Data Mining:

Concepts and Techniques

(4th ed.)
— Chapter 10 —

Jiawei Han, Micheline Kamber, and Jian Pei

University of Illinois at Urbana-Champaign &
Simon Fraser University
©2011 Han, Kamber & Pei. All rights reserved.
1
 What Are Outliers?
◼ Outlier: A data object that deviates significantly from the normal
objects as if it were generated by a different mechanism
◼ Ex.: Unusual credit card purchase, sports: Michael Jordon, Wayne

Gretzky, ...
◼ Outliers are different from the noise data
◼ Noise is random error or variance in a measured variable

◼ Noise should be removed before outlier detection

◼ Outliers are interesting: It violates the mechanism that generates the

normal data
◼ Outlier detection vs. novelty detection: early stage, outlier; but later
merged into the model
◼ Applications:
◼ Credit card fraud detection

◼ Telecom fraud detection

◼ Customer segmentation

◼ Medical analysis
2
 Types of Outliers (I)
◼ Three kinds: global, contextual and collective outliers
◼ Global outlier (or point anomaly) Global Outlier

◼ Object is Og if it significantly deviates from the rest of the data set

◼ Ex. Intrusion detection in computer networks

◼ Issue: Find an appropriate measurement of deviation

◼ Contextual outlier (or conditional outlier)

◼ Object is Oc if it deviates significantly based on a selected context

o
◼ Ex. 80 F in Urbana: outlier? (depending on summer or winter?)

◼ Attributes of data objects should be divided into two groups

◼ Contextual attributes: defines the context, e.g., time & location

◼ Behavioral attributes: characteristics of the object, used in outlier

evaluation, e.g., temperature

◼ Can be viewed as a generalization of local outliers—whose density

significantly deviates from its local area

◼ Issue: How to define or formulate meaningful context?

3
 Types of Outliers (II)
◼ Collective Outliers
◼ A subset of data objects collectively deviate
significantly from the whole data set, even if the
individual data objects may not be outliers
◼ Applications: E.g., intrusion detection: Collective Outlier
◼ When a number of computers keep sending
denial-of-service packages to each other
◼ Detection of collective outliers
◼ Consider not only behavior of individual objects, but also that of

groups of objects
◼ Need to have the background knowledge on the relationship

among data objects, such as a distance or similarity measure

on objects.
◼ A data set may have multiple types of outlier
◼ One object may belong to more than one type of outlier
4
 Challenges of Outlier Detection
◼ Modeling normal objects and outliers properly
◼ Hard to enumerate all possible normal behaviors in an application

◼ The border between normal and outlier objects is often a gray area

◼ Application-specific outlier detection

◼ Choice of distance measure among objects and the model of

relationship among objects are often application-dependent

◼ E.g., clinic data: a small deviation could be an outlier; while in

marketing analysis, larger fluctuations

◼ Handling noise in outlier detection
◼ Noise may distort the normal objects and blur the distinction

between normal objects and outliers. It may help hide outliers and
reduce the effectiveness of outlier detection
◼ Understandability
◼ Understand why these are outliers: Justification of the detection

◼ Specify the degree of an outlier: the unlikelihood of the object being

generated by a normal mechanism

5
 Outlier Detection I: Supervised Methods
◼ Two ways to categorize outlier detection methods:
◼ Based on whether user-labeled examples of outliers can be obtained:

◼ Supervised, semi-supervised vs. unsupervised methods

◼ Based on assumptions about normal data and outliers:

◼ Statistical, proximity-based, and clustering-based methods

◼ Outlier Detection I: Supervised Methods

◼ Modeling outlier detection as a classification problem

◼ Samples examined by domain experts used for training & testing

◼ Methods for Learning a classifier for outlier detection effectively:

◼ Model normal objects & report those not matching the model as

outliers, or
◼ Model outliers and treat those not matching the model as normal

◼ Challenges

◼ Imbalanced classes, i.e., outliers are rare: Boost the outlier class

and make up some artificial outliers

◼ Catch as many outliers as possible, i.e., recall is more important

than accuracy (i.e., not mislabeling normal objects as outliers)

