Anomaly Detection Using Similarity-based One-Class SVM for NetworkTraffic Characterization

Bouchra Lamrini1, Augustin Gjini1, Simon Daudin1,François Armando1, Pascal Pratmarty1 and Louise Travé-Massuyès2

1LivingObjects, Toulouse, Francee-mail: {bouchra.lamrini,augustin.gjini,simon.daudin,françois.armando,pascal.pratmarty}@livingobjects.com

2LAAS-CNRS, Université de Toulouse, CNRS, Toulouse, Francee-mail: louise@laas.fr

Abstract

In this paper∗, we investigate an unsu-pervised machine learning method basedon one-class Support Vector Machines foranomaly detection in network traffic. Inthe absence of any prior expert knowledgeon anomalous data, we propose the use ofa similarity measure for Multivariate TimeSeries to evaluate the output results and se-lect the best model. A set of Key Perfor-mance Indicators, oriented for network andtraffic monitoring, has been used to demon-strate the promising performance of the un-supervised learning approach.

1 IntroductionAnomaly detection aims at identifying unusual pat-terns in data that do not conform to expected behav-ior [1]. These non-conforming patterns are generallyreferred in different application fields to as anomalies,aberrations, discordant observations, exceptions, nov-elty, outliers, peculiarities or contaminants, surprises,strangeness. There has been applications in severalapplication fields from intrusion detection, e.g. iden-tifying strange patterns in network traffic that couldsignal a hack [2], to system health monitoring, e.g.spotting a malignant tumor in an MRI image scan [3],and from fraud detection in credit card transactions[4], to fault detection in operating environments [5].In this paper we are interested in anomaly detectionin network traffic.

Support Vector Machines (SVMs) have been one ofthe most successful machine learning techniques thatcan be used in a variety of classification applications.

∗Index Terms: Anomaly Detection, Support Vector Ma-chines (SVMs), One-Class SVMs, Unsupervised Learning,Model Selection, Similarity Measure, Multivariate TimeSeries (MTS).

SVMs perform at least as good as other methods interms of the generalization error [6].

Many factors contributed to the high popularity ofSVMs today. First of all, their theoretical founda-tions have been deeply investigated and they comewith a convex optimization procedure ensuring thatthe global optimum will be reached. Moreover, thesolution is sparse making it really efficient in com-parison to other kernel-based approaches [7]. In ad-dition, they may use a non linear transformation inthe form of a kernel that even allow SVMs to be con-sidered as a dimensionality reduction technique [8].One-Class SVMs [9] have been devised for cases inwhich one class only is known and the problem is todetect anything outside this class. This is known asnovelty detection and it refers to automatic identifi-cation of unforeseen or abnormal phenomena [1; 10;11], i.e. outliers, embedded in a large amount of nor-mal data.

In contrast to traditional SVMs, One-Class SVMs(OC-SVM) learn a decision boundary that achievesmaximum separation between the samples of theknown class and the origin [12]. Only a small frac-tion of data points are allowed to lie on the other sideof the decision boundary: those data points are con-sidered as outliers.

Anomaly detection is particularly important fornetwork traffic. The observed growth rate of infor-mational and economic damage caused by intention-ally or unintentionally attacks, faults, and anomalieshas been a driving force behind efforts to ensure thatnetwork monitoring systems are able to detect ab-normal activity and characterize it. The limitationsof computing and storage resources require compe-tence and ingenuity to effectively characterize ever-changing network traffic trends.

Non-availability of labelled data, high costs forconstituting labeled training data, and need to iden-tify anomalous and novel observations in data withouthaving necessarily seen an example of that behaviourin the past are the main challenges tackled in this

work. A central issue is model selection, i.e. choiceof the optimal hyper-parameters that define the OC-SVM learning configuration. This requires a methodto evaluate the results.

This paper contributes to this problem by evalu-ating the results of the trained model by comparingsamples predicted normal with samples in the train-ing set. Because samples are composed of a set ofsignals over a temporal window, we propose to use asimilarity index for Multivariate Time Series (MTS)called EROS (Extended Frobenius Norm). The re-sults of the model are evaluated iterativelly for differ-ent hyper-parameters of OC-SVM and the model thatevaluates best is selected. We show that OC-SVM incombination with the Eros index [read more in Sec-tion 4.1] can create automatically tuned reliable clas-sifiers with reasonable computation cost.

The remainder of this paper is organized as follows.

