School of Computing and Information Systems (CIS) The University of Melbourne COMP90073
Security Analytics
Tutorial exercises: Week 7
1. Give example of 2 applications that it is better to use adaptive window over sliding window in data stream anomaly detection. Justify your answer.
Copyright By PowCoder代写 加微信 powcoder
2. We used the following example to explain the step by step iLOF’s measurements update. We included point 11 in reachdist update (Figure 1) but not in lrd update (Figure 2). Explain why, given k=2.
Figure 1: reachdist update
Figure 2: lrd update
Solution: We update lrd value of point p if
• The k-neighbourhood of the point p changes,
• Reachdist from point p to one of its k-neighbours changes.
3. In iLOF deleting a point pi from the existing dataset always increases the k- distances of Rk-NN of pi. Justify the reason.
See lecture notes
4. InwhatcaseperformanceofMiLOFresemblestoiLOF?
Solution: As the width of the summarization bucket/window decreases, MiLOF begins to resemble iLOF, and in the limit (when there is no historical retention by summarization), MiLOF reduces to iLOF.
its dual formulation.
5. InthelecturewesawhowwecanderiveSVDD’sdualformulationfromits primal formulation. Now given OCSVM’s primal formulation as below, derive
min ‖𝑤𝑤‖2+ �𝜉𝜉−𝜌𝜌
𝑤𝑤,𝜉𝜉𝑖𝑖,𝜌𝜌 2 𝜈𝜈𝜈𝜈 𝑖𝑖=1 𝑖𝑖
𝑖𝑖 s.t. 𝑖𝑖
�𝑤𝑤 ⋅ 𝜙𝜙(𝑥𝑥 )� ≥ 𝜌𝜌 − 𝜉𝜉 , ∀ 𝑖𝑖 = 1, … , 𝜈𝜈
𝜉𝜉𝑖𝑖 ≥ 0, ∀ 𝑖𝑖 = 1, … , 𝜈𝜈 𝑛𝑛𝑛𝑛𝑛𝑛
𝐿𝐿(w,ρ,𝝃𝝃,𝜶𝜶,𝜸𝜸)=2𝑤𝑤𝑇𝑇𝑤𝑤+𝜈𝜈𝜈𝜈�𝜉𝜉𝑖𝑖 −𝜌𝜌−�𝛼𝛼𝑖𝑖(𝑤𝑤𝑇𝑇𝜙𝜙(𝑥𝑥𝑖𝑖)+𝜌𝜌+𝜉𝜉𝑖𝑖)−�𝛾𝛾𝑖𝑖𝜉𝜉𝑖𝑖
