Distributed online outlier detection in wireless sensor networks using ellipsoidal support vector machine

Yang Zhang, Nirvana Meratnia, Paul J.M. Havinga
Pervasive Systems Group, Department of Computer Science, University of Twente, PO Box 217, 7500 AE Enschede, The Netherlands

Ad Hoc Networks xxx (2012) xxx–xxx. http://dx.doi.org/10.1016/j.adhoc.2012.11.001
1570-8705/$ © 2012 Elsevier B.V. All rights reserved.
Corresponding author: Y. Zhang. E-mail address: [email protected]
Please cite this article in press as: Y. Zhang et al., Distributed online outlier detection in wireless sensor networks using ellipsoidal support vector machine, Ad Hoc Netw. (2012), http://dx.doi.org/10.1016/j.adhoc.2012.11.001

Article history: Received 29 September 2011; received in revised form 3 October 2012; accepted 7 November 2012; available online xxxx

Keywords: Outlier detection; Ellipsoidal support vector machine; Spatial correlation; Temporal correlation; Wireless sensor networks

Abstract

Low quality sensor data limits WSN capabilities for providing reliable real-time situation-awareness. Outlier detection is a solution to ensure the quality of sensor data. An effective and efficient outlier detection technique for WSNs not only identifies outliers in a distributed and online manner with high detection accuracy and low false alarm, but also satisfies WSN constraints in terms of communication, computational and memory complexity. In this paper, we take into account the correlation between sensor data attributes and propose two distributed and online outlier detection techniques based on a hyperellipsoidal one-class support vector machine (SVM). We also take advantage of the theory of spatio-temporal correlation to identify outliers and update the ellipsoidal SVM-based model representing the changed normal behavior of sensor data for further outlier identification. Simulation results show that our adaptive ellipsoidal SVM-based outlier detection technique achieves better detection accuracy and lower false alarm as compared to existing SVM-based techniques designed for WSNs.

1. Introduction

With the increasing advances of digital electronics and wireless communications, in the past decade a new breed of tiny embedded systems known as wireless sensor nodes has emerged. These wireless sensor nodes are equipped with sensing, processing, wireless communication, and more recently actuation capability. They usually are densely deployed in a wide geographical area and continuously measure various parameters (e.g. ambient temperature, relative humidity, soil moisture, wind speed) of the physical world. A large collection of these sensor nodes forms a wireless sensor network (WSN) [1].

Event-driven WSN applications [2,3] require timely data analysis and assessment in order to facilitate (near) real-time, efficient, and accurate critical decision making and situation awareness. Accurate sensor data analysis and decision making process rely heavily on the quality of sensor data as well as additional information and context. However, raw sensor observations collected from sensor nodes often have low data quality and reliability due to the limited capability of sensor nodes in terms of energy, memory, computational power, bandwidth, dynamic nature of network, and harshness of the deployment environment. Use of low quality sensor data in any data analysis and decision making process limits the possibilities for reliable real-time situation-awareness.

A solution to ensure the quality of sensor data is detection of outliers. In the context of WSNs, outliers are defined as those sensor observations that do not conform to the defined (expected) normal behavior of sensor data [4]. This definition indicates that a straightforward way for outlier detection in WSNs is to define a normal behavior of sensor data and consider those sensor observations that deviate from the defined normal behavior of sensor data as outliers. An effective and efficient outlier detection technique for WSNs should be able to identify outliers in a distributed and online manner with high detection accuracy and low false alarm, while satisfying WSN constraints in terms of communication, computational and memory complexity [5].


A commonly used method to model the normal behavior of given data vectors in data mining and machine learning fields is a similarity measure [18]. The majority of data vectors with high similarity represent the normal behavior of the given data vectors. Use of such a similarity measure avoids making any assumption on the statistical distribution of data and saves on the expensive computational and memory complexity of data distribution estimation. For multivariate sensor data, modeling the normal behavior of data precisely requires taking sensor data correlations into account [26]. In reality sensor data attributes are often correlated, e.g., ambient temperature has a certain correlation with relative humidity. Observations indicate that when the air is warmer it can hold more humidity [4]. As a result, the correlated sensor data vectors are not distributed around the center of mass in a spherical manner; instead their distribution has an ellipsoidal shape [6]. The direction of the formed ellipsoid reveals the multivariate nature of the data distribution trend as well as the strength of the correlation between data attributes.

In this paper, we simplify an ellipsoidal one-class SVM [7] to model the normal behavior of sensor data attributes in resource-constrained WSNs and propose two ellipsoidal one-class SVM-based outlier detection techniques to identify outliers in a distributed and online manner. In the process of detecting outliers, these two techniques also take advantage of the theory of spatio-temporal correlation to precisely detect outliers and changes of the normal behavior of sensor data. Furthermore, the proposed adaptive technique is able to update the ellipsoidal SVM-based model to represent changes of the normal behavior of sensor data for further outlier identification. Simulations with two synthetic datasets and one real environmental dataset from the Grand St. Bernard [8] show that our adaptive outlier detection technique achieves better detection accuracy and lower false alarm as compared to existing SVM-based outlier detection techniques [9,10,23,22] designed for WSNs.

The remainder of this paper is organized as follows. Related work on developing one-class SVM-based outlier detection in WSNs as well as in data mining and machine learning fields is described in Section 2. Principles of modeling the ellipsoidal one-class SVM classifier are addressed in Section 3. How to lower the complexity of the traditional hyperellipsoidal one-class SVM classifier to fit the requirements of WSNs is addressed in Section 4. Our proposed two ellipsoidal SVM-based outlier detection techniques are presented in Section 5. Simulation results and performance evaluation of our techniques with other existing SVM-based outlier detection techniques are reported in Sections 6 and 7. Finally this paper is concluded in Section 8 with plans for future research.

2. Related work

SVM-based techniques originate from the family of classification-based techniques in data mining and machine learning fields. The main idea of classification-based techniques is to learn a classifier using data vectors in the training phase and classify an unseen instance into one of the learned classes in the testing phase. SVM-based techniques specifically separate the data vectors belonging to different classes by fitting a hyperplane, which produces a maximal margin in a high-dimensional data space. SVM-based techniques are commonly used for the purpose of outlier detection because they have three main attractive advantages, i.e., they (i) do not require an explicit statistical model and complex parameter estimation, (ii) use an optimum solution to produce a more reliable normal boundary to precisely distinguish between normal data and outliers, and (iii) avoid the curse of data dimensionality problem for computing the similarity measure among data vectors.

However, traditional SVM-based outlier detection techniques suffer from two disadvantages: (i) they require error-free or labeled data for training, and (ii) they require a computationally expensive quadratic optimization. One-class (unsupervised) SVM-based techniques can solve the first disadvantage as they can model the normal behavior of the unlabeled data while ignoring the anomalies existing in the training set. Their main idea is to use a non-linear function to map the data vectors collected from the original input space to a higher dimensional space called feature space. Then a decision boundary of normal data is found, which encompasses the majority of data vectors in the feature space. Those data vectors falling outside the normal boundary are classified as outliers. To this end, Schölkopf et al. [11] have proposed a hyperplane-based one-class SVM, which identifies outliers by fitting a hyperplane from the origin. Those data vectors near the origin are declared as outliers. Tax and Duin [12] have proposed a hypersphere-based one-class SVM, which identifies outliers by fitting a hypersphere with a minimum radius. Those data vectors falling outside the hypersphere are declared as outliers. Wang et al. [7] have proposed a hyperellipsoid-based one-class SVM, which identifies outliers by fitting multiple hyperellipsoids with minimum effective radii. Those data vectors falling outside the hyperellipsoids are declared as outliers. However, these one-class SVM-based techniques still require a computationally expensive quadratic optimization.

In order to reduce high computational cost of the quadratic optimization, Campbell and Bennett [13] have formulated a linear programming approach for the hyperplane-based SVM proposed in [11], which is based on attracting the hyperplane towards the average of the distribution of mapped data vectors. Laskov et al. [14] have extended work in Tax and Duin [12] by proposing a quarter-sphere one-class SVM, which converts the quadratic optimization problem to a linear optimization problem by fitting a hypersphere centered at the origin, and consequently reduces computational complexity of learning the normal boundary of data vectors.

Rajasegarar et al. [9] use the quarter-sphere one-class SVM proposed in [14] to present a distributed outlier detection technique for WSNs. In their technique, each node analyzes sensor data in an offline manner only after all observations are collected within a day, which obviously causes a considerable outlier detection delay. This is not suitable for detecting outliers in critical real-time applications of WSNs. Rajasegarar et al. [10] have further extended work in [7,14] by proposing a hyperellipsoidal one-class SVM using a linear optimization. However, this technique is neither distributed nor online. It only operates in a single location in an offline manner.

In this paper, we propose two distributed and online outlier detection techniques based on a simplified hyperellipsoidal one-class SVM using a linear optimization. Our techniques are able to identify outliers online and adapt to changes of the normal behavior of sensor data in real-time.

3. Principles of modeling hyper-ellipsoid one-class SVM

In this section, we describe the principles of modeling the hyperellipsoidal one-class SVM proposed in [7] for multivariate data vectors and further compare the differences between hyper-ellipsoid SVM and hyper-sphere SVM.

3.1. Modeling hyper-ellipsoid one-class SVM

The quadratic optimization problem of modeling the hyperellipsoidal SVM classifier has been converted to a linear optimization problem in [10] by fixing the center of mapped data vectors in the feature space at the origin. The geometry of the hyperellipsoidal one-class SVM-based approach is shown in Fig. 1. The general process of modeling the hyperellipsoidal SVM classifier for multivariate data vectors is addressed below.

Assume that $m$ data vectors $\{x_i \in \mathbb{R}^d,\ i = 1, \ldots, m\}$ of $d$ variables in the input space are mapped into the feature space using some non-linear mapping function $\phi$. The hyperellipsoidal SVM aims at enclosing the majority of mapped data vectors $\phi(x_i)$ in the feature space by fitting a hyperellipsoid centered at the origin with a minimum effective radius $R$. Thus, the optimization problem in this hyperellipsoidal SVM classifier is represented as:

$$\min_{R \in \mathbb{R},\ \xi \in \mathbb{R}^m} \; R^2 + \frac{1}{\nu m} \sum_{i=1}^{m} \xi_i \tag{1}$$

$$\text{subject to: } \phi(x_i)\, \Sigma^{-1} \phi(x_i)^T \le R^2 + \xi_i, \quad \xi_i \ge 0, \quad i = 1, 2, \ldots, m$$

where $\nu \in (0,1)$ is a parameter that controls the fraction of mapped data vectors that can be outliers. The slack variables $\{\xi_i : i = 1, 2, \ldots, m\}$ allow some of the mapped data vectors to lie outside the hyperellipsoid. $\Sigma^{-1}$ is the inverse of the covariance matrix $\Sigma$ of mapped data vectors, which is computed as follows:

$$\Sigma = \frac{1}{m} \sum_{i=1}^{m} (\phi(x_i) - \mu)(\phi(x_i) - \mu)^T, \qquad \mu = \frac{1}{m} \sum_{i=1}^{m} \phi(x_i) \tag{2}$$

Fig. 1. Geometry of the hyper-ellipsoidal formulation of one-class SVM [10].

Using Mercer kernels [15], the inner products of mapped data vectors in the feature space can be computed in the input data space without needing any knowledge about the non-linear function $\phi$. Let $K \in \mathbb{R}^{m \times m}$ be the kernel matrix of the original data vectors. Mapped data vectors can be centered in the feature space by subtracting the mean. Then the centered kernel matrix $K_c$ can be obtained in terms of the kernel matrix $K$ using $K_c = K - 1_m K - K 1_m + 1_m K 1_m$, where $1_m$ is the $m \times m$ matrix with all its values equal to $\frac{1}{m}$.

The eigenstructure of $K_c$ is denoted by $K_c = A \Omega A^T$, where $\Omega$ is a diagonal matrix with positive eigenvalues as the diagonal elements. $A$ is the eigenvector matrix corresponding to the positive eigenvalues [16]. Hence the covariance matrix $\Sigma$ can be denoted as $\Sigma = \left(\Omega^{-\frac{1}{2}} A \phi(x)^T\right) \left(\frac{\Omega}{m}\right) \left(\Omega^{-\frac{1}{2}} A \phi(x)^T\right)^T$, where $X$ is the data vectors in feature space. By calculating the pseudo inverse $\Sigma^{+}$, we can approximate $\Sigma^{-1}$ as $\Sigma^{-1} = \Sigma^{+} = m X^T A \Omega^{-2} A^T X$ [7]. Consequently, Eq. (1) will become:

$$\min_{R \in \mathbb{R},\ \xi \in \mathbb{R}^m} \; R^2 + \frac{1}{\nu m} \sum_{i=1}^{m} \xi_i \tag{3}$$

$$\text{subject to: } \left\| \sqrt{m}\, \Omega^{-1} A^T K_c^i \right\|^2 \le R^2 + \xi_i, \quad \xi_i \ge 0, \quad i = 1, 2, \ldots, m$$

where $K_c^i$ is the $i$th column of the kernel matrix $K_c$. Using a similar Lagrange function and derivations, the dual formulation of the hyper-ellipsoidal SVM finally becomes a linear optimization problem represented as:

$$\min_{\alpha \in \mathbb{R}^m} \; -\sum_{i=1}^{m} \alpha_i \left\| \sqrt{m}\, \Omega^{-1} A^T K_c^i \right\|^2 \tag{4}$$

$$\text{subject to: } \sum_{i=1}^{m} \alpha_i = 1, \quad 0 \le \alpha_i \le \frac{1}{\nu m}, \quad i = 1, 2, \ldots, m$$

Those data vectors with $\alpha_i = 0$ falling inside the hyperellipsoid will be considered as normal. Those data vectors with $0 < \alpha_i < \frac{1}{\nu m}$ will reside on the surface of the hyperellipsoid. Their distances to the hyperellipsoidal center indicate the minimum effective radius $R$, which can be obtained by calculating $R^2 = \left\| \sqrt{m}\, \Omega^{-1} A^T K_c^i \right\|^2$ for any margin support vectors. Those data vectors with $\alpha = \frac{1}{\nu m}$ whose distances to the origin are larger than $R$ of the hyperellipsoid are considered as outliers.

3.2. Hyper-ellipsoid SVM vs. hyper-sphere SVM

Both hyper-ellipsoid SVM and hyper-sphere SVM are used to model the normal behavior of given data vectors. A significant difference between these two SVMs is that they use different distance measures to determine the similarity of data vectors before modeling the normal behavior of the data vectors. More specifically, hyper-sphere SVM uses Euclidean distance (ED) while hyper-ellipsoid SVM uses Mahalanobis distance (MD). These two distance measures are both commonly used to measure the similarity between any two data vectors [17]. Euclidean distance does not consider the correlation between attributes but calculates the distance in terms of individual attributes. On the contrary, Mahalanobis distance considers the correlation between attributes and calculates the distance by combining all attributes together. Consequently, the correlation between attributes learned by Mahalanobis distance can be represented by the covariance matrix, where the variance of a variable itself and the covariance between any two variables are included. Formally, the Mahalanobis distance of given multivariate data vectors $x = (x_1, x_2, x_3, \ldots, x_N)$ with mean $\mu = (\mu_1, \mu_2, \mu_3, \ldots, \mu_N)$ and covariance matrix $\Sigma$ is defined as:

$$MD(x) = \sqrt{(x - \mu)\, \Sigma^{-1} (x - \mu)^T} \tag{5}$$

If the covariance matrix $\Sigma$ is the identity matrix $I$, where all diagonal elements are set to 1, Mahalanobis distance reduces to the Euclidean distance for two data vectors $x$ and $y$ and is represented as:

$$ED(x, y) = \sqrt{\sum_{i=1}^{N} (x_i - y_i)^2} \tag{6}$$

Compared to Euclidean distance, Mahalanobis distance, which takes into account both distances from the center of mass and the direction, has a better understanding of multivariate data structure. This is due to the fact that Euclidean distance is blind to attribute correlation and assumes all data vectors have equal distance from the center of mass. Moreover, Mahalanobis distance is scale-invariant, meaning that it is insensitive to the scale of data attributes, while Euclidean distance is extremely sensitive to the scale of data attributes. However, the computational and memory complexity of Mahalanobis distance is much higher than Euclidean distance due to computation of the covariance matrix. Table 1 presents the major differences between these two distance measures.

Using Euclidean distance as similarity measure would generate a sphere in 2-D data space, where data vectors are equally distributed around the center of mass. Using Mahalanobis distance as similarity measure, however, would generate an ellipse in the 2-D data space, where data vectors are distributed in a directional linear trend [18] indicating the correlation between variables. These two different shapes actually define the normal behavior of data vectors. We here introduce an example to represent the results of outliers using these two shapes. Fig. 2 illustrates the normal behavior of data vectors modeled by hyper-ellipsoid SVM and hyper-sphere SVM using corresponding distance measures. It can be clearly seen that those outliers detected by the sphere may not be considered as outliers by the ellipse (e.g., point B); whereas, those data vectors that are not declared as outliers may be considered as outliers by the ellipse (e.g., point A). Therefore, using an appropriate shape and its corresponding distance measure to model the normal behavior of data vectors is significantly important for accurate outlier detection. The choice of using Euclidean distance or Mahalanobis distance depends on data characteristics and application requirements.

Table 1. Comparison between hyper-ellipsoid SVM and hyper-sphere SVM.

| Classifiers | Distance measure | Characteristics | Shape |
|---|---|---|---|
| Hyper-ellipsoid SVM | Mahalanobis distance | Considers attribute correlation; scale-insensitive; high complexity | Ellipse |
| Hyper-sphere SVM | Euclidean distance | Ignores attribute correlation; scale-sensitive; low complexity | Sphere |

Fig. 2. Use of Mahalanobis distance and Euclidean distance as similarity measure. Mahalanobis distance generates an ellipse while Euclidean distance generates a sphere at 2-D space.

Fig. 3. Example of a sensor sub-network.

4. Fitting hyper-ellipsoid one-class SVM modeling to resource-constraint WSNs

In the previous section, we compared hyper-ellipsoid SVM and hyper-sphere SVM regarding modeling the normal behavior of data vectors and identifying outliers. We are aware that modeling hyper-ellipsoid SVM has high computational and memory complexity due to the fact that it considers attribute correlation, generates the kernel matrix, and requires the transformation of the central kernel matrix. To reduce the cost of modeling hyper-ellipsoid SVM in the feature space, we instead model hyper-ellipsoid SVM in the input space and fix the center of the hyperellipsoid at the origin. To do so, raw sensor data first has to be transformed to a more symmetric data distribution using the Box–Cox method [19]. Then, because Mahalanobis distance is scale-invariant, the data vectors can be centered at the origin just by subtracting the mean. For a transformed data vector $x'_i$, its mean-centered value is formulated as $x''_i = (x'_i - \mu)$. Considering that mean-centered values may be sensitive to outliers, we replace the arithmetic mean by the median.

After the above data preprocessing, the data vectors are centered at the origin in the input space, which lowers the computational and memory complexity of modeling hyper-ellipsoid SVM in the feature space. Consequently, the dual formulation of Eq. (4) in the input space will be simplified to:

$$\min_{\alpha \in \mathbb{R}^m} \; -\sum_{i=1}^{m} \alpha_i \left( x''_i\, \Sigma^{-1} x''^{T}_i \right) \tag{7}$$

$$\text{subject to: } \sum_{i=1}^{m} \alpha_i = 1, \quad 0 \le \alpha_i \le \frac{1}{\nu m}, \quad i = 1, 2, \ldots, m$$

where $x''_i\, \Sigma^{-1} x''^{T}_i$ represents the Mahalanobis distances of mean-centered data vectors in the input space from the origin. We further present a basic decision function to determine whether a newly arriving sensor observation $x$ is an outlier using the modeled hyper-ellipsoid SVM in the input space. According to Eq. (7), the decision function can be formulated as:

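$$f(x) = \operatorname{sgn}\left(R^2 - d(x'')^2\right) = \operatorname{sgn}\left(R^2 - x''\, \Sigma^{-1} x''^{T}\right) = \operatorname{sgn}\left(R^2 - \left\| \Sigma^{-\frac{1}{2}} x''^{T} \right\|^2\right) \tag{8}$$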

where $R^2$ is the square of the effective radius of the hyperellipsoid and can be computed by the inner product of any margin support vectors in the input space. Those observations with a negative value are classified as outliers since their squared distances from the origin, which depend on the direction in the input space, are larger than $R^2$. It can be seen from Eqs. (4) and (7) that the computation of the decision function in the input space is cheaper than in the feature space. Also, modeling hyper-ellipsoid SVM in the input space solves the problem of impossible calculation of the inverse matrix of $\Sigma$ when $\Sigma$ is singular [19].
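The following added example (not code from the paper) fits the input-space model of Section 4 on one node's window and applies the decision function of Eq. (8), next to a sphere fitted the same way with the covariance replaced by the identity, which reproduces the point A / point B contrast of Section 3.2. The window is constructed data, the Box–Cox step is assumed to be already applied, and all function names are illustrative; the squared radius is read off by sorting because the linear program of Eq. (7) places the maximum weight 1/(νm) on the largest distances.

```python
from statistics import median


def solve(a, b):
    """Solve a*y = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    aug = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("covariance matrix is singular")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [v - f * p for v, p in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def dist2(x, center, cov):
    """Squared distance x'' Sigma^-1 x''^T of x from the model center."""
    c = [xi - ci for xi, ci in zip(x, center)]
    return sum(ci * yi for ci, yi in zip(c, solve(cov, c)))


def fit(window, nu, ellipsoid=True):
    """Fit center (median), covariance and squared effective radius R^2."""
    m, d = len(window), len(window[0])
    center = [median(x[j] for x in window) for j in range(d)]
    if ellipsoid:
        cen = [[x[j] - center[j] for j in range(d)] for x in window]
        cov = [[sum(c[j] * c[k] for c in cen) / m for k in range(d)]
               for j in range(d)]
    else:
        # Identity covariance: Mahalanobis distance reduces to Euclidean.
        cov = [[1.0 if j == k else 0.0 for k in range(d)] for j in range(d)]
    d2 = sorted((dist2(x, center, cov) for x in window), reverse=True)
    # Optimum of the LP in Eq. (7): the floor(nu*m) largest distances get
    # alpha = 1/(nu*m); the next vector is the margin support vector and its
    # distance is R^2. If nu*m is an integer the LP is degenerate; taking the
    # same index is a choice made for this example.
    k = min(int(nu * m), m - 1)
    return {"center": center, "cov": cov, "r2": d2[k]}


def decide(model, x):
    """Eq. (8): +1 for a normal observation, -1 for an outlier."""
    d2 = dist2(x, model["center"], model["cov"])
    return 1 if model["r2"] - d2 >= 0 else -1


def training_outliers(model, window):
    """Observations of the training window that fall outside the boundary."""
    return [x for x in window if decide(model, x) == -1]


# Constructed window of (temperature, relative humidity) readings: humidity
# follows temperature with slope 2, plus two off-trend readings at 25 degrees.
WINDOW = [(25.0 + u, 50.0 + 2.0 * u + v)
          for u in range(-4, 5) for v in (-0.5, 0.0, 0.5)]
WINDOW += [(25.0, 53.0), (25.0, 47.0)]

ELLIPSE = fit(WINDOW, nu=0.1)
SPHERE = fit(WINDOW, nu=0.1, ellipsoid=False)
POINT_A = (25.0, 52.0)   # close to the center but off the correlation trend
POINT_B = (29.1, 58.2)   # on the trend, just past the hottest readings

if __name__ == "__main__":
    for name, p in (("A", POINT_A), ("B", POINT_B)):
        print(name, "ellipse:", decide(ELLIPSE, p), "sphere:", decide(SPHERE, p))
    print("flagged in window:", training_outliers(ELLIPSE, WINDOW))
```

With ν = 0.1 and m = 29 the two off-trend readings carry the maximum weight and are excluded from the boundary, so they do not inflate the radius used for later observations.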

5. Proposed ellipsoidal SVM-based outlier detection techniques

In this section, we propose our distributed and online outlier detection techniques using the addressed simplified hyper-ellipsoid SVM model to identify outliers online and detect changes of the normal behavior of sensor data in real-time.

Let us first consider a small sensor sub-network, which can be easily extended to a cluster-based or a hierarchical network topology. This sub-network consists of $n$ densely deployed sensor nodes $\{s_1, \ldots, s_n\}$, in which observations are made at (nearly) equal time intervals and all nodes directly communicate with each other. Moreover, spatial and temporal correlations are assumed to exist in sensor observations collected in this sub-network. Fig. 3 illustrates an example of such a sub-network.

At a time instant $t$, $x(s_1, t), \ldots, x(s_n, t)$ denote data vectors measured at nodes $s_1, \ldots, s_n$, respectively. Each data vector at the corresponding node is composed of multiple attributes $x_l(s_i, t)$, where $x_l(s_i, t) = \{x_l(s_i, t) : i = 1, \ldots, n,\ l = 1, \ldots, d\}$ and $x(s_i, t) \in \mathbb{R}^d$.

According to the requirements of applications, outliers can be identified as local outliers or global outliers. Local outliers represent those outliers that are detected at an individual sensor node only using its local data. Global outliers represent those outliers that are detected in a more global perspective [24] by considering a cluster of sensor nodes. Specifically, global outliers can be identified at a parent node, cluster-head node, or even a central station, by collecting data from its assigned sensor nodes. Alternatively, global outliers can be identified at an individual sensor node using a well-defined normal behavior of sensor data, which is modeled in a global view. In this paper, we use this strategy in our outlier detection techniques to identify global outliers at an individual sensor node. One should note that a local outlier may not be identified as a global outlier and vice versa [5]. For instance, a local outlier is an observation collected by a sensor node that is significantly different with respect to other observations of this sensor node, but may not be a global outlier in a global view of a cluster of neighboring nodes.

5.1. Ellipsoidal SVM-based online outlier detection technique (EOOD)

Our ellipsoidal SVM-based online outlier detection technique (EOOD) enables each node to determine its every new observation as normal or outlier in real-time. Specifically, each node models its own hyper-ellipsoid SVM after collecting sensor data during a time interval. As a result, each node obtains the effective radius of the modeled hyperellipsoid together with the median and the covariance matrix of centered data. Based on temporal correlation of sensor data, each node uses the modeled hyper-ellipsoid SVM to determine whether its newly arrived observations are normal or outliers in the time domain. Moreover, each node communicates the effective radius of the modeled hyperellipsoid, the median and the covariance matrix parameters with its neighboring nodes to cooperatively identify outliers based on spatial correlation of sensor data. The main steps of EOOD are:

• Step 1. Each node $s_i$ models its own hyper-ellipsoid SVM for m sequential observations and then calculates the effective radius $R_i$ as well as the corresponding parameters of the median and the covariance matrix of centered data. Then the local outliers at each sensor node $s_i$ can be determined in real-time by comparing the distances between new arrived observations and the origin with $R_i$ using Eq. (8).

• Step 2. Each node $s_i$ communicates its parameters, i.e., $R_i$ as well as the median and the covariance matrix to its neighbors. $R_i$ and the median are transmitted by 1 element, respectively. For the covariance matrix, each node $s_i$ only needs to transmit d(d + 1)/2 elements due to the fact that the covariance matrix is symmetric, where d is the dimension of a sensor observation.

• Step 3. Each node $s_i$ collects these $R_i$, median and covariance matrix parameters from its neighbors and combines these parameters together with its own $R_i$, median and covariance matrix. Specifically, these effective radii and medians are merged by arithmetic average and these covariance matrixes need to be merged by the formula used in [6]. These merged parameters are denoted as the global effective radius $R_g$, the global median, and the global covariance matrix $\Sigma_g$.

• Step 4. Each node $s_i$ uses these global parameters to determine the global outlierness of its new arrived observations in real-time. For a new observation x, the decision function indicating whether it is a global outlier in the input space can be defined as:

$$f(x) = \operatorname{sgn}\left(R_g^2 - \left\| \Sigma_g^{-1/2}\, x''^{T} \right\|\right) \qquad (9)$$

EOOD scales well with the increased number of nodes due to its distributed processing nature. It updates the global parameters by communicating among neighboring nodes at the end of each time interval. It lowers communication overhead and computational complexity, in particular because no actual observations need to be transmitted between sensor nodes, only the required parameters, i.e., $R_i$, median and covariance matrix.

EOOD can detect the change of the normal behavior between two consecutive time windows when most of the observations measured in the second time window are detected as outliers. However, EOOD cannot detect changes of the normal behavior of data within one time window or adapt to a new normal behavior of sensor data, because it does not update the existing SVM model until the end of the entire time window. In this way, EOOD may suffer from a possibly high rate of false alarm when new observations that arrive in the same time window and represent a new normal behavior of sensor data are detected as outliers. In order to alleviate this problem, our adaptive outlier detection technique incorporates new arrived observations and updates the modeled hyper-ellipsoid SVM for more reliable outlier detection.

5.2. Ellipsoidal SVM-based adaptive outlier detection technique (EAOD)

Our ellipsoidal SVM-based adaptive outlier detection technique (EAOD) enables each node to detect changes of the normal behavior of sensor data within a time window based on decision results achieved in a sliding window and then update the ellipsoidal SVM-based model to represent the changed normal behavior of sensor data for further outlier detection. The use of the sliding window in EAOD is to incorporate new arrived observations and meanwhile remove the oldest observations. Consequently, the hyper-ellipsoid SVM can be updated using the observations representing a change of the normal behavior in the sliding window. Initially the sliding window includes all m sequential observations for modeling a hyper-ellipsoid SVM.

Before describing when and how to detect a new normal behavior using the sliding window, we recall the parameter $\nu$, which is very important to model a hyper-ellipsoid SVM in Eq. (1). It controls the fraction of data vectors that can be outliers and it significantly impacts the performance of one-class SVM-based outlier detection techniques. The $\nu$ actually denotes the upper bound on the fraction of detected outliers in a dataset [11], which indicates the maximum number of outliers allowed by a SVM model. In this way, if the fraction of outliers detected by the hyper-ellipsoid SVM model exceeds the given upper bound within a time period, it indicates that a new normal behavior has emerged and that the previously modeled SVM is no longer suitable to represent the current normal behavior of sensor data, so it needs to be updated. On the other hand, we consider reducing the computational and communication cost of updating the SVM model and being able to compare the performance of our outlier detection techniques with the existing techniques described in [9,10,23]. Thus our proposed EAOD decides to update the modeled hyper-ellipsoid SVM when the same amount of m new sequential observations inserted in the sliding window is instantly detected as normal or outlier and also the fraction of detected outliers in this sliding window exceeds the given upper bound ($\nu$).

After detecting a new arriving observation as normal or outlier, each node does not immediately update the effective radius (R) of the model but instead only updates the median and covariance matrix [21] of the changed sliding window, in which the oldest observation is removed and replaced by the new observation, for further outlier detection. There is no need for communication among nodes until the effective radius (R) of the model changes. One should note that all new arrived observations, regardless of being detected as normal or outlier, can be incorporated into the sliding window due to the fact that the parameter $\nu$ of the one-class SVM model allows anomalous observations in the training set. Moreover, removing anomalous observations from the set would bias the normal boundary of the one-class SVM model [20]. When all new observations are instantly detected as normal or outlier and inserted in the entire sliding window, each node checks if the fraction of detected outliers exceeds the given upper bound ($\nu$). If so, a new normal behavior is detected in this sliding window and the SVM model needs to be updated, i.e., the effective radius R. After the hyper-ellipsoid SVM is updated, each observation in the sliding window can be labeled as normal or outlier using the updated SVM model and Eq. (9).

EAOD enables robust detection of outliers using sequential observations and also detects changes of the normal behavior of sensor data for reliable outlier detection. It recognizes the previously detected outliers as the indication of a new normal behavior and reduces the false alarm rate in EOOD. Moreover, EAOD is efficient in terms of communication and requires less computational time. Fig. 4 illustrates the update policy of EAOD. The corresponding pseudocode for EAOD is shown in Table 2.
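The EAOD update policy described above, as an added Python example on a single node (not code from the paper): a frozen model, standing for EOOD within one time window, is run beside the adaptive one on a constructed stream whose normal behavior shifts. Assumptions: the radius is fitted as the (1 − ν) quantile of window distances in place of the linear program of Eq. (1), the decision compares d(x) with R as in Table 2, neighbor merging is left out, and all names and the shifted mean (0.60, 0.60) are hypothetical.

```python
import math
import random
import statistics
from collections import deque


def median_and_cov(window):
    """Component-wise median and covariance of the median-centred window."""
    d, n = len(window[0]), len(window)
    med = [statistics.median(x[j] for x in window) for j in range(d)]
    cov = [[sum((x[a] - med[a]) * (x[b] - med[b]) for x in window) / (n - 1)
            for b in range(d)] for a in range(d)]
    for a in range(d):
        cov[a][a] += 1e-12  # tiny ridge keeps a degenerate window factorisable
    return med, cov


def cholesky(cov):
    """Lower-triangular L with L * L^T = cov."""
    d = len(cov)
    L = [[0.0] * d for _ in range(d)]
    for i in range(d):
        for j in range(i + 1):
            s = cov[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            L[i][j] = math.sqrt(s) if i == j else s / L[j][j]
    return L


def distance(x, med, L):
    """d(x) = ||Sigma^(-1/2) (x - med)||, obtained by solving L z = x - med."""
    z = []
    for i in range(len(x)):
        s = x[i] - med[i] - sum(L[i][k] * z[k] for k in range(i))
        z.append(s / L[i][i])
    return math.sqrt(sum(v * v for v in z))


class Node:
    """One sensor node; adaptive=False keeps the initial model frozen (EOOD-like)."""

    def __init__(self, training, nu, adaptive):
        self.m, self.nu, self.adaptive = len(training), nu, adaptive
        self.window = deque(training, maxlen=self.m)  # sliding window of m points
        self.flags = deque(maxlen=self.m)             # decisions for last m arrivals
        self.since_check = 0
        self.refits = 0
        self._update_shape()
        self._fit_radius()

    def _update_shape(self):
        self.med, cov = median_and_cov(self.window)
        self.L = cholesky(cov)

    def _fit_radius(self):
        # Assumption: quantile stand-in for the linear-program fit of Eq. (1);
        # at most a fraction nu of the window lies outside radius R.
        dists = sorted(distance(x, self.med, self.L) for x in self.window)
        self.R = dists[math.ceil((1 - self.nu) * len(dists)) - 1]

    def observe(self, x):
        outlier = distance(x, self.med, self.L) > self.R  # Table 2: d(x) > R
        if self.adaptive:
            self.window.append(x)      # oldest observation drops out
            self._update_shape()       # median and covariance only, R unchanged
            self.flags.append(outlier)
            self.since_check += 1
            if self.since_check == self.m:            # m new observations collected
                self.since_check = 0
                if sum(self.flags) / self.m > self.nu:
                    self._fit_radius()                # new normal behaviour: update R
                    self.refits += 1
        return outlier


def gaussian_points(rng, centre, sd, n):
    return [(rng.gauss(centre[0], sd), rng.gauss(centre[1], sd)) for _ in range(n)]


def false_alarm_rates(adaptive, seed=7, m=100, nu=0.05):
    """Constructed 2-D stream: m training points, then 3m points of a new normal
    behaviour, so every flag raised on the stream is a false alarm."""
    rng = random.Random(seed)
    training = gaussian_points(rng, (0.35, 0.35), 0.03, m)
    shifted = gaussian_points(rng, (0.60, 0.60), 0.03, 3 * m)
    node = Node(training, nu, adaptive)
    flags = [node.observe(x) for x in shifted]
    return sum(flags[:m]) / m, sum(flags[m:]) / (2 * m), node.refits


if __name__ == "__main__":
    for adaptive in (False, True):
        first, later, refits = false_alarm_rates(adaptive)
        print(f"adaptive={adaptive}: first window {first:.2f}, "
              f"later {later:.2f}, radius updates {refits}")
```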

6. Simulation results

This section describes simulation results of our EOOD and EAOD, compared to the spherical SVM-based adaptive outlier detection technique (SAOD) we proposed in [22], and the ellipsoidal SVM-based batch outlier detection technique (EBOD) and the spherical SVM-based batch outlier detection technique (SBOD) presented in Rajasegarar et al. [9,10,23]. Our proposed SAOD in [22] uses the quarter-sphere one-class SVM to model the normal behavior of sensor data. It takes a similar strategy to EAOD to detect changes of the normal behavior of sensor data and update the modeling quarter-sphere SVM for reliable outlier detection.

As we described before, EBOD and SBOD proposed in [9,10,23] cause a considerable outlier detection delay, because each node analyzes sensor data in an offline manner only after all observations are collected within a day. They also do not provide online outlier detection for new arriving observations. More specifically, EBOD is neither online nor distributed. It only identifies outliers in a single node without any parameter or raw data exchange so that the achieved outlier detection results are not sufficiently reliable in case of node failure. SBOD uses the quarter-sphere one-class SVM for distributed outlier detection but exchanges only radius information among neighboring nodes for outlier detection while ignoring the other important modeling parameters, i.e., the mean and the standard deviation. These modeling parameters of the quarter-sphere SVM contribute to more reliable outlier detection results. Furthermore, EBOD and SBOD, which model the SVM in the feature space, need the generation of the kernel matrix and the transformation of the centered kernel matrix, so they bring very high computational and memory complexity for WSNs.

The goals of our simulation in this section are threefold, i.e., (i) to test the accuracy of our distributed and online outlier detection techniques compared to the existing SVM-based outlier detection techniques and their robustness in terms of parameter selection, (ii) to compare the accuracy between ellipsoidal and spherical SVM-based outlier detection techniques, and (iii) to investigate the impact of three commonly used labeling techniques, i.e., Mahalanobis distance, density and running average, on the performance of outlier detection techniques.

Fig. 4. The update policy of EAOD. The circles represent sensor observations. The sliding window is composed of the last m observations. The black dot represents the observation identified at current time t.

6.1. Simulation datasets

In our simulation, we use two synthetic datasets as well as a real dataset gathered at the Grand St. Bernard [8]. The synthetic datasets we used are similar to the one used in [24]. We consider a sensor sub-network consisting of seven sensor nodes, as illustrated in Fig. 3, which can be within radio transmission range of each other or communicate with a cluster-head in this sub-network.

The first 2-D synthetic dataset is composed of 200 data vectors for each node having a mixture of three Gaussian distributions with uniform distribution of outliers. The mean value of this dataset is randomly selected from (0.32, 0.35, 0.38) while the standard deviation is set to be 0.03. Subsequently, 10 uniform outliers (i.e., 5% of the normal data) are introduced and uniformly distributed in the [0.5, 1] interval. The total number of the data vectors in this dataset is 2940 including the 5% outliers. Fig. 5 illustrates the data distribution of dataset of a single node.

The second 2-D synthetic dataset changes the mean of a mixture of three Gaussian distributions into (0.25, 0.35, 0.45). The standard deviation is still 0.03 and 5% (of the normal data) anomalous data is introduced and uniformly distributed in the [0.5, 1] interval. Fig. 5 illustrates the data distribution of dataset of a single node. These two synthetic datasets aim to evaluate the accuracy of ellipsoidal and spherical SVM-based outlier detection techniques for different data distributions.

The real dataset is collected from the small cluster of neighboring sensor nodes, i.e., nodes 25, 28, 29, 31, 32 at the Grand St. Bernard, as illustrated in Fig. 6. In our simulations, we test the real data collected during the period of 6am–14am on 1st October 2007 with two attributes: ambient temperature and relative humidity for each sensor observation. We label this dataset using three different labeling techniques, i.e., Mahalanobis distance, density and running average. Labeling results of applying these labeling techniques are illustrated in Fig. 7. More details about labeling techniques for sensor data can be found in [25].

6.2. Simulation results

We evaluate two important accuracy metrics, (i) the detection rate (DR), which represents the percentage of outliers that are correctly detected, and (ii) the false alarm rate, also known as false positive rate (FPR), which represents the percentage of normal data that are incorrectly considered as outliers. DR represents the ratio between the number of correctly detected outliers and the total number of outliers, while FPR represents the ratio between the number of normal data detected as outliers and the total number of normal data.


Table 2
Pseudocode of EAOD.

```text
procedure ModellingSVMProcess()
    each node models the hyper-ellipsoid SVM;
    each node locally broadcasts the modeled hyper-ellipsoid Ri as well as the median
        and the covariance matrix to its spatially neighboring nodes;
    each node then computes the global Rg as well as the global median and covariance matrix;
    initiate OutlierDetectionProcess(Rg, the global median and covariance matrix);
    return;

procedure OutlierDetectionProcess(Rg, the global median and covariance matrix)
    when x(t) arrives
        compute d(x);
        if (d(x) > Rg)
            x(t) indicates an outlier;
        else
            x(t) indicates a normal observation;
        endif;
        initiate UpdatingSVMProcess(x(t));
        set t ← t + 1;
        if (m data observations are collected)
            if (the fraction of detected outliers > the given upper bound (ν))
                update the SVM model for outlier detection of (x(t − m + 1) ... x(t));
            endif;
        endif;
    return;

procedure UpdatingSVMProcess(x(t))
    update the sliding window: the oldest observation x(t − m) is removed and replaced by x(t);
    update the median and the covariance matrix of the sliding window;
    return;
```

Fig. 5. (left) Data plot for a single node with spherical data distribution and (right) data plot for a single node with ellipsoidal data distribution. [Plots not reproduced; both panels plot Attribute 1 against Attribute 2, with normal data and outliers marked.]

We also examine the effect of the regularization parameter $\nu$ for EBOD, SBOD, EOOD, EAOD and SAOD in the input space. Since it represents the fraction of data vectors that can be outliers, a larger value of $\nu$ results in a better detection rate; however, it can lead to a higher false alarm rate. The value of $\nu$ is usually chosen based on a priori knowledge of the data characteristics and its normal behavior [20]. In the case of having no a priori knowledge about the outliers ratio, the parameter $\nu$ can be used to evaluate the robustness of the techniques. A robust technique can achieve a high accuracy rate while keeping the false alarm rate low regardless of the increase or decrease of the parameter $\nu$. In the simulation, we have varied $\nu$ between 0.02 and 0.08 in intervals of 0.01. A receiver operating characteristics (ROC) curve is usually used to represent the trade-off between the detection rate and the false alarm rate. The larger the area under the ROC curve, the better the accuracy of the technique. Furthermore, after finding a robust outlier detection technique, a relatively reliable $\nu$ can be determined when the outlier detection technique achieves the best trade-off between the detection rate and the false alarm rate, which can be illustrated in the area under the ROC.

Fig. 8 shows the detection rate and the false alarm rate obtained by our online techniques EOOD, EAOD, SAOD as well as EBOD and SBOD offline techniques in the input space for the first synthetic data with ellipsoidal data distribution. We can see when data vectors have ellipsoidal data distribution, our ellipsoidal SVM-based techniques EOOD and EAOD achieve better detection accuracy and lower false alarm compared with spherical SVM-based SBOD and SAOD in presence of different $\nu$ parameters. Furthermore, our EOOD and EAOD perform better than EBOD.


Fig. 6. The small cluster of the Grand St. Bernard deployment [8].

Fig. 7. (left) Plot for labeled data based on Mahalanobis distance, (right) plot for labeled data based on density and (lower) plot for labeled data based on running average.


Fig. 8. (a) Detection rate in the input space for synthetic data of ellipsoidal data distribution and (b) false alarm rate in the input space for synthetic data of ellipsoidal data distribution. [Plots not reproduced; panel (a) plots DR (%) against Nu (ν) and panel (b) plots FPR (%) against Nu (ν), each with curves for EBOD, SBOD, EOOD, EAOD and SAOD.]

Fig. 9. (a) Detection rate in the input space for synthetic data of spherical data distribution and (b) false alarm rate in the input space for synthetic data of spherical data distribution. [Plots not reproduced; panel (a) plots DR (%) against Nu (ν) and panel (b) plots FPR (%) against Nu (ν), each with curves for EBOD, SBOD, EOOD, EAOD and SAOD.]

Fig. 10. (a) ROC curve in the input space for labeled data based on Mahalanobis distance and (b) detection rate in the input space for labeled data based on Mahalanobis distance. [Plots not reproduced; panel (a) plots DR (%) against FPR (%) and panel (b) plots DR (%) against Nu (ν), each with curves for EBOD, SBOD, EOOD, EAOD and SAOD.]


Fig. 11. (a) ROC curve in the input space for labeled data based on running average and (b) ROC curve in the input space for labeled data based on density. [Plots not reproduced; both panels plot DR (%) against FPR (%), with curves for EBOD, SBOD, EOOD, EAOD and SAOD.]

Fig. 9 shows the detection rate and the false alarm rate obtained by our online techniques EOOD, EAOD, SAOD as well as EBOD and SBOD offline techniques in the input space for the second synthetic data with spherical data distribution. We can clearly see when data vectors have spherical data distribution, our spherical SVM-based technique SAOD achieves better detection accuracy and lower false alarm compared with ellipsoidal SVM-based EOOD, EAOD and EBOD. Moreover, our SAOD performs better than SBOD. Furthermore, our EOOD and EAOD have better detection accuracy than EBOD.

Fig. 10 shows ROC curve and the detection rate obtained by our online techniques EOOD, EAOD, SAOD as well as EBOD and SBOD offline technique in the input space for the real dataset labeled by Mahalanobis distance. It can be seen that EOOD generates the highest detection rate and highest false alarm due to the fact that it does not update the normal profile, while the data distribution has changed. EAOD achieves the best accuracy with the highest detection accuracy and the lowest false alarm.

Fig. 11 shows ROC curve obtained by our online techniques EOOD, EAOD, SAOD as well as EBOD and SBOD offline techniques in the input space for the real dataset labeled by running average and density labeling techniques. The results show that accuracy of our EAOD is better than other techniques using both labeling techniques although it has not achieved good detection accuracy. EOOD still has the highest false alarm rate while generating high detection rate.

7. Performance evaluation

This section further analyzes accuracy results achieved in our simulation. The complexity of those techniques is also compared in terms of communication overhead, computation and memory complexity.

7.1. Accuracy analysis

For the data vectors which have ellipsoidal data distribution, EOOD and EAOD perform better than spherical SVM-based SBOD and SAOD. The good results of EOOD and EAOD stem from taking into account the correlation of data attributes and having better understanding of multivariate nature of data distribution. On the contrary, spherical SVM-based techniques ignore the correlation between data attributes and use a spherical boundary to fit the data. This results in low detection rate and high false alarm rate in case of non-spherical data distribution. Moreover, among ellipsoidal SVM-based techniques, our EOOD and EAOD perform better than EBOD due to the fact that they exchange essential ellipsoidal information, e.g., median and covariance matrix, with neighboring nodes for reliable outlier detection.

For the data vectors which have spherical data distribution, SAOD achieves better detection accuracy and lower false alarm compared with ellipsoidal SVM-based EOOD, EAOD and EBOD. This is because spherical SVM-based techniques assume that data vectors are distributed around the center of mass in an ideal spherical shape. Although ellipsoidal SVM-based techniques take into account correlation of data attributes, they do not perform as well as spherical SVM-based techniques for spherical data distribution. Moreover, among spherical SVM-based techniques, our SAOD performs better than SBOD since SAOD alleviates the influence of outliers by using median and median absolute deviation (MAD) and also exchanges this spherical information with neighboring nodes for reliable outlier detection.

For the real data, EAOD achieves the best accuracy with the highest detection accuracy and the lowest false alarm since it considers the correlation of data attributes as well as use of ellipsoidal information (median, covariance matrix) from neighboring nodes. On the contrary, EOOD generates the highest false alarm due to the fact that it does not update the normal profile, while the data distribution has changed. Therefore, EAOD performs best compared to other SVM-based techniques.

Furthermore, one should note that the hyperellipsoidal SVMs used in this paper generally suit multivariate data vectors with correlated data attributes. The direction of the formed ellipsoid reveals the multivariate nature of data distribution trend as well as the strength of the correlation between data attributes. For the data vectors with no strong data attribute correlation or with a data distribution of a skewed shape, a spherical SVM or a hyperplane-based SVM could be used to characterize the kind of data sets. Therefore, a good understanding of data distribution and correlation among data attributes is essential to model the normal behavior of data vectors and design a suitable outlier detection technique.

Table 3
Complexity analysis of five outlier detection techniques for each sensor node.

| Techniques | Communication complexity | Computational complexity | Memory complexity |
|---|---|---|---|
| EBOD | – | $O(kmd^2)$ | $O(md + m^2)$ |
| SBOD | $O(d)$ | $O(kmp)$ | $O(md + m^2)$ |
| EOOD | $O(d^2)$ | $O(md^2)$ | $O(md)$ |
| EAOD | $O(d^2)$ | $O(md^2)$ | $O(md)$ |
| SAOD | $O(d)$ | $O(mp)$ | $O(md)$ |

7.2. Complexity analysis

The communication complexity of our distributed techniques depends on the transmission of local hyper-ellipsoid radius information as well as the median and covariance matrix parameters. The communication overhead in EOOD for each node is $O(d^2)$, where d is the dimension of observations. Each node only transmits its local hyper-ellipsoid radius information as well as the median and covariance matrix once at the initial training phase. EAOD requires no update of radius information during online outlier detection and only possibly communicates the updated median, covariance matrix and radius information with nodes at the end of a sliding time window. The maximum communication overhead of EAOD for each node is approximately equal to $O(d^2)$.

The computational complexity in EOOD is related to computation of the median, the covariance matrix, the linear optimization function and the distance between every new observation and the origin. The computational complexity of our techniques mainly depends on solving a linear optimization problem, which is represented as $O(p)$, as well as computing covariance matrix, which is represented as $O(md^2)$. Hence, the maximum computational complexity of each node in EOOD and EAOD is $O(md^2)$, where m is the number of new observations to be classified. EBOD still needs to compute kernel matrix and the transformation of centered kernel function (especially for RBF kernel function), whose complexity is represented by $O(k)$. Thus the maximum computational complexity of EBOD for each node is $O(kmd^2)$.

The memory complexity of our techniques is mainly related to keeping observations of the size of sliding window in memory and is represented as $O(md)$, where d is the dimension of observations and m is the number of new observations to be classified. Overhead of storing other parameters such as covariance matrix with a complexity of $O(d^2)$ is negligible since m > d. Hence the maximum memory complexity of each node for our techniques is $O(md)$. Due to the fact that EBOD needs to keep $m \times m$ kernel function, its memory complexity of each node is $O(md + m^2)$. Table 3 summarizes these complexities.

8. Conclusion

In this paper we propose two distributed and online outlier detection techniques based on hyper-ellipsoid one-class SVM. We take into account data attribute correlation to precisely detect outliers. To cope with the problem of generating high false alarm rate, we also propose an updating strategy to incorporate new arrived observations and update the modeled hyper-ellipsoid SVM for more reliable outlier detection and detect changes of the normal behavior of sensor data. We compare performance of these two hyper-ellipsoid SVM-based techniques with our previously proposed quarter-sphere SVM-based technique as well as two existing batch SVM-based techniques using both synthetic and real datasets as well as different labeling techniques. Simulation results show that our EAOD achieves better detection accuracy and lower false alarm. It implies that understanding data distribution and correlation among data attributes is essential to design a suitable outlier detection technique. Our future research includes testing our EAOD using real datasets with variant data distributions and implementing EAOD on wireless sensor nodes in real-life.

Acknowledgment

This work is supported by the EU’s Seventh Framework Programme in the context of the SENSEI and GENESI projects.

References

[1] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cayirci, A survey onsensor networks, IEEE Communications Magazine 40 (2002) 102–114.

[2] C.F. Garcia-Hernandez, P.H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, J.A. Perez-Diaz, Wireless sensor networks andapplications: a survey, International Journal of Computer Scienceand Network Security 7 (2007) 264–273.

[3] T. Arampatzis, J. Lygeros, S. Manesis, A survey of applications ofwireless sensors and wireless sensor networks, in: Proceedings ofthe 13rd Mediterranean Conference on Control and Automation,Limassol, Cyprus 2005, pp. 719–724.

[4] V. Chandola, A. Banerjee, V. Kumar, Anomaly detection: a survey,ACM Computing Surveys 41 (2009) 1–58.

[5] Y. Zhang, N. Meratnia, P.J.M. Havinga, Outlier detection techniquesfor wireless sensor network: a survey, IEEE Communications Surveys& Tutorials 12 (2010) 159–170.

[6] P. Kelly, An Algorithm for Merging Hyperellipsodial Clusters,Technical report, Los Alamos National Laboratory, 1994.

[7] D. Wang, D.S. Yeung, E.C.C. Tsang, Structured one-class classification, IEEETransactions on System, Man and Cybernetics 36 (2006) 1283–1295.

[8] F. Ingelrest, G. Barrenetxea, G. Schaefer, M. Vetterli, O. Couach, M.Parlange, SensorScope: application-specific sensor network forenvironmental monitoring, ACM Transactions on Sensor Networks6 (2010) 1–32.

[9] S. Rajasegarar, C. Leckie, M. Palaniswami, J.C. Bezdek, Quarter spherebased distributed anomaly detection in wireless sensor networks, in:Proceedings of IEEE International Conference on Communications,Glasgow, 2007, pp. 3864–3869.

[10] S. Rajasegarar, C. Leckie, M. Palaniswami, CESVM: Centeredhyperellipsoidal support vector machine based anomaly detection,in: Proceedings of IEEE International Conference onCommunications, Beijing, China, 2008, pp. 1610–1614.

[11] B. Scholkopf, J. Platt, J. Shawe-Taylor, A.J. Smola, R.C. Williamson,Estimating the support of a high dimensional distribution, Journal ofNeural Computation 13 (2001) 1443–1471.

[12] D.M.J. Tax, R.P.W. Duin, Support vector data description, Journal ofMachine Learning 54 (2004) 45–56.

[13] C. Campbell, K.P. Bennett, A linear programming approach to noveltydetection, Advances in Neural Information Processing Systems 14(2001) 395–401.

ier detection in wireless sensor networks using ellipsoidal supportc.2012.11.001

Page 13: Ad Hoc Networks - fp7-genesi.di.uniroma1.itfp7-genesi.di.uniroma1.it/files/Distributed online outlier.pdf · one-class SVM-based outlier detection techniques to iden-tify outliers

Y. Zhang et al. / Ad Hoc Networks xxx (2012) xxx–xxx 13

[14] P. Laskov, C. Schafer, I. Kotenko, Intrusion detection in unlabeleddata with quarter sphere support vector machines, Detection ofIntrusions and Malware & Vulnerability Assessment (2004) 71–82.

[15] V.N. Vapnik, Statistical Learning Theory, John Wiley and Sons, 1998.

[16] G.H. Golub, C.F.V. Loan, Matrix Computations, John Hopkins, 1996.

[17] P.N. Tan, Knowledge discovery from sensor data, Sensors (2006).

[18] J. Han, M. Kamber, Data Mining: Concepts and Techniques, Morgan Kaufmann, San Francisco, 2006.

[19] K. Varmuza, P. Filzmoser, Introduction to Multivariate Statistical Analysis in Chemometrics, CRC Press, 2009.

[20] M. Davy, F. Desobry, A. Gretton, C. Doncarli, An online support vector machine for abnormal events detection, Journal of Signal Processing 8 (2006) 52–57.

[21] R.O. Duda, P.E. Hart, D.G. Stork, Pattern Classification, John Wiley and Sons, 2001.

[22] Y. Zhang, N. Meratnia, P.J.M. Havinga, Ensuring high sensor data quality through use of online outlier detection techniques, International Journal of Sensor Networks 7 (2010) 141–151.

[23] S. Rajasegarar, C. Leckie, J.C. Bezdek, M. Palaniswami, Centered hyperspherical and hyperellipsoidal one-class support vector machines for anomaly detection in sensor networks, IEEE Transactions on Information Forensics and Security 5 (2010) 518–533.

[24] S. Subramaniam, T. Palpanas, D. Papadopoulos, V. Kalogeraki and D. Gunopulos, Online outlier detection in sensor data using non-parametric models, Journal of Very Large Data Bases (2006).

[25] Y. Zhang, Observing the Unobservable – Distributed Online Outlier Detection in Wireless Sensor Networks, PhD thesis, University of Twente, The Netherlands, 2010.

[26] P.N. Tan, M. Steinback, V. Kumar, Introduction to Data Mining, Addison Wesley, 2006.

Yang Zhang is a postdoctoral researcher in the Pervasive Systems Group at the University of Twente in the Netherlands. He received the B.Sc. and M.Sc. degrees in Computer Science and Technology from the University of Jiangsu, China, in 2002 and 2004. Afterwards he obtained the second M.Sc. degree in Telematics and his Ph.D. degree in the area of outlier detection for wireless sensor networks from the University of Twente in 2006 and 2010. He has participated in a few European funded projects (EYES, e-SENSE, SENSEI) and is currently involved in the EU GENESI project. His research interests include distributed data processing, outlier detection and event detection in sensor networks.


Nirvana Meratnia is assistant professor in the Pervasive Systems Group at the University of Twente. After receiving her Ph.D. in 2005 on moving object data management, she joined the Computer Architecture for Embedded Systems (CAES) group and later on the Pervasive Systems (PS) group, as a researcher. Her research interests are in the area of distributed data management/data mining and reasoning in wireless sensor networks, ambient intelligence, context-awareness, smart and collaborative objects. She has been involved in a number of EU (i.e., e-SENSE, CoBIs, and Embedded WiSeNts) and Dutch (i.e., Smart Surroundings) projects focusing on ambient intelligence, collaborative smart objects, and distributed data processing and reasoning in wireless sensor networks.

Paul J.M. Havinga is full professor and chair of the Pervasive Systems research group at the Computer Science department at the University of Twente in the Netherlands. He received his Ph.D. at the University of Twente on the thesis entitled "Mobile Multimedia Systems" in 2000, and was awarded with the 'DOW Dissertation Energy Award' for this work. He has a broad background in various aspects of communication systems: on wireless communication, on chip-area network architectures for handheld devices, on ATM network switching, mobile multimedia systems, QoS over wireless networks, reconfigurable computing, and on interconnection architectures for multiprocessor systems. His research themes have focused on wireless sensor networks, large-scale distributed systems, and energy-efficient wireless communication.
