learning target pattern-of-life for wide-area anomaly detection

Introduction Methodology Results Conclusions and Future Work Bibliography

LEARNING TARGET PATTERN-OF-LIFE FOR

WIDE-AREA ANOMALY DETECTION

Tatiana López Guevara

June 2015


Participants

Supervisors

Dr. Rolf Baxter Dr. Neil Robertson


Contents

1 Introduction

2 Methodology

3 Results

4 Conclusions and Future Work

5 Bibliography


Section 1

Introduction


Definitions

What is Anomaly Detection?

Chandola et al. [1]: "Patterns in data that do not conform to a welldefined notion of normal behaviour"

Well defined notion?

Same Size?

Same Type?


Definitions

What is Anomaly Detection?

Hawkins et al. [2]: "An observation which deviates so much fromother observations as to arouse suspicions that it was generated bya different mechanism."


Definitions

Pattern-of-Life

Learn preferred behaviour from target’s daily interaction with itsenvironment


Definitions

Wide-Area

Not limited to a single/fixed scenario


Definitions

What kind of behaviour?

Human movement⇒ Trajectories


Definitions

Anomaly Detection

Detect behaviour not represented by the model⇒ General indicator of an interesting event!


Our observation

What other information could be useful?

Periodic modulation that characterise human nature


Why is it useful?

POL as a prior

Enhanced Tracking

Personalized/Proactive Systems

Anomalies detected

Raise alarms ⇒ elderly/cognitive impaired people

Other domains

Change single target’s traces ⇒ ships/cars/pedestrians

Other types of human behaviour

Indoor high level activities


Why is it challenging?

POL characteristics : Must have1 Unsupervised on-line learning

2 Partially observed trajectories

3 No external dependencies

4 Few ad-hoc thresholds / Low False Positive Rate (FPR)

No prior work use time-dependent POL for anomaly detection!


Summary of Objectives

Learn behaviour from movement

Single person’s GPS Tracks

Include temporal dependency

Time of the day

Day of the week

Detect Anomalies

Spatial

Spatio-Temporal


Section 2

Methodology


Hierarchical Model Learning

Temporal layerPreferred schedules

Spatial layerPreferred routes

Spati al Layer

Temporal Layer


Overview of Proposed Methodology

Update SpatialModel

SpatialAnomaly ?

TemporalAnomaly ?

Update TemporalModel

Point Anomaly Logger

Trajectory Point

Anomaly Processor

Temporal Layer

Spatial Layer

Anomaly Detection

Preprocessing


Spatial Layer


Spatial Layer: Model Learning

Adaptation of on-line method proposed by Piciarelli et al. [4]to work with wide-area data

1 2 3

4 5 6

c1

c2 c3

c4

c1

c4

c2 c3

c1

c2 c3

c4

c1

c2 c3

c4

c1

c2 c3

c4c5

c1

c2 c3

c4c5

c6

(Images adapted from [4]).


Temporal Layer

Two methods1 Kernel Density Estimation (KDE)

2 Conformal Anomaly Detection (CAD)


Temporal Layer - Kernel Density Estimator (KDE)

KDE Definition

f̂ (x;h) = 1

n

n∑i=1

Kh(x−xi) (1)

Which Kernel?

Circular data⇒ von-Misses Kernel

Advantages

Non parametric

Parameter-light


Temporal Layer

Two methods1 Kernel Density Estimation (KDE)

2 Conformal Anomaly Detection (CAD)


Temporal Layer - Conformal Anomaly Detector (CAD)

Proposed by Laxhammar et al. [3]

Advantages

Based on theory of confidence Interval

Completely on-line

Parameter-lightε is directly bounded to the FPR


Temporal Layer - CAD - Method

Input

Previous observations: B = {~z1, ..,zn−1}

New observation:~zn

Output

Ratio of samples in B that are at least asdifferent as~zn.pzn

Nonconformity Measure NCM

Sum of the distance of the K− nearestneighbours


Temporal Layer - CAD - Method

Input

Previous observations: B = {~z1, ..,zn−1}

New observation:~zn

Output

Ratio of samples in B that are at leastas different as~zn.pzn

Nonconformity Measure NCM

Sum of the distance of the K− nearestneighbours


Anomaly Detection

Spatial

No cluster match found

Match to a low density cluster < thrT

Temporal - KDE Method

Low density regions: less than 95% of the total density

Temporal - CAD Method

Fraction less than parameter: pzn < ε


Section 3

Results


Datasets

Heriot-Watt Dataset

Period: 7 months Dates: Oct 2014 - Apr 2015


Qualitative Results - Spatial Layer

Zoom in: Most Transited Area



Zoom out: Overall view


Quantitative Results - Spatial Layer

Quantitative result of spatial anomalies detected by the Spatial layer


Qualitative Results - Temporal Layer

0/24 1 2345

6

78

91011121314

1516

17

18

192021

22 23

+

KDE CAD

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.05

0.1

0.15

0.2

0.25

0.3

0.35Track: 758, Cluster: 1839 [-1]

