Precision and Recall for Range-Based Anomaly Detection

1. Introduction

Anomaly detection (AD) seeks to identify atypical events. Anomalies tend to be domain or problem specific, and many occur over a period of time. We refer to such events as range-based anomalies, as they occur over a range (or period) of time¹¹1Range-based anomalies are a specific type of collective anomalies (Chandola et al., 2009). Moreover, range-based anomalies are similar, but not identical, to sequence anomalies (Warrender et al., 1999).. Therefore, it is critical that the accuracy measures for anomalies, and the systems detecting them, capture events that occur over a range of time. Unfortunately, classical metrics for anomaly detection were designed to handle only fixed-point anomalies (Aggarwal, 2013)

. An AD algorithm behaves much like a pattern recognition and binary classification algorithm: it recognizes certain patterns in its input and classifies them as either normal or anomalous. For this class of algorithms,

Recall and Precision are widely used for evaluating the accuracy of the result. They are formally defined as in Equations 1 and 2, where

T P

denotes true positives,

F P

denotes false positives, and

F N

denotes false negatives.

(1)		$R e c a l l$	$= T P \div (T P + F N)$
(2)		$P r e c i s i o n$	$= T P \div (T P + F P)$

While useful for point-based anomalies, classical recall and precision suffer from their inability to capture, and bias, classification correctness for domain-specific time-series anomalies. Because of this, many time-series AD systems’ accuracy are being misrepresented, as point-based recall and precision are used to measure their effectiveness (Singh and Olinsky, 2017). Furthermore, the need to accurately identify time-series anomalies is growing due to the explosion of streaming and real-time systems (Twitter, 2015; Malhotra et al., 2015; Guha et al., 2016; Ahmad et al., 2017; Lee et al., 2018). To address this, we redefine recall and precision to encompass range-based anomalies. Unlike prior work (Lavin and Ahmad, 2015; Ahmad et al., 2017), our mathematical definitions are a superset of the classical definitions, enabling our system to subsume point-based anomalies. Moreover, our system is broadly generalizable, providing specialization functions to control a domain’s bias along a multi-dimensional axis that is necessary to accommodate the needs of specific domains.

In this short paper, we present novel formal definitions of recall and precision for range-based anomaly detection that both subsume those formerly defined for point-based anomaly detection as well as being customizable to a rich set of application domains. Empirical data has been omitted to meet the venue’s compressed format.

function

ω

(AnomalyRange, OverlapSet,

δ

)

MyValue \leftarrow 0

MaxValue \leftarrow 0

AnomalyLength \leftarrow length(AnomalyRange)

for

i \leftarrow 1, AnomalyLength

Bias \leftarrow δ (i, AnomalyLength)

MaxValue \leftarrow MaxValue + Bias

if AnomalyRange[i] in OverlapSet then

MyValue \leftarrow MyValue + Bias

return

MyValue / MaxValue

(a) Overlap Size

// Flat positional bias function

δ

(i, AnomalyLength) return 1 // Front-end positional bias function

δ

(i, AnomalyLength) return AnomalyLength - i + 1 // Tail-end positional bias function

δ

(i, AnomalyLength) return i

(b) Positional Bias

Figure 1. Example Functions for

ω ()

and

δ ()

2. Range-based Recall

Classical Recall rewards an AD system when anomalies are successfully identified (i.e., TP) and penalizes it when they are not (i.e., FN). It is computed by counting the number of anomalous points successfully predicted and then dividing that number by the total number of anomalous points. However, it is not sensitive to domains where a single anomaly can be represented as a range of contiguous points. In this section, we propose a new way to compute recall for such range-based anomalies. Table 1 summarizes our notation.

