Anomaly detection methods
What Makes a Point Anomalous?
WHY this matters: In real systems, anomalies are rare (<1% of data) but high-impact. A fraudulent transaction costs money; a network breach compromises security. We need automated methods because human inspection doesn't scale.
Method 1: Statistical (Gaussian) Anomaly Detection
Derivation from First Principles
WHAT: Model normal data as following a multivariate Gaussian distribution. Points with very low probability density are anomalies.
WHY: If normal behavior clusters around a mean with some spread, points far from this cluster are suspicious. The Gaussian captures "typical" in terms of mean and variance.
HOW:
Step 1 - Fit the Distribution: Given training data where :
Why this step? The mean is our best estimate of "center of normal behavior" under squared loss.
Why this step? The covariance captures how features vary together. It tells us the "shape" of normal data—which directions have high/low variance.
Step 2 - Compute Probability Density: For a new point , compute:
Why this formula?
- The term is the Mahalanobis distance: how far is from measured in units of .
- The exponential decays as distance increases: far points → low probability.
- The normalization constant ensures .
Step 3 - Flag Anomalies: If , flag as anomaly.
Why this step? We set a threshold based on desired false-positive rate. Lower = stricter detection = fewer false alarms but may miss some anomalies.
Equivalently, flag if Mahalanobis distance where .
New observation:
Step 1: Compute Mahalanobis distance:
Why this step? We invert the covariance to measure distance in the natural coordinate system of the data.
Step 2: Compute :
Why this step? The probability is astronomically small—this server is behaving nothing like normal.
Step 3: If , this is anomaly (possible CPU/memory leak).
Method 2: Isolation Forest
Derivation from First Principles
WHAT: Build random decision trees that isolate points. Anomalies are easier to isolate (require fewer splits) than normal points.
WHY: Normal points are "deep in the crowd"—you need many questions to separate them. Anomalies are "out alone"—one or two questions isolate them.
HOW:
Step 1 - Build Isolation Trees: For each tree:
- Randomly select feature and split value between min/max of
- Partition data: vs
- Recurse until points isolated or max depth reached
Why random splits? We're not trying to classify—just partition space. Random splits avoid overfitting to "normal" structure and naturally isolate outliers quickly.
Step 2 - Compute Path Length: For a point , its path length is the number of splits to reach a leaf in a tree.
Why this step? Short path = easy to isolate = likely anomaly. Normal points require more splits to separate from neighbors.
Step 3 - Aggregate Over Trees: Average path length over trees:
Anomaly score:
where is the average path length for points (for normalization).
Why this formula?
- is the expected depth of an unsuccessful search in a Binary Search Tree—our baseline for "normal"
- We normalize by so scores are comparable across dataset sizes
- The exponential maps to [0,1]: scores near 1 = anomaly, near 0 = normal
If , typically flag as anomaly.
Normal transaction: $45 at 2pm in user's city → average path length Why? Many similar transactions exist; takes ~7 splits to isolate from neighbors.
Anomalous transaction: $9,999 at 3am in foreign country → Why? Very few transactions like this; isolated in ~2 splits (maybe one amount, one on location).
Scoring:
Decision: 0.92 > 0.6 threshold → flag for fraud review.
Method 3: One-Class SVM
Derivation from First Principles
WHAT: Find a hypersphere (or hyperplane) that tightly encloses normal data in feature space. Points outside are anomalies.
WHY: We want a decision boundary that separates normal data from the rest of space, maximizing the margin to capture "normal" compactly.
HOW:
Step 1 - Kernel Mapping: Map data to high-dimensional space via kernel . Common choice: RBF kernel .
Why this step? In high dimensions, data that's not linearly separable input space often becomes separable. The kernel trick avoids explicit computation.
Step 2 - Optimization Problem: Find hyperplane that separates data from origin with maximum margin:
subject to:
Why this objective?
- : minimize (maximize margin )
- : push hyperplane away from origin (larger normal region)
- : allow some slack for outliers in training data
- : controls trade-off (upper bound on fraction of outliers)
Step 3 - Decision Function: For new point :
where are Lagrange multipliers from solving dual problem.
Why this step? means is on the "origin side"—outside the normal region, hence anomaly.
where support vectors () define the boundary.