KDE CircularAnomaliesObservations

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.1

0.2

0.3

0.4

0.5

0.6

0.7Track: 758, Cluster: 1839 [-1]


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

1.8

2Track: 715, Cluster: 2139 [-1]


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1Track: 715, Cluster: 2139 [-1]


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

1.8

2



0/24 1 2345

6

78

91011121314

1516

17

18

192021

22 23

+

KDE CAD0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35Track: 758, Cluster: 1839 [-1]


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.1

0.2

0.3

0.4

0.5

0.6

0.7Track: 758, Cluster: 1839 [-1]


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

1.8

2Track: 715, Cluster: 2139 [-1]


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1Track: 715, Cluster: 2139 [-1]


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

1.8

2


Quantitative Results - Temporal Layer

KDE CAD

Quantitative result of spatial anomalies detected by the Temporal layer


Datasets

Geolife Dataset

Microsoft Research

Area:75km2

Period:71 days

Dates:Feb 9 - Apr 27, 2009



GeoLife: Each color represents one cluster



KDE CAD

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 240

0.2

0.4

0.6

0.8

1

1.2

1.4Track: 405, Cluster: 239 [−1]


0 5 10 15 20 250

2

4

6

8NCM Track: 405, Cluster: 239 [−1]

Temporal Resolution

Alph

a0 5 10 15 20

0

0.5

1CAD Probability Track: 405, Cluster: 239 [−1]

Temporal Resolutionp

CAD method creates narrower normality regions (v 30m) than KDE


Section 4

Conclusions and Future Work


Conclusions

1 New hierarchical model incorporating time-dependence wasproposed

2 Two methods for modelling temporal information wereimplemented/compared

3 A CAD-NCM metric using circular distance for time wasproposed

4 KDE method showed an over-smoothing effect due to thebandwidth selection method.

5 Spatial and Spatio-Temporal anomalies quantitatively andqualitatively assessed against 2 datasets


Future Work

1 Proper way to forget!

2 Test other CAD-NCM’s: Entropy-based / Local Outlier Factor(LOF)

3 Efficient on-line Kernel Density Estimation

4 Anomaly prediction using Long Short-Term Memory Networks


Thank youAny questions ?


Section 5

Bibliography


Bibliography

Varun Chandola, Arindam Banerjee, and Vipin Kumar.

Anomaly detection.ACM Computing Surveys, 41(3):1–58, 2009.

Douglas M Hawkins.

Identification of outliers, volume 11.Springer, 1980.

Rikard Laxhammar and Goran Falkman.

Online learning and sequential anomaly detection in trajectories.IEEE Transactions on Pattern Analysis and Machine Intelligence, 36(6):1158–1173, 2014.

C. Piciarelli and G. L. Foresti.

On-line trajectory clustering for anomalous events detection.Pattern Recognition Letters, 27:1835–1842, 2006.


Spatial Model Learning

Matching

Match Found?

Create Cluster Update Cluster

Exiting Cluster?

Near End? Split

no yes

yes

no

Concatenate Roots

Prune Dead Clusters

Merge Clusters

Model Learning: Left image show the cluster building process (Modified from [4]) executed every time a new trajectory pointis observed. Right image the maintenance process executed in batch. Developed in the VisionLab.

Distance Function

d(~zi,C) = minj

(dist(~zi,cj)p

σ2

)∀j ∈ 1, ..,M (2)


Temporal Layer - Kernel Density Estimator

KDE Definition

f̂ (x;h) = 1

n

n∑i=1

Kh(x−xi) (3)

KDE using von-Misses Kernel

f̂ (θ;v) = 1

n(2π)Ir(v)

n∑i=1

ev cos(θ−θi) (4)

0/24 1 2345

6

78

91011121314

1516

17

18

192021

22 23

+

0/24 1 2345

6

78

91011121314

1516

17

18

192021

22 23

+

learning target pattern-of-life for wide-area anomaly detection

Software

preferred behaviour

targets daily interaction

singlexed scenario

different mechanism

rolf baxter

neil robertson