Fine-grained Anomaly Detection in Sequential Data via Counterfactual Explanations He Cheng Depeng Xuy Shuhan Yuan Xintao Wuz

2025-04-27 0 0 1.66MB 10 页 10玖币

侵权投诉

Fine-grained Anomaly Detection in Sequential Data

via Counterfactual Explanations

He Cheng∗, Depeng Xu†, Shuhan Yuan∗, Xintao Wu‡

∗Utah State University, Logan, USA, †University of North Carolina at Charlotte, Charlotte, USA,

‡University of Arkansas, Fayetteville, AR

Email: {he.cheng,shuhan.yuan}@usu.edu, depeng.xu@uncc.edu, xintaowu@uark.edu

Abstract—Anomaly detection in sequential data has been

studied for a long time because of its potential in various

applications, such as detecting abnormal system behaviors from

log data. Although many approaches can achieve good perfor-

mance on anomalous sequence detection, how to identify the

anomalous entries in sequences is still challenging due to a lack

of information at the entry-level. In this work, we propose a

novel framework called CFDet for ﬁne-grained anomalous entry

detection. CFDet leverages the idea of interpretable machine

learning. Given a sequence that is detected as anomalous, we

can consider anomalous entry detection as an interpretable

machine learning task because identifying anomalous entries in

the sequence is to provide an interpretation to the detection result.

We make use of the deep support vector data description (Deep

SVDD) approach to detect anomalous sequences and propose

a novel counterfactual interpretation-based approach to identify

anomalous entries in the sequences. Experimental results on three

datasets show that CFDet can correctly detect anomalous entries.

Index Terms—anomaly detection, counterfactual explanations,

sequential data

I. INTRODUCTION

Anomalous sequence detection has received a lot of atten-

tion recently because of wide applications, such as detecting

anomalous log sequences or user activity sequences [1, 2, 3, 4,

5, 6, 7]. For example, log messages generated by computing

systems are critical resources for debugging the abnormal

patterns of systems or detecting novel attacks. Identifying the

anomalous log sequences generated by computing systems in a

timely manner is important to build stable systems [1, 2, 3, 7].

However, the current approaches usually focus on anoma-

lous sequence detection while no much work targets the ﬁne-

grained anomalous entry detection. In practice, given detected

anomalous sequences, it is critical for the domain users to

understand why the detection model made such predictions.

Identifying the anomalous entries in the sequence can help

the domain users locate the exact issues. For example, if a

user activity sequence is labeled as anomalous, it is important

to know which activities in the sequences are anomalous that

lead to an anomalous outcome. On the other hand, due to the

limited information at the entry-level, it is not straightforward

to detect anomalous entries from the sequences. Especially, for

the anomalies like group anomalies (consisting of a collection

of two or more anomalous points) or contextual anomalies (be-

ing abnormal because of their contexts), the traditional point

anomaly detection approaches are not suitable for identifying

the anomalous entries in sequences.

In this work, we propose to leverage the idea of interpretable

machine learning to achieve ﬁne-grained anomalous entry

detection. This is because identifying anomalous entries from

a detected anomalous sequence is to explain why the given

sequence is labeled as anomalous. Specially, we propose a

counterfactual explanation approach, called CFDet, to detect

anomalous entries via searching for counterfactual samples.

The idea of counterfactual explanation is to identify the

“smallest change” to anomalous sequences that could change

the prediction to normal. Here, the changes indicate anomalous

entries, because by removing the anomalous entries, we can

“change” a sequence from anomalous to normal. Then, we can

achieve ﬁne-grained anomalous entry detection.

One challenge of leveraging interpretable machine learning

techniques is that current interpretable models are usually

developed for supervised learning models [8]. For the coun-

terfactual explanation approach, a classiﬁer is usually trained

to distinguish the original samples from the counterfactual

samples. However, in the anomaly detection scenario, due to

limited anomalous samples, it is hard to train a supervised

classiﬁcation model, and most anomaly detection approaches

are unsupervised or one-class classiﬁcation models [1, 9, 10].

