aK-Nearest Neighbors

1. K Nearest Neighbors (KNN)• The basic idea of KNN is to figure out what an unlabeled example is according to its neighbors.• Parameter k${\displaystyle k}$ indicates the number of neighbors we're considering.• The label is determined by majority voting.– For example, for k=7${\displaystyle k=7}$, and 6 of examples → 1${\displaystyle 1}$ and 1 example → 0${\displaystyle 0}$. 6⁄7=85.7% → 1${\displaystyle 6⁄7=85.7\%\to 1}$ and 1⁄7=14.3% → 0${\displaystyle 1⁄7=14.3\%\to 0}$.– Note: In order to avoid ties, it's better to pick odd numbers for k${\displaystyle k}$.• Distance is KNN is defined as Euclidean Distance → d(a,b) = (a1-b1)2+…+(am-bm)2${\displaystyle d(\overrightarrow{a},\overrightarrow{b})=\sqrt{(a_1-b_1{)}^2+\dots +(a_m-b_m{)}^2}}$– Note: We should use some feature normalization like Minmax Scaling before calculating distance.– Note: We could also use Manhattan distance → d(a,b) = |a1-b1|+...+|am-bm|${\displaystyle d(\overrightarrow{a},\overrightarrow{b})=|a_1-b_1|+...+|a_m-b_m|}$• KNN can be susceptible to outliers. – In order to determine if an unlabeled example is an outlier, we can average its distance to k${\displaystyle k}$ nearest neighbors and if the average distance is greater than some threshold, we can label it as an outlier (an odd example).– We can determine the threshold through cross validation.• How to account for categorical features in KNN?– For ordinal categorical features, we can use Gower Distance.– For comparing two asymmetric binary variables, we can use Jaccard Distance.* Note: For two asymmetric binary variables, we exclude the zeros. But for a symmetric binary we include the zeros as well.– For multi-category variables we can use Hamming Distance.• How does KNN predict regression models?– It just averages the value of k${\displaystyle k}$ nearest neighbors.• Partial Considerations– KNN performs poorly when features are in dimensionality (especially euclidean distance).* One way to mitigate this problem is dimensionality reduction.* Another way is to do forward feature selection using cross validation.– KNN is sensitive to scaling (this is true for any model that's based upon distance).– One way to improve the performance of KNN is to weigh the votes.* For any node i${\displaystyle i}$ (i⩽k${\displaystyle i⩽k}$), the weight is calculated by → d1+d2+…+dk

di${\displaystyle \frac{d_1+d_2+\dots +d_k}{d_i}}$* So, if the distance to neighbor node i${\displaystyle i}$, di${\displaystyle d_i}$, gets smaller it will get higher weight.* Note: Numerator is fixed and only the denominator changes.– KNN is computationally expensive → O(n.d.k)${\displaystyle O(n.d.k)}$ where n${\displaystyle n}$ is the number of nodes, and d${\displaystyle d}$ is the dimension of each node.* To reduce the complexity down, we can use a k-d tree data structure which allows us to locate the relevant points faster than iterating over all the points. * Note that k-d tree also suffers from increase in dimensionality.• Example: Cyber Security– Every once in a while these programs will make calls to the operating system (i.e. system calls).– Our goal is to detect intrusive processes/programs in all the machines in a system.– Our features are going to be system calls which look like this:* pid1 = ['mkdir', 'mount', 'poll', 'chown']${\displaystyle pi{d}_1=[\mathtt{\text{'}}\mathtt{m}\mathtt{k}\mathtt{d}\mathtt{i}\mathtt{r}\mathtt{\text{'}}\mathtt{,}\mathtt{\text{'}}\mathtt{m}\mathtt{o}\mathtt{u}\mathtt{n}\mathtt{t}\mathtt{\text{'}}\mathtt{,}\mathtt{\text{'}}\mathtt{p}\mathtt{o}\mathtt{l}\mathtt{l}\mathtt{\text{'}}\mathtt{,}\mathtt{\text{'}}\mathtt{c}\mathtt{h}\mathtt{o}\mathtt{w}\mathtt{n}\mathtt{\text{'}}]}$* pid2 = ['chroot', 'bind', 'fork', 'open', 'pready']${\displaystyle pi{d}_2=[\mathtt{\text{'}}\mathtt{c}\mathtt{h}\mathtt{r}\mathtt{o}\mathtt{o}\mathtt{t}\mathtt{\text{'}}\mathtt{,}\mathtt{\text{'}}\mathtt{b}\mathtt{i}\mathtt{n}\mathtt{d}\mathtt{\text{'}}\mathtt{,}\mathtt{\text{'}}\mathtt{f}\mathtt{o}\mathtt{r}\mathtt{k}\mathtt{\text{'}}\mathtt{,}\mathtt{\text{'}}\mathtt{o}\mathtt{p}\mathtt{e}\mathtt{n}\mathtt{\text{'}},\text{'}\mathtt{p}\mathtt{r}\mathtt{e}\mathtt{a}\mathtt{d}\mathtt{y}\text{'}]}$* pid3 = ...${\displaystyle pi{d}_3=...}$– The labels are instrusive → 1${\displaystyle instrusive\to 1}$ and non-intrusive → 0${\displaystyle non-intrusive\to 0}$.– We can treat system calls as just words and perform TF-IDF on the them to make them numerical.* pid1 = [0.15, 0.12, 0.13, 0.31]${\displaystyle pi{d}_1=[0.15,0.12,0.13,0.31]}$* pid2 = [0.16, 0.31, 0.46, 0.21, 0.11]${\displaystyle pi{d}_2=[0.16,0.31,0.46,0.21,0.11]}$* pid3 = ...${\displaystyle pi{d}_3=...}$– For an unlabeled example, we calculate its distance to all other nodes, and determine its label based on the majority voting of its closest k${\displaystyle k}$ neighbors.– Let's say we also have a categorical features named 'priority'. It has three values: High, Medium, Low. Let's calculate Gower distance.* High → 0, Medium → 1, Low → 2* Gower Distance = value⁄max(value)${\displaystyle value⁄\max (value)}$* dGower(high) = 0⁄2, dGower(medium) = 1⁄2, dGower(low) = 2⁄2${\displaystyle d_{Gower}(high)=0⁄2,d_{Gower}(medium)=1⁄2,d_{Gower}(low)=2⁄2}$