| With the booming growth of database, internet networks and other kinds of information technologies, there is a growing need for turning the collected data into useful information and knowledge. As a result, data mining has attracted a great deal of attention. Data mining helps to discover hidden knowledge from volumes of data, so that we could have a thorough comprehension of the data and make right decisions. Furthermore, the mining of sequential data, especially the detection of anomalies in sequences is an important data mining issue with broad applications.A good anomaly detecting algorithms could be validated in many fields, such as finance, physics and internet networks. However, the existing algorithms of anomaly detection subject to high false alarm rates and low detection rates. Thus, it is valuable to develop new algorithms to slove the anomaly detection problems in other effective ways.This thesis briefly introduces the work in the field of data mining, especially the research on the anomaly detection in time series in the first place. The formal notations of intrinsic subsequences and intrinsic trend subsequences are first proposed in this work. Then, some algorithms based on the definitions of intrinsic subsequences and intrinsic trend subsequences are developed to solve the problems of anomaly detection in sequence. The experiment results demonstrate the utility and efficiency of this approach. And the main contributions of our work are listed as follows:Firstly, considering the intrinsic nature of the sequences of Windows Native API and network connections, the original definition of intrinsic subsequence and the idea of decomposition of sequence are introduced in this paper, which could be validated in diverse domains. An intrinsic subsequence is the longest subsequence whose subsequences appear the same times in the sequence. An intrinsic subsequence means that all items in it are always present together as a whole in sequence. They could not be separated from each other because of the strong integrity of the intrinsic subsequence.In fact, such definition of intrinsic subsequence is significant in the sequence of system calls of a system process. When a process is running, some operations are executed in certain order in system calls. If an operation is executed in the process, the corresponding subsequence will appear in the sequence of system calls of the process. Such subsequence is considered as an intrinsic subsequence in the system call sequence. And then we demonstrate the utility and efficiency of our new approach on the data sets of intrusions on both Linux and Windows operating systems.2. Considering the peculiarity of the ECG sequence, the formal notation of intrinsic trend susbequence is proposed for the first time. An intrinsic trend subsequence is the subsequence that all items have similar transformation trend. Actually, the definition of intrinsic trend subsequence is significant in ECG signals. In the continuous ECG sequence, there is a nearly stable transform trend in a small range. The data in this stable transform trend range have similar transform characteristic. And they are nearly stable compared to the data out of this range. Therefore, the subsequence with stable transform trend is considered as an intrinsic trend subsequence. As the jump change of data always shows a changing situation in the activity of heart muscle, the stable segment also represents a stable stage in heart activities. Thus, the definition of intrinsic trend subsequence exactly coincides with the stable activity of heart muscle. Finally, we demonstrate the utility and effciency of our new approach on the data sets of the MIT-BIH Arrhythmia database, European ST-T database, QT database and BIDMC Congestive Heart Failure database. |
PDF Full Text Request