I. Introduction

Nowadays, IT activities generate a significant amount of high-dimensional sensor data. Although big data analytics and deep learning have made handling massive amounts of data possible, identifying irregularities in such data remains challenging due to the vast volume, noise, and uneven data distribution that make it difficult to detect anomalies. This phenomenon is called the ‘dimensionality curse’ (). Moreover, anomalies can arise from interactions between multiple causes, which further complicates the detection process. This problem domain is particularly crucial in data-driven industries that generate many unstable, dispersed, and multimodal time series datasets, such as source management, autonomous driving, and the Internet of Things (IoT).

Anomalies reveal unusual characteristics within the systems and entities responsible for supplying data. These atypical traits offer valuable insights for real-world applications. Detecting data anomalies can uncover outliers, identify environmental conditions requiring human attention, or optimize computing resources by preemptively filtering undesired data segments. For cloud systems, promptly identifying anomalies following an incident is crucial in preventing more significant failures that may impact customers (). The research also explained that intrusion detection plays a vital role in computer network systems by distinguishing between illegal and malicious behaviors. Another aspect that the research covered was the electrocardiography (ECG) signals for assessing heart conditions in medicine. Typically, medical practitioners manually evaluate the resulting time series signal to detect arrhythmia. Finally, a multivariate industrial time series monitors these processes, incorporating data from sensors and control systems within the gas-oil plant heating loop (GHL). An LSTM-based technique is used to detect defects in this context.

Anomaly detection involves identifying data points, patterns, or traffic that significantly deviate from a system’s expected behavior. Outliers that deviate substantially from the rest of the distribution are labeled as anomalies (). Anomaly detection is essential for creating trustworthy computer systems () in commercial, industrial, healthcare, and military applications to ensure crucial processes or decisions are safe (). Anomaly detection based on statistical, rule-based, machine learning, and neural networks with unsupervised methods is becoming increasingly important. These methods provide fast inference speed, improve quality of service, and efficiently manage high-dimensional time series data ().

Various statistical, rule-based, and machine-learning methods have previously been developed to find abnormalities in time series data. Rule-based methods compare data to an anomaly rule, which can be flawed and requires frequent updates, making the approach time-consuming. Statistical methods estimate parameters based on a particular distribution but may fail to capture underlying nonlinearities and dynamical linkages. Machine learning approaches come in three types: supervised, unsupervised, and weakly supervised learning. Unsupervised techniques such as One-Class Support Vector Machine (OC-SVM), k-Nearest Neighbor (KNN), Support Vector Data Description (SVDD), Expectation Maximization (EM), Histogram-Based Outlier Score (HBOS), Local Outlier Factor (LOF), and Local Density Cluster-based Outlier Factor (LDCOF) have already been employed for identifying anomalies in time series data. However, they may have issues in capturing temporal correlation and performance. Statistical methods such as wavelet theory, Hilbert transform, principal component analysis (PCA), and Markov chain models have also been used for time series data analysis. Recently, machine learning methods such as SVM, regression models, and clustering have been created to forecast the distribution of time series data. However, memory constraints can limit their ability to detect temporal patterns.

Anomaly detection methods using deep learning have attracted interest and become popular due to their ability to handle challenging detection problems in various real-world applications. Recurrent neural networks (RNNs) can be a good option to solve sequence modeling problems. However, traditional RNNs struggle to capture remote relationships due to gradient disappearance in long-sequence modeling problems. Popular RNN () variations, including gated recurrent unit (GRU) () and long short-term memory (LSTM) () have already been created to get around this restriction. In modeling temporal patterns, RNNs can benefit from the attention mechanism. However, the computational intensity and slow speed of recursive models such as LSTM hinder their ability to replicate long-term trends accurately. In contrast, some time-series anomaly detection tasks, such as detecting anomalies in sensor data or financial transactions, may require detecting subtle deviations from normal behavior over long periods. The dual-path network has been proposed as an effective method to solve this problem ().

Recently, the Transformer model’s encoding of large sequences allows for almost independent accuracy and inference time, making it an excellent choice for anomaly detection models that mine long-term dependencies and deal with nonlinear dynamics. Nonetheless, the Transformer model can only handle sequences with a length of a few hundred (). The Transformer model has a significant computational complexity for extended sequences, and the training is slow. To address these issues, recent research has proposed combining temporal convolution networks (TCN) with transformers to capture temporal dependencies while avoiding the pitfalls of recursive models ().

While there have been notable improvements in anomaly detection for time series data, conventional statistical approaches and machine learning algorithms have limitations in effectively handling nonlinear, high-dimensional, and noisy data. Although LSTM and GRU neural networks can capture contextual information, they face challenges due to their slow inference speed and inefficiency. On the other hand, transformers demonstrate strengths in parallelization and capturing long-range dependencies in input sequences. However, slow training and high computational complexity hinder their performance on longer sequences.

Based on the aforementioned considerations, we introduce a novel model called KBJNet, which integrates the TCN and transformers architectures using a dual-path network for detecting abnormalities in multivariate time series data. The KBJNet model incorporates an adaptable multi-head mechanism for attention that comprehensively captures the characteristics of each dimension in the data, enabling effective anomaly detection. Our key contributions include:

  • Our study proposes a new model architecture for capturing anomalies involving a combination of dilated TCN and transformers. The TCN utilizes dilation convolution to establish a perceptual field. To ensure a global perceptual field that covers the whole input sequence, the minimum number of convolutional layers is determined based on factors such as the input sequence length, convolution kernel size, and dilation coefficient. In other words, the range of the dilation convolution is adjusted to encompass the entire input sequence.
  • We embed this combined TCN and transformers into a dual-path network, which enhances its efficiency and effectiveness for modeling extremely long sequences and high dimensions.
  • We introduce a dual path network that utilizes a shared TCN Attention mechanism for assigning weights to time steps. This approach facilitates recognizing and prioritizing crucial information within a multivariate time series.
  • Our method has undergone comprehensive testing on standard datasets and has demonstrated superior performance compared to the current leading techniques in benchmark tests.

II. Literature Review

This section presents a comprehensive literature review on anomaly detection, emphasizing three crucial areas: statistical and machine learning approaches, neural network and deep learning techniques, and the current state-of-the-art. Table I summarizes terminologies used in this study.

Table I

Summary of terminology used.


| TERMINOLOGY | DEFINITION |
|---|---|
| ARIMA | Autoregressive Integrated Moving Average |
| AUC | Area under the ROC Curve |
| CAV | Connected and Autonomous Vehicle |
| COPOD | Copula-Based Outlier Detection |
| CPOD | Core Point-based Outlier Detection |
| DAGMM | Deep Autoencoding Gaussian Mixture Model |
| DTAAD | Dual Tcn-Attention Networks for Anomaly Detection in Multivariate Time Series Data |
| ECG | Electrocardiography |
| EVT | Extreme Value Theory |
| FFN | Feedforward Neural Network |
| GAN | Generative Adversarial Network |
| GDN | Graph Deviation Networks |
| GHL | Gas-oil Plant Heating Loop |
| GPD | Generalized Pareto Distribution |
| GRU | Gated Recurrent Unit |
| GTA | Graph Learning with Transformer for Anomaly Detection |
| HBOS | Histogram-Based Outlier Score |
| IoT | Internet of Things |
| KBJNet | Kinematic Bi-Joint Temporal Convolutional Network Attention for Anomaly Detection |
| KDD | Knowledge Discovery and Data Mining |
| KNN | k-Nearest Neighbor |
| LDCOF | Local Density Cluster-based Outlier Factor |
| LOF | Local Outlier Factor |
| LSTM | Long Short-Term Memory Networks |
| LSTM-VAE | Long Short-Term Memory Networks and Variational Autoencoder |
| MAD-GAN | Multivariate Anomaly Detection for Time Series Data with Generative Adversarial Networks |
| MAML | Model-Agnostic and Meta-Learning |
| MBA | MIT-BIH Supraventricular Arrhythmia Database |
| MSCRED | Multi-Scale Convolutional Recurrent Encoder-Decoder |
| MSDS | Material Safety Data Sheet |
| MSE | Mean Squared Error |
| MSL | Mars Science Laboratory |
| MTAD-GAT | Multivariate Time-Series Anomaly Detection via Graph Attention Networks |
| MTS | Multivariate Time Series |
| NAB | Numenta Anomaly Benchmark |
| NSIBF | Neural System Identification and Bayesian Filtering |
| PCA | Principal Component Analysis |
| POT | Peaks Over Threshold |
| ReLU | Rectified Linear Unit |
| RNN | Recurrent Neural Network |
| SMAP | Soil Moisture Active Passive |
| SMD | Server Machine Dataset |
| SoTa | State of the Art |
| SVD | Support Vector Data |
| SVDD | Support Vector Data Description |
| SVM | Support Vector Machine |
| SWaT | Secure Water Treatment |
| TCN | Temporal Convolutional Network |
| TranAD | Deep Transformer Networks for Anomaly Detection in Multivariate Time Series Data |
| TWSVM | Twin Support Vector Machine |
| USAD | Unsupervised Anomaly Detection |
| UTRAD | Anomaly Detection and Localization with U-Transformer |
| WADI | Water Distribution |

A. Statistical and machine learning

Several commonly used time series anomaly detection techniques include 3sigma, PCA, KNN, copula-based outlier detection (COPOD), LOF, and OC-SVM. The 3sigma method measures deviations from historical averages, while PCA calculates eigenvector distance differences according to Shyu et al. (). KNN determines anomalies based on the mean distance of nearest neighbors, as discussed in Kiss et al. (). COPOD utilizes statistical probability functions, OC-SVM seeks to learn decision boundaries for typical observations, and LOF is an unsupervised method based on density, as described by Li et al. ().

Patcha & Park outlined several methods for anomaly detection, including hidden Markov chains, PCA, process regression, and isolation forest, while also highlighting their limitations. Yaacob et al. introduced an auto-regressive integrated moving average (ARIMA) method as a representative statistical approach for modeling and detecting anomalous behaviors. Bandaragoda et al. used isolation forest, a widely used method that recursively divides the feature space using multiple isolation trees for anomaly detection.

In the healthcare sector, Salem et al. () utilized linear regression combined with SVM to capture anomaly detection in wireless sensor networks. Shang et al. () introduced SVM combined with mean clustering to increase the effectiveness of model training and enhance anomaly detection precision. Boniol et al. () presented GraphAn, a graph-based approach that converts time series data using interval graph distance. Tran et al. () employed clustering and database manipulation history in their outlier detection method, called CPOD. Kingsbury & Alvaro () proposed Elle, another outlier detection method that leverages clustering and database manipulation history.

In their study, Dhiman et al. () employed adaptive threshold techniques and Twin Support Vector Machines (TWSVM) to detect anomalies within two univariate time series data. They proposed these methods as effective approaches in their study. On the other hand, Wang et al. () focused on enhancing the security of CAV (connected and autonomous vehicle) systems. They used an adaptive extended Kalman filter with a pre-trained single-class SVM. Their strategy attempted to increase the CAV systems’ overall security.

B. Neural network and deep learning

Several deep learning-based methods have already been proposed to resolve this problem. For robust anomaly detection, neural system identification and Bayesian filtering (NSIBF) uses an LSTM-based neural network architecture for Bayesian filtering and system identification. EncDec-AD used LSTM as the base cell for both the encoder and decoder. The deep autoencoding Gaussian mixture model (DAGMM) uses a deep autoencoder to produce a low-dimensional representation and a reconstruction error for each input data point. The advantage of this method is that it does not exploit temporal information. Meanwhile, MSCRED uses a convolutional encoder-decoder and an attention-based Conv-LSTM to recreate a multi-scale signature matrix. It uses residual signature matrices to detect anomalies, but it may require longer training time and show limited performance with insufficient data.

Ergen and Kozat () introduced an algorithm that uses LSTM to transform dynamic data length sequences into sequences with static length, then a single-class support vector machine-based anomaly detector decision function or a support vector data description technique comes next. OmniAnomaly () proposed a recurrent neural network incorporating stochasticity to identify irregularities in multivariate time series data. LSTM-VAE () combined LSTM and variational autoencoder but overlooked the interconnection between stochastic variables. Multivariate anomaly detection for time series data with generative adversarial networks (MAD-GAN) () adopts generator and discriminator base models in the GAN framework that utilizes LSTM-RNN to visualize time series distributions’ temporal relations. TCN-AE () ignores the correlation between time series and combines TCN and AE. Multivariate time-series anomaly detection via GAN (MTAD-GAT) () employs GAT (GATs) () in both the feature and time dimensions to capture temporal and feature correlations. Anomaly Transformer () proposed a minimax training strategy and used self-attention weights to identify anomalies. Graph learning with transformer for anomaly detection (GTA) () employed an architecture based on transformers to learn and capture temporal dependencies. They utilized this approach to acquire a graph structure that accurately represents the relationships between different elements within the data. Deep transformer networks for anomaly detection (TranAD) () incorporated adversarial training and self-conditioning techniques in a transformer-based model to improve performance.

Huang et al. introduced HitAnomaly, an anomaly detection model based on log analysis. HitAnomaly utilizes a hierarchical transformer structure to capture and represent both the sequences of log templates and their corresponding parameter values. The classification model developed by the researchers was constructed by incorporating an attention mechanism. Additionally, they devised separate log sequence and parameter value encoders to obtain their respective representations. The study provides evidence that the transformer model outperforms LSTM and illustrates the successful modeling of log sequences using a hierarchical framework. Using three log datasets, the results demonstrated that other currently used log-based anomaly detection methods have not performed as well as HitAnomaly.

Yu et al. combine autoregressive (AR) and adaptive ensemble (AE) with the addition of the transformer to capture the information of long sequences. They design convolution and dilated convolution as a local TCN, and introduce a feedback mechanism and a loss ratio to improve detection accuracy and expand association differences.

C. State of the art

The deep learning methodology has promising performance in multivariate time series (MTS) anomaly detection. Various approaches, including transformer-based models, autoencoder-based models, and others, have been proposed, each with unique architectures and techniques. These models represent substantial progress in MTS anomaly detection and offer enticing possibilities for future research endeavors. However, a notable challenge in deep learning methodologies is the slow training process and the considerable computational complexity, potentially hindering their efficacy, particularly when dealing with longer sequences. We summarize the features of the state-of-the-art methods in Table II, highlighting the capabilities of our proposed method.

Table II

Summary of literature review multivariate time series.


| METHOD | APPROACH | MAIN ARCHITECTURE | SUPERVISED/UNSUPERVISED | ABLE TO HANDLE LIMITED DATA / INTERPRETABILITY |
|---|---|---|---|---|
| DAGMM | Forecasting | AE | Unsupervised | ×× |
| HitAnomaly | Forecasting | Transformer | Supervised | ×× |
| TCN-AE | Reconstruction | AE | Unsupervised | ×× |
| OmniAnomaly | Reconstruction | VAE | Unsupervised | ×× |
| LSTM-VAE | Reconstruction | VAE | Semi | ×× |
| GTA | Reconstruction | GNN | Semi | ×× |
| MSCRED | Reconstruction | AE | Unsupervised | × |
| MAD-GAN | Reconstruction | GAN | Unsupervised | ×× |
| USAD | Reconstruction | AE | Unsupervised | ×× |
| MTAD-GAT | Hybrid | GNN | Supervised | × |
| CAE-M | Hybrid | AE | Unsupervised | ×× |
| GDN | Forecasting | GNN | Unsupervised | × |
| TranAD | Reconstruction | Transformer | Unsupervised | |
| DTAAD | Reconstruction | Transformer | Unsupervised | |
| KBJNet | Reconstruction | Transformer | Unsupervised | |

III. Methodology

In this section, we present a comprehensive methodology for addressing the problem formulation of anomaly detection using a combination of advanced machine learning techniques. Our methodology encompasses various stages, including data preprocessing, the implementation of dilated temporal convolutional networks (TCN), transformers, and a novel kinematic bi-joint TCN and transformer model. We also describe the training, meta-learning techniques, and inference procedures for efficient anomaly detection and diagnosis. Furthermore, we provide a summary of the performance measures employed to assess the efficiency of our approach in detecting anomalies. By integrating these components, our methodology offers a resilient and precise solution for identifying anomalies in real-world applications.

A. Preprocess

We examine a set of data points or observations organized in a time-stamped sequence and numerous variables. Each datapoint in the set $T$ is gathered at a unique timestamp $t$, forming the datapoints $x_t$ of the set $T$. Each $x_t$ belongs to the vector space of real numbers with dimension $m$, for all values of $t$. In the univariate setting, $m = 1$. We assume that the joint probability of the entire time series $x$ can be factorized into a product of conditional probabilities, where each observation at time $t$ is conditionally dependent on the past observations $x_1^{(i)}, x_2^{(i)}, \ldots, x_{t-1}^{(i)}$ in the same time series component $i$.

The multivariate time series input is given as the sum of values $z_{i,1:t_0}^{l}$ for each time series $i$ and dimension $l$. Each $z_{i,1:t_0}^{l}$ represents a sequence of values $z_{i,1}^{l}, z_{i,2}^{l}, \ldots, z_{i,1:t_0}^{l}$ in the $l$-th dimension of the time series data, where $z_{i,1:t_0}^{l}$ is a vector in $\mathbb{R}^m$. Each data point $x_t^{(i)}$ is a vector in $\mathbb{R}^m$. To increase training stability and strengthen the resilience of KBJNet, we take steps to standardize datasets obtained from different sources.

In the data preprocessing stage, we filter out nonessential information from the datasets to concentrate only on the crucial data for anomaly detection. We exclude irrelevant details such as the source and description of the dataset and other unnecessary information. Instead, we emphasize essential elements like the dataset size, anomaly labels, and the time steps. Additionally, we standardize the data formats and specifications to ensure consistency throughout the dataset.

The data is normalized and transformed into time-series windows for training and testing. The normalization of the time-series data is conducted by applying the following equation:

(1)
$$x_t \leftarrow \frac{x_t - \min(T)}{\max(T) - \min(T) + \epsilon},$$

B. Sliding window

To represent the relationship of a value $x_t$ in a specific timestamp $t$, we investigate a relevant window of a certain length $K$ as

(2)
$$W_t = \{x_{t-K+1}, \ldots, x_t\}$$

For timestamps less than $K$, to incorporate replication padding, we extend the window $W_t$ by adding a constant vector of length $K - t$. The input time series $T$ is then converted into a sequence of sliding windows $W = \{W_1, \ldots, W_T\}$. The use of sliding windows with replication padding helps preserve the data points’ local context, as shown in Figure 2.
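The preprocessing of Eq. (1) and Eq. (2) as an added example (not the authors' code). It assumes that the minimum and maximum are taken per feature over the training split, that ε is 1e-4, and that the padding vector repeats the first observation; the function names are hypothetical.

```python
"""Added example: Eq. (1) min-max normalization and Eq. (2) sliding windows."""

EPS = 1e-4  # assumed value of the small constant epsilon in Eq. (1)


def fit_min_max(train):
    """Per-feature minimum and maximum of the training series (rows of m values)."""
    if not train:
        raise ValueError("training series is empty")
    cols = list(zip(*train))
    return [min(c) for c in cols], [max(c) for c in cols]


def normalize(series, mins, maxs, eps=EPS):
    """Eq. (1): x_t <- (x_t - min(T)) / (max(T) - min(T) + eps), feature-wise.

    A feature that is constant in training has max == min, so only eps is
    left in the denominator: any later deviation on that channel is scaled
    by 1/eps and dominates the reconstruction error.
    """
    return [
        [(v - lo) / (hi - lo + eps) for v, lo, hi in zip(row, mins, maxs)]
        for row in series
    ]


def sliding_windows(series, k):
    """Eq. (2): W_t = {x_{t-K+1}, ..., x_t} for every timestamp t.

    For the first K-1 timestamps the window is left-padded with copies of
    the first observation (assumed form of replication padding), so every
    window has exactly K rows.
    """
    if k < 1:
        raise ValueError("window length K must be >= 1")
    windows = []
    for t in range(len(series)):  # t is 0-based here
        start = t - k + 1
        if start >= 0:
            win = series[start:t + 1]
        else:
            win = [series[0]] * (-start) + series[:t + 1]
        windows.append([list(row) for row in win])
    return windows


if __name__ == "__main__":
    # Constructed sample: two sensors, the second one constant during training.
    train = [[10.0, 5.0], [20.0, 5.0], [30.0, 5.0]]
    mins, maxs = fit_min_max(train)
    test = [[20.0, 5.0], [20.0, 6.0]]
    for window in sliding_windows(normalize(test, mins, maxs), k=3):
        print(window)
```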

Figure 1 

Kinematic bi-joint network architecture for anomaly detection.

Figure 2 

An illustration or depiction of data that involves multiple variables and occurs over a period of time.

$W_t$ and $O_t$, the anomaly score $s_t$ is computed.

The input window is labeled anomalous if its anomaly score is greater than the threshold value, which is calculated using the anomaly scores of the previous input windows.

C. Dilated TCN

We have developed a novel architecture to enhance feature-sharing efficiency while retaining the network’s ability to learn new features. Our approach involves implementing a bi-joint TCN design in which all blocks share a common dilated TCN. This approach significantly reduces redundancy in the feature extraction process while enabling the network to learn new features through its densely connected path.

The dilated convolution operation, shown in Figure 3, is used in convolutional neural networks; it is also known as a jump filter and expands the receptive field exponentially in each layer. For a 1-D sequence input $x \in \mathbb{R}^n$ and a convolutional filter $f = \{0, \ldots, k-1\}$, the operation $F$ on an element $s$ of the sequence is defined as

(3)
$$F(s) = (x *_d f)(s) = \sum_{i=0}^{k-1} f(i)\, x_{s - d \cdot i}$$

where $d$ denotes the dilation factor, $k$ is the convolutional filter size, and $s - d \cdot i$ indicates the index to the past according to $d$. In general, the receptive field $r$ of a 1D convolutional network with $n$ layers and a kernel size of $k$ is given by $r = 1 + n(k-1)$. To completely cover the input length, we set the number of layers $n$ such that $n = \lceil (l-1)/(k-1) \rceil$, where $\lceil \cdot \rceil$ denotes rounding up. However, this causes the network to become too deep, resulting in a model with many parameters. We obtain a minimum number of layers required by the global TCN.

Figure 3 

The convolution has specific dilation factors of 1, 2, and 4 and a kernel size of 3. The input is represented as x, and the output is represented as y.
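Eq. (3) and the receptive-field argument as an added example (not the authors' code): it measures the receptive field of the Figure 3 stack with a unit impulse and compares layer counts with and without dilation. It goes beyond the page's formula by using the general relation r = 1 + (k-1)·Σd_j for a dilated stack; the all-ones filters, the causal zero padding and the function names are assumptions of this example.

```python
import math


def dilated_causal_conv(x, f, d):
    """Eq. (3): F(s) = sum_{i=0}^{k-1} f(i) * x[s - d*i].

    Indices before the start of the sequence contribute zero
    (causal zero padding, an assumption of this example).
    """
    if d < 1:
        raise ValueError("dilation must be >= 1")
    out = []
    for s in range(len(x)):
        acc = 0.0
        for i, w in enumerate(f):
            j = s - d * i
            if j >= 0:
                acc += w * x[j]
        out.append(acc)
    return out


def stack(x, k, dilations):
    """One layer per dilation factor, each with an all-ones filter of size k."""
    for d in dilations:
        x = dilated_causal_conv(x, [1.0] * k, d)
    return x


def measured_receptive_field(k, dilations, length=64):
    """Push a unit impulse through the stack and count the outputs it reaches.

    `length` must be at least as large as the receptive field being measured.
    """
    impulse = [1.0] + [0.0] * (length - 1)
    return sum(1 for v in stack(impulse, k, dilations) if v != 0.0)


def receptive_field(k, dilations):
    """r = 1 + (k-1) * sum(d_j); with every d_j = 1 this is 1 + n(k-1)."""
    return 1 + (k - 1) * sum(dilations)


def min_layers_plain(l, k):
    """n = ceil((l-1)/(k-1)): layers needed to cover length l without dilation."""
    if k < 2:
        raise ValueError("kernel size must be >= 2")
    return math.ceil((l - 1) / (k - 1))


def min_layers_doubling(l, k):
    """Fewest layers with dilations 1, 2, 4, ... whose receptive field covers l."""
    if k < 2:
        raise ValueError("kernel size must be >= 2")
    n, dilations = 0, []
    while receptive_field(k, dilations) < l:
        dilations.append(2 ** n)
        n += 1
    return n


if __name__ == "__main__":
    k, figure3 = 3, [1, 2, 4]  # kernel size and dilation factors of Figure 3
    print("dilated stack :", measured_receptive_field(k, figure3))
    print("plain stack   :", measured_receptive_field(k, [1, 1, 1]))
    print("layers for l=15, plain vs doubling:",
          min_layers_plain(15, k), min_layers_doubling(15, k))
```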

Our proposed approach involves feeding the decoder output back into the same TCN for additional processing, which helps the model improve the input data representation over time. This process potentially captures more complex patterns. The feedback loop between the decoder facilitates the model’s learning and adjustment to the input data.

D. Transformer

The Transformer model, widely used in natural language processing and machine vision, is based on attention. Attention scoring computes the dot product of $d_k$-dimensional queries and keys and the $d_v$-dimensional value, then applies a softmax activation function to the result to obtain weights multiplied by the value. This scoring function is efficient and compact. In the transformer, inputs undergo a transformation process, creating query, key, and value matrices $Q$, $K$, and $V$. To simplify the subsequent neural network model inference operations, the matrix $V$ is compressed into a smaller representative embedding space using the softmax distribution to generate convex combination weights. The square root of $d_k$ is used to stabilize the model’s gradient, reduce weight fluctuations, and promote more stable training.

(4)
$$\mathrm{Attention}(Q, K, V) = \mathrm{softmax}\left(\frac{QK^{T}}{\sqrt{d_k}}\right)V,$$

where $Q$, $K$, and $V$ are matrices in $\mathbb{R}^{n \times d_{model}}$, and $d_{model}$ is a learned dimension. Multi-headed attention enables the model to focus on diverse information simultaneously, and the result is concatenated and transformed using a linear projection to obtain $d_{model}$-dimensional features. The model consists of two encoders and one decoder, with position encoding added to the output of the model’s first half to obtain the encoders’ input.

Position encoding is performed using sine and cosine functions where pos is the token’s position in the sequence, i is the index of the dimension in the encoding, and d_model is the dimension of the model. The FFN layers apply two linear layers with leaky ReLU activation functions to the input data. The first FFN’s output was then routed through the second linear layer to generate the FFN’s final output. In the decoder, the last FFN is then passed through by a sigmoid activation function.

E. Kinematic bi-joint TCN and transformer

The kinematic bi-joint TCN and transformer model, shown in Figure 1, processes input from a dilated TCN with dimensions (B, L, C), where B is the batch size, L is the sequence length, and C is the number of features. The input is normalized using LayerNorm, which calculates the mean ($\mu$) and variance ($\sigma^2$) along the feature dimension as follows:

(5)
$$\mu = \frac{1}{L}\sum_{l=1}^{L} X_{blc}$$
(6)
$$\sigma^2 = \frac{1}{L}\sum_{l=1}^{L} (X_{blc} - \mu)^2$$

The normalized input $\hat{X}_{blc}$ at position (b, l, c) is obtained by subtracting $\mu$ from $X_{blc}$ and dividing by the square root of $\sigma^2 + \epsilon$, where $\epsilon$ is a small constant added for increasing numerical stability:

(7)
$$\hat{X}_{blc} = \frac{X_{blc} - \mu}{\sqrt{\sigma^2 + \epsilon}}$$

The normalized tensor is then adjusted by scaling and shifting using the learnable parameters $\gamma_c$ and $\beta_c$ to get the output $Y_{blc}$ of the LayerNorm operation at position (b, l, c):

(8)
$$Y_{blc} = \gamma_c \hat{X}_{blc} + \beta_c$$

Both $\gamma_c$ and $\beta_c$ are learnable parameters updated during training. The sliding window output $T$ is then transferred to a stack of $B$ bi-joint TCN transformer blocks.

Each bi-joint block part of our model comprises one transformer encoder and one decoder. We then combine the output of the first part of the model with position encoding to obtain the input $I_i$, which is then passed through two separate encoders:

(9)
$$I_i^{1} = \mathrm{LayerNorm}(I_i + \mathrm{MultiHead}(I_i, I_i, I_i))$$
(10)
$$I_i^{1} = \mathrm{LayerNorm}(I_i + \mathrm{MultiHead}(T_b, T_b, T_b))$$

where $i \in \{1, 2\}$ for the first and second encoder. The encoder’s output is then connected to the feedforward layer using residual connections and sent separately to the two decoders to obtain the final predicted outputs:

(11)
$$I_i^{3} = I_i^{2} + \mathrm{FFN}_1(\mathrm{LeakyReLU}(\mathrm{FFN}_2(I_i^{2})))$$
(12)
$$O_i = \mathrm{Sigmoid}(\mathrm{FFN}(I_i^{3}))$$

The sigmoid activation function is used to constrain the output range of $O_i$ to be between 0 and 1, which is suitable for the later error reconstruction with the normalized sliding window input.

F. Procedure for training

We use mean squared error (MSE) as the loss criterion to measure the error between the output prediction of each decoder and the original input window $x_t$. We calculate the losses of the two decoders as $L_1$ and $L_2$, respectively, using the following equations:

(13)
$$L_1 = \frac{1}{n}\sum_{i=1}^{n} (O_1 - x_i)^2, \quad L_2 = \frac{1}{n}\sum_{i=1}^{n} (O_2 - x_i)^2$$

To obtain the total loss , we combine the losses of the two decoders from the first TCN and the second TCN by taking a weighted sum with a hyperparameter λ. The goal is to minimize the total loss of the hyperparameters W and model parameters Θ:

(14)
$$\{\Theta^{*}, W^{*}\} = \arg\min_{\Theta, W} \sum_{x \in X} (\psi(\phi(x; \Theta); W))$$

where ϕ represents the overall network with total model parameters Θ, W denotes the collection of hyperparameters, and ψ represents the overall learning mapping for anomaly detection task.

G. Meta learning

To improve the training of our KBJNet model with limited data (Algorithm 1, line 12), in every training epoch we update the weights of neural networks θ with a gradient descent step using the loss function L and the learning rate α.

Algorithm 1 

The KBJNet Training Algorithm.

This gives us the updated weights θ′. Model-agnostic and meta-learning (MAML) is performed at the end of each epoch using the updated weights to update the model parameters θ with a meta step-size β. As a result, the model can be trained quickly with limited data. The algorithm can be written as:

(15)
$$\theta' \leftarrow \theta - \alpha \nabla_{\theta} L(f(\theta)), \quad \theta \leftarrow \theta - \beta \nabla_{\theta} L(f(\theta'))$$

H. Inference procedure, anomaly detection, and diagnosis

Our approach, summarized in Algorithm 2, involves performing online inference sequentially on a sliding window of input data, generating anomaly scores for each timestamp in each dimension. The Peak Over Threshold approach is used to dynamically select thresholds for each dimension by applying the Extreme Value Theory (EVT) to the univariate time series of anomaly scores obtained during offline training. Instead of manually setting thresholds and making assumptions about the distribution, we use the Generalized Pareto Distribution (GPD) function following EVT to fit the data and determine the appropriate value-at-risk (label) for dynamically setting the threshold, which is consistent with OmniAnomaly, TranAD, and DTAAD (Figure 4).

Algorithm 2 

The KBJNet Testing Algorithm.

Figure 4 

Visualization of anomaly prediction.
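Per-dimension Peaks Over Threshold calibration as an added example (not the authors' code, and not the contents of Algorithm 2). It assumes a method-of-moments GPD fit instead of maximum likelihood, an initial 0.98 quantile, a risk of 1e-3, and that a timestamp is flagged when any dimension exceeds its own threshold; the calibration scores are constructed and all function names are hypothetical.

```python
import math


def constructed_scores(n, scale):
    """Constructed calibration scores: exponential quantiles, no randomness."""
    return [-scale * math.log(1.0 - (i + 0.5) / n) for i in range(n)]


def pot_threshold(scores, init_quantile=0.98, risk=1e-3):
    """Fit a GPD to the peaks over an initial threshold t and return (t, z_q).

    z_q is the score level exceeded with probability `risk` under the fitted
    tail: z_q = t + (sigma / gamma) * ((risk * n / N_t) ** -gamma - 1).
    """
    n = len(scores)
    ordered = sorted(scores)
    t = ordered[min(n - 1, int(init_quantile * n))]  # empirical quantile
    excesses = [s - t for s in scores if s > t]
    n_t = len(excesses)
    if n_t < 10:
        raise ValueError("too few peaks over the initial threshold to fit a GPD")
    mean = sum(excesses) / n_t
    var = sum((e - mean) ** 2 for e in excesses) / (n_t - 1)
    if var == 0.0:
        raise ValueError("degenerate tail: all excesses are identical")
    ratio = mean * mean / var
    gamma = 0.5 * (1.0 - ratio)         # GPD shape, method of moments
    sigma = 0.5 * mean * (1.0 + ratio)  # GPD scale, method of moments
    r = risk * n / n_t
    if abs(gamma) < 1e-9:               # exponential-tail limit of the GPD
        z_q = t - sigma * math.log(r)
    else:
        z_q = t + (sigma / gamma) * (r ** (-gamma) - 1.0)
    return t, z_q


def calibrate(train_scores_by_dim, **kwargs):
    """One threshold per dimension, fitted on offline training scores."""
    return [pot_threshold(s, **kwargs)[1] for s in train_scores_by_dim]


def detect(test_scores_by_dim, thresholds):
    """Return [(timestamp, [dimensions over their threshold])] for flagged steps."""
    flagged = []
    for ts in range(len(test_scores_by_dim[0])):
        dims = [d for d, series in enumerate(test_scores_by_dim)
                if series[ts] > thresholds[d]]
        if dims:
            flagged.append((ts, dims))
    return flagged


if __name__ == "__main__":
    # Constructed data: two dimensions whose score scales differ by 10x.
    train = [constructed_scores(1000, 0.01), constructed_scores(1000, 0.1)]
    thresholds = calibrate(train)
    test_scores = [[0.01, 0.02, 0.5, 0.01, 0.03],
                   [0.1, 0.2, 0.3, 0.1, 2.0]]
    print("thresholds:", thresholds)
    print("per-dimension:", detect(test_scores, thresholds))
    # One shared threshold misses the deviation on the low-scale dimension.
    print("shared:", detect(test_scores, [thresholds[1]] * 2))
```

The list of dimensions returned with each flagged timestamp is what supports diagnosis: it names the channel whose score crossed its own threshold.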

IV. Experiments

We ran experiments to assess the effectiveness of our model, KBJNet. The datasets and the performance metrics used in our experiments are described below. As part of our baseline tests, we compared KBJNet with the most widely used models and advanced methods currently available. We used the following hyperparameter values:

  • Optimizer = Adam
  • Learning rate = 0.009 with a step scheduler of step size 0.5
  • Window size = 5
  • Convolutional kernel size TCN = 3
  • Transformer encoders = 2
  • Layers of the encoder’s hidden units = 1
  • Encoders dropout = 0.2

A. Dataset sources

We use nine datasets in our experiments (eight public data sets). Table III shows the details of datasets. As an illustration, the SMAP dataset contains 55 distinct entities, each with 25 dimensions.

Table III

Dataset characteristics.


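| TYPE | DIMENSIONS | TRAIN | VALIDATION | ANOMALIES RATE (%) |
|---|---|---|---|---|
| MSDS | 10 (1) | 146430 | 146430 | 5.37 |
| SMD | 38 (4) | 708420 | 708420 | 4.16 |
| SWaT | 51 (1) | 496800 | 449919 | 11.98 |
| MSL | 55 (3) | 58317 | 73729 | 10.72 |
| SMAP | 25 (55) | 135183 | 427617 | 13.13 |
| MBA | 2 (8) | 100000 | 100000 | 0.14 |
| UCR | 1 (4) | 1600 | 5900 | 1.88 |
| NAB | 1 (6) | 4033 | 4033 | 0.92 |
| WADI | 123 (1) | 1048571 | 172801 | 5.99 |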

  1. Numenta Anomaly Benchmark (NAB) is an actual data stream containing marked exceptions from various sources, ranging from social media to temperature sensors to server network utilization. We removed incorrectly tagged sequences of anomalies from this dataset for our tests.
  2. HexagonML (UCR) is a multivariate time series dataset used in the KDD 2021 cup. We only used the portion of the dataset obtained from the real world.
  3. MIT-BIH Supraventricular Arrhythmia Database (MBA) contains standard test materials for arrhythmia detectors. This dataset has been used in around 500 studies of cardiac dynamics.
  4. Soil Moisture Active Passive (SMAP) is a 25-dimensional dataset collected by NASA that contains telemetry information anomaly data extracted from Anomalous Event Anomaly (ISA) reports from spacecraft monitoring systems.
  5. Mars Science Laboratory (MSL) is a SMAP-like dataset that includes actuator and sensor data from the Mars rover itself. We used only the three non-trivial sequences (A4, C2, and T1) of the dataset identified in Hundman et al.
  6. Secure Water Treatment (SWaT) consists of data obtained from 51 sensors in a continuously operating water treatment system. The data includes water level, flow rate, and other sensor readings.
  7. Server Machine Dataset (SMD) was gathered over five weeks from a major internet company. SMD was split into two sets of the same size, one used for training and the other for testing. Only the four non-trivial sequences from this dataset were utilized.
  8. Multi-Source Distributed System (MSDS) consists of application logs, metrics, and distributed traces from a multi-source distributed system.
  9. Water Distribution (WADI) refers to an expansion of the SWaT system, which includes over two times the sensors and actuators compared to the original SWaT model. Additionally, the dataset was obtained over a longer period of time, covering 14 days for normal scenarios and two days for attack scenarios.

B. Result and analysis

We comprehensively compared our newly proposed algorithm, KBJNet, with several state-of-the-art algorithms in the field, such as MSCRED, MAD-GAN, USAD, MTAD-GAT, CAE-M, GDN, and DTAAD. To evaluate the performance of these algorithms, we employed a set of relevant metrics, including Precision (P), Recall (R), Area Under Curve (AUC), and F1 scores. We partition the data into 80% and 20% subsets for training. This division allows us to examine how the models perform when provided with limited training examples and when trained on a larger volume of data. By assessing the model’s behavior in these contrasting scenarios, we can gain valuable insights into its scalability and generalization capabilities and identify potential challenges that may arise in real-world applications with varying data availability. This evaluation provides a comprehensive understanding of how our models perform with substantial data and a limited dataset, allowing us to make informed decisions regarding their suitability for different operational environments.

1) Performance with 20% of the training dataset: Recently developed models, including unsupervised anomaly detection (USAD), multivariate time-series anomaly detection via graph attention networks (MTAD-GAT), and graph deviation networks (GDN), utilize attention mechanisms to concentrate on particular features of the data and capture long-term trends by adjusting neural network weights. However, KBJNet, which utilizes self-attention, outperforms USAD, MTAD-GAT, and GDN across all datasets, as shown in Table V. USAD and MTAD-GAT have constraints when classifying anomalies that occur over an extended period because they only consider a local contextual window. To surpass this restriction, KBJNet utilizes self-conditioning on embedding the entire trace along with position encoding, which enhances temporal attention, except for DTAAD on the MBA dataset. The utilization of a meta-learning strategy with MAML enables KBJNet to swiftly acquire anomaly features within sequential data, even with a limited dataset volume (Figure 5). By employing only 20% of the available data, the performance of TranAD and DTAAD closely approaches that of KBJNet, primarily due to their utilization of a generative adversarial training approach for training the encoder-decoder structure. In general, KBJNet demonstrates better performance compared to all other methods.

Table V

Comparison of KBJNet model with baseline methods with 20% of anomalies dataset.


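| METHOD | NAB AUC* | NAB F1* | UCR AUC* | UCR F1* | MBA AUC* | MBA F1* | SMAP AUC* | SMAP F1* | MSL AUC* | MSL F1* | SWaT AUC* | SWaT F1* | SMD AUC* | SMD F1* | MSDS AUC* | MSDS F1* | WADI AUC* | WADI F1* |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MSCRED | 0.8298 | 0.7012 | 0.9636 | 0.4928 | 0.9498 | 0.9107 | 0.9810 | 0.8049 | 0.9796 | 0.8231 | 0.8384 | 0.7921 | 0.9767 | 0.8003 | 0.7715 | 0.8282 | 0.6028 | 0.0412 |
| MAD-GAN | 0.8193 | 0.7108 | 0.9958 | 0.8215 | 0.9549 | 0.9191 | 0.9876 | 0.8467 | 0.9648 | 0.8189 | 0.8455 | 0.8011 | 0.8634 | 0.9317 | 0.5001 | 0.7389 | 0.5382 | 0.0936 |
| USAD | 0.7268 | 0.6782 | 0.9968 | 0.8539 | 0.9698 | 0.9426 | 0.9884 | 0.8380 | 0.9650 | 0.8191 | 0.8439 | 0.8088 | 0.9855 | 0.9214 | 0.7614 | 0.8390 | 0.7012 | 0.0734 |
| MTAD-GAT | 0.6957 | 0.7012 | 0.9975 | 0.8672 | 0.9689 | 0.9426 | 0.9815 | 0.8226 | 0.9783 | 0.8025 | 0.8460 | 0.8080 | 0.9799 | 0.6662 | 0.6123 | 0.8249 | 0.6268 | 0.0521 |
| CAE-M | 0.7313 | 0.7127 | 0.9927 | 0.7526 | 0.9617 | 0.9003 | 0.9893 | 0.8313 | 0.9837 | 0.7304 | 0.8459 | 0.7842 | 0.9570 | 0.9319 | 0.6002 | 0.8390 | 0.6110 | 0.0782 |
| GDN | 0.8300 | 0.7014 | 0.9938 | 0.8030 | 0.9672 | 0.9317 | 0.9888 | 0.8412 | 0.9415 | 0.8960 | 0.8391 | 0.8073 | 0.9812 | 0.7108 | 0.6820 | 0.8390 | 0.6122 | 0.0413 |
| TranAD | 0.9216 | 0.8420 | 0.9983 | 0.9211 | 0.9946 | 0.9897 | 0.9884 | 0.8936 | 0.9856 | 0.9171 | 0.8461 | 0.8093 | 0.9847 | 0.8794 | 0.8112 | 0.8389 | 0.6852 | 0.0698 |
| DTAAD | 0.9330 | 0.9057 | 0.9984 | 0.9220 | 0.9955 | 0.9912 | 0.9894 | 0.8996 | 0.9864 | 0.9212 | 0.8460 | 0.8087 | 0.9866 | 0.8941 | 0.8115 | 0.8390 | 0.7818 | 0.0977 |
| KBJNet | 0.9999 | 0.9231 | 0.9999 | 0.9328 | 0.9932 | 0.9869 | 0.9894 | 0.9007 | 0.9907 | 0.9451 | 0.8460 | 0.8087 | 0.9986 | 0.9983 | 0.9829 | 0.9107 | 0.8453 | 0.1511 |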

Figure 5 

Results in UCR.

2) Performance with 80% of the training dataset: Table IV compares the KBJNet approach with the other baseline methods in terms of performance metrics related to anomaly detection.

Table IV

Comparison of KBJNet model with baseline methods with 80% of the training dataset.


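| METHOD | NAB P | NAB R | NAB AUC | NAB F1 | UCR P | UCR R | UCR AUC | UCR F1 | MBA P | MBA R | MBA AUC | MBA F1 | SMAP P | SMAP R | SMAP AUC | SMAP F1 | SWaT P | SWaT R | SWaT AUC | SWaT F1 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MSCRED | 0.8521 | 0.6700 | 0.8400 | 0.7501 | 0.5440 | 0.9717 | 0.9919 | 0.6975 | 0.9271 | 1.0000 | 0.9798 | 0.9622 | 0.8174 | 0.9215 | 0.9820 | 0.8663 | 0.9991 | 0.6769 | 0.8432 | 0.8071 |
| MAD-GAN | 0.8665 | 0.7011 | 0.8477 | 0.7751 | 0.8537 | 0.9890 | 0.9983 | 0.9164 | 0.9395 | 1.0000 | 0.9835 | 0.9688 | 0.8156 | 0.9215 | 0.9890 | 0.8653 | 0.9592 | 0.6956 | 0.8462 | 0.8064 |
| USAD | 0.8421 | 0.6667 | 0.8332 | 0.7443 | 0.8953 | 1.0000 | 0.9990 | 0.8953 | 0.8954 | 0.9990 | 0.9702 | 0.9444 | 0.7481 | 0.9628 | 0.9890 | 0.8419 | 0.9977 | 0.6879 | 0.8460 | 0.8143 |
| MTAD-GAT | 0.8422 | 0.7273 | 0.8222 | 0.7803 | 0.7813 | 0.9973 | 0.9979 | 0.8762 | 0.9019 | 1.0000 | 0.9720 | 0.9483 | 0.7992 | 0.9992 | 0.9846 | 0.8882 | 0.9719 | 0.6958 | 0.8465 | 0.8110 |
| CAE-M | 0.7919 | 0.8020 | 0.8020 | 0.7969 | 0.6982 | 1.0000 | 0.9958 | 0.8223 | 0.8443 | 0.9998 | 0.9662 | 0.9155 | 0.8194 | 0.9568 | 0.9902 | 0.8828 | 0.9698 | 0.6958 | 0.8465 | 0.8102 |
| GDN | 0.8130 | 0.7873 | 0.8543 | 0.7999 | 0.6895 | 0.9989 | 0.9960 | 0.8159 | 0.8833 | 0.9893 | 0.9529 | 0.9333 | 0.7481 | 0.9892 | 0.9865 | 0.8519 | 0.9698 | 0.6958 | 0.8463 | 0.8102 |
| TranAD | 0.8889 | 0.9892 | 0.9541 | 0.9364 | 0.9407 | 1.0000 | 0.9994 | 0.9694 | 0.9576 | 1.0000 | 0.9886 | 0.9783 | 0.8104 | 0.9998 | 0.9887 | 0.8953 | 0.9977 | 0.6879 | 0.8438 | 0.8143 |
| DTAAD | 0.8889 | 0.9999 | 0.9996 | 0.9412 | 0.8880 | 1.0000 | 0.9988 | 0.9407 | 0.9608 | 1.0000 | 0.9896 | 0.9800 | 0.8220 | 0.9999 | 0.9911 | 0.9023 | 0.9697 | 0.6957 | 0.8462 | 0.8101 |
| KBJNet | 0.8889 | 0.9999 | 0.9996 | 0.9412 | 0.9999 | 1.0000 | 0.9999 | 0.9999 | 0.9805 | 1.0000 | 0.9898 | 0.9805 | 0.8302 | 0.9999 | 0.9901 | 0.9072 | 0.9718 | 0.6957 | 0.8463 | 0.8109 |

| METHOD | SMD P | SMD R | SMD AUC | SMD F1 | MSL P | MSL R | MSL AUC | MSL F1 | MSDS P | MSDS R | MSDS AUC | MSDS F1 | WADI P | WADI R | WADI AUC | WADI F1 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MSCRED | 0.7275 | 0.9973 | 0.9920 | 0.8413 | 0.8911 | 0.9861 | 0.9806 | 0.9362 | 0.9998 | 0.7982 | 0.8942 | 0.8878 | 0.2512 | 0.7318 | 0.8411 | 0.3740 |
| MAD-GAN | 0.9990 | 0.8439 | 0.9932 | 0.9149 | 0.8515 | 0.9929 | 0.9861 | 0.9168 | 0.9981 | 0.6106 | 0.8053 | 0.7578 | 0.2232 | 0.9123 | 0.8025 | 0.3587 |
| USAD | 0.9061 | 0.9975 | 0.9934 | 0.9496 | 0.7949 | 0.9912 | 0.9795 | 0.8822 | 0.9913 | 0.7960 | 0.8980 | 0.8829 | 0.1874 | 0.8297 | 0.8724 | 0.3057 |
| MTAD-GAT | 0.8211 | 0.9216 | 0.9922 | 0.8684 | 0.7918 | 0.9825 | 0.9890 | 0.8769 | 0.9920 | 0.7965 | 0.8983 | 0.8835 | 0.2819 | 0.8013 | 0.8822 | 0.4170 |
| CAE-M | 0.9081 | 0.9670 | 0.9782 | 0.9368 | 0.7752 | 1.0000 | 0.9904 | 0.8734 | 0.9909 | 0.8440 | 0.9014 | 0.9115 | 0.2783 | 0.7917 | 0.8727 | 0.4118 |
| GDN | 0.7171 | 0.9975 | 0.9925 | 0.8343 | 0.9309 | 0.9893 | 0.9815 | 0.9592 | 0.9990 | 0.8027 | 0.9106 | 0.8900 | 0.2913 | 0.7932 | 0.8778 | 0.4261 |
| TranAD | 0.9051 | 0.9973 | 0.9933 | 0.9490 | 0.9037 | 0.9999 | 0.9915 | 0.9493 | 0.9998 | 0.8625 | 0.9012 | 0.8904 | 0.3959 | 0.8295 | 0.8998 | 0.5360 |
| DTAAD | 0.8463 | 0.9974 | 0.9892 | 0.9147 | 0.9038 | 0.9999 | 0.9918 | 0.9495 | 0.9999 | 0.8026 | 0.9013 | 0.8905 | 0.9017 | 0.3910 | 0.6950 | 0.5455 |
| KBJNet | 0.9985 | 0.9974 | 0.9987 | 0.9985 | 0.9038 | 0.9999 | 0.9916 | 0.9496 | 0.9592 | 0.9554 | 0.9248 | 0.9573 | 0.8465 | 0.8296 | 0.9130 | 0.8379 |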

The POT method is used in models such as TranAD, DTAAD, and KBJNet to determine more precise threshold values by considering localized peak values in data sequences. Models like MSCRED use sequential observations as input and retain temporal information, but they may not detect anomalies close to normal trends. KBJNet addresses this issue by amplifying errors using a bi-joint network, enabling it to detect even mild anomalies in datasets such as SMD, where abnormal data is relatively close to regular data, as shown in Figure 10.

Figure 10 

Ground truth and predicted for the SMD using the KBJNet.
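The POT thresholding mentioned above, as an added example (not code from the paper or from KBJNet): it takes an initial high quantile of the anomaly scores, fits a generalized Pareto tail to the excesses over it, and derives the final threshold for a target risk `q`. The scores are constructed, and the method-of-moments fit, the function names and the parameters `q` and `init_quantile` are assumptions of this example.

```python
import math
import random


def pot_threshold(scores, q=1e-3, init_quantile=0.98):
    """Peaks-over-threshold: fit a generalized Pareto tail, return (t, z_q)."""
    n = len(scores)
    t = sorted(scores)[int(init_quantile * n)]      # initial high quantile
    excesses = [s - t for s in scores if s > t]     # the "peaks" above t
    if len(excesses) < 20:
        raise ValueError("too few peaks to fit a tail; lower init_quantile")
    mean = sum(excesses) / len(excesses)
    var = sum((e - mean) ** 2 for e in excesses) / (len(excesses) - 1)
    if var == 0:
        raise ValueError("degenerate excesses; cannot fit a tail")
    # Method-of-moments GPD fit (assumption of this example), from
    # mean = sigma/(1-gamma) and var = sigma^2 / ((1-gamma)^2 * (1-2*gamma)).
    gamma = 0.5 * (1.0 - mean * mean / var)
    sigma = 0.5 * mean * (mean * mean / var + 1.0)
    ratio = q * n / len(excesses)                   # tail mass wanted beyond t
    if abs(gamma) < 1e-8:                           # exponential-tail limit
        z_q = t - sigma * math.log(ratio)
    else:
        z_q = t + (sigma / gamma) * (ratio ** (-gamma) - 1.0)
    return t, z_q


def make_constructed_scores(seed=7, n_normal=5000, n_stream=1000):
    """Constructed data: exponential 'reconstruction errors' plus 3 spikes."""
    rng = random.Random(seed)
    calibration = [rng.expovariate(1.0) for _ in range(n_normal)]
    stream = [rng.expovariate(1.0) for _ in range(n_stream)]
    injected = [200, 201, 750]                      # constructed anomaly positions
    for i in injected:
        stream[i] = 20.0
    return calibration, stream, injected


def detect(stream, z_q):
    """Indices whose anomaly score exceeds the POT threshold."""
    return [i for i, s in enumerate(stream) if s > z_q]


if __name__ == "__main__":
    calibration, stream, injected = make_constructed_scores()
    t, z_q = pot_threshold(calibration)
    print(f"initial threshold t={t:.3f}, POT threshold z_q={z_q:.3f}")
    print(f"alarms={detect(stream, z_q)}, injected={injected}")
```

Lowering `q` pushes the threshold further into the tail and trades recall for fewer false alarms; the threshold is only as good as the calibration scores are free of anomalies.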

MSCRED is effective in storing time information due to its continuous observation and performs well on partial datasets, but it struggles to identify anomalies close to normal and operates at a lower speed. The KBJNet architecture can effectively capture information from various dimensions simultaneously. At the same time, KBJNet can efficiently track input and capture long-range dependencies due to position encoding and residual connections. As seen in Figure 8, TranAD, DTAAD, and KBJNet demonstrate advantages over other models because they utilize meta-learning to accelerate model training. Among the other models, MSCRED and the GRU in MTAD-GAT run inefficiently because they are not executed in parallel, and on large-volume datasets their training is slower than that of KBJNet. Apart from KBJNet, USAD considers time performance optimization, with limited effect. USAD and MAD-GAN both adopt generative adversarial training, with USAD being less computationally intensive than MAD-GAN. Figure 6 and Figure 7 illustrate the training time and inference time on all datasets.

Figure 6 

Training time in all datasets.

Figure 7 

Inference time in all datasets.

Figure 8 

Sensitivity to window size.

3) Sensitivity to the number of training epochs: The correlation between the performance of the anomaly detection model and the number of training epochs is illustrated in Table VI. It reveals that the model’s recall rate remains consistently high at 0.9974 across all training epochs. This indicates that the model can accurately identify the true positive cases and has a low rate of false negatives, which is important for effectively detecting anomalies in non-normal datasets. The AUC score, which evaluates the model’s performance, increases from 0.9200 in the first epoch to 0.9985 in the tenth. This indicates that the model’s ability to accurately differentiate between anomalies and normal data points improves with increased training epochs. The F1-Score shows an increasing trend from 0.9393 in the second epoch to 0.9972 in the tenth. This suggests that the model achieves a better balance between precision and recall as the number of training epochs increases, which is important for an effective anomaly detection model.

Table VI

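The connection between training epochs and performance on the SMD dataset.

| EPOCH | PRECISION | RECALL | AUC | F1-SCORE |
|---|---|---|---|---|
| 1 | 0.9567 | 0.8440 | 0.9200 | 0.8968 |
| 2 | 0.8876 | 0.9974 | 0.9922 | 0.9393 |
| 3 | 0.8831 | 0.9974 | 0.9919 | 0.9368 |
| 4 | 0.8996 | 0.9974 | 0.9929 | 0.9460 |
| 5 | 0.9662 | 0.9974 | 0.9969 | 0.9815 |
| 6 | 0.9985 | 0.9974 | 0.9986 | 0.9979 |
| 7 | 0.9996 | 0.9974 | 0.9987 | 0.9985 |
| 8 | 0.9992 | 0.9974 | 0.9986 | 0.9983 |
| 9 | 0.9985 | 0.9974 | 0.9986 | 0.9979 |
| 10 | 0.9970 | 0.9974 | 0.9985 | 0.9972 |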

4) Sensitivity to window size: In this study, we present our findings derived from three multivariate datasets: SMD, MSDS, and WADI. This choice is based on the consistently better performance demonstrated by KBJNet across diverse datasets. Increasing the window size can affect the time dependency values in the data. A larger window size will result in increased dependency on other data points. This enhancement also impacts the speed of anomaly detection. Figure 8 illustrates the detection results for four window sizes across three datasets. Better performance is observed with window sizes of 5 and 20 for SMD and 20 for WADI. The results suggest that smaller windows are more suitable for datasets with weak dependencies. In the case of the SMD dataset, a decrease in performance is evident when the window size reduces the model’s generalization ability. Moreover, larger windows increase memory and computational requirements, thus slowing down the training process.

5) Sensitivity to MAML: The utilization of MAML enables KBJNet to swiftly discern unusual patterns in sequential data, even when dealing with a limited dataset (Table VII). The response of KBJNet to different datasets with varying K values in a sensitivity analysis is contingent upon the specific dataset under consideration. The effectiveness of MAML varies based on the degree of similarity between the meta-tasks and the target task. The findings suggest that selecting smaller K values in MAML is more suitable. In the case of the MSL dataset, we observe a deterioration in performance as K increases in SMD, impacting both computational efficiency and overall performance. Furthermore, larger K values impose greater computational demands and result in a slowdown of the training process.

Table VII

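Sensitivity of KBJNet to MAML with 20% of the datasets, according to meta step-size.

| DATASET | 5 | 10 | 15 | 20 |
|---|---|---|---|---|
| NAB | 0.9231 | 0.9057 | 0.9057 | 0.9231 |
| UCR | 0.9328 | 0.9328 | 0.9328 | 0.9328 |
| MBA | 0.9869 | 0.9871 | 0.9867 | 0.9871 |
| SMAP | 0.9007 | 0.8926 | 0.8926 | 0.9338 |
| MSL | 0.9451 | 0.8998 | 0.8998 | 0.8998 |
| SWaT | 0.8087 | 0.8087 | 0.8094 | 0.8087 |
| SMD | 0.9983 | 0.9970 | 0.9820 | 0.9983 |
| MSDS | 0.9107 | 0.9107 | 0.9107 | 0.9107 |
| WADI | 0.1511 | 0.1104 | 0.1208 | 0.1071 |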

6) Sensitivity to kernel size: In these findings, we maintained the global TCN layer and adjusted the filter size by altering the receptive field. Once again, we experimented using SMD, MSDS, and WADI datasets. The results are presented in Figure 9. Optimal performance was achieved for the SMD and MSDS datasets, with a slight decrease observed for WADI. Therefore, kernel size becomes a consideration. However, due to the consistent expansion factor, kernel size changes do not significantly impact the final results.

Figure 9 

Sensitivity to kernel size.

7) Ablation analysis: Table VIII summarizes the F1 scores and AUC values for KBJNet and its ablated versions, each with 80% of the training dataset. First, our proposed KBJNet model has proven effective as it achieves the highest performance regarding both AUC and F1 scores on most datasets.

Table VIII

F1 scores and AUC for KBJNet with 80% of the training datasets.


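| COMPONENT | NAB AUC | NAB F1 | UCR AUC | UCR F1 | MBA AUC | MBA F1 |
|---|---|---|---|---|---|---|
| KBJNet | 0.9996 | 0.9412 | 0.9999 | 0.9999 | 0.9898 | 0.9805 |
| (-)Bi-Joint TCN | 0.9996 | 0.9411 | 0.9986 | 0.9327 | 0.9898 | 0.9787 |
| (-)MAML | 0.9996 | 0.9412 | 0.9990 | 0.9527 | 0.9889 | 0.9787 |
| (-)Transformer | 0.9325 | 0.9050 | 0.9980 | 0.9188 | 0.9926 | 0.9858 |

| COMPONENT | SMAP AUC | SMAP F1 | MSL AUC | MSL F1 | SWaT AUC | SWaT F1 |
|---|---|---|---|---|---|---|
| KBJNet | 0.9901 | 0.9072 | 0.9916 | 0.9496 | 0.8463 | 0.8109 |
| (-)Bi-Joint TCN | 0.9903 | 0.9083 | 0.9565 | 0.7848 | 0.8462 | 0.8101 |
| (-)MAML | 0.9890 | 0.8974 | 0.9573 | 0.7878 | 0.8462 | 0.8101 |
| (-)Transformer | 0.9853 | 0.8682 | 0.9700 | 0.8412 | 0.8459 | 0.8086 |

| COMPONENT | SMD AUC | SMD F1 | MSDS AUC | MSDS F1 |
|---|---|---|---|---|
| KBJNet | 0.9987 | 0.9985 | 0.9248 | 0.9573 |
| (-)Bi-Joint TCN | 0.9911 | 0.8732 | 0.9809 | 0.8991 |
| (-)MAML | 0.9923 | 0.8790 | 0.9784 | 0.8872 |
| (-)Transformer | 0.9852 | 0.8582 | 0.9789 | 0.8937 |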

We conducted ablation experiments on the KBJNet model to evaluate the impact of each component by removing the bi-joint TCN, MAML, and transformer from the KBJNet model. From the results in Table VIII, it is evident that eliminating the bi-joint TCN module slightly reduces the F1 scores for most datasets. However, its effect on the AUC scores of the UCR, MBA, SMAP, and MSL datasets is more pronounced. This indicates that the bi-joint TCN module contributes significantly to capturing temporal dependencies and enhancing the overall effectiveness of the KBJNet model.

Next, we observe that removing the MAML module has a greater impact on the F1 scores than on the AUC values of most datasets, indicating that the MAML module contributes to improving the model’s ability to adapt to new tasks and data distributions. Finally, removing the transformer module exerts the greatest influence on the AUC values of the NAB and MSL datasets. This suggests that the transformer module is essential for capturing global contextual information and enhancing the model’s discriminative power. Figure 6 reveals that KBJNet requires significantly less time than the baseline methods. These findings indicate the lightweight nature of our model and highlight the benefits of incorporating positional encoding.

In summary, the ablation study in Table VIII confirms that each component of the KBJNet model contributes to its overall anomaly detection performance, with the bi-joint TCN module playing the most critical role in capturing temporal dependencies, followed by the MAML module for better adaptation to new tasks and the transformer module for capturing global contextual information.

V. Conclusion

This research developed the KBJNet, a novel anomaly detection model based on bi-joint TCN, which accurately identifies anomalies within multivariate time series data. Leveraging the power of the transformer architecture, our model adeptly handles lengthy data sequences.

Through rigorous experimentation across nine benchmark datasets, KBJNet outperforms established state-of-the-art methods, yielding substantial enhancements in F1 and F1* scores, ranging from 2% to 9%, for complete and compact datasets, respectively. We noticed that our algorithm did not surpass all aspects of the other algorithms. However, it is worth highlighting that KBJNet exhibited superior performance to most algorithms under consideration. Furthermore, KBJNet is versatile and can adapt for deployment across diverse devices, making it particularly well-suited for contemporary industrial and embedded systems demanding accurate and efficient anomaly detection.

To ensure a more comprehensive assessment of its efficacy, further experimentation with datasets from diverse fields will be beneficial. This broader testing approach will enable us to determine the model’s applicability and performance in various contexts beyond the industrial domain. Optimizing our model’s efficiency remains open to further research, potentially enhancing processing speed and resource utilization.