupervised real-
time anomaly detection for streaming data,’’ Neurocomputing, vol. 262,
pp. 134–147, Nov. 2017, doi: 10.1016/j.neucom.2017.04.070.
[70] S. Aljawarneh, M. Aldwairi, and M. B. Yassein, ‘‘Anomaly-based intru-
sion detection system through feature selection analysis and building
hybrid efficient model,’’ J. Comput. Sci., vol. 25, pp. 152–160, Mar. 2018,
doi: 10.1016/j.jocs.2017.03.006.
[71] G. Dini, F. Martinelli, A. Saracino, and D. Sgandurra, ‘‘MADAM:
A multi-level anomaly detector for Android malware,’’ in Proc. Int. Conf.
Math. Methods, Models, Archit. Comput. Netw. Secur., in Lecture Notes in
Computer Science: Including Subseries Lecture Notes in Artificial Intelli-
gence and Lecture Notes in Bioinformatics, vol. 7531, 2012, pp. 240–253,
doi: 10.1007/978-3-642-33704-8_21.
[72] V. A. Sotiris, P. W. Tse, and M. G. Pecht, ‘‘Anomaly detection through
a Bayesian support vector machine,’’ IEEE Trans. Rel., vol. 59, no. 2,
pp. 277–286, Jun. 2010.
[73] M. Längkvist, L. Karlsson, and A. Loutfi, ‘‘Sleep stage classification
using unsupervised feature learning,’’ Adv. Artif. Neural Syst., vol. 2012,
pp. 1–9, Jul. 2012, doi: 10.1155/2012/107046.
[74] J. Song, H. Takakura, Y. Okabe, and K. Nakao, ‘‘Toward a more practical
unsupervised anomaly detection system,’’ Inf. Sci., vol. 231, pp. 4–14,
May 2013, doi: 10.1016/j.ins.2011.08.011.
[75] C. Yin, Y. Zhu, J. Fei, and X. He, ‘‘A deep learning approach for intru-
sion detection using recurrent neural networks,’’ IEEE Access, vol. 5,
pp. 21954–21961, 2017, doi: 10.1109/ACCESS.2017.2762418.
[76] C. A. Catania, F. Bromberg, and C. G. Garino, ‘‘An autonomous label-
ing approach to support vector machines algorithms for network traffic
anomaly detection,’’ Expert Syst. Appl., vol. 39, no. 2, pp. 1822–1829,
Feb. 2012, doi: 10.1016/j.eswa.2011.08.068.
[77] Z. Liao, Y. Yu, and B. Chen, ‘‘Anomaly detection in GPS data based
on visual analytics,’’ in Proc. IEEE Symp. Vis. Analytics Sci. Technol.,
Oct. 2010, pp. 51–58, doi: 10.1109/VAST.2010.5652467.
[78] A. Purarjomandlangrudi, A. H. Ghapanchi, and M. Esmalifalak, ‘‘A data
mining approach for fault diagnosis: An application of anomaly detec-
tion algorithm,’’ Measurement, vol. 55, pp. 343–352, Sep. 2014, doi:
10.1016/j.measurement.2014.05.029.
[79] A. F. Emmott, S. Das, T. Dietterich, A. Fern, and W.-K. Wong, ‘‘Sys-
tematic construction of anomaly detection benchmarks from real data,’’
in Proc. ACM SIGKDD Workshop Outlier Detection Description (ODD),
2013, pp. 16–21, doi: 10.1145/2500853.2500858.
[80] D. J. Hill and B. S. Minsker, ‘‘Anomaly detection in streaming
environmental sensor data: A data-driven modeling approach,’’ Env-
iron. Model. Softw., vol. 25, no. 9, pp. 1014–1022, Sep. 2010, doi:
10.1016/j.envsoft.2009.08.010.
[81] G. Pachauri and S. Sharma, ‘‘Anomaly detection in medical wire-
less sensor networks using machine learning algorithms,’’ Procedia
Comput. Sci., vol. 70, pp. 325–333, Jan. 2015, doi: 10.1016/j.procs.
2015.10.026.
78693

[82] X.-S. Gan, J.-S. Duanmu, J.-F. Wang, and W. Cong, ‘‘Anomaly
intrusion detection based on PLS feature extraction and core vec-
tor machine,’’ Knowl.-Based Syst., vol. 40, pp. 1–6, Mar. 2013, doi:
10.1016/j.knosys.2012.09.004.
[83] W. Li, G. Wu, and Q. Du, ‘‘Transferred deep learning for anomaly detec-
tion in hyperspectral imagery,’’ IEEE Geosci. Remote Sens. Lett., vol. 14,
no. 5, pp. 597–601, May 2017, doi: 10.1109/LGRS.2017.2657818.
[84] C. Wressnegger, G. Schwenk, D. Arp, and K. Rieck, ‘‘A close look on n -
grams in intrusion detection,’’ in Proc. ACM Workshop Artif. Intell. Secur.
(AISec), Nov. 2013, pp. 67–76, doi: 10.1145/2517312.2517316.
[85] J. Li, G. Han, J. Wen, and X. Gao, ‘‘Robust tensor subspace learning for
anomaly detection,’’ Int. J. Mach. Learn. Cybern., vol. 2, no. 2, pp. 89–98,
Jun. 2011, doi: 10.1007/s13042-011-0017-0.
[86] C. Zhou and R. C. Paffenroth, ‘‘Anomaly detection with robust deep
autoencoders,’’ in Proc. 23rd ACM SIGKDD Int. Conf. Knowl. Discovery
Data Mining, 2017, pp. 665–674, doi: 10.1145/3097983.3098052.
[87] D. J. Dean, H. Nguyen, and X. Gu, ‘‘UBL: Unsupervised behavior learn-
ing for predicting performance anomalies in virtualized cloud systems,’’
in Proc. 9th Int. Conf. Auton. Comput. (ICAC), 2012, pp. 191–200, doi:
10.1145/2371536.2371572.
[88] L. Xiong, X. Chen, and J. Schneider, ‘‘Direct robust matrix factorizatoin
for anomaly detection,’’ in Proc. IEEE 11th Int. Conf. Data Mining
(ICDM), Dec. 2011, pp. 844–853, doi: 10.1109/ICDM.2011.52.
[89] Y.-J. Lee, Y.-R. Yeh, and Y.-C.-F. Wang, ‘‘Anomaly detection via
online oversampling principal component analysis,’’ IEEE Trans.
Knowl. Data Eng., vol. 25, no. 7, pp. 1460–1470, Jul. 2013, doi:
10.1109/TKDE.2012.99.
[90] N. Laptev, S. Amizadeh, and I. Flint, ‘‘Generic and scalable frame-
work for automated time-series anomaly detection,’’ in Proc. 21th
ACM SIGKDD Int. Conf. Knowl. Discovery Data Mining, Aug. 2015,
pp. 1939–1947, doi: 10.1145/2783258.2788611.
[91] O. Salem, A. Guerassimov, A. Mehaoua, A. Marcus, and B. Furht,
‘‘Sensor fault and patient anomaly detection and classification in medical
wireless sensor networks,’’ in Proc. IEEE Int. Conf. Commun. (ICC),
Jun. 2013, vol. 7, no. 4, pp. 272–284, doi: 10.1109/icc.2013.6655254.
[92] L. Ma, M. M. Crawford, and J. Tian, ‘‘Anomaly detection for hyperspec-
tral images based on robust locally linear embedding,’’ J. Infr., Millim.,
THz Waves, vol. 31, no. 6, pp. 753–762, Mar. 2010, doi: 10.1007/s10762-
010-9630-3.
[93] R. Zhao, B. Du, and L. Zhang, ‘‘A robust nonlinear hyperspec-
tral anomaly detection approach,’’ IEEE J. Sel. Topics Appl. Earth
Observ. Remote Sens., vol. 7, no. 4, pp. 1227–1234, Apr. 2014, doi:
10.1109/JSTARS.2014.2311995.
[94] P. Angelov, ‘‘Anomaly detection based on eccentricity analysis,’’ in Proc.
IEEE Symp. Evolving Auton. Learn. Syst. (EALS), Dec. 2014, pp. 1–8,
doi: 10.1109/EALS.2014.7009497.
[95] P. H. dos Santos Teixeira and R. L. Milidiú, ‘‘Data stream anomaly
detection through principal subspace tracking,’’ in Proc. ACM Symp.
Appl. Comput., 2010, p. 1609, doi: 10.1145/1774088.1774434.
[96] S. T. F. Al-Janabi and H. A. Saeed, ‘‘A neural network based anomaly
intrusion detection system,’’ in Proc. Develop. E-Syst. Eng. (DeSE),
Dec. 2011, pp. 221–226, doi: 10.1109/DeSE.2011.19.
[97] F. Palmieri and U. Fiore, ‘‘Network anomaly detection through nonlinear
analysis,’’ Comput. Secur., vol. 29, no. 7, pp. 737–755, Oct. 2010, doi:
10.1016/j.cose.2010.05.002.
[98] A. Taylor, N. Japkowicz, and S. Leblanc, ‘‘Frequency-based anomaly
detection for the automotive CAN bus,’’ in Proc. World Congr. Ind.
Control Syst. Secur. (WCICSS), Dec. 2015, pp. 45–49, doi: 10.1109/WCI-
CSS.2015.7420322.
[99] Y. Zhu, N. M. Nayak, and A. K. Roy-Chowdhury, ‘‘Context-aware
activity recognition and anomaly detection in video,’’ IEEE J. Sel.
Topics Signal Process., vol. 7, no. 1, pp. 91–101, Feb. 2013, doi:
10.1109/JSTSP.2012.2234722.
[100] D. Smith, Q. Guan, and S. Fu, ‘‘An anomaly detection framework for
autonomic management of compute cloud systems,’’ in Proc. IEEE 34th
Annu. Comput. Softw. Appl. Conf. Workshops, Jul. 2010, pp. 376–381,
doi: 10.1109/COMPSACW.2010.72.
[101] M. Teng, ‘‘Anomaly detection on time series,’’ in Proc. IEEE Int. Conf.
Prog. Informat. Comput., Dec. 2010, pp. 603–608. [Online]. Available:
http://arxiv.org/abs/1708.02975.
[102] S. Lee, G. Kim, and S. Kim, ‘‘Self-adaptive and dynamic clustering
for online anomaly detection,’’ Expert Syst. Appl., vol. 38, no. 12,
pp. 14891–14898, Nov. 2011, doi: 10.1016/j.eswa.2011.05.058.
78694
A. B. Nassif et al.: Machine Learning for Anomaly Detection
[103] S. Arshad, M. Abbaspour, M. Kharrazi, and H. Sanatkar, ‘‘An anomaly-
based botnet detection approach for identifying stealthy botnets,’’ in Proc.
