ieee transactions on knowledge and data engineering, … · miner3, and oracle datamine4. the...

IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 25, NO. 1, JANUARY 2014 1

Outlier Detection for Temporal Data: A SurveyManish Gupta, Jing Gao, Member, IEEE, Charu C. Aggarwal, Fellow, IEEE,

and Jiawei Han, Fellow, IEEE

Abstract—In the statistics community, outlier detection for time series data has been studied for decades. Recently, withadvances in hardware and software technology, there has been a large body of work on temporal outlier detection from acomputational perspective within the computer science community. In particular, advances in hardware technology have enabledthe availability of various forms of temporal data collection mechanisms, and advances in software technology have enabled avariety of data management mechanisms. This has fueled the growth of different kinds of data sets such as data streams, spatio-temporal data, distributed streams, temporal networks, and time series data, generated by a multitude of applications. Therearises a need for an organized and detailed study of the work done in the area of outlier detection with respect to such temporaldatasets. In this survey, we provide a comprehensive and structured overview of a large set of interesting outlier definitions forvarious forms of temporal data, novel techniques, and application scenarios in which specific definitions and techniques havebeen widely used.

Index Terms—temporal outlier detection, time series data, data streams, distributed data streams, temporal networks, spatio-temporal outliers, applications of temporal outlier detection, network outliers

F

1 INTRODUCTION

OUTLIER detection is a broad field, which hasbeen studied in the context of a large number

of application domains. Aggarwal [1], Chandola etal. [2], Hodge et al. [3] and Zhang et al. [4] providean extensive overview of outlier detection techniques.Outlier detection has been studied in a variety ofdata domains including high-dimensional data [5],uncertain data [6], streaming data [7], [8], [9], networkdata [9], [10], [11], [12], [13] and time series data [14],[15]. Outlier detection is very popular in industrialapplications, and therefore many software tools havebeen built for efficient outlier detection, such as R(packages ‘outliers’1 and ‘outlierD’ [16]), SAS2, Rapid-Miner3, and Oracle datamine4.

The different data domains in outlier analysis typ-ically require dedicated techniques of different types.Temporal outlier analysis examines anomalies in thebehavior of the data across time. Some motivatingexamples are as follows.• Financial Markets: An abrupt change in the stock

market, or an unusual pattern within a specific

• M. Gupta is with Microsoft, Gachibowli, Hyderabad 500032, India.E-mail: [email protected].

• J. Gao is with University at Buffalo, The State University of New York,338 Davis Hall, Buffalo, NY 14260. E-mail: [email protected].

• C. C. Aggarwal is with IBM T.J. Watson Research Center, 1101Kitchawan Rd, Yorktown, NY 10598. E-mail: [email protected].

• J. Han is with University of Illinois, Urbana-Champaign, 201 NGoodwin Ave, Urbana, IL 61801. E-mail: [email protected].

1http://cran.r-project.org/web/packages/outliers/outliers.pdf

2http://www.nesug.org/Proceedings/nesug10/ad/ad07.pdf3http://www.youtube.com/watch?v=C1KNb1Kw-As4http://docs.oracle.com/cd/B28359 01/datamine.111/

b28129/anomalies.htm

window such as the flash crash of May 6, 2010 isan anomalous event which needs to be detectedearly in order to avoid and prevent extensivedisruption of markets because of possible weak-nesses in trading systems.

• System Diagnosis: A significant amount of datagenerated about the system state is discrete innature. This could correspond to UNIX systemcalls, aircraft system states, mechanical systems,or host-based intrusion detection systems. Thelast case is particularly common, and is an im-portant research area in its own right. Anomaliesprovide information about potentially threaten-ing and failure events in such systems.

• Biological Data: While biological data is not tem-poral in nature, the placement of individualamino-acids is analogous to positions in temporalsequences. Therefore, temporal methods can bedirectly used for biological data.

• User-action Sequences: A variety of sequencesabound in daily life, which are created byuser actions in different domains. These includeweb browsing patterns, customer transactions,or RFID sequences. Anomalies provide an ideaof user-behavior which is deviant for specificreasons (e.g., an attempt to crack a password willcontain a sequence of login and password actions).

This broad diversity in applications is also reflectedin the diverse formulations and data types relevantto outlier detection. A common characteristic of alltemporal outlier analysis is that temporal continuityplays a key role in all these formulations, and unusualchanges, sequences, or temporal patterns in the data areused in order to model outliers. In this sense, timeforms the contextual variable with respect to which

http://cran.r-project.org/web/packages/outliers/outliers.pdf

http://cran.r-project.org/web/packages/outliers/outliers.pdf

http://www.nesug.org/Proceedings/nesug10/ad/ad07.pdf

http://www.youtube.com/watch?v=C1KNb1Kw-As

http://docs.oracle.com/cd/B28359_01/datamine.111/b28129/anomalies.htm

http://docs.oracle.com/cd/B28359_01/datamine.111/b28129/anomalies.htm

2 IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 25, NO. 1, JANUARY 2014

Outlier Detection for Temporal Data

Time Series

Data

Data

Streams

Distributed

Data

Spatio-Temporal

Data

Network

Data

Time

Series

Database

Single

Time

Series

Direct Detection

Time Series Outliers

Window based Detection

Time Series Outliers

Outlier

Subsequences

Point

Outliers

Subsequence

Outliers

Evolving

Prediction

Models

Distance

Based

Outliers

High

Dimensional

Data

Streams

Global

Outliers

Local

Outliers

Other

Variants

Temporal

Distributed

Data

Spatial

Sensor

Data

ST Outlier

Detection

ST Outlier

Tracking

Trajectory

Outlier

Detection

Graph

Similarity

Outliers

Online

Graph

Outliers

Community

Based

Outliers

Fig. 1. Organization of the Survey

all analysis is performed. Temporal outlier analysisis closely related to change point detection, and eventdetection, since these problems represent two instan-tiations of a much broader field. The problem offorecasting is closely related to many forms of temporaloutlier analysis, since outliers are often defined asdeviations from expected values (or forecasts). Never-theless, while forecasting is a useful tool for manyforms of outlier analysis, the broader area seems tobe much richer and multi-faceted.Different Facets of Temporal Outlier Analysis: Out-lier analysis problems in temporal data may be cate-gorized in a wide variety of ways, which representdifferent facets of the analysis. The area is so richthat no single type of abstract categorization canfully capture the complexity of the problems in thearea, since these different facets may be present inan arbitrary combination. Some of these facets are asfollows.

• Time-series vs Multidimensional Data Facet: In time-series data (e.g., sensor readings) the importanceof temporal continuity is paramount, and all anal-ysis is performed with careful use of reasonablysmall windows of time (the contextual variable).On the other hand, in a multi-dimensional datastream such as a text newswire stream, an ap-plication such as first-story detection, might notrely heavily on the temporal aspect, and thusthe methods are much closer to standard multi-dimensional outlier analysis.

• The Point vs Window Facet: Are we looking foran unusual data point in a temporal series (e.g.,sudden jump in heart rate in ECG reading),or are we looking for an unusual pattern ofchanges (contiguous ECG pattern indicative ofarrythmia)? The latter scenario is usually far morechallenging than the former. Even in the contextof a multi-dimensional data stream, a single pointdeviant (e.g., first story in a newswire stream)may be considered a different kind of outlierthan an aggregate change point (e.g., suddenchange in the aggregate distribution of stories

over successive windows).• The Data Type Facet: Different kinds of data such

as continuous series (e.g., sensors), discrete series(e.g., web logs), multi-dimensional streams (e.g.,text streams), or network data (e.g., graph and so-cial streams) require different kinds of dedicatedmethods for analysis.

• The supervision facet: Are previous examples ofanomalies available? This facet is of course com-mon to all forms of outlier analysis, and is notspecific to the temporal scenario.

These different facets are largely independent of oneanother, and a large number of problem formulationsare possible with the use of a combination of thesedifferent facets. Therefore, this paper is largely orga-nized by the facet of data type, and examines differentkinds of scenarios along this broad organization.Specific Challenges for Outlier Detection for Tem-poral Data: While temporal outlier detection aims tofind rare and interesting instances, as in the case oftraditional outlier detection, new challenges arise dueto the nature of temporal data. We list them below.• A wide variety of anomaly models are possible

depending upon the specific data type and sce-nario. This leads to diverse formulations, whichneed to be designed for the specific problem.For arbitrary applications, it may often not bepossible to use off-the-shelf models, because ofthe wide variations in problem formulations. Thisis one of the motivating reasons for this survey toprovide an overview of the most common com-binations of facets explored in temporal outlieranalysis.

• Since new data arrives at every time instant, thescale of the data is very large. This often leadsto processing and resource-constraint challenges.In the streaming scenario, only a single scanis allowed. Traditional outlier detection is mucheasier, since it is typically an offline task.

• Outlier detection for temporal data in distributedscenarios poses significant challenges of minimiz-ing communication overhead and computational

GUPTA et al.: OUTLIER DETECTION FOR TEMPORAL DATA: A SURVEY 3

load in resource-constrained environments.In this work, we aim to provide a comprehensive

and structured overview of outlier detection tech-niques for temporal data. Figure 1 shows the or-ganization of the survey with respect to the datatype facet. For each data type, we discuss specificproblem classes in various subsections. We begin withthe easiest scenario for temporal data – discrete timeseries data (Section 2). However a lot of data getssampled over very short time intervals, and keepsflowing in infinitely leading to data streams. Wewill study techniques for outlier detection in streamsin Section 3. Often times, data is distributed acrossmultiple locations. We study how to extract globaloutliers in such distributed scenarios in Section 4. Forsome applications like environmental data analysis,data is available over a continuum of both spaceand time dimensions. We will study techniques tohandle such data in Section 5. Finally, networks cancapture very rich semantics for almost every domain.Hence, we will discuss outlier detection mechanismsfor network data in Section 6. We will also present afew applications where such temporal outlier detec-tion techniques have been successfully employed inSection 7. The conclusions are presented in Section 8.

2 TIME SERIES OUTLIER DETECTION

A significant amount of work has been performed inthe area of time series outliers. Parametric models fortime series outliers [15] represents the first work onoutlier detection for time series data. Several modelswere subsequently proposed in the statistics literature,including autoregressive moving average (ARMA),autoregressive integrated moving average (ARIMA),vector autoregression (VARMA), CUmulative SUMStatistics (CUSUM), exponentially weighted movingaverage, etc. While a detailed exposition is beyond thescope of this survey, we will provide an overview ofthe key ideas in this topic, especially from a computerscience perspective. We direct the reader to [17], [18],[19] for further reading from the statistics point ofview. In this section, we will focus on two main typesof outlier detection techniques for time series studiedin the data mining community. The first part concernstechniques to detect outliers over a database of timeseries, whereas the second part deals with outlierswithin a single time series.

2.1 Outliers in Time Series Databases

Given a time series database, we will discuss methodsto identify a few time series sequences as outliers,or to identify a subsequence in a test sequence asan outlier. An outlier score for a time series can becomputed directly, or by first computing scores foroverlapping fixed size windows and then aggregatingthem. We discuss these techniques in this subsection.

2.1.1 Direct Detection of Outlier Time SeriesGiven: A database of time seriesFind: All anomalous time series

It is assumed that most of the time series in thedatabase are normal while a few are anomalous. Sim-ilar to traditional outlier detection, the usual recipe forsolving such problems is to first learn a model basedon all the time series sequences in the database, andthen compute an outlier score for each sequence withrespect to the model. The model could be supervised orunsupervised depending on the availability of trainingdata.Unsupervised Discriminative Approaches

Discriminative approaches rely on the definitionof a similarity function that measures the similaritybetween two sequences. Once a similarity function isdefined, such approaches cluster the sequences, suchthat within-cluster similarity is maximized, whilebetween-cluster similarity is minimized. The anomalyscore of a test time series sequence is defined as thedistance to the centroid (or medoid) of the closestcluster. The primary variation across such approaches,are the choice of the similarity measure, and theclustering mechanism.Similarity Measures: The most popular sequencesimilarity measures are the simple match count basedsequence similarity [20], and the normalized length ofthe longest common subsequence (LCS) [21], [22],[23], [24]. The advantage of the former is its greatercomputational efficiency, whereas the latter can adjustto segments in the sequences containing noise, but ismore expensive because of its dynamic programmingmethodology.Clustering Methods: Popular clustering methods in-clude k-Means [25], EM [26], phased k-Means [27],dynamic clustering [24], k-medoids [21], [22], single-linkage clustering [28], clustering of multi-variate timeseries in the principal components space [29], one-class SVM [30], [31], [32], [33] and self-organizingmaps [34]. The choice of the clustering methodis application-specific, because different clusteringmethods have different complexity, with varyingadaptability to clusters of different numbers, shapesand sizes.Unsupervised Parametric Approaches

In unsupervised parametric approaches, anomalousinstances are not specified, and a summary model isconstructed on the base data. A test sequence is thenmarked anomalous if the probability of generation ofthe sequence from the model is very low. The anomalyscore for the entire time series is computed in termsof the probability of each element. Popular modelsinclude Finite state automata (FSA), Markov modelsand Hidden Markov Models (HMMs).

FSA can be learned from length l subsequencesin normal training data. During testing, all length lsubsequences can be extracted from a test time seriesand fed into the FSA. An anomaly is then detected


if the FSA reaches a state from where there is nooutgoing edge corresponding to the last symbol of thecurrent subsequence. FSAs have been used for outlierdetection in [23], [35], [36], [37]. The methods to gen-erate the state transition rules depend on particularapplication domains.

Some Markov methods store conditional informa-tion for a fixed history size=k, while others use avariable history size to capture richer temporal depen-dencies. Ye [38] proposes a technique where a Markovmodel with k=1 is used. In [39], [40], the conditionalprobability distribution (CPD) are stored in proba-bilistic suffix trees (PSTs) for efficient computations.Sparse Markovian techniques estimate the conditionalprobability of an element based on symbols within theprevious k symbols, which may not be contiguous orimmediately preceding to the element [41], [42].

