基于融合学习的无监督多维时间序列异常检测

随着多云时代的到来,云际智能运维能够提前检测处理云平台的故障,从而确保其高可用性. 由于云系统的复杂性,运维数据在数据局部性和数据全局性上呈现出多样的时间依赖和维度间依赖,这给多维时间序列异常检测带来很大的挑战. 然而,现有的多维时间序列异常检测方法大多是从正常时序数据中学习到特征表示并基于重构误差或预测误差检测异常,这些方法无法同时捕获多维时间序列在局部性和全局性上的信息依赖,从而导致异常检测效果差. 针对上述问题,提出了一种基于融合学习的无监督多维时间序列异常检测方法,同时对多维时间序列的数据局部特征和数据全局特征进行建模,得到更加丰富的时序重构信息,并基于重构误差检测异常. 具体地,通过在时域卷积网络中引入自注意力机制使得模型在构建局部关联性的同时更加关注数据全局特征,并在时域卷积模块和自注意力模块间加入信息共享机制实现信息融合,从而能够更好地对多维时序的正常模式进行重构. 在多个多维时间序列真实数据集上的实验结果表明,相较于之前的多维时间序列异常检测,提出的方法在F1分数上提升了高达0.0882.

     

Wind turbine condition monitoring based on SCADA data using normal behavior models. Part 1: System description

This paper proposes a system for wind turbine condition monitoring using Adaptive Neuro-Fuzzy Interference Systems (ANFIS). For this purpose: (1) ANFIS normal behavior models for common Supervisory Control And Data Acquisition (SCADA) data are developed in order to detect abnormal behavior of the captured signals and indicate component malfunctions or faults using the prediction error. 33 different standard SCADA signals are used and described, for which 45 normal behavior models are developed. The performance of these models is evaluated in terms of the prediction error standard deviations to show the applicability of ANFIS models for monitoring wind turbine SCADA signals. The computational time needed for model training is compared to Neural Network (NN) models showing the strength of ANFIS in training speed. (2) For automation of fault diagnosis Fuzzy Interference Systems (FIS) are used to analyze the prediction errors for fault patterns. The outputs are both the condition of the component and a possible root cause for the anomaly. The output is generated by the aid of rules that capture the existing expert knowledge linking observed prediction error patterns to specific faults. The work is based on continuously measured wind turbine SCADA data from 18 turbines of the 2 MW class covering a period of 30 months.The system proposed in this paper shows a novelty approach with regard to the usage of ANFIS models in this context and the application of the proposed procedure to a wide range of SCADA signals. The applicability of the set up ANFIS models for anomaly detection is proved by the achieved performance of the models. In combination with the FIS the prediction errors can provide information about the condition of the monitored components.In this paper the condition monitoring system is described. Part two will entirely focus on application examples and further efficiency evaluation of the system.     

复杂路面小尺度行人检测综述

针对云平台中对应用程序的性能监控方法存在全流程收集分析异常能力不足的问题, 提出一种基于云平台服务组件的应用程序异常检测和瓶颈识别系统(AAD-PSC), 可对多层架构云平台上的应用程序提供可自定义指标值的监控分析能力. 系统首先在前端应用服务层收集云平台服务调用数据并与异常事件相关联; 然后为应用程序适配定制化的异常检测方法, 达到最优检测效果; 最后查明由非工作负载变化引起的性能异常, 并对其进行瓶颈识别. 实验结果表明, 监控系统可快速准确检测不同类别的异常事件并识别性能瓶颈, 能够满足云平台下对应用程序的性能监控需求.     

Fault detection and precedent-free localization in numerically discretized thermal–fluid systems

This paper uses the Growing Structure Multiple Model System (GSMMS) method for fault detection and precedent-free localization of unwanted heating anomalies in two different configurations of channel flow systems operated under dynamic conditions: (i) straight channel and (ii) straight channel with an internal flow disruptor. Unlike commonly used fault detection methods, the newly proposed approach does not require prior information regarding the fault location, fault severity or data emitted in the presence of a fault to build the model of that fault and recognize it. The new detection mechanism is based only on the models of normal behavior for various portions of the monitored system. The obtained results indicate that the detection and localization of the unwanted heating element (i.e., heat source) can be achieved through distributed GSMMS-based anomaly detection, with multiple anomaly detectors monitoring different parts of each configuration. The results also suggest that fault detection and localization are strongly related to a system’s configuration and operational conditions.     