6
 Outlier Detection II: Unsupervised Methods
◼ Assume the normal objects are somewhat ``clustered'‘ into multiple
groups, each having some distinct features
◼ An outlier is expected to be far away from any groups of normal objects
◼ Weakness: Cannot detect collective outlier effectively
◼ Normal objects may not share any strong patterns, but the collective
outliers may share high similarity in a small area
◼ Ex. In some intrusion or virus detection, normal activities are diverse
◼ Unsupervised methods may have a high false positive rate but still
miss many real outliers.
◼ Supervised methods can be more effective, e.g., identify attacking
some key resources
◼ Many clustering methods can be adapted for unsupervised methods
◼ Find clusters, then outliers: not belonging to any cluster

◼ Problem 1: Hard to distinguish noise from outliers

◼ Problem 2: Costly since first clustering: but far less outliers than
normal objects
◼ Newer methods: tackle outliers directly

7
Outlier Detection III: Semi-Supervised Methods
◼ Situation: In many applications, the number of labeled data is often
small: Labels could be on outliers only, normal objects only, or both
◼ Semi-supervised outlier detection: Regarded as applications of semi-
supervised learning
◼ If some labeled normal objects are available
◼ Use the labeled examples and the proximate unlabeled objects to
train a model for normal objects
◼ Those not fitting the model of normal objects are detected as outliers
◼ If only some labeled outliers are available, a small number of labeled
outliers many not cover the possible outliers well
◼ To improve the quality of outlier detection, one can get help from
models for normal objects learned from unsupervised methods

8
 Outlier Detection (1): Statistical Methods
◼ Statistical methods (also known as model-based methods) assume
that the normal data follow some statistical model (a stochastic model)
◼ The data not following the model are outliers.
◼ Example (right figure): First use Gaussian distribution
to model the normal data
◼ For each object y in region R, estimate g D(y), the

probability of y fits the Gaussian distribution

◼ If gD(y) is very low, y is unlikely generated by the

Gaussian model, thus an outlier

◼ Effectiveness of statistical methods: highly depends on whether the
assumption of statistical model holds in the real data
◼ There are rich alternatives to use various statistical models
◼ E.g., parametric vs. non-parametric

9
Outlier Detection (2): Proximity-Based Methods
◼ An object is an outlier if the nearest neighbors of the object are far
away, i.e., the proximity of the object is significantly deviates from
the proximity of most of the other objects in the same data set
◼ Example (right figure): Model the proximity of an
object using its 3 nearest neighbors
◼ Objects in region R are substantially different
from other objects in the data set.
◼ Thus the objects in R are outliers
◼ The effectiveness of proximity-based methods highly relies on the
proximity measure.
◼ In some applications, proximity or distance measures cannot be
obtained easily.
◼ Often have a difficulty in finding a group of outliers which stay close to
each other
◼ Two major types of proximity-based outlier detection
◼ Distance-based vs. density-based
10
Outlier Detection (3): Clustering-Based Methods
◼ Normal data belong to large and dense clusters, whereas
outliers belong to small or sparse clusters, or do not belong
to any clusters
◼ Example (right figure): two clusters
◼ All points not in R form a large cluster
◼ The two points in R form a tiny cluster,
thus are outliers
◼ Since there are many clustering methods, there are many
clustering-based outlier detection methods as well
◼ Clustering is expensive: straightforward adaption of a
clustering method for outlier detection can be costly and
does not scale up well for large data sets

11
 Statistical Approaches
◼ Statistical approaches assume that the objects in a data set are
generated by a stochastic process (a generative model)
◼ Idea: learn a generative model fitting the given data set, and then
identify the objects in low probability regions of the model as outliers
◼ Methods are divided into two categories: parametric vs. non-parametric
◼ Parametric method
◼ Assumes that the normal data is generated by a parametric
distribution with parameter θ
◼ The probability density function of the parametric distribution f(x, θ)
gives the probability that object x is generated by the distribution
◼ The smaller this value, the more likely x is an outlier

◼ Non-parametric method
◼ Not assume an a-priori statistical model and determine the model
from the input data
◼ Not completely parameter free but consider the number and nature
of the parameters are flexible and not fixed in advance
◼ Examples: histogram and kernel density estimation

12
 Distance-Based Outlier Detection
◼ For each object o, examine the # of other objects in the r-neighborhood
of o, where r is a user-specified distance threshold
◼ An object o is an outlier if most (taking π as a fraction threshold) of
the objects in D are far away from o, i.e., not in the r-neighborhood of o

