RoSAS: Deep Semi-supervised Anomaly Detection with Contamination-resilient Continuous Supervision

Traditional unsupervised anomaly detection identifies anomalies according to different data characteristics like proximity and probability (Bandaragoda et al., 2018; Li et al., 2020; Liu et al., 2008). The burgeoning of deep learning has fueled a plethora of deep anomaly detectors. In this research line, many studies (Ding et al., 2019; Gong et al., 2019; Lv et al., 2023; Xu et al., 2019; Zhang et al., 2019) train Autoencoders or generative adversarial networks to reconstruct/generate the original inputs. Self-supervised methods (Golan & El-Yaniv, 2018; Shenkar & Wolf, 2022; Xu et al., 2023b) define data-driven supervision and proxy tasks. These methods essentially learn intrinsic patterns of training data that are dominated by normal data, and loss values are directly used to estimate abnormal degrees during inference. In addition, some studies enhance traditional models by harnessing the strong representation capability of deep learning. Deep SVDD (Ruff et al., 2018) is based on support vector data description (Tax & Duin, 2004), and DIF (Xu et al., 2023a) enhances the isolation process of (Liu et al., 2008) by proposing deep representation ensemble. Basic insights in mainstream deep anomaly detectors can be also achieved via non-deep models. The literature (Xu et al., 2021b) uses tree models to realize the reconstruction pipeline. Although these unsupervised methods are intuitive and practical, without knowing real anomalies, they often lead to many false alarms which may overwhelm anomalies of real interest.

In contrast, relatively few studies consider semi-supervised anomaly detection utilizing limited anomaly examples. In this category, we also review the related literature that uses both labeled normal data and labeled anomalies since they can also work under this scenario by treating unlabeled data as normal.

The study (Zhang et al., 2018b) employs canonical clustering to divide labeled anomalies into $k$ clusters and detect anomalies by a ($k$+1)-class classifier. Non-deep unsupervised anomaly detection methods can be also enhanced to leverage weak incomplete supervision. Barbariol & Susto (2022) extend ensemble-based isolation forest (Liu et al., 2008) by leveraging supervision information to filter ensemble members, which improves detection performance and simultaneously reduces computational costs.

This incomplete supervision can be also leveraged in deep models to learn a good representation. Some methods map input data to a representation space and explicitly impose specific criteria such as triplet loss (Pang et al., 2018) and anomaly-informed one-class loss (Ruff et al., 2020) upon the representation. They further employ distance-based anomaly scoring protocols upon this learned representation space. Besides, data representations can be also implicitly learned via Autoencoders or generative adversarial networks. Huang et al. (2020) propose a novel encoder-decoder-encoder structure. It modifies the reconstruction loss to force the network to reconstruct labeled anomalies to pre-defined noises. Bidirectional GAN is used in (Tian et al., 2022), in which labeled anomalies are used to learn a probability distribution, and the distribution can assign low-density values to labeled anomalies. These methods are indirectly optimized to yield abnormal degrees of data samples, and anomaly scores can be only obtained in an isolated manner.

Some advanced deep approaches are in an end-to-end fashion to directly optimize the produced anomaly scores. The pioneering work in this research line (Pang et al., 2019, 2021a) assumes anomaly scores of normal data follow a Gaussian distribution and yield the reference score. It further employs the z-score function to define the deviation loss to ensure anomaly scores of labeled anomalies significantly deviate from the reference. An Autoencoder is added to the above framework in (Zhou et al., 2021). In addition to a deviation loss imposed on the derived anomaly scores, the reconstruction error of labeled anomalies is optimized to be as larger as a pre-defined margin. By defining the ordinal target of paired data samples, Pang et al. (2019) use mean absolute error to optimize anomaly scores. The cross-entropy loss is used in (Ding et al., 2022) to classify labeled anomalies, transferred pseudo anomalies, and latent residual anomalies from unlabeled data.

It is also noteworthy that, except for tabular data or images, related studies also consider this semi-supervised learning paradigm of anomaly detection in graph data (Ding et al., 2021; Dou et al., 2020; Zhou et al., 2022) and time series (Carmona et al., 2022; Huang et al., 2022).

