**1. Introduction**

Changes in radon and other soil-gas concentrations, and other parameters, before and after earthquakes have been widely reported (Asada, 1982; Chyi *et al.*, 2001; Climent *et al.*, 1999; Crockett *et al.*, 2006a; Crockett & Gillmore, 2010; Igarashi *et al.*, 1995; Kerr, 2009; Koch & Heinicke, 1994; Planinic *et al.*, 2000; Plastino *et al.*, 2002; Wakita, 1996; Walia *et al.*, 2005; Walia *et al.*, 2006; Zmazek *et al.*, 2000). However, in the majority of such radon cases, changes in magnitude in single time-series have been reported, often large changes recorded using integrating detectors, and the majority of radon time-series analysis is reported for single time-series (e.g. Baykut *et al.*, 2010; Bella & Plastino, 1999; Finkelstein *et al.*, 1998). With a single time-series, recorded at a single location, there is no measure of the spatial extent of any anomaly and, to a great extent, only anomalies in magnitude can be investigated. With two, or more, time-series from different locations, it is possible to investigate the spatial extent of anomalies and also investigate anomalies in time, i.e. frequency and phase components, as well as anomalies in magnitude.

The aim of this chapter is to present techniques, developed and adapted from techniques more familiar in the field of signal analysis, for investigating paired time-series for simultaneous similar anomalous features. A paired radon time-series dataset is used to illuminate these techniques. This is not to imply that the techniques are restricted to radon time-series: it is simply that the investigation at the University of Northampton of these techniques in the context of earthquake precursory phenomena has been conducted on radon datasets. This work commenced in the autumn of 2002, following the Dudley earthquake of 23 September which was felt in Northampton and which occurred approximately three months into a radon monitoring programme being conducted as part of another project (Crockett *et al.*, 2006a; Phillips *et al.*, 2004).

#### **1.1 UK earthquakes**

The UK is not generally regarded as a seismically active region. In general, across the UK as a whole, in any given year there might be a few earthquakes of magnitude up to 3 or 4 and every 5-10 years there might be an earthquake of magnitude 5 or thereabouts (e.g. Bolt, 2004; Musson, 1996). This is simultaneously an advantage and disadvantage to this research. It is an advantage in that with so few earthquakes there is very little seismic 'noise' in any radon, or other, dataset. It is a disadvantage in that with so few earthquakes, long intervals can elapse between events and there is an element of luck in obtaining suitably paired time-series to investigate for potential earthquake-related anomalies.

Indeed, in 2002, luck played a major role in stimulating this research. During the latter part of 2002 the University of Northampton Radon Research Group had two hourly-sampling radon detectors deployed for a period which included the Dudley earthquake and also an unusual earthquake swarm in the Manchester area. Subsequently, 5.5 years then elapsed until another UK earthquake of similar magnitude occurred at Market Rasen in February 2008. Again, the University of Northampton had two hourly-sampling radon detectors deployed and, although that paired time-series was shorter in duration, it was still possible to identify simultaneous similar anomalies (Crockett and Gillmore, 2010).

#### **1.2 Magnitude anomalies, probability of occurrence**

An anomaly in magnitude is, expressed straightforwardly, a magnitude that occurs infrequently, at low probability, often determined according to user-defined probability criteria in a given context. One commonly used criterion assumes that the magnitudes are normally distributed and defines an anomalous magnitude as being one that lies more than a specified number of standard deviations from the arithmetic mean. For example, in any normally-distributed data, an interval of two standard deviations either side of the mean includes 95.45% of the data and any data lying outside this interval can be defined as anomalous, occurring only 4.55% of the time (2.28% at each tail of the distribution). This straightforward type of criterion is clearly satisfactory for normally distributed data but becomes increasingly less robust with divergence of data from normal distributions, indicating the use of more rigorous probability criteria.

#### **1.2.1 Standardised data, Standardised Radon Index (SRI)**

Where the data are not normally distributed, or not sufficiently close to normally distributed in a given context, account must be taken of the specific probability distribution. In some cases, it is possible to map onto a normal distribution, via an equiprobability mapping, and then use the mapped-onto distribution to investigate magnitude anomalies. This is essentially the approach taken with, for example, Standardised Precipitation Indices (SPIs) as described by McKee *et al.* (1993) which are a representation of (precipitation) data in terms of standard normal variables, i.e. standard deviations around a zero mean. Alternatively, where the data are lognormally distributed, as is generally the case with radon datasets, or for example, square-root or cube-root normally distributed (Fu *et al.*, 2010), it is possible to define magnitude anomalies in terms of the normal distributions of the logarithms, square-roots or cube-roots of the data respectively, again a representation of the data in terms of standard normal variables. This is the premise underpinning the Standardised Radon Indices (SRIs) proposed by Crockett & Holt (2011). SRIs are determined from the normally-distributed logarithms of lognormally distributed radon data, a representation of the data in terms of standard normal variables. Thus, a given magnitude of SRI is determined by the probability of occurrence of a given magnitude of radon concentration within a dataset.

In addition to transforming radon data, or other data by extension, such that the familiar normal-distribution definitions of magnitude anomaly can be used reliably, SRIs also allow radon time-series to be compared more fully than by considering relative magnitude as obtained by normalising the data, e.g. scaling the data to unit mean value. Such normalisation does not account for different radon responses to identical stimuli as might arise from differences in emission properties of rocks, soils, groundwater etc. SRIs, in standardising according to probability of occurrence, allow comparison of different radon datasets having different, possibly non-linear, responses to changes in radon emission in response to identical stimuli. In the case of paired time-series, as being considered herein, if values in the time-series have the same probabilities of occurrence they will have the same SRI even if their (relative) magnitudes are different.

Whilst not the focus of this chapter, this technique is discussed briefly, with an example, in Section 3.

#### **1.3 Quality of data, validity of comparison**

In any application of any of the correlation and coherence techniques described herein, the durations and sampling intervals of the paired time-series must be equal. Ideally, the two time-series should be sampled at the same times so as to avoid a built-in time-difference between pairs of data. Where there is such a time difference, it might be possible to pre-process the time-series, e.g. via a moving average, to minimise its significance, although this must be balanced against the resultant loss of high-frequency content. Under some circumstances where the sampling intervals are different but one is a multiple of the other, it can be possible to aggregate shorter-interval data to correspond to longer-interval data.

In the following sections, it is implicitly assumed that differences between the paired time-series do not arise from different monitoring equipment responses. Where both time-series are of the same parameter or process recorded using the same equipment, this is generally a safe assumption. However, where this is not the case, e.g. the same parameter or process recorded using different equipment for each time-series or different parameters or processes (recorded using different equipment), it will generally be necessary to pre-process the time-series to minimise such differences. In such cases, filtering or spectral decomposition techniques can be used. In particular, Empirical Mode Decomposition (EMD), in decomposing a time-series into separate components (Intrinsic Mode Functions) according to frequency content, has shown promise (Crockett & Gillmore, 2010; Feng, 2011; Huang *et al.*, 1998; Rilling *et al.* 2003).

**2. Correlation and coherence**

Correlation and coherence are techniques for comparing time-series (more generally, waveforms, signals). In brief, correlation compares shape, i.e. envelope, and is a time-domain technique; coherence compares composition, i.e. frequency (harmonic) content, and is a frequency-domain technique. Neither technique directly compares scale, i.e. neither directly detects magnitude anomalies.

Correlation is a relatively familiar and straightforward technique, widely used in various forms to compare datasets in general. However, correlation can be misleading, particularly if used in isolation as the sole means of comparison. For example, consider a pair of identical time-series, such as two equal-frequency sinusoids in the simplest case. If the two sinusoids are exactly in-phase, then their correlation coefficient will be 1 (maximum positive correlation) because both time-series are always changing in the same sense (positively or negatively) at the same time. Conversely, if they are exactly, i.e. a half-cycle, out-of-phase
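The Standardised Radon Index of Section 1.2.1 and the correlation coefficient of Section 2, worked through on a constructed pair of series; this is an added example, not code from the chapter. It assumes an SRI is the z-score of the natural logarithm of each value, and the function names, site parameters and the injected event at sample 300 are all hypothetical.

```python
import math
import random
import statistics

def sri(series):
    """Standardised index: z-scores of the logs of lognormally distributed data.
    Assumption: this is the plain z-score reading of the SRI described above."""
    logs = [math.log(x) for x in series]
    mu, sigma = statistics.fmean(logs), statistics.pstdev(logs)
    return [(v - mu) / sigma for v in logs]

def unit_mean(series):
    """Relative magnitude: scale the series to unit mean value."""
    m = statistics.fmean(series)
    return [x / m for x in series]

def pearson(a, b):
    """Pearson correlation coefficient of two equal-length series."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    return cov / math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))

def simultaneous_anomalies(sri_a, sri_b, k=2.0):
    """Indices where both series lie more than k standard deviations from the
    mean on the same side, i.e. simultaneous similar magnitude anomalies."""
    return [i for i, (a, b) in enumerate(zip(sri_a, sri_b))
            if abs(a) > k and abs(b) > k and a * b > 0]

def constructed_pair(n=500, event=300, seed=7):
    """Constructed data: one common driver z, two different non-linear responses."""
    rng = random.Random(seed)
    z = [rng.gauss(0.0, 1.0) for _ in range(n)]
    z[event] = 3.5                                   # injected common anomaly
    site_a = [math.exp(3.0 + 0.4 * v) for v in z]    # weak response (hypothetical)
    site_b = [math.exp(4.5 + 0.9 * v) for v in z]    # strong response (hypothetical)
    return site_a, site_b

def sinusoid_correlation(phase, n=720):
    """Correlation of two equal-frequency sinusoids offset by `phase` radians,
    sampled over one whole cycle."""
    t = [2 * math.pi * i / n for i in range(n)]
    return pearson([math.sin(x) for x in t], [math.sin(x + phase) for x in t])

if __name__ == "__main__":
    a, b = constructed_pair()
    sa, sb = sri(a), sri(b)
    print("unit-mean values at event:", unit_mean(a)[300], unit_mean(b)[300])
    print("SRI at event:", sa[300], sb[300])
    print("simultaneous anomalies:", simultaneous_anomalies(sa, sb))
    print("correlation raw / SRI:", pearson(a, b), pearson(sa, sb))
    print("in-phase sinusoids:", sinusoid_correlation(0.0))
```

The unit-mean values at the event differ several-fold between the two sites while the SRIs coincide, and the correlation of the raw series falls below that of the SRI series because the two responses are related non-linearly.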