Section 2 presents our case study. Section 3 is de-voted to an overview of SVMs and One-Class SVMsmethods. In Section 4, we present the EROS similar-ity measure used to search for the best training modelfor anomaly detection. Experimental results and re-lated discussions are provided in Section 5 to demon-strate the approach performance. Finally, Section 6concludes the paper.

2 Case StudyProcessing network traffic involves dealing with animmense amount of data that is quickly and con-stantly varying. Considering the enormous amountof data involved it is very easy for malicious activitiesto go undetected, especially without any knowledge apriori about the nature of the traffic, like it is often thecase in the network domain.

Figure 1: Training Data Set. The y-axis represents the KPI signals. From top to bottom: Total IncomingTraffic, Total Outgoing Traffic, Server Delay, and Network Delay.

In this study, data was collected from a real-timemonitoring platform dedicated to ensure key applica-tion performance. 51 sites using applications of thesame kind and having roughly the same uses at thesame time, were chosen. For each application, weselected carefully four relevant Key Performance In-dicators (KPIs) describing:

1. Total Incoming Traffic.2. Total Outgoing Traffic.3. Server Delay, i.e. the connection time to the

server, which sets the expiration time for send-ing a request.

4. Network Delay that specifies how long it takesfor a bit of data to travel across the network fromone node to another.

A history of two months (3408 samples) of datagenerated at a 5 minutes rate was collected for eachof the four KPIs above and for each site. Data wassegmented into time-windows wi, each of 48 points.Figure 1 shows the data contained in the training set.Each time-window wi ∈ {w0, ..., wl}, l = 70, isidentified between lines and there are 70 samples.

Let us notice that the data samples that are providedto the OC-SVM classification algorithm are multivari-ate, each composed of four KPI segments over thesame time-window. The idea is to detect insidiousproblems that require an analysis of the signal under-lying interactions. We therefore want to detect “ab-normal windows”. Each segment is characterized byseven statistical attributes: minimum (MIN), maxi-mum (MAX), mean (MEAN), median (MED), stan-

Page 2/8

dard deviation (STD), number of average crossings(nbpMean), squared mean error (SME) computed be-tween the raw data and the linear fitting. These at-tributes are used by OC-SVM after normalization.Figure 2 shows the attributes built for the 70 segmentsof the four KPIs mentioned above. The seven at-

tributes MEAN, MED, MAX, MIN, STD, nbpMean,and SME are illustrated in sub-figures from left toright. We can already notice some overruns that willmake considerable contribution to the classifier pro-file defined by the decision function.

Figure 2: Attributes built for training data KPIs. Each point is calculated on a segment of 48 points.

3 An Unsupervised Similarity-basedMethod for Anomaly Detection

Support Vector Machines (SVMs) have always beenof interest in anomaly detection because of their abil-ity to provide non-linear classification through a ker-nel function. Via this short overview, we show thatSVMs are theoretically well founded. We briefly in-troduce the basic concepts of SVMs then focus onOC-SVM that we adopted in this study. A more de-tailed presentation can be found in [13] and a goodexample is available on URL using "LibSVM" libraryof Matlab.

3.1 Support Vector MachinesLet us consider the traditional two-class support vec-tor machines in which we are given a set of n train-ing instances S = {(x1, y1), (x2, y2), ..., (xn, yn)}.xi ∈ Rd, where yi is the class label of the xi in-stance and yi ∈ [−1,+1]. The linear SVMs classifierrecovers an optimal separating hyperplane maximiz-ing the "margin" of the classifier with the equation:wTx+ b = 0, with w ∈ F and b ∈ R two parameterswitch determine the position of the decision hyper-plane in feature space F (its orientation is tuned by wand its displacement by b). The decision function canthus be generally written as:

f(x;w, b) = sign(wTx+ b) ∈ {−1,+1} (1)

where:

sign(wTx+ b) =

{+ 1, if (wTx+ b) ≥ 0

− 1, otherwiseThe concept of SVMs is to find (w, b) such that the

hyperplane is positioned at maximum distance of thenearest training samples of the two classes in orderto reduce the generalization error. This distance de-fines the "margin". SVMs have first been proposedfor linearly separable classification tasks. Howeverthey were extended to non-linearly separable classifi-cation problems. Some samples are allowed to violatethe margin (soft-margin SVMs) and a non-linear deci-sion boundary can be obtained by projecting the datainto a higher dimension space thanks to a non-linearfunction Φ(x). Data points may not be linearly sepa-rable in their original space but they are “lifted” intoa feature space F where a hyperplane can separatethem. When that hyperplane is projected back intothe input space, it has a non-linear shape. To preventthe SVM classifier from over-fitting noisy data, slackvariables ξ are introduced to allow some data points tolie within the margin, and the parameterC > 0 (Eq.2)tunes the trade-off between the classification error onthe training data and margin maximization. The ob-jective function of SVM classifiers has the followingminimization formulation:

minw,b,ξi

‖w‖2

2+ C

n∑i=1

ξi (2)