IEEE Int. Conf. Comput. Appl. Ind. Electron. (ICCAIE), Dec. 2011,
pp. 564–569, doi: 10.1109/ICCAIE.2011.6162198.
[104] S. Chauhan and L. Vig, ‘‘Anomaly detection in ECG time sig-
nals via deep long short-term memory networks,’’ in Proc. IEEE
Int. Conf. Data Sci. Adv. Anal. (DSAA), Oct. 2015, pp. 1–7, doi:
10.1109/DSAA.2015.7344872.
[105] S. Calderara, U. Heinemann, A. Prati, R. Cucchiara, and N. Tishby,
‘‘Detecting anomalies in people’s trajectories using spectral graph anal-
ysis,’’ Comput. Vis. Image Understand., vol. 115, no. 8, pp. 1099–1111,
Aug. 2011, doi: 10.1016/j.cviu.2011.03.003.
[106] S. Garg, K. Kaur, N. Kumar, and J. J. P. C. Rodrigues, ‘‘Hybrid deep-
learning-based anomaly detection scheme for suspicious flow detection in
SDN: A social multimedia perspective,’’ IEEE Trans. Multimedia, vol. 21,
no. 3, pp. 566–578, Mar. 2019, doi: 10.1109/TMM.2019.2893549.
[107] O. Depren, M. Topallar, E. Anarim, and M. K. Ciliz, ‘‘An intelligent
intrusion detection system (IDS) for anomaly and misuse detection in
computer networks,’’ Expert Syst. Appl., vol. 29, no. 4, pp. 713–722,
Nov. 2005, doi: 10.1016/j.eswa.2005.05.002.
[108] D. Kang, D. Fuller, and V. Honavar, ‘‘Learning classifiers for misuse
detection using a bag of system calls representation,’’ in Proc. Int. Conf.
Intell. Secur. Inform., 2005, pp. 511–516.
[109] E. Leon, O. Nasraoui, and J. Gomez, ‘‘Anomaly detection based on
unsupervised niche clustering with application to network intrusion
detection,’’ in Proc. Congr. Evol. Comput., 2004, pp. 502–508, doi:
10.1109/cec.2004.1330898.
[110] A. Del Giorno, J. A. Bagnell, and M. Hebert, ‘‘A discriminative frame-
work for anomaly detection in large videos,’’ in Computer Vision—
ECCV, vol. 9905. Cham, Switzerland: Springer, 2016, pp. 334–349, doi:
10.1007/978-3-319-46454-1_21.
[111] J. Jabez, S. Gowri, S. Vigneshwari, J. A. Mayan, and S. Srinivasulu,
‘‘Anomaly detection by using CFS subset and neural network with
WEKA tools,’’ in Information and Communication Technology for Intel-
ligent Systems, vol. 106. 2019, pp. 675–682, doi: 10.1007/978-981-
13-1742-2.
[112] R. Laxhammar and G. Falkman, ‘‘Online learning and sequential anomaly
detection in trajectories,’’ IEEE Trans. Pattern Anal. Mach. Intell., vol. 36,
no. 6, pp. 1158–1173, Jun. 2014, doi: 10.1109/TPAMI.2013.172.
[113] M. Schneider, W. Ertel, and F. Ramos, ‘‘Expected similarity estimation
for large-scale batch and streaming anomaly detection,’’ Mach. Learn.,
vol. 105, no. 3, pp. 305–333, Dec. 2016, doi: 10.1007/s10994-016-5567-
7.
[114] X. Chen, B. Li, R. Proietti, Z. Zhu, and S. J. B. Yoo, ‘‘Self-taught
anomaly detection with hybrid unsupervised/supervised machine learning
in optical networks,’’ J. Lightw. Technol., vol. 37, no. 7, pp. 1742–1749,
Apr. 1, 2019.
[115] H. H. Pajouh, G. Dastghaibyfard, and S. Hashemi, ‘‘Two-tier network
anomaly detection model: A machine learning approach,’’ J. Intell.
Inf. Syst., vol. 48, no. 1, pp. 61–74, Feb. 2017, doi: 10.1007/s10844-
015-0388-x.
[116] S. Zhao, M. Chandrashekar, Y. Lee, and D. Medhi, ‘‘Real-time network
anomaly detection system using machine learning,’’ in Proc. 11th Int.
Conf. Design Reliable Commun. Netw. (DRCN), Mar. 2015, pp. 267–270.
[117] Y. K. Takehisa Yairi, ‘‘Telemetry-mining: A machine learning approach
to anomaly detection and fault diagnosis for space systems,’’ in Proc.
2nd IEEE Int. Conf. Space Mission Challenges Inf. Technol. (SMC-IT),
Jul. 2006, pp. 466–473, doi: 10.1109/SMC-IT.2006.79.
[118] A. DeOrio, Q. Li, M. Burgess, and V. Bertacco, ‘‘Machine learning-
based anomaly detection for post-silicon bug diagnosis,’’ in Proc. Design,
Automat. Test Eur. Conf. Exhib. (DATE), 2013, pp. 491–496.
[119] K.-L. Li, H.-K. Huang, S.-F. Tian, and W. Xu, ‘‘Improving one-class SVM
for anomaly detection,’’ in Proc. Int. Conf. Mach. Learn. Cybern., vol. 5,
2003, pp. 3077–3081, doi: 10.1109/icmlc.2003.1260106.
[120] C. Wagner, J. François, R. State, and T. Engel, ‘‘Machine learning
approach for IP-flow record anomaly detection,’’ in Proc. Int. Conf. Res.
Netw., in Lecture Notes in Computer Science: Including Subseries Lec-
ture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics,
vol. 6640, 2011, pp. 28–39, doi: 10.1007/978-3-642-20757-0_3.
[121] J. Inoue, Y. Yamagata, Y. Chen, C. M. Poskitt, and J. Sun, ‘‘Anomaly
detection for a water treatment system using unsupervised machine
learning,’’ in Proc. IEEE Int. Conf. Data Mining Workshops (ICDMW),
Nov. 2017, pp. 1058–1065.
VOLUME 9, 2021
A. B. Nassif et al.: Machine Learning for Anomaly Detection
[122] Y. Li, B. Fang, L. Guo, and Y. Chen, ‘‘Network anomaly detec-
tion based on TCM-KNN algorithm,’’ in Proc. 2nd ACM Symp.
Inf., Comput. Commun. Secur. (ASIACCS), 2007, pp. 13–19, doi:
10.1145/1229285.1229292.
[123] F. Maggi, S. Zanero, and V. Iozzo, ‘‘Seeing the invisible: Forensic uses of
anomaly detection and machine learning,’’ ACM SIGOPS Oper. Syst. Rev.,
vol. 42, no. 3, pp. 51–58, Apr. 2008, doi: 10.1145/1368506.1368514.
[124] H. H. W. J. Bosman, A. Liotta, G. Iacca, and H. J. Wortche, ‘‘Anomaly
detection in sensor systems using lightweight machine learning,’’ in Proc.
IEEE Int. Conf. Syst., Man, Cybern. (SMC), Oct. 2013, pp. 7–13, doi:
10.1109/SMC.2013.9.
[125] S. Shriram and E. Sivasankar, ‘‘Anomaly detection on shuttle data
using unsupervised learning techniques,’’ in Proc. Int. Conf. Com-
put. Intell. Knowl. Economy (ICCIKE), Dec. 2019, pp. 221–225, doi:
10.1109/ICCIKE47802.2019.9004325.
[126] K. Limthong, K. Fukuda, Y. Ji, and S. Yamada, ‘‘Weighting technique on
multi-timeline for machine learning-based anomaly detection system,’’ in
Proc. Int. Conf. Comput., Commun. Secur. (ICCCS), Dec. 2015, pp. 1–6,
doi: 10.1109/CCCS.2015.7374168.
[127] J. Shi, G. He, and X. Liu, ‘‘Anomaly detection for key perfor-
mance indicators through machine learning,’’ in Proc. Int. Conf.
Netw. Infrastruct. Digit. Content (IC-NIDC), Aug. 2018, pp. 1–5, doi:
10.1109/ICNIDC.2018.8525714.
[128] O. I. Provotar, Y. M. Linder, and M. M. Veres, ‘‘Unsupervised anomaly
detection in time series using LSTM-based autoencoders,’’ in Proc. IEEE
Int. Conf. Adv. Trends Inf. Theory (ATIT), Dec. 2019, pp. 513–517, doi:
10.1109/ATIT49449.2019.9030505.
[129] S. Kumar, S. Nandi, and S. Biswas, ‘‘Research and application of one-
class small hypersphere support vector machine for network anomaly
detection,’’ in Proc. 3rd Int. Conf. Commun. Syst. Netw. (COMSNETS),
Jan. 2011, pp. 1–4, doi: 10.1109/COMSNETS.2011.5716425.
[130] Y. Imamverdiyev and L. Sukhostat, ‘‘Anomaly detection in network
traffic using extreme learning machine,’’ in Proc. IEEE 10th Int.
Conf. Appl. Inf. Commun. Technol. (AICT), Oct. 2016, pp. 1–4, doi:
10.1109/ICAICT.2016.7991732.
[131] A. Dawoud, S. Shahristani, and C. Raun, ‘‘Deep learning for net-
work anomalies detection,’’ in Proc. Int. Conf. Mach. Learn. Data
Eng. (iCMLDE), Dec. 2018, pp. 117–120, doi: 10.1109/iCMLDE.
2018.00035.
[132] H.-G. Zhou and C.-D. Yang, ‘‘Using immune algorithm to optimize
anomaly detection based on SVM,’’ in Proc. Int. Conf. Mach. Learn.
Cybern., 2006, pp. 4257–4261, doi: 10.1109/ICMLC.2006.259008.
[133] Y. Shi and K. Miao, ‘‘Detecting anomalies in application performance
management system with machine learning algorihms,’’ in Proc. 3rd
Int. Conf. Electron. Inf. Technol. Comput. Eng. (EITCE), Oct. 2019,
pp. 1797–1800, doi: 10.1109/EITCE47263.2019.9094916.
[134] P. K. Chan, M. V. Mahoney, and M. H. Arshad, ‘‘Learning rules
and clusters for anomaly detection in network traffic,’’ in Man-
aging Cyber Threats. Boston, MA, USA: Springer-Verlag, 2005,
pp. 81–99.
[135] T. Salman, D. Bhamare, A. Erbad, R. Jain, and M. Samaka, ‘‘Machine
learning for anomaly detection and categorization in multi-cloud envi-
ronments,’’ in Proc. IEEE 4th Int. Conf. Cyber Secur. Cloud Comput.
(CSCloud), 3rd IEEE Int. Conf. Scalable Smart Cloud (SSC), Jun. 2017,
pp. 97–103, doi: 10.1109/CSCloud.2017.15.
