Detection Perspectives

The anomaly detection perspectives are the basis of the anomalous behavior (AB) model. Each perspective handles the residuals output of the normal behavior (NB) model from a different perspective, and thus each one is suited for indicating different types of anomalies. The process of building the AB model consists of building one submodel and producing one anomaly indicator for each perspective.

The individual aspects of the anomaly detection perspectives are explained in the subsections below. We assume that the residuals output from the NB model looks as following:

Each subsection contains a visualization of applying the AB model with a particular perspective to the residuals output. The grey and pink areas indicate the in-sample period where the model is built and the out of sample period used for detecting anomalies, respectively. The upper subplot shows the residuals that are entering the AB model as well as the detected anomalies. The lower subplot shows the particular perspective when applied to the residuals output. Finally, there is a formula, where t represents a timestamp and w is the window length, that is determined automatically by TIM based on the number of samples in a day.

Residual

AB model with the residual perspective detects global outliers in the residuals output. Residuals with significantly higher magnitude than those observed on the in-sample period are detected as anomalous.

$Residual_{(t)}=Actual_{(t)}-\widehat{NormalBehavior}_{(t)}$

Residual Change

AB model with the residual change perspective seeks for local outliers in the residuals output. It does so by detecting the most extreme changes in the residuals, i.e. relatively stable periods followed by extreme residual. Anomaly is detected if the change is too "extreme" compared to what the AB model can see on the in-sample period.

$ResidualChange_{(t,w_1,w_2)}=\frac{Residual_{(t)}-\widetilde{Residual}_{(t-w_1+1,t-w_2)}}{1+\sum_{i=t-w_1+1}^{t-w_2}\left|Residual_{(i)}-\widetilde{Residual}_{(t-w_1+1,t-w_2)}\right|},$

where

$\widetilde{Residual}_{(x_1, x_2)}=median\left(Residual_{(x_1)},Residual_{(x_1+1)},...,Residual_{(x_2)}\right)$

Fluctuation

The fluctuation perspective describes the fluctuation of the residuals output. The values of the perspective varies with varying fluctuation in the residuals. Using the fluctuation perspective, the AB model detects anomalies if different fluctuations are observed than those which were present during the in-sample period.

$Fluctuation_{(t,w)}=\sqrt{\frac{1}{w-1}\sum_{i=t-w+1}^{t}\left(Residual_{(i)}-\overline{Residual}_{(t-w+1,t)}\right)^{2}},$

where

$\overline{Residual}_{(x_1, x_2)}=mean\left(Residual_{(x_1)},Residual_{(x_1+1)},...,Residual_{(x_2)}\right)$

Fluctuation Change

The fluctuation change perspective focuses on the fluctuation of the residuals output similarly to the fluctuation perspective. However, the difference is that the fluctuation change perspective seeks only for the change in the fluctuation. The image below shows the in-sample period without fluctuation change followed by the out of sample period with anomalies detected as soon as fluctuation change is observed.

$FluctuationChange_{(t,w_1,w_2)}=\frac{Fluctuation_{(t,w_2)}-Fluctuation_{(t-w_2,w_1-w_2)}}{1+\sum_{i=t-w_1+1}^{t-w_2}\left|Residual_{(i)}-\widetilde{Residual}_{(t-w_1+1,t-w_2)}\right|}$

Imbalance

Let's assume for this and the following subsection that the residuals output from the NB model looks as following:

The imbalance perspective helps to detect anomalies accompanied by deviation of the residuals output from zero for a longer period of time. The magnitude and direction of the deviation reflect into the magnitude and direction of the perspective respectively. The image below shows an example of the AB model detecting two periods with high imbalance, each in the opposite direction.

$Imbalance_{(t,w)}=\frac{1}{w}\sum_{i=t-w+1}^{t}Residual_{(i)}$

Imbalance Change

AB model with an imbalance change perspective is suited for detecting anomalies that occur when a change of imbalance in the residuals output is observed. The image below shows the in-sample period without change in imbalance and four out of sample periods where the change occurred.

$ImbalanceChange_{(t,w_1,w_2)}=\frac{Imbalance_{(t,w_2)}-Imbalance_{(t-w_2,w_1-w_2)}}{1+\frac{1}{w_1-w_2}\sum_{i=t-w_1+1}^{t-w_2}\left|Residual_{(i)}-\widetilde{Residual}_{(t-w_1+1,t-w_2)}\right|}$

Residual​

Residual Change​

Fluctuation​

Fluctuation Change​

Imbalance​

Imbalance Change​