Notation	Description
$R$	set of real anomaly ranges
$R_{i}$	the $i^{t h}$ real anomaly range
$P$	set of predicted anomaly ranges
$P_{j}$	the $j^{t h}$ predicted anomaly range
$N_{r}$	number of real anomaly ranges
$N_{p}$	number of predicted anomaly ranges
$α$	relative weight of existence reward
$β$	relative weight of overlap reward
$γ ()$	overlap cardinality function
$ω ()$	overlap size function
$δ ()$	positional bias function

Table 1. Notation

Given a set of real anomaly ranges $R = {R_{1}, . ., R_{N_{r}}}$ and a set of predicted anomaly ranges $P = {P_{1}, . ., P_{N_{p}}}$ , our $R e c a l l_{T} (R, P)$ formulation iterates over the set of all real anomaly ranges ( $R$ ), computing a recall score for each real anomaly range ( $R_{i} \in R$ ) and adding them up into a total recall score. This total score is then divided by the total number of real anomalies ( $N_{r}$ ) to obtain an average recall score for the whole time-series.

(3)

R e c a l l_{T} (R, P)

= \frac{\sum_{i = 1}^{N_{r}} R e c a l l_{T} (R_{i}, P)}{N_{r}}

When computing the recall score $R e c a l l_{T} (R_{i}, P)$ for a single real anomaly range $R_{i}$ , we take the following aspects into account:

Existence: Identifying an anomaly (even by a single point in $R_{i}$ ) may be valuable in some application domains.
Size: The larger the size of the correctly predicted portion of $R_{i}$ , the higher the recall score will likely be.
Position: In some cases, not only size, but also the relative position of the correctly predicted portion of $R_{i}$ may be important to the application (e.g., early and late biases).
Cardinality: Detecting $R_{i}$ with a single predicted anomaly range $P_{j} \in P$ may be more valuable to an application than doing so with multiple different ranges in $P$ .

We capture these aspects as a sum of two reward terms weighted by $α$ and $β$ , respectively, where $0 \leq α, β \leq 1$ and $α + β = 1$ . $α$ represents the relative importance of rewarding existence, whereas $β$ represents the relative importance of rewarding size, position, and cardinality, which all stem from the overlap between $R_{i}$ and the set of all predicted anomaly ranges ( $P_{i} \in P$ ).

	$R e c a l l_{T} (R_{i}, P)$	$= α \times E x i s t e n c e R e w a r d (R_{i}, P)$
(4)			$+ β \times O v e r l a p R e w a r d (R_{i}, P)$

If anomaly range $R_{i}$ is identified (i.e., $| R_{i} \cap P_{j} | \geq 1$ across all $P_{j} \in P$ ), then an existence reward of $1$ is earned.

(5)

E x i s t e n c e R e w a r d (R_{i}, P)

= {\begin{matrix} 1 & , if \sum_{j = 1}^{N_{p}} | R_{i} \cap P_{j} | \geq 1 0 & , otherwise \end{matrix}

Additionally, an overlap reward, dependent upon three application-defined functions $0 \leq γ () \leq 1$ , $0 \leq ω () \leq 1$ , and $δ () \geq 1$ , can be earned. These functions capture the cardinality ( $γ$ ), size ( $ω$ ), and position ( $δ$ ) of the overlap. The cardinality term serves as a scaling factor for the rewards earned from size and position of the overlap.

	$O v e r l a p R e w a r d (R_{i}, P)$	$= C a r d i n a l i t y F a c t o r (R_{i}, P)$
(6)			$\times N_{p} \sum j = 1 ω (R_{i}, R_{i} \cap P_{j}, δ)$

The cardinality factor is largest (i.e., 1), when $R_{i}$ overlaps with at most one predicted anomaly range (i.e., it is identified by a single prediction range). Otherwise, it receives a value $0 \leq γ () \leq 1$ defined by the application.

(7)

C a r d i n a l i t y F a c t o r (R_{i}, P)

={1\parbox[t]51.214961pt,if$Ri$overlapswithatmostone$Pj∈P$γ(Ri,P), otherwise

The $R e c a l l_{T}$ constants ( $α$ and $β$ ) and functions ( $γ ()$ , $ω ()$ , and $δ ()$ ) are tunable according to the needs of the application. Next, we illustrate how they can be customized with examples.