Page 3/8

Subject to:

yi(wTφ(xi) + b) ≥ 1− ξiξi ≥ 0, i = 1, ..., n

The minimization problem is solved using La-grange Multipliers αi, i = 1, . . . , n. The new deci-sion function rule for a data point x is:

f(x) = sign(

n∑i=1

αiyiK(x, xi) + b) (3)

Every αi > 0 is weighted in the decision function andthus supports the machine. Since SVMs are consid-ered to be sparse, there are relatively few Lagrangemultipliers with a non-zero value.

The function K(x, xi) = Φ(x)TΦ(xi) is known asthe kernel function. Since the outcome of the decisionfunction only relies on the dot-product of the vectorsin the feature space F (i.e. all the pairwise distancesfor the vectors), it is not necessary to perform an ex-plicit projection. As long as a functionK provides thesame results, it can be used instead. This is known asthe kernel trick.

Popular choices for the kernel function are linear,polynomial, and sigmoïdal. In this study, we used theGaussian Radial Base Function:

K(x, xi) = exp(−‖x− xi‖2

2σ2) (4)

where σ ∈ R is a kernel parameter and ‖x− xi‖ isthe dissimilarity measure. With this set of formulasand concepts we are able to classify a set of data pointinto two classes with a non-linear decision function.

The power of the method comes from using ker-nel functions, which enable it to operate in a high-dimensional, implicit feature space without ever com-puting the coordinates of the data in that space, butrather by simply computing the inner products be-tween the images of all pairs of data in the fea-ture space. This operation is often computationallycheaper than the explicit computation of the coordi-nates. Figure 3 illustrates a non linearly separabledata set clustered by SVM with two different kernelfunctions: linear and radial based. The observationsare plotted blue or magenta depending on the classand the background is darker as the distance from thehyperplane is higher. Scores are given on the rightbottom corners and show a significant increase for thenon linear kernel.

3.2 One-Class Support Vector MachinesOne-Class SVMs (OC-SVMs) are used to separatethe data of one specific class, the target class, fromother data. They are trained with positive examplesonly, i.e. data points from the target class. There aretwo different approaches: the approach according to

Figure 3: SVM results with two kernel functions.

Schölkopf [13], which is presented in the next para-graph, and that according to Tax and Duin [14].

In the feature space F , OC-SVM method basicallyseparates all the data points from the origin by a hy-perplane and it maximizes the distance of this hyper-plane to the origin. This results in a binary functionwhich captures the region of the input space wherethe training data lives. Thus the function returns +1in a “small” region (capturing the training data points)and −1 elsewhere. The quadratic programming min-imization function is slightly different from the origi-nal stated by (Eq.2) and (Eq.3):

minw,ξi,ρ

‖w‖2

2+

1

ηn

n∑i=1

ξi − ρ (5)

Subject to:w.φ(xi) ≥ ρ− ξi

ξ ≥ 0

i = 1, ..., n

Schölkopf et al. [13] has reformulated SVMs totake the new regularization parameter η instead ofC in the original formulation (Eq.2 and Eq.3). Therange of C is from zero to infinity, but η is alwaysbetween [0, 1]. η characterizes the solution in a niceinterpretable way: (1) it sets an upper bound on thefraction of outliers, e.g. the training examples re-garded out-of-class, (2) and it sets a lower bound onthe number of training examples used as support vec-tors.

Again by using Lagrange techniques and using akernel function for the dot-product calculations, thedecision function becomes:

f(x) = sign((wΦ(xi))− ρ)

= sign(

n∑i=1

αiK(x, xi)− ρ)(6)

OC-SVMs thus create a hyperplane characterizedby w and ρ which has maximal distance from the ori-gin in the feature space F , hence separating all thedata points from the origin.

4 Similarity-based PerformanceEvaluation for Model Selection

In this section, we address the problem of fitting thehyper-parameters of OC-SVM automatically, that is

Page 4/8

the problem of automatic model selection. In the caseof OC-SVM, this amounts to choose the kernel pa-rameter γ and the regularization parameter η. A pair(γi, ηj) is defined as a learning configuration.

