Holo-entropy adaptive boosting based anomaly detection

We claim: 1. A computer-implemented method for determining whether data is anomalous, the method comprising: generating a holo-entropy adaptive boosting model using, at least in part, a set of normal data, wherein the holo-entropy adaptive boosting model includes a plurality of holo-entropy models and associated model weights for combining outputs of the plurality of holo-entropy models, wherein generating the holo-entropy adaptive boosting model comprises, while an overfitting check passes and a training error is decreasing during training of the holo-entropy adaptive boosting model, iteratively adding a new holo-entropy model to the holo-entropy adaptive boosting model, and wherein adding the new holo-entropy model comprises: determining a training error value of the training error; determining a model weight for the new holo-entropy model using, at least in part, the training error value; and updating corresponding weights of data points in the set of normal data that are mis-classified by the new holo-entropy model, wherein the corresponding weights of the data points in the set of normal data are used for the new holo-entropy model; receiving additional data; and determining at least one of (a) whether the additional data is normal or abnormal relative to the set of normal data or (b) a score indicative of how abnormal the additional data is using, at least in part, the generated holo-entropy adaptive boosting model. 2. The method of claim 1 , wherein generating the holo-entropy adaptive boosting model includes: receiving the set of normal data, each data point in the set of normal data including one or more features that are assigned an initial weight of 1. 3. The method of claim 1 , wherein the overfitting check includes determining whether a set of sensitive data points that are abnormal are classified as normal by the holo-entropy adaptive boosting model. 4. The method of claim 1 , wherein adding the new holo-entropy model and determining the model weight for the new holo-entropy model includes: performing a modified holo-entropy algorithm, wherein: the modified holo-entropy algorithm takes as inputs data points in the set of normal data, respective weights associated with the data points in the set of normal data, and a test data set that is the same as the set of normal data, and in the modified holo-entropy algorithm, a weight is assigned to each data point, the weight of each data point is used to calculate a probability, and an outlier factor is calculated using a weighted summation of features. 5. The method of claim 1 , further comprising, looping over a plurality of values of a learning rate hyperparameter and, during the looping, iteratively performing the steps of while the overfitting check passes and the training error is decreasing, adding the new holo-entropy model and determining the model weight for the new holo-entropy model. 6. The method of claim 5 , wherein the plurality of values of the learning rate hyperparameter include values from 0.01 to 1 in increments of 0.01. 7. The method of claim 1 , wherein determining at least one of (a) whether the additional data is normal or abnormal relative to the set of normal data or (b) the score indicative of how abnormal the additional data includes: determining, using each of the plurality of holo-entropy models in the holo-entropy adaptive boosting model, a respective score; and combining the determined scores based, at least in part, on the model weight associated with each of the holo-entropy models. 8. The method of claim 1 , wherein: the additional data is associated with at least one behavior of a process or an alarm generated by at least one behavior of the process; and the set of normal data includes intended state information for the process associated with a baseline of behaviors for the process. 9. The method of claim 8 , wherein the process is a system process executed in one or more virtual computing instances. 10. The method of claim 8 , wherein at least one feature in the set of normal data comprises a connection on a port associated with the process. 11. The method of claim 1 , further comprising, taking remedial action in response to determining the additional data is abnormal. 12. A non-transitory computer-readable medium comprising instructions to be executed in a processor of a computer system, the instructions when executed in the processor cause the computer system to carry out a method for determining whether data is anomalous, comprising: generating a holo-entropy adaptive boosting model using, at least in part, a set of normal data, wherein the holo-entropy adaptive boosting model includes a plurality of holo-entropy models and associated model weights for combining outputs of the plurality of holo-entropy models, wherein generating the holo-entropy adaptive boosting model comprises, while an overfitting check passes and a training error is decreasing during training of the holo-entropy adaptive boosting model, iteratively adding a new holo-entropy model to the holo-entropy adaptive boosting model, and wherein adding the new holo-entropy model comprises: determining a training error value of the training error; determining a model weight for the new holo-entropy model using, at least in part, the training error value; and updating corresponding weights of data points in the set of normal data that are mis-classified by the new holo-entropy model, wherein the corresponding weights of the data points in the set of normal data are used for the new holo-entropy model; receiving additional data; and determining at least one of (a) whether the additional data is normal or abnormal relative to the set of normal data or (b) a score indicative of how abnormal the additional data is using, at least in part, the generated holo-entropy adaptive boosting model. 13. The non-transitory computer-readable medium of claim 12 , wherein generating the holo-entropy adaptive boosting model includes: receiving the set of normal data, each data point in the set of normal data including one or more features that are assigned an initial weight of 1. 14. The non-transitory computer-readable medium of claim 12 , wherein the overfitting check includes determining whether a set of sensitive data points that are abnormal are classified as normal by the holo-entropy adaptive boosting model. 15. The non-transitory computer-readable medium of claim 12 , wherein adding the new holo-entropy model and determining the model weight for the new holo-entropy model includes: performing a modified holo-entropy algorithm, wherein: the modified holo-entropy algorithm takes as inputs data points in the set of normal data, respective weights associated with the data points in the set of normal data, and a test data set that is the same as the set of normal data, and in the modified holo-entropy algorithm, a weight is assigned to each data point, the weight of each data point is used to calculate a probability, and an outlier factor is calculated using a weighted summation of features. 16. The non-transitory computer-readable medium of claim 12 , the method further comprising, looping over a plurality of values of a learning rate hyperparameter and, during the looping, iteratively performing the steps of while the overfitting check passes and the training error is decreasing, adding the new holo-entropy model and determining the model weight for the new holo-entropy model. 17. The non-transitory computer-readable medium of claim 16 , wherein the plurality of values of the learning rate hyperparameter