The detection of abnormal behavior from data is a requirement of many applications. For example, abnormal behavior can indicate a problem with a mechanical asset, a network attack, an intensive care patient in need of immediate attention, or a fraudulent transaction.
Analytic models built to detect abnormal behavior are ideally developed on historical data that are known to be ‘normal.’ However, there are many applications where historical data cannot be cleaned of anomalies. Such is the case when anomalous behavior has previously gone undetected and there has been no reason to take a retrospective look at the data. For example, consider a rotorcraft fitted with a health monitoring system that includes vibration sensors and magnetic debris detectors. An alert due to a magnetic-plug detection may result in replacement of the transmission. However, if the health monitoring system does not associate the alert with the vibration sensors, it may not tag the vibration data as abnormal. In other words, a health monitoring system may assume the vibration data are normal even though there could be evidence of abnormal behavior.
One may describe the detection of an anomaly or abnormal event using a priori knowledge. For example, consider a patient with a high temperature. A univariate measured feature such as a patient's temperature, together with knowledge of the patient's normal temperature response, is sufficient to set a simple rule for detecting high temperature. Usually there is an assumption that the measured temperature is conditioned on the patient being in a restful state (e.g. not performing stressful exercise). For many scenarios there is no prior knowledge to define abnormal events (or states). Furthermore, the definition of an abnormal event might require multivariate features. For example, detecting whether a person is overweight requires the features of height and weight. Multiple features commonly depend upon each other, and these dependencies may vary with (or be conditioned on) factors such as the current state of the observed object. For example, an aircraft may collect data during take-off, climb, cruise, etc., and the resulting data and its interrelated features can end up being very complicated. For applications that store historical data, it is often possible to construct models for anomaly detection by learning those models directly from the data. Often called a data-driven modeling approach, the general concept is to learn a model of ‘normal’ behavior from histories of past behavior.
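The height-and-weight case above, as an added example that is not part of the original text: a model of 'normal' is learned from constructed historical data, and a per-feature rule is compared with a joint (Mahalanobis distance) check. The function names, the sample data and the alarm limit of 3 are assumptions made for the illustration.

```python
# Added illustration: constructed data, hypothetical names, assumed alarm limit.
import math

def fit_normal_model(history):
    """Learn the mean and 2x2 covariance of (height, weight) from history."""
    n = len(history)
    mx = sum(h for h, _ in history) / n
    my = sum(w for _, w in history) / n
    sxx = sum((h - mx) ** 2 for h, _ in history) / n
    syy = sum((w - my) ** 2 for _, w in history) / n
    sxy = sum((h - mx) * (w - my) for h, w in history) / n
    return {"mean": (mx, my), "cov": (sxx, sxy, syy)}

def univariate_alarm(model, point, limit=3.0):
    """Per-feature rule: alarm if either feature alone is > limit std devs out."""
    (mx, my), (sxx, _, syy) = model["mean"], model["cov"]
    z_height = abs(point[0] - mx) / math.sqrt(sxx)
    z_weight = abs(point[1] - my) / math.sqrt(syy)
    return z_height > limit or z_weight > limit

def mahalanobis(model, point):
    """Distance from the learned mean, scaled by the learned joint covariance."""
    (mx, my), (sxx, sxy, syy) = model["mean"], model["cov"]
    dx, dy = point[0] - mx, point[1] - my
    det = sxx * syy - sxy * sxy  # determinant of the 2x2 covariance matrix
    return math.sqrt((syy * dx * dx - 2 * sxy * dx * dy + sxx * dy * dy) / det)

def multivariate_alarm(model, point, limit=3.0):
    """Joint rule: alarm if the point breaks the height/weight dependency."""
    return mahalanobis(model, point) > limit

# Constructed history: heights 150..190 cm, weight tracks height with small scatter.
OFFSETS = [-3, -1, 0, 1, 3]
HISTORY = [(150 + i, 0.9 * (50 + i) + OFFSETS[i % 5]) for i in range(41)]
MODEL = fit_normal_model(HISTORY)

if __name__ == "__main__":
    for label, p in [("typical", (180, 72)), ("short and heavy", (155, 78))]:
        print(label, p,
              "univariate alarm:", univariate_alarm(MODEL, p),
              "distance:", round(mahalanobis(MODEL, p), 2),
              "multivariate alarm:", multivariate_alarm(MODEL, p))
```

Both values of the second point lie inside the ranges seen in the history, so only the joint check flags it. The fit treats every historical record as normal, which is the assumption the rotorcraft example above shows can fail.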