Anomalies are deviations from a normal pattern in one or more metrics that signal unexpected behavior. Anomalies are not, by definition, good or bad. They are simply unexpected results. An anomaly could be an unusually high number of users logging in or an unusually low number as well. If bandwidth use spikes suddenly beyond what would be expected for that time of day, for example, an anomaly would be generated by Anodot and the administrator would likely try to investigate why this happened, perhaps because of a DDOS attack.
Once you start sending your metrics to Anodot, Anodot’s machine learning algorithms automatically track them to determine an expected pattern. The result is a normal range, referred to as a sleeve, for each metric. So long as the metric value is within the learned normal range, no anomalies are detected.
The normal range for each metric is determined using Anodot’s patent-pending algorithms and is based on many factors that are automatically detected, such as, metric category (stationary/non-stationary, discrete, sparse, and more), detected seasonal patterns and trends.
The Anodot Significance Score is a powerful factor in anomaly detection. While each deviation from the normal range is an anomaly, not all anomalies are equally relevant. A decline of 20% in number of users clicking on a campaign ad is less significant than a 50% decline; but it may be more significant if the 20% decline lasts for 3 hours, while the 50% decline only lasted for 5 minutes. Anodot’s algorithms assign a significance score (a number between 0 and 100) for each anomaly. The score represents how anomalous is the anomaly compared to past anomalies seen for the metric (or group of metrics). Using the significance score makes filtering anomalies that may be less significant easy, thus simplifying the creation of alerts and investigation of anomalies.
Anodot also learns the relationship between metrics, using its behavior topology learning algorithms, so when many related metrics become anomalous, Anodot groups them to identify an “event storm” which is characterized by one or more metrics being measured above or below the normal range. These event storms are grouped anomalies. They help in investigating and isolating of possible causes of anomalous behaviors.
For working with anomalies, see Anomalies.