Anomaly Detection Rules

From FojiSoft Docs

Anomaly detection identifies unusual or abnormal patterns in data and is used across many domains. When setting up detection rules for anomalies, several parameters need to be defined: the type of anomalies to detect, the minimum score threshold for triggering an alert, and the severity level assigned to detected events. This documentation provides an overview of these parameters and their significance in anomaly detection systems.

Anomaly Type

Anomaly type refers to the specific category or classification of anomalies that are targeted for detection. It defines the nature or characteristics of the abnormal patterns that the detection algorithm focuses on. Different anomaly types may include:

  • All Anomalies: In this setting, the detection rule is designed to identify all types of anomalies, regardless of their specific characteristics. It provides a general-purpose approach to detect any deviations from the expected or normal behavior.
  • Below Normal Anomalies: This anomaly type focuses on detecting patterns that fall below the normal range or expected values. It is useful when anomalies manifest as unusually low values or occurrences that deviate from the typical behavior.
  • Above Normal Anomalies: This anomaly type aims to identify patterns that exceed the normal range or expected values. It is applicable when anomalies present as unusually high values or events that go beyond the usual behavior.

Choosing the appropriate anomaly type depends on the specific application domain, the nature of anomalies of interest, and the desired focus of the anomaly detection system.

Minimum Score

The minimum score parameter sets a threshold for the anomaly detection algorithm, specifying the minimum anomaly score required to trigger an alert or flag an event as anomalous. The anomaly score represents the degree of abnormality or deviation from the expected behavior, as determined by the detection algorithm. The minimum score acts as a cutoff point to filter out less significant anomalies and focus on those with higher levels of abnormality.

By adjusting the minimum score threshold, analysts control the sensitivity of the detection system. A lower threshold detects subtle or less pronounced anomalies but also lets through more of the less significant ones that the threshold exists to filter out, while a higher threshold reports only the more significant or extreme deviations.

Event Severity

Event severity refers to the level of impact or importance assigned to detected anomalies or flagged events. It provides a measure of the potential consequences or significance associated with the detected anomalies. Assigning severity levels helps prioritize responses and allocate appropriate resources based on the potential impact of the detected anomalies.

The severity levels can be defined on a scale, such as low, medium, and high, or based on a custom classification scheme tailored to the specific domain. The severity level assigned to each detected event aids in decision-making and response planning, ensuring that appropriate actions are taken based on the potential severity of the anomaly.
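As an added example (not FojiSoft's code), the following Python applies rules built from these three parameters, anomaly type, minimum score and event severity, to a constructed sample of per-minute request counts. The scoring function (a z-score against a baseline window), the Rule class, the rule names and the sample data are all assumptions standing in for whatever the product's detector actually computes.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}   # ordering used for triage

@dataclass(frozen=True)
class Rule:
    name: str
    anomaly_type: str   # "all", "below" or "above" (the three anomaly types above)
    min_score: float    # minimum anomaly score that triggers an alert
    severity: str       # event severity assigned to anything this rule flags

def anomaly_score(value, baseline):
    """Signed deviation in standard deviations; an assumed stand-in for the detector's score."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        raise ValueError("baseline is constant; cannot score deviations")
    return (value - mu) / sigma

def evaluate(rules, observations, baseline):
    """Apply every rule to every observation; return alert dicts in input order."""
    alerts = []
    for ts, value in observations:
        z = anomaly_score(value, baseline)
        direction = "above" if z > 0 else "below"
        for rule in rules:
            if rule.anomaly_type != "all" and rule.anomaly_type != direction:
                continue        # anomaly type filter: rule only watches one direction
            if abs(z) < rule.min_score:
                continue        # deviation is real but under this rule's minimum score
            alerts.append({"time": ts, "value": value, "direction": direction,
                           "score": abs(z), "rule": rule.name, "severity": rule.severity})
    return alerts

def highest_severity(alerts):
    """Worst severity among the alerts, i.e. what an analyst should look at first."""
    return max((a["severity"] for a in alerts), key=SEVERITY_RANK.__getitem__, default=None)

# Constructed sample: a baseline of requests per minute, then four new observations.
BASELINE = [102, 98, 102, 98, 102, 98, 102, 98, 102, 98]   # mean 100, stddev 2
OBSERVATIONS = [("10:00", 101), ("10:01", 110), ("10:02", 93), ("10:03", 106)]
RULES = [
    Rule("any-deviation", "all", 3.0, "low"),      # general-purpose catch-all
    Rule("traffic-drop", "below", 3.0, "high"),    # unusually low counts matter most
    Rule("traffic-spike", "above", 4.5, "medium"), # only extreme highs, to cut noise
]

if __name__ == "__main__":
    for a in evaluate(RULES, OBSERVATIONS, BASELINE):
        print(a["time"], a["rule"], a["severity"], a["direction"], a["score"])
```

Lowering traffic-spike's minimum score to 3.0 would make the 10:03 observation fire it too, which is the sensitivity trade-off the minimum score section describes.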

Conclusion

Setting up detection rules for anomalies involves defining parameters such as anomaly type, minimum score, and event severity. Anomaly type determines the specific category or classification of anomalies targeted for detection, such as all anomalies, below normal anomalies, or above normal anomalies. The minimum score parameter sets a threshold for triggering an alert, controlling the sensitivity of the detection system. Event severity helps prioritize responses and allocate resources based on the potential impact of the detected anomalies.

Selecting appropriate values for these parameters requires a thorough understanding of the application domain, the characteristics of anomalies, and the desired response to detected events. By fine-tuning these parameters, analysts can effectively tailor the anomaly detection system to their specific requirements and improve the accuracy and usefulness of anomaly detection results.