Talk:Anomaly detection
This is the talk page for discussing improvements to the Anomaly detection article. This is not a forum for general discussion of the article's subject.
This article is rated Start-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:
Requested move
- The following discussion is an archived discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. No further edits should be made to this section.
The result of the move request was: No consensus. — Martin (MSGJ · talk) 11:52, 14 July 2010 (UTC)
Anomaly detection → Outlier detection — Relisted. Vegaswikian (talk) 02:31, 2 July 2010 (UTC) As per WP:COMMONNAME: it seems to me that "outlier" is much more common than "anomaly": [1] are the top articles in data mining. Anomaly detection is only used in the title of #656 and #989 of the top 1000. "outlier" is #87, #108, #119, #123 (this is Local Outlier Factor), #348, #353, #507, #620, #663, #772, #937, #948, #973, #974. I have the impression that "anomaly detection" is more used in the network intrusion context, while outlier detection is in data mining maybe? -- Chire (talk) 13:33, 16 June 2010 (UTC)
- Anomaly detection is used slightly more often in the scholarly literature, but the articles using outlier detection seem more highly cited. I'd say it's a toss up between the two. Fences&Windows 19:32, 1 July 2010 (UTC)
- Do you have some references using "anomaly detection" except the survey in the article? ISBN 1558609016 has a chapter 7.11 titled "Outlier Analysis", where all subpoints include "outlier detection" in their name. In ISBN 0387244352, chapter 7 is titled "outlier detection". Apart from my own experience (in the KDD community, not in network intrusion) it is more common. It also seems to be in industry: PMML seems to have an "outliers" XML attribute; "Oracle Data Mining Concepts" [2] mentions "outliers" but not "anomaly". Java Data Mining seems to use "outlier identification" [3]. The only hit in the WEKA wiki is for "outlier", too. --Chire (talk) 22:15, 6 July 2010 (UTC)
- You're cherry-picking sources and assuming that data mining is the only use. Data security articles use "anomaly detection" in their thousands,[4] and so do data mining articles, though less often.[5] Fences&Windows 18:14, 11 July 2010 (UTC)
- The above discussion is preserved as an archive of a requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page. No further edits should be made to this section.
Need citation of independent sources
Thank you, 91.52.6.30. Your edits of the first paragraphs are a nice improvement. I noticed that you also removed the citation needed tags I put on paragraph 2. I still feel that each of the 3 sentences in paragraph 2 makes claims that should each be backed up by citations. What do other people think? Karl (talk) 13:38, 26 November 2012 (UTC)
- I don't think this needs a reference. Port scans etc. do come in bursts. A lot of people in outlier detection seem to use the KDDCup1999 data set (which actually is flawed: [6] and shouldn't be used). In the variant that I looked at, it had less than 20% "normal" entries, while the largest classes were 52% smurf attacks, 18% neptune attacks. So in order to have this data set make sense for outlier detection, you clearly do need to aggregate the data set into something like host features etc. - i.e. detect bursts coming from such attacks. If you really need a reference, how about this one:
- "There are generally two types of attacks in network intrusion detection: the attacks that involve single connections and the attacks that involve multiple connections (bursts of connections). The standard metrics (Table 1) treat all types of attacks similarly thus failing to provide sufficiently generic and systematic evaluation for the attacks that involve many network connections (bursty attacks). Therefore, two types of analysis may be applied; multi-connection attack analysis for bursty attacks and the single-connection attack analysis for single connection attacks."
- Paul Dokas, Levent Ertoz, Vipin Kumar, Aleksandar Lazarevic, Jaideep Srivastava, Pang-Ning Tan: Data Mining for Network Intrusion Detection
- I think this is a pretty sound reference (Vipin Kumar certainly is highly regarded) supporting that paragraph. I added it to the article. --Chire (talk) 11:45, 27 November 2012 (UTC)
- Great reference. Thank you. Karl (talk) 12:21, 27 November 2012 (UTC)
Citation of Bayesian Network example is not correct
The citation given for the Bayesian Network example is the same one as given in the RNN example above it. -- Dutugamunu (talk) 15:39, 10 April 2020 (UTC)
Wiki Education assignment: INFO 505 - Foundations of Information Science
This article was the subject of a Wiki Education Foundation-supported course assignment, between 22 August 2023 and 11 December 2023. Further details are available on the course page. Student editor(s): SummerNightmare2023 (article contribs). Peer reviewers: CarpenterAnt.
— Assignment last updated by CarpenterAnt (talk) 16:33, 6 November 2023 (UTC)