The cardinality factor should generally be inversely proportional to $C a r d (R_{i})$ , i.e., the number of distinct prediction ranges that a real anomaly range $R_{i}$ overlaps. For example, $γ (R_{i}, P)$ can simply be set to $1 / C a r d (R_{i})$ .

Figure (a)a provides an example for the $ω ()$ function for size, which can be used with many different $δ ()$ functions for positional bias as shown in Figure (b)b. If all index positions are equally important, then the flat bias function should be used. If earlier ones are more important than later ones (e.g., early cancer detection (Kourou et al., 2015), real-time apps (Ahmad et al., 2017)), then the front-end bias function should be used. Finally, if later index positions are more important (e.g., delayed response in robotic defense), then the tail-end bias function should be used.

Our recall formula for range-based anomalies subsumes the classical one for point-based anomalies (i.e., $R e c a l l_{T} \equiv R e c a l l$ ) when:

[nosep,label=()]
all $R_{i} \in R$ and $P_{j} \in P$ are represented as single-point ranges (e.g., range $[1, 3]$ represented as $[1, 1], [2, 2], [3, 3]$ ), and
$α = 0, β = 1, γ () = 1$ , $ω ()$ is as in Figure (a)a, and $δ ()$ returns flat positional bias as in Figure (b)b.

3. Range-based Precision

Classical $P r e c i s i o n$ is computed by counting the number of successful prediction points (i.e., TP) in proportion to the total number of prediction points (i.e., TP+FP). The key difference between Precision and Recall is that Precision penalizes FPs. In this section, we extend classical precision to handle range-based anomalies. Our formulation follows a similar structure as $R e c a l l_{T}$ .

Given a set of real anomaly ranges $R = {R_{1}, . ., R_{N_{r}}}$ and a set of predicted anomaly ranges $P = {P_{1}, . ., P_{N_{p}}}$ , $P r e c i s i o n_{T} (R, P)$ iterates over the set of predicted anomaly ranges ( $P$ ), computing a precision score for each range ( $P_{i} \in P$ ) and then sums them. This sum is then divided by the total number of predicted anomalies ( $N_{p}$ ), averaging the score for the whole time-series.

(8)

P r e c i s i o n_{T} (R, P)

= \frac{\sum_{i = 1}^{N_{p}} P r e c i s i o n_{T} (R, P_{i})}{N_{p}}

When computing $P r e c i s i o n_{T} (R, P_{i})$ for a single predicted anomaly range $P_{i}$ , there is no need for an existence reward, because precision by definition emphasizes prediction quality, and existence by itself is too low a bar for judging the quality of a prediction. This removes the need for $α$ and $β$ constants. Therefore:

	$P r e c i s i o n_{T} (R, P_{i})$	$= C a r d i n a l i t y F a c t o r (P_{i}, R)$
(9)			$\times N_{r} \sum j = 1 ω (P_{i}, P_{i} \cap R_{j}, δ)$

$γ ()$ , $ω ()$ , and $δ ()$ are customizable as before. Furthermore, $P r e c i s i o n_{T}$ $\equiv P r e c i s i o n$ under the same settings as in Section 2 (except $α$ and $β$ are not needed). Note that, while $δ ()$ provides a potential knob for positional bias, we believe that in many domains a flat bias function will suffice for $P r e c i s i o n_{T}$ , as an $F P$ is typically considered uniformly bad wherever it appears in a prediction range.

4. Conclusion

In this paper, we note that traditional recall and precision were invented for point-based analysis. In range-based anomaly detection, anomalies are not necessarily single points, but are, in many cases, ranges. In response, we offered new recall and precision definitions that take ranges into account.

Acknowledgments. This research has been funded in part by Intel.

