Most anomaly detection systems try to model normal behavior and assume anomalies deviate from it in diverse manners. However, there may be patterns in the anomalies as well. Ideally, an anomaly detection system can exploit patterns in both normal and anomalous behavior. In this paper, we present AD-MERCS, an unsupervised approach to anomaly detection that explicitly aims at doing both. AD-MERCS identifies multiple subspaces of the instance space within which patterns exist, and identifies conditions (possibly in other subspaces) that characterize instances that deviate from these patterns. Experiments show that this modeling of both normality and abnormality makes the anomaly detector performant on a wide range of types of anomalies. Moreover, by identifying patterns and conditions in (low-dimensional) subspaces, the anomaly detector can provide simple explanations of why something is considered an anomaly. These explanations can be both negative (deviation from some pattern) as positive (meeting some condition that is typical for anomalies).

翻译：大多数异常检测系统试图对正常行为进行建模，并假设异常以多种方式偏离正常行为。然而，异常本身也可能存在模式。理想情况下，异常检测系统能够同时利用正常行为和异常行为中的模式。本文提出AD-MERCS，一种明确旨在同时实现这两点的无监督异常检测方法。AD-MERCS识别实例空间中存在模式的多个子空间，并识别刻画偏离这些模式的实例的条件（可能在其他子空间中）。实验表明，这种对正常性与异常性的联合建模使异常检测器在多种异常类型上表现优异。此外，通过识别（低维）子空间中的模式与条件，该检测器能对某实例被视为异常的原因提供简洁的解释。这些解释既可以是负向的（偏离某种模式），也可以是正向的（满足异常典型的某种条件）。