Anomaly Detection: Review and preliminary Entropy method tests

TL;DR

This paper reviews anomaly detection in wireless sensor networks, focusing on entropy-based methods, and presents preliminary tests comparing probability density function estimation techniques for entropy calculation.

Contribution

It introduces a non-parametric entropy estimation approach using data splitting and compares it with k-nearest neighbor methods for anomaly detection.

Findings

Data-split method provides better PDF approximation than k-NN

Entropy increases with anomalous data points in the dataset

Preliminary results support entropy-based anomaly detection effectiveness

Abstract

Anomalies are strange data points; they usually represent an unusual occurrence. Anomaly detection is presented from the perspective of Wireless sensor networks. Different approaches have been taken in the past, as we will see, not only to identify outliers, but also to establish the statistical properties of the different methods. The usual goal is to show that the approach is asymptotically efficient and that the metric used is unbiased or maybe biased. This project is based on a work done by [1]. The approach is based on the principle that the entropy of the data is increased when an anomalous data point is measured. The entropy of the data set is thus to be estimated. In this report however, preliminary efforts at confirming the results of [1] is presented. To estimate the entropy of the dataset, since no parametric form is assumed, the probability density function of the data set is first estimated using data split method. This estimated pdf value is then plugged-in to the entropy estimation formula to estimate the entropy of the dataset. The data (test signal) used in this report is Gaussian distributed with zero mean and variance 4. Results of pdf estimation using the k-nearest neighbour method using the entire dataset, and a data-split method are presented and compared based on how well they approximate the probability density function of a Gaussian with similar mean and variance. The number of nearest neighbours chosen for the purpose of this report is 8. This is arbitrary, but is reasonable since the number of anomalies introduced is expected to be less than this upon data-split. The data-split method is preferred and rightly so.