R Types of Outliers o Three kinds: global, contextual and collective outliers Global outlier (or point anomaly) Global outlier Object is Oa if it significantly deviates from the rest of the data set EX Intrusion detection in computer networks Issue: Find an appropriate measurement of deviation Contextual outlier (or conditionaloutlier Object is Oc if it deviates significantly based on a selected context EX 800 F in Urbana: outlier? (depending on summer or winter?) Attributes of data objects should be divided into two groups Contextual attributes defines the context, e.g., time location Behavioral attributes characteristics of the object, used in outlier evaluation, e.g., temperature Can be viewed as a generalization of local out/iers-whose density significantly deviates from its local area Issue: How to define or formulate meaningful context?
6 Types of Outliers (I) ◼ Three kinds: global, contextual and collective outliers ◼ Global outlier(or point anomaly) ◼ Object is Og if it significantly deviates from the rest of the data set ◼ Ex. Intrusion detection in computer networks ◼ Issue: Find an appropriate measurement of deviation ◼ Contextual outlier(or conditional outlier) ◼ Object is Oc if it deviates significantly based on a selected context ◼ Ex. 80o F in Urbana: outlier? (depending on summer or winter?) ◼ Attributes of data objects should be divided into two groups ◼ Contextual attributes: defines the context, e.g., time & location ◼ Behavioral attributes: characteristics of the object, used in outlier evaluation, e.g., temperature ◼ Can be viewed as a generalization of local outliers—whose density significantly deviates from its local area ◼ Issue: How to define or formulate meaningful context? Global Outlier
Types of Outliers (D) Collective Outliers A subset of data objects collectively deviate o OO significantly from the whole data set, even if the individual data objects may not be outliers Applications: E.g., intrusion detection Collective Outlier hen a number of computers keep sending denial-of-service packages to each other Detection of collective outliers Consider not only behavior of individual objects, but also that of groups of objects Need to have the background knowledge on the relationship among data objects, such as a distance or similarity measure on objects a data set may have multiple types of outlier One object may belong to more than one type of outlier
7 Types of Outliers (II) ◼ Collective Outliers ◼ A subset of data objects collectively deviate significantly from the whole data set, even if the individual data objects may not be outliers ◼ Applications: E.g., intrusion detection: ◼ When a number of computers keep sending denial-of-service packages to each other Collective Outlier ◼ Detection of collective outliers ◼ Consider not only behavior of individual objects, but also that of groups of objects ◼ Need to have the background knowledge on the relationship among data objects, such as a distance or similarity measure on objects. ◼ A data set may have multiple types of outlier ◼ One object may belong to more than one type of outlier
Challenges of Outlier Detection Modeling normal objects and outliers properly Hard to enumerate all possible normal behaviors in an application The border between normal and outlier objects is often a gray area Application-specific outlier detection Choice of distance measure among objects and the model of relationship among objects are often application-dependent E.g., clinic data: a small deviation could be an outlier; while in marketing analysis, larger fluctuations Handling noise in outlier detection Noise may distort the normal objects and blur the distinction between normal objects and outliers. It may help hide outliers and reduce the effectiveness of outlier detection Understandability Understand why these are outliers Justification of the detection Specify the degree of an outlier: the unlikelihood of the object being generated by a normal mechanism
8 Challenges of Outlier Detection ◼ Modeling normal objects and outliers properly ◼ Hard to enumerate all possible normal behaviors in an application ◼ The border between normal and outlier objects is often a gray area ◼ Application-specific outlier detection ◼ Choice of distance measure among objects and the model of relationship among objects are often application-dependent ◼ E.g., clinic data: a small deviation could be an outlier; while in marketing analysis, larger fluctuations ◼ Handling noise in outlier detection ◼ Noise may distort the normal objects and blur the distinction between normal objects and outliers. It may help hide outliers and reduce the effectiveness of outlier detection ◼ Understandability ◼ Understand why these are outliers: Justification of the detection ◼ Specify the degree of an outlier: the unlikelihood of the object being generated by a normal mechanism
Outlier Detection I: Supervised Methods Two ways to categorize outlier detection methods Based on whether user-labeled examples of outliers can be obtained Supervised, semi-supervised vS unsupervised methods Based on assumptions about normal data and outliers Statistical, proximity-based, and clustering-based methods Outlier Detection I: Supervised Methods Modeling outlier detection as a classification problem Samples examined by domain experts used for training& testing Methods for Learning a classifier for outlier detection effectively Model normal objects report those not matching the model as outliers, or Model outliers and treat those not matching the model as normal Challenges Imbalanced classes. i.e., outliers are rare: boost the outlier class and make up some artificial outliers Catch as many outliers as possible, i.e., recall is more important than accuracy(i.e, not mislabeling normal objects as outliers)
Outlier Detection I: Supervised Methods ◼ Two ways to categorize outlier detection methods: ◼ Based on whether user-labeled examples of outliers can be obtained: ◼ Supervised, semi-supervised vs. unsupervised methods ◼ Based on assumptions about normal data and outliers: ◼ Statistical, proximity-based, and clustering-based methods ◼ Outlier Detection I: Supervised Methods ◼ Modeling outlier detection as a classification problem ◼ Samples examined by domain experts used for training & testing ◼ Methods for Learning a classifier for outlier detection effectively: ◼ Model normal objects & report those not matching the model as outliers, or ◼ Model outliers and treat those not matching the model as normal ◼ Challenges ◼ Imbalanced classes, i.e., outliers are rare: Boost the outlier class and make up some artificial outliers ◼ Catch as many outliers as possible, i.e., recall is more important than accuracy (i.e., not mislabeling normal objects as outliers) 9
Outlier Detection I: Unsupervised Methods Assume the normal objects are somewhat clustered" into multiple groups, each having some distinct features An outlier is expected to be far away from any groups of normal objects Weakness: Cannot detect collective outlier effectively Normal objects may not share any strong patterns, but the collective outliers may share high similarity in a small area Ex. In some intrusion or virus detection normal activities are diverse Unsupervised methods may have a high false positive rate but still miss many real outliers Supervised methods can be more effective, e. g, identify attacking some key resources Many clustering methods can be adapted for unsupervised methods Find clusters, then outliers: not belonging to any cluster Problem 1: Hard to distinguish noise from outliers Problem 2: Costly since first clustering: but far less outliers than normal objects Newer methods: tackle outliers directly 10
Outlier Detection II: Unsupervised Methods ◼ Assume the normal objects are somewhat ``clustered'‘ into multiple groups, each having some distinct features ◼ An outlier is expected to be far away from any groups of normal objects ◼ Weakness: Cannot detect collective outlier effectively ◼ Normal objects may not share any strong patterns, but the collective outliers may share high similarity in a small area ◼ Ex. In some intrusion or virus detection, normal activities are diverse ◼ Unsupervised methods may have a high false positive rate but still miss many real outliers. ◼ Supervised methods can be more effective, e.g., identify attacking some key resources ◼ Many clustering methods can be adapted for unsupervised methods ◼ Find clusters, then outliers: not belonging to any cluster ◼ Problem 1: Hard to distinguish noise from outliers ◼ Problem 2: Costly since first clustering: but far less outliers than normal objects ◼ Newer methods: tackle outliers directly 10