We below introduce a general framework of deep semi-supervised anomaly detection, and this framework can well cover representative existing models (Carmona et al., 2022; Pang et al., 2018, 2019, 2021a, 2023; Ruff et al., 2020; Wu et al., 2021; Zhou et al., 2021) and summarize their limitations.

We first define the network structure of the framework. Let $f:\mathcal{X}\mapsto\mathbb{R}$ represent the network that outputs anomaly scores given the input data $\mathcal{X}$. The whole procedure can be divided into a feature representation module $\phi:\mathcal{X}\mapsto\mathbb{R}^{H}$ and an anomaly scoring module $\psi:\mathbb{R}^{H}\mapsto\mathbb{R}$. Feature representation module $\phi$ aims to map $\mathcal{X}$ into a feature space with dimensionality $H$. Anomaly scoring module $\psi$ outputs final anomaly scores based on the intermediate representation. Anomaly detection network $f$ is denoted as:

where $\Theta_{\phi}$ and $\Theta_{\psi}$ are network parameters in $\phi$ and $\psi$.

We then define a general learning objective. Under the semi-supervised setting, each data sample in the training set can be assigned a target. Let $\mathcal{D}=\{(\mathbf{x},y)\in\mathcal{X}\times\mathcal{Y}\}$ with $\mathcal{Y}=\{y^{+},y^{-}\}$ be a set of training samples, where $y^{+}$ denotes labeled anomalies and $y^{-}$ denotes unlabeled data. Although most of $(\mathbf{x},y^{-})$ are genuine normal samples, there are still some unlabeled anomalies that are wrongly assigned $y^{-}$. Data augmentation techniques can be also used to obtain a new training set $\tilde{\mathcal{D}}=\{(\tilde{\mathbf{x}},\tilde{y})\}$. A general objective function is defined as follows:

The above equation can be interpreted as the optimization of the representation $\phi(\cdot)$ and/or the final anomaly scores $\psi(\phi(\cdot))$ by using supervision signals provided by original data $\mathcal{D}$ and/or augmented data $\tilde{\mathcal{D}}$.

As for the network structure in Eqn (1), different network structures are used according to data types and data characteristics, e.g., multi-layer perceptron net is used for multi-dimensional tabular data (Pang et al., 2018, 2019, 2021a, 2023; Wu et al., 2021; Zhou et al., 2021), convolutional net is used for image data (Ruff et al., 2020), and temporal net is used for time series (Carmona et al., 2022).

The proposed objective function Eqn. (2) can well cover existing deep semi-supervised anomaly detectors by specifying each of its terms, as shown in Table 1. We below explain their instantiation method in detail.

• 1.

  Deep SAD (Ruff et al., 2020) defines $\mathcal{L}^{\prime}_{D}$. Upon the representation space, labeled anomalies are repulsed to be distant to a pre-defined center $\mathbf{c}$ as far as possible, and unlabeled data are expected to be included in a compact hypersphere with the minimum volume taking $\mathbf{c}$ as the center.

• 2.

  FeaWAD (Zhou et al., 2021) first instantiates $\mathcal{L}_{D}$. It is optimized to enlarge anomaly scores of labeled anomalies to a pre-defined margin $e$ and maps scores of unlabeled data to zero. $\mathcal{L}^{\prime}_{D}$ is further instantiated by a reconstruction loss with the help of an Autoencoder structure.

• 3.

  DevNet (Pang et al., 2019, 2021a) specifies $\mathcal{L}_{D}$. It proposes a z-score-based deviation function by assuming a pre-defined Gaussian prior of anomaly scores and sampling reference scores $\mu$ and standard deviation values $\sigma$ from this distribution.

• 4.

  PReNet (Pang et al., 2023) specifies $\mathcal{L}_{\tilde{D}}$ as Mean Absolute Error (MAE) between the scores of concatenated pairs (anomaly-unlabeled, anomaly-anomaly, and unlabeled-unlabeled) and pre-defined ordinal regression targets ($e_{1}$, $e_{2}$, and $e_{3}$).

REPEN (Pang et al., 2018) and NCAD (Carmona et al., 2022) also repulse labeled anomalies upon the representation space, as has been done in Deep SAD. PLSD (Wu et al., 2021) is similar to PReNet by replacing MAE loss with cross-entropy loss. Therefore, these methods are omitted in Table 1.