For this purpose, we propose to run OC-SVM forseveral learning configurations and select the bestconfiguration by evaluating the similarity of the KPIsignals for the windows tagged normal by OC-SVMand the KPI windows of the training data that are as-sumed to be normal examples. Since a sample win-dow is composed of several KPI signals, we needa multidimensional similarity index for MultivariateTime Series (MTS).

4.1 The similarity Index ErosMultidimensional similarity measures aim to indicatesimultaneously the level of similarity between severaldatasets (databases, data clusters, etc.). Unlike othermethods [15; 16; 17] that seek the level of similaritybetween two variables by omitting the existing cor-relation between the set of variables, a multidimen-sional method takes into account the contribution ofeach variable in defining a global similarity measure.

One of the methods processing MTS is the methodEros (Extended Frobenius Norm) [18]. The interestbehind this method lies in its ability to assess the simi-larity of MTS composed of a different number of datapoints. It indeed uses the eigenvalues and eigenvec-tors of the covariance matrix that has size n×n, n be-ing the number of times series composing the MTS.In doing so, it also performs dimension reduction be-cause the number of observations is generally higherthan that of the variables.

We briefly describe the similarity index Eros basedon the Frobenius Norm below. The definitions and no-tations used in this paper are taken from [19]. We firstformally define the similarity index Eros. Next, wepresent the algorithm describing the similarity mea-sure procedure and the approach proposed for modelselection.

Definition 1. Eros (Extended Frobenius Norm).Let A and B be two MTS items of size mA × nand mB × n respectively. Let VA and VB two righteigenvector matrices by applying Singular Value De-composition (SVD) to the covariance matrices, MA

and MB , respectively. Let VA = [a1, . . . , an] andVB = [b1, . . . , bn], where ai and bi are column-orthonormal of size n. The Eros similarity of A andB is then defined as:

Eros(A,B,w) =

n∑i=1

wi |< ai, bi >|

=

n∑i=1

|cos(θi)|(7)

where 〈ai, bi〉 is the inner product of ai and bi, w is aweight vector which is based on the eigenvalues of theMTS dataset,

∑ni=1 wi = 1 and cos(θi) is the angle

between ai and bi. The range of Eros is between 0and 1, with 1 being the most similar.

Definition 2. Singular Value Decomposition. LetA be a general real m× n matrix. The singular valuedecomposition (SVD) of A is the factorization:

A = UΣV (8)where U is a column-orthonormal N × r matrix, ris the rank of the matrix A, Σ is a diagonal r × rmatrix of the eigenvalues γi of A where γ1 ≥ ·· ≥γr ≥ 0 and V is a column-orthonormalM×r matrix.The eigenvalues and the corresponding eigenvectorsare sorted in non-increasing order. V is called theright eigenvector matrix, and U the left eigenvectormatrix.

Yang et al. (2005) [18] describe the similarity in-dex algorithm with the following steps:

1. Compute the covariance matrix of each MTS.2. Use SVD to decompose each covariance matrix.3. Recover eigenvalues and eigenvectors.4. Compute the weight w of individuals by normal-

izing the eigenvalues [18].5. Compute similarity between MTS.

4.2 Automatic Model SelectionThe first task is to define the learning configurationsthat will be tested with OC-SVM. We follow the stepsbelow:

1. Define the hyper-parameter space and a proce-dure to explore this space. In our case, we set amin-max and a variation step to constitute a grid(β × β) value pairs, i.e. β values for each hyper-parameter.

2. Explore the hyper-parameter space and set OC-SVM accordingly: for each pair of values, oneOC-SVM classifier is obtained after the learningstep. The best configuration is retained by usingthe Eros similarity index on the validation data(25% of all data) and the training data (50% ofall data). The corresponding OC-SVM classifieris taken as the best model.

3. Once found the best model, anomaly detection isperformed on new data to evaluate how well themodel behaves.

The similarity of windows tagged normal by OC-SVM, denoted by MTSnormalk , k = 0, ..., p, and thedata windows of the training data (considered as nor-mal), denoted by MTSlearnl , l = 1, ..., q, is obtainedas follows. For every learning configuration [Figure4] given by (γi, ηj):

Page 5/8

1. Compute Eros for every window pair(MTSnormal

k ,MTSlearnl ), k = 0, ..., p, and

l = 1, ..., q.

