SlideShare a Scribd company logo

Statistical Learning Based Anomaly Detection @ Twitter

Arun Kejariwal, profile picture
Arun Kejariwal

This document discusses Twitter's approach to statistical learning based anomaly detection. It begins with an overview of anomaly detection challenges at scale given Twitter's massive time series data. It then reviews traditional approaches and their limitations, particularly in dealing with seasonality. The document proposes addressing seasonality through time series decomposition before applying a robust statistical approach like ESD on the residual. It provides an example and discusses applications and production deployment at Twitter. In closing, it promotes joining Twitter's efforts in open sourcing their anomaly detection work.

Technology
Related topics:
Anomaly DetectionTime Series Analysis
1 of 30
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Sta$s$cal Learning Based Anomaly Detec$on @ Twi9er Arun Kejariwal (@arun_kejariwal) Joint work with Jordan Hochenbaum and Owen Vallis November 2014
Internet trends • Real-time [1] h9p://techcrunch.com/2014/05/05/amazon-­‐extends-­‐its-­‐shopping-­‐cart-­‐to-­‐twi9er/ AK 2 [1]
Twi9er: Global Town Square AK 3
Data Fidelity • Data-driven decision making q Evolving product landscape • Data partners q Nielsen q Dataminr • Operational q Performance and Availability AK 4
Data Fidelity: Challenges • Anomalies q Exogenic factors § User behavior § Events § Data center q Endogenic factors § Agile development o Fail fast § Data collection • Millions of time series [1,2] q Scalability AK 5 [1] h9p://strata.oreilly.com/2013/09/how-­‐twi9er-­‐monitors-­‐millions-­‐of-­‐$me-­‐series.html [2] h9p://strataconf.com/strata2014/public/schedule/detail/32431
Anomaly Detec$on: Why Bother? • Analyze User Engagement q Events § Super Bowl, Japanese New Year q Year over year analysis (input to forecasting) • Identify Attacks q DoS q Malware attacks • Identify Bots q Separating actual users from spam AK 6
Anomaly Detec$on • Visual q Prone to errors q Not scalable § Machine generated data 11% of the digital universe in 2005 to > 40% by 2020 [1] § Cloud Infrastructure 2013-2017 CAGR ~50% [2] • Algorithmic approach q Automate! [1] h9p://www.emc.com/about/news/press/2012/20121211-­‐01.htm AK 7 [2] h9p://www.forbes.com/sites/gilpress/2013/12/12/16-­‐1-­‐billion-­‐big-­‐data-­‐market-­‐2014-­‐predic$ons-­‐from-­‐idc-­‐and-­‐iia/
Anomaly Detec$on: Background • Over 50 years of research [1] q Statistics § Extreme Value Theory § Robust Statistics, Grubb’s Test, ESD q Econometrics q Finance § Value at Risk (VaR) q Signal Processing q Music Information Retrieval q Networking q E- Commerce q Performance Regression [1] “Anomaly Detec$on” by Chandola et al. ACM Compu$ng Surveys, 2009. AK 8 Jon from Etsy Toufic from Metafor
Anomaly Detec$on: Overview • Definition q “An anomaly is an observation that deviates so much from other observations so as to arouse suspicions that it is was generated by a different mechanism” [1,2] [1] “Iden$fica$on of outliers” by Hawkins, Douglas M. London: Chapman and Hall, 1980. AK 9 [2] “Outlier Analysis” by Charu C. Aggarwal. Springer, 2013.
Anomaly Detec$on • Characterization q Magnitude q Width q Frequency q Direction AK 10
Anomaly Detec$on (contd.) • Two flavors q Global § Max Value q Local § Intra-day AK 11 Global Local
Anomaly Detec$on (contd.) • Traditional Approaches q Metrics § Mean μ § Variance σ q Rule of thumb § μ + 3*σ q Which time series? § Raw § Moving Averages o SMA, EWMA, PEWMA AK 12 3 * σ
Anomaly Detec$on (contd.) • Impact of multi-modal distribution q μ Shift ~ 0.2% q Inflates σ by 4.5% § Miss quite a few anomalies q What do multiple modes correspond to? § Seasonality AK 13
• Robust Statistics q MAD § Robust Breakdown point o Median 50% vs. Mean 0% q σMAD § K = 1.4826 for normally distributed data AK 14 Anomaly Detec$on (contd.)
• Limitations of using MAD AK 15 Anomaly Detec$on (contd.)
• Grubb’s Test q Critical value is derived from data using a statistical confidence (α) • Limitations q Assumes data distribution is normal q Good for detecting ONLY 1 outlier q Seasonality unaware AK 16 Anomaly Detec$on (contd.)
• ESD (Generalized Extreme Studentized Deviate) [1] q Critical value (λi) re-calculated every iteration q Largest i such that Ri > λi determines # of anomalies q An upper-bound on the number of anomalies is an input parameter • Limitations q Generalized ESD assumes a “normal” distribution q Seasonality unaware AK 17 Anomaly Detec$on (contd.) [1] Rosner, Bernard. “Percentage Points for a Generalized ESD Many-­‐outlier Procedure.” Technometrics 25, no. 2 (1983): 165–172.
Our Approach
• Addressing Seasonality q Key Idea § Time Series Decomposition AK 19 Anomaly Detec$on (contd.)
• Determining seasonal component q Regression on sub-cycle plots [1] AK 20 Anomaly Detec$on (contd.) [1] “STL: A seasonal-­‐trend decomposi$on procedure based on loess” by Cleveland, et al. Journal of Official Sta$s$cs, Vol. 6, Issue 1, 1990.
• Impact of removal of seasonal and trend q Transforms our multi-modal data into unimodal data. § Amenable to ESD/MAD! AK 21 Anomaly Detec$on (contd.) The decomposed Residual becomes "Uni-modal". This significantly shrinks the value of sigma. The original "Multi-Modal" Raw Data has a much wider value for sigma, leading ESD to miss a lot of the outliers.
Trend Smoothing Distortion Creates “Phantom” Anomalies • Challenges remain! AK 22 Anomaly Detec$on (contd.)
• Marrying Robust Statistics with Seasonal Decomposition AK 23 Anomaly Detec$on (contd.) Median is Free from Distortion
• Applying ESD on the Residual AK 24 Anomaly Detec$on (contd.) Decomposition Exposes Anomalies
• Recap q Extract the seasonal component using STL § Filters out periodic spikes q Residual = Raw - Seasonalraw- Medianraw q Run ESD on residual (using median and MAD) AK 25 Anomaly Detec$on (contd.)
• Illustrative example AK 26 Anomaly Detec$on (contd.)
• Applications q Three perspectives § Capacity o CPU utilization o Garbage collection o Network activity § User behavior o Events • Impressions • Link clicks o Spam § Forecasting AK 27 Anomaly Detec$on (contd.)
• Deployed in production q Used by large number of services at Twitter q Automatic e-mail notification § Only sent if anomalies are present § Anomalies annotated § CSV with anomaly locations attached AK 28 Anomaly Detec$on (contd.)
• Skyline from Etsy q https://github.com/etsy/skyline/blob/master/src/analyzer/algorithms.py • Coming soon! q R package AK 29 Open Sourcing
Join the Flock Like problem solving? Like challenges? Be at cukng Edge Make an impact • We are hiring!! q https://twitter.com/JoinTheFlock q https://twitter.com/jobs q Contact us: @arun_kejariwal AK 30

More Related Content

PDF
Gangliaはじめました
yuzorock
 
PDF
Yahoo! JAPANにおけるApache Cassandraへの取り組み
Yahoo!デベロッパーネットワーク
 
PDF
PostgreSQL16新機能紹介 - libpq接続ロード・バランシング(第41回PostgreSQLアンカンファレンス@オンライン 発表資料)
NTT DATA Technology & Innovation
 
PDF
TIME_WAITに関する話
Takanori Sejima
 
PDF
ネットワーク ゲームにおけるTCPとUDPの使い分け
モノビット エンジン
 
PDF
並行実行制御の最適化手法
Sho Nakazono
 
PDF
ダブル配列の豆知識
s5yata
 
PPTX
Tensor コアを使った PyTorch の高速化
Yusuke Fujimoto
 
Gangliaはじめました
yuzorock
 
Yahoo! JAPANにおけるApache Cassandraへの取り組み
Yahoo!デベロッパーネットワーク
 
PostgreSQL16新機能紹介 - libpq接続ロード・バランシング(第41回PostgreSQLアンカンファレンス@オンライン 発表資料)
NTT DATA Technology & Innovation
 
TIME_WAITに関する話
Takanori Sejima
 
ネットワーク ゲームにおけるTCPとUDPの使い分け
モノビット エンジン
 
並行実行制御の最適化手法
Sho Nakazono
 
ダブル配列の豆知識
s5yata
 
Tensor コアを使った PyTorch の高速化
Yusuke Fujimoto
 

What's hot (20)

PDF
ストリーミングのげんざい
Tetsuya Morimoto
 
PDF
失敗から学ぶ機械学習応用
Hiroyuki Masuda
 
PPTX
これがCassandra
Takehiro Torigaki
 
PPT
Cassandraのしくみ データの読み書き編
Yuki Morishita
 
PPTX
HashMapとは?
Trash Briefing ,Ltd
 
PDF
時系列分析入門
Miki Katsuragi
 
PPTX
分散システムについて語らせてくれ
Kumazaki Hiroki
 
PDF
DDD&Scalaで作られたプロダクトはその後どうなったか?(Current state of products made with DDD & Scala)
MicroAd, Inc.(Engineer)
 
PDF
できる!並列・並行プログラミング
Preferred Networks
 
PDF
Graph Attention Network
Takahiro Kubo
 
PDF
PostgreSQL 15 開発最新情報
Masahiko Sawada
 
PPTX
トランザクションの設計と進化
Kumazaki Hiroki
 
PPTX
押さえておきたい、PostgreSQL 13 の新機能!! (PostgreSQL Conference Japan 2020講演資料)
NTT DATA Technology & Innovation
 
PPT
インフラエンジニアのためのcassandra入門
Akihiro Kuwano
 
PDF
暗号文のままで計算しよう - 準同型暗号入門 -
MITSUNARI Shigeo
 
PDF
WebブラウザでP2Pを実現する、WebRTCのAPIと周辺技術
Yoshiaki Sugimoto
 
PDF
最近強化学習の良記事がたくさん出てきたので勉強しながらまとめた
Katsuya Ito
 
PDF
Apache Impalaパフォーマンスチューニング #dbts2018
Cloudera Japan
 
PDF
クラシックな機械学習の入門 4. 学習データと予測性能
Hiroshi Nakagawa
 
PPTX
Elasticsearch as a Distributed System
Satoyuki Tsukano
 
ストリーミングのげんざい
Tetsuya Morimoto
 
失敗から学ぶ機械学習応用
Hiroyuki Masuda
 
これがCassandra
Takehiro Torigaki
 
Cassandraのしくみ データの読み書き編
Yuki Morishita
 
HashMapとは?
Trash Briefing ,Ltd
 
時系列分析入門
Miki Katsuragi
 
分散システムについて語らせてくれ
Kumazaki Hiroki
 
DDD&Scalaで作られたプロダクトはその後どうなったか?(Current state of products made with DDD & Scala)
MicroAd, Inc.(Engineer)
 
できる!並列・並行プログラミング
Preferred Networks
 
Graph Attention Network
Takahiro Kubo
 
PostgreSQL 15 開発最新情報
Masahiko Sawada
 
トランザクションの設計と進化
Kumazaki Hiroki
 
押さえておきたい、PostgreSQL 13 の新機能!! (PostgreSQL Conference Japan 2020講演資料)
NTT DATA Technology & Innovation
 
インフラエンジニアのためのcassandra入門
Akihiro Kuwano
 
暗号文のままで計算しよう - 準同型暗号入門 -
MITSUNARI Shigeo
 
WebブラウザでP2Pを実現する、WebRTCのAPIと周辺技術
Yoshiaki Sugimoto
 
最近強化学習の良記事がたくさん出てきたので勉強しながらまとめた
Katsuya Ito
 
Apache Impalaパフォーマンスチューニング #dbts2018
Cloudera Japan
 
クラシックな機械学習の入門 4. 学習データと予測性能
Hiroshi Nakagawa
 
Elasticsearch as a Distributed System
Satoyuki Tsukano
 
Ad

Viewers also liked (20)

PDF
Data Data Everywhere: Not An Insight to Take Action Upon
Arun Kejariwal
 
PDF
Anomaly detection
QuantUniversity
 
PPTX
Anomaly detection
철 김
 
PDF
Finding bad apples early: Minimizing performance impact
Arun Kejariwal
 
PDF
Velocity 2015-final
Arun Kejariwal
 
PDF
Real Time Analytics: Algorithms and Systems
Arun Kejariwal
 
PDF
Anomaly detection in real-time data streams using Heron
Arun Kejariwal
 
PDF
Anomaly Detection @Twitter
Zhan Zhang
 
PDF
Isolating Events from the Fail Whale
Arun Kejariwal
 
PDF
Gimme More! Supporting User Growth in a Performant and Efficient Fashion
Arun Kejariwal
 
PDF
When Data is Everywhere, Where Do You Start?: Using Drupal to Manage, Distrib...
Forum One
 
PDF
Everyone Is an Analyst and Data Is Everywhere, But Research Has Never Been Ne...
MRAMidAtlanticChapter
 
PPTX
Everyone is a Data Analyst Adobe EMEA Summit 2014
Simon James
 
PDF
Days In Green (DIG): Forecasting the life of a healthy service
Arun Kejariwal
 
PDF
A Systematic Approach to Capacity Planning in the Real World
Arun Kejariwal
 
PPTX
Time series Analysis & fpp package
Dr. Fiona McGroarty
 
PPTX
PyGotham 2016
Manojit Nandi
 
PDF
Anomaly detection : QuantUniversity Workshop
QuantUniversity
 
PDF
Data, data, everywhere… - SEE UK - 2016
TOPdesk
 
PDF
Anomaly detection Meetup Slides
QuantUniversity
 
Data Data Everywhere: Not An Insight to Take Action Upon
Arun Kejariwal
 
Anomaly detection
QuantUniversity
 