HMMs can be viewed as temporal dependency-oriented mixture models, where hidden states andtransitions are used to model temporal dependenciesamong mixture components. HMMs do not scale wellto real life datasets. The training process may requirejudicious selection of the model, the parameters, andinitialization values of the parameters. On the otherhand, HMMs are interpretable and theoretically wellmotivated. Approaches that use HMMs for outlierdetection include [23], [43], [44], [45], [46].Unsupervised OLAP based Approach

Besides traditional uni-variate time series data,richer time series are quite popular. For example, atime series database may contain a set of time series,each of which are associated with multi-dimensionalattributes. Thus, the database can be representedusing an OLAP cube, where the time series couldbe associated with each cell as a measure. Li etal. [47] define anomalies in such a setting, where givena probe cell c, a descendant cell is considered ananomaly if the trend, magnitude or the phase of itsassociated time series are significantly different fromthe expected value, using the time series for the probecell c.Supervised Approaches

In the presence of labeled training data, the fol-lowing supervised approaches have been proposed inthe literature: positional system calls features with theRIPPER classifier [48], subsequences of positive andnegative strings of behavior as features with stringmatching classifier [34], [49], neural networks [50],[51], [52], [53], [54], Elman network [53], motion fea-tures with SVMs [55], bag of system calls featureswith decision tree, Naıve Bayes, SVMs [56]. Slidingwindow subsequences have also been used as featureswith SVMs [57], [58], rule based classifiers [59], andHMMs [44].

2.1.2 Window based Detection of Outlier Time Series

Given: A database of time series

Normal

or Abnormal

Windows

Database

Test Sequence s

Win

do

ws

�� !�

��"�

Train Sequences

Optional Processing like DWT

Processed Sequence Processed Sequences

Normal

Samples

Detectors

Length-w

windows

Fig. 2. Window Based Time Series Outlier Detection

Find: All anomalous time windows, and henceanomalous time series

Compared to the techniques in the previous sub-section, the test sequence is broken into multipleoverlapping subsequences (windows). The anomalyscore is computed for each window, and then theanomaly score (AS) for the entire test sequence iscomputed in terms of that of the individual windows.Window-based techniques can perform better local-ization of anomalies, compared to the techniques thatoutput the entire time series as outliers directly. Thesetechniques need the window length as a parameter.Windows are called fingerprints, pattern fragments,detectors, sliding windows, motifs, and n-grams invarious contexts. In this methodology, the techniquesusually maintain a normal pattern database, but someapproaches also maintain a negative pattern or amixed pattern database. Figure 2 shows a generalsketch of the method.Normal Pattern Database Approach

In this approach, normal sequences are divided intosize w overlapping windows. Each such window sub-sequence is stored in a database with its frequency. Fora test sequence, subsequences of size w are obtained,and those subsequences that do not occur in normaldatabase are considered mismatches. If a test sequencehas a large number of mismatches, it is marked asan anomaly [44], [49], [51], [53], [60]. Rather thanlooking for exact matches, if a subsequence is notin the database, soft mismatch scores can also becomputed [20], [61], [62], [63].

Besides contiguous window subsequences, a looka-head based method can also be used for buildinga normal database [64]. For every element in everynormal sequence, the elements occurring at distance1,2,. . ., k in the sequence are noted. A normal databaseof such occurrences is created. Given a new testsequence, a lookahead of the same size k is used. Eachpair of element occurrence is checked with the normaldatabase, and the number of mismatches is computed.Negative and Mixed Pattern Database Approaches

Besides the dictionaries for normal sequences,anomaly dictionaries can also be created [34], [50],[65], [66], [67]. All normal subsequences of length w


are obtained from the input string. Next, all sequencesof size w not in the set are considered detectors ornegative subsequences. Detectors can be generatedrandomly or by using some domain knowledge ofsituations that are not expected to occur in normalsequences. A test sequence is then monitored forpresence of any detector. If any detector matches, thesequence can be considered an outlier.

2.1.3 Outlier Subsequences in a Test Time SeriesGiven: A database of time series D and a test timeseries tFind: An outlier subsequence (or a pattern) p in t

The anomaly score for a pattern p can be computedas the difference between the frequency of patternp in test time series and the expected frequency indatabase D. Keogh et al. [68] define a soft matchversion of the problem where the frequency of patternp in the database D is defined using the largestnumber l such that every subsequence of p of lengthl occurs at least once in D. Another form of softmatching is defined in [69], where rather than anexact match of pattern p, any permutation of p isalso considered a match. To make the computationsefficient, the TARZAN algorithm was proposed whichexploits suffix trees [68], [70], [71]. Also Gwaderaet al. [72], [73] have proposed Interpolated MarkovModels (IMM) to efficiently compute the match scoreof a pattern or its permutations within any time series.

2.2 Outliers Within a Given Time SeriesGiven a single time series, one can find particularelements (or time points) within the time series asoutliers, or one can also find subsequence outliers. Inthis subsection, we will discuss techniques for boththese cases.

2.2.1 Points as OutliersGiven: A time series tFind: Outlier points in t

Various methodologies have been proposed to findoutlier points for a time series. A large number ofprediction models and profile based models havebeen proposed. An information-theoretic compressionbased technique has also been proposed to find “de-viants”. We will discuss these techniques below. Apartfrom these, a number of clustering and classificationapproaches described in Section 2.1.1, can also be usedto detect point outliers.Prediction Models

The outlier score for a point in the time series iscomputed as its deviation from the predicted valueby a summary prediction model. The primary variationacross models, is in terms of the particular predictionmodel used.

Given a time series, one can predict the value attime t as a median of the values in the size-2k window

from t−k to t+k [74], or as an average of all the pointsin the cluster that the value at time t maps to [75], orusing regression models. Single-layer linear networkpredictor (or AR model) has been used in a large num-ber of studies including [75]. Other prediction modelsinclude Multilayer perceptron (MLP) predictor [75]and support vector regression [76]. Mixture transitiondistribution (MTD) have been proposed for outlierdetection for general non-Gaussian time series [77].Tsay et al. [78] propose a vector ARIMA model toidentify additive outliers, innovation outliers, levelshifts, and temporary changes from multi-variate timeseries. Besides individual points, multiple outliers canalso be discovered using prediction models, e.g., usingre-weighted maximum likelihood estimates [79] orusing Gibbs sampling and block interpolation [80].

There are many variants of this technique. Outlier-aware variants of these prediction models estimatemodel parameters and outliers together [81], [82], [83],[84]. In multi-variate time series, prediction couldbe made for all constituent time series. In [85], tocompute outliers for multi-variate time series, testingfor outliers is done only in some smartly selected pro-jection directions rather than testing the multivariateseries directly to compute outliers.Profile Similarity based Approaches

These approaches maintain a normal profile andthen compare a new time point against this profileto decide whether it is an outlier. For example, formultiple OS performance metric time series, the Tire-sias system [86] maintains a normal profile and alsoa variance vector. Any new data point is comparedboth with the normal profile and the variance vectorto compute its anomaly score. Here the profile isthe actual smoothed time series data from past data.In [87], a neural network is used to maintain thenormal profile and an estimation is made for the nextvalue in the sensor stream based on this profile. Wewill discuss more profile based techniques in Section 3in the context of data streams.Deviants

Deviants are outlier points in time series froma minimum description length (MDL) point ofview [88]. If the removal of a point P from the timesequence results in a sequence that can be representedsignificantly more succinctly than the original one,then the point P is a deviant. These information-theoretic models explore the space-deviation tradeoffby fixing the deviation, rather than fixing the space,as in conventional models. Thus the problem is tofind points whose removal results in a histogramrepresentation with a lower error bound than theoriginal, even after the number of buckets has beenreduced to account for the separate storage of thesedeviant points. Jagadish et al. [88] propose a dy-namic programming mechanism to solve the problem.Muthukrishnan et al. [89] make the observation thatfor any bucket, the optimal set of k deviants within


the bin always consists of the l highest and remainingk− l lowest values for some l ≤ k. Then, they proposean approximation to the dynamic programming-basedsolution, that maintains a partial solution only for afew interspersed indexes of the time series rather thanfor each value.

2.2.2 Subsequences as OutliersGiven: A time series tFind: Outlier subsequences in t

In the previous subsection, we looked at techniquesto identify point outliers. In this subsection, we willvisit mechanisms to identify outlier subsequences intime series.

Given a time series T , the subsequence D of lengthn beginning at position l is said to be the discord (oroutlier) of T if D has the largest distance to its nearestnon-overlapping match [90]. The brute force solutionis to consider all possible subsequences s ∈ S oflength n in T and compute the distance of each such swith each other non-overlapping s′ ∈ S. Top-K prun-ing can be used to make this computation efficient.Subsequence comparisons can be smartly ordered foreffective pruning using various methods like heuristicreordering of candidate subsequences [91], localitysensitive hashing [92], Haar wavelet and augmentedtries [93], [94], and SAX with augmented trie [95].To compute the distance between subsequences, mostmethods use Euclidean distance while Compressionbased Dissimilarity Measure (CDM) is used as a dis-tance measure in [96]. Yankov et al. [97] solve theproblem for a large time series stored on the disk.

Chen et al. [98] define the subsequence outlierdetection problem for an unequal interval time serieswhich is a time series with values sampled at unequaltime intervals. For such a time series, a pattern isdefined as a subsequence of two consecutive points.A pattern p is called an anomaly, if there are veryfew other patterns with the same slope and the samelength. To identify anomalies at multiple scales, theHaar transform is used. Haar transform is also usedin [99] to identify multi-level trends and anomalies.

Besides the aforementioned definitions of outliersubsequences, some more variants have also beendiscussed in the literature. For example, in [100] alead and a lag window are defined as adjacent sub-sequences. The two windows could be of any length.The subsequence represented by the lead window isan anomaly, if its similarity with the lag window isvery low. They measure the similarity using chaosbitmaps. As another example, Zhu et al. [101] com-pute subsequences of length w with a very high aggre-gate value as outliers. They use a novel data structurecalled Shifted Wavelet Tree to solve the problem.

3 OUTLIER DETECTION FOR STREAM DATACompared to static data, streaming data does nothave a fixed length. Streams can be a time-series or

Compute

Outlier ScoreModel

Update Model Parameters

xtxt+1

Data Stream

Fig. 3. Stream Anomaly Detection

multidimensional. Temporal dependencies for mul-tidimensional streams, are used differently than intime-series. Rather than using time-series forecastingmethods, these methods are closer to conventionalmultidimensional models, but with a temporal com-ponent, which accounts for temporal drift, and devi-ations.

3.1 Evolving Prediction ModelsGiven: A multidimensional data stream sFind: Outlier points in s

Evolving prediction models are models in which theparameters or components of the model are updatedas new data arrives in order to better capture thenormal trends in the data. In this subsection, we willdiscuss a few such models.Online Sequential Discounting

Yamanishi et al. [102], [103] present SmartSifterwhich employs an online discounting learning algo-rithm to incrementally learn the probabilistic mix-ture model, with a decay factor to account for drift.The outlier score for a data point is computed interms of the probabilistic fit value to the learnedmixture model. Such mixture models are used forconventional multidimensional data, but without theadjustments for incremental updates and temporaldecay. Figure 3 shows an illustration of the method.

For categorical variables, they propose the Sequen-tially Discounting Laplace Estimation (SDLE) algo-rithm. In SDLE, cells are created by partitioning thespace of all values of all categorical variables. Theprobability of a symbol in a cell is the number ofoccurrences of that symbol in that cell divided by thetotal data points with the Laplace smoothing. When anew data point arrives, the count for all the cells areadjusted with temporal discounting and appropriateLaplace smoothing is applied.

For continuous variables, they propose two models:an independent model and a time series model. Theindependent model is a Gaussian mixture model inthe parametric case and a kernel mixture model inthe non-parametric case. For learning the Gaussianmixture model (GMM), they provide the SequentiallyDiscounting EM (SDEM) algorithm which is essen-tially an incremental EM algorithm with discountingof effect of past examples. For learning the kernelmixture model, Yamanishi et al. provide SequentiallyDiscounting Prototype Updating (SDPU) algorithmwhere the coefficients of the mixture and the variance


matrix are fixed and so it iteratively learns only themeans of the kernels or the prototypes. For learningthe time series model, they provide the SequentiallyDiscounting AR (SDAR) algorithm which learns theAR model parameters iteratively with time discount-ing.