To tackle this challenge, we propose a framework only using

the normal samples, where the counterfactuals are generated

based on the distances to normal samples. In particular, we can

divide an anomalous sequence into two parts, a subsequence

with normal entries and a subsequence with anomalous entries.

We consider the subsequence with normal entries as the

counterfactual sample of the original anomalous sequence

by imagining that the anomalous entries had not occurred.

Inspired by the deep support vector data description (Deep

SVDD) [9], where the basic assumption is that the normal

samples enclose to the center of a hypersphere, we aim at

identifying the subsequence with anomalous entries having a

large distance to the center while the counterfactual is close

to the center.

The main contributions of this paper are as follows. First, we

propose CFDet, a novel anomalous sequence and ﬁne-grained

entry detection framework only using normal sequences for

training. Considering the normal sequences are usually easy

to obtain, our framework meets the requirements of real-

world scenarios. Second, we develop a novel anomalous

arXiv:2210.04145v1 [cs.LG] 9 Oct 2022

entry detection approach based on the idea of counterfactual

explanations, which considers anomalous entry detection as

a task of providing interpretations to the detected anomalous

sequences. Third, the experimental results on three datasets

show that CFDet can detect anomalous sequences as well as

ﬁne-grained anomalous entries with high accuracy.

II. RELATED WORK

Anomaly Detection in Sequential Data. As sequential data

become more and more ubiquitous, such as time series, video

frames, or event data, sequential anomaly detection plays an

important role in a wide spectrum of application scenarios

[11, 12, 13, 14]. Currently, due to a limited number of

anomalies, many unsupervised or one-class deep learning ap-

proaches are proposed to detect anomalous sequences by iden-

tifying the differences between normal and anomalous patterns

[1, 2, 3, 15]. A typical idea is to make use of recurrent neural

networks (RNNs) to capture the normal patterns from normal

sequences. Then, an anomalous sequence can be detected with

deviate patterns [1, 3]. For example, DeepLog [1] is trained

to predict the log entry by an RNN model based on a large

number of normal sequences so that RNN is able to capture

the normal patterns of sequences. The anomalous sequence can

then be detected when the RNN cannot correctly predict the

log entries, meaning the sequence does not follow the normal

patterns. However, the majority of approaches proposed so far

only focus on detecting the anomalous sequences and cannot

point out ﬁne-grained subsequences or entries in the sequences

that actually lead to the anomalous outcomes.

Interpretable Anomaly Detection. Interpretability in ma-

chine learning is crucial for high-stakes decisions and trou-

bleshooting [8]. Interpretable machine learning techniques can

be categorized into two types, intrinsic interpretability and

post-hoc interpretability [16]. Intrinsic interpretability indi-

cates self-explanatory models that achieve interpretability di-

rectly based on their structures, while post-hoc interpretability

means the interpretability is achieved by applying another

model to provide explanations. There are two typical ap-

proaches to achieve the post-hoc interpretability, perturbation-

based and gradient-based approaches. The perturbation-based

approaches ﬁnd the important features based on their impact

on the decision outcome by perturbation functions, such as

LIME and SHAP [17, 18], while the gradient-based ap-

proaches identify the important features based on the gradient

magnitudes, such as Grad-CAM and Integrated Gradients

[19, 20]. Many sequential anomaly detection models are

deployed on safety-critical systems. Hence, once anomalous

behaviors are detected, understanding them is imperative for

the domain users to locate the problems.

Only a few studies target interpretable anomaly detection

[21, 22]. To achieve intrinsic interpretation, the explainable

deep one-class classiﬁcation model [22] provides intrinsic

interpretability for anomaly detection on image data but

cannot identify the discrete anomalous entries in sequences.