Ellipsoidal neighbourhood outlier factor for distributed anomaly detection in resource constrained networks

Anomaly detection in resource constrained wireless networks is an important challenge for tasks such as intrusion detection, quality assurance and event monitoring applications. The challenge is to detect these interesting events or anomalies in a timely manner, while minimising energy consumption in the network. We propose a distributed anomaly detection architecture, which uses multiple hyperellipsoidal clusters to model the data at each sensor node, and identify global and local anomalies in the network. In particular, a novel anomaly scoring method is proposed to provide a score for each hyperellipsoidal model, based on how remote the ellipsoid is relative to their neighbours. We demonstrate using several synthetic and real datasets that our proposed scheme achieves a higher detection performance with a significant reduction in communication overhead in the network compared to centralised and existing schemes.     

云工作流中基于多任务时序卷积网络的异常检测方法

云计算数据中心在日常部署和运行过程中产生的大量日志可以帮助系统运维人员进行异常分析。路径异常和时延异常是云工作流中常见的异常。针对传统的异常检测方法分别对两种异常检测任务训练相应的学习模型,而忽略了两种异常检测任务之间的关联性,导致异常检测准确率下降的问题,提出了一种基于多任务时序卷积网络的日志异常检测方法。首先,基于日志流的事件模板,生成事件序列和时间序列;然后,训练基于多任务时序卷积网络的深度学习模型,该模型通过共享时序卷积网络中的浅层部分来从系统正常执行的流程中并行地学习事件和时间特征;最后,对云计算工作流中的异常进行分析,并设计了相关异常检测逻辑。在OpenStack数据集上的实验结果表明,与日志异常检测的领先算法DeepLog和基于主成分分析（PCA）的方法比较,所提方法的异常检测准确率至少提升了7.7个百分点。     

Anomaly detection via a combination model in time series data

Since the time series data have the characteristics of a large amount of data and non-stationarity, we usually cannot obtain a satisfactory result by a single-model-based method to detect anomalies in time series data. To overcome this problem, in this paper, a combination-model-based approach is proposed by combining a similarity-measurement-based method and a model-based method for anomaly detection. First, the process of data representation is performed to generate a new data form to arrive at the purpose of reducing data volume. Furthermore, due to the anomalies being generally caused by changes in amplitude and shape, we take both the original time series data and their amplitude change data into consideration of the process of data representation to capture the shape and morphological features. Then, the results of data representation are employed to establish a model for anomaly detection. Compared with the state-of-the-art methods, experimental studies on a large number of datasets show that the proposed method can significantly improve the performance of anomaly detection with higher data anomaly resolution.

     

Anomaly detection of defects on concrete structures with the convolutional autoencoder

This paper reports the application of deep learning for implementing the anomaly detection of defects on concrete structures, so as to facilitate the visual inspection of civil infrastructure. A convolutional autoencoder was trained as a reconstruction-based model, with the defect-free images, to rapidly and reliably detect defects from the large volume of image datasets. This training process was in the unsupervised mode, with no label needed, thereby requiring no prior knowledge and saving an enormous amount of time for label preparation. The built anomaly detector favors minimizing the reconstruction errors of defect-free images, which renders high reconstruction errors of defects, in turn, detecting the location of defects. The assessment shows that the proposed anomaly detection technique is robust and adaptable to defects on wide ranges of scales. Comparison was also made with the segmentation results produced by other automatic classical methods, revealing that the results made by the anomaly map outperform other segmentation methods, in terms of precision, recall, F₁ measure and F₂ measure, without severe under- and over-segmentation. Further, instead of merely being a binary map, each pixel of the anomaly map is represented by the anomaly score, which acts as a risk indicator for alerting inspectors, wherever defects on concrete structures are detected.     

