### Table 2: Parameter-Free Anomaly Detection Algorithm

```
function loc_of_anomaly = kolmogorov_anomaly(data)
loc_of_anomaly = 1;
```

"... In PAGE 8: ... While the word anomaly implies that a radically different subsection of the data has been detected, we may actually be interested in more subtle deviations in the data, as reflected by some of the synonyms for anomaly detection, interestingness/deviation/surprise/novelty detection, etc. For true parameter-free anomaly detection, we can use a divide-and-conquer algorithm as shown in Table 2. The algorithm works as follows: Both the left and right halves of the entire sequence being examined are compared to the entire sequence using the CDM dissimilarity measure.... In PAGE 9: ...SAX representation when working with time series, as discussed in Section 2.4. The second is to introduce a simple and intuitive way to set a single parameter. The algorithm in Table 2 allows several potential weaknesses for the sake of simplicity. Firstly, it assumes a single anomaly in the dataset.... In PAGE 15: ...2 Anomaly Detection Although our approach can be used to find anomalies in text, video, images, and other data sources, we will confine our attention here to time series, since this domain has attracted the most attention in the data mining community and readily lends itself to visual confirmation. For all the problems shown below, we can objectively discover the anomaly using the simple algorithm in Table 2. However, that algorithm only tells us the location of the anomaly, without telling us anything about the relative strength of the anomaly.... ..."

### Table 2: Parameter-Free Anomaly Detection Algorithm

```
function loc_of_anomaly = kolmogorov_anomaly(data)
loc_of_anomaly = 1;
```

2004

"... In PAGE 4: ... While the word anomaly implies that a radically different subsection of the data has been detected, we may actually be interested in more subtle deviations in the data, as reflected by some of the synonyms for anomaly detection, interestingness/deviation/surprise/novelty detection, etc. For true parameter-free anomaly detection, we can use a divide-and-conquer algorithm as shown in Table 2. The algorithm works as follows: Both the left and right halves of the entire sequence being examined are compared to the entire sequence using the CDM dissimilarity measure.... In PAGE 4: ...Section 2.4. The second is to introduce a simple and intuitive way to set a single parameter. The algorithm in Table 2 allows several potential weaknesses for the sake of simplicity. First, it assumes a single anomaly in the dataset.... In PAGE 7: ...Although our approach can be used to find anomalies in text, video, images, and other data sources, we will confine our attention here to time series, since this domain has attracted the most attention in the data mining community and readily lends itself to visual confirmation. For all the problems shown below, we can objectively discover the anomaly using the simple algorithm in Table 2. However, that algorithm only tells us the location of the anomaly, without telling us anything about the relative strength of the anomaly.... ..."

Cited by 63

### Table 2 Parameter-free anomaly detection algorithm

in Data Min Knowl Disc, DOI 10.1007/s10618-006-0049-3: Compression-based data mining of sequential data

2005

"... In PAGE 9: ...unity (Shahabi et al. 2000; Ma and Perkins 2003; Christen and Goiser 2005). While the word anomaly implies that a radically different subsection of the data has been detected, we may actually be interested in more subtle deviations in the data, as reflected by some of the synonyms for anomaly detection, interestingness/deviation/surprise/novelty detection, etc. For true parameter-free anomaly detection, we can use a divide-and-conquer algorithm as shown in Table 2. The algorithm works as follows: Both the left and right halves of the entire sequence being examined are compared to the entire sequence using the CDM dissimilarity measure.... In PAGE 10: ...discussed in Sect. 2.4. The second is to introduce a simple and intuitive way to set a single parameter. The algorithm in Table 2 allows several potential weaknesses for the sake of simplicity. Firstly, it assumes a single anomaly in the dataset.... In PAGE 17: ...2 Anomaly detection Although our approach can be used to find anomalies in text, video, images, and other data sources, we will confine our attention here to time series, since this domain has attracted the most attention in the data mining community and readily lends itself to visual confirmation. For all the problems shown below, we can objectively discover the anomaly using the simple algorithm in Table 2. However, that algorithm only tells us the location of the anomaly, without telling us anything about the relative strength of the anomaly.... ..."
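The divide-and-conquer scheme quoted in these excerpts can be sketched in a few lines. This is a minimal Python illustration, not the paper's code: zlib stands in for an off-the-shelf compressor, and the rule of recursing into the half that CDM judges more dissimilar to the current window is an assumption about the body of Table 2, which the excerpts truncate.

```python
import zlib

def cdm(x: bytes, y: bytes) -> float:
    """Compression-based Dissimilarity Measure: C(xy) / (C(x) + C(y)),
    where C(s) is the compressed size of s (zlib used as a stand-in)."""
    c = lambda s: len(zlib.compress(s, 9))
    return c(x + y) / (c(x) + c(y))

def kolmogorov_anomaly(data: bytes) -> int:
    """Approximate the anomaly's offset by repeatedly halving the window,
    keeping the half that CDM judges more dissimilar to the whole window."""
    loc, window = 0, data
    while len(window) > 2:
        mid = len(window) // 2
        left, right = window[:mid], window[mid:]
        if cdm(right, window) > cdm(left, window):
            loc += mid          # anomaly judged to lie in the right half
            window = right
        else:
            window = left
    return loc
```

As the excerpts note, the single-anomaly assumption is a deliberate simplification; on time series the paper applies CDM to a discretized (SAX) representation rather than raw samples.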

### Table 17. User Anomaly Description

2000

"... In PAGE 22: ... We recorded the normal range of the similarity scores during this week. The data in the 6th week has some user anomalies, as described in Table 17. For each of the anomalous sessions, we compared its patterns against the original user's profile, and then compared the resulting similarity score against the recorded normal range of the same time segment.... In PAGE 22: ... A 1 here means that the user did not login during the time segment in the 5th week. The column "Anomaly" is the similarity measure of the anomalous session described in Table 17. We see that all anomalous sessions can be clearly detected since their similarity scores are much smaller than the normal range.... In PAGE 23: ... The data of the 5th week was used to establish the range of similarity measures for all the users of each group. The user anomalies described in Table 17 include "illegal job function" cases during the 6th week: programmer1 becomes a secretary, secretary becomes a manager, and sysadm becomes a programmer. Table 19 compares the similarity measure of each user in an anomalous session with his/her normal similarity range gathered for the same time segment.... ..."

Cited by 97
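The detection rule quoted in the excerpt above amounts to a per-(user, time-segment) range check: record the normal range of similarity scores during a profiling week, then flag sessions whose score falls below that range. A hypothetical sketch (the function names and data shapes are ours, not the paper's):

```python
def build_normal_ranges(training_scores):
    """training_scores: iterable of (user, segment, score) triples
    collected during the profiling week."""
    ranges = {}
    for user, segment, score in training_scores:
        lo, hi = ranges.get((user, segment), (score, score))
        ranges[(user, segment)] = (min(lo, score), max(hi, score))
    return ranges

def is_anomalous(ranges, user, segment, score):
    """Flag a session whose similarity score falls below the normal
    range recorded for the same user and time segment."""
    if (user, segment) not in ranges:
        return True  # no login recorded for this segment while profiling
    lo, _hi = ranges[(user, segment)]
    return score < lo
```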

### Table 1. Timing of the Magnetic Anomaly Detection module of the Signature Management System.

"... In PAGE 5: ... We hope to apply the C++ library to additional APL programs soon. CASE STUDIES Case Study 1: Determining Magnetic Detectability of Submarines Table 1 gives timing statistics for the Signature Management System Magnetic Anomaly Detection module, timed after various uses of memoization were put into effect. Memoization provided a 24-fold increase in speed, even before persistent tables were used.... ..."
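The speedup reported in the excerpt above comes from memoization: caching the results of expensive pure function calls so that repeated calls with the same arguments hit a lookup table instead of recomputing. A minimal illustration in Python (the case study's own library is for APL/C++, and `expensive` below is a stand-in, not its API):

```python
from functools import lru_cache

@lru_cache(maxsize=None)
def expensive(n: int) -> int:
    # Stand-in for a costly pure computation; real savings appear when
    # the same arguments recur, as in the detection module's repeated queries.
    return sum(i * i for i in range(n))

expensive(10_000)   # computed once...
expensive(10_000)   # ...then served from the cache
```

The "persistent tables" mentioned in the excerpt extend the same idea by saving the cache to disk across runs.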

### Table 2: Piecewise analysis of the traffic data in Figure 2.

1999

"... In PAGE 15: ...them to be in excellent agreement with the access log data. This can also be observed in the results of Figure 2. Figure 2: Traffic data for the Olympic Web site over the course of an hour on February 13, 1998, and measures from the corresponding ARMA(2,2) model. In Table 2 we provide additional details on the ARMA models for each of the four phases, as well as for the entire hour as a whole. We note that our decomposition of the time-series analysis into piecewise time series makes it possible to use smaller order ARMA processes to represent each of these phases, which was one of the motivating factors for our approach (see Section 2).... In PAGE 18: ... Upon comparing these plots, we observe that the request process generated from our methodology better resembles the trace data in Figure 2 than the often used M2M approach. This is further quantified in Table 3 where we provide statistical characterizations of the generated time series from the scaled ARMA(1,1) and M2M processes in Figure 6, together with the corresponding measures from Table 2 for phase 2 of Figure 2. We observe that the key statistical measures for the scaled ARMA(1,1) process are much closer to those for phase 2 in Figure 2 than the corresponding measures from the scaled M2M... In PAGE 20: ... It is well known that the first two moments are not sufficient to completely characterize a stochastic process in general, and this is particularly the case for bursty processes. As a specific (simple) example, we note that the value of cvA for each phase in Table 2 is much smaller than the cvA value for the entire hour. This is because the process is non-stationary and there are some phases for which the mean of the process shifts.... In PAGE 20: ... This is because the process is non-stationary and there are some phases for which the mean of the process shifts. The value of cvA is very sensitive to such shifts, as illustrated by the results in Table 2. Because it is based solely on the first two moments, the M2M approach is not very robust with respect to characterizing a general stochastic arrival process, especially a non-stationary process (i.... ..."

Cited by 39
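The sensitivity of the coefficient of variation to mean shifts, noted in the excerpt above, is easy to reproduce: the cv of each stationary phase is far smaller than that of the concatenated, non-stationary whole, because the shift in means inflates the pooled standard deviation. Synthetic numbers, not the paper's traffic data:

```python
import statistics

def cv(xs):
    """Coefficient of variation: standard deviation over mean."""
    return statistics.pstdev(xs) / statistics.mean(xs)

phase1 = [100 + d for d in (0, 1, -1, 2, -2)]   # stationary around 100
phase2 = [500 + d for d in (0, 1, -1, 2, -2)]   # mean shifts to 500
whole = phase1 + phase2                          # non-stationary "hour"

# cv(phase1) and cv(phase2) are below 0.015; cv(whole) is about 0.67
```

This is why the excerpt argues for fitting a small ARMA model per phase rather than a single model (or an M2M fit of the first two moments) over the whole non-stationary hour.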

### Table 7: Aggregate time-series: 1973-1990


### Table 1. Time component pattern representation

2006

"... In PAGE 3: ... For example, if a rule says "a date is a month in text form followed by a day in number form and a year in 4-digit number form", the term sequence "October 29, 2005" will satisfy the rule and will be parsed into a date. In order to express the rules in a systematic way, we define the letter representations for each component (see Table 1). Considering that a component may have text or number presentation formats, we adopt a different representation for each format.... ..."

Cited by 1
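The example rule quoted above (month in text form, day in number form, 4-digit year) can be expressed directly as a pattern. A regex stand-in for illustration only; the paper encodes such rules with the per-component letter codes of its Table 1, which this sketch does not reproduce:

```python
import re

MONTHS = ("January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December")
# Month in text form, day in number form, year as a 4-digit number:
DATE_RULE = re.compile(r"\b(%s) (\d{1,2}), (\d{4})\b" % "|".join(MONTHS))

m = DATE_RULE.search("The term sequence October 29, 2005 satisfies the rule.")
# m.groups() -> ('October', '29', '2005')
```

A different rule (say, day-first "29 October 2005") would need its own pattern, which is precisely why the paper defines a systematic component representation rather than ad hoc expressions.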