The online discounting behavior is also used toupdate the “normal” distribution in SRI’s Emeraldsystem [104], by giving more weight to recent data.Online discounting has also been used for mixedattribute data streams, to maintain the frequency of anitemset (a set of attribute values) [11], where a point iscalled an outlier if it shares the attribute values withnone or very few other points. Exponentially greaterimportance (another form of online discounting) isgiven to the recent points to learn a polynomial func-tion in StreamEvent [8] which is an algorithm to ef-ficiently compute outliers from multiple synchronousstreams, though this model is based on the time-seriesscenario.Dynamic Cluster Maintenance

Other than the online discounting methods, largenumber of methods use dynamically maintained clus-ter models for computing outliers from data streams.For example, normalized length of the longest com-mon subsequence (LCS) has been used as the se-quence similarity measure for dynamic clustering bySequeira et al. [24]. In the text domain, online cluster-ing methods were proposed in [105] to detect outliers.Dynamic Bayesian Networks

Sometimes updating the parameters of the modelis not enough. The model can be modified by it-self to incorporate drifts in the data stream. Hillet al. [106] present an approach that uses DynamicBayesian networks which are Bayesian networks withnetwork topology that evolves over time, addingnew state variables to represent the system state atthe current time t. They present two strategies fordetecting anomalous data: Bayesian credible interval(BCI) and maximum a posteriori measurement status(MAP-ms). The first method uses an HMM model,where Kalman filtering is used to sequentially inferthe posterior distributions of hidden and observedstates as new measurements become available fromthe sensors. The posterior distribution of the observedstate variables is then used to construct a Bayesiancredible interval for the most recent set of measure-ments. Any measurements that fall outside of the p%Bayesian credible interval can be classified as anoma-lous. In the second method, a 2-layered DBN is used.The status (e.g., normal/anomalous) of each sensormeasurement is also modeled as a hidden state. Themaximum a posteriori estimate, (i.e., the most likelyvalue given the posterior distribution) of the hiddenstate variable, indicating the measurement status, canbe used to classify the sensor measurements as normalor anomalous.

o6

t1 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t15t14 t16 t17 t18 t19 t20 t21 t22

R

R

R

R

o1

o2

o3 o4

o7

o8

o9

o10

o11

o12

o13

o14

o15

o16

o17

o18

o19

o20

o21

o22

time

value

o5

t2

Fig. 4. Distance based Outliers for Sliding Win-dows [108]

3.2 Distance based Outliers for Sliding Windows

Given: A data stream sFind: Distance based outliers in any time window ofs

Besides defining outliers for data streams usingprediction models, one can also compute distancebased outliers for data streams at any time instant.Given a set of points, a point o is called a DB(k,R)distance outlier if there are less than k points withindistance R from o [107]. Given a data stream, at anytime point, one can discover outliers from the setof points lying within the current sliding window.Distance based outliers can be discovered both in aglobal as well as in a local sense on points withinthe current sliding window. Figure 4 shows a 1-dimensional stream dataset with two time windows(t3 to t18 and t7 to t22). Consider the window at timet18. If we consider a point with k < 4 points withindistance R as outliers, o9 (with k=4 neighbors o5, o10,o14 and o15) and o11 (with k=4 neighbors o3, o4, o6and o13) are examples of inliers, while o8 (with only 2neighbors o7 and o16) and o17 (with only 1 neighboro18) are examples of outliers.

3.2.1 Distance based Global Outliers

As the sliding window for a stream moves, old ob-jects expire and new objects come in. Since objectsexpire over time, the number of preceding neighborsof any object decreases. Therefore, if the number ofsucceeding neighbors of an object is less than k, theobject could become an outlier depending on thestream evolution. Conversely, since any object willexpire before its succeeding neighbors, inliers havingat least k succeeding neighbors will be inliers for anystream evolution. Such inliers are called safe inliers(e.g., in Figure 4, for k=3, o9 is a safe inlier as it has 3succeeding neighbors (o10, o14, o15) while o11 is not,as it has only 1 succeeding neighbor (o13)).

Angiulli et al. [108] propose an exact algorithm toefficiently compute distance outliers using a new data


structure called Indexed Stream Buffer (ISB) whichsupports a range query. Further, they also propose anapproximate algorithm which uses two heuristics: (a)It is sufficient to retain in ISB only a fraction of safeinliers, (b) Rather than storing the list of k most recentpreceding neighbors, it is enough to store only thefraction of preceding neighbors, which are safe inliersto the total number of safe inliers.

Yang et al. [109] propose that maintaining all neigh-bor relationships across time may be very expensive.Therefore, abstracted neighbor relationships can bemaintained. However, maintaining such cluster ab-stractions is expensive too. Hence, they exploit an im-portant characteristic of sliding windows, namely the“predictability” of the expiration of existing objects.In particular, given the objects in the current window,the pattern structures that will persist in subsequentwindows can be predicted by considering the objects(in the current window) that will participate in eachof these windows only. These predicted pattern struc-tures can be abstracted into “predicted views” of eachfuture window. They propose an efficient algorithmwhich makes use of the predicted views to computedistance based outliers.

The problem of distance-based outlier detection forstream data can also be solved using dynamic clustermaintenance, as has been done for similar problemsin [110], [111].

3.2.2 Distance based Local OutliersLocal Outlier Factor (LOF) is an algorithm for findinganomalous data points by measuring the local devi-ation of a given data point with respect to its neigh-bours [112]. The LOF algorithm developed for staticdata can be adapted to the incremental LOF problem(i.e., the stream setting) in three ways: (a) periodicLOF, i.e., apply LOF on entire data set periodically, oras (b) supervised LOF, i.e., compute the k-distances,local reachability density (LRD) and LOF values usingtraining data and use them to find outliers in test dataor as (c) iterated LOF where the static LOF algorithmcan be re-applied every time a new data record isinserted into the data set. A better approach is pro-posed in [113], where the incremental LOF algorithmcomputes LOF value for each data record insertedinto the data set and instantly determines whetherthe inserted data record is an outlier. In addition, LOFvalues for existing data records are updated if needed.Thus, in the insertion part, the algorithm performstwo steps: (a) insertion of new record, when it com-putes the reachability distance, LRD and LOF valuesof a new point; (b) maintenance, when it updates k-distances, reachability distance, LRD and LOF valuesfor affected existing points.

3.3 Outliers in High-dimensional Data StreamsZhang et al. [114] present Stream Projected OutlierdeTector (SPOT), to deal with outlier detection prob-

Sensor1 Sensor3

Sensor2

Fig. 5. Distributed Data Streams Scenario

lem in high-dimensional data streams. SPOT employsa window based time model and decaying cell sum-maries to capture statistics like Relative Density andInverse Relative Standard Deviation of data pointsin the cell from the data stream. Sparse SubspaceTemplate (SST), a set of top sparse subspaces ob-tained by unsupervised and/or supervised learningprocesses, is constructed in SPOT. These SSTs arethe subspaces which are explored to find projectedoutliers effectively. Multi-Objective Genetic Algorithm(MOGA) is employed as an effective search method inunsupervised learning for finding outlying subspacesfrom training data. SPOT is also capable of online self-evolution, to cope with evolving dynamics of datastreams.

4 OUTLIER DETECTION FOR STREAM DATAIN DISTRIBUTED SCENARIOS

Zhang et al. [4] provide a detailed survey for outlierdetection techniques on wireless sensor networks. Themain challenges for outlier detection in a distributedsetting are as follows.• Resource constraints: Energy, memory, computa-

tional capacity and communication bandwidthare all scarce.

• High communication cost: Communication costis orders of magnitude greater than the compu-tation costs.

• Distributed streaming data: Processing data on-line coming at different rates from multiple dis-tributed sensors is non-trivial.

• Dynamics: Dynamic network topology, frequentcommunication failures, mobility and hetero-geneity of nodes are a few dynamic features ofsuch datasets which are challenging to handle.

• Large-scale deployment: Traditional outlier detec-tion algorithms are not easily scalable.

• Identifying outlier sources: It is important tomake distinctions between errors, events and ma-licious attacks.

In a distributed stream setting, points are distributedacross various nodes (sensors). Each sensor has anassociated stream of incoming points and the aim isto find top few distance based outliers based on theglobal data (Figure 5). In a distributed spatio-temporalsetting, the position of sensors is also important whencomputing outliers. We discuss both settings in thissection.


4.1 Distributed Temporal Data

Given: A set of sensors each with an associated datastreamFind: Distance/density based outliers based on globaldataSharing Local Outliers and Other Data Points: Let usfirst discuss an algorithm [115] for a distributed staticsetting, where each sensor holds a set of points andtries to compute the set of the global top-K outliers.An outlier detection algorithm A is available whichoutputs a ranking function R. R is anti-monotonic wrtdata and R should be smooth, e.g., the distance tothe kth nearest neighbor, the average distance to thek nearest neighbors, etc. Consider a point x in datasetP . Consider a subset P0 of P . If P0 is the smallestsubset such that R(x, P ) = R(x, P0) then P0 is calledthe support set of x over P .

Based on the above basic concepts, we discuss thealgorithm flow as follows. Each sensor exchangesmessages with its neighbors. Each sensor can applyA to compute top-K outliers for its knowledge wherethe knowledge of the sensor is its own points plus thepoints received in messages. Sensor pi should sendto pj all of pi’s current outliers and their supports.If, for any of these points x, pi cannot be certain thatpj has x (i.e. neither previous messages from pi to pjnor messages from pj to pi contain x), then x must besent to pj . Second, pi may have points which wouldeffect outliers previously sent by pj , but these maynot be accounted for in the first part. It suffices for pito send the support of all of the outliers in messagefrom pj to pi which were not in that message. In astreaming setting, when a new point is sampled, datachanges at the local sensor itself. This requires that thesame calculation is made as in the case of a change inknowledge of the sensor due to receiving a message.If the algorithm needs to only consider points whichwere sampled recently (i.e. employ a sliding window),this can be implemented by adding a time-stamp toeach point when it is sampled. Each node can retireold points regardless of where they were sampled andat no communication cost at all.Sharing Local Outliers Only: Since transmitting theentire data or even the model to every node couldbe expensive, Otey et al. [116] propose that onlythe local outliers be exchanged between nodes. If allnodes agree that a point is an outlier, then we canassume that the point is a global outlier. The sites onlycommunicate when some user-specified event occurs.Examples of such events include a user’s query forthe global outliers, when a node finishes processing afixed number of points, or when a node finds a fixednumber of outliers. Clearly, since there is no globalcomputation, this is an approximate algorithm.Sharing Local Outliers and Data Distributions: Inthis approach, data distributions are also shared alongwith the local outliers. The sensor network is orga-

nized in the form of a hierarchy. Kernel density esti-mators are used to approximate the sensor data dis-tribution. Once the data distributions are estimated,the density of the data space around each value canbe computed, and thus outliers can be determined.For distance based outliers, the goal is to identify,among all the sensor readings in a sliding window,those values that have very few close neighbors. Theglobal distance based outliers are computed by send-ing the local model and the local outliers to the parentnodes. For density based method, Subramaniam etal. [117] propose the Multi Granularity DeviationFactor (MDEF) metric. A value is flagged as an outlier,if its MDEF is statistically significantly different fromthat of the local averages. To estimate global MDEFbased outliers, each node sends the new observationsto its parent with a probability f , and then the parentnode communicates the new model to the lowest levelof nodes through the intermediate nodes. The hierar-chical architecture of a sensor network has also beenproposed by Palpanas et al. [118]. The distribution ofthe sensed data is assumed to be the kernel densityestimators. When the observed data points do not fitthis model, they are considered as outliers.

4.2 Distributed Sensor Data Streams with SpatialConsiderations

For some applications, the location of the sensorsis also important. In such settings where data isavailable across space and time, one can find faultysensors.Given: A set of sensors each with (x,y) coordinatesand an associated data streamFind: Outlier sensors and outlier regions

In this setting, each sensor is associated with a datastream based on a part of a source signal received atits location. Each sensor thus receives data which isa combination of the source signal plus some noisewhere a part of the noise component captures theoutlierness in the signal. The outlier detection processthen consists of four phases: clustering, temporal out-lier detection, removal of the spatial variation, andspatial outlier detection. In the beginning, sensorsform a cluster and elect their cluster-head. After that,the cluster-head receives data from sensors, carries outmost of the computation tasks, and broadcasts resultsto sensors. In the next phase, each sensor detectsand recognizes any existing temporal outliers. Thistask can be realized by making all sensors operatesimultaneously in parallel. In the third phase, it isimportant to remove any geometrical effect caused bythe sensor distribution. The signal power reduces inproportion to the distance from the source. If this biasis not accounted for properly, sensors near the sourcethat receive more energy might be falsely regardedas outliers, even though they are not. If the data hassome bias, the distribution might be heavily tailed


Spatio-Temporal Data Find Spatial Objects Find Spatial Outliers

Verify/Track Temporal OutliersST-Outliers

Fig. 6. ST-Outlier Detection Framework

with outliers located near the tail of the distribution.In that case, the min and max values are removedas outliers iteratively using the property of α-stabledistributions. The last phase is the spatial outlierdetection using the variogram method [119, p. 69-83].Since this method generally shows the spatial variancebetween sensors, outliers can be considered as thoseones that deviate remarkably from the majority of thedata. Note that this method [120] assumes that theoutliers are uncorrelated in time and space, and canbe modeled as an α-stable distribution.

Yet another way to use the location of sensors is toconsider neighbors within distance r. Given spatio-temporal data from a sensor network, a sensor s canbe considered as an outlier for a time window w, ifthe value at sensor s at the end of the window hasless than k measurements from all sensors within win-dow w, within a distance r. Once outlier sensors arediscovered, Franke et al. [121], [122] propose modelsto compute polygonal outlier regions in the sensornetwork.

5 OUTLIER DETECTION FORSPATIO-TEMPORAL DATA

Some studies find outliers considering only their tem-poral neighbors, while other work concerns outlierswith respect to their spatial neighbors only. Com-bining these two notions, a spatio-temporal outlier(ST-Outlier) is a spatio-temporal object whose be-havioral/thematic (non-spatial and non-temporal) at-tributes are significantly different from those of theother objects in its spatial and temporal neighbor-hoods. Figure 6 shows a typical ST-Outlier detectionpipeline.

5.1 Techniques for ST-Outlier DetectionGiven: A spatio-temporal datasetFind: ST-Outliers, i.e., spatio-temporal objects whosebehavioral (non-spatial and non-temporal) attributesare significantly different from those of the otherobjects in its spatial and temporal neighborhoods

Most of the ST-Outlier detection techniques firstfind spatial outliers and then verify their temporalneighborhood. The techniques differ in the way spa-tial outliers are computed. We discuss these tech-niques below.

Birant et al. [123] propose a density-based ST-Outlier detection mechanism. First, they run a modi-fied DBSCAN [124] clustering algorithm on the datawith two main modifications: (1) To support the tem-poral aspect, a tree is traversed to find both spatial

and temporal neighbors of any object within a givenradius. (2) To find outliers, when clusters have differ-ent densities, the algorithm assigns a density factorto each cluster and compares the average value of acluster with the new coming value. After clustering,potential outliers are detected. This is followed bychecking the spatial neighbors to verify whether theseobjects are actually spatial outliers. The next stepchecks the temporal neighbors of the spatial outliersidentified in the previous step. If the characteristicvalue of a spatial outlier does not have significantdifferences from its temporal neighbors, this is not anST-Outlier. Otherwise, it is confirmed as an ST-Outlier.