Normal packet: size=512, duration=0.5s, protocol=HTTP → ✓ Why? Within the learned boundary of typical HTTP traffic.
Suspicious packet: size=6535, duration=0.01s, protocol=ICMP → ✗ Why? Max-size ICMP with tiny duration is unlike normal; kernel distance to all support vectors is large, pushing negative.
Method 4: Autoencoder-Based Detection
Derivation from First Principles
WHAT: Train a neural network to compress then reconstruct normal data. Anomalies have high reconstruction error because the network never learned to encode them.
WHY: If a network learns the manifold of normal data, it can faithfully reproduce normal points but struggles with anomalies (they're off-manifold).
HOW:
Step 1 - Architecture: Encoder: maps to code where Decoder: reconstructs from code
Why bottleneck? Forcing compression to low ensures the network learns essential structure, not memorizes every point.
Step 2 - Training Objective: Minimize reconstruction loss on normal data:
Why squared error? It's the maximum likelihood estimate under Gaussian noise assumption. Other losses (absolute, perceptual) work too.
Step 3 - Anomaly Detection: For test point , compute:
If (threshold set on validation set), flag as anomaly.
Why this works? The autoencoder's weights encode . When shown anomaly, the decoder tries to "hallucinate" the nearest normal point, yielding large error.
Normal board: Input pixel patterns match training → (low error, reconstructs faithfully) Why? The network learned features of solder joints, traces, components. It can regenerate them accurately.
Defective board: Missing component, short circuit → (high error) Why? The defect is out-of-distribution. The decoder tries to "imagine" a component there (from learned prior), but actual pixels differ drastically.
Decision: If , defect flaged (3400 > 500).
Comparing Methods
| Method | Strengths | Weaknesses | Best For |
|---|---|---|---|
| Gaussian | Fast, interpretable, works well if data ~Gaussian | Assumes Gaussian, breaks with multi-modal or skewed data | Low-dimensional numerical data, when you need explain-ability |
| Isolation Forest | No distribution assumption, handles high-dim, fast | Harder to interpret, needs tuning tree count | High-dimensional data, mixed feature types |
Concept Map
Hinglish (regional understanding)
Intuition Hinglish mein samjho
Dekho, is note ka core idea bahut simple hai - hume machine ko sikhana hai ki "normal" kaisa dikhta hai, aur phir jo bhi cheez normal se bahut door hai, use anomaly (outlier) mark kar do. Jaise fraud detection mein, network security mein, ya factory mein defective products dhoondhne mein - yeh sab jagah rare events hote hain jo common cheezon se zyada important hote hain. Problem yeh hai ki humare paas anomalies ke labels nahi hote, kyunki woh itne rare hote hain (1% se bhi kam), isliye hume sirf unlabeled normal data se hi "normal ka pattern" seekhna padta hai.
Ab statistical method mein kya karte hain - hum maan lete hain ki normal data ek Gaussian distribution follow karta hai. Iske liye do cheezein calculate karte hain: mean () jo batata hai ki normal data ka center kahan hai, aur covariance () jo batata hai ki data ka shape kaisa hai - matlab kaunse directions mein zyada spread hai. Phir jab koi naya point aata hai, hum uski probability density nikalte hain. Yahan Mahalanobis distance ka concept aata hai - yeh simple straight-line distance nahi hai, balki data ke natural spread ko consider karke distance measure karta hai. Agar yeh distance zyada hai toh probability bahut kam ho jaati hai, aur agar (threshold) toh hum use anomaly bol dete hain.
Yeh important isliye hai kyunki real-world mein human inspection scale nahi karti - lakhon transactions ya servers ko manually check karna impossible hai. Server example dekho: normal CPU 30% aur memory 50% tha, lekin ek server 80% CPU aur 90% memory dikha raha hai - iski probability nikli, matlab yeh point normal behavior se bilkul match nahi karta. Yahi automated detection ka power hai. Aur threshold ko adjust karke aap decide kar sakte ho ki kitna strict rehna hai - kam matlab kam false alarms lekin kuch real anomalies miss ho sakti hain. Yeh trade-off samajhna practical applications ke liye bahut zaroori hai.