Building Better Unsupervised Anomaly Detector with S-Transform

Sirikarn Pukkawanna, Hiroaki Hazeyama, Youki Kadobayashi, and Suguru Yamaguchi

Nara Institute of Science and Technology
8916-5 Takayama, Ikoma, Nara 630-0192, Japan
{sirikarn-p,hiroa-ha,youki-k,suguru}@is.naist.jp

Abstract. Unsupervised anomaly detection is the most widely applicable approach because it can detect both known and novel anomalies without prior knowledge. In this paper, we propose an unsupervised anomaly detection method based on time-frequency analysis. First, we use the S-Transform to reveal the frequency characteristics of a network signal. Second, heuristics are used for anomaly detection. We evaluate the performance of our method on the MAWI and DARPA datasets. Furthermore, we compare the results with an unsupervised Wavelet Transform-based anomaly detection method. The results indicate that our method achieves better detection performance than the Wavelet Transform-based method.

Keywords: Unsupervised anomaly detection, time-frequency analysis, signal processing, multi-resolution analysis, S-Transform

1 Introduction

Several unsupervised anomaly detection techniques have been proposed due to the limitations of signature-based or learning-based methods, which rely on labeled training data and cannot detect unseen anomalies. Unsupervised anomaly detection detects anomalies without labeled data by assuming instead that most traffic is normal and the remaining traffic is anomalous [2]. Clustering-based techniques [5, 6] group similar instances and use a distance measurement algorithm to detect outliers. The performance of these techniques depends on the clustering and distance measurement algorithms. [7, 8] use Principal Component Analysis (PCA) to decompose the traffic feature distribution into normal and anomalous components. Obtaining good results from PCA-based techniques requires proper parameter tuning [11].

[3, 4] apply time-frequency analysis by using the Discrete Wavelet Transform (DWT) to reveal anomalies hidden in a network signal. A benefit of the DWT-based techniques is Multi-Resolution Analysis (MRA), which is able to detect various behaviors of anomalies. However, choosing a proper mother wavelet and a decomposition level are considerable tasks.

In this paper, we developed an unsupervised anomaly detector based on time-frequency analysis called STAD, which consists of 3 stages: 1) Conversion of