Cheng et al. [125], [126] propose a four step ap-proach. (1) Clustering: Form some regions that havesignificant semantic meanings, i.e. the spatio-temporalobjects of interest. (2) Aggregation: Spatial resolution(scale) of the data is reduced for clustering. It is alsocalled filtering since the outliers (noise) will be filteredafter the spatial scale change. (3) Comparison: Resultsobtained at the two spatial scales are compared todetect the potential spatial outliers. The objects thatare found in Step 1 and are missed (or filtered) in Step2 are potential ST-Outliers. The comparison can berealized either by exploratory visualization analysisor visual data mining. (4) Verification: Check the tem-poral neighbors of the suspected ST-Outliers detectedin the previous step to detect ST-Outliers.

Adam et al. [127] studied distance based outlierdetection for a spatio-temporal dataset. Voronoi di-agrams are used to establish spatial clusters calledmicro-clusters. Based on the spatial and semanticsimilarity (computed using the corresponding time se-ries) between two micro-clusters they can be mergedto get macro-clusters. Spatial similarity for micro-cluster computation uses two measures: the Jaccardcoefficient that represents similarity and the Silhouettecoefficient that represents quality of clustering. Anydatum that differs sufficiently from other points in themacro neighborhood is then marked as an ST-Outlier.

5.2 Tracking of ST-Outliers

Given: A spatio-temporal datasetFind: ST-Outlier solids, i.e., a region across time

While previous techniques consider an ST-Outlieras a point in space and time, an ST-Outlier could beconsidered as a solid with its base in the XY spacedimension and volume across the time dimension.Wu et al. [128] propose an ST-Outlier detection algo-rithm called Outstretch, which discovers the outliermovement patterns of the top-K spatial outliers overseveral time periods. The top-K spatial outliers arefound using the Exact-Grid Top-K and Approx-GridTop-K algorithms (popular spatial outlier detectionalgorithms) with a well-known spatial scan statisticknown as Kulldorff’s scan statistic. An ST-Outlier mayexist over more than one time period. For example,


if there is higher than average precipitation in Peruover the years 1998-2002, then the solid in threedimensional (X, Y and time) space is an outlier. Usingthe top-K spatial outliers for each time period, theyfind all the sequences of outliers over time and storeinto a tree. The Outstretch algorithm takes as inputthe top-K values for each year period under analysis,and a variable r, the region stretch, which is thenumber of grids to ‘stretch’ by, on each side of anoutlier. Outstretch then examines the top-K valuesof the second to last available year periods. For allthe years, each of the outliers from the current yearare examined to see if they are framed by any ofthe stretched regions from the previous year. If theyare, the item is added to the end of the previousyear’s child list. As a result, all possible sequencesover all years get stored into the outlier tree and canbe retrieved for analysis.

Similarly, Lu et al. [129] propose a wavelet fuzzyclassification approach to detect and track region out-liers in meteorological data. First, wavelet transformis applied to meteorological data to bring up distinctpatterns that might be hidden within the originaldata. Then, a powerful image processing technique,edge detection with competitive fuzzy classifier, isextended to identify the boundary of region outlier.After that, to determine the center of the regionoutlier, the fuzzy-weighted average of the longitudesand latitudes of the boundary locations is computed.By linking the centers of the outlier regions withinconsecutive frames, the movement of a region outliercan be captured and traced.

5.3 Trajectory Outliers

Given: A set of trajectoriesFind: Anomalous trajectories

Most of the techniques are based on distance, di-rection and density of trajectories. However, classifi-cation and historical similarity based techniques havealso been proposed. We discuss these below.Distance Between Trajectories: Lee et al. [130] pro-pose TRAjectory Outlier Detection (TRAOD) algo-rithm which consists of two phases: (1) PartitioningPhase and (2) Detection Phase. In the first phase,each trajectory is split into partitions using a 2-levelpartitioning. Distance between trajectory partitions iscalculated as a weighted sum of three components:perpendicular distance, parallel distance and angledistance. In the second phase, a trajectory partitionis considered outlying if it does not have sufficientnumber of similar neighbors (with appropriate con-siderations of local density). A trajectory is an outlierif the sum of the length of its outlying partitions is atleast F times the sum of lengths of all of its partitions.Direction and Density of Trajectories: Ge et al. [131]consider two types of outlying trajectories: outliers interms of direction and outliers in terms of density.

The continuous space is discretized into small gridsand a probabilistic model is used to turn the directioninformation of trajectories in a grid into a vector witheight values to indicate the probabilities of moving to-wards eight directions within this grid. The directiontrend is thus generated within a fixed area by sum-marizing the moving directions from large amountsof trajectories for a period of time. Then, once someobjects move across this area along the completelydifferent directions from the summarized directions,they can be labeled as outliers in a real-time fashionby measuring the similarity between the directions ofthe observed objects and the summarized directions.Also, with this discretized space, the density of tra-jectories can be computed in each grid conveniently.The trajectory density within each grid is estimatedas the number of trajectories across this grid. Thetrajectory density distribution can be obtained withsufficient historical trajectory data. The outlying scoreof a new trajectory can then be measured based on thedensity of trajectories in the grids where this trajectoryactually passes.Historical Similarity: While the above techniquesstress on the spatial continuity to define outliers, Liet al. [132] propose a method for detecting tempo-ral outliers with an emphasis on historical similaritytrends between data points. At each time step, eachroad segment checks its similarity with the otherroad segments, and the historical similarity values arerecorded in a temporal neighborhood vector at eachroad segment. Outliers are calculated from drasticchanges in these vectors. Given a road segment witha historically stable set of neighbors (in feature space,not physical space), an outlier is loosely defined asa drastic change in the membership of this set. Achange is noted heavily for a pair of road segmentsif the two road segments are historically similar butdissimilar at this time instant, or if the two roadsegments are not historically similar but similar atthis time instant. Based on this, each road segmentis given an exponential reward or penalty each day.The outlier score of an road segment on a particularday is then equal to the sum of rewards and penalties.The power of this method compared with a methodthat measures only the singular road segment is thatit is robust to population shifts.Trajectory Motifs: Li et al. [55] propose a motion-classifier for trajectory outlier detection, which con-sists of the following three steps. (a) Object movementfeatures, called motifs, are extracted from the objectpaths. Each path consists of a sequence of motifexpressions, associated with the values related totime and location. (b) To discover anomalies in objectmovements, motif based generalization is performedto cluster similar object movement fragments and gen-eralize the movements based on the associated motifs.(c) With motif based generalization, objects are putinto a multi-level feature space and are classified by


a classifier that can handle high-dimensional featurespaces to discriminate anomalous trajectories fromnormal ones.

6 OUTLIER DETECTION FOR TEMPORALNETWORKS

Given a stream of graphs, how does one identifyan outlier graph? Given a temporal network withcommunity distributions for each of its nodes, howdoes one track community evolution, and therebydefine community outliers? In this section, we willstudy techniques that help us answer these questions.

6.1 Graph Similarity based Outlier Detection Al-gorithms

Given: A series of graph snapshotsFind: Outlier graph snapshots

Various graph distance metrics can be used to cre-ate time series of network changes by sequentiallycomparing graphs from adjacent periods. These timeseries are individually modeled as univariate autore-gressive moving average (ARMA) processes and thenoutliers can be detected.

Let V be the set of nodes when both the graphsnapshots G and H contain the same set of nodes,else VG and VH are used to denote the respectivevertex sets of the two graphs. EG and EH are edgesin graphs G and H . Let wG(u, v) and wH(u, v) denotethe edge weights for edge (u, v) in the graphs G andH respectively. The distance/similarity measures tocompute distances between two graphs G and H arementioned below.

(1) Weight Distance [133]: It is a function of thedifference between the edge weights of the graphsG and H normalized by the maximum of the edgeweights in G or H .

(2) MCS Weight Distance [133]: It computes weightdistance based on the edges in MCS where the maxi-mum common subgraph (MCS) F of G and H is thecommon subgraph with the most vertices.

(3) MCS Edge Distance [133]: It is defined in termsof the number of edges in the MCS as follows.d(G,H) = 1− |mcs(EG,EH)|

max(|EG|,|EH |) .(4) MCS Vertex Distance [133]: It is defined in a

similar way as in the MCS edge distance, but vertexsets of the two graphs rather than edge sets are usedin the distance computation.

(5) Graph Edit Distance [133], [134], [135]: Thesimplest form of graph edit distance is given byd(G,H) = |VG|+|VH |−2|VG∩VH |+|EG|+|EH |−2|EG∩EH |. This captures the sequence of edit operationsrequired to make graph G isomorphic to graph H .Graph edit distance can be expressed in other wayswhere the costs of inserting/deleting/substituting anode/edge are different [136]. Further, node edits andedge edits can be given different importance levels.

(6) Median Graph Edit Distance [133], [137]: Mediangraph can be computed for a fixed window of graphsusing graph edit distance. Median graph edit distanceis the edit distance of the graph from the mediangraph.

(7) Modality Distance [133]: The Modality distancebetween graphs G and H is the absolute value of thedifference between the Perron vectors of these graphs.Perron vector is the eigen vector corresponding to thelargest eigen value for the adjacency matrix of thecorresponding graph.

(8) Diameter Distance [133], [138]: The Diameterdistance between graphs G and H is the differencein the diameters for each graph.

(9) Entropy Distance [133], [138]: The Entropy dis-tance between graphs G and H is defined usingentropy-like measures associated with edge weightsfor the corresponding graphs.

(10) Spectral Distance [133], [138]: The Spectral dis-tance between graphs G and H is defined in termsof the k largest eigenvalues of the Laplacian for thegraphs G and H respectively.

(11) Umeyama graph distance [139]: The Umeyamagraph distance is defined as the sum of the squaresof the differences between edge weights for the corre-sponding edges of the graphs G and H respectively.

(12) Vector Similarity [134]: This is computed as theEuclidean distance between the principal eigenvectorsof the graph adjacency matrices of the two graphs.

(13) Spearman’s correlation coefficient [134]: This iscalculated as the rank correlation between sorted listsof vertices of the two graphs. Vertices are sorted basedon the PageRank or some other properties.

(14) Sequence similarity [140], [134]: It is the similar-ity of vertex sequences of the graphs that are obtainedthrough a graph serialization algorithm. Such an algo-rithm creates a serial ordering of graph vertices whichis maximally edge connected. That means that itmaximizes the number of vertices that are consecutivein the ordering and are edge connected in the graph.

(15) Signature similarity [140], [134]: It is computedas the Hamming distance between the fingerprints oftwo graphs. To get such fingerprints, a similarity hashfunction is applied to the graphs being compared.

(16) Vertex/edge overlap (VEO) [140]: Two graphsare similar if they share many vertices and/or edges.The Jaccard index is one way to compute the overlapbetween two graphs. It is defined as the length ofintersections of vertices/edges divided by that of theunion.

(17) Vertex ranking (VR) [140]: Two graphs aresimilar if the rankings of their vertices are similar. Thevertices can be ranked using their qualities, and thesimilarity of rankings can be computed using a rankcorrelation method such as Spearman’s correlationcoefficient.

For TCP/IP traffic data, it was observed that timeseries based on the MCS edge, MCS vertex, edit, me-


dian and entropy metrics had no false positives. How-ever, the time series based on the spectral, modalityand diameter distance metrics are considerably morecomputationally intensive and also did not lend them-selves to accurate ARMA modelling [133]. Amongstvertex ranking, vector similarity, vertex/edge over-lap, sequence similarity, and signature similarity, Pa-padimitriou et al. [134] observed that signature simi-larity and vector similarity were the best at detectinganomalies from web crawl graphs while not yieldingfalse positives.

Another measure to define outliers on a pair ofgraph snapshots is the shortest path distance betweenany pair of nodes. Given two snapshots of a temporalgraph, Gupta et al. [141] study the problem of findingnode pair outliers which are node pairs with maxi-mum change in shortest path distance across the twograph snapshots.

6.2 Online Graph Outlier Detection Algorithms

Given: A stream of graphsFind: Outlier graph snapshots or outlier localizedregions

The techniques in the previous subsection are usu-ally applied over a fixed length time series of graphs.Next, we will discuss an eigenvector based approachand a structural outlier detection approach for graphstreams.

Ide et al. [142] proposed an eigenvector-basedmethod for anomaly detection over graph streams.The principal eigenvector of the graph weight matrixat time t is called activity vector u(t). Activity vectorsover time interval h are stored in the matrix U(t) =[u(t), u(t− 1), . . ., u(t−h+1)]. Then the “typical pat-tern” is defined to be the left singular vector of U(t).For any new data point at time t, this U(t− 1) matrixis constructed, the typical pattern is extracted andthen the typical pattern vector is compared againstthe activity vector at time t. The angle between thevectors gives similarity between the activity vectorand the typical pattern of the data in the last h timesnapshots. The authors provide an online algorithm tocalculate the threshold for the angle as well. A similarmethod is also proposed by Akoglu et al. [143] to spotanomalous points in time at which many agents in anagent network change their behavior in a way suchthat it deviates from the norm.

While Ide et al. take a spectral approach, Aggarwalet al. [9] propose the problem of structural outlierdetection in massive network streams. They use astructural connectivity model to define outliers ingraph streams as those graph objects which containsuch unusual bridging edges. To handle the sparsityproblem of massive networks, the network is dy-namically partitioned to construct statistically robustmodels of the connectivity behavior. These models aremaintained using an innovative reservoir sampling

…

Co

mm

un

ity

De

tect

ion

Co

mm

un

ity

Ch

an

ge

/Tre

nd

Pa

tte

rn D

isco

ve

ry

Co

mm

un

ity

Ou

tlie

r D

ete

ctio

n

Graph

SnapshotsCommunities

…

Fig. 7. A Framework for Community Outlier Detection

approach for efficient structural compression of theunderlying graph stream. Using these models, edgegeneration probability is defined and then graph ob-ject likelihood fit is defined as the geometric meanof the likelihood fits of its constituent edges. Thoseobjects for which this fit is t standard deviationsbelow the average of the likelihood probabilities of allobjects received so far are reported as outliers. Further,in [162], the authors maintain the information aboutthe changes in the different neighborhoods of the net-work using a localized principal component analysisalgorithm. Localized regions of sudden change in theunderlying network are then reported as outliers.