[136] Z. Xiao, C. Liu, and C. Chen, ‘‘An anomaly detection scheme based on
machine learning for WSN,’’ in Proc. 1st Int. Conf. Inf. Sci. Eng. (ICISE),
2009, pp. 3959–3962, doi: 10.1109/ICISE.2009.235.
[137] S. Naseer, Y. Saleem, S. Khalid, M. K. Bashir, J. Han, M. M. Iqbal,
and K. Han, ‘‘Enhanced network anomaly detection based on deep
neural networks,’’ IEEE Access, vol. 6, pp. 48231–48246, 2018, doi:
10.1109/ACCESS.2018.2863036.
[138] S. Rajasegarar, C. Leckie, and M. Palaniswami, ‘‘CESVM: Centered
hyperellipsoidal support vector machine based anomaly detection,’’
in Proc. IEEE Int. Conf. Commun., May 2008, pp. 1610–1614, doi:
10.1109/ICC.2008.311.
[139] A. Valdes, R. Macwan, and M. Backes, ‘‘Anomaly detection in electrical
substation circuits via unsupervised machine learning,’’ in Proc. IEEE
17th Int. Conf. Inf. Reuse Integr. (IRI), Jul. 2016, pp. 500–505, doi:
10.1109/IRI.2016.74.
[140] L. Kuang and M. Zulkernine, ‘‘An anomaly intrusion detection method
using the CSI-KNN algorithm,’’ in Proc. ACM Symp. Appl. Comput.
(SAC), 2008, pp. 921–926, doi: 10.1145/1363686.1363897.
VOLUME 9, 2021
[141] S. R. Gaddam, V. V. Phoha, and K. S. Balagani, ‘‘K-means+ID3:
A novel method for supervised anomaly detection by cascading K-
means clustering and ID3 decision tree learning methods,’’ IEEE
Trans. Knowl. Data Eng., vol. 19, no. 3, pp. 345–354, Mar. 2007, doi:
10.1109/TKDE.2007.44.
[142] E. K. Viegas, A. O. Santin, and L. S. Oliveira, ‘‘Toward a reli-
able anomaly-based intrusion detection in real-world environments,’’
Comput. Netw., vol. 127, pp. 200–216, Nov. 2017, doi: 10.1016/j.
comnet.2017.08.013.
[143] Y. Wang, J. Wong, and A. Miner, ‘‘Anomaly intrusion detec-
tion using one class SVM,’’ in Proc. 5th Annu. IEEE Syst., Man
Cybern. Inf. Assurance Workshop (SMC), Jun. 2004, pp. 358–364, doi:
10.1109/iaw.2004.1437839.
[144] B. I. P. Rubinstein, B. Nelson, L. Huang, A. D. Joseph, S.-H. Lau,
S. Rao, N. Taft, and J. D. Tygar, ‘‘ANTIDOTE: Understanding and
defending against poisoning of anomaly detectors,’’ in Proc. 9th ACM
SIGCOMM Conf. Internet Meas. Conf. (IMC), 2009, pp. 1–14, doi:
10.1145/1644893.1644895.
[145] D. Liu, C.-H. Lung, I. Lambadaris, and N. Seddigh, ‘‘Network traffic
anomaly detection using clustering techniques and performance compar-
ison,’’ in Proc. 26th IEEE Can. Conf. Electr. Comput. Eng. (CCECE),
May 2013, pp. 1–4, doi: 10.1109/CCECE.2013.6567739.
[146] W. Chimphlee, A. H. Abdullah, M. N. M. Sap, S. Srinoy, and
S. Chimphlee, ‘‘Anomaly-based intrusion detection using fuzzy rough
clustering,’’ in Proc. Int. Conf. Hybrid Inf. Technol., Nov. 2006,
pp. 329–334.
[147] T. M. Thang and J. Kim, ‘‘The anomaly detection by using DBSCAN
clustering with multiple parameters,’’ in Proc. Int. Conf. Inf. Sci. Appl.,
Apr. 2011, pp. 1–5, doi: 10.1109/ICISA.2011.5772437.
[148] Y. Wang, D. Li, Y. Du, and Z. Pan, ‘‘Anomaly detection in traffic using
L1-norm minimization extreme learning machine,’’ Neurocomputing,
vol. 149, pp. 415–425, Feb. 2015, doi: 10.1016/j.neucom.2014.04.073.
[149] J. Zhang and M. Zulkernine, ‘‘Anomaly based network intrusion detection
with unsupervised outlier detection,’’ in Proc. IEEE Int. Conf. Commun.,
Jun. 2006, pp. 2388–2393.
[150] T.-Y. Kim and S.-B. Cho, ‘‘Web traffic anomaly detection using C-LSTM
neural networks,’’ Expert Syst. Appl., vol. 106, pp. 66–76, Sep. 2018, doi:
10.1016/j.eswa.2018.04.004.
[151] C.-H. Lin, J.-C. Liu, and C.-H. Ho, ‘‘Anomaly detection using LibSVM
training tools,’’ in Proc. Int. Conf. Inf. Secur. Assurance (ISA), Apr. 2008,
pp. 166–171, doi: 10.1109/ISA.2008.12.
[152] K. Li and G. Teng, ‘‘Unsupervised SVM based on p-kernels for anomaly
detection,’’ in Proc. 1st Int. Conf. Innov. Comput., Inf. Control (ICICIC),
2006, pp. 59–62, doi: 10.1109/icicic.2006.371.
[153] X. G. Tian, L. Z. Gao, C. L. Sun, M. Y. Duan, and E. Y. Zhang, ‘‘A method
for anomaly detection of user behaviors based on machine learning,’’
J. China Univ. Posts Telecommun., vol. 13, no. 2, pp. 61–78, 2006, doi:
10.1016/S1005-8885(07)60105-8.
[154] B. G. Atli, Y. Miche, A. Kalliola, I. Oliver, S. Holtmanns, and
A. Lendasse, ‘‘Anomaly-based intrusion detection using extreme learn-
ing machine and aggregation of network traffic statistics in probability
space,’’ Cognit. Comput., vol. 10, no. 5, pp. 848–863, Oct. 2018, doi:
10.1007/s12559-018-9564-y.
[155] Y. Tian, M. Mirzabagheri, S. M. H. Bamakan, H. Wang, and Q. Qu,
‘‘Ramp loss one-class support vector machine; a robust and effective
approach to anomaly detection problems,’’ Neurocomputing, vol. 310,
pp. 223–235, Oct. 2018, doi: 10.1016/j.neucom.2018.05.027.
[156] H. Su, X. Wu, X.-H. Yan, and A. Kidwell, ‘‘Estimation of subsurface
temperature anomaly in the indian ocean during recent global surface
warming hiatus from satellite measurements: A support vector machine
approach,’’ Remote Sens. Environ., vol. 160, pp. 63–71, Apr. 2015, doi:
10.1016/j.rse.2015.01.001.
[157] B. Cui and S. He, ‘‘Anomaly detection model based on Hadoop plat-
form and weka interface,’’ in Proc. 10th Int. Conf. Innov. Mobile Inter-
net Services Ubiquitous Comput. (IMIS), Jul. 2016, pp. 84–89, doi:
10.1109/IMIS.2016.50.
[158] M. Hasan, M. M. Islam, M. I. I. Zarif, and M. M. A. Hashem, ‘‘Attack
and anomaly detection in IoT sensors in IoT sites using machine learning
approaches,’’ Internet Things, vol. 7, Sep. 2019, Art. no. 100059, doi:
10.1016/j.iot.2019.100059.
[159] R. Abdulhammed, M. Faezipour, A. Abuzneid, and A. AbuMallouh,
‘‘Deep and machine learning approaches for anomaly-based intrusion
detection of imbalanced network traffic,’’ IEEE Sensors Lett., vol. 3, no. 1,
pp. 1–4, Jan. 2019, doi: 10.1109/LSENS.2018.2879990.
78695

[160] S. J. Stolfo, S. Hershkop, L. H. Bui, R. Ferster, and K. Wang, ‘‘Anomaly
detection in computer security and an application to file system accesses,’’
in Proc. Int. Symp. Methodol. Intell. Syst., in Lecture Notes in Computer
Science: Including Subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics, vol. 3488, 2005, pp. 14–28, doi:
10.1007/11425274_2.
[161] K. Limthong and T. Tawsook, ‘‘Network traffic anomaly detection using
machine learning approaches,’’ in Proc. IEEE Netw. Oper. Manage.
Symp., Apr. 2012, pp. 542–545, doi: 10.1109/NOMS.2012.6211951.
[162] F. Barani and S. Gerami, ‘‘ManetSVM: Dynamic anomaly detection
using one-class support vector machine in MANETs,’’ in Proc. 10th
Int. ISC Conf. Inf. Secur. Cryptol. (ISCISC), Aug. 2013, pp. 1–6, doi:
10.1109/ISCISC.2013.6767325.
[163] D. Wulsin, J. Blanco, R. Mani, and B. Litt, ‘‘Semi-supervised anomaly
detection for EEG waveforms using deep belief nets,’’ in Proc.
9th Int. Conf. Mach. Learn. Appl., Dec. 2010, pp. 436–441, doi:
10.1109/ICMLA.2010.71.
[164] A. Adler, M. J. Mayhew, J. Cleveland, M. Atighetchi, and R. Greenstadt,
‘‘Using machine learning for behavior-based access control: Scalable
anomaly detection on TCP connections and HTTP requests,’’ in Proc.
IEEE Mil. Commun. Conf. (MILCOM), Nov. 2013, pp. 1880–1887.
[165] B. Amos, H. Turner, and J. White, ‘‘Applying machine learning classifiers
to dynamic Android malware detection at scale,’’ in Proc. 9th Int. Wireless
Commun. Mobile Comput. Conf. (IWCMC), Jul. 2013, pp. 1666–1671,
doi: 10.1109/IWCMC.2013.6583806.
[166] M. S. Parwez, D. B. Rawat, and M. Garuba, ‘‘Big data analytics for user-
activity analysis and user-anomaly detection in mobile wireless network,’’
IEEE Trans. Ind. Informat., vol. 13, no. 4, pp. 2058–2065, Aug. 2017, doi:
10.1109/TII.2017.2650206.
[167] G. Shah and A. Tiwari, ‘‘Anomaly detection in IIoT: A case study using
machine learning,’’ in Proc. ACM India Joint Int. Conf. Data Sci. Manage.
Data, Jan. 2018, pp. 295–300, doi: 10.1145/3152494.3156816.
[168] P. M. Mafra, V. Moll, J. da Silva Fraga, and A. O. Santin, ‘‘Octopus-
IIDS: An anomaly based intelligent intrusion detection system,’’ in
Proc. IEEE Symp. Comput. Commun., Jun. 2010, pp. 405–410, doi:
10.1109/ISCC.2010.5546735.