◼ An object o is a DB(r, π) outlier if

◼ Equivalently, one can check the distance between o and its k-th
nearest neighbor ok, where . o is an outlier if dist(o, ok) > r
◼ Efficient computation: Nested loop algorithm
◼ For any object oi, calculate its distance from other objects, and
count the # of other objects in the r-neighborhood.
◼ If π∙n other objects are within r distance, terminate the inner loop
◼ Otherwise, oi is a DB(r, π) outlier
◼ Efficiency: Actually CPU time is not O(n2) but linear to the data set size
since for most non-outlier objects, the inner loop terminates early
13
 Density-Based Outlier Detection

◼ Local outliers: Outliers comparing to their local

neighborhoods, instead of the global data
distribution
◼ In Fig., o1 and o2 are local outliers to C1, o3 is a
global outlier, but o4 is not an outlier. However,
proximity-based clustering cannot find o1 and o2
are outlier (e.g., comparing with O4).
◼ Intuition (density-based outlier detection): The density around an outlier
object is significantly different from the density around its neighbors
◼ Method: Use the relative density of an object against its neighbors as
the indicator of the degree of the object being outliers
◼ k-distance of an object o, distk(o): distance between o and its k-th NN
◼ k-distance neighborhood of o, Nk(o) = {o’| o’ in D, dist(o, o’) ≤ distk(o)}
◼ Nk(o) could be bigger than k since multiple objects may have
identical distance to o
14
 Clustering-Based Outlier Detection (1 & 2):
Not belong to any cluster, or far from the closest one
◼ An object is an outlier if (1) it does not belong to any cluster, (2) there is
a large distance between the object and its closest cluster , or (3) it
belongs to a small or sparse cluster
◼ Case I: Not belong to any cluster
◼ Identify animals not part of a flock: Using a density-

based clustering method such as DBSCAN

◼ Case 2: Far from its closest cluster
◼ Using k-means, partition data points of into clusters

◼ For each object o, assign an outlier score based on

its distance from its closest center

◼ If dist(o, c o)/avg_dist(co) is large, likely an outlier

◼ Ex. Intrusion detection: Consider the similarity between

data points and the clusters in a training data set
◼ Use a training set to find patterns of “normal” data, e.g., frequent
itemsets in each segment, and cluster similar connections into groups
◼ Compare new data points with the clusters mined—Outliers are
possible attacks 15
Clustering-Based Method: Strength and Weakness
◼ Strength
◼ Detect outliers without requiring any labeled data

◼ Work for many types of data

◼ Clusters can be regarded as summaries of the data

◼ Once the cluster are obtained, need only compare any object

against the clusters to determine whether it is an outlier (fast)

◼ Weakness
◼ Effectiveness depends highly on the clustering method used—they

may not be optimized for outlier detection

◼ High computational cost: Need to first find clusters

◼ A method to reduce the cost: Fixed-width clustering

◼ A point is assigned to a cluster if the center of the cluster is

within a pre-defined distance threshold from the point

◼ If a point cannot be assigned to any existing cluster, a new

cluster is created and the distance threshold may be learned

from the training data under certain conditions
Classification-Based Method I: One-Class Model
◼ Idea: Train a classification model that can
distinguish “normal” data from outliers
◼ A brute-force approach: Consider a training set
that contains samples labeled as “normal” and
others labeled as “outlier”
◼ But, the training set is typically heavily
biased: # of “normal” samples likely far
exceeds # of outlier samples
◼ Cannot detect unseen anomaly

◼ One-class model: A classifier is built to describe only the normal class.

◼ Learn the decision boundary of the normal class using classification

methods such as SVM

◼ Any samples that do not belong to the normal class (not within the

decision boundary) are declared as outliers

◼ Adv: can detect new outliers that may not appear close to any outlier

objects in the training set

◼ Extension: Normal objects may belong to multiple classes

17
 Summary
◼ Types of outliers
◼ global, contextual & collective outliers
◼ Outlier detection
◼ supervised, semi-supervised, or unsupervised
◼ Statistical (or model-based) approaches
◼ Proximity-base approaches
◼ Clustering-base approaches
◼ Classification approaches
◼ Mining contextual and collective outliers
◼ Outlier detection in high dimensional data

18