6.3 Community based Outlier Detection Algo-rithmsGiven: A series of graph snapshotsFind: Outlier nodes with anomalous temporal com-munity changes

Given two snapshots of a network, the commu-nities evolve across the two snapshots. While mostobjects follow the popular community distributionchange trends, some objects do not. Such rare objectsare called Evolutionary Community Outliers (ECOut-liers) [13]. Figure 7 shows a typical framework todiscover community outliers from network data. Tobegin with, communities can be discovered indepen-dently in both snapshots. To discover ECOutliers,it is important to first identify the usual transitiontrends of community evolution. A key problem indiscovering the community transition trends is com-puting matching communities across both snapshots.ECOutlier detection can then be performed usingthese patterns. However, community matching itselfsuffers from ECOutliers and hence must be donein an outlier-aware way. The framework discussedin [13] integrates outlier detection and communitymatching together in an iterative manner. Such anintegrated formulation performs much better thanperforming outlier detection after community match-ing separately.

Moreover, the authors investigated the task of out-lier detection in a general setting of multiple networksnapshots [12]. Such outliers are called Community


Trend Outliers (CTOutliers). This study exploits thesubtle temporal community evolution trends to per-form outlier detection. While ECOutliers [13] cap-ture the notion of anomalous community transi-tions, CTOutliers [12] capture anomalous communitychanges across multiple time snapshots, and in a moresubtle way. Two main challenges were (1) computingpatterns from a sequence of community membershipprobability distributions (soft sequences) associatedwith every object for a series of timestamps, and(2) computing the outlier score of individual softsequences based on such patterns. The authors pro-posed an effective two-step procedure to detect com-munity trend outliers. They first modeled the normalevolutionary behavior of communities across timeusing soft patterns discovered from the dataset. Inthe second step, they proposed effective measures toevaluate probability of an object deviating from thenormal evolutionary patterns.

Besides these, a variety of metrics have been pro-posed in [144], that can be used for communitybased temporal outlier detection in graphs. These in-clude consistency between two clusterings, snapshotclustering quality, social stability and sociability ofobjects. Though community based outlier detectionhas been studied for a static heterogeneous graphrecently [145], there is no technique yet for temporalheterogeneous graphs.

7 APPLICATIONS OF TEMPORAL OUTLIERDETECTION TECHNIQUES

In this section, we briefly discuss different environ-mental, industrial, surveillance, computer network,biological, astronomy, web, information network andeconomics applications, which are relevant to tempo-ral outlier detection.

7.1 Environmental Sensor Data

Hill et al. [75], [106] use dynamic Bayesian networksto identify measurement errors in a wind speed datastream from WATERS Network Corpus Christi Baytestbed. Angiulli et al. [108] extract distance outliersfrom the rain, sea surface temperature, relative hu-midity, precipitation time series obtained from thePacific Marine Environmental Laboratory of the U.S.National Oceanic and Atmospheric Administration(NOAA). Birant et al. [123] identify spatio-temporaloutliers from the wave height values of four seas: theBlack Sea, the Marmara Sea, the Aegean Sea, and theeast of the Mediterranean Sea. The outliers consist oflocations with significantly high wave height valueson a particular date compared to its spatio-temporalneighbors. Cheng et al. [126] compute spatio-temporaloutliers from the water height data obtained fromAmeland, a barrier island in the north of the Nether-lands. Sun et al. [146] explore the South China area

dataset from 1992 to 2002 with five variables: cloudcover percentage, diurnal temperature range, precipi-tation, temperature, vapor and pressure. They answeroutlier queries like “which locations always havedifferent temperature from their neighborhoods in therecent 10 years”. They can find droughts and floodoutliers like flood in Yangzi River Valley in 1998.Wu et al. [128] find extreme precipitation events fromSouth American precipitation data set obtained fromthe NOAA (Hydrology) for Peru over 1998-2002. Out-lier detection using rotated PCA has also been usedto discover drought areas, intense fertility loss ar-eas, hurricanes from Australian district rainfall [147],Sicily Island yearly Maximum Value Composit ofSPOT/VEGETATION NDVI [148] and NOAA/NCEP(National Centers of Environmental Prediction) globalreanalysis [129] data sets.

7.2 Industrial Sensor DataThe work in [74] predicts anomalies based on twodifferent signals obtained from a flight data recorder(FDR). These correspond to the altitude of the air-craft and roll angle. These have been used to findanomalous altitude changes and roll angle using de-viation from median-based prediction. Anomalies injet engines have been discovered by analyzing thehigh/low pressure shaft harmonic frequencies in jetengine vibration data [25] using k-Means clustering.Similarly, anomalies such as tool breakage detectionhave been discovered using cutting force data [149]with a neural network. Bu et al. [93] discover discordsfrom power consumption data for a Dutch researchfacility using Haar wavelets and augmented tries.

7.3 Surveillance and Trajectory DataLi et al. [132] discover anomalies from average dailyspeed and average daily load dataset for taxicabs inSan Francisco during July 2006. Ge et al. [131] findanomalies such as vehicle moving to the left side ofthe road (wrong way), vehicle taking a wrong shortcut, and people jaywalking. Yankov et al. [97] also finddiscords from trajectory data. Trajectory data can alsobe used for monitoring the movement of patients andsenior citizens. For example, it can be used to discoverevents such as taking a wrong bus, having a badfall, encountering a sudden slow-down and gettinglost [110]. They use dynamic cluster maintenance todiscover such outlier activities.

Surveillance data can be useful in smart homesto discover anomaly situations. An example wouldbe the situation where the resident has turned onthe bathwater, but has not turned it off before goingto bed [150]. Similarly, data from health and med-ical monitoring sensors attached to patients can beused to identify symptoms or diseases. Surveillancevideos can be explored to discover outliers, such asthe appearance of a new object, object zooming in


a camera and novel video content [113] using thedistance based local outliers for data streams. Pokrajacet al. [113] study trajectories from surveillance videosto identify anomalous behaviors such as people firstwalking right and then back left, or people walkingvery slowly.

7.4 Computer Networks DataTechniques for outlier detection from temporal datahave been widely used for intrusion detection [24],[61], [62], [63], [108], [151]. Lakhina et al. [152] usemultivariate timeseries of origin-destination flowsmeasuring the number of bytes, packets, and IP-levelflows to discover anomalies such as high rate point-to-point byte transfer, denial of service (DOS), dis-tributed denial of service (DDOS) attacks, flash crowd(large demand for a resource/service), host scanningfor a vulnerable port or network scanning for a tar-get port, WORM5, OUTAGE6, etc. They find outliersusing the subspace method which is borrowed fromthe multivariate statistical process control literature.Domain-specific features, such as duration, protocoltype, number of bytes transferred for TCP connectionwith Euclidean distance are used with a variant ofsingle-linkage clustering in [28]. Ye [38] uses Markovmodels on the audit data of a Sun Solaris systemfrom MIT Lincoln lab to detect intrusion scenarios,such as password guessing, root privileges accessthrough symbolic links, remote unauthorized accessattempt, etc. Sequences of Unix user commands areexamined in [33] using SVMs to discriminate betweennormal sequences and intrusion sequences. A variantof the online sequential discounting algorithm hasbeen used in [153] to characterize probabilistic corre-lation between flow-intensities measured at multiplepoints in a computer network using GMMs. An Au-toRegressive model with eXogenous inputs (ARX) hasbeen proposed in [154] to learn the relationship be-tween flow intensities measured at multiple points ina computer network, and thereby detect correlation-based faults.

7.5 Biological DataKeogh et al. [91] discover anomalous subsequences(discords) from electrocardiograms. Shape discords(unusual shapes) have been found to be useful in zo-ology, anthropology, and medicine [92]. Wei et al. [92]use shape discords to discover an odd butterfly, givena group of seemingly similar butterflies. Given adataset of red blood cells, they use their techniques todiscover teardrop shaped cells, or dacrocytes, whichis indicative of several blood disorders. A fungusdataset has been studied to discover spores that have

5A self propagating code that spreads across a network byexploiting security flaws

6Events causing decrease in traffic exchanged between a pairof nodes

sprouted an “appendage” known as a germ tube.Endangered species equipped with sensors have beenstudied to discover abnormal migration behaviors ofthe species.

7.6 Astronomy DataKeogh et al. [91] discover discords from Space teleme-try data. These discords correspond to manuallynoted errors, such as “Poppet pulled significantlyout of the solenoid before energizing”. Yankov etal. [97] find discords from star light-curve data. Zhu etal. [101] detect high gamma ray bursts from MilagroGamma Ray data stream.

7.7 Web DataGiven multiple crawls of the web graph, Papadim-itriou et al. [140], [134] find a crawl graph withanomalies. These anomalies refer either to failuresof the web hosts that do not allow the crawler toaccess their content or hardware/software problemsin the search engine infrastructure that can corruptparts of the crawled data. They use graph similaritymeasures like vertex/edge overlap, vertex ranking,vertex/edge vector similarity, sequence similarity andsignature similarity to derive respective time seriesand then detect outliers. Yankov et al. [97] study theMSN query logs to discover both anticipated bursts(e.g., “easter”, “hanukkah”) and unanticipated bursts(e.g., unexpected events like death of a celebrity) ofweb queries as discords. Lappas et al. [155] use thenotion of spatiotemporal term burstiness to computehighly spatiotemporally impactful events as outliers.Mathioudakis et al. [156] also propose efficient dy-namic programming algorithms for the similar taskof identifying notable geographically focused eventsfrom user generated content.

7.8 Information Network DataAggarwal et al. [9] discover graphs representing inter-disciplinary research papers as outliers from the DBLPdataset using structural outlier detection in massivenetwork streams. They also discover movies witha cast from multiple countries as outliers from theIMDB dataset. Gupta et al. [13] discover those authorsfrom DBLP co-authorship network as outliers whichshow a significant deviation in the changes of their re-search areas compared with other authors. This workexplores the difference across two network snapshotsusing temporal community outlier detection methods.Similarly, they discover actors from IMDB as outlierswhich show a very unusual change in their moviegenre distributions. Priebe et al. [157] study the com-munication graph of the Enron data with respect tothe maximum degree and digraph size scan statistics.Excessive communication outliers which can suggestinsider trading scenarios are discovered.


7.9 Economics Time Series Data

Various temporal economic datasets have been stud-ied with respect to outlier detection. Gupta et al. [12]identify country outliers based on the unusual changein the constituents of the GDP (Consumption, Invest-ment, Public Expenditure and Net Exports) acrosstime, using temporal community outlier detectionmethods. They also find US states as outliers from theBudget dataset with respect to anomalous change inthe distribution of spending with respect to differentcomponents. Otey et al. [116] study the US CensusBureau’s Income data set to detect outliers, on the ba-sis of unusual combinations of demographic attributevalues. They also studied the US Congressional VotingData to find outliers. An example is a Republicancongressman who voted significantly differently fromhis party on four bills. They use distance based outlierdetection for distributed temporal data to obtain suchoutliers. Zhu et al. [101] perform outlier subsequencedetection from the NYSE IBM stock time series datausing Shifted Wavelet Trees.

8 CONCLUSIONS AND LESSONS LEARNED

In this work, we presented an organized overview ofthe various techniques proposed for outlier detectionon temporal data. Modeling temporal data is a chal-lenging task due to the dynamic nature and complexevolutionary patterns in the data. In the past, thereare a wide variety of models developed to capturedifferent facets in temporal data outlier detection.This survey organized the discussion along differ-ent data types, presented various outlier definitions,and briefly introduced the corresponding techniques.Finally, we also discussed various applications forwhich these techniques have been successfully used.This survey provides a number of insights and lessonsas follows.• The methods for different data types are not easy

to generalize to one another, though some ofthem may have similarity in the framework atthe broader level. For example, change detectionin continuous time series and discrete time seriesboth require forecasting methods. However, thespecific kind of forecasting method is extremelydifferent in the two scenarios (regression modelsin one vs Markov Models in the other).

• Most window based models are currently offline,whereas online methods do exist for point basedmodels. Therefore, there is significant opportu-nity for research in the former.

• While the number of formulations of the tem-poral outlier detection problem are diverse, theyare generally motivated by the most commonapplications which are encountered in the liter-ature. Many recent applications, especially thosecorresponding to novel data types in the context

of web-based applications, may result in combi-nations of facets, which have not been exploredbefore.

• There are numerous formulations of temporaloutlier detection, which have not been sufficientlyexplored. This is because of the many differ-ent combinations of facets, which can be usedfor defining temporal outlier detection problems.Complex data types such as social streams inwhich two different data types are present incombination (text and structure) have also notbeen studied.

This comprehensive survey provides a good insightinto various techniques that have been applied onmultiple forms of temporal data and can be usedto identify problem settings that can be worked onin the future. Finally, for further reading, we directthe reader to a recent book on outlier analysis [1]and [158] for a tutorial version of this survey. Also,[159] present outlier detection techniques for timeseries data and [160], [161] discuss novelty detectiontechniques.

ACKNOWLEDGMENTThe work was supported in part by the U.S. Army Re-search Laboratory under Cooperative Agreement No.W911NF-11-2-0086 (Cyber-Security) and W911NF-09-2-0053 (NS-CTA), the U.S. Army Research Office un-der Cooperative Agreement No. W911NF-13-1-0193,and U.S. National Science Foundation grants CNS-0931975, IIS-1017362, and IIS-1320617.