𝑖𝑖=1 𝑖𝑖=1 𝑖𝑖=1 • 𝜕𝜕𝜕𝜕 =𝑤𝑤−∑𝑛𝑛𝑖𝑖=1𝛼𝛼𝑖𝑖𝜙𝜙(𝑥𝑥𝑖𝑖)=0 𝑤𝑤=∑𝑛𝑛𝑖𝑖=1𝛼𝛼𝑖𝑖𝜙𝜙(𝑥𝑥𝑖𝑖)
• 𝜕𝜕𝑤𝑤 =−1−∑ 𝛼𝛼 =0 ∑ 𝛼𝛼 =−1 𝜕𝜕𝜕𝜕 𝑛𝑛𝑖𝑖=1 𝑖𝑖 𝑛𝑛𝑖𝑖=1 𝑖𝑖
• 𝜕𝜕𝜌𝜌= −𝛼𝛼−𝛾𝛾=0 =𝛼𝛼+𝛾𝛾 𝜕𝜕𝜕𝜕 1 𝑖𝑖 𝑖𝑖 1 𝑖𝑖 𝑖𝑖
𝜕𝜕𝜉𝜉𝑖𝑖𝜈𝜈𝑛𝑛11𝑛𝑛 𝑛𝑛𝜈𝜈𝑛𝑛 𝑛𝑛𝑛𝑛 𝑛𝑛 𝐿𝐿(w,ρ,𝝃𝝃,𝜶𝜶,𝜸𝜸)=2𝑤𝑤𝑇𝑇𝑤𝑤+𝜈𝜈𝜈𝜈�𝜉𝜉𝑖𝑖 −𝜌𝜌−�𝛼𝛼𝑖𝑖𝑤𝑤𝑇𝑇𝜙𝜙(𝑥𝑥𝑖𝑖)−𝜌𝜌�𝛼𝛼𝑖𝑖 −�𝛼𝛼𝑖𝑖𝜉𝜉𝑖𝑖 −�𝛾𝛾𝑖𝑖𝜉𝜉𝑖𝑖
1 1𝑛𝑛 𝑖𝑖=1 𝑛𝑛 𝑖𝑖=1 𝑛𝑛 𝑖𝑖=1𝑛𝑛 𝑖𝑖=1 𝑖𝑖=1 =2𝑤𝑤𝑇𝑇𝑤𝑤+𝜈𝜈𝜈𝜈�𝜉𝜉𝑖𝑖 −𝜌𝜌−�𝛼𝛼𝑖𝑖𝑤𝑤𝑇𝑇𝜙𝜙(𝑥𝑥𝑖𝑖)−𝜌𝜌�𝛼𝛼𝑖𝑖 −�𝛼𝛼𝑖𝑖(𝜉𝜉𝑖𝑖 +𝛾𝛾𝑖𝑖)
𝑖𝑖=1 𝑖𝑖=1 𝑖𝑖=1 11𝑛𝑛𝑛𝑛𝑛𝑛1𝑛𝑛
𝑖𝑖=1 =2𝑤𝑤𝑇𝑇𝑤𝑤+𝜈𝜈𝜈𝜈�𝜉𝜉𝑖𝑖 −𝜌𝜌−�𝛼𝛼𝑖𝑖𝑤𝑤𝑇𝑇𝜙𝜙(𝑥𝑥𝑖𝑖)−𝜌𝜌�𝛼𝛼𝑖𝑖 −𝜈𝜈𝜈𝜈�𝜉𝜉𝑖𝑖
1𝑖𝑖=1 𝑖𝑖=1 𝑖𝑖=1 𝑖𝑖=1 𝑛𝑛𝑛𝑛
= 2 𝑤𝑤 𝑇𝑇 𝑤𝑤12 − 𝜌𝜌 − � 𝛼𝛼 𝑖𝑖 𝑤𝑤 𝑇𝑇 𝜙𝜙 ( 𝑥𝑥 𝑖𝑖 ) − 𝜌𝜌 � 𝛼𝛼 𝑖𝑖 𝑖𝑖=1 𝑛𝑛 𝑖𝑖=1
= 𝑤𝑤𝑇𝑇𝑤𝑤12−𝜌𝜌−𝑤𝑤𝑇𝑇𝑤𝑤−𝜌𝜌�𝛼𝛼𝑖𝑖 𝑛𝑛 𝑖𝑖=1
=− 𝑤𝑤𝑇𝑇𝑤𝑤−𝜌𝜌−𝜌𝜌�𝛼𝛼𝑖𝑖 𝑖𝑖=1
= − 12 𝑤𝑤 𝑇𝑇 𝑤𝑤 − 𝜌𝜌 + 𝜌𝜌
= − 12 𝑤𝑤 𝑇𝑇 𝑤𝑤
argmin ∑𝑛𝑛𝑖𝑖=1 ∑𝑛𝑛𝑗𝑗=1 𝛼𝛼𝑖𝑖 𝛼𝛼𝑗𝑗 𝑘𝑘(𝑥𝑥𝑖𝑖 , 𝑥𝑥𝑗𝑗 )
s.t.𝛼𝛼 0≤𝛼𝛼𝑖𝑖≤1, ∑𝑛𝑛𝑖𝑖=1𝛼𝛼𝑖𝑖=1 𝜈𝜈𝑛𝑛
6. UseOneClassSVMinSplunktoperformunsupervisedoutlierdetection. Some useful information regarding the parameters: https://scikit- learn.org/stable/modules/generated/sklearn.svm.OneClassSVM.html
7. YoumayuseLIBSVM(https://www.csie.ntu.edu.tw/~cjlin/libsvm/)forthe following exercises. The web page provides the necessary information for parameter tuning.
Download the KDDCUP data set from the UCI Machine Learning Repository https://archive.ics.uci.edu/ml/datasets/kdd+cup+1999+data
a. UseSVDDandOCSVMtoidentifytheattacks.
b. Howmanydatapointsarecommonamongtheidentifiedanomalies
using different methods?
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com