By looking into Table 1, we perceive two key gaps in these existing approaches, i.e., robustness w.r.t. contamination and continuous supervision of optimization.

RoSAS first produces new augmented data samples with controllable and reliable abnormal degrees via the mass interpolation method. Compared to directly using contaminated discrete targets, RoSAS can optimize anomaly scores as a regression problem with faithful continuous targets.

Specifically, based on the original mini-batch data $\mathcal{B}=\{(\mathbf{x},y)\}$ with $y=1$ for labeled anomalies and $y=-1$ for unlabeled data, RoSAS creates a novel mini-batch $\tilde{\mathcal{B}}$ of augmented data samples by the mass interpolation. These augmented data samples are synthesized as a weighted summation of $k$ original data samples. Different weights of candidates $\{\lambda_{1},\cdots,\lambda_{k}\}$ produce continuous targets in new supervision. $\tilde{\mathcal{B}}$ is defined as follows.

where $\sum_{i=1}^{k}\lambda_{i}=1$, $\{(\mathbf{x}_{i},y_{i})\}_{i=1}^{k}\subset\mathcal{B}$, and $\lambda_{i}$ is sampled from a continuous distribution.

As for the distribution of $\lambda$, inspired by (Zhang et al., 2018a), RoSAS uses Beta distribution, i.e., $\lambda\sim Beta(\alpha,\alpha)$. It is because adjusting distribution parameter $\alpha$ can produce different types of weights, e.g., a uniform distribution when $\alpha=1$ or an approximate truncated normal distribution when $\alpha$ is a larger value. If $\alpha>1$, interpolation weights will centralize around 0.5, and some noisy labels might be produced (e.g., mixing two anomalies may yield a new sample in the normal manifold, but an anomalous label is given to this new sample). This is also known as “manifold intrusion” (Guo et al., 2019). To tackle this problem, we use $\alpha=0.5$ by default. In doing so, interpolation weights are more likely to be slightly larger/smaller than 0/1, which makes the interpolation located in the local regions of the original samples. Thus, these possible noisy labels can be reduced or eliminated.

The loss function $L$ measures the empirical risks of derived anomaly scores of augmented samples compared to the continuous targets. Additionally, we add a consistency term to measure the difference between each augmented sample’s anomaly score and the weighted summation of their original data instances’ anomaly scores using the same interpolation weights. This consistency learning is to encourage the network to produce smoother anomaly scores, thus better describing abnormal degrees. Therefore, $L$ is finally defined as:

where $\{\mathbf{x}_{i}\}_{i=1}^{k}$ is the original data samples when creating $\tilde{\mathbf{x}}$ as defined in Eqn. (3), and $\ell(\cdot,\cdot)$ is a base regression loss.

The loss function $L$ not only fulfills continuous optimization but can tolerate anomaly contamination. The unlabeled set is still dominated by genuine normal data because of the rarity of anomalies. The contaminated area can be calibrated via new data samples that are augmented from a group of data with correct labels. Even if these noisy unlabeled anomalies are sampled in Eqn. (3), they are likely to be combined with labeled anomalies or real normal data. That is, the generation process of augmented data samples also dilutes the anomaly contamination in a simple yet effective manner. Therefore, RoSAS is more robust w.r.t. anomaly contamination.

The feature representation module $\phi:\mathcal{X}\mapsto\mathbb{R}^{H}$ maps input data into a new feature space. We further define a new loss term ${L}^{\prime}$ upon this intermediate representation space, which serves as a new optimization constraint to regularize the network and further enhance the robustness.

To fully leverage these labeled anomalies, $L^{\prime}$ is designed to learn a feature representation that can effectively repulse these labeled anomaly examples from unlabeled data (the majority of unlabeled data is normal). Let $\mathbf{q}$ be an anchor data object, and we utilize the difference between the deviation of unlabeled-anchor and anomaly-anchor pairs to measure the separability of labeled anomalies, which is defined as follows.

where $d(\cdot,\phi(\mathbf{q}))$ indicates the deviation given the anchor data, and $e$ is a margin. Different distance functions or similarity measures can be used. Considering the simplicity, we employ Euclidean distance here. $\mathcal{B}_{U}$ and $\mathcal{B}_{A}$ are unlabeled data and labeled anomalies in mini-batch $\mathcal{B}$. In practical implementation, a mini-batch of anchor data is sampled from the unlabeled set along with mini-batch $\mathcal{B}$, i.e., $\mathbf{q}\in\mathcal{B}_{q},\mathcal{B}_{q}\subset\mathcal{X}_{u}$. Anchor data can also be determined as representative normal prototypes if labeled normal data are available.

