Master of Science

1
Extensible Markov Model
ME

Margaret H. Dunham, Yu Meng, Jie Huang CSE
Department Southern Methodist University Dallas,
Texas 75275 mhd_at_engr.smu.edu This material is
based upon work supported by the National Science
Foundation under Grant No. IIS-0208741
2
EMM Objectives/Outline

• Develop modeling techniques which can learn
  past behavior of spatiotemporal events.
• Objectives
• Related Work
• EMM Overview
• EMM Applications and Performance

3
Spatiotemporal Modeling

• Example Applications
• Flood Prediction
• Rare Event Detection Network traffic,
  automobile traffic
• Requirements
• Capture Time
• Capture Space
• Dynamic
• Scalable
• Quasi-Real Time

4
Problem with Markov Chains

• The required structure of the MC may not be
  certain at the model construction time.
• As the real world being modeled by the MC
  changes, so should the structure of the MC.
• Not scalable grows linearly as number of
  events.
• Markov Property
• Our solution
• Extensible Markov Model (EMM)
• Cluster real world events
• Allow markov chain to grow and shrink dynamically

5
EMM Overview

• Time Varying Discrete First Order Markov Model
• Nodes are clusters of real world states.
• Learning continues during prediction phase.
• Learning
• Transition probabilities between nodes
• Node labels (centroid of cluster)
• Nodes are added and removed as data arrives

6
Related Work

• Splitting Nodes in HMMs
• Create new states by splitting an existing state
• M.J. Black and Y. Yacoob,Recognizing facial
  expressions in image sequences using local
  parameterized models of image motion, Int.
  Journal of Computer Vision, 25(1), 1997, 23-48.
• Dynamic Markov Modeling
• States and transitions are cloned
• G. V. Cormack, R. N. S. Horspool. Data
  compression using dynamic Markov Modeling, The
  Computer Journal, Vol. 30, No. 6, 1987.
• Augmented Markov Model (AMM)
• Creates new states if the input data has never
  been seen in the model, and transition
  probabilities are adjusted
• Dani Goldberg, Maja J Mataric. Coordinating
  mobile robot group behavior using a model of
  interaction dynamics, Proceedings, the Third
  International Conference on Autonomous Agents
  (agents 99), Seattle, Washington

7
EMM vs AMM

• Our proposed EMM model is similar to AMM, but is
  more flexible
• EMM continues to learn during the application
  (prediction, etc.) phase.
• The EMM is a generic incremental model whose
  nodes can have any kind of representatives.
• State matching is determined using a clustering
  technique.
• EMM not only allows the creation of new nodes,
  but deletion (or merging) of existing nodes.
  This allows the EMM model to forget old
  information which may not be relevant in the
  future. It also allows the EMM to adapt to any
  main memory constraints for large scale datasets.
• EMM performs one scan of data and therefore is
  suitable for online data processing.

8
EMM Definition

• Extensible Markov Model (EMM) at any time t, EMM
  consists of an MC with designated current node,
  Nn, and algorithms to modify it, where algorithms
  include
• EMMCluster, which defines a technique for
  matching between input data at time t 1 and
  existing states in the MC at time t.
• EMMIncrement algorithm, which updates MC at time
  t 1 given the MC at time t and clustering
  measure result at time t 1.
• EMMDecrement algorithm, which removes nodes from
  the EMM when needed.

9
EMM Cluster

• Find closest node to incoming event.
• If none close create new node
• Labeling of cluster is centroid of members in
  cluster
• Problem
• O(n)
• Examining use of Birch O(lg n)

10
EMM Increment
lt18,10,3,3,1,0,0gt lt17,10,2,3,1,0,0gt lt16,9,2,3,1,0,
0gt lt14,8,2,3,1,0,0gt lt14,8,2,3,0,0,0gt lt18,10,3,3,1,
1,0.gt
11
EMM Decrement
Delete N2
12
EMM Performance Growth Rate
Data Sim Threshold Threshold Threshold Threshold Threshold
Data Sim 0.99 0.992 0.994 0.996 0.998
Ser went Jaccrd 156 190 268 389 667
Ser went Dice 72 92 123 191 389
Ser went Cosine 11 14 19 31 61
Ser went Ovrlap 2 2 3 3 4
Ouse Jaccrd 56 66 81 105 162
Ouse Dice 40 43 52 66 105
Ouse Cosine 6 8 10 13 24
Ouse Ovrlap 1 1 1 1 1
13
EMM Performance Growth Rate
14
EMM Performance - Prediction
NARE RMS No of States
RLF RLF 0.321423 1.5389
EMM Th0.95 0.068443 0.43774 20
EMM Th0.99 0.046379 0.4496 56
EMM Th0.995 0.055184 0.57785 92
15
Rare Events in Network Traffic

• Detect (predict) unusual/rare behavior in network
  traffic.
• Learning unusual behavior patterns and continue
  to learn as traffic arrives.
• Not an outlier
• We dont know anything about the distribution of
  the data. Even if we did the data continues
  changing.
• A model created based on a static view may not
  fit tomorrows data.
• We view a rare event as
• Unusual state of the network (or subset thereof).
• Transition between network states which does not
  frequently occur.
• Base rare event detection on determining events
  or transitions between events that do not
  frequently occur.

16
Rare Event Examples

• The amount of traffic through a site in a
  particular time interval as extremely high or
  low.
• The type of traffic (i.e. source IP addresses or
  destination addresses) is unusual.
• Current traffic behavior is unusual based on
  recent precious traffic behavior.
• Unusual behavior at several sites.

17
Rare Event Detection

• Objective Detect rare (unusual, surprising)
  events
• Technique New data modeling tool developed by
  SMU DBGroup called Extensible Markov Model
• Advantages
• Dynamically learns what is normal
• Based on this learning, can predict what is not
  normal
• Do not have to a priori indicate normal behavior
• Applications
• Network Intrusion
• Data IP traffic data, Automobile traffic data

Detected unusual weekend traffic pattern
Weekdays Weekend Minnesota DOT Traffic Data
18
Conclusion
We welcome feedback