TY - GEN
T1 - Anomaly Detection using Clustered Deep One-Class Classification
AU - Kim, Younghwan
AU - Kim, Huy Kang
N1 - Funding Information:
This work was supported by Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No.2018-0-00232, Cloud-based IoT Threat Autonomic Analysis and Response Technology).
Publisher Copyright:
© 2020 IEEE.
PY - 2020/8
Y1 - 2020/8
N2 - Anomalies in a Cyber-Physical System (CPS) can have a devastating effect on the entire system of a complex CPS. Thus, it is important to detect anomalies quickly. Since a CPS can collect sensor data in near real-time throughout the process, many attempts have been made to solve this problem from the perspective of data-driven security based on the collected data. However, since CPS datasets are big data and most of the data are normal data, it has always been a great challenge to analyze the data and implement an anomaly detection model. In this paper, we propose and evaluate the Clustered Deep One-Class Classification (CD-OCC) model, which combines a clustering algorithm and deep learning (DL) models using only a normal dataset for anomaly detection. We classify normal data into optimal cluster size using the K-means clustering algorithm. DL models are trained to classify each cluster based on the clustered normal data, and we can obtain the softmax values in the process of predicting the cluster. We use the softmax values as a dataset with distilled knowledge of the DL model for anomaly detection. We transfer the softmax values to one-class classification (OCC) models to detect anomalies. In the experiment, the F1-score of the proposed model is close to 0.8, a performance improvement of about 0.5 compared to the encoded OCC model, which has reduced dimensionality through an auto-encoder, as well as the basic OCC model.
AB - Anomalies in a Cyber-Physical System (CPS) can have a devastating effect on the entire system of a complex CPS. Thus, it is important to detect anomalies quickly. Since a CPS can collect sensor data in near real-time throughout the process, many attempts have been made to solve this problem from the perspective of data-driven security based on the collected data. However, since CPS datasets are big data and most of the data are normal data, it has always been a great challenge to analyze the data and implement an anomaly detection model. In this paper, we propose and evaluate the Clustered Deep One-Class Classification (CD-OCC) model, which combines a clustering algorithm and deep learning (DL) models using only a normal dataset for anomaly detection. We classify normal data into optimal cluster size using the K-means clustering algorithm. DL models are trained to classify each cluster based on the clustered normal data, and we can obtain the softmax values in the process of predicting the cluster. We use the softmax values as a dataset with distilled knowledge of the DL model for anomaly detection. We transfer the softmax values to one-class classification (OCC) models to detect anomalies. In the experiment, the F1-score of the proposed model is close to 0.8, a performance improvement of about 0.5 compared to the encoded OCC model, which has reduced dimensionality through an auto-encoder, as well as the basic OCC model.
KW - anomaly detection
KW - clustering
KW - deep learning
KW - knowledge distillation
UR - http://www.scopus.com/inward/record.url?scp=85093358838&partnerID=8YFLogxK
U2 - 10.1109/AsiaJCIS50894.2020.00034
DO - 10.1109/AsiaJCIS50894.2020.00034
M3 - Conference contribution
AN - SCOPUS:85093358838
T3 - Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020
SP - 151
EP - 157
BT - Proceedings - 2020 15th Asia Joint Conference on Information Security, AsiaJCIS 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 15th Annual Asia Joint Conference on Information Security, AsiaJCIS 2020
Y2 - 20 August 2020 through 21 August 2020
ER -