{"title":"Anomaly Detection using Clustered Deep One-Class Classification","authors":"Younghwan Kim, H. Kim","doi":"10.1109/AsiaJCIS50894.2020.00034","DOIUrl":null,"url":null,"abstract":"Anomalies on Cyber-Physical System (CPS) can have a devastating effect on the entire system of complex CPS. Thus, it is important to detect anomalies quickly. Since CPS can collect sensor data in near real-time throughout the process, many attempts have been made to solve this problem from the perspective of data-driven security based on the collected data. However, since the CPS datasets are big data and most of the data are normal data, it has always been a great challenge to analyze the data and implement the anomaly detection model. In this paper, we propose and evaluate the Clustered Deep One-Class Classification (CD-OCC) model that combines the clustering algorithm and deep learning (DL) models using only a normal dataset for anomaly detection. We classify normal data into optimal cluster size using the K-means clustering algorithm. DL models train to classify each cluster based on clustered normal data, and we can obtain the softmax values in the process of predicting the cluster. We use the softmax values as a dataset with distilled knowledge of the DL model for anomaly detection. We transfer the softmax values to one-class classification (OCC) models to detect anomalies. 
As a result of the experiment, the F1-score of the proposed model shows performance close to 0.8 and performance improvement of about 0.5 compared to the encoded OCC model, which has reduced-dimensionality through auto-encoder as well as the basic OCC model.","PeriodicalId":247481,"journal":{"name":"2020 15th Asia Joint Conference on Information Security (AsiaJCIS)","volume":"43 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 15th Asia Joint Conference on Information Security (AsiaJCIS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/AsiaJCIS50894.2020.00034","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 3
Abstract
Anomalies in a Cyber-Physical System (CPS) can have a devastating effect on the entire system of a complex CPS. Thus, it is important to detect anomalies quickly. Since a CPS can collect sensor data in near real time throughout the process, many attempts have been made to solve this problem from the perspective of data-driven security based on the collected data. However, since CPS datasets are big data and most of the data are normal, it has always been a great challenge to analyze the data and implement an anomaly detection model. In this paper, we propose and evaluate the Clustered Deep One-Class Classification (CD-OCC) model, which combines a clustering algorithm and deep learning (DL) models and uses only a normal dataset for anomaly detection. We classify normal data into an optimal cluster size using the K-means clustering algorithm. The DL models are trained to classify each cluster based on the clustered normal data, and we obtain the softmax values in the process of predicting the cluster. We use the softmax values as a dataset carrying the distilled knowledge of the DL model for anomaly detection, and transfer them to one-class classification (OCC) models to detect anomalies. In the experiment, the F1-score of the proposed model is close to 0.8, a performance improvement of about 0.5 compared to the encoded OCC model, whose dimensionality is reduced through an auto-encoder, as well as the basic OCC model.