References

(1)
Aggarwal (2013) Charu C. Aggarwal. 2013. Outlier Analysis. Springer.
Ahmad et al. (2017) Subutai Ahmad, Alexander Lavin, Scott Purdy, and Zuha Agha. 2017. Unsupervised Real-time Anomaly Detection for Streaming Data. Neurocomputing 262 (2017), 134–147.
Chandola et al. (2009) Varun Chandola, Arindam Banerjee, and Vipin Kumar. 2009. Anomaly Detection: A Survey. ACM Computing Surveys 41, 3 (2009), 15:1–15:58.
Guha et al. (2016) Sudipto Guha, Nina Mishra, Gourav Roy, and Okke Schrijvers. 2016. Robust Random Cut Forest Based Anomaly Detection on Streams. In International Conference on Machine Learning (ICML)
. 2712–2721.
Kourou et al. (2015) Konstantina Kourou, Themis P. Exarchos, Konstantinos P. Exarchos, Michalis V. Karamouzis, and Dimitrios I. Fotiadis. 2015. Machine Learning Applications in Cancer Prognosis and Prediction. Computational and Structural Biotechnology Journal 13 (2015), 8–17.
Lavin and Ahmad (2015) Alexander Lavin and Subutai Ahmad. 2015. Evaluating Real-Time Anomaly Detection Algorithms - The Numenta Anomaly Benchmark. In IEEE International Conference on Machine Learning and Applications (ICMLA). 38–44.
Lee et al. (2018) Tae Jun Lee, Justin Gottschlich, Nesime Tatbul, Eric Metcalf, and Stan Zdonik. 2018. Greenhouse: A Zero-Positive Machine Learning System for Time-Series Anomaly Detection. https://arxiv.org/abs/1801.03168/. In SysML Conference.
Malhotra et al. (2015) Pankaj Malhotra, Lovekesh Vig, Gautam Shroff, and Puneet Agarwal. 2015. Long Short Term Memory Networks for Anomaly Detection in Time Series. In European Symposium on Artificial Neural Networks, Computational Intelligence and Machine Learning (ESANN)
. 89–94.
Singh and Olinsky (2017) Nidhi Singh and Craig Olinsky. 2017. Demystifying Numenta Anomaly Benchmark. In International Joint Conference on Neural Networks (IJCNN). 1570–1577.
Twitter (2015) Twitter. 2015. AnomalyDetection R Package. https://github.com/twitter/AnomalyDetection/. (2015).
Warrender et al. (1999) Christina Warrender, Stephanie Forrest, and Barak Pearlmutter. 1999. Detecting Intrusions using System Calls: Alternative Data Models. In IEEE Symposium on Security and Privacy. 133–145.

Precision and Recall for Range-Based Anomaly Detection

Authors

A New Model for Evaluating Range-Based Anomaly Detection Algorithms

PIDForest: Anomaly Detection via Partial Identification

A Discriminative Framework for Anomaly Detection in Large Videos

Variation and generality in encoding of syntactic anomaly information in sentence embeddings

Anomaly Detection Support Using Process Classification

A Taxonomy of Anomalies in Log Data

Smart Metering System Capable of Anomaly Detection by Bi-directional LSTM Autoencoder

1. Introduction

2. Range-based Recall

3. Range-based Precision

4. Conclusion

References

Precision and Recall for Range-Based Anomaly Detection

Authors

Related Research

A New Model for Evaluating Range-Based Anomaly Detection Algorithms

PIDForest: Anomaly Detection via Partial Identification

A Discriminative Framework for Anomaly Detection in Large Videos

Variation and generality in encoding of syntactic anomaly information in sentence embeddings

Anomaly Detection Support Using Process Classification

A Taxonomy of Anomalies in Log Data

Smart Metering System Capable of Anomaly Detection by Bi-directional LSTM Autoencoder

This week in AI

1. Introduction

2. Range-based Recall

3. Range-based Precision

4. Conclusion

References