Anomaly detection has been used in a variety of practical applications, including cyber security, fraud detection and fault detection in safety-critical systems. Anomaly detectors produce a ranked list of statistical anomalies, which human analysts typically examine in order to extract the actual anomalies of interest. Unfortunately, most anomaly detectors provide no explanation of why an instance was considered anomalous. To address this issue, we propose a feature-based explanation approach called sequential feature explanation (SFE) to help the analyst in their investigation. A second problem with anomaly detection systems is that they usually produce a large number of false positives due to a mismatch between statistical and semantic anomalies. We address this issue by incorporating human feedback: we develop a human-in-the-loop anomaly detection system that can improve its detection rate using a simple form of true/false positive feedback from the analyst. We show empirically the efficacy and superior performance of both our explanation and feedback approaches on significant cyber security applications, including red team attack data and real corporate network data, along with a large number of benchmark datasets. We also delve into a set of state-of-the-art anomaly detection techniques to understand why they perform so well with a small number of training examples. We unify their working principle into a common framework underlying different pattern spaces and compute their sample complexity for achieving performance guarantees. In addition, we empirically investigate learning curves for anomaly detection in this framework.
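The three ideas in the abstract (a ranked list of statistical anomalies, a sequential feature explanation that tells the analyst which features to look at first, and a true/false positive feedback loop that re-ranks the list) can be illustrated with a small self-contained script. The following is an added example and is not the dissertation's own method or code: the robust per-feature deviation score, the greedy explanation order and the multiplicative weight update are all simplifying assumptions chosen for illustration, and the host records are constructed sample data.

```python
"""Toy ranked anomaly list with sequential feature explanations and
true/false-positive feedback.  Added illustration, not the dissertation's
own method: the robust per-feature score, the greedy explanation order and
the multiplicative weight update are all simplifying assumptions."""
from statistics import median

FEATURES = ["bytes_out", "conn_count", "failed_logins", "distinct_dests"]

# Constructed sample: four ordinary hosts, one heavy but benign sender (h5,
# e.g. a backup job) and one host whose failed logins and destination count
# look like credential spraying followed by lateral movement (h6).
HOSTS = {
    "h1": [100, 10, 0, 3],
    "h2": [120, 12, 1, 4],
    "h3": [90, 9, 0, 3],
    "h4": [110, 11, 0, 2],
    "h5": [5000, 10, 0, 3],
    "h6": [130, 40, 25, 30],
}


def robust_scale(data):
    """Per-feature (median, MAD) so a deviation is measured in 'typical' units.
    MAD is floored at 1.0 so a near-constant feature cannot blow up the score."""
    scales = []
    for j in range(len(FEATURES)):
        col = [row[j] for row in data.values()]
        med = median(col)
        mad = median(abs(v - med) for v in col)
        scales.append((med, max(mad, 1.0)))
    return scales


def contributions(x, scales, weights):
    """Weighted robust deviation of each feature; the anomaly score is their sum."""
    return [w * abs(v - med) / mad for v, (med, mad), w in zip(x, scales, weights)]


def rank(data, scales, weights):
    """Ranked list of (host, score), most anomalous first: what the analyst sees."""
    scored = [(h, sum(contributions(x, scales, weights))) for h, x in data.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def sequential_feature_explanation(x, scales, weights, target=0.8):
    """Greedy SFE: repeatedly add the feature with the largest marginal gain in
    the partial score.  Returns (ordered feature names, number of features the
    analyst must view before the prefix explains `target` of the full score).
    For an additive score the marginal gain is just the feature's contribution."""
    contrib = contributions(x, scales, weights)
    total = sum(contrib)
    remaining, order, partial, depth = list(range(len(FEATURES))), [], 0.0, None
    while remaining:
        j = max(remaining, key=lambda k: contrib[k])
        remaining.remove(j)
        order.append(FEATURES[j])
        partial += contrib[j]
        if depth is None and partial >= target * total:
            depth = len(order)
    return order, depth


def apply_feedback(x, scales, weights, is_true_positive, eta=0.9):
    """Multiplicative update driven by one TP/FP label: the features that
    carried a false positive's score are down-weighted in proportion to their
    share of it; a true positive's features are up-weighted the same way."""
    contrib = contributions(x, scales, weights)
    total = sum(contrib) or 1.0
    sign = 1.0 if is_true_positive else -1.0
    return [w * (1.0 + sign * eta * c / total) for w, c in zip(weights, contrib)]


def demo():
    """One analyst round: inspect the top item, explain it, label it, re-rank."""
    scales = robust_scale(HOSTS)
    weights = [1.0] * len(FEATURES)
    before = rank(HOSTS, scales, weights)
    top = before[0][0]                      # statistical top of the list
    expl, depth = sequential_feature_explanation(HOSTS[top], scales, weights)
    # The analyst views `depth` feature(s), recognises a benign bulk transfer
    # and marks the instance as a false positive.
    weights = apply_feedback(HOSTS[top], scales, weights, is_true_positive=False)
    after = rank(HOSTS, scales, weights)
    return top, expl, depth, after[0][0], weights


if __name__ == "__main__":
    print(demo())
```

Before feedback the heavy sender h5 tops the list purely on `bytes_out`, and the explanation shows the analyst needs to see only that one feature to judge it; after a single false-positive label the `bytes_out` weight drops and h6, the semantic anomaly, rises to the top. This is the mismatch between statistical and semantic anomalies the abstract describes, and the reason a cheap TP/FP signal from the analyst is worth feeding back into the ranker.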
Funding Statement (additional comments about funding)
This work is partially supported by DARPA under Contracts N66001-17-2-4030 and FA8650-15-C7557. Any opinions, findings and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of DARPA.
This work is partially supported by the Future of Life Institute under Contract W911NF-11-C-0088. Any opinions, findings and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the Future of Life Institute.