Abstract
We consider the problem of feature selection for unsupervised anomaly detection (AD) in time-series, where only normal examples are available for training. We develop a method based on exchangeability martingales that only keeps features that exhibit the same pattern (i.e., are i.i.d.) under normal conditions of the observed phenomenon. We apply this to the problem of monitoring a Windows service and detecting anomalies it exhibits if compromised; results show that our method: i) strongly improves the AD system’s performance, and ii) it reduces its computational complexity. Furthermore, it gives results that are easy to interpret for analysts, and it potentially increases robustness against AD evasion attacks.
Original language | English |
---|---|
Pages | 157-170 |
Number of pages | 14 |
Publication status | Published - Jun 2018 |
Event | The 7th Symposium on Conformal and Probabilistic Prediction with Applications: COPA 2018 - Maastricht, Netherlands Duration: 11 Jun 2018 → 13 Jun 2018 http://www.clrc.rhul.ac.uk/copa2018/index.html |
Conference
Conference | The 7th Symposium on Conformal and Probabilistic Prediction with Applications |
---|---|
Country/Territory | Netherlands |
City | Maastricht |
Period | 11/06/18 → 13/06/18 |
Internet address |
Keywords
- plug-in martingales
- exchangeability
- anomaly detection
- feature selection
- anomaly detection
- conformal prediction
- information security