What Is Anomaly Detection?
ServiceNow notes that an anomaly is a change within a data pattern, an outlier or an event that falls outside of a standard trend. It’s a deviation from something expected or something that doesn’t conform to expectations.
There are three broad types of anomalies: point, contextual and collective.
- Point anomalies, also called global anomalies, are single points or pieces of data identified as too far off from similar data points in the group.
- Contextual anomalies are abnormal in one context but normal in another; for example, over two data sets collected at different times.
- Collective anomalies are entire subsets of data that are outliers when compared to wider sets of data of similar nature or type.
Anomaly detection is the process of finding and identifying point, contextual or collective anomalies that fall outside the bounds of defined policies. Detection itself is only the first step; further analysis can help determine whether anomalies are defects, malfunctions, fraud or security compromises.
How Does Anomaly Detection Work?
According to Andrew Stewart, senior federal strategist for the Industries Solution Group at Cisco, data drives effective anomaly detection.
“Any time you are doing this, more data is good,” he says. “Data analysts will tell you that more data is good, and that diversity in data is tremendously important.”
Collecting and leveraging this data makes it possible to identify both common patterns and outliers, allowing state and local agencies to pinpoint potential problems. This data comes from entities, or devices and services connected to a network.
“You need to know every entity,” says Stewart. “That’s table stakes. What you want to see is their telemetry, every conversation between these entities.”
He likens it to a cell phone bill, which provides a list of whom you called and for how long. Anomaly detection provides details about how entities interacted and whether that interaction was out of the ordinary.