It is noteworthy that ${L}^{\prime}$ uses a relative and soft manner to judge whether these labeled anomalies are effectively separated by introducing a reference divergence degree $d(\phi(\mathbf{x}^{-}),\phi(\mathbf{q}))$ between unlabeled data and anchor data. It avoids blindly enlarging $d(\phi(\mathbf{x}^{+}),\phi(\mathbf{q}))$, i.e., the anomalies that have been successfully deviated are no longer required to be optimized; thus, the optimizer can focus on true errors. On the other hand, even if unlabeled anomalies are wrongly identified as anchor data $\mathbf{q}$ or $\mathbf{x}^{-}$ in Eqn. 5, this function can still work to isolate labeled anomalies.

Instead of setting a fixed weight, the loss term ${L}$ and the regularizer ${L}^{\prime}$ are assembled via dynamic weight averaging (Liu et al., 2019), i.e.,

where $w$ is defined according to the optimization pace (loss descending rate) of ${L}$ and ${L}^{\prime}$. $w$ is defined as follows.

where $\bar{L}$ and $\bar{L}^{\prime}$ are the average loss of the last training epoch, and $T$ is the temperature as used in the softmax function.

Algorithm 1 presents the training procedure of RoSAS. Step 1 initializes the loss terms for the subsequent dynamic weight averaging. For each training batch, a mini-batch of known anomalies $\mathcal{B}_{a}$ of size $b$ is sampled from $\mathcal{X}_{A}$, $2b$ data objects are sampled from $\mathcal{X}_{U}$ as mini-batch $\mathcal{B}_{u}$ and anchor $\mathcal{B}_{q}$ in Steps 4-5. Step 6 creates a mini-batch of augmented data. The scoring loss and the regularization term are computed in Steps 7-8. Dynamic weights are adjusted in Step 9. Step 10 performs back propagation to optimize the network parameters w.r.t. the loss $wL+(1-w)L^{\prime}$. Step 12 updates the average losses.

The computation of loss term ${L}$ and ${L}^{\prime}$ has an overall time complexity of $O(n\_epoch*n\_batch*b*H)$, where $H$ is the representation dimension. The time complexity of RoSAS also depends on the network structure. We take a multi-layer perceptron network with $u$-hidden layer as an example, the feed-forward propagation incurs $O(n\_epoch*n\_batch*b*(Dh_{1}+h_{1}h_{2}+\dots+h_{u}*1))$, where $h_{i}$ is the number of hidden units in the $i$-th hidden layer.

This experiment evaluates the robustness of RoSAS w.r.t. different anomaly contamination ratios (i.e., the proportion of anomalies in the unlabeled set $\mathcal{X}_{U}$). As anomalies are rare events in practical scenarios, we vary the contamination level from 0% up to 8%, and all the contamination levels use 30 random true anomalies as labeled data.

Figure 4 (a) shows the AUC-PR results on all the eleven real-world datasets with varying anomaly contamination levels. Anomaly detection performance generally decreases when the contamination level increases. Nevertheless, in the vast majority of cases, RoSAS is more robust than the competitors. It is noteworthy that, in some datasets (e.g., DoH, PortScan, and Pendigits), most anomaly detectors are stable when increasing the contamination rate. It might be because the increased anomalies are isolated data samples, and anomaly detection models can easily filter the interference. The competitors can also obtain very competitive performance on these datasets. However, in complicated datasets like Exploit, Backdoor, Thyroid, and Fraud, these anomalies that are hidden in the unlabeled set greatly blur the boundary between normal data and anomalies. RoSAS can consistently obtain better performance than the competitors in challenging noisy environments with high contamination levels.

This experiment estimates the data efficacy of different numbers of labeled anomalies in terms of the value they bring to semi-supervised anomaly detection. In other words, this experiment examines whether RoSAS achieves more significant performance improvement than its competing methods when more labeled anomalies are available. The number of labeled anomalies is increased from 10 to 90, and the contamination level is maintained at 2%.

