Sequential anomaly detection in the presence of noise and limited feedback

TL;DR

This paper introduces a noise-robust sequential anomaly detection method that combines filtering and adaptive hedging, leveraging exponential-family models and online convex programming to achieve low regret and mistake bounds.

Contribution

It presents a novel online anomaly detection algorithm that does not require full posterior computations and adapts thresholds based on user feedback, with theoretical guarantees.

Findings

Achieves sublinear regret against static and slowly varying distributions.

Provides mistake bounds relative to offline optimal thresholds.

Validated on synthetic high-dimensional data and real Enron email dataset.

Abstract

This paper describes a methodology for detecting anomalies from sequentially observed and potentially noisy data. The proposed approach consists of two main elements: (1) {\em filtering}, or assigning a belief or likelihood to each successive measurement based upon our ability to predict it from previous noisy observations, and (2) {\em hedging}, or flagging potential anomalies by comparing the current belief against a time-varying and data-adaptive threshold. The threshold is adjusted based on the available feedback from an end user. Our algorithms, which combine universal prediction with recent work on online convex programming, do not require computing posterior distributions given all current observations and involve simple primal-dual parameter updates. At the heart of the proposed approach lie exponential-family models which can be used in a wide variety of contexts and applications, and which yield methods that achieve sublinear per-round regret against both static and slowly varying product distributions with marginals drawn from the same exponential family. Moreover, the regret against static distributions coincides with the minimax value of the corresponding online strongly convex game. We also prove bounds on the number of mistakes made during the hedging step relative to the best offline choice of the threshold with access to all estimated beliefs and feedback signals. We validate the theory on synthetic data drawn from a time-varying distribution over binary vectors of high dimensionality, as well as on the Enron email dataset.