Overview
Anomaly detection is the task of identifying observations, events, or patterns that deviate from expected (i.e., normal) behavior. What counts as normal depends on the system, the time horizon, and assumptions about the data-generating process.
Common Anomaly Types
- Point anomaly: a single observation is abnormal.
- Contextual anomaly: abnormal only in a specific context (time, location, seasonality, operating mode).
- Collective anomaly: a sequence/group is abnormal even if individual points appear normal.
Common Approaches
- Supervised: learn a classifier from labeled normal/anomalous examples (often highly imbalanced).
- Semi-supervised / one-class: learn a model of normal behavior and flag deviations (e.g., one-class SVM, reconstruction models).
- Unsupervised: detect outliers via distance/density/clustering assumptions (e.g., k-means variants, LOF, Isolation Forest).
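The following is an added example, not part of this note, that applies the semi-supervised approach above (fit a baseline of normal behaviour, then flag deviations) to constructed hourly failed-login counts for a hypothetical service: a per-context z-score catches a contextual anomaly that a single global threshold would miss, and a one-sided CUSUM catches a collective anomaly in which no individual value is extreme. The contexts, counts and thresholds are all constructed.

```python
import statistics
from collections import defaultdict

# Constructed baseline of normal behaviour: (context, failed logins per hour).
# Two operating modes, "night" and "day"; a count of 40 is routine by day but
# far outside night behaviour, which is the note's contextual-anomaly case.
BASELINE = [("night", v) for v in (2, 3, 1, 2, 3, 2, 1, 2, 3, 2)] + \
           [("day", v) for v in (45, 55, 50, 42, 58, 48, 52, 50, 40, 60)]

def fit_baseline(samples):
    """Semi-supervised step: per-context mean and stdev of normal data only."""
    by_ctx = defaultdict(list)
    for ctx, v in samples:
        by_ctx[ctx].append(v)
    return {c: (statistics.mean(vs), statistics.pstdev(vs)) for c, vs in by_ctx.items()}

def contextual_anomalies(model, samples, z_thresh=3.0):
    """Flag points that are extreme relative to their own context's baseline."""
    flagged = []
    for i, (ctx, v) in enumerate(samples):
        mu, sd = model[ctx]
        z = (v - mu) / sd if sd > 0 else (0.0 if v == mu else float("inf"))
        if abs(z) > z_thresh:
            flagged.append((i, ctx, v, round(z, 2)))
    return flagged

def collective_shift(model, ctx, values, k=0.5, h=4.0):
    """One-sided CUSUM over standardized values: accumulates small positive
    deviations and returns the index where the run first exceeds h, or None.
    A sustained shift is detected even though no single value exceeds z_thresh."""
    mu, sd = model[ctx]
    s = 0.0
    for i, v in enumerate(values):
        s = max(0.0, s + (v - mu) / sd - k)
        if s > h:
            return i
    return None

MODEL = fit_baseline(BASELINE)
# Constructed observations: 40 failed logins at night is contextually anomalous;
# the same count by day is not.
OBSERVED = [("night", 40), ("day", 40), ("night", 3), ("day", 55)]
# Constructed day sequence: every value is within about 1.3 stdev of the mean,
# but the whole run sits above it, a rise that never trips a per-hour threshold.
SHIFTED_DAY = [56, 57, 55, 58, 56, 57, 56, 58, 57, 56, 57, 58]

if __name__ == "__main__":
    print("contextual:", contextual_anomalies(MODEL, OBSERVED))
    print("collective shift at index:", collective_shift(MODEL, "day", SHIFTED_DAY))
```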
Modalities (Examples)
- Networking: flow-level statistics, packet traces, service metrics.
- Logs: templates, sequences, and event-count features.
- Time series: forecasting-based or reconstruction-based detectors (uni-/multivariate).
Related Notes
- Network anomaly detection
- Anomaly Detection by Using Streaming K-Means and Batch K-Means
- Log message anomaly detection with oversampling
- Multivariate Time Series Anomaly Detection
- Deep Learning for multivariate time series data Anomaly Detection
- Wireless Anomaly detection Project
- networking autoencoders Un-Supervised Anomaly Detection