Figure 4 (b) shows the AUC-PR results of RoSAS and its contenders w.r.t varying numbers of labeled anomalies. Semi-supervised anomaly detectors generally perform better when more labeled anomalies are accessible. However, this law is not always true in practice. Some anomaly detectors also present fluctuation trends on some datasets. These increased labeled anomalies may have heterogeneous behaviors and carry conflicting information which imposes negative effects on anomaly detectors, as has been explained in (Pang et al., 2019). By contrast, our method obtains more stable and superior performance by fully utilizing limited labeled anomalies. It is noteworthy that some detectors also do not perform better when more labeled anomalies are available. It might be because these increased labeled anomalies have very similar behaviors and fail to bring useful information related to the anomaly distribution.

This experiment evaluates the scalability of RoSAS. Nine datasets are created with the same data size (i.e., 5,000) and dimensionality increasing in multiples of 2 from 16 to 4,096. Another nine datasets are generated with varying data sizes increasing from 4,000 to 1,024,000 with fixed dimensions (i.e., 128). For the sake of comparison fairness, we employ deep semi-supervised anomaly detection methods (i.e., PReNet, DevNet, FeaWAD, DSAD, TSS, and BiGAN) as counterparts in this experiment. We use the same training configuration for these methods including the size of mini-batches (32) and the number of mini-batches per training epoch (20). We report the execution time including the training time of 10 epochs and the inference time. Scalability test results are reported in Figure 5. RoSAS and its counterparts can efficiently handle high-dimensional data thanks to the parallel accelerators in the mini-batch calculation of GPU. RoSAS only takes less than 10 seconds when handling 4,096-dimensional data. In terms of the scale-up test w.r.t. data size, RoSAS, DSAD, and TSS have comparably good efficiency. In comparison, FeaWAD and PReNet have complicated network structures that lead to significantly increased execution time. RoSAS uses about 20 seconds to handle the dataset containing 1,024,000 data samples.

This experiment is to validate the contribution of key designs in RoSAS. We set five ablated versions. The changes in these variants are introduced as follows, and other parts are the same as RoSAS.

• 1.

  $L$$\rightarrow$$L_{dis}$ discretizes the generated continuous supervision targets used in the anomaly scoring loss function $L$.

• 2.

  $L$$\rightarrow$$L_{dev}$ uses state-of-the-art anomaly scoring loss function used in DevNet (Pang et al., 2019, 2021a) to replace $L$.

• 3.

  $L$$\rightarrow$$L_{reg}$ uses a bare regression loss function used in RoSAS (i.e., smooth-$\ell_{1}$ loss) to replace $L$.

• 4.

  w/o $L^{\prime}$ removes the feature learning-based regularizer $L^{\prime}$.

• 5.

  w/o $L_{c}$ removes the consistency learning part in $L$.

The first three variants ($L$$\rightarrow$$L_{dis}$, $L$$\rightarrow$$L_{dev}$, and $L$$\rightarrow$$L_{reg}$) only take discrete supervision information to optimize anomaly scores, which are used to verify the significance of continuous supervision-guided anomaly score optimization. The ablated variants w/o $L^{\prime}$ and w/o $L_{c}$ measure the contributions of the feature learning-based regularization $L^{\prime}$ and the consistency constraint in $L$.

The AUC-PR performance of RoSAS and its five ablated variants is shown in Table 4. RoSAS significantly outperforms its three ablated versions $L$$\rightarrow$$L_{dis}$, $L$$\rightarrow$$L_{dev}$, and $L$$\rightarrow$$L_{reg}$ at 98% confidence level. More than 7% average improvement rate is achieved. These three variants use various objectives with only discrete supervision information. This comparison result validates the significance of using continuous supervision signals in anomaly score optimization. Anomalies are with various abnormal degrees, and anomaly scores naturally take on a continuous distribution. It is hard for discrete supervision information to accurately describe such consecutive trends in continuous distribution, resulting in suboptimal optimization of anomaly scores in these real-world datasets. Our work reveals this significant limitation in current anomaly detection studies and devises a simple but effective solution. On the other hand, RoSAS outperforms w/o $L^{\prime}$ by 8% and at 85% confidence level, which verifies the complementary robustness enhancement effect brought by the feature learning-based regularization. Compared to w/o $L_{c}$, the average improvement is above 2% and the confidence interval is 98%, which quantitatively measures the contribution of the consistency learning in producing smoother anomaly scores.

