Anomaly Detection In Time Series
An anomaly is a point or stretch that departs from the series' normal behavior, such as a server spike or a sales crash. Detecting it early matters for monitoring and safety.
A residual-based approach
A common recipe builds a model of expected behavior, then flags where reality differs.
- Forecast or smooth the series to get an expected value at each step.
- Compute the residual, the gap between the actual and expected value.
- Flag a point when the residual exceeds a threshold, often a few standard deviations.
This turns anomaly detection into watching the residual stream rather than the raw series.
Handling structure
- Remove seasonality first so a normal holiday peak is not flagged.
- Use a rolling estimate of spread so the threshold adapts as volatility changes.
- Distinguish a single spike from a sustained level shift, which signals a lasting change.
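The recipe and the three structural points above, combined in one detector. This is an added example, not code from the original page. The function names, the hourly request-count data, and all parameter defaults (period, window, k, warmup, min_spread, min_run) are assumptions chosen for illustration, and the per-phase median baseline is one simple way to remove seasonality.

```python
# Added example: seasonal baseline + rolling-spread residual detector (stdlib only).
from collections import deque
from statistics import median, pstdev

def detect(series, period=24, window=48, k=4.0, warmup=24, min_spread=1.0, min_run=3):
    """Return [(kind, first_index, last_index)] for anomalous stretches."""
    # 1. Expected value: per-phase median removes the repeating daily pattern
    #    and is robust to a minority of anomalous days.
    expected = [median(series[p::period]) for p in range(period)]
    clean = deque(maxlen=window)   # trailing residuals not flagged as anomalous
    flagged = []
    for i, actual in enumerate(series):
        residual = actual - expected[i % period]
        if i >= warmup:
            # 2. Adaptive threshold from recent clean residuals; the floor
            #    stops a very quiet window from flagging ordinary noise.
            spread = max(pstdev(clean), min_spread)
            if abs(residual) > k * spread:
                flagged.append(i)
                continue           # keep anomalies out of the spread estimate
        clean.append(residual)
    # 3. Group consecutive flags: short runs are spikes, long runs level shifts.
    events, start = [], None
    for j, i in enumerate(flagged):
        if start is None:
            start = i
        if j + 1 == len(flagged) or flagged[j + 1] != i + 1:
            kind = "level_shift" if i - start + 1 >= min_run else "spike"
            events.append((kind, start, i))
            start = None
    return events

def constructed_series():
    """Seven days of hourly request counts (constructed sample data)."""
    out = []
    for i in range(168):
        hour = i % 24
        value = 100 + (50 if 9 <= hour < 18 else 0)   # normal business-hours peak
        value += (i * 7) % 5 - 2                      # small deterministic noise
        if i == 100:
            value += 40                               # one-off spike
        if i >= 144:
            value += 30                               # sustained shift on the last day
        out.append(value)
    return out

if __name__ == "__main__":
    print(detect(constructed_series()))
```

The daily 50-request peak is never flagged because it is part of the expected value. Flagged residuals are kept out of the rolling window, so a sustained shift stays flagged instead of widening the threshold until it hides itself.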
Trade-offs
A tight threshold catches more anomalies but raises false alarms, while a loose one misses subtle drifts. The right balance depends on the cost of a miss versus the cost of a false alert.
Key idea
Anomaly detection models expected behavior, then flags residuals that exceed an adaptive threshold, balancing missed events against false alarms.