1 / 18

Extensible Markov Model

Extensible Markov Model. ME. Margaret H. Dunham, Yu Meng, Jie Huang CSE Department Southern Methodist University Dallas, Texas 75275 mhd@engr.smu.edu This material is based upon work supported by the National Science Foundation under Grant No. IIS-0208741. EMM – Objectives/Outline.

Download Presentation

Extensible Markov Model

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Extensible Markov Model ME Margaret H. Dunham, Yu Meng, Jie Huang CSE Department Southern Methodist University Dallas, Texas 75275 mhd@engr.smu.edu This material is based upon work supported by the National Science Foundation under Grant No. IIS-0208741

  2. EMM – Objectives/Outline Develop modeling techniques which can “learn” past behavior of spatiotemporal events. • Objectives • Related Work • EMM Overview • EMM Applications and Performance

  3. Spatiotemporal Modeling • Example Applications: • Flood Prediction • Rare Event Detection – Network traffic, automobile traffic • Requirements • Capture Time • Capture Space • Dynamic • Scalable • Quasi-Real Time

  4. Problem with Markov Chains • The required structure of the MC may not be certain at the model construction time. • As the real world being modeled by the MC changes, so should the structure of the MC. • Not scalable – grows linearly as number of events. • Markov Property • Our solution: • Extensible Markov Model (EMM) • Cluster real world events • Allow markov chain to grow and shrink dynamically

  5. EMM Overview • Time Varying Discrete First Order Markov Model • Nodes are clusters of real world states. • Learning continues during prediction phase. • Learning: • Transition probabilities between nodes • Node labels (centroid of cluster) • Nodes are added and removed as data arrives

  6. Related Work • Splitting Nodes in HMMs • Create new states by splitting an existing state • M.J. Black and Y. Yacoob,”Recognizing facial expressions in image sequences using local parameterized models of image motion”,Int. Journal of Computer Vision, 25(1), 1997, 23-48. • Dynamic Markov Modeling • States and transitions are cloned • G. V. Cormack, R. N. S. Horspool. “Data compression using dynamic Markov Modeling,”The Computer Journal, Vol. 30, No. 6, 1987. • Augmented Markov Model (AMM) • Creates new states if the input data has never been seen in the model, and transition probabilities are adjusted • Dani Goldberg, Maja J Mataric. “Coordinating mobile robot group behavior using a model of interaction dynamics,” Proceedings, the Third International Conference on Autonomous Agents (agents ’99), Seattle, Washington

  7. EMM vs AMM Our proposed EMM model is similar to AMM, but is more flexible: • EMM continues to learn during the application (prediction, etc.) phase. • The EMM is a generic incremental model whose nodes can have any kind of representatives. • State matching is determined using a clustering technique. • EMM not only allows the creation of new nodes, but deletion (or merging) of existing nodes. This allows the EMM model to “forget” old information which may not be relevant in the future. It also allows the EMM to adapt to any main memory constraints for large scale datasets. • EMM performs one scan of data and therefore is suitable for online data processing.

  8. EMM Definition Extensible Markov Model (EMM): at any time t, EMM consists of an MC with designated current node, Nn, and algorithms to modify it, where algorithms include: • EMMCluster, which defines a technique for matching between input data at time t + 1 and existing states in the MC at time t. • EMMIncrement algorithm, which updates MC at time t + 1 given the MC at time t and clustering measure result at time t + 1. • EMMDecrement algorithm,which removes nodes from the EMM when needed.

  9. EMM Cluster • Find closest node to incoming event. • If none “close” create new node • Labeling of cluster is centroid of members in cluster • Problem • O(n) • Examining use of Birch O(lg n)

  10. 2/3 1/2 N3 2/3 N1 2/3 1/2 N3 1/3 1/1 N2 N1 N1 1/2 2/3 1/3 1/1 N2 1/3 N2 N1 1/3 N2 N3 1/1 1 N1 1/1 2/2 1/1 N1 EMM Increment <18,10,3,3,1,0,0> <17,10,2,3,1,0,0> <16,9,2,3,1,0,0> <14,8,2,3,1,0,0> <14,8,2,3,0,0,0> <18,10,3,3,1,1,0.>

  11. 1/3 1/3 1/3 1/6 1/6 N1 N1 N3 N3 1/3 2/2 1/3 1/6 N2 1/3 1/2 N6 N6 N5 N5 EMM Decrement Delete N2

  12. EMM Performance – Growth Rate

  13. EMM Performance – Growth Rate

  14. EMM Performance - Prediction

  15. Rare Events in Network Traffic • Detect (predict) unusual/rare behavior in network traffic. • Learning unusual behavior patterns and continue to learn as traffic arrives. • Not an outlier • We don’t know anything about the distribution of the data. Even if we did the data continues changing. • A model created based on a static view may not fit tomorrow’s data. • We view a rare event as: • Unusual state of the network (or subset thereof). • Transition between network states which does not frequently occur. • Base rare event detection on determining events or transitions between events that do not frequently occur.

  16. Rare Event Examples • The amount of traffic through a site in a particular time interval as extremely high or low. • The type of traffic (i.e. source IP addresses or destination addresses) is unusual. • Current traffic behavior is unusual based on recent precious traffic behavior. • Unusual behavior at several sites.

  17. Rare Event Detection Detected unusual weekend traffic pattern • Objective: Detect rare (unusual, surprising) events • Technique: New data modeling tool developed by SMU DBGroup called Extensible Markov Model • Advantages: • Dynamically learns what is normal • Based on this learning, can predict what is not normal • Do not have to a priori indicate normal behavior • Applications: • Network Intrusion • Data: IP traffic data, Automobile traffic data Weekdays Weekend Minnesota DOT Traffic Data

  18. Conclusion We welcome feedback

More Related