[169] S. Anil and R. Remya, ‘‘A hybrid method based on genetic algo-
rithm, self-organised feature map, and support vector machine for
better network anomaly detection,’’ in Proc. 4th Int. Conf. Comput.,
Commun. Netw. Technol. (ICCCNT), Jul. 2013, pp. 1–5, doi: 10.1109/
ICCCNT.2013.6726604.
[170] R. Fujimaki, ‘‘Anomaly detection support vector machine and its applica-
tion to fault diagnosis,’’ in Proc. 8th IEEE Int. Conf. Data Mining (ICDM),
Dec. 2008, pp. 797–802, doi: 10.1109/ICDM.2008.69.
[171] S. D. Anton, S. Kanoor, D. Fraunholz, and H. D. Schotten, ‘‘Evalu-
ation of machine learning-based anomaly detection algorithms on an
industrial modbus/TCP data set,’’ in Proc.13th Int. Conf. Availability,
Rel. Secur., Aug. 2018, vol. 41, no. 9, pp. 1–41, doi: 10.1145/3230833.
3232818.
[172] G. Yan, ‘‘Network anomaly traffic detection method based on support
vector machine,’’ in Proc. Int. Conf. Smart City Syst. Eng. (ICSCSE),
Nov. 2016, pp. 3–6, doi: 10.1109/ICSCSE.2016.0011.
[173] L. Xiong, H.-D. Ma, H.-Z. Fang, K.-X. Zou, and D.-W. Yi, ‘‘Anomaly
detection of spacecraft based on least squares support vector machine,’’
in Proc. Prognostics Syst. Health Managment Conf., May 2011, pp. 1–6,
doi: 10.1109/PHM.2011.5939470.
[174] F. Wang, Y. Qian, Y. Dai, and Z. Wang, ‘‘A model based on hybrid support
vector machine and self-organizing map for anomaly detection,’’ in Proc.
Int. Conf. Commun. Mobile Comput. (CMC), Apr. 2010, pp. 97–101, doi:
10.1109/CMC.2010.9.
[175] J. Zhang, R. Gardner, and I. Vukotic, ‘‘Anomaly detection in
wide area network meshes using two machine learning algorithms,’’
Future Gener. Comput. Syst., vol. 93, pp. 418–426, Apr. 2019, doi:
10.1016/j.future.2018.07.023.
[176] L. Deecke, R. Vandermeulen, L. Ruff, S. Mandt, and M. Kloft, ‘‘Image
anomaly detection with generative adversarial networks,’’ in Proc. Joint
Eur. Conf. Mach. Learn. Knowl. Discovery Databases, in Lecture Notes
in Computer Science: Including Subseries Lecture Notes in Artificial
Intelligence and Lecture Notes in Bioinformatics, vol. 11051, 2019,
pp. 3–17, doi: 10.1007/978-3-030-10925-7_1.
[177] M. Cosovic, S. Obradovic, and L. Trajkovic, ‘‘Performance evaluation
of BGP anomaly classifiers,’’ in Proc. 3rd Int. Conf. Digit. Inf., Netw.,
Wireless Commun. (DINWC), Feb. 2015, pp. 115–120.
78696
A. B. Nassif et al.: Machine Learning for Anomaly Detection
[178] G. D’angelo, F. Palmieri, M. Ficco, and S. Rampone, ‘‘An uncertainty-
managing batch relevance-based approach to network anomaly detec-
tion,’’ Appl. Soft Comput., vol. 36, pp. 408–418, Nov. 2015, doi:
10.1016/j.asoc.2015.07.029.
[179] D. A. Kumar and S. R. Venugopalan, ‘‘A novel algorithm for net-
work anomaly detection using adaptive machine learning,’’ in Progress
in Advanced Computing and Intelligent Engineering (Advances in
Intelligent Systems and Computing), vol. 564. 2018, pp. 59–69, doi:
10.1007/978-981-10-6875-1_7.
[180] M. Marwah, R. Sharma, and C. Bash, ‘‘Thermal anomaly prediction
in data centers,’’ in Proc. 12th IEEE Intersoc. Conf. Thermal Ther-
momechanical Phenomena Electron. Syst., Jun. 2010, pp. 1–7, doi:
10.1109/ITHERM.2010.5501330.
[181] N. Stakhanova, S. Basu, and J. Wong, ‘‘On the symbiosis of specification-
based and anomaly-based detection,’’ Comput. Secur., vol. 29, no. 2,
pp. 253–268, Mar. 2010, doi: 10.1016/j.cose.2009.08.007.
[182] J. Lundstrom, W. O. De Morais, and M. Cooney, ‘‘A holistic smart
home demonstrator for anomaly detection and response,’’ in Proc.
IEEE Int. Conf. Pervas. Comput. Commun. Workshops (PerCom
Workshops), Mar. 2015, pp. 330–335, doi: 10.1109/PERCOMW.2015.
7134058.
[183] Y. Yuan, J. Fang, and Q. Wang, ‘‘Online anomaly detection in crowd
scenes via structure analysis,’’ IEEE Trans. Cybern., vol. 45, no. 3,
pp. 548–561, Mar. 2015, doi: 10.1109/TCYB.2014.2330853.
[184] A. Barua, D. Muthirayan, P. P. Khargonekar, and M. A. Al Faruque,
‘‘Hierarchical temporal memory based machine learning for real-time,
unsupervised anomaly detection in smart grid: WiP abstract,’’ in Proc.
ACM/IEEE 11th Int. Conf. Cyber-Phys. Syst. (ICCPS), Apr. 2020,
pp. 188–189, doi: 10.1109/ICCPS48487.2020.00027.
[185] W. Yan, ‘‘One-class extreme learning machines for gas turbine combustor
anomaly detection,’’ in Proc. Int. Joint Conf. Neural Netw. (IJCNN),
Jul. 2016, pp. 2909–2914, doi: 10.1109/IJCNN.2016.7727567.
[186] A. Brown, A. Tuor, B. Hutchinson, and N. Nichols, ‘‘Recurrent neu-
ral network attention mechanisms for interpretable system log anomaly
detection,’’ in Proc. 1st Workshop Mach. Learn. Comput. Syst., Jun. 2018,
pp. 1–8, doi: 10.1145/3217871.3217872.
[187] K. Atefi, S. Yahya, A. Rezaei, and S. H. B. M. Hashim, ‘‘Anomaly
detection based on profile signature in network using machine learn-
ing technique,’’ in Proc. IEEE Region Symp. (TENSYMP), May 2016,
pp. 71–76, doi: 10.1109/TENCONSpring.2016.7519380.
[188] H. Suetani, A. M. Ideta, and J. Morimoto, ‘‘Nonlinear structure of
escape-times to falls for a passive dynamic walker on an irregular
slope: Anomaly detection using multi-class support vector machine
and latent state extraction by canonical correlation analysis,’’ in Proc.
IEEE/RSJ Int. Conf. Intell. Robots Syst., Sep. 2011, pp. 2715–2722, doi:
10.1109/IROS.2011.6048434.
[189] L. F. Maimo, A. L. P. Gomez, F. J. G. Clemente, M. G. Perez, and
G. M. Perez, ‘‘A self-adaptive deep learning-based system for anomaly
detection in 5G networks,’’ IEEE Access, vol. 6, pp. 7700–7712, 2018,
doi: 10.1109/ACCESS.2018.2803446.
[190] F. Seraj, J. Van Der Zwaag, P. Havinga, A. Dilo, and T. Luarasi,
‘‘RoADS: A road pavement monitoring system for anomaly detection
using smart phones,’’ in Proc. Int. Workshop Mach. Learn. Urban Sensor
Data, vol. 9546. Cham, Switzerland: Springer, 2016, pp. 128–146, doi:
10.1007/978-3-319-29009-6_7.
[191] M. Amar, I. Gondal, and C. Wilson, ‘‘Unitary anomaly detection for
ubiquitous safety in machine health monitoring,’’ in Proc. Int. Conf.
Neural Inf. Process., in Lecture Notes in Computer Science: Including
Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in
Bioinformatics, vol. 7667, 2012, pp. 361–368, doi: 10.1007/978-3-642-
34500-5_43.
[192] K. Stefanidis and A. G. Voyiatzis, ‘‘An HMM-based anomaly detection
approach for SCADA systems,’’ in Proc. IFIP Int. Conf. Inf. Secur. Theory
Pract., in Lecture Notes in Computer Science: Including Subseries Lec-
ture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics,
vol. 9895, 2016, pp. 85–99, doi: 10.1007/978-3-319-45931-8_6.
[193] S. C. Chin, A. Ray, and V. Rajagopalan, ‘‘Symbolic time series anal-
ysis for anomaly detection: A comparative evaluation,’’ Signal Pro-
cess., vol. 85, no. 9, pp. 1859–1868, Sep. 2005, doi: 10.1016/j.sigpro.
2005.03.014.
[194] F. A. González and D. Dasgupta, ‘‘Anomaly detection using real-valued
negative selection,’’ Genet. Program. Evolvable Mach., vol. 4, no. 4,
pp. 383–403, 2003, doi: 10.1023/A:1026195112518.
VOLUME 9, 2021
A. B. Nassif et al.: Machine Learning for Anomaly Detection
[195] E. H. M. Pena, L. F. Carvalho, S. Barbon, Jr., J. J. P. C. Rodrigues, and
M. L. Proença, Jr., ‘‘Anomaly detection using the correlational paracon-
sistent machine with digital signatures of network segment,’’ Inf. Sci.,
vol. 420, pp. 313–328, Dec. 2017, doi: 10.1016/j.ins.2017.08.074.
[196] F. Gonzalez, D. Dasgupta, and R. Kozma, ‘‘Combining negative
selection and classification techniques for anomaly detection,’’ in
Proc. Congr. Evol. Comput. (CEC), vol. 1, 2002, pp. 705–710, doi:
10.1109/CEC.2002.1007012.
[197] E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo, ‘‘A geometric
framework for unsupervised anomaly detection,’’ in Applications of Data
Mining in Computer Security. Springer, 2002, pp. 77–101.
[198] A.-D. Schmidt, F. Peters, F. Lamour, C. Scheel, S. A. Çamtepe, and
Ş. Albayrak, ‘‘Monitoring smartphones for anomaly detection,’’ Mobile
Netw. Appl., vol. 14, no. 1, pp. 92–106, Feb. 2009, doi: 10.1007/s11036-
008-0113-x.
[199] M. V. Mahoney and P. K. Chan, ‘‘Learning rules for anomaly detection
of hostile network traffic,’’ in Proc. 3rd IEEE Int. Conf. Data Mining
(ICDM), Nov. 2003, pp. 601–604, doi: 10.1109/icdm.2003.1250987.
