The hybrid approach: benefit from both multivariate and univariate anomaly detection techniques
In our previous post, we explained what time series data is and provided some details as to how the Anodot time series anomaly detection system is able to spot anomalies in time series data. We also discussed the importance of choosing a model for a metric’s normal behavior that includes any and all seasonal patterns in the metric, and the specific algorithm that Anodot uses to find seasonal patterns.
A concise explanation of conciseness
At the end of that post we said it’s possible to get a sense of the bigger picture from a lot of individual anomalies. Conciseness is a requirement of any large-scale anomaly detection system because monitoring millions of metrics is guaranteed to generate a flood of reported anomalies, even if there are zero false positives. Achieving conciseness in this context is analogous to distilling the many individual symptoms into a single diagnosis, in much the same way that a mechanic might diagnose a car problem by observing the pitch, volume, and duration of all the sounds it makes, in addition to watching all the dials and indicator lights on the dashboard.
Univariate and multivariate anomaly detection techniques
After employing the anomaly detection techniques described in our last post (and in our previous series), how does a practical real-time system like Anodot’s actually achieve concise reporting of detected anomalies? How does the system determine the diagnosis? The answer is that after the system detects anomalies in individual metrics, a second layer of machine learning takes over and groups anomalies from related metrics together. This grouping of related anomalies condenses the original flood of individual alerts into a smaller, more manageable number of underlying incidents.
This two-step approach actually combines two different anomaly detection techniques: univariate and multivariate. Univariate anomaly detection looks for anomalies in each individual metric, while multivariate anomaly detection learns a single model for all the metrics in the system.
Univariate methods are simpler, so they are easier to scale to many metrics and large datasets; however, someone then has to unravel the causal relationships between the anomalies in the resulting alert storm. Companies need to quickly understand what all those alerts mean before they can decide what to do in response.
Multivariate approaches, on the other hand, detect anomalies as complete incidents, yet are difficult to scale, both in terms of computation and accuracy of the models. This approach also produces anomaly alerts which are hard to interpret because all the metrics are inputs which generate a single output from the anomaly detection system. Multivariate methods are hard to scale beyond a few metrics because each added metric introduces interactions between itself and all the other metrics. Since multivariate anomaly detection methods have to model this entire complex system, the computational cost increases rapidly as the number of modeled metrics increases. Furthermore, the individual metrics need to have similar statistical behavior for multivariate methods to work accurately.
Revolutionizing anomaly detection techniques: Anodot’s two-step approach
Anodot effectively combines the strengths of each of these techniques into a hybrid approach. Since univariate anomaly detection is used first on individual metrics, Anodot’s approach benefits from its scalability and simplicity. By using other advanced AI techniques for discovering relationships between the metrics, Anodot utilizes the multivariate approach to group and interpret related anomalies, satisfying the requirement of conciseness we spoke of earlier.
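The two-step flow described above, as an added example that is not Anodot's code: the robust z-score detector and the rule "correlated in history and anomalous at the same time" are assumed stand-ins for the techniques the post leaves unspecified, and all metric names and values are constructed.

```python
# Added illustration: the detector and grouping rule are assumed stand-ins,
# not Anodot's algorithms. All metric names and values are constructed.
from statistics import mean, median

HISTORY = {  # earlier "normal" window, used only to learn which metrics relate
    "login_failures":  [10, 12, 11, 13, 12, 14, 13, 15],
    "auth_latency_ms": [100, 120, 110, 130, 120, 140, 130, 150],
    "disk_io":         [5, 3, 6, 2, 7, 3, 6, 2],
}
METRICS = {  # current window being monitored
    "login_failures":  [12, 13, 11, 12, 90, 95, 12, 13],
    "auth_latency_ms": [120, 130, 110, 120, 900, 950, 120, 130],
    "disk_io":         [5, 3, 6, 2, 7, 3, 60, 2],
    "cpu_util":        [40, 41, 39, 40, 41, 40, 39, 40],
}

def univariate_anomalies(series, threshold=5.0):
    """Step 1: flag time indices where ONE metric strays from its own median."""
    med = median(series)
    mad = median(abs(x - med) for x in series) or 1e-9  # robust spread
    return {i for i, x in enumerate(series) if abs(x - med) / mad > threshold}

def pearson(a, b):
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    norm = (sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b)) ** 0.5
    return cov / norm if norm else 0.0

def group_incidents(metrics, history, min_corr=0.8):
    """Step 2: merge flagged metrics that are related AND anomalous together."""
    flagged = {m: univariate_anomalies(s) for m, s in metrics.items()}
    names = sorted(m for m, idx in flagged.items() if idx)
    parent = {m: m for m in names}  # union-find forest, one tree per incident
    def find(m):
        while parent[m] != m:
            m = parent[m]
        return m
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            related = abs(pearson(history[a], history[b])) >= min_corr
            if related and flagged[a] & flagged[b]:
                parent[find(b)] = find(a)
    incidents = {}
    for m in names:
        incidents.setdefault(find(m), []).append(m)
    return sorted(incidents.values())

if __name__ == "__main__":
    print(group_incidents(METRICS, HISTORY))
```

Three flagged metrics collapse into two incidents here, while `cpu_util` raises nothing at step 1 and never reaches the grouping stage.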
This blending of univariate and multivariate anomaly detection is very similar to Anodot’s combination of supervised and unsupervised anomaly detection techniques we discussed in our previous series. At each layer of its anomaly detection system, Anodot uses the most appropriate data science and machine learning techniques for that layer, even combining them in sophisticated ways to provide businesses with actionable information in real time.
Tune in next time to learn how your business can sift through thousands or even millions of metrics in real time using automated anomaly detection.