2. Compute the average similarity "Erosmean" over

all the window pairs.

The best learning configuration is taken as the oneleading to the maximal "Erosmean" value over all con-sidered learning configurations (γi, ηj).

Figure 4: Diagram showing the model selection process.

5 Experiments on the Case StudyOur detection approach was applied to the case studypresented in Section 2. A history of two months ofdata generated every 5 minutes for four KPIs was col-lected over 151 sites. The window segmentation [20]was performed after analyzing two points that can sig-nificantly impact the detection stage:

• choice of the time-window length, i.e. the num-ber of hours and samples to take account in awindow,

• definition of a reliable methodology to normalizetraining and testing datasets versus in these.

As mentioned in section 2, the time-window lengthwas chosen of 4 hours, i.e. 48 samples. Clearly,when access to web applications is established in afew hours, a window of four hours is considered asignificant period for traffic analysis. As noted above,each time-window is characterized by seven statisticalattributes: minimum (MIN), maximum (MAX), mean(MEAN), median (MED), standard deviation (STD),number of average crossings (nbpMean), squaredmean error (SME) computed between the raw dataand their linear fit. The attributes are computed foreach time-window in order to obtain a multidimen-sional scatter plot, where each point represents a time-window. One of the major interests of segmentationand feature computation is to synthesize the informa-tion contained in a time-window. This allows the de-

tection not only of singular points, but also of an atyp-ical set of points even if each point taken.

Acquired raw data provide KPIs with differentranges, then features (attributes) themselves don’thave homogeneous ranges. In order to guarantee goodperformances of the anomaly detection approach, wechose to normalize these attributes with respect totheir maximal and minimal values with a toleranceusing a threshold s ∈ [0, 1]. This standard preprocess-ing ensures that all the attributes contribute equally tothe decision process independently of the parametersresponsible of KPI dynamics.

To automatically select the best model, the hyper-parameter space was discretized with a 10 × 10 grid,i.e. β = 10. 100 learning configurations were there-fore evaluated to select the best model. This off-linetask was performed for each application site and ap-peared computationally feasible.

Figure 5 shows some of the test results (25% of alldata). From 24 time-windows (wi ∈ {w0, . . . , wm},m = 23), 4 anomalies have been detected representedby the 4 time-windows (yellow colored): w3, w4, w10

and w12. The results were confirmed with ParallelCoordinates plots given in Figure 6.

In a Parallel Coordinates Plot, each attribute isgiven its own axis and all the axes are placed paral-lel to each other. Values are plotted as a series of linesthat connect across all the axes. This means that eachline corresponds to one data window for which wehave 7× 4 attributes (7 features for every KPI).

Page 6/8

The order in which the axes are arranged can im-pact the way how the reader understands the data.One reason for this is that the relationships betweenadjacent variables are easier to perceive than those be-tween non-adjacent variables. So re-ordering the axescan help in discovering patterns or correlations acrossvariables. We clearly see that the four time-windowsdefined by the pink lines represent a strange behav-ior compared to the normal windows defined by thegreen lines.

Presenting this type of detection can ensure that thenetwork administrators adopts another reasoning tocharacterize the nature of the traffic (normal, abnor-mal, critical, ...) circulating on the network. It mayhelp him to identify the different forms of anomalyin his network. Data analysis must give meaningto the data with the goal of discovering useful in-formation, suggesting conclusions, and supportingdecision-making. The value of the data lies in thestory it tells.

Figure 5: Anomaly detection (yellow windows are detected abnormal). From top to bottom, KPIs appearin this order on the y-axis: Total Incoming Traffic, Total Outgoing Traffic, Server Delay, and Network Delay

Figure 6: Parallel Coordinates Plot illustrating thefour abnormal windows. From top to bottom, thecurves labeled in pink color shows successivelythe time-windows: w3, w4, w10 and w12.

6 ConclusionIn this work, we applied the OC-SVM method to de-tect anomalies in real network traffic, contributingwith an automatic method based on the similarity in-dex Eros [19] for setting the hyper-parameters whichdefine the learning configuration. It provided very sat-isfactory results.

The advantages of novelty detection for complexprocesses like network traffic are multiple. In partic-ular there is no need of faulty data. A wide variety ofcases of anomaly exist and it would be impossible tocharacterize them all or to gather the correspondingdata. Challenges for future work is related to thefact that data comes in a stream and dealing with thedata in real-time is quite tedious. The amount of dataleads to cases where resources are limited. Noveltydetection in a distributed framework is also to beinvestigated.

