Explainable Sequential Anomaly Detection via Prototypes

Sequential anomaly detection has received increasing attention because of its wide applications in various domains, such as debugging system failures via logs. Researchers have recently proposed many deep learning-based approaches for sequential anomaly detection. However, these approaches operate as black-box models and do not provide explanations for detected anomalies, while explainability is a critical requirement for building trust in detection results. Moreover, domain experts would like to learn why a sequence is labeled as an anomaly. To address this challenge, we propose a framework for Explainable Sequential Anomaly Detection (ESAD) in a semi-supervised setting. Because sequential data exhibit various normal and abnormal behaviors, ESAD derives multiple prototypes to describe diverse normal and abnormal sequences, where each prototype encodes one type of normal or abnormal behavior. Given a new sequence, if the sequence is similar to an abnormal prototype, it is detected as abnormal. After decoding the abnormal prototype into a prototypical sequence, domain experts can further understand the newly detected abnormal sequence by examining the prototypical sequence. We conduct experiments on one log dataset and two text datasets; quantitative and qualitative results on all three datasets show the effectiveness of our model.
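The abstract does not specify ESAD's exact scoring rule, so the following is only a minimal sketch of the nearest-prototype decision it describes, assuming cosine similarity in the embedding space and PyTorch tensors; the function name detect_and_explain and the prototype tensor shapes are hypothetical, not taken from the paper.

```python
import torch
import torch.nn.functional as F

def detect_and_explain(seq_embedding, normal_protos, abnormal_protos):
    """Classify a sequence embedding by its nearest prototype.

    seq_embedding:   (d,)      encoder output for the input sequence
    normal_protos:   (k_n, d)  learned normal prototype vectors
    abnormal_protos: (k_a, d)  learned abnormal prototype vectors
    Returns (is_anomaly, nearest_prototype_index); the index identifies
    the prototype that can be decoded into a prototypical sequence
    and shown to a domain expert as the explanation.
    """
    # Cosine similarity between the sequence and every prototype
    # (broadcasts the (1, d) query against each (k, d) prototype bank).
    sim_normal = F.cosine_similarity(seq_embedding.unsqueeze(0), normal_protos)
    sim_abnormal = F.cosine_similarity(seq_embedding.unsqueeze(0), abnormal_protos)

    # The sequence is flagged as abnormal when it is closer to an
    # abnormal prototype than to any normal prototype.
    is_anomaly = sim_abnormal.max() > sim_normal.max()
    proto_idx = (sim_abnormal if is_anomaly else sim_normal).argmax().item()
    return bool(is_anomaly), proto_idx

if __name__ == "__main__":
    # Toy usage with random vectors and hypothetical dimensions.
    torch.manual_seed(0)
    seq = torch.randn(64)
    print(detect_and_explain(seq, torch.randn(3, 64), torch.randn(2, 64)))
```

In a full implementation, the prototypes would be learned jointly with the sequence encoder and kept decodable so each one maps back to a human-readable prototypical sequence.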