[200] R. Winding, T. Wright, and M. Chapple, ‘‘System anomaly detection:
Mining firewall logs,’’ in Proc. Securecomm Workshops, Aug. 2006,
pp. 1–5, doi: 10.1109/SECCOMW.2006.359572.
[201] N. Duffield, P. Haffner, B. Krishnamurthy, and H. Ringberg, ‘‘Rule-
based anomaly detection on IP flows,’’ in Proc. IEEE 28th Conf. Com-
put. Commun. (INFOCOM), Apr. 2009, pp. 424–432, doi: 10.1109/
INFCOM.2009.5061947.
[202] T. Stibor, P. Mohr, J. Timmis, and C. Eckert, ‘‘Is negative selection
appropriate for anomaly detection?’’ in Proc. Conf. Genet. Evol. Comput.
(GECCO), 2005, pp. 321–328, doi: 10.1145/1068009.1068061.
[203] L. Scime and J. Beuth, ‘‘Anomaly detection and classification in a laser
powder bed additive manufacturing process using a trained computer
vision algorithm,’’ Additive Manuf., vol. 19, pp. 114–126, Jan. 2018, doi:
10.1016/j.addma.2017.11.009.
[204] B. I. P. Rubinstein, B. Nelson, L. Huang, A. D. Joseph, S.-H. Lau, S. Rao,
N. Taft, and J. D. Tygar, ‘‘Stealthy poisoning attacks on PCA-based
anomaly detectors,’’ ACM SIGMETRICS Perform. Eval. Rev., vol. 37,
no. 2, pp. 73–74, Oct. 2009, doi: 10.1145/1639562.1639592.
[205] D. S. Kim, H.-N. Nguyen, S.-Y. Ohn, and J. S. Park, ‘‘Fusions of GA
and SVM for anomaly detection in intrusion detection system,’’ in Proc.
Int. Symp. Neural Netw., in Lecture Notes in Computer Science, 2005,
vol. 3498, no. 3, pp. 415–420, doi: 10.1007/11427469_67.
[206] E. L. Paula, M. Ladeira, R. N. Carvalho, and T. Marzagão, ‘‘Deep
learning anomaly detection as support fraud investigation in Brazilian
exports and anti-money laundering,’’ in Proc. 15th IEEE Int. Conf.
Mach. Learn. Appl. (ICMLA), Dec. 2016, pp. 954–960, doi: 10.1109/
ICMLA.2016.0172.
[207] R. Fujimaki, T. Yairi, and K. Machida, ‘‘An anomaly detection method
for spacecraft using relevance vector learning,’’ in Proc. Pacific-Asia
Conf. Knowl. Discovery Data Mining, in Lecture Notes in Computer
Science: Including Subseries Lecture Notes in Artificial Intelligence and
Lecture Notes in Bioinformatics, vol. 3518, 2005, pp. 785–790, doi:
10.1007/11430919_92.
[208] S. Liu, Y. Chen, W. Trappe, and L. J. Greenstein, ‘‘ALDO: An anomaly
detection framework for dynamic spectrum access networks,’’ in
Proc. IEEE 28th Conf. Comput. Commun. (INFOCOM), Apr. 2009,
pp. 675–683.
[209] K. Sequeira and M. Zaki, ‘‘ADMIT: Anomaly-based data mining for
intrusions,’’ in Proc. 8th ACM SIGKDD Int. Conf. Knowl. Discovery Data
Mining (KDD), 2002, pp. 386–395.
[210] V. L. L. Thing, ‘‘IEEE 802.11 network anomaly detection and
attack classification: A deep learning approach,’’ in Proc. IEEE
Wireless Commun. Netw. Conf. (WCNC), Mar. 2017, pp. 1–6, doi:
10.1109/WCNC.2017.7925567.
[211] K. M. Ting, T. Washio, J. R. Wells, and S. Aryal, ‘‘Defying the gravity of
learning curve: A characteristic of nearest neighbour anomaly detectors,’’
Mach. Learn., vol. 106, no. 1, pp. 55–91, Jan. 2017, doi: 10.1007/s10994-
016-5586-4.
[212] Y. Zhou, S. Yan, and T. S. Huang, ‘‘Detecting anomaly in videos from
trajectory similarity analysis,’’ in Proc. IEEE Multimedia Expo Int. Conf.,
Jul. 2007, pp. 1087–1090.
[213] M. Du, F. Li, G. Zheng, and V. Srikumar, ‘‘DeepLog: Anomaly detection
and diagnosis from system logs through deep learning,’’ in Proc. ACM
SIGSAC Conf. Comput. Commun. Secur., Oct. 2017, pp. 1285–1298, doi:
10.1145/3133956.3134015.
VOLUME 9, 2021
[214] W. D. Fisher, T. K. Camp, and V. V. Krzhizhanovskaya, ‘‘Anomaly
detection in earth dam and levee passive seismic data using support
vector machines and automatic feature selection,’’ J. Comput. Sci., vol. 20,
pp. 143–153, May 2017, doi: 10.1016/j.jocs.2016.11.016.
[215] M. Cheng, Q. Li, J. Lv, W. Liu, and J. Wang, ‘‘Multi-scale LSTM model
for BGP anomaly classification,’’ IEEE Trans. Services Comput., early
access, Apr. 10, 2018, doi: 10.1109/TSC.2018.2824809.
[216] S. Cho and S. Cha, ‘‘SAD: Web session anomaly detection based on
parameter estimation,’’ Comput. Secur., vol. 23, no. 4, pp. 312–319,
Jun. 2004, doi: 10.1016/j.cose.2004.01.006.
[217] S. J. Han, K. J. Kim, and S. B. Cho, ‘‘Evolutionary learning program’s
behavior in neural networks for anomaly detection,’’ in Proc. Int. Conf.
Neural Inf. Process., in Lecture Notes in Computer Science: Including
Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in
Bioinformatics, vol. 3316, 2004, pp. 236–241, doi: 10.1007/978-3-540-
30499-9_35.
[218] Y. Zhao, B. Deng, C. Shen, Y. Liu, H. Lu, and X.-S. Hua,
‘‘Spatio-temporal AutoEncoder for video anomaly detection,’’ in Proc.
25th ACM Int. Conf. Multimedia, Oct. 2017, pp. 1933–1941, doi:
10.1145/3123266.3123451.
[219] C. Pascoal, M. R. de Oliveira, R. Valadas, P. Filzmoser, P. Salvador,
and A. Pacheco, ‘‘Robust feature selection and robust PCA for Inter-
net traffic anomaly detection,’’ in Proc. IEEE INFOCOM, Mar. 2012,
pp. 1755–1763.
[220] G. Pang, C. Shen, and A. van den Hengel, ‘‘Deep anomaly detec-
tion with deviation networks,’’ in Proc. 25th ACM SIGKDD Int.
Conf. Knowl. Discovery Data Mining, Jul. 2019, pp. 353–362, doi:
10.1145/3292500.3330871.
[221] J. Liu, J. Gu, H. Li, and K. H. Carlson, ‘‘Machine learning and transport
simulations for groundwater anomaly detection,’’ J. Comput. Appl. Math.,
vol. 380, Dec. 2020, Art. no. 112982, doi: 10.1016/j.cam.2020.112982.
[222] R. Bhatia, S. Benno, J. Esteban, T. V. Lakshman, and J. Grogan, ‘‘Unsu-
pervised machine learning for network-centric anomaly detection in
IoT,’’ in Proc. 3rd ACM CoNEXT Workshop Big DAta, Mach. Learn.
Artif. Intell. Data Commun. Netw. (Big-DAMA), 2019, pp. 42–48, doi:
10.1145/3359992.3366641.
[223] Z. Chkirbene, S. Eltanbouly, M. Bashendy, N. AlNaimi, and A. Erbad,
‘‘Hybrid machine learning for network anomaly intrusion detection,’’
in Proc. IEEE Int. Conf. Informat., IoT, Enabling Technol. (ICIoT),
Feb. 2020, pp. 163–170, doi: 10.1109/ICIoT48696.2020.9089575.
[224] J. Wang, J. Liu, J. Pu, Q. Yang, Z. Miao, J. Gao, and Y. Song, ‘‘An
anomaly prediction framework for financial IT systems using hybrid
machine learning methods,’’ J. Ambient Intell. Humanized Comput., vol.
2019, Dec. 2019, doi: 10.1007/s12652-019-01645-z.
[225] H. Goldberg, H. Kwon, and N. M. Nasrabadi, ‘‘Kernel eigenspace separa-
tion transform for subspace anomaly detection in hyperspectral imagery,’’
IEEE Geosci. Remote Sens. Lett., vol. 4, no. 4, pp. 581–585, Oct. 2007,
doi: 10.1109/LGRS.2007.903083.
[226] Y. Feng, Z.-F. Wu, K.-G. Wu, Z.-Y. Xiong, and Y. Zhou, ‘‘An unsu-
pervised anomaly intrusion detection algorithm based on swarm intel-
ligence,’’ in Proc. Int. Conf. Mach. Learn. Cybern. (ICMLC), 2005,
pp. 3965–3969, doi: 10.1109/icmlc.2005.1527630.
[227] H. Y. Shahir, U. Glasser, A. Y. Shahir, and H. Wehn, ‘‘Maritime situa-
tion analysis framework: Vessel interaction classification and anomaly
detection,’’ in Proc. IEEE Int. Conf. Big Data (Big Data), Oct. 2015,
pp. 1279–1289, doi: 10.1109/BigData.2015.7363883.
[228] D. B. Araya, K. Grolinger, H. F. ElYamany, M. A. M. Capretz, and
G. Bitsuamlak, ‘‘An ensemble learning framework for anomaly detec-
tion in building energy consumption,’’ Energy Buildings, vol. 144,
pp. 191–206, Jun. 2017, doi: 10.1016/j.enbuild.2017.02.058.
[229] J. B. D. Cabrera, C. Gutiérrez, and R. K. Mehra, ‘‘Ensemble methods
for anomaly detection and distributed intrusion detection in mobile ad-
hoc networks,’’ Inf. Fusion, vol. 9, no. 1, pp. 96–119, Jan. 2008, doi:
10.1016/j.inffus.2007.03.001.
[230] W. Fan, N. Bouguila, and D. Ziou, ‘‘Unsupervised anomaly intru-
sion detection via localized Bayesian feature selection,’’ in Proc. IEEE
11th Int. Conf. Data Mining (ICDM), Dec. 2011, pp. 1032–1037, doi:
10.1109/ICDM.2011.152.
[231] R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, and W. Lee, ‘‘McPAD: A mul-
tiple classifier system for accurate payload-based anomaly detection,’’
Comput. Netw., vol. 53, no. 6, pp. 864–881, Apr. 2009.
