Exchangeability martingales for selecting features in anomaly detection

Giovanni Cherubin; Adrian Baldwin; Jonathan Griffin

Exchangeability martingales for selecting features in anomaly detection

Giovanni Cherubin, Adrian Baldwin, Jonathan Griffin

Research output: Contribution to conference › Paper › peer-review

Abstract

We consider the problem of feature selection for unsupervised anomaly detection (AD) in time-series, where only normal examples are available for training. We develop a method based on exchangeability martingales that only keeps features that exhibit the same pattern (i.e., are i.i.d.) under normal conditions of the observed phenomenon. We apply this to the problem of monitoring a Windows service and detecting anomalies it exhibits if compromised; results show that our method: i) strongly improves the AD system’s performance, and ii) it reduces its computational complexity. Furthermore, it gives results that are easy to interpret for analysts, and it potentially increases robustness against AD evasion attacks.

Original language	English
Pages	157-170
Number of pages	14
Publication status	Published - Jun 2018
Event	The 7th Symposium on Conformal and Probabilistic Prediction with Applications: COPA 2018 - Maastricht, Netherlands Duration: 11 Jun 2018 → 13 Jun 2018 http://www.clrc.rhul.ac.uk/copa2018/index.html

Conference

Conference	The 7th Symposium on Conformal and Probabilistic Prediction with Applications
Country/Territory	Netherlands
City	Maastricht
Period	11/06/18 → 13/06/18
Internet address	http://www.clrc.rhul.ac.uk/copa2018/index.html

Keywords

plug-in martingales
exchangeability
anomaly detection
feature selection
anomaly detection
conformal prediction
information security

Access to Document

http://proceedings.mlr.press/v91/cherubin18a/cherubin18a.pdf

Cite this

@conference{5e6489a2a1b044f4b23b49cf12b40e2f,

title = "Exchangeability martingales for selecting features in anomaly detection",

abstract = "We consider the problem of feature selection for unsupervised anomaly detection (AD) in time-series, where only normal examples are available for training. We develop a method based on exchangeability martingales that only keeps features that exhibit the same pattern (i.e., are i.i.d.) under normal conditions of the observed phenomenon. We apply this to the problem of monitoring a Windows service and detecting anomalies it exhibits if compromised; results show that our method: i) strongly improves the AD system{\textquoteright}s performance, and ii) it reduces its computational complexity. Furthermore, it gives results that are easy to interpret for analysts, and it potentially increases robustness against AD evasion attacks. ",

keywords = "plug-in martingales, exchangeability, anomaly detection, feature selection, anomaly detection, conformal prediction, information security",

author = "Giovanni Cherubin and Adrian Baldwin and Jonathan Griffin",

year = "2018",

month = jun,

language = "English",

pages = "157--170",

note = "The 7th Symposium on Conformal and Probabilistic Prediction with Applications : COPA 2018 ; Conference date: 11-06-2018 Through 13-06-2018",

url = "http://www.clrc.rhul.ac.uk/copa2018/index.html",

}

TY - CONF

T1 - Exchangeability martingales for selecting features in anomaly detection

AU - Cherubin, Giovanni

AU - Baldwin, Adrian

AU - Griffin, Jonathan

PY - 2018/6

Y1 - 2018/6

N2 - We consider the problem of feature selection for unsupervised anomaly detection (AD) in time-series, where only normal examples are available for training. We develop a method based on exchangeability martingales that only keeps features that exhibit the same pattern (i.e., are i.i.d.) under normal conditions of the observed phenomenon. We apply this to the problem of monitoring a Windows service and detecting anomalies it exhibits if compromised; results show that our method: i) strongly improves the AD system’s performance, and ii) it reduces its computational complexity. Furthermore, it gives results that are easy to interpret for analysts, and it potentially increases robustness against AD evasion attacks.

AB - We consider the problem of feature selection for unsupervised anomaly detection (AD) in time-series, where only normal examples are available for training. We develop a method based on exchangeability martingales that only keeps features that exhibit the same pattern (i.e., are i.i.d.) under normal conditions of the observed phenomenon. We apply this to the problem of monitoring a Windows service and detecting anomalies it exhibits if compromised; results show that our method: i) strongly improves the AD system’s performance, and ii) it reduces its computational complexity. Furthermore, it gives results that are easy to interpret for analysts, and it potentially increases robustness against AD evasion attacks.

KW - plug-in martingales

KW - exchangeability

KW - anomaly detection

KW - feature selection

KW - anomaly detection

KW - conformal prediction

KW - information security

UR - http://proceedings.mlr.press/v91/cherubin18a.html

M3 - Paper

SP - 157

EP - 170

T2 - The 7th Symposium on Conformal and Probabilistic Prediction with Applications

Y2 - 11 June 2018 through 13 June 2018

ER -

Exchangeability martingales for selecting features in anomaly detection

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this