Anomaly Detection for Monitoring
CHAPTER 3
Modeling and Predicting

Anomaly detection is based on predictions derived from models. In
simple terms, a model is a way to express your previous knowledge
about a system and how you expect it to work. A model can be as
simple as a single mathematical equation.

Models are convenient because they give us a way to describe a
potentially complicated process or system. In some cases, models
directly describe processes that govern a system’s behavior. For
example, VividCortex’s Adaptive Fault Detection algorithm uses Little’s
law¹ because we know that the systems we monitor obey this
law. On the other hand, you may have a process whose mechanisms
and governing principles aren’t evident, and as a result doesn’t have
a clearly defined model. In these cases you can try to fit a model to
the observed system behavior as best you can.

Why is modeling so important? With anomaly detection, you’re
interested in finding what is unusual, but first you have to know
what to expect. This means you have to make a prediction. Even if
it’s implicit and unstated, this prediction process requires a model.
Then you can compare the observed behavior to the model’s prediction.
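
The predict-then-compare loop described above, as an added example (not code from the book or from VividCortex): a minimal online detector whose model is an exponentially weighted moving average of previous values. The class name, the parameters `alpha`, `threshold` and `warmup`, and the latency series are assumptions constructed for illustration.

```python
from __future__ import annotations
import math
from dataclasses import dataclass

# Constructed sample: query latency in ms with one spike at index 7.
SAMPLE_LATENCY_MS = [20, 21, 19, 22, 20, 21, 20, 95, 21, 19, 20]

@dataclass
class EwmaDetector:
    """Hypothetical online detector: predict from past values, then compare."""
    alpha: float = 0.3      # weight given to the newest observation (assumed)
    threshold: float = 3.0  # residual limit in standard deviations (assumed)
    warmup: int = 5         # points to observe before flagging (assumed)
    mean: float = 0.0       # the model's prediction for the next value
    var: float = 0.0        # exponentially weighted variance of residuals
    seen: int = 0

    def observe(self, value: float) -> tuple[float, bool]:
        """Return (prediction made before seeing value, is_anomaly)."""
        if self.seen == 0:
            self.mean, self.seen = float(value), 1
            return self.mean, False
        predicted = self.mean
        residual = value - predicted
        limit = self.threshold * max(math.sqrt(self.var), 1e-9)
        anomalous = self.seen >= self.warmup and abs(residual) > limit
        if not anomalous:
            # Learn only from normal points so an outlier does not pull the
            # next prediction toward itself. Trade-off: a permanent level
            # shift keeps being flagged until the model is reset.
            self.mean = predicted + self.alpha * residual
            self.var = (1 - self.alpha) * (self.var + self.alpha * residual ** 2)
        self.seen += 1
        return predicted, anomalous

def find_anomalies(series):
    """Feed values one at a time (online); return (index, value, predicted)."""
    detector = EwmaDetector()
    flagged = []
    for i, value in enumerate(series):
        predicted, anomalous = detector.observe(value)
        if anomalous:
            flagged.append((i, value, round(predicted, 2)))
    return flagged

if __name__ == "__main__":
    for i, value, predicted in find_anomalies(SAMPLE_LATENCY_MS):
        print(f"index {i}: observed {value} ms, predicted {predicted} ms")
```
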

Almost all online time series anomaly detection works by comparing
the current value to a prediction based on previous values. Online
means you’re doing anomaly detection as you see each new value
¹ http://bit.ly/littleslaw