TIM for Anomaly Detection

TIM for Anomaly Detection allows you to build a new anomaly detection model, rebuild an existing, run detection using such model.  Having a reasonable model is crucial for finding true anomalies. To train such a model, TIM requires data, routine and mathematical settings. A feedback in the form of results is also at your disposal and can be very instructive. 

First, you put your data in a required format, determine a target/KPI on which you want to detect anomalies and, if available, include influencers/features that affect your KPI. You build your model on historical data and then, as new measurements flow into your database, you use this model to evaluate them. Technically, if you have data, you can automatically create a model. 

However, to have a model which meets your situation from the perspective of routine (predictor updates, times of detection, …), understanding of what your data looks like in the moment of detection is essential. Model building task returns not only a model but also results - anomaly indicator values on the model building period. Analysis of the result helps you to decide if the model was configured appropriately.

In case you are not satisfied with the results and want to tweak TIMs performance, you can change the sensitivity parameter, training period, or the configuration of math settings manually. If you are satisfied with the model, you can use it for detection as often as a new data point comes into your database. 

To sum it up, data and routine are a must for creating a model. In case you want to tweak your model you can play with the configuration of TIM. A built model can be used for detection as often as required. We will go into detail for all of the mentioned topics.  

The typical approach in automatic model building is to find and tune the best model possible, store it and then interpret it with new data coming in to make detection. Then, after a while, you would rebuild it with new data.   As we have already learnt, to build a reasonable model is essential. Then, with such a model you can detect anomalies for both old and new data points.   Yet, imagine a situation where you have built a model you can rely on from the perspective of routine and math settings, but you want to update your model with new incoming data. If so, this is the right method to use.  

All of the configuration remains the same and is written in a corresponding model, the only thing you change is training period of the input data. It is up to you whether you will shorten or extend it.  

So what you need to have are a model and input data in the same form as when building a model.   In addition, you have more options of rebuilding, since the anomaly detection layer consists of two parts. The options are following:  


Recalibrating the normal behavior model 

Normal Behavior Model

Rebuilding the normal behavior model 

Abnormal Behavior Model

Rebuilding the abnormal behavior model 


Rebuilding both normal and abnormal behavior model 

Note : By default it rebuilds both 

Most often, the case is that you have built a model suitable for your problem and want to use it for real-time detection. To detect TIM requires two things - model and new data. There are a couple of things you have to care about - we will go through them.

When detecting, you have to make sure that data you are sending to TIM are in the same form as when training. Therefore it might be useful first to read the section regarding data.
Also, to make detection possible for the chosen period, you have to include at least that amount of data which is required by the underlying model. Otherwise, points without all the expected inputs can't be calculated by the model. Data requirements differ from predictor to predictor.