[232] E. Eskin, ‘‘Detecting errors within a corpus using anomaly detection,’’
in Proc. 1st Meeting North Amer. Chapter Assoc. Comput. Linguistics,
2000, pp. 1–6.
78697

[233] J. Frery, A. Habrard, M. Sebban, O. Caelen, and L. He-Guelton, ‘‘Effi-
cient top rank optimization with gradient boosting for supervised anomaly
detection,’’ in Proc. Joint Eur. Conf. Mach. Learn. Knowl. Discovery
Databases, in Lecture Notes in Computer Science: Including Subseries
Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinfor-
matics, vol. 10534, 2017, pp. 20–35, doi: 10.1007/978-3-319-71249-9_2.
[234] B. Hussain, Q. Du, and P. Ren, ‘‘Semi-supervised learning based big data-
driven anomaly detection in mobile wireless networks,’’ China Commun.,
vol. 15, no. 4, pp. 41–57, Apr. 2018, doi: 10.1109/CC.2018.8357700.
[235] H. Alipour, Y. B. Al-Nashif, P. Satam, and S. Hariri, ‘‘Wireless anomaly
detection based on IEEE 802.11 behavior analysis,’’ IEEE Trans. Inf.
Forensics Security, vol. 10, no. 10, pp. 2158–2170, Oct. 2015, doi:
10.1109/TIFS.2015.2433898.
[236] H. H. Bosman, G. Iacca, A. Tejada, H. J. Wörtche, and A. Liotta,
‘‘Spatial anomaly detection in sensor networks using neighbor-
hood information,’’ Inf. Fusion, vol. 33, pp. 41–56, Jan. 2017, doi:
10.1016/j.inffus.2016.04.007.
[237] J. Goh, S. Adepu, M. Tan, and Z. S. Lee, ‘‘Anomaly detection in cyber
physical systems using recurrent neural networks,’’ in Proc. IEEE 18th
Int. Symp. High Assurance Syst. Eng. (HASE), Jan. 2017, pp. 140–145,
doi: 10.1109/HASE.2017.36.
[238] N. Erez and A. Wool, ‘‘Control variable classification, modeling
and anomaly detection in modbus/TCP SCADA systems,’’ Int. J.
Crit. Infrastruct. Protection, vol. 10, pp. 59–70, Sep. 2015, doi:
10.1016/j.ijcip.2015.05.001.
[239] T. F. Ghanem, W. S. Elkilani, and H. M. Abdul-Kader, ‘‘A hybrid
approach for efficient anomaly detection using metaheuristic methods,’’
J. Adv. Res., vol. 6, no. 4, pp. 609–619, Jul. 2015, doi: 10.1016/j.
jare.2014.02.009.
[240] F. Schuster, A. Paul, and H. König, ‘‘Towards learning normality for
anomaly detection in industrial control networks,’’ in Proc. IFIP Int.
Conf. Auton. Infrastruct., Manage. Secur., in Lecture Notes in Computer
Science: Including Subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics, vol. 7943, 2013, pp. 61–72, doi:
10.1007/978-3-642-38998-6_8.
[241] S. M. A. M. Gadal and R. A. Mokhtar, ‘‘Anomaly detection approach
using hybrid algorithm of data mining technique,’’ in Proc. Int. Conf.
Commun., Control, Comput. Electron. Eng. (ICCCCEE), Jan. 2017,
pp. 1–6, doi: 10.1109/ICCCCEE.2017.7867661.
[242] Q. Guan and S. Fu, ‘‘Adaptive anomaly identification by exploring
metric subspace in cloud computing infrastructures,’’ in Proc. IEEE
32nd Int. Symp. Reliable Distrib. Syst., Sep. 2013, pp. 205–214, doi:
10.1109/SRDS.2013.29.
[243] W. Haider, J. Hu, and M. Xie, ‘‘Towards reliable data feature retrieval
and decision engine in host-based anomaly detection systems,’’ in Proc.
IEEE 10th Conf. Ind. Electron. Appl. (ICIEA), Jun. 2015, pp. 513–517,
doi: 10.1109/ICIEA.2015.7334166.
[244] R. Perdisci, G. Gu, and W. Lee, ‘‘Using an ensemble of one-class SVM
classifiers to harden payload-based anomaly detection systems,’’ in Proc.
6th Int. Conf. Data Mining (ICDM), Dec. 2006, pp. 488–498.
[245] A. M. Vartouni, S. S. Kashi, and M. Teshnehlab, ‘‘An anomaly detection
method to detect Web attacks using stacked auto-encoder,’’ in Proc. 6th
Iranian Joint Congr. Fuzzy Intell. Syst. (CFIS), 2018, pp. 131–134.
[246] M. Fugate and J. R. Gattiker, ‘‘Anomaly detection enhanced classification
in computer intrusion detection,’’ in Proc. Int. Workshop Support Vector
Mach., in Lecture Notes in Computer Science: Including Subseries Lec-
ture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics,
vol. 2388, 2002, pp. 186–197, doi: 10.1007/3-540-45665-1_15.
[247] C. C. Michael and A. Ghosh, ‘‘Simple, state-based approaches to
program-based anomaly detection,’’ ACM Trans. Inf. Syst. Secur., vol. 5,
no. 3, pp. 203–237, Aug. 2002, doi: 10.1145/545186.545187.
[248] Y. Liao, V. R. Vemuri, and A. Pasos, ‘‘Adaptive anomaly detection with
evolving connectionist systems,’’ J. Netw. Comput. Appl., vol. 30, no. 1,
pp. 60–80, Jan. 2007, doi: 10.1016/j.jnca.2005.08.005.
[249] V. R. Jakkula, A. S. Crandall, and D. J. Cook, ‘‘Enhancing anomaly
detection using temporal pattern discovery,’’ in Advanced Intelligent
Environments. Boston, MA, USA: Springer, 2009, pp. 175–194.
[250] B. Vrat, N. Aggarwal, and S. Venkatesan, ‘‘Anomaly detection in
IPv4 and IPv6 networks using machine learning,’’ in Proc. Annu.
IEEE India Conf. (INDICON), Dec. 2015, pp. 1–6, doi: 10.1109/INDI-
CON.2015.7443752.
[251] S. Muller, J. Lancrenon, C. Harpes, Y. Le Traon, S. Gombault, and
J.-M. Bonnin, ‘‘A training-resistant anomaly detection system,’’ Comput.
Secur., vol. 76, pp. 1–11, Jul. 2018.
78698
A. B. Nassif et al.: Machine Learning for Anomaly Detection
[252] S. Xiuyao, W. Mingxi, C. Jermaine, and S. Ranka, ‘‘Conditional anomaly
detection,’’ IEEE Trans. Knowl. Data Eng., vol. 19, no. 5, pp. 631–644,
May 2007, doi: 10.1109/TKDE.2007.1009.
[253] R. Jain and H. Shah, ‘‘An anomaly detection in smart cities modeled
as wireless sensor network,’’ in Proc. Int. Conf. Signal Inf. Process.
(IConSIP), Oct. 2016, pp. 1–5, doi: 10.1109/ICONSIP.2016.7857445.
[254] X. R. Wang, J. T. Lizier, O. Obst, M. Prokopenko, and P. Wang, ‘‘Spa-
tiotemporal anomaly detection in gas monitoring sensor networks,’’ in
Proc. Eur. Conf. Wireless Sensor Netw., in Lecture Notes in Computer
Science: Including Subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics, vol. 4913, 2008, pp. 90–105, doi:
10.1007/978-3-540-77690-1_6.
[255] W. Li and Q. Li, ‘‘Using naive Bayes with AdaBoost to enhance network
anomaly intrusion detection,’’ in Proc. 3rd Int. Conf. Intell. Netw. Intell.
Syst. (ICINIS), Nov. 2010, pp. 486–489, doi: 10.1109/ICINIS.2010.133.
[256] X. Hang and H. Dai, ‘‘Applying both positive and negative selection to
supervised learning for anomaly detection,’’ in Proc. Conf. Genet. Evol.
Comput. (GECCO), 2005, pp. 345–352, doi: 10.1145/1068009.1068064.
[257] Y.-K. Wang, C.-T. Fan, K.-Y. Cheng, and P. S. Deng, ‘‘Real-time cam-
era anomaly detection for real-world video surveillance,’’ in Proc. Int.
Conf. Mach. Learn. Cybern., vol. 4, Jul. 2011, pp. 1520–1525, doi:
10.1109/ICMLC.2011.6017032.
[258] R. C. Aygun and A. G. Yavuz, ‘‘Network anomaly detection with stochas-
tically improved autoencoder based models,’’ in Proc. IEEE 4th Int. Conf.
Cyber Secur. Cloud Comput. (CSCloud), Jun. 2017, pp. 193–198, doi:
10.1109/CSCloud.2017.39.
[259] Y. Feng, Y. Yuan, and X. Lu, ‘‘Learning deep event models for crowd
anomaly detection,’’ Neurocomputing, vol. 219, pp. 548–556, Jan. 2017,
doi: 10.1016/j.neucom.2016.09.063.
[260] S. Akcay, A. Atapour-Abarghouei, and T. P. Breckon, ‘‘GANomaly:
Semi-supervised anomaly detection via adversarial training,’’ in Proc.
Asian Conf. Comput. Vis., in Lecture Notes in Computer Science: Includ-
ing Subseries Lecture Notes in Artificial Intelligence and Lecture Notes
in Bioinformatics, vol. 11363, 2019, pp. 622–637, doi: 10.1007/978-3-
030-20893-6_39.
[261] M. Chang, A. Terzis, and P. Bonnet, ‘‘Mote-based online anomaly detec-
tion using echo state networks,’’ in Proc. Int. Conf. Distrib. Comput.
Sensor Syst., in Lecture Notes in Computer Science: Including Subseries
Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinfor-
matics, vol. 5516, 2009, pp. 72–86, doi: 10.1007/978-3-642-02085-8_6.
[262] A. S. A. Aziz, A. T. Azar, M. A. Salama, A. E. Hassanien, and
S. E.-O. Hanafy, ‘‘Genetic algorithm with different feature selection tech-
niques for anomaly detectors generation,’’ in Proc. Federated Conf. Com-
put. Sci. Inf. Syst., Sep. 2013, pp. 769–774.
[263] G. Marín, P. Casas, and G. Capdehourat, ‘‘RawPower: Deep learning
based anomaly detection from raw network traffic measurements,’’ in
Proc. ACM SIGCOMM Conf. Posters Demos, Aug. 2018, pp. 75–77, doi:
10.1145/3234200.3234238.
[264] P. Casas, F. Soro, J. Vanerio, G. Settanni, and A. D’Alconzo, ‘‘Network
security and anomaly detection with big-DAMA, a big data analytics
framework,’’ in Proc. IEEE 6th Int. Conf. Cloud Netw. (CloudNet),
Sep. 2017, pp. 1–7, doi: 10.1109/CloudNet.2017.8071525.
