Skip to content

Overview

This section summarizes the mathematical outputs across all TIM Anomaly Detection methods.

CSV result (table)

There are two differently structured result tables; the one that is returned is based on the type of anomaly detection job.

build-model, rebuild-model and detect jobs

The first table below gives an overview of the output to expect of the tabular response (csv output) for anomaly detection jobs of type build-model, rebuild-model and detect:

timestamp model_index kpi normal_behavior anomaly_code anomaly_indicator_"name of Detection Perspective"
2020-10-12T03:00:00.0 4 70115.16 71277.24 0 0.31
2020-10-12T04:00:00.0 5 83422.47 83687.43 0 0.45
2020-10-12T05:00:00.0 6 85931.01 92960.32 0 0.72
2020-10-12T06:00:00.0 7 91858.28 90857.38 1 1.23
2020-10-12T07:00:00.0 8 94156.52 91852.39 0 0.33
2020-10-12T08:00:00.0 9 94503.08 93413.58 0 0.56

Timestamp

The timestamp column represents the timestamp that corresponds to the given row of outputs.

Model index

The model_index column represents the index of the model that was used for the normal behavior evaluation of the KPI. The number of possible model indices depends on the configuration of the daily cycle parameter.

KPI

The kpi column shows the actual value of the selected KPI column for anomaly detection.

Normal behavior

Each row of the normal-behavior column contains a real number returned from the normal behavior model evaluation for a given data point. This number describes how the KPI is expected to behave under the circumstances given by the influencers.

Anomaly code

The anomaly_code column contains integer values from 0 to 3 indicating whether there is an anomaly in the KPI for a given timestamp. The returned value is evaluated based on all anomaly indicators (corresponding to the determined detection perspectives).

In case the anomaly indicators for all detection perspectives were calculated, the anomaly code is 1 in case at least one anomaly indicator is above 1, and 0 otherwise. In case the anomaly indicator for at least one detection perspective was not calculated, the anomaly code is 3 in case at least one of anomaly indicator is above 1, and 2 otherwise.

Anomaly indicators

For each of the included detection perspectives, a column is included for the corresponding anomaly indicator. These columns contain numbers from the interval (0, infinity) that specify the extent to which a given data point in time is anomalous. Data points with an anomaly indicator higher than 1 are considered anomalous. See the anomaly indicator section to learn more.

RCA jobs

The table below gives an overview of the output to expect of the tabular response (csv output) for anomaly detection jobs of type rca:

timestamp model_index kpi normal_behavior diff_normal_behavior _"name of Influencer 1" _"name of Influencer 2" ... _"name of Influencer N" _diff_"name of Influencer 1" _diff_"name of Influencer 2" ... _diff_"name of Influencer N"
2020-10-12T03:00:00.0 4 70115.16 71277.24 5250.57478589984 0 0.31 0.0856867739083295 6371.5959080431 0 727.376704085072 ... 0
2020-10-12T04:00:00.0 5 83422.47 83687.43 3450.52478589984 0 0.45 0.00976161198813676 7563.0550795337 0 825.976580193047 ... 0
2020-10-12T05:00:00.0 6 85931.01 92960.32 -2250.174728489984 0 0.72 1.27804752760902 83898.8481559912 0 1029.63298605852 ... 0.5
2020-10-12T06:00:00.0 7 91858.28 90857.38 3240.87478589984 0 1.23 0.0337970522302838 4671.2022090489 0 1362.98733337759 ... 0.1
2020-10-12T07:00:00.0 8 94156.52 91852.39 -1231.14178543984 0 0.33 0.229208764902578 8997.1516298713 0 -1345.38208161086 ... 0
2020-10-12T08:00:00.0 9 94503.08 93413.58 3210.17578289984 0 0.56 0.0415544217174877 9128.3621537876 0 -400.37972214374 ... 0

Root cause analysis (RCA)

The root cause analysis (RCA) result contains additional columns for each of the influencers in the normal behavior model in scope. These columns contain real numbers represented both as a nominal influencer's involvement (_"NameOfInfluencer") in normal behavior value and as a nominal influencer's change involvement ( _diff_"NameOfInfluencer" ) in normal behavior change for a given data point. The sum of influencer/influencer change terms equals the normal behavior/normal behavior change value for the given data point. See the root cause analysis section to learn more.

Model result

A model result consists of three parts: settings, normalBehaviorModel and anomalousBehaviorModel. The table below shows the availability of the model result in the anomaly detection methods:

Configuration field build-model rebuild-model detect rca
model

☑ available in a given method
☐ not available in a given method

Anomaly detection jobs of type build-model and rebuild-model produce a model, while anomaly detection jobs of type detect and rca make use of the model of their parent job.

Sensitivity

One of the parameters contained in the model is the sensitivity parameter that was used to build the model. If a concrete input sensitivity parameter is specified, then the output sensitivity will represent this same value. If, however, only the maximum sensitivity and/or minimum sensitivity parameters are specified, TIM determines the sensitivity automatically and the result of this calculation is returned. The returned sensitivity can be found in the anomalous behavior part of the model, under detectedSensitivity, as shown below. It is always linked to a specific detection perspective.

"model": {
  "anomalousBehaviorModel": {
    "submodels": [
      {
        "perspective": "Residual",
        "detectedSensitivity": 0.35
      }
    ]
  }
}

Error measures result

A performance metrics result consists of two parts: AUC and confusionMatrix. The table below shows the availability of this result based on the type of job:

Configuration field build-model rebuild-model detect rca
errorMeasures

☑ available in a given method, but only if an anomaly label is defined in the relevant job
☐ not available in a given method

Anomaly detection jobs of type build-model, rebuild-model and detect can produce error measures, but only in case an anomaly label is available in the data and was defined in the registration body of the job (build-model) or a parent job of the job (rebuild-model and detect). An RCA job type does not serve to measure the performance.

Example of the response:

{
  "AUC": 0.9948358700639194,
  "confusionMatrix": {
    "truePositive": 30,
    "trueNegative": 30502,
    "falsePositive": 12,
    "falseNegative": 200
  }
}

If you want to learn more about these performance metrics, see the error measures section.