What are anomalies?
Anomalies are deviations from a normal pattern in one or more metrics that signal unexpected behavior. Anomalies are not, by definition, good or bad. They are simply unexpected results. An anomaly could be an unusually high number of users logging in or an unusually low number as well. If bandwidth use spikes suddenly beyond what would be expected for that time of day, for example, an anomaly would be generated by Anodot and the administrator would likely try to investigate why this happened, perhaps because of a DDOS attack.
Once you start sending your metrics to Anodot, Anodot’s machine learning algorithms automatically track them to determine an expected pattern. The result is a normal range, referred to as the baseline for each metric. So long as the metric value is within the learned normal range, no anomalies are detected.
The normal range for each metric is determined using Anodot’s patent algorithms and is based on many factors that are automatically detected, such as, metric category (stationary/non-stationary, discrete, sparse, and more), detected seasonal patterns and trends.
Where do I see my anomalies?
The Anomalies tab is the central repository of anomalies, each displayed as a customized Anoboard dashboard, that shows anomalies in a predefined set of metrics. To view Anoboards dashboards, select the Anomalies tab from the Navigation Panel.
Anoboards enable teams and individuals to create customized views of anomalies within a set of metrics that represent the service parts of metrics that are their responsibility to track. Selecting an Anoboard dashboard enables you to investigate issues you received from alert notifications.
Anodot establishes that an anomaly has occurred when current values have exceeded learned normal values for the metric. Anodot also assigns a Significance score to each anomaly based on the size and duration of the exception as compared to past performance.
The Anodot Significance Score is a powerful factor in anomaly detection. While each deviation from the normal range is an anomaly, not all anomalies are equally relevant. A decline of 20% in the number of users clicking on a campaign ad is less significant than a 50% decline; but it may be more significant if the 20% decline lasts for 3 hours, while the 50% decline only lasted for 5 minutes. Anodot’s algorithms assign a significance score (a number between 0 and 100) for each anomaly. The score represents how anomalous is the anomaly compared to past anomalies seen for the metric (or group of metrics). Using the significance score makes filtering anomalies that may be less significant easy, thus simplifying the creation of alerts and investigation of anomalies.
Anodot also learns the relationship between metrics, using its behavior topology learning algorithms, so when many related metrics become anomalous, Anodot groups them to identify an “event storm” which is characterized by one or more metrics being measured above or below the normal range. These event storms are grouped anomalies. They help in investigating and isolating of possible causes of anomalous behaviors.
Note: Related metrics are discovered by Anodot’s behavioral topology learning algorithms.
Anoboard anomalies are displayed in two formats:
- Anomaps – the Anomap is a bar chart of all the metrics that are currently filtered by this Anoboard, ranking their most relevant properties and values using a color coding and size relevancy ranking order for a specified time range.
- Anomalies Line Charts – the line chart displays one or a group of metrics simultaneously for a specified time range. Each instance of the anomaly is displayed in a separate chart.