Monotonic anomaly detection
This work addresses a specific need in anomaly detection for monotonic patterns, but it is incremental as it builds on existing semi-supervised methods with tailored distance measures.
The paper tackled the problem of detecting monotonic anomalies where only high or low attribute values are of interest, and introduced two asymmetrical distance measures, ramp and signed distance, showing that ramp distance improves detection performance over absolute distance.
Semi-supervised anomaly detection is based on the principle that potential anomalies are those records that look different from normal training data. However, in some cases we are specifically interested in anomalies that correspond to high attribute values (or low, but not both). We present two asymmetrical distance measures that take this monotonicity into account: ramp distance and signed distance. Through experiments on synthetic and real-life datasets, we show that ramp distance increases anomaly detection performance over the traditional absolute distance. While signed distance also performs well on synthetic data, it performs substantially worse on real-life datasets. We argue that this is a consequence of the fact that when using signed distance, low values of certain attributes automatically compensate for high values of other attributes, such that anomaly detection is reduced to counting the total attribute value sum, which is too simplistic in practice.
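The compensation effect described above, shown as an added example that is not code from the paper. It assumes per-attribute summed definitions (absolute |x - y|, ramp max(0, x - y), signed x - y), a mean-of-k-nearest anomaly score, and constructed two-attribute data; all names are hypothetical.

```python
# Added illustration. The distance definitions, the scoring rule and the data
# are assumptions made for this example, not taken from the paper.
from typing import Callable, Dict, List, Sequence

Record = Sequence[float]
Distance = Callable[[Record, Record], float]

def absolute_distance(x: Record, y: Record) -> float:
    # Symmetric: deviations in either direction count.
    return sum(abs(a - b) for a, b in zip(x, y))

def ramp_distance(x: Record, y: Record) -> float:
    # Asymmetric: only the amount by which x exceeds y counts, per attribute.
    return sum(max(0.0, a - b) for a, b in zip(x, y))

def signed_distance(x: Record, y: Record) -> float:
    # Asymmetric, but a deficit in one attribute cancels an excess in another.
    return sum(a - b for a, b in zip(x, y))

def anomaly_score(x: Record, train: List[Record], dist: Distance, k: int = 2) -> float:
    # Mean distance from x to its k nearest (smallest-distance) training records.
    nearest = sorted(dist(x, y) for y in train)[:k]
    return sum(nearest) / len(nearest)

# Constructed "normal" training records with two attributes scaled to [0, 1].
TRAIN: List[Record] = [(0.2, 0.3), (0.3, 0.2), (0.4, 0.4), (0.3, 0.4), (0.2, 0.2)]

# Constructed test records. SPIKE and MILD have the same attribute sum (0.9).
SPIKE: Record = (0.9, 0.0)    # one attribute very high, the other very low
MILD: Record = (0.45, 0.45)   # both attributes slightly above normal
LOW: Record = (0.0, 0.0)      # low everywhere: not of interest in a monotonic setting

DISTANCES: Dict[str, Distance] = {
    "absolute": absolute_distance,
    "ramp": ramp_distance,
    "signed": signed_distance,
}

def compare() -> Dict[str, Dict[str, float]]:
    # Score every test record under every distance.
    records = {"spike": SPIKE, "mild": MILD, "low": LOW}
    return {
        name: {label: round(anomaly_score(r, TRAIN, d), 3) for label, r in records.items()}
        for name, d in DISTANCES.items()
    }

if __name__ == "__main__":
    for name, scores in compare().items():
        print(f"{name:>8}: {scores}")
```

Under signed distance the spike and the mild record are indistinguishable because their attribute sums match, while ramp distance ranks the spike higher and gives the all-low record a score of zero.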