Digital Twin-driven online anomaly detection for an automation system based on edge intelligence

Accurate anomaly detection is critical to the early detection of potential failures of industrial systems and proactive maintenance schedule management. There are some existing challenges to achieve efficient and reliable anomaly detection of an automation system: (1) transmitting large amounts of data collected from the system to data processing components; (2) applying both historical data and real-time data for anomaly detection. This paper proposes a novel Digital Twin-driven anomaly detection framework that enables real-time health monitoring of industrial systems and anomaly prediction. Our framework, adopting the visionary edge AI or edge intelligence (EI) philosophy, provides a feasible approach to ensuring high-performance anomaly detection via implementing Digital Twin technologies in a dynamic industrial edge/cloud network. Edge-based Digital Twin allows efficient data processing by providing computing and storage capabilities on edge devices. A proof-of-concept prototype is developed on a LiBr absorption chiller to demonstrate the framework and technologies' feasibility. The case study shows that the proposed method can detect anomalies at an early stage.     

一种利用不完整数据检测交通异常的方法

城市化进程的加快带来了严重的交通问题,检测交通异常成为数据挖掘领域的热点之一。传统道路管理主要是应用视频监控,使得处理交通问题的效率受限。鉴于上述原因,提出了一种利用不完整数据检测交通异常的方法(Traffic Anomaly Detection,TAD)。首先,利用相关性聚类从手机数据中获取车辆密度信息,降低处理不完整数据的计算开销;然后,设计一个自适应无参数检测算法,根据手机呼叫量变化率捕捉车辆的分散式动态异常,以解决道路状况不确定性难题;最后,提出异常轨迹算法来追踪异常分布路线并预测影响范围,提高异常检测效率。实验结果表明,TAD方法在不同的实验环境下能够有效地检测交通异常,与现有算法相比,所提算法在有效性和伸缩性上效果更好。     

Self-adaptive statistical process control for anomaly detection in time series

Anomaly detection in time series has become a widespread problem in the areas such as intrusion detection and industrial process monitoring. Major challenges in anomaly detection systems include unknown data distribution, control limit determination, multiple parameters, training data and fuzziness of ‘anomaly’. Motivated by these considerations, a novel model is developed, whose salient feature is a synergistic combination of statistical and fuzzy set-based techniques. We view anomaly detection problem as a certain statistical hypothesis testing. Meanwhile, ‘anomaly’ itself includes fuzziness, therefore, can be described with fuzzy sets, which bring a facet of robustness to the overall scheme. Intensive fuzzification is engaged and plays an important role in the successive step of hypothesis testing. Because of intensive fuzzification, the proposed algorithm is distribution-free and self-adaptive, which solves the limitation of control limit and multiple parameters. The framework is realized in an unsupervised mode, leading to great portability and scalability. The performance is assessed in terms of ROC curve on university of California Riverside repository. A series of experiments show that the proposed approach can significantly increase the AUC, while the false alarm rate is improved. In particular, it is capable of detecting anomalies at the earliest possible time.     

基于模糊聚类的CO2数据流时空异常模式研究*

传统的异常检测算法不能区分CO2数据流的异常类型,为了有效识别因泄漏造成CO2数据流的异常,提出了基于模糊聚类的CO2数据流时空异常模式检测算法。该算法首先利用3 规则实现自适应阈值的异常点检测,其次提取待检测滑动窗口的特征值（均值）,构建指定区间内邻居节点间的时空关系矩阵,采用模糊聚类分析相邻节点特征值的时空相关性并对其进行分类,根据分类结果确定泄漏异常概率,最后利用真实观测数据对算法进行验证并对参数的选取进行分析。实验结果表明该算法能有效的识别因泄漏造成的事件异常,具有较高的检测率和较低的误警率。     

一种资源敏感的Web应用性能诊断方法

提出一种资源敏感的性能诊断方法.对于Web应用事务,该方法利用资源服务时间对于不同负载特征相对稳定的特点建立性能特征链,并依据运行时资源服务时间异常实现性能异常的有效检测、定位和诊断.实验结果表明,该方法可适应系统负载特征变化,诊断各种资源使用相关的性能异常.     

