Possibility for Proactive Anomaly Detection

TL;DR

This work tackles proactive anomaly detection in time-series by combining a forecasting model specialized for anomaly detection with a data-driven threshold learned from training data. The forecasting model handles both continuous and discrete features via separate prediction paths and an adaptive graph convolution with $A = I + ext{softmax}( ext{ReLU}( ext{E} ext{E}^{ op}))$, optimized through $Loss_{ extbf{Total}} = Loss_{ extbf{C}} + Loss_{ extbf{D}}$ where $Loss_{ extbf{C}}$ is MSE and $Loss_{ extbf{D}}$ is cross-entropy. Anomaly scores are produced by a data-driven detector trained only on training data, with the threshold set as the minimum training score; forecasts feed into the detector to classify anomalies before they occur. Empirical results on four benchmarks demonstrate strong anomaly-detection performance and robustness, along with a Fourier-based forecastability analysis that highlights both predictable and unpredictable anomalies and clarifies practical limits of proactive detection.

Abstract

Time-series anomaly detection, which detects errors and failures in a workflow, is one of the most important topics in real-world applications. The purpose of time-series anomaly detection is to reduce potential damages or losses. However, existing anomaly detection models detect anomalies through the error between the model output and the ground truth (observed) value, which makes them impractical. In this work, we present a \textit{proactive} approach for time-series anomaly detection based on a time-series forecasting model specialized for anomaly detection and a data-driven anomaly detection model. Our proactive approach establishes an anomaly threshold from training data with a data-driven anomaly detection model, and anomalies are subsequently detected by identifying predicted values that exceed the anomaly threshold. In addition, we extensively evaluated the model using four anomaly detection benchmarks and analyzed both predictable and unpredictable anomalies. We attached the source code as supplementary material.

Figures (7)

• Figure 1: The architecture of our proposed time-series forecasting model specialized for anomaly detection in multivariate time-series data that considers both continuous and discrete values.
• Figure 2: Overall process of our proactive anomaly detection approach.
• Figure 3: Visualization of proactive anomaly detection in SMAP dataset. The x-axis represents samples over time. Red line is the time point where proactive detection works.
• Figure 4: Visualization of forecastable anomaly values. A convex hull (CV hull) is constructed using the magnitudes of the training data, which represent the absolute values of the coefficients. Anomalies are considered unforecastable if they have magnitudes outside the CV hull.
• Figure A: Visualization of comparison between ours and TimeNet in the SMAP dataset. Left: Anomaly score by the trained ECOD. Right: Predicted values for the categorical feature.