When a comprehensive training set is available, a supervised anomaly detection technique can typically outperform an unsupervised anomaly technique when performance is evaluated using measures such as the detection and false alarm rate. However, in some cases, such as fraud detection, new types of anomalies are always developing. Performance can be evaluated according to the detection and false alarm rates, because it is usually possible to determine, upon investigation, whether an object (transaction) is anomalous. Discuss the relative merits of supervised and unsupervised anomaly detection under such conditions.
What will be an ideal response?
When new anomalies are to be detected, an unsupervised anomaly detection scheme must be used. However, supervised anomaly detection techniques are still important for detecting known types of anomalies. Thus, both supervised and unsupervised anomaly detection methods should be used. A good example of such a situation is network intrusion detection. Profiles or signatures can be created for well-known types of intrusions, but cannot detect new types of intrusions.