基于iForest和LOF的流量异常检测

异常检测在现代大规模分布式系统的安全管理中起着重要作用,而网络流量异常检测则是组成异常检测系统的重要工具。网络流量异常检测的目的是找到和大多数流量数据不同的流量,并将这些离群点视为异常。由于现有的基于树分离的孤立森林(iForest)检测方法存在不能检测出局部异常的缺陷,为了克服这个缺陷,提出一种基于iForest和局部离群因子(LOF)近邻集成的无监督的流量异常检测方法。首先,改进原始的iForest与LOF算法,在提升检测精度的同时控制算法时间;然后分别使用两种改进算法进行检测,并将结果进行融合以得到最终的检测结果;最后在自制数据集上对所提方法进行有效性验证。实验结果表明,所提方法能够有效地隔离出异常,获得良好的流量异常检测效果。     

Unsupervised learning clustering and self-organized agents applied to help network management

Traffic monitoring and anomaly detection are essential activities for computer network management, since they provide relevant information about its current performance and contribute to network control. Although there are several studies in this area, diagnosis and resolution of anomalies are still challenging issues. From an expert system point of view, current solutions have not been sufficient to meet the requirements demanded for use in large-scale network environments, and thus a significant portion of budgets on the workforce are spent to network management. Based on this context, the focus of this paper consists of the development of a system able to proactively monitor the network and detect anomalous events, reducing manual intervention and the probability of errors in decision-making, regarding network management. The proposed approach characterizes the normal pattern of the network traffic and detects anomalous behavior, outage events and attacks by deviations from this pattern. For this purpose, an unsupervised learning methodology is used to extract features of traffic through IP flows attributes, collected from a network structure. Aiming to improve its efficiency, a modification of the Ant Colony Optimization metaheuristic is proposed, which through self-organized agents optimizes the analysis of multidimensional flows attributes and allows it to be completed in time to mitigate the impact on large-scale networks. In addition to notify the network manager about the anomalies, the system provides necessary information to identify and take action against them. The resulting detection system was tested with real and simulated data, achieving high detection rates while the false alarm rate remains low.     

基于图自编码器的无监督多变量时间序列异常检测

针对多变量时间序列复杂的时间相关性和高维度使得异常检测性能较差的问题,以对抗训练框架为基础提出基于图自编码的无监督多变量时间序列异常检测模型.首先,将特征转换为嵌入向量来表示;其次,将划分好的时间序列结合嵌入向量转换为图结构数据;然后,用两个图自编码器模拟对抗训练重构数据样本;最后,根据测试数据在模型训练下的重构误差进行异常判定.将提出的方法与5种基线异常检测方法进行比较.实验结果表明,提出的模型在测试数据集获得了最高的F1分数,总体性能分F1分数比最新的异常检测模型USAD提高了28.4%.可见提出的模型有效提高异常检测性能.     

