<img src="../img/GTK_Logo_Social Icon.jpg" width=175 align="right" />

# Worksheet 7.0 Anomaly Detection

This worksheet covers concepts relating to Anomaly Detection.  It should take no more than 20-30 minutes to complete.  Please raise your hand if you get stuck.  

There are many ways to accomplish the tasks that you are presented with, however you will find that by using the techniques covered in class, the exercises should be relatively simple. 

## Import the Libraries
For this exercise, we will be using:
* Pandas (http://pandas.pydata.org/pandas-docs/stable/)
* Numpy (https://docs.scipy.org/doc/numpy/reference/)
* Matplotlib (http://matplotlib.org/api/pyplot_api.html)
* PyFlux (https://pyflux.readthedocs.io/en/latest/)

**Note:  At the time of writing, PyFlux can be difficult to install with Python 3.7.  This module can be run with either `PyFlux` or `StatsModels`** 


In [None]:
import pandas as pd
import numpy as np
import pyflux as pf
from sklearn.preprocessing import StandardScaler
import matplotlib.pyplot as plt
from matplotlib import style
from pandas.plotting import autocorrelation_plot
style.use("ggplot")
%matplotlib inline

# Part One:  Finding Anomalies in CPU Usage Data
The first part of this lab, you will be examining CPU usage data to find anomalies. 

## Step One:  Get the Data
For this example, we will be looking at CPU Utilization Data to see if we can identify periods of unusual activity.  The data can be found in several files:

* `cpu-full-a.csv`:  A full set of CPU usage data without anomalies
* `cpu-train-a.csv`:  The training set from data set A
* `cpu-test-b.csv`:  The test set from data set A
* `cpu-full-b.csv`:  A full set of CPU usage data with an anomaly
* `cpu-train-b.csv`:  The training set from data set A
* `cpu-test-b.csv`:  The test set from data set A


This dataset is from examples in *Machine Learning & Security*  by Clarence Chio and David Freeman.  https://github.com/oreilly-mlsec/book-resources/tree/master/chapter3/datasets/cpu-utilization.

First let's take a look at the data set A.  For the first part of this lab, load the training dataset into a dataframe.  DataFrames have an option `infer_datatime_format` which, when set to `True`, will automatically infer dates. Setting this will save time and steps in data preparation. 

Once the data is loaded, call the usual series of exploratory functions and most importantly, plot the data.

In [None]:
# Your code here



## Step Two:  Fit an ARIMA Model
Since we are dealing with time series data, let's train an ARIMA model and see how well this technique fits the actual data. 

ARIMA has three parameters:

* `p` (`ar`):  The number of lag observations included in the model
* `d` (`integ`): The number of times the raw observations are differenced
* `q` (`ma`):  The size of the moving average window

For the ARIMA model, use 11 for both the `ar` and `ma` parameters, and 0 for the `integ` parameter. The `ARIMA` function in PyFlux has a series of functions 

PyFlux has a series of plotting functions to visualize the model's performance including:

* `plot_fit()`:  This plot compares the fit of the ARIMA model with the actual data
* `plot_predict_is()`: This plot compares the predictions with the data. 
* `plot_predict()`: This plot compares the predictions and the confidence of the predictions

Run these all these plots on your model and see how well it forecasts the data.

Full documentation available here: https://pyflux.readthedocs.io/en/latest/arima.html

In [None]:
# Your code here...


## Step Three:  Find Anomalies in the CPU data
Using data set `B` train a new model. Once you have a trained model, the next step is to call the `.predict()` method to generate 60 predictions.  

Next, compare the predictions with the actual values in the test set, similar to how we assess the accuracy of a classifier.  We will call the difference between the actual and predicted value the anomaly score.  Calculate the anomaly score for the test data.  Finally, plot the anomaly scores, and see if you can find the time intervals with the highest anomaly score. 

In "real life", if you were streaming this, the first instance of an anomaly score outside of a pre-determined threshold would cause an alert.

In [None]:
df2_train = # Your code here... Use cpu-train-b.csv
df2_test = # Your code here... Use cpu-test-b.csv

# More code here...

## Conclusion:
If all went well, you should see anomalous behavior at 10 seconds into the test data.  Remembering that the forecasting's confidence goes down over time, the first anomaly should be enough to throw an alert for investigation. 