We investigate the influence of different settings of key hyper-parameters in RoSAS, i.e., $\alpha$ in the Beta distribution, $k$ in the mass interpolation, $e$ in the regularizer, and the intermediate representation dimension $H$. These hyper-parameters are tuned in turn and other parameters are kept the same as previously reported. RoSAS is performed 10 times on each hyper-parameter setting. The box plot of 10 AUC-PR values per dataset is illustrated in Figure 6. We show four representative datasets, and the other seven datasets are with similar or stable trends. As analyzed before, $\alpha$ may influence the detection performance to some extent, and we use $\alpha\!=\!0.5$ considering the “manifold intrusion” problem. Besides, we can safely use a margin $e\!=\!1$ in the feature learning-based regularizer. The choice of $k$ might considerably influence the detection performance, and $k=2$ is more stable. Lower representation dimension $H$ fails to convey sufficient information to the downstream anomaly scoring process, and thus 128 is recommended.

This study first summarizes the prior arts of this research field by giving a general semi-supervised anomaly detection framework. This framework contributes a unifying view of this research line, and we theoretically show how representative existing methods are instantiated from this framework. It may also offer valuable insights into the design of new semi-supervised anomaly detection models. More importantly, we uncover the key limitations of supervisory signals directly supplied by the semi-supervised setting and broadly used in existing methods. Motivated by these problems, we further propose a concrete anomaly detection method, and specifically, we make the following technical contributions.

This study contributes to the semi-supervised anomaly detection literature by taking into account the anomaly contamination problem. Arguably, many prior works directly use the whole unlabeled set as normal data for training their models (see Table 1 and Section 3.3), and their performance is considerably downgraded by these noisy points (as illustrated in the toy case in Figure 1 and real-world datasets in Table 3). Our method RoSAS is shown to be a simple yet effective solution to address this limitation. Instead of directly feeding original flawed supervision into the learning model, we propose new supervision containing augmented data with more reliable label information, resulting in stronger robustness than existing state-of-the-art methods when the training set is with high contamination level (see empirical results in Figure 4).

We consider our work as a starting point for leveraging continuous supervision information to optimize continuously distributed anomaly scores. To the best of our knowledge, we are the first to raise this issue in anomaly detection. We empirically show the advantage of using continuous supervision over discretized ones (see Table 4). Continuous supervision can lead to significant performance gain at 98% confidence level. Also, we pose a consistency constraint to further enhance the capability of producing smoother anomaly scores, which brings about 5% performance improvement. These findings may foster future theoretical research or inspire new optimization mechanisms of anomaly scores.

To sum up, different from current studies that rely on contaminated discrete supervision, our core novelty is a new kind of contamination-resilient continuous supervision. This supervision better conforms to the real abnormal-normal distribution and offers significantly better guidance to the optimization of the end-to-end anomaly scoring neural network.

Albeit a plethora of unsupervised anomaly detection models, many real-world systems are looking for anomaly detectors that can exploit their historical anomalies, and this study adds a new competitive option to the list that currently only contains limited choices. We show that only 30 anomalies can bring drastically improved performance than unsupervised models that work on unlabeled data only (e.g., our approach RoSAS achieves 0.999 of AUC-PR on an intrusion detection dataset PortScan while unsupervised performance is only as low as 0.1). Given such huge benefits, instead of digging into the design of unsupervised anomaly detection models, one quick way to boost detection performance might be to transfer the unsupervised setting to the semi-supervised paradigm by feeding a few anomaly examples.

There are also many research and development fronts that we are pursuing in the future to further enhance the practical impact of this research. On one hand, this study can be extended to applications in different fields. We employ eleven datasets mainly from three domains including cybersecurity, medicine, and finance, and our approach also has the potential to identify system faults in AIOps or attacks in AI safety. On the other hand, by plugging in advanced network structures, our approach can be also applied to handle different data types (e.g., Transformer for sequential data, graph neural networks for graph data, and convolutional networks for images).