This is the
talk page for discussing improvements to the
Anomaly detection article. This is
not a forum for general discussion of the article's subject.
This article is within the scope of
WikiProject Databases, a project which is currently considered to be inactive.DatabasesWikipedia:WikiProject DatabasesTemplate:WikiProject DatabasesDatabases articles
This article is within the scope of WikiProject Computer science, a collaborative effort to improve the coverage of
Computer science related articles on Wikipedia. If you would like to participate, please visit the project page, where you can join
the discussion and see a list of open tasks.Computer scienceWikipedia:WikiProject Computer scienceTemplate:WikiProject Computer scienceComputer science articles
This article is within the scope of WikiProject Statistics, a collaborative effort to improve the coverage of
statistics on Wikipedia. If you would like to participate, please visit the project page, where you can join
the discussion and see a list of open tasks.StatisticsWikipedia:WikiProject StatisticsTemplate:WikiProject StatisticsStatistics articles
This article has been rated as Mid-importance on the
importance scale.
Requested move
The following discussion is an archived discussion of a
requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. No further edits should be made to this section.
The result of the move request was: No consensus. — Martin (
MSGJ ·
talk) 11:52, 14 July 2010 (UTC)reply
Anomaly detection → Outlier detection — Relisted.
Vegaswikian (
talk) 02:31, 2 July 2010 (UTC) As per
WP:COMMONNAME: it seems to me that "outlier" is much more common than "anomaly":
[1] are the top articles in data mining. Anomaly detection is only used in the title of #656 and #989 of the top 1000. "outlier" is #87, #108, #119, #123 (this is
Local Outlier Factor), #348, #353, #507, #620, #663, #772, #937, #948, #973, #974.
I have the impression that "anomaly detection" is more used in the network intrusion context, while outlier detection is in data mining maybe?
--
Chire (
talk) 13:33, 16 June 2010 (UTC)reply
Anomaly detection is used slightly more often in the scholarly literature, but the articles using outlier detection seem more highly cited. I'd say it's a toss up between the two.
Fences&Windows 19:32, 1 July 2010 (UTC)reply
Do you have some references using "anomaly detection" except the survey in the article?
ISBN1558609016 has a chapter 7.11 titled "Outlier Analysis", where all subpoints include "outlier detection" in their name. In
ISBN0387244352, chapter 7 is titled "outlier detection". Apart from my own experience (in the
KDD community, not in network intrusion) it is more common. It also seems to be in industry:
PMML seems to have an "outliers" XML attribute; "Oracle Data Mining Concepts"
[2] mentions "outliers" but not "anomaly".
Java Data Mining seems to use "outlier identification"
[3]. The only hit in the
WEKA wiki is for "outlier", too. --
Chire (
talk) 22:15, 6 July 2010 (UTC)reply
You're cherry-picking sources and assuming that data mining is the only use. Data security articles using "anomaly detection" in their thousands,
[4] and so do data mining articles, though less often.
[5]Fences&Windows 18:14, 11 July 2010 (UTC)reply
The above discussion is preserved as an archive of a
requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page. No further edits should be made to this section.
Need citation of independent sources
Thank you, 91.52.6.30. Your edits of the first paragraphs are a nice improvement. I noticed that you also removed the
citation needed tags I put on paragraph 2. I still feel that each of the 3 sentences in paragraph 2 make claims that should each be backed up by citations. What do other people think?
Karl (
talk) 13:38, 26 November 2012 (UTC)reply
I don't think this needs a reference. Port scans etc. do come in bursts. A lot of people in outlier detection seem to use the KDDCup1999 data set (which actually is flawed:
[6] and shouldn't be used). In the variant that I looked at, it had less than 20% "normal" entries, while the largest classes 52% smurf attacks, 18% neptune attacks. So in order to have this data set make sense for outlier detection, you clearly do need to aggregate the data set into something like host features etc. - i.e. detect bursts coming from such attacks. If you really need a reference, how about this one:
Paul Dokas, Levent Ertoz, Vipin Kumar, Aleksandar Lazarevic, Jaideep Srivastava, Pang-Nig Tan Data Mining for Network Intrusion Detection
There are generally two types of attacks in network intrusion detection: the attacks that involve single connections and the attacks that involve multiple connections (bursts of connections). The standard metrics (Table 1) treat all types of attacks similarly thus failing to provide sufficiently generic and systematic evaluation for the attacks that involve many network connections (bursty attacks). Therefore, two types of analysis may be applied; multi-connection attack analysis for bursty attacks and the single-connection attack analysis for single connection attacks.
I think this is a pretty sound reference (Vipin Kumar certainly is highly regarded) supporting that paragraph. I added it to the article. --
Chire (
talk) 11:45, 27 November 2012 (UTC)reply
Great reference. Thank you.
Karl (
talk) 12:21, 27 November 2012 (UTC)reply
Citation of Bayesian Network example is not correct
The citation given for the Bayesian Network example is the same one as given in the RNN example above it.
--
Dutugamunu (
talk) 15:39, 10 April 2020 (UTC)Dutugamunureply
Wiki Education assignment: INFO 505 - Foundations of Information Science
This article was the subject of a Wiki Education Foundation-supported course assignment, between 22 August 2023 and 11 December 2023. Further details are available
on the course page. Student editor(s):
SummerNightmare2023 (
article contribs). Peer reviewers:
CarpenterAnt.