REFERENCES[1] C. C. Aggarwal, Outlier Analysis. Springer, 2013.[2] V. Chandola, A. Banerjee, and V. Kumar, “Anomaly Detec-

tion: A Survey,” ACM Computing Surveys, vol. 41, no. 3, pp.15:1–15:58, 2009.

[3] V. J. Hodge and J. Austin, “A Survey of Outlier DetectionMethodologies,” Artificial Intelligence Review, vol. 22, no. 2,pp. 85–126, 2004.

[4] Y. Zhang, N. Meratnia, and P. J. M. Havinga, “Outlier Detec-tion Techniques For Wireless Sensor Networks: A Survey,”Centre for Telematics and Information Technology Universityof Twente, Tech. Rep. TR-CTIT-08-59, Oct 2008.

[5] C. C. Aggarwal and P. S. Yu, “Outlier Detection for HighDimensional Data,” SIGMOD Records, vol. 30, pp. 37–46, May2001.

[6] C. C. Aggarwal and P. S. Yu, “Outlier Detection with Uncer-tain Data,” in Proc. of the 2008 SIAM Intl. Conf. on Data Mining(SDM), 2008, pp. 483–493.

[7] C. Aggarwal and K. Subbian, “Event Detection in SocialStreams,” in Proc. of the 12th SIAM Intl. Conf. on Data Mining(SDM), 2012, pp. 624–635.

[8] C. C. Aggarwal, “On Abnormality Detection in SpuriouslyPopulated Data Streams,” in Proc. of the 2005 SIAM Intl. Conf.on Data Mining (SDM), 2005, pp. 80–91.

[9] C. C. Aggarwal, Y. Zhao, and P. S. Yu, “Outlier Detectionin Graph Streams,” in Proc. of the 27th Intl. Conf. on DataEngineering (ICDE). IEEE Computer Society, 2011, pp. 399–409.

[10] J. Gao, F. Liang, W. Fan, C. Wang, Y. Sun, and J. Han,“On Community Outliers and their Efficient Detection inInformation Networks,” in Proc. of the 16th ACM Intl. Conf. onKnowledge Discovery and Data Mining (KDD), 2010, pp. 813–822.


[11] A. Ghoting, M. E. Otey, and S. Parthasarathy, “LOADED:Link-Based Outlier and Anomaly Detection in Evolving DataSets,” in Proc. of the 4th IEEE Intl. Conf. on Data Mining(ICDM), 2004, pp. 387–390.

[12] M. Gupta, J. Gao, Y. Sun, and J. Han, “Community TrendOutlier Detection using Soft Temporal Pattern Mining,” inProc. of the 2012 European Conf. on Machine Learning andKnowledge Discovery in Databases (ECML PKDD), 2012, pp.692–708.

[13] M. Gupta, J. Gao, Y. Sun, and J. Han, “Integrating CommunityMatching and Outlier Detection for Mining EvolutionaryCommunity Outliers,” in Proc. of the 18th ACM Intl. Conf. onKnowledge Discovery and Data Mining (KDD), 2012, pp. 859–867.

[14] J. P. Burman and M. C. Otto, “Census Bureau ResearchProject: Outliers in Time Series,” 1988.

[15] A. J. Fox, “Outliers in Time Series,” Journal of the RoyalStatistical Society. Series B (Methodological), vol. 34, no. 3, pp.350–363, 1972.

[16] H. Cho, Y. jin Kim, H. J. Jung, S.-W. Lee, and J. W. Lee,“Outlierd: An r package for outlier detection using quantileregression on mass spectrometry data,” Bioinformatics, vol. 24,no. 6, pp. 882–884, 2008.

[17] V. Barnett and T. Lewis, Outliers in Statistical Data. JohnWiley & Sons Ltd., 1978.

[18] D. M. Hawkins, Identification of Outliers. Chapman and Hall,1980.

[19] P. J. Rousseeuw and A. M. Leroy, Robust Regression and OutlierDetection. John Wiley & Sons, Inc., 1987.

[20] T. Lane, C. Brodley et al., “Sequence Matching and Learningin Anomaly Detection for Computer Security,” in AAAI Work-shop: AI Approaches to Fraud Detection and Risk Management,1997, pp. 43–49.

[21] S. Budalakoti, A. Srivastava, R. Akella, and E. Turkov,“Anomaly Detection in Large Sets of High-dimensional Sym-bol Sequences,” NASA Ames Research Center, Tech. Rep. NASATM-2006-214553, 2006.

[22] S. Budalakoti, A. N. Srivastava, and M. E. Otey, “AnomalyDetection and Diagnosis Algorithms for Discrete SymbolSequences with Applications to Airline Safety,” IEEE Trans-actions on Systems, Man, and Cybernetics, Part C: Applications,vol. 39, no. 1, pp. 101–113, Jan 2009.

[23] V. Chandola, V. Mithal, and V. Kumar, “A ComparativeEvaluation of Anomaly Detection Techniques for SequenceData,” in Proc. of the 2008 8th IEEE Intl. Conf. on Data Mining(ICDM), 2008, pp. 743–748.

[24] K. Sequeira and M. Zaki, “ADMIT: Anomaly-based DataMining for Intrusions,” in Proc. of the 8th ACM Intl. Conf. onKnowledge Discovery and Data Mining (KDD), 2002, pp. 386–395.

[25] A. Nairac, N. Townsend, R. Carr, S. King, P. Cowley, andL. Tarassenko, “A System for the Analysis of Jet EngineVibration Data,” Integrated Computer-Aided Engineering, vol. 6,no. 1, pp. 53–66, Jan 1999.

[26] X. Pan, J. Tan, S. Kavulya, R. Gandhi, and P. Narasimhan,“Ganesha: BlackBox Diagnosis of MapReduce Systems,” SIG-METRICS Performance Evaluation Review, vol. 37, no. 3, pp.8–13, Jan 2010.

[27] U. Rebbapragada, P. Protopapas, C. E. Brodley, and C. Alcock,“Finding Anomalous Periodic Time Series,” Journal of MachineLearning, vol. 74, no. 3, pp. 281–313, Mar 2009.

[28] L. Portnoy, E. Eskin, and S. Stolfo, “Intrusion Detection withUnlabeled Data using Clustering,” in Proc. of the ACM CSSWorkshop on Data Mining Applied to Security (DMSA), 2001,pp. 5–8.

[29] M. Gupta, A. B. Sharma, H. Chen, and G. Jiang, “Context-Aware Time Series Anomaly Detection for Complex Sys-tems,” in Proc. of the SDM Workshop on Data Mining for Serviceand Maintenance, 2013.

[30] E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo, “AGeometric Framework for Unsupervised Anomaly Detection:Detecting Intrusions in Unlabeled Data,” in Proc. of Applica-tions of Data Mining in Computer Security, 2002.

[31] P. Evangelista, P. Bonnisone, M. Embrechts, and B. Szyman-ski, “Fuzzy ROC Curves for the 1 Class SVM: Application to

Intrusion Detection,” in Proc. of the 13th European Symposiumon Artificial Neural Networks, 2005, pp. 345–350.

[32] J. Ma and S. Perkins, “Time-series Novelty Detection usingOne-class Support Vector Machines,” in Proc. of the Intl. JointConf. on Neural Networks (IJCNN), vol. 3, Jul 2003, pp. 1741–1745.

[33] B. Szymanski and Y. Zhang, “Recursive Data Mining for Mas-querade Detection and Author Identification,” in Proc. of the5th Annual IEEE Systems, Man, and Cybernetics - InformationAssurance Workshop, 2004, pp. 424–431.

[34] F. A. Gonzalez and D. Dasgupta, “Anomaly Detection UsingReal-Valued Negative Selection,” Genetic Programming andEvolvable Machines, vol. 4, no. 4, pp. 383–403, Dec 2003.

[35] C. Marceau, “Characterizing the Behavior of a Program usingMultiple-length N-grams,” in Proc. of the 2000 Workshop onNew Security Paradigms (NSPW), 2000, pp. 101–110.

[36] C. C. Michael and A. Ghosh, “Two State-based Approachesto Program-based Anomaly Detection,” in Proc. of the 16th

Annual Computer Security Applications Conference (ACSAC),2000, pp. 21–30.

[37] S. Salvador and P. Chan, “Learning States and Rules forDetecting Anomalies in Time Series,” Applied Intelligence,vol. 23, no. 3, pp. 241–255, Dec 2005.

[38] N. Ye, “A Markov Chain Model of Temporal Behavior forAnomaly Detection,” in Proc. of the 2000 IEEE Systems, Man,and Cybernetics - Information Assurance and Security Workshop,vol. 166, 2000, pp. 171–174.

[39] J. Yang and W. Wang, “CLUSEQ: Efficient and EffectiveSequence Clustering,” in Proc. of the 19th Intl. Conf. on DataEngineering (ICDE), 2003, pp. 101–112.

[40] P. Sun, S. Chawla, and B. Arunasalam, “Mining for Outliersin Sequential Databases,” in Proc. of the 6th SIAM Intl. Conf.on Data Mining (SDM), 2006, pp. 94–105.

[41] E. Eskin, W. Lee, and S. Stolfo, “Modeling System Calls forIntrusion Detection with Dynamic Window Sizes,” in Proc.of the DARPA Information Survivability Conf & Exposition II(DISCEX), vol. 1, 2001, pp. 165–175.

[42] W. Lee, S. J. Stolfo, and P. K. Chan, “Learning Patterns fromUnix Process Execution Traces for Intrusion Detection,” in InAAAI Workshop on AI Approaches to Fraud Detection and RiskManagement, 1997, pp. 50–56.

[43] G. Florez-Larrahondo, S. M. Bridges, and R. Vaughn, “Ef-ficient Modeling of Discrete Events for Anomaly Detectionusing Hidden Markov Models,” in Proc. of the 8th Intl. Conf.on Information Security (ISC), 2005, pp. 506–514.

[44] B. Gao, H.-Y. Ma, and Y.-H. Yang, “HMMs (Hidden MarkovModels) based on Anomaly Intrusion Detection Method,” inProc. of the 2002 Intl. Conf. on Machine Learning and Cybernetics,vol. 1, 2002, pp. 381–385.

[45] Y. Qiao, X. Xin, Y. Bin, and S. Ge, “Anomaly IntrusionDetection Method based on HMM,” Electronics Letters, vol. 38,no. 13, pp. 663–664, Jun 2002.

[46] X. Zhang, P. Fan, and Z. Zhu, “A New Anomaly DetectionMethod based on Hierarchical HMM,” in Proc. of the 4th Intl.Conf. on Parallel and Distributed Computing, Applications andTechnologies (PDCAT), Aug 2003, pp. 249–252.

[47] X. Li and J. Han, “Mining Approximate Top-K SubspaceAnomalies in Multi-dimensional Time-series Data,” in Proc.of the 33rd Intl. Conf. on Very Large Data Bases (VLDB), 2007,pp. 447–458.

[48] W. Lee and S. J. Stolfo, “Data Mining Approaches for Intru-sion Detection,” in Proc. of the 7th Conf. on USENIX SecuritySymposium (SSYM), 1998, pp. 6–20.

[49] J. a. B. D. Cabrera, L. Lewis, and R. K. Mehra, “Detectionand Classification of Intrusions and Faults using Sequencesof System Calls,” SIGMOD Records, vol. 30, no. 4, pp. 25–34,Dec 2001.

[50] D. Dasgupta and F. Nino, “A Comparison of Negative andPositive Selection Algorithms in Novel Pattern Detection,”in Proc. of the 2000 IEEE Intl. Conf. on Systems, Man, andCybernetics, vol. 1, 2000, pp. 125–130.

[51] D. Endler, “Intrusion Detection Applying Machine Learningto Solaris Audit Data,” in Proc. of the 14th Annual ComputerSecurity Applications Conf. (ACSAC), 1998, pp. 268–279.

[52] A. K. Gosh, J. Wanken, and F. Charron, “Detecting Anoma-lous and Unknown Intrusions Against Programs,” in Proc. of


the 14th Annual Computer Security Applications Conf. (ACSAC),1998, pp. 259–267.

[53] A. Ghosh, A. Schwartzbard, and M. Schatz, “Learning Pro-gram Behavior Profiles for Intrusion Detection,” in Proc. ofthe 1st USENIX Workshop on Intrusion Detection and NetworkMonitoring, 1999, pp. 51–62.

[54] A. K. Ghosh and A. Schwartzbard, “A Study in using NeuralNetworks for Anomaly and Misuse Detection,” in Proc. of the8th Conf. on USENIX Security Symposium (SSYM), 1999, pp.12–23.

[55] X. Li, J. Han, and S. Kim, “Motion-Alert: Automatic AnomalyDetection in Massive Moving Objects,” in Proc. of the 4th IEEEIntl. Conf. on Intelligence and Security Informatics (ISI), 2006, pp.166–177.

[56] D.-K. Kang, D. Fuller, and V. Honavar, “Learning Classifiersfor Misuse Detection using a Bag of System Calls Represen-tation,” in Proc. of the 3rd IEEE Intl. Conf. on Intelligence andSecurity Informatics (ISI), 2005, pp. 511–516.

[57] S. Tian, S. Mu, and C. Yin, “Sequence-similarity Kernels forSVMs to Detect Anomalies in System Calls,” Neurocomputing,vol. 70, no. 4-6, pp. 859–866, Jan 2007.

[58] M. Wang, C. Zhang, and J. Yu, “Native API Based WindowsAnomaly Intrusion Detection Method Using SVM,” in Proc.of the IEEE Intl. Conf. on Sensor Networks, Ubiquitous, andTrustworthy Computing -Vol 1 (SUTC), 2006, pp. 514–519.

[59] X. Li, J. Han, S. Kim, and H. Gonzalez, “ROAM: Rule- andMotif-Based Anomaly Detection in Massive Moving ObjectData Sets,” in Proc. of the 7th SIAM Intl. Conf. on Data Mining(SDM), 2007, pp. 273–284.

