A plethora of outlier detectors have been explored in the time series domain, however, in a business sense, not all outliers are anomalies of interest. Existing anomaly detection solutions are confined to certain outlier detectors limiting their applicability to broader anomaly detection use cases. Network KPIs (Key Performance Indicators) tend to exhibit stochastic behaviour producing statistical outliers, most of which do not adversely affect business operations. Thus, a heuristic is required to capture the business definition of an anomaly for time series KPI. This article proposes an Adaptive Thresholding Heuristic (ATH) to dynamically adjust the detection threshold based on the local properties of the data distribution and adapt to changes in time series patterns. The heuristic derives the threshold based on the expected periodicity and the observed proportion of anomalies minimizing false positives and addressing concept drift. ATH can be used in conjunction with any underlying seasonality decomposition method and an outlier detector that yields an outlier score. This method has been tested on EON1-Cell-U, a labeled KPI anomaly dataset produced by Ericsson, to validate our hypothesis. Experimental results show that ATH is computationally efficient making it scalable for near real time anomaly detection and flexible with multiple forecasters and outlier detectors.

翻译：时间序列领域已涌现大量异常检测器，然而从业务角度来看，并非所有离群点都是关注的异常。现有异常检测解决方案受限于特定离群点检测器，限制了其在更广泛异常检测场景中的适用性。网络KPI（关键绩效指标）通常呈现随机特性，会产生统计意义上的离群点，其中大多数不会对业务运营产生不利影响。因此，需要一种启发式机制来捕捉时间序列KPI异常的业务定义。本文提出自适应阈值启发式方法（ATH），该方法可根据数据分布的局部特性动态调整检测阈值，并适应时间序列模式的变化。该启发式方法基于预期周期性和观测到的异常比例推导阈值，从而最小化误报并解决概念漂移问题。ATH可与任何底层季节分解方法及输出异常分数的离群点检测器联合使用。该方法已在爱立信提供的标注KPI异常数据集EON1-Cell-U上完成测试以验证假设。实验结果表明，ATH具有计算高效性，使其可扩展至近实时异常检测场景，并与多种预测器和离群点检测器保持灵活兼容。