Anomaly Detection using Clustered Deep One-Class Classification

Younghwan Kim; Huy Kang Kim

doi:10.1109/AsiaJCIS50894.2020.00034

Anomaly Detection using Clustered Deep One-Class Classification

Younghwan Kim
, Huy Kang Kim

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

12 Citations (Scopus)

Abstract

Anomalies on Cyber-Physical System (CPS) can have a devastating effect on the entire system of complex CPS. Thus, it is important to detect anomalies quickly. Since CPS can collect sensor data in near real-time throughout the process, many attempts have been made to solve this problem from the perspective of data-driven security based on the collected data. However, since the CPS datasets are big data and most of the data are normal data, it has always been a great challenge to analyze the data and implement the anomaly detection model. In this paper, we propose and evaluate the Clustered Deep One-Class Classification (CD-OCC) model that combines the clustering algorithm and deep learning (DL) models using only a normal dataset for anomaly detection. We classify normal data into optimal cluster size using the K-means clustering algorithm. DL models train to classify each cluster based on clustered normal data, and we can obtain the softmax values in the process of predicting the cluster. We use the softmax values as a dataset with distilled knowledge of the DL model for anomaly detection. We transfer the softmax values to one-class classification (OCC) models to detect anomalies. As a result of the experiment, the F1-score of the proposed model shows performance close to 0.8 and performance improvement of about 0.5 compared to the encoded OCC model, which has reduced-dimensionality through auto-encoder as well as the basic OCC model.

Original language	English
Title of host publication	Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	151-157
Number of pages	7
ISBN (Electronic)	9781728199221
DOIs	https://doi.org/10.1109/AsiaJCIS50894.2020.00034
Publication status	Published - 2020 Aug
Event	15th Annual Asia Joint Conference on Information Security, AsiaJCIS 2020 - Taipei, Taiwan, Province of China Duration: 2020 Aug 20 → 2020 Aug 21

Publication series

Name	Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020

Conference

Conference	15th Annual Asia Joint Conference on Information Security, AsiaJCIS 2020
Country/Territory	Taiwan, Province of China
City	Taipei
Period	20/8/20 → 20/8/21

Bibliographical note

Funding Information:
This work was supported by Institute of Information communications Technology Planning Evaluation (IITP) grant funded by the Korea government (MSIT) (No.2018-0-00232, Cloud-based IoT Threat Autonomic Analysis and Response Technology)

Publisher Copyright:
© 2020 IEEE.

Keywords

anomaly detection
clustering
deep learning
knowledge distillation

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Computer Networks and Communications
Information Systems
Information Systems and Management

Access to Document

10.1109/AsiaJCIS50894.2020.00034

Cite this

Kim, Y., & Kim, H. K. (2020). Anomaly Detection using Clustered Deep One-Class Classification. In Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020 (pp. 151-157). Article 9194140 (Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/AsiaJCIS50894.2020.00034

Anomaly Detection using Clustered Deep One-Class Classification. / Kim, Younghwan; Kim, Huy Kang.
Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020. Institute of Electrical and Electronics Engineers Inc., 2020. p. 151-157 9194140 (Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kim, Y & Kim, HK 2020, Anomaly Detection using Clustered Deep One-Class Classification. in Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020., 9194140, Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020, Institute of Electrical and Electronics Engineers Inc., pp. 151-157, 15th Annual Asia Joint Conference on Information Security, AsiaJCIS 2020, Taipei, Taiwan, Province of China, 20/8/20. https://doi.org/10.1109/AsiaJCIS50894.2020.00034

Kim Y, Kim HK. Anomaly Detection using Clustered Deep One-Class Classification. In Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020. Institute of Electrical and Electronics Engineers Inc. 2020. p. 151-157. 9194140. (Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020). doi: 10.1109/AsiaJCIS50894.2020.00034

@inproceedings{7bacfc2dc10940b1abecdf933a203356,

title = "Anomaly Detection using Clustered Deep One-Class Classification",

abstract = "Anomalies on Cyber-Physical System (CPS) can have a devastating effect on the entire system of complex CPS. Thus, it is important to detect anomalies quickly. Since CPS can collect sensor data in near real-time throughout the process, many attempts have been made to solve this problem from the perspective of data-driven security based on the collected data. However, since the CPS datasets are big data and most of the data are normal data, it has always been a great challenge to analyze the data and implement the anomaly detection model. In this paper, we propose and evaluate the Clustered Deep One-Class Classification (CD-OCC) model that combines the clustering algorithm and deep learning (DL) models using only a normal dataset for anomaly detection. We classify normal data into optimal cluster size using the K-means clustering algorithm. DL models train to classify each cluster based on clustered normal data, and we can obtain the softmax values in the process of predicting the cluster. We use the softmax values as a dataset with distilled knowledge of the DL model for anomaly detection. We transfer the softmax values to one-class classification (OCC) models to detect anomalies. As a result of the experiment, the F1-score of the proposed model shows performance close to 0.8 and performance improvement of about 0.5 compared to the encoded OCC model, which has reduced-dimensionality through auto-encoder as well as the basic OCC model. ",

