The anomaly detection features are the basis of the anomalous behavior (AB) learner. Each feature handles the residuals output of the normal behavior (NB) learner from different perspective and thus each one is suited for indicating different types of anomalies. The process of training the AB learner consists of training one submodel and producing one anomaly indicator for each feature.
The individual aspects of the anomaly detection features are explained in the subsections below. We assume that the residuals output from the NB learner looks as following:
Each subsection contains a visualization of applying the AB learner with particular feature to the residuals output. The grey and pink areas indicate the in-sample period where the model is trained and the out of sample period used for detecting anomalies, respectively. The upper subplot shows the residuals that are entering the AB learner as well as the detected anomalies. The lower subplot shows the particular feature when applied to the residuals output.
AB learner with the residual feature detects global outliers in the residuals output. Residuals with significantly higher magnitude than those observed on the in-sample period are detected as anomalous.
AB learner with the residual change feature seeks for local outliers in the residuals output. It does so by detecting the most extreme changes in the residuals, i.e. relatively stable periods followed by extreme residual. Anomaly is detected if the change is too "extreme" compared to what the AB learner can see on the in-sample period.
The fluctuation feature describes the fluctuation of the residuals output. The values of the feature varies with varying fluctuation in the residuals. Using the fluctuation feature, AB learner detects anomalies if different fluctuations are observed than those which were present during the in-sample period.
The fluctuation change feature focuses on fluctuation of the residuals output similarly as fluctuation feature. The difference is, however, that fluctuation change feature seeks only for the change in the fluctuation. The image below shows the in-sample period without fluctuation change followed by the out of sample period with anomalies detected as soon as fluctuation change is observed.
Let's assume for this and the following subsection that the residuals output from the NB learner looks as following:
Imbalance feature helps to detect anomalies accompanied by deviation of the residuals output from zero for a longer period of time. The magnitude and direction of the deviation reflect into the magnitude and direction of the feature respectively. The image below shows an example of the AB learner detecting two periods with high imbalance, each one in the opposite direction.
AB learner with imbalance change feature is suited for detecting anomalies that occur when a change of imbalance in the residuals output is observed. The image below shows the in-sample period without change in imbalance and four out of sample periods where the change occurred.