[265] X. A. Hoang and J. Hu, ‘‘An efficient hidden Markov model training
scheme for anomaly intrusion detection of server applications based
on system calls,’’ in Proc. 12th IEEE Int. Conf. Netw. (ICON), vol. 4,
Nov. 2004, pp. 470–474, doi: 10.1109/ICON.2004.1409210.
[266] I. O. de Urbina Cazenave, E. Köşlük, and M. C. Ganiz, ‘‘An anomaly
detection framework for BGP,’’ in Proc. Int. Symp. Innov. Intell. Syst.
Appl., Jun. 2011, pp. 107–111, doi: 10.1109/INISTA.2011.5946083.
[267] O. Raz, P. Koopman, and M. Shaw, ‘‘Semantic anomaly detection in
online data sources,’’ in Proc. Int. Conf. Softw. Eng., 2002, pp. 302–312,
doi: 10.1145/581339.581378.
[268] H. M. Anwer, M. Farouk, and A. Abdel-Hamid, ‘‘A framework for
efficient network anomaly intrusion detection with features selection,’’ in
Proc. 9th Int. Conf. Inf. Commun. Syst. (ICICS), Apr. 2018, pp. 157–162,
doi: 10.1109/IACS.2018.8355459.
[269] X. Wang, J. S. Wong, F. Stanley, and S. Basu, ‘‘Cross-layer based anomaly
detection in wireless mesh networks,’’ in Proc. 9th Annu. Int. Symp. Appl.
Internet (SAINT), Jul. 2009, pp. 9–15, doi: 10.1109/SAINT.2009.11.
[270] K. Alrawashdeh and C. Purdy, ‘‘Reducing calculation requirements in
FPGA implementation of deep learning algorithms for online anomaly
intrusion detection,’’ in Proc. IEEE Nat. Aerosp. Electron. Conf. (NAE-
CON), Jun. 2017, pp. 57–62, doi: 10.1109/NAECON.2017.8268745.
VOLUME 9, 2021
A. B. Nassif et al.: Machine Learning for Anomaly Detection
[271] R. Kumari, Sheetanshu, M. K. Singh, R. Jha, and N. K. Singh, ‘‘Anomaly
detection in network traffic using K-mean clustering,’’ in Proc. 3rd Int.
Conf. Recent Adv. Inf. Technol. (RAIT), Mar. 2016, pp. 387–393, doi:
10.1109/RAIT.2016.7507933.
[272] P. Mulinka and P. Casas, ‘‘Stream-based machine learning for net-
work security and anomaly detection,’’ in Proc. Workshop Big Data
Anal. Mach. Learn. Data Commun. Netw., Aug. 2018, pp. 1–7, doi:
10.1145/3229607.3229612.
[273] T. Ahmed, M. Coates, and A. Lakhina, ‘‘Multivariate online anomaly
detection using kernel recursive least squares,’’ in Proc. 26th IEEE Int.
Conf. Comput. Commun. (INFOCOM), May 2007, pp. 625–633.
[274] V. L. Cao, M. Nicolau, and J. McDermott, ‘‘A hybrid autoencoder and
density estimation model for anomaly detection,’’ in Proc. Int. Conf.
Parallel Problem Solving From Nature, in Lecture Notes in Computer
Science: Including Subseries Lecture Notes in Artificial Intelligence and
Lecture Notes in Bioinformatics, vol. 9921, 2016, pp. 717–726, doi:
10.1007/978-3-319-45823-6_67.
[275] D. Narsingyani and O. Kale, ‘‘Optimizing false positive in anomaly
based intrusion detection using genetic algorithm,’’ in Proc. IEEE 3rd
Int. Conf. MOOCs, Innov. Technol. Educ. (MITE), Oct. 2015, pp. 72–77,
doi: 10.1109/MITE.2015.7375291.
[276] M. Sabokrou, M. Fayyaz, M. Fathy, Z. Moayed, and R. Klette, ‘‘Deep-
anomaly: Fully convolutional neural network for fast anomaly detec-
tion in crowded scenes,’’ Comput. Vis. Image Understand., vol. 172,
pp. 88–97, Jul. 2018, doi: 10.1016/j.cviu.2018.02.006.
[277] R. Chalapathy, E. Toth, and S. Chawla, ‘‘Group anomaly detection using
deep generative models,’’ in Proc. Joint Eur. Conf. Mach. Learn. Knowl.
Discovery Databases, in Lecture Notes in Computer Science: Including
Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in
Bioinformatics, vol. 11051, 2019, pp. 173–189, doi: 10.1007/978-3-030-
10925-7_11.
[278] F. Doelitzscher, M. Knahl, C. Reich, and N. Clarke, ‘‘Anomaly detection
in IaaS clouds,’’ in Proc. IEEE 5th Int. Conf. Cloud Comput. Technol.
Sci. (CloudCom), vol. 1, Dec. 2013, pp. 387–394, doi: 10.1109/Cloud-
Com.2013.57.
[279] N. F. Haq, A. R. Onik, and F. M. Shah, ‘‘An ensemble framework of
anomaly detection using hybridized feature selection approach (HFSA),’’
in Proc. SAI Intell. Syst. Conf. (IntelliSys), Nov. 2015, pp. 989–995, doi:
10.1109/IntelliSys.2015.7361264.
[280] J. Tian and H. Gu, ‘‘Anomaly detection combining one-class SVMs
and particle swarm optimization algorithms,’’ Nonlinear Dyn., vol. 61,
nos. 1–2, pp. 303–310, Jul. 2010, doi: 10.1007/s11071-009-9650-5.
[281] G. A. Susto, A. Beghi, and S. McLoone, ‘‘Anomaly detection through
on-line isolation forest: An application to plasma etching,’’ in Proc. 40th
Int. Conv. Inf. Commun. Technol., Electron. Microelectron. (MIPRO),
May 2017, pp. 89–94, doi: 10.23919/mipro.2017.7966552.
[282] I. Paredes-Oliva, I. Castell-Uroz, P. Barlet-Ros, X. Dimitropoulos, and
J. Sole-Pareta, ‘‘Practical anomaly detection based on classifying fre-
quent traffic patterns,’’ in Proc. IEEE INFOCOM Workshops, Mar. 2012,
pp. 49–54.
[283] I. Ullah and Q. H. Mahmoud, ‘‘A hybrid model for anomaly-based
intrusion detection in SCADA networks,’’ in Proc. IEEE Int. Conf.
Big Data (Big Data), Dec. 2017, pp. 2160–2167, doi: 10.1109/Big-
Data.2017.8258164.
[284] X.-Q. Zhang and C.-H. Gu, ‘‘CH-SVM based network anomaly detec-
tion,’’ in Proc. Int. Conf. Mach. Learn. Cybern. (ICMLC), vol. 6, 2007,
pp. 3261–3266, doi: 10.1109/ICMLC.2007.4370710.
[285] D. Li, D. Chen, B. Jin, L. Shi, J. Goh, and S.-K. Ng, ‘‘MAD-GAN:
Multivariate anomaly detection for time series data with generative adver-
sarial networks,’’ in Proc. Int. Conf. Artif. Neural Netw., in Lecture Notes
in Computer Science: Including Subseries Lecture Notes in Artificial
Intelligence and Lecture Notes in Bioinformatics, vol. 11730, 2019,
pp. 703–716, doi: 10.1007/978-3-030-30490-4_56.
[286] T. Sipola, A. Juvonen, and J. Lehtonen, ‘‘Anomaly detection from net-
work logs using diffusion maps,’’ in Proc. IFIP Int. Conf. Artif. Intell.
Appl. Innov., vol. 363, 2011, pp. 172–181, doi: 10.1007/978-3-642-
23957-1_20.
[287] M. Zhu, K. Ye, Y. Wang, and C. Z. Xu, ‘‘A deep learning approach for net-
work anomaly detection based on AMF-LSTM,’’ in Proc. IFIP Int. Conf.
Netw. Parallel Comput., in Lecture Notes in Computer Science: Including
Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in
Bioinformatics, vol. 11276, 2018, pp. 137–141, doi: 10.1007/978-3-030-
05677-3_13.
VOLUME 9, 2021
[288] B. Shah and B. H. Trivedi, ‘‘Reducing features of KDD CUP 1999 dataset
for anomaly detection using back propagation neural network,’’ in Proc.
5th Int. Conf. Adv. Comput. Commun. Technol., Feb. 2015, pp. 247–251,
doi: 10.1109/ACCT.2015.131.
[289] X. Gu and H. Wang, ‘‘Online anomaly prediction for robust clus-
ter systems,’’ in Proc. IEEE 25th Int. Conf. Data Eng., Mar. 2009,
pp. 1000–1011.
[290] A. Chiang, E. David, Y.-J. Lee, G. Leshem, and Y.-R. Yeh, ‘‘A study
on anomaly detection ensembles,’’ J. Appl. Log., vol. 21, pp. 1–13,
May 2017, doi: 10.1016/j.jal.2016.12.002.
[291] D. S. Terzi, R. Terzi, and S. Sagiroglu, ‘‘Big data analytics for
network anomaly detection from netflow data,’’ in Proc. Int.
Conf. Comput. Sci. Eng. (UBMK), Oct. 2017, pp. 592–597, doi:
10.1109/UBMK.2017.8093473.
[292] N. T. Van, T. N. Thinh, and L. T. Sach, ‘‘An anomaly-based
network intrusion detection system using deep learning,’’ in Proc.
Int. Conf. Syst. Sci. Eng. (ICSSE), Jul. 2017, pp. 210–214, doi:
10.1109/ICSSE.2017.8030867.
[293] R. K. Malaiya, D. Kwon, S. C. Suh, H. Kim, I. Kim, and J. Kim,
‘‘An empirical evaluation of deep learning for network anomaly
detection,’’ IEEE Access, vol. 7, pp. 140806–140817, 2019, doi:
10.1109/ACCESS.2019.2943249.
[294] D. Yao, M. Yin, J. Luo, and S. Zhang, ‘‘Network anomaly detection
using random forests and entropy of traffic features,’’ in Proc. 4th Int.
Conf. Multimedia Inf. Netw. Secur. (MINES), Nov. 2012, pp. 926–929,
doi: 10.1109/MINES.2012.146.
[295] S. Rajasegarar, C. Leckie, M. Palaniswami, and J. C. Bezdek, ‘‘Quarter
sphere based distributed anomaly detection in wireless sensor networks,’’
in Proc. IEEE Int. Conf. Commun., Jun. 2007, pp. 3864–3869, doi:
10.1109/ICC.2007.637.