[60] A. Ghosh, A. Schwartzbard, M. Schatz et al., “Using ProgramBehavior Profiles for Intrusion Detection,” in Proc. of theSANS Intrusion Detection Workshop, 1999.

[61] S. A. Hofmeyr, S. Forrest, and A. Somayaji, “Intrusion De-tection using Sequences of System Calls,” Journal of ComputerSecurity, vol. 6, no. 3, pp. 151–180, Aug 1998.

[62] T. Lane and C. E. Brodley, “An Application of MachineLearning to Anomaly Detection,” in Proc. of the 20th NationalInformation Systems Security Conf. (NISSC), 1997, pp. 366–380.

[63] T. Lane and C. E. Brodley, “Temporal Sequence Learning andData Reduction for Anomaly Detection,” in Proc. of the 5th

ACM Conf. on Computer and Communications Security (CCS),1998, pp. 150–158.

[64] S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff,“A Sense of Self for Unix Processes,” in Proc. of the 1996 IEEESymposium on Security and Privacy, 1996, pp. 120–128.

[65] D. Dasgupta and N. Majumdar, “Anomaly Detection in Mul-tidimensional Data using Negative Selection Algorithm,” inProc. of the 2002 Congress on Evolutionary Computation (CEC),vol. 2, 2002, pp. 1039–1044.

[66] P. D’haeseleer, S. Forrest, and P. Helman, “An ImmunologicalApproach to Change Detection: Algorithms, Analysis andImplications,” in Proc. of the 1996 IEEE Symposium on Securityand Privacy, May 1996, pp. 110–119.

[67] S. Forrest, A. S. Perelson, L. Allen, and R. Cherukuri, “Self-Nonself Discrimination in a Computer,” in Proc. of the 1994IEEE Symposium on Security and Privacy, 1994, pp. 202–212.

[68] E. Keogh, S. Lonardi, and B. Y.-c. Chiu, “Finding SurprisingPatterns in a Time Series Database in Linear Time and Space,”in Proc. of the 8th ACM Intl. Conf. on Knowledge Discovery andData Mining (KDD), 2002, pp. 550–556.

[69] M. Atallah, R. Gwadera, and W. Szpankowski, “Detection ofSignificant Sets of Episodes in Event Sequences,” in Proc. ofthe 4th IEEE Intl. Conf. on Data Mining (ICDM), 2004, pp. 3–10.

[70] J. Lin, E. Keogh, S. Lonardi, and B. Chiu, “A Symbolic Rep-resentation of Time Series, with Implications for StreamingAlgorithms,” in Proc. of the 8th ACM SIGMOD Workshop onResearch Issues in Data Mining and Knowledge Discovery, 2003,pp. 2–11.

[71] J. Lin, E. Keogh, L. Wei, and S. Lonardi, “Experiencing SAX: ANovel Symbolic Representation of Time Series,” Data Miningand Knowledge Discovery (DMKD), vol. 15, no. 2, pp. 107–144,Oct 2007.

[72] R. Gwadera, M. J. Atallah, and W. Szpankowski, “MarkovModels for Identification of Significant Episodes,” in Proc. ofthe 5th SIAM Intl. Conf. on Data Mining (SDM), 2005, pp. 404–414.

[73] R. Gwadera, M. J. Atallah, and W. Szpankowski, “ReliableDetection of Episodes in Event Sequences,” Knowledge andInformation Systems (KAIS), vol. 7, no. 4, pp. 415–437, May2005.

[74] S. Basu and M. Meckesheimer, “Automatic Outlier Detectionfor Time Series: An Application to Sensor Data,” Knowledgeand Information Systems - Special Issue on Mining Low-QualityData, vol. 11, no. 2, pp. 137–154, Feb 2007.

[75] D. J. Hill and B. S. Minsker, “Anomaly Detection in StreamingEnvironmental Sensor Data: A Data-driven Modeling Ap-proach,” Environmental Modelling and Software, vol. 25, no. 9,pp. 1014–1022, Sep 2010.

[76] J. Ma and S. Perkins, “Online Novelty Detection on TemporalSequences,” in Proc. of the 9th ACM Intl. Conf on KnowledgeDiscovery and Data Mining (KDD), 2003, pp. 613–618.

[77] N. D. Le, R. D. Martin, and A. E. Raftery, “Modeling FlatStretches, Bursts, and Outliers in Time Series Using MixtureTransition Distribution Models,” Journal of the American Sta-tistical Association, vol. 91, no. 436, pp. 1504–1515, 1996.

[78] R. S. Tsay, D. Pena, and A. E. Pankratz, “Outliers in Multi-variate Time Series,” Biometrika, vol. 87, no. 4, pp. 789–804,2000.

[79] A. Luceno, “Detecting Possibly Non-Consecutive Outliers inIndustrial Time Series,” Journal of the Royal Statistical Society.Series B (Statistical Methodology), vol. 60, no. 2, pp. 295–310,1998.

[80] A. Justel, D. Pena, and R. S. Tsay, “Detection of OutlierPatches in Autoregressive Time Series,” Statistica Sinica,vol. 11, no. 3, pp. 651–674, 2001.

[81] A. M. Bianco, M. Garcıa Ben, E. J. Martnez, and V. J. Yohai,“Outlier Detection in Regression Models with ARIMA ErrorsUsing Robust Estimates,” Journal of Forecasting, vol. 20, no. 8,pp. 565–579, Dec 2001.

[82] I. Chang, G. C. Tiao, and C. Chen, “Estimation of Time SeriesParameters in the Presence of Outliers,” Technometrics, vol. 30,no. 2, pp. 193–204, 1988.

[83] C. Chen and L.-M. Liu, “Joint Estimation of Model Parame-ters and Outlier Effects in Time Series,” Journal of the AmericanStatistical Association, vol. 88, no. 421, pp. 284–297, 1993.

[84] R. S. Tsay, “Time Series Model Specification in the Presence ofOutliers,” Journal of the American Statistical Association, vol. 81,no. 393, pp. 132–141, 1986.

[85] P. Galeano, D. Pea, and R. S. Tsay, “Outlier Detection inMultivariate Time Series by Projection Pursuit,” Journal of theAmerican Statistical Association, vol. 101, no. 474, pp. 654–669,2006.

[86] A. W. Williams, S. M. Pertet, and P. Narasimhan, “Tiresias:Black-box Failure Prediction in Distributed Systems,” in Proc.of the 21st Intl. Parallel and Distributed Processing Symposium(IPDPS), 2007, pp. 1–8.

[87] G. Silvestri, F. Verona, M. Innocenti, and M. Napolitano,“Fault Detection using Neural Networks,” in Proc. of the 1994IEEE Intl. Conf. on Neural Networks, vol. 6, Jun 1994, pp. 3796–3799.

[88] H. V. Jagadish, N. Koudas, and S. Muthukrishnan, “MiningDeviants in a Time Series Database,” in Proc. of the 25th Intl.Conf. on Very Large Data Bases (VLDB), 1999, pp. 102–113.

[89] S. Muthukrishnan, R. Shah, and J. Vitter, “Mining Deviantsin Time Series Data Streams,” in Proc. of the 16th Intl. Conf.on Scientific and Statistical Database Management (SSDBM), Jun2004, pp. 41–50.

[90] E. Keogh, J. Lin, S.-H. Lee, and H. Van Herle, “Finding theMost Unusual Time Series Subsequence: Algorithms and Ap-plications,” Knowledge and Information Systems (KAIS), vol. 11,no. 1, pp. 1–27, Dec 2006.

[91] E. Keogh, J. Lin, and A. Fu, “HOT SAX: Efficiently Findingthe Most Unusual Time Series Subsequence,” in Proc. of the5th IEEE Intl. Conf. on Data Mining (ICDM), 2005, pp. 226–233.

[92] L. Wei, E. Keogh, and X. Xi, “SAXually Explicit Images:Finding Unusual Shapes,” in Proc. of the 6th Intl. Conf. onData Mining (ICDM), 2006, pp. 711–720.

[93] Y. Bu, O. T.-W. Leung, A. W.-C. Fu, E. J. Keogh, J. Pei, andS. Meshkin, “WAT: Finding Top-K Discords in Time SeriesDatabase,” in Proc. of the 7th SIAM Intl. Conf. on Data Mining(SDM), 2007, pp. 449–454.


[94] A. W.-c. Fu, O. T.-W. Leung, E. Keogh, and J. Lin, “FindingTime Series Discords based on Haar Transform,” in Proc. ofthe 2nd Intl. Conf. on Advanced Data Mining and Applications(ADMA), 2006, pp. 31–41.

[95] J. Lin, E. Keogh, A. Fu, and H. Van Herle, “Approximationsto Magic: Finding Unusual Medical Time Series,” in Proc. ofthe 18th IEEE Symposium on Computer-Based Medical Systems(CBMS), 2005, pp. 329–334.

[96] E. Keogh, S. Lonardi, and C. A. Ratanamahatana, “TowardsParameter-free Data Mining,” in Proc. of the 10th ACM Intl.Conf. on Knowledge Discovery and Data Mining (KDD), 2004,pp. 206–215.

[97] D. Yankov, E. Keogh, and U. Rebbapragada, “Disk AwareDiscord Discovery: Finding Unusual Time Series in TerabyteSized Datasets,” Knowledge and Information Systems (KAIS),vol. 17, no. 2, pp. 241–262, Nov 2008.

[98] X.-y. Chen and Y.-y. Zhan, “Multi-scale Anomaly DetectionAlgorithm based on Infrequent Pattern of Time Series,” Jour-nal of Computational and Applied Mathematics, vol. 214, no. 1,pp. 227–237, Apr 2008.

[99] C. Shahabi, X. Tian, and W. Zhao, “TSA-Tree: A Wavelet-Based Approach to Improve the Efficiency of Multi-LevelSurprise and Trend Queries on Time-Series Data,” in Proc.of the 12th Intl. Conf. on Scientific and Statistical DatabaseManagement (SSDBM), 2000, pp. 55–68.

[100] L. Wei, N. Kumar, V. Lolla, E. J. Keogh, S. Lonardi, andC. Ratanamahatana, “Assumption-free Anomaly Detection inTime Series,” in Proc. of the 17th Intl. Conf. on Scientific andStatistical Database Management (SSDBM), 2005, pp. 237–240.

[101] Y. Zhu and D. Shasha, “Efficient Elastic Burst Detection inData Streams,” in Proc. of the 9th ACM Intl. Conf on KnowledgeDiscovery and Data Mining (KDD), 2003, pp. 336–345.

[102] K. Yamanishi and J.-i. Takeuchi, “A Unifying Framework forDetecting Outliers and Change Points from Non-stationaryTime Series Data,” in Proc. of the 8th ACM Intl. Conf. onKnowledge Discovery and Data Mining (KDD), 2002, pp. 676–681.

[103] K. Yamanishi, J.-i. Takeuchi, G. Williams, and P. Milne, “On-Line Unsupervised Outlier Detection Using Finite Mixtureswith Discounting Learning Algorithms,” Data Mining andKnowledge Discovery, vol. 8, no. 3, pp. 275–300, May 2004.

[104] A. V. Harold S. Javitz, “The nides statistical componentdescription and justification,” SRI International, Tech. Rep.A010, Mar 1994.

[105] C. C. Aggarwal and P. S. Yu, “On clustering massive text andcategorical data streams,” Knowl. Inf. Syst., vol. 24, no. 2, pp.171–196, 2010.

[106] D. J. Hill, B. S. Minsker, and E. Amir, “Real-time BayesianAnomaly Detection for Environmental Sensor Data,” in Proc.of the 32nd Conf. of Intl. Association of Hydraulic Engineeringand Research (IAHR), 2007.

[107] E. M. Knorr and R. T. Ng, “Algorithms for Mining Distance-Based Outliers in Large Datasets,” in Proc. of the 24th Intl.Conf. on Very Large Data Bases (VLDB). Morgan Kaufmann,1998, pp. 392–403.

[108] F. Angiulli and F. Fassetti, “Detecting Distance-based Outliersin Streams of Data,” in Proc. of the 16th ACM Conf. onInformation and Knowledge Management (CIKM), 2007, pp. 811–820.

[109] D. Yang, E. A. Rundensteiner, and M. O. Ward, “Neighbor-based Pattern Detection for Windows over Streaming Data,”in Proc. of the 12th Intl. Conf. on Extending Database Technology:Advances in Database Technology (EDBT), 2009, pp. 529–540.

[110] Y. Bu, L. Chen, A. W.-C. Fu, and D. Liu, “Efficient AnomalyMonitoring over Moving Object Trajectory Streams,” in Proc.of the 15th ACM Intl. Conf. on Knowledge Discovery and DataMining (KDD), 2009, pp. 159–168.

[111] H. Cao, Y. Zhou, L. Shou, and G. Chen, “Attribute OutlierDetection over Data Streams,” in Proc. of the 15th Intl. Conf.on Database Systems for Advanced Applications - Volume Part II(DASFAA), 2010, pp. 216–230.

[112] M. M. Breunig, H.-P. Kriegel, R. T. Ng, and J. Sander, “LOF:Identifying Density-based Local Outliers,” in Proc. of the 2000ACM SIGMOD Intl. Conf. on Management of Data (SIGMOD),2000, pp. 93–104.

[113] D. Pokrajac, A. Lazarevic, and L. J. Latecki, “IncrementalLocal Outlier Detection for Data Streams,” in Proc. of theIEEE Symposium on Computational Intelligence and Data Mining(CIDM). IEEE, Apr 2007, pp. 504–515.

[114] J. Zhang, Q. Gao, and H. Wang, “SPOT: A System forDetecting Projected Outliers From High-dimensional DataStreams,” in Proc. of the 2008 IEEE 24th Intl. Conf. on DataEngineering (ICDE), 2008, pp. 1628–1631.