Meanwhile, the attention mechanism, which also provide

intrinsic interpretation based on the attention weights, is also

adopted fdetecting anomalous events from sequential data

[21]. However, the attention scores derived in the proposed

approach indicate the contributions to predicting the next

event in the sequence and are not strictly related to the

anomalous outcome. Some studies also achieve the post-hoc

interpretation based on the perturbation-based or gradient-

based interpretation approaches. Research in [23] develops

interpretable autoencoder models to identify features leading

to high reconstruction errors using Shapley values. Similarly,

research in [24] adopts variational autoencoder as the anomaly

detection model and identiﬁes important features based on

the gradient values. OmniAnomaly achieves the interpretable

anomaly detection for multivariate time series data by a neural

network combining GRU and VAE, where the interpretation

is achieved based on the reconstruction probability of each

dimension of input data [25]. In this work, we target on

detecting anomalies in discrete sequence data, it is hard to

leverage the gradient-based approaches to achieve interpre-

tation. We leverage the idea of counterfactual interpretation

to achieve ﬁne-grained anomaly detection, which provides

human-understandable post-hoc interpretations to anomalous

sequence detection.

III. FRAMEWORK

A. Overview

We denote a sequence with length Las S={el}L

l=1

where elindicates the l-th entry. We use e+and e−to

denote normal and anomalous entries respectively. In this

work, we assume that no labeled anomalous sequences/entries

are available as training signals. Formally, given a set of

normal sequences P={S+

n}N

n=1 and another set of unlabeled

sequences U={Sm}M

m=1 with a mixture of normal and

anomalous sequences, i.e., U=U+∪U−, we aim at detecting

the anomalous sequences in Uas well as their corresponding

anomalous entries.

We propose a two-phase framework called CFDet, as shown

in Figure 1. We ﬁrst adopt the Deep SVDD approach to derive

an anomalous sequence detector f(·)based on the normal

sequence set P. Speciﬁcally, Deep SVDD is to minimize the

volume of a data-enclosing hypersphere in a latent space with

a center point cbased on P. Therefore, the anomalies can be

detected with a large distance to the center. Then, we deploy

the detector f(·)to classify the sequences in the unlabeled set

Uinto a subset of anomalous sequences ˜

U−and a subset of

normal sequences ˜

U+. For each detected anomalous sequence

set Z∈˜

U−, we further identify the ﬁne-grained anomalous

entries. We propose a novel self-supervised learning approach

based on the idea of counterfactual explanation to train an

anomalous entry detector g(·). Then, we are able to identify

the anomalous entries from the anomalous sequences.

The Key Idea of Anomalous Entry Detection. Given a

detected anomalous sequence Z, we denote the subsequence

consisting of only anomalous entries in Zas Z−. Formally

we have

Z−=AZ, (1)

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

10 玖币 0人已下载

立即下载

摘要：

Fine-grainedAnomalyDetectioninSequentialDataviaCounterfactualExplanationsHeCheng,DepengXuy,ShuhanYuan,XintaoWuzUtahStateUniversity,Logan,USA,yUniversityofNorthCarolinaatCharlotte,Charlotte,USA,zUniversityofArkansas,Fayetteville,AREmail:fhe.cheng,shuhan.yuang@usu.edu,depeng.xu@uncc.edu,xintaowu@ua...

展开>> 收起<<

Fine-grained Anomaly Detection in Sequential Data via Counterfactual Explanations He Cheng Depeng Xuy Shuhan Yuan Xintao Wuz.pdf

共10页,预览2页

还剩页未读，继续阅读

声明：本站为文档C2C交易模式，即用户上传的文档直接被用户下载，本站只是中间服务平台，本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间，仅对用户上传内容的表现方式做保护处理，对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私，请立即通知玖贝云文库，我们立即给予删除！

Fine-grained Anomaly Detection in Sequential Data via Counterfactual Explanations He Cheng Depeng Xuy Shuhan Yuan Xintao Wuz

相关推荐

开通VIP享超值会员特权

作者详情

相关内容

热门标签

举报选择: