-
Notifications
You must be signed in to change notification settings - Fork 34
How does ADE find unusual intervals
Jim Caffrey edited this page Aug 1, 2016
·
1 revision
ADE determines if the interval is unusual by comparing the current interval to set of intervals within the training period.
- Each intervals is scored by accumulating the message contribution score for each message within the interval to create the sum of the message contribution score for the interval (sum of message contribution scores).
- The expected behavior of the system is created by assigning the sum of message contribution score for all of the messages in the training period to one thousand (1000) buckets.
- The interval anomaly score for the interval is found by finding the bucket with a floor greater than then sum of message contribution score and less than the ceiling of the bucket.
- If the sum of message contribution score is greater than 1.5 times the floor of the largest bucket, then the interval is assigned to a special bucket with the value of 101.
The anomaly score for the interval reflects the stability of the system. If the system is stable, then for an interval to be unusual it needs a small change in the sum of messages contribution score. If the system is unstable, then for an interval to be unusual it needs a large change sum of message contribution score.