[115] J. Branch, B. Szymanski, C. Giannella, R. Wolff, and H. Kar-gupta, “In-Network Outlier Detection in Wireless SensorNetworks,” in Proc. of the 26th IEEE Intl. Conf. on DistributedComputing Systems (ICDCS), 2006, pp. 51–81.

[116] M. E. Otey, A. Ghoting, and S. Parthasarathy, “Fast Dis-tributed Outlier Detection in Mixed-Attribute Data Sets,”Data Mining and Knowledge Discovery (DMKD), vol. 12, no.2-3, pp. 203–228, May 2006.

[117] S. Subramaniam, T. Palpanas, D. Papadopoulos, V. Kaloger-aki, and D. Gunopulos, “Online Outlier Detection in SensorData using Non-parametric Models,” in Proc. of the 32nd Intl.Conf. on Very Large Data Bases (VLDB), 2006, pp. 187–198.

[118] T. Palpanas, D. Papadopoulos, V. Kalogeraki, and D. Gunop-ulos, “Distributed Deviation Detection in Sensor Networks,”SIGMOD Records, vol. 32, no. 4, pp. 77–82, Dec 2003.

[119] N. A. C. Cressie, Statistics for Spatial Data. Wiley, Jan 1993.[120] M. Jun, H. Jeong, and C. Kuo, “Distributed Spatio-temporal

Outlier Detection in Sensor Networks,” in Society of Photo-Optical Instrumentation Engineers (SPIE), 2005, pp. 760–763.

[121] C. Franke and M. Gertz, “Detection and Exploration ofOutlier Regions in Sensor Data Streams,” in Proc. of the 2008IEEE Intl. Conf. on Data Mining Workshops (ICDMW), 2008,pp. 375–384.

[122] C. Franke and M. Gertz, “ORDEN: Outlier Region Detectionand Exploration in Sensor Networks,” in Proc. of the 2009ACM SIGMOD Intl. Conf. on Management of data (SIGMOD),2009, pp. 1075–1078.

[123] D. Birant and A. Kut, “Spatio-Temporal Outlier Detectionin Large Databases,” Journal of Computing and InformationTechnology (CIT), vol. 14, no. 4, pp. 291–297, 2006.

[124] M. Ester, H.-P. Kriegel, J. Sander, and X. Xu, “A Density-Based Algorithm for Discovering Clusters in Large SpatialDatabases with Noise,” in Proc. of the 2nd ACM Intl. Conf onKnowledge Discovery and Data Mining (KDD), 1996, pp. 226–231.

[125] T. Cheng and Z. Li, “A Hybrid Approach to Detect Spatial-Temporal Outliers,” in Proc. of the 12th Intl. Conf. on Geoin-formatics Geospatial Information Research, 2004, pp. 173–178.

[126] T. Cheng and Z. Li, “A Multiscale Approach for Spatio-Temporal Outlier Detection,” Transactions in Geographic Infor-mation Systems (T. GIS), vol. 10, no. 2, pp. 253–263, 2006.

[127] N. R. Adam, V. P. Janeja, and V. Atluri, “Neighborhood BasedDetection of Anomalies in High Dimensional Spatio-temporalSensor Datasets,” in Proc. of the 2004 ACM Symposium onApplied Computing (SAC), 2004, pp. 576–583.

[128] E. Wu, W. Liu, and S. Chawla, “Spatio-Temporal OutlierDetection in Precipitation Data,” in Proc. of the 2nd Intl. Conf.on Knowledge Discovery from Sensor Data (Sensor-KDD), 2010,pp. 115–133.

[129] C.-T. Lu and L. R. Liang, “Wavelet Fuzzy Classification forDetecting and Tracking Region Outliers in MeteorologicalData,” in Proc. of the 12th Annual ACM Intl. Workshop onGeographic Information Systems (GIS), 2004, pp. 258–265.

[130] J.-G. Lee, J. Han, and X. Li, “Trajectory Outlier Detection:A Partition-and-Detect Framework,” in Proc. of the 2008 IEEE24th Intl. Conf. on Data Engineering (ICDE), 2008, pp. 140–149.

[131] Y. Ge, H. Xiong, Z.-h. Zhou, H. Ozdemir, J. Yu, and K. C. Lee,“Top-Eye: Top-K Evolving Trajectory Outlier Detection,” inProc. of the 19th ACM Intl. Conf. on Information and KnowledgeManagement (CIKM), 2010, pp. 1733–1736.

[132] X. Li, Z. Li, J. Han, and J.-G. Lee, “Temporal Outlier Detectionin Vehicle Traffic Data,” in Proc. of the 2009 IEEE Intl. Conf.on Data Engineering (ICDE), 2009, pp. 1319–1322.

[133] B. Pincombe, “Anomaly Detection in Time Series of Graphsusing ARMA Processes,” ASOR Bulletin, vol. 24, no. 4, pp.2–10, 2005.

[134] P. Papadimitriou, A. Dasdan, and H. Garcia-Molina, “Web


Graph Similarity for Anomaly Detection,” in Proc. of the 17thIntl. Conf. on World Wide Web (WWW), 2008, pp. 1167–1168.

[135] P. Shoubridge, M. Kraetzl, and D. Ray, “Detection of Abnor-mal Change in Dynamic Networks,” in Proc. of the Intl. Conf.on Information, Decision and Control, 1999, pp. 557–562.

[136] K. M. Kapsabelis, P. J. Dickinson, and K. Dogancay, “Inves-tigation of Graph Edit Distance Cost Functions for Detectionof Network Anomalies,” in Proc. of the 13th Biennial Compu-tational Techniques and Applications Conf. (CTAC), vol. 48, Oct2007, pp. C436–C449.

[137] P. Dickinson, H. Bunke, A. Dadej, and M. Kraetzl, “MedianGraphs and Anomalous Change Detection in CommunicationNetworks,” in Proc. of the Intl. Conf. on Information, Decisionand Control, Feb 2002, pp. 59–64.

[138] M. Gaston, M. Kraetzl, and W. Wallis, “Graph Diameter as aPseudo-metric for Change Detection in Dynamic Networks,”Australasian Journal of Combinatorics, vol. 35, pp. 299–312,2006.

[139] P. Dickinson and M. Kraetzl, “Novel Approaches in Mod-elling Dynamics of Networked Surveillance Environment,”in Proc. of the 6th Intl. Conf. of Information Fusion, vol. 1, 2003,pp. 302–309.

[140] P. Papadimitriou, A. Dasdan, and H. Garcia-Molina, “WebGraph Similarity for Anomaly Detection,” Journal of InternetServices and Applications, vol. 1, no. 1, pp. 19–30, 2010.

[141] M. Gupta, C. C. Aggarwal, and J. Han, “Finding Top-K Short-est Path Distance Changes in an Evolutionary Network,” inProc. of the 12th Intl. Conf. on Advances in Spatial and TemporalDatabases (SSTD), 2011, pp. 130–148.

[142] T. Ide and H. Kashima, “Eigenspace-based Anomaly Detec-tion in Computer Systems,” in Proc. of the 10th ACM Intl.Conf. on Knowledge Discovery and Data Mining (KDD), 2004,pp. 440–449.

[143] L. Akoglu and C. Faloutsos, “Event Detection in Time Seriesof Mobile Communication Graphs,” in Proc. of the ArmyScience Conf., 2010.

[144] M. Gupta, C. C. Aggarwal, J. Han, and Y. Sun, “EvolutionaryClustering and Analysis of Bibliographic Networks,” in Proc.of the 2011 Intl. Conf. on Advances in Social Networks Analysisand Mining (ASONAM), 2011, pp. 63–70.

[145] M. Gupta, J. Gao, and J. Han, “Community DistributionOutlier Detection in Heterogeneous Information Networks,”in Proc. of the 2013 European Conf. on Machine Learning andKnowledge Discovery in Databases (ECML PKDD), 2013, pp.557–573.

[146] Y. Sun, K. Xie, X. Ma, X. Jin, W. Pu, and X. Gao, “Detect-ing Spatio-Temporal Outliers in Climate Dataset: A MethodStudy,” in Proc. of the 2005 IEEE Intl. Geoscience and RemoteSensing Symposium (IGARSS), 2005, pp. 760–763.

[147] W. Drosdowsky, “An Analysis of Australian Seasonal RainfallAnomalies: 19501987,” Intl. Journal of Climatology, vol. 13,no. 1, pp. 1–30, 1993.

[148] R. Lasaponara, “On the Use of Principal Component Anal-ysis (PCA) for Evaluating Interannual Vegetation Anomaliesfrom SPOT/VEGETATION NDVI Temporal Series,” Ecologi-cal Modelling, vol. 194, no. 4, pp. 429–434, 2006.

[149] D. Dasgupta and S. Forrest, “Novelty Detection in TimeSeries Data using Ideas from Immunology,” in Proc. of the5th Intl. Conf. on Intelligent Systems, 1996.

[150] V. Jakkula and D. J. Cook, “Anomaly Detection using Tem-poral Data Mining in a Smart Home Environment,” Methodsof Information in Medicine, vol. 47, no. 1, pp. 70–75, 2008.

[151] C. Warrender, S. Forrest, and B. Pearlmutter, “DetectingIntrusions using System Calls: Alternative Data Models,” inProc. of the 1999 IEEE Symposium on Security and Privacy, 1999,pp. 133–145.

[152] A. Lakhina, M. Crovella, and C. Diot, “Characterization ofNetwork-wide Anomalies in Traffic Flows,” in Proc. of the 4thACM SIGCOMM Conf. on Internet Measurement (IMC), 2004,pp. 201–206.

[153] Z. Guo, G. Jiang, H. Chen, and K. Yoshihira, “Tracking Prob-abilistic Correlation of Monitoring Data for Fault Detectionin Complex Systems,” in Proc. of the Intl. Conf. on DependableSystems and Networks (ICDSN), 2006, pp. 259–268.

[154] G. Jiang, H. Chen, and K. Yoshihira, “Modeling and Trackingof Transaction Flow Dynamics for Fault Detection in Complex

Systems,” IEEE Transactions on Dependable and Secure Comput-ing, vol. 3, pp. 312–326, Oct 2006.

[155] T. Lappas, M. R. Vieira, D. Gunopulos, and V. J. Tsotras, “OnThe Spatiotemporal Burstiness of Terms,” Proc. of the VeryLarge Databases (PVLDB), vol. 5, no. 9, pp. 836–847, 2012.

[156] M. Mathioudakis, N. Bansal, and N. Koudas, “Identifying,Attributing and Describing Spatial Bursts,” Proc. of the VeryLarge Databases (PVLDB), vol. 3, no. 1, pp. 1091–1102, 2010.

[157] C. E. Priebe, J. M. Conroy, D. J. Marchette, and Y. Park, “ScanStatistics on Enron Graphs,” Computational & MathematicalOrganization Theory, vol. 11, no. 3, pp. 229–247, Oct 2005.

[158] M. Gupta, J. Gao, C. C. Aggarwal, and J. Han, “OutlierDetection for Temporal Data,” in Proc. of the 13th SIAM Intl.Conf. on Data Mining (SDM), 2013.

[159] V. Chandola, A. Banerjee, and V. Kumar, “Anomaly Detec-tion for Discrete Sequences: A Survey,” IEEE Transactions onKnowledge and Data Engineering (TKDE), vol. 24, no. 5, pp.823–839, May 2012.

[160] M. Markou and S. Singh, “Novelty Detection: A Review - Part1: Statistical Approaches,” Signal Processing, vol. 83, no. 12,pp. 2481–2497, 2003.

[161] M. Markou and S. Singh, “Novelty Detection: A Review -Part 2: Neural Network Based Approaches,” Signal Processing,vol. 83, no. 12, pp. 2499–2521, 2003.

[162] W. Yu, C. C. Aggarwal, S. Ma and H. Wang, “On AnomalousHotspot Discovery in Graph Streams,” Proc. of the 2013 IEEEIntl. Conf. on Data Mining (ICDM), 2003.

Manish Gupta is an applied researcher atMicrosoft Bing, India and also a visiting fac-ulty at IIIT-Hyderabad, India. He received hisMasters in Computer Science from IIT Bom-bay in 2007 and his PhD in Computer Sci-ence from Univ of Illinois at Urbana Cham-paign in 2013. He worked for Yahoo! Banga-lore from 2007 to 2009. His research inter-ests are in the areas of data mining, informa-tion retrieval and web mining.

Jing Gao received the Ph.D. degree fromUniversity of Illinois at Urbana Champaign in2011. She is an assistant professor in theComputer Science and Engineering Depart-ment of the State University of New Yorkat Buffalo. She was a recipient of an IBMPhD fellowship. She is broadly interested indata and information analysis with a focuson information integration, ensemble meth-ods, transfer learning, anomaly detection,and mining data streams. She is a member

of the IEEE.Charu C. Aggarwal is a Research Scientistat the IBM T. J. Watson Research Center inYorktown Heights, New York. He completedhis Ph.D. from Massachusetts Institute ofTechnology in 1996. He has since worked inthe field of performance analysis, databases,and data mining. He has published over 200papers in refereed conferences and journals,and has applied for or been granted over80 patents. He has received IBM CorporateAward (2003), IBM Outstanding Innovation

Award (2008), IBM Research Division Award (2008) and MasterInventor at IBM thrice. He is a fellow of the ACM and the IEEE.

Jiawei Han is Abel Bliss Professor in the De-partment of Computer Science at the Univer-sity of Illinois. He has been researching intodata mining, information network analysis,and database systems, with more than 500publications. He received the ACM SIGKDDInnovation Award (2004), the IEEE Com-puter Society Technical Achievement Award(2005), and the IEEE W. Wallace McDowellAward (2009). His book Data Mining: Con-cepts and Techniques (Morgan Kaufmann)

has been used worldwide as a textbook. He is a fellow of the ACMand the IEEE.

ieee transactions on knowledge and data engineering, … · miner3, and oracle datamine4. the...

Documents