Efficient anomaly detection through surrogate neural networks

  • S.I.: Cybersecurity Applications of Computational Intelligence
  • Neural Computing and Applications

Abstract

Anomaly Detection can be viewed as an open problem despite the growing plethora of known anomaly detection techniques. The applicability of various anomaly detectors can vary depending on the application area and problem settings. Especially in the Big Data industrial setting, an important problem is inference speed, which may render even a highly accurate anomaly detector useless. In this paper, we propose to address this problem by training a surrogate neural network based on an auxiliary training set approximating the source anomaly detector output. We show that existing anomaly detectors can be approximated with high accuracy and with application-enabling inference speed. We compare our approach to a number of state-of-the-art algorithms: one class k-nearest-neighbors (kNN), local outlier factor, isolation forest, auto-encoder and two types of generative adversarial networks. We perform this comparison in the context of an important problem in cyber-security—the discovery of outlying (and thus suspicious) events in large-scale computer network traffic. Our results show that the proposed approach can successfully replace the most accurate but prohibitively slow kNN. Moreover, we observe that the surrogate neural network may even improve the kNN accuracy. Finally, we discuss various implications that the proposed approach can have while reducing the complexity of applied anomaly detection systems.

Funding

This work has been supported by the Grant Agency of the Czech Technical University in Prague, Grant No. SGS20/188/OHK4/3T/14.

Author information

Corresponding author

Correspondence to Martin Flusser.

Ethics declarations

Conflicts of interest

The authors declare no conflicts of interest. All authors have seen the manuscript and approved the submission to the journal. We confirm that the content of the manuscript has not been published or submitted for publication elsewhere.

Additional information

We would like to thank Jan Brabec for consultations and for sharing expertise in the field. This work has been supported by the Grant Agency of the Czech Technical University in Prague, Grant No. SGS20/188/OHK4/3T/14.

About this article

Cite this article

Flusser, M., Somol, P. Efficient anomaly detection through surrogate neural networks. Neural Comput & Applic 34, 20491–20505 (2022). https://doi.org/10.1007/s00521-022-07506-9

  • DOI: https://doi.org/10.1007/s00521-022-07506-9