[296] D. Boro, B. Nongpoh, and D. K. Bhattacharyya, ‘‘Anomaly based
intrusion detection using meta ensemble classifier,’’ in Proc.
5th Int. Conf. Secur. Inf. Netw. (SIN), 2012, pp. 143–147, doi:
10.1145/2388576.2388596.
[297] F. Yihunie, E. Abdelfattah, and A. Regmi, ‘‘Applying machine learning
to anomaly-based intrusion detection systems,’’ in Proc. IEEE Long
Island Syst., Appl. Technol. Conf. (LISAT), May 2019, pp. 1–5, doi:
10.1109/LISAT.2019.8817340.
[298] L. Bontemps, V. L. Cao, J. McDermott, and N. A. Le-Khac, ‘‘Collective
anomaly detection based on long short-term memory recurrent neural
networks,’’ in Proc. Int. Conf. Future Data Secur. Eng., in Lecture Notes
in Computer Science: Including Subseries Lecture Notes in Artificial
Intelligence and Lecture Notes in Bioinformatics, vol. 10018, 2016,
pp. 141–152, doi: 10.1007/978-3-319-48057-2_9.
[299] I. Alrashdi, A. Alqazzaz, E. Aloufi, R. Alharthi, M. Zohdy, and
H. Ming, ‘‘AD-IoT: Anomaly detection of IoT cyberattacks in smart
city using machine learning,’’ in Proc. IEEE 9th Annu. Comput.
Commun. Workshop Conf. (CCWC), Jan. 2019, pp. 305–310, doi:
10.1109/CCWC.2019.8666450.
[300] S. Rayana and L. Akoglu, ‘‘Less is more: Building selective anomaly
ensembles,’’ ACM Trans. Knowl. Discovery From Data, vol. 10, no. 4,
pp. 1–33, Jul. 2016, doi: 10.1145/2890508.
[301] D. Damopoulos, G. Kambourakis, and G. Portokalidis, ‘‘The best
of both worlds: A framework for the synergistic operation of
host and cloud anomaly-based IDS for smartphones,’’ in Proc. 7th
Eur. Workshop Syst. Secur., 2014, pp. 1–6, doi: 10.1145/2592791.
2592797.
[302] D. Ippoliti and X. Zhou, ‘‘A-GHSOM: An adaptive growing hierar-
chical self organizing map for network anomaly detection,’’ J. Paral-
lel Distrib. Comput., vol. 72, no. 12, pp. 1576–1590, Dec. 2012, doi:
10.1016/j.jpdc.2012.09.004.
[303] D. Cozzolino and L. Verdoliva, ‘‘Single-image splicing localization
through autoencoder-based anomaly detection,’’ in Proc. IEEE Int.
Workshop Inf. Forensics Secur. (WIFS), Dec. 2016, pp. 1–6, doi:
10.1109/WIFS.2016.7823921.
[304] M. Al-Subaie and M. Zulkernine, ‘‘Efficacy of hidden Markov models
over neural networks in anomaly intrusion detection,’’ in Proc. 30th Annu.
Int. Comput. Softw. Appl. Conf. (COMPSAC), Sep. 2006, pp. 325–332,
doi: 10.1109/COMPSAC.2006.40.
[305] R. Fujimaki, T. Yairi, and K. Machida, ‘‘An approach to spacecraft
anomaly detection problem using kernel feature space,’’ in Proc. 11th
ACM SIGKDD Int. Conf. Knowl. Discovery Data Mining (KDD), 2005,
pp. 401–410, doi: 10.1145/1081870.1081917.
78699

[306] I. Khokhlov, M. Perez, and L. Reznik, ‘‘Machine learning in anomaly
detection: Example of colluded applications attack in Android devices,’’
in Proc. 18th IEEE Int. Conf. Mach. Learn. Appl. (ICMLA), Dec. 2019,
pp. 1328–1333, doi: 10.1109/ICMLA.2019.00216.
[307] A. Selvaraj, R. Patan, A. H. Gandomi, G. G. Deverajan, and M. Pushparaj,
‘‘Optimal virtual machine selection for anomaly detection using a
swarm intelligence approach,’’ Appl. Soft Comput., vol. 84, Nov. 2019,
Art. no. 105686, doi: 10.1016/j.asoc.2019.105686.
[308] R. Punmiya, O. Zyabkina, S. Choe, and J. Meyer, ‘‘Anomaly detec-
tion in power quality measurements using proximity-based unsupervised
machine learning techniques,’’ in Proc. Electr. Power Qual. Supply Rel.
Conf. (PQ), Symp. Electr. Eng. Mechatronics (SEEM), Jun. 2019, pp. 1–6,
doi: 10.1109/PQ.2019.8818236.
[309] Y. Li, X. Luo, Y. Qian, and X. Zhao, ‘‘Network-wide traffic anomaly
detection and localization based on robust multivariate probabilistic cal-
ibration model,’’ Math. Problems Eng., vol. 2015, pp. 1–26, Jan. 2015,
doi: 10.1155/2015/923792.
[310] E. Quatrini, F. Costantino, G. Di Gravio, and R. Patriarca, ‘‘Machine
learning for anomaly detection and process phase classification to
improve safety and maintenance activities,’’ J. Manuf. Syst., vol. 56,
pp. 117–132, Jul. 2020, doi: 10.1016/j.jmsy.2020.05.013.
[311] Y. Liu, Z. Pang, M. Karlsson, and S. Gong, ‘‘Anomaly detection based
on machine learning in IoT-based vertical plant wall for indoor climate
control,’’ Building Environ., vol. 183, Oct. 2020, Art. no. 107212, doi:
10.1016/j.buildenv.2020.107212.
[312] P. Tang, W. Qiu, Z. Huang, S. Chen, M. Yan, H. Lian, and Z. Li, ‘‘Anomaly
detection in electronic invoice systems based on machine learning,’’ Inf.
Sci., vol. 535, pp. 172–186, Oct. 2020, doi: 10.1016/j.ins.2020.03.089.
[313] I. G. A. Poornima and B. Paramasivan, ‘‘Anomaly detection in wireless
sensor network using machine learning algorithm,’’ Comput. Commun.,
vol. 151, pp. 331–337, Feb. 2020, doi: 10.1016/j.comcom.2020.01.005.
[314] G. Pu, L. Wang, J. Shen, and F. Dong, ‘‘A hybrid unsupervised clustering-
based anomaly detection method,’’ Tsinghua Sci. Technol., vol. 26, no. 2,
pp. 146–153, Apr. 2021, doi: 10.26599/TST.2019.9010051.
[315] H. A. Nguyen, T. Van Nguyen, D. I. Kim, and D. Choi, ‘‘Network traffic
anomalies detection and identification with flow monitoring,’’ in Proc.
5th IFIP Int. Conf. Wireless Opt. Commun. Netw. (WOCN), May 2008,
pp. 1–5, doi: 10.1109/WOCN.2008.4542524.
[316] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, Network Traffic
Anomaly Detection and Prevention. Springer, 2017.
[317] X. Lu, P. Liu, and J. Lin, ‘‘Network traffic anomaly detection based on
information gain and deep learning,’’ in Proc. 3rd Int. Conf. Inf. Syst. Data
Mining (ICISDM), 2019, pp. 11–15, doi: 10.1145/3325917.3325946.
[318] Y. Gu, A. McCallum, and D. Towsley, ‘‘Detecting anomalies in
network traffic using maximum entropy estimation,’’ in Proc. 5th
ACM SIGCOMM Conf. Internet Meas. (IMC), 2005, p. 32, doi:
10.1145/1330107.1330148.
ALI BOU NASSIF (Member, IEEE) received the
master’s degree in computer science and the Ph.D.
degree in electrical and computer engineering
from Western University, Canada, in 2009 and
2012, respectively. He is currently the Assistant
Dean of graduate studies with the University of
Sharjah, United Arab Emirates. He is also an Asso-
ciate Professor with the Department of Computer
Engineering and an Adjunct Research Professor
with Western University. He is also a registered
Professional Engineer (P.Eng.) in ON, Canada. He has published more than
65 refereed conference papers and journal articles. His research interests
include the applications of statistical and artificial intelligence models in dif-
ferent areas, such as software engineering, electrical engineering, e-learning,
security, networking, signal processing, and social media. He is a member of
IEEE Computer Society.
78700
A. B. Nassif et al.: Machine Learning for Anomaly Detection
MANAR ABU TALIB (Senior Member, IEEE) is
currently teaching with the University of Sharjah,
United Arab Emirates. She is also working on
ISO standards for measuring the functional size
of software and has been involved in developing
the Arabic version of ISO 19761 (COSMIC-FFP
measurement method). She published more than
50 refereed conferences, journals, manuals, and
technical reports. Her research interests include
software engineering with substantial experience
and knowledge in conducting research in software measurement, software
quality, software testing, ISO 27001 for information security, and open
source software. She is also the ArabWIC VP of Chapters with Arab Women
in Computing Association (ArabWIC), the Google Women Tech Maker
Lead, the Co-coordinator of OpenUAE Research and Development Group,
and the International Collaborator with the Software Engineering Research
Laboratory, Montreal, Canada.
QASSIM NASIR has been an Associate Profes-
sor with the University of Sharjah, since 2009,
and the Chairman of Scientific Publishing Unit.
Prior to joining the University of Sharjah, he was
with Nortel Networks, Canada, as a Senior System
Designer in the Network Management Group for
OC-192 SONET. He was a Visiting Professor with
the Helsinki University of Technology, Finland,
from Summer 2002 to Summer 2009, and the
GIPSA-lab, Grenoble, France, to work on a joint
research project on ‘‘MAC protocol and MIMO’’ and ‘‘Sensor Networks and
MIMO.’’ He is also a co-coordinator with the OpenUAE Research Group,
which focuses on blockchain performance and security and the use of artifi-
cial intelligence in security applications. He also conducts research in drone
and GPS jamming as well. He has published over 90 refereed conferences,
journals, book chapter, and technical reports. His current research interests
include telecommunication and network security, such as in CPS and the IoT.
FATIMA MOHAMAD DAKALBAB received the
bachelor’s degree in information technology mul-
timedia with a 3.92/4 GPA. She is currently
pursuing the M.Sc. degree in computer science
with the University of Sharjah, United Arab Emi-
rates. She is also a Graduate Research Assistant
with the University of Sharjah and the OpenUAE
Research and Development Group. Her research
interests include inter-blockchain communication,
the Internet of things (IoT), and machine learn-
ing in anomaly detection. Since 2016, she has been a member of the
Sharjah Google Developer Group (GDG) and Arab Women in Comput-
ing Association (ArabWIC). In addition to being a Events and Workshops
Co-Coordinator in the student chapter, United Arab Emirates, for the Asso-
ciation for Computing Machinery (ACM).
VOLUME 9, 2021