keywords = "anomaly detection, clustering, deep learning, knowledge distillation",

author = "Younghwan Kim and Kim, \{Huy Kang\}",

note = "Funding Information: This work was supported by Institute of Information communications Technology Planning Evaluation (IITP) grant funded by the Korea government (MSIT) (No.2018-0-00232, Cloud-based IoT Threat Autonomic Analysis and Response Technology) Publisher Copyright: {\textcopyright} 2020 IEEE.; 15th Annual Asia Joint Conference on Information Security, AsiaJCIS 2020 ; Conference date: 20-08-2020 Through 21-08-2020",

year = "2020",

month = aug,

doi = "10.1109/AsiaJCIS50894.2020.00034",

language = "English",

series = "Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "151--157",

booktitle = "Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020",

}

TY - GEN

T1 - Anomaly Detection using Clustered Deep One-Class Classification

AU - Kim, Younghwan

AU - Kim, Huy Kang

N1 - Funding Information: This work was supported by Institute of Information communications Technology Planning Evaluation (IITP) grant funded by the Korea government (MSIT) (No.2018-0-00232, Cloud-based IoT Threat Autonomic Analysis and Response Technology) Publisher Copyright: © 2020 IEEE.

PY - 2020/8

Y1 - 2020/8

N2 - Anomalies on Cyber-Physical System (CPS) can have a devastating effect on the entire system of complex CPS. Thus, it is important to detect anomalies quickly. Since CPS can collect sensor data in near real-time throughout the process, many attempts have been made to solve this problem from the perspective of data-driven security based on the collected data. However, since the CPS datasets are big data and most of the data are normal data, it has always been a great challenge to analyze the data and implement the anomaly detection model. In this paper, we propose and evaluate the Clustered Deep One-Class Classification (CD-OCC) model that combines the clustering algorithm and deep learning (DL) models using only a normal dataset for anomaly detection. We classify normal data into optimal cluster size using the K-means clustering algorithm. DL models train to classify each cluster based on clustered normal data, and we can obtain the softmax values in the process of predicting the cluster. We use the softmax values as a dataset with distilled knowledge of the DL model for anomaly detection. We transfer the softmax values to one-class classification (OCC) models to detect anomalies. As a result of the experiment, the F1-score of the proposed model shows performance close to 0.8 and performance improvement of about 0.5 compared to the encoded OCC model, which has reduced-dimensionality through auto-encoder as well as the basic OCC model.

AB - Anomalies on Cyber-Physical System (CPS) can have a devastating effect on the entire system of complex CPS. Thus, it is important to detect anomalies quickly. Since CPS can collect sensor data in near real-time throughout the process, many attempts have been made to solve this problem from the perspective of data-driven security based on the collected data. However, since the CPS datasets are big data and most of the data are normal data, it has always been a great challenge to analyze the data and implement the anomaly detection model. In this paper, we propose and evaluate the Clustered Deep One-Class Classification (CD-OCC) model that combines the clustering algorithm and deep learning (DL) models using only a normal dataset for anomaly detection. We classify normal data into optimal cluster size using the K-means clustering algorithm. DL models train to classify each cluster based on clustered normal data, and we can obtain the softmax values in the process of predicting the cluster. We use the softmax values as a dataset with distilled knowledge of the DL model for anomaly detection. We transfer the softmax values to one-class classification (OCC) models to detect anomalies. As a result of the experiment, the F1-score of the proposed model shows performance close to 0.8 and performance improvement of about 0.5 compared to the encoded OCC model, which has reduced-dimensionality through auto-encoder as well as the basic OCC model.

KW - anomaly detection

KW - clustering

KW - deep learning

KW - knowledge distillation

UR - https://www.scopus.com/pages/publications/85093358838

U2 - 10.1109/AsiaJCIS50894.2020.00034

DO - 10.1109/AsiaJCIS50894.2020.00034

M3 - Conference contribution

AN - SCOPUS:85093358838

T3 - Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020

SP - 151

EP - 157

BT - Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 15th Annual Asia Joint Conference on Information Security, AsiaJCIS 2020

Y2 - 20 August 2020 through 21 August 2020

ER -

Anomaly Detection using Clustered Deep One-Class Classification

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this