Anomaly detection is the practice of identifying data points and patterns that may deviate significantly from an established hypothesis.
As a concept, anomaly detection has been around forever. Today, detecting anomalies is a critical practice, because anomalies can indicate important information, such as:
Let's take a look at the wide world of anomaly detection. It's not only about how it works (that part is fairly straightforward); it's really about knowing the limitations that come from not having the right type or quality of data. We'll end with a look at anomaly detection in AI, since interest in anomalies grows with every advance in AI, such as the ones we're seeing with generative and adaptive AI.
Detecting anomalies can be useful in all sorts of pursuits. In the business world, anomaly detection is commonly used to identify unusual incidents in the domain of cybersecurity and enterprise IT. Using AI models that describe the behavior of a system alongside data analytics, you can compare real-world data against the predicted values — and learn a lot of valuable information.
When the difference between the predicted and true data measurements exceeds a given threshold, the true data is identified as an outlier or anomaly. This information provides a direction for data analysts and decision makers to both…
There is rarely a universal basis or model that can fully represent the behavior of a complex real-world system.
For example, the network traffic flows to your servers are governed by a variety of factors and constraints. These include the performance of the hardware and software systems that route traffic across the globe, as well as the diversity of the user base you serve and their preferences and intent.
Despite these inherent limitations, data-driven organizations rely on concrete information from real-world interactions between technologies and end users, often captured through monitoring options such as synthetic monitoring and real-user monitoring. Using this information, they develop a data model or establish a generally acceptable baseline that conforms to the applicable factors and constraints.
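The threshold comparison described above, as an added example that is not part of the original post: a per-hour-of-day baseline (a deliberately simple stand-in for the "model that describes the behavior of a system") is learned from constructed history of hourly request counts, and an observation is flagged when it deviates from the predicted value by more than k standard deviations. The history, the cycle shape and the threshold k are all assumptions of this example.

```python
"""Threshold-based anomaly detection on a request-rate time series (added example)."""
import statistics
from collections import defaultdict

def make_history():
    """Constructed history: 7 days x 24 hourly request counts with a business-hours bump."""
    history = []
    for day in range(7):
        for hour in range(24):
            base = 1000 + (600 if 9 <= hour <= 17 else 0)
            jitter = ((day * 7 + hour * 13) % 50) - 25   # deterministic noise in [-25, 25)
            history.append((hour, base + jitter))
    return history

def fit_baseline(history):
    """Predicted value (mean) and spread (population std dev) per hour of day."""
    buckets = defaultdict(list)
    for hour, value in history:
        buckets[hour].append(value)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in buckets.items()}

def detect(observed, baseline, k=3.0, min_std=1.0):
    """Return (hour, observed, predicted, score) for hours whose |z-score| exceeds k.

    min_std guards against a perfectly flat history, where any jitter would
    otherwise produce an infinite score and a spurious alert.
    """
    anomalies = []
    for hour, value in observed:
        predicted, std = baseline[hour]
        std = max(std, min_std)
        score = (value - predicted) / std
        if abs(score) > k:
            anomalies.append((hour, value, round(predicted, 1), round(score, 2)))
    return anomalies

def demo():
    """One observed day: on-baseline everywhere except a drop at 03:00 and a spike at 14:00."""
    baseline = fit_baseline(make_history())
    observed = [(h, baseline[h][0]) for h in range(24)]
    observed[3] = (3, 200)      # constructed drop (e.g. an outage upstream)
    observed[14] = (14, 5000)   # constructed spike (e.g. a traffic surge)
    return [a[0] for a in detect(observed, baseline)]

if __name__ == "__main__":
    print(demo())   # flagged hours
```

The direction of the deviation is kept in the score, so a drop and a surge are both reported; tightening k trades missed anomalies for false alarms, which is the "given threshold" decision the text leaves to the analyst.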
When looking at a time series of data (data that is collected sequentially, over a period of time), there are three main types of anomalies, which we’ll demonstrate with a classic example:
Indeed, anomaly detection plays a key role in financial activities, like financial crime risk management. But you can apply these anomaly types to any sort of data.
This presents both a challenge and an opportunity to make informed decisions on data that appears as an outlier: a non-conformity to existing models and hypotheses about the expected truth.
First things first: these anomalies may be introduced for a variety of reasons, depending on the application. Consider the case of network traffic flows, above: a surge in user traffic could stem from a variety of places:
Anomalies can emerge from a variety of sources, which your existing notion of truth often explains inadequately.
In order to fully understand the underlying causes, the following key challenges are addressed as part of the anomaly detection process:
Defining a statistical model that encompasses all data dimensions (factors and the applicable constraints) is challenging; quantifying intangible qualitative metrics such as user preferences and intent makes it doubly so. Often, it is practically infeasible.
In the pursuit of a holistic model, any observation close to the edge of normal and expected behavior may also be deemed acceptable. The boundary for anomaly detection may therefore be too elastic for decision makers to differentiate between an outlier and normal behavior after all.
For example, if an anomaly results from malicious intent, the adversaries could eventually adapt their actions or manipulate the system so that the anomalous observations conform to the accepted models and hypotheses.
Add another complicating factor: the notion of an anomaly varies widely with the application and the sensitivity of the situation. An unauthorized login attempt against a front-line employee of your ITSM organization may not be regarded as an anomaly. A similar attempt against a C-suite account with escalated access privileges, on the other hand, should be immediately alarming and trigger an automated intrusion-prevention control.
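The sensitivity point above in detection logic, as an added example that is not part of the original post: the same failed-login event is counted against a per-tier threshold, so a couple of failures on a front-line account stay below the line while a single failure on an executive account raises an alert. The log format, account names, role table and thresholds are all constructed for this example.

```python
"""Privilege-aware detection of failed login attempts (added example)."""
import re
from collections import Counter

# Constructed auth log in the form "<time> auth <OK|FAIL> user=<name> src=<ip>".
SAMPLE_LOG = """\
2024-05-01T08:00:01 auth FAIL user=jdoe src=10.0.0.12
2024-05-01T08:00:09 auth OK   user=jdoe src=10.0.0.12
2024-05-01T08:02:40 auth FAIL user=jdoe src=10.0.0.12
2024-05-01T08:03:15 auth FAIL user=cfo src=198.51.100.7
2024-05-01T08:05:00 auth FAIL user=helpdesk1 src=10.0.0.40
"""

# Constructed role table and per-tier tolerance: how many failures in the
# log window are tolerated before an alert is raised.
PRIVILEGE_TIER = {"cfo": "executive", "jdoe": "frontline", "helpdesk1": "frontline"}
FAIL_THRESHOLD = {"executive": 1, "frontline": 5}   # executive: the first failure alerts

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_failures(log_text):
    """Count FAIL results per account; lines that do not match are skipped, not guessed."""
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAIL":
            failures[m.group("user")] += 1
    return failures

def alerts(failures, tiers=PRIVILEGE_TIER, thresholds=FAIL_THRESHOLD):
    """Return (user, tier, count) for accounts at or above their tier's threshold.

    An account missing from the role table is treated as executive tier, so an
    incomplete inventory fails closed rather than silently lowering sensitivity.
    """
    out = []
    for user, count in sorted(failures.items()):
        tier = tiers.get(user, "executive")
        if count >= thresholds[tier]:
            out.append((user, tier, count))
    return out

if __name__ == "__main__":
    print(alerts(parse_failures(SAMPLE_LOG)))
```

The returned tuples are what you would hand to the automated control mechanism the text mentions; the front-line account with two failures produces nothing, while the executive account's single failure does.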
The notion of normal and expected behavior within the organization itself evolves continuously. Internal organizational changes and a growing user base may require decision makers to redefine things like:
In the age of big data, many organizations find themselves in a never-ending cycle of defining new metrics and factors that can affect their business decisions. An accurate unified model that accounts for all such dimensions may not be achievable, for several reasons.
And now, lastly, we turn to the big topic this year: AI in practice. Interest in anomaly detection renews whenever AI capabilities leap forward. In the domain of artificial intelligence, anomaly detection techniques study:
An AI-based anomaly detection capability can be an important component of intrusion prevention systems that block unauthorized network traffic flows, login attempts and data transfers. They achieve this by…
Given sufficient deviation, the activity is classified as unauthorized and its execution is prevented.
To summarize, anomaly detection is about defining normal behavior, developing a model that can generalize that normal behavior, and specifying the thresholds beyond which an observation is deemed a significant variation from the expected normal behavior.
How your organization uses this information, however, is up to you. And THAT is where the good stuff happens.