融合自编码器和one-class SVM的异常事件检测

目的 在自动化和智能化的现代生产制造过程中,视频异常事件检测技术扮演着越来越重要的角色,但由于实际生产制造中异常事件的复杂性及无关生产背景的干扰,使其成为一项非常具有挑战性的任务。很多传统方法采用手工设计的低级特征对视频的局部区域进行特征提取,然而此特征很难同时表示运动与外观特征。此外,一些基于深度学习的视频异常事件检测方法直接通过自编码器的重构误差大小来判定测试样本是否为正常或异常事件,然而实际情况往往会出现一些原本为异常的测试样本经过自编码得到的重构误差也小于设定阈值,从而将其错误地判定为正常事件,出现异常事件漏检的情形。针对此不足,本文提出一种融合自编码器和one-class支持向量机（support vector machine,SVM）的异常事件检测模型。方法 通过高斯混合模型（Gaussian mixture model,GMM）提取固定大小的时空兴趣块（region of interest,ROI）;通过预训练的3维卷积神经网络（3D convolutional neural network,C3D）对ROI进行高层次的特征提取;利用提取的高维特征训练一个堆叠的降噪自编码器,通过比较重构误差与设定阈值的大小,将测试样本判定为正常、异常和可疑3种情况之一;对自编码器降维后的特征训练一个one-class SVM模型,用于对可疑测试样本进行二次检测,进一步排除异常事件。结果 本文对实际生产制造环境下的机器人工作场景进行实验,采用AUC （area under ROC）和等错误率（equal error rate,EER）两个常用指标进行评估。在设定合适的误差阈值时,结果显示受试者工作特征（receiver operating characteristic,ROC）曲线下AUC达到91.7%,EER为13.8%。同时,在公共数据特征集USCD （University of California,San Diego） Ped1和USCD Ped2上进行了模型评估,并与一些常用方法进行了比较,在USCD Ped1数据集中,相比于性能第2的方法,AUC在帧级别和像素级别分别提高了2.6%和22.3%;在USCD Ped2数据集中,相比于性能第2的方法,AUC在帧级别提高了6.7%,从而验证了所提检测方法的有效性与准确性。结论 本文提出的视频异常事件检测模型,结合了传统模型与深度学习模型,使视频异常事件检测结果更加准确。     

基于机器学习的移动自组织网络入侵检测方法

移动自组织网络是由无线移动节点组成的复杂分布式通信系统。研究了移动自组织网络的入侵检测问题,采用了一种新型的基于机器学习算法的异常入侵检测方法。该方法获取正常事件的内部特征的相互关系模式,并将该模式作为轮廓检测异常事件。在Ad hoc 按需距离向量协议上实现了该方法,并在网络仿真软件QualNet中对其进行了评估。     

Sequential anomaly detection based on temporal-difference learning: Principles,models and case studies

Anomaly detection is an important problem that has been popularly researched within diverse research areas and application domains. One of the open problems in anomaly detection is the modeling and prediction of complex sequential data, which consist of a series of temporally related behavior patterns. In this paper, a novel sequential anomaly detection method based on temporal-difference (TD) learning is proposed, where the anomaly detection problem of multi-stage cyber attacks is considered as an application case. A Markov reward process model is presented for the anomaly detection and alarming process of sequential data and it is verified that when the reward function is properly defined, the anomaly probabilities of sequential behaviors are equivalent to the value functions of the Markov reward process. Therefore, TD learning algorithms in the reinforcement learning literature can be used to efficiently construct anomaly detection models of complex sequential behaviors by estimating the value functions of the Markov reward process. Compared with other machine learning methods for anomaly detection, the proposed approach has the advantage of simplified labeling process using delayed evaluative signals and the prediction accuracy can be improved even if labeled training data are limited. Based on the experimental results on intrusion detection of host computers using system call data, it was shown that the proposed anomaly detection method can achieve higher or at least comparable detection accuracies than other approaches including SVMs, and HMMs.     

Classification and regression models of audio and vibration signals for machine state monitoring in precision machining systems

We present a data-driven method for monitoring machine status in manufacturing processes. Audio and vibration data from precision machining are used for inference in two operating scenarios: (a) variable machine health states (anomaly detection); and (b) settings of machine operation (state estimation). Audio and vibration signals are first processed through Fast Fourier Transform and Principal Component Analysis to extract transformed and informative features. These features are then used in the training of classification and regression models for machine state monitoring. Specifically, three classifiers (K-nearest neighbors, convolutional neural networks and support vector machines) and two regressors (support vector regression and neural network regression) were explored, in terms of their accuracy in machine state prediction. It is shown that the audio and vibration signals are sufficiently rich in information about the machine that 100% state classification accuracy could be accomplished. Data fusion was also explored, showing overall superior accuracy of data-driven regression models.