Acknowledgement The authors thank BertrandLe Marec and David Maisonneuve, leading team ofLivingObjects, for their support and valuable com-ments about the application.

Page 7/8

References[1] V. Chandola, A. Banerjee, and V. Kumar.

Anomaly detection: A survey. ACM ComputingSurveys, 41(3):15:1–15:58, 2009.

[2] V. Kumar. Parallel and distributed computingfor cybersecurity. IEEE Distributed Systems On-line, 6(10):1–9, 2005.

[3] C. Spence, L. Parra, and P. Sajda. Detection,synthesis and compression in mammographicimage analysis with a hierarchical image prob-ability model. In Proceedings of the IEEEWorkshop on Mathematical Methods in Biomed-ical Image Analysis (MMBIA’01), MMBIA’01,pages 3–, 2001.

[4] E. Aleskerov, B. Freisleben, and B. Rao. Card-watch: a neural network based database min-ing system for credit card fraud detection. InProceedings Of The IEEE/IAFE 1997 Compu-tational Intelligence For Financial Engineering(CIFEr), pages 220–226, 1997.

[5] R. Fujimaki, T. Yairi, and K. Machida. An ap-proach to spacecraft anomaly detection problemusing kernel feature space. In Proceedings ofthe Eleventh ACM SIGKDD International Con-ference on Knowledge Discovery in Data Min-ing, KDD’05, pages 401–410, New York, NY,USA, 2005. ACM.

[6] C.J.C. Burges. A tutorial on support vector ma-chines for pattern recognition. Data Mining andKnowledge Discovery, 2(2):121–167, 1998.

[7] C.M. Bishop. Pattern Recognition and MachineLearning. Springer, 2006.

[8] W. Wang, Z. Xu, W. Lu, and X. Zhang. Deter-mination of the spread parameter in the gaussiankernel for classification and regression. Neuro-computing, 55(3-4):643–663, 2003.

[9] M.A.F. Pimentel, D.A. Clifton, and L.C.Tarassenko. A review of novelty detection. Sig-nal Processing, 99:215–249, 2014.

[10] D. Dasgupta and S. Forrest. Novelty detection intime series data using ideas from immunology.In Proceedings of The 5th International Con-ference on Intelligent Systems, Reno, Nevada,1996.

[11] E. Keogh, S. Lonardi, and W. Chiu. Findingsurprising patterns in a time series database inlinear time and space. In Proceedings of the8th ACM SIGKDD International Conference onKnowledge Discovery and Data Mining, KDD’02, pages 550–556, New York, NY, USA, 2002.ACM.

[12] B. Schölkopf, J.C. Platt, J.C. Shawe-Taylor, A.J.Smola, and R.C. Williamson. Estimating thesupport of a high-dimensional distribution. Neu-ral Computation, 13(7):1443–1471, 2001.

[13] B. Schölkopf, R. Williamson, A. Smola,J. Shawe-Taylor, and J. Platt. Support vectormethod for novelty detection. In Proceeding ofthe 12th International Conference on Neural In-formation Processing Systems, pages 582–588,1999.

[14] R.P.W. Tax, D.M.J. and Duin. Supportvector data description. Machine learning,54(1):45–66, 2004.

[15] G.E.A.P.A. Batista, W. Wang, and E.J. Keogh. Acomplexity-invariant distance measure for timeseries. SDM, 2011.

[16] C.A. Ratanamahatana and E.J. Keogh. Mak-ing time-series classification more accurate us-ing learned constraints. In Proceedings ofSIAM International Conference on Data Mining(SDM’04), pages 11–22, 2004.

[17] S. Park, W.W. Chu, J. Yoon, and C. Hsu. Effi-cient searches for similar subsequences of dif-ferent lengths insequence databases. In 16th

International Conference on Data Engineering,pages 23–32, 2000.

[18] K. Yang and C. Shahabi. A multilevel distancebased index structure for multivariate time se-ries. In 12th International Symposium on Tem-poral Representation and Reasoning, 2005.

[19] K. Yang and C. Shahabi. A pca-based simi-larity measure for multivariate time series. InProceedings of the Second ACM InternationalWorkShop on multimedia Databases, 2004.

[20] S. Fuertes, G. Picart, J.Y. Tourneret, L. Chaari,A. Ferrari, and C. Richard. Improving space-craft health monitoring with automatic anomalydetection techniques. In 14th International Con-ference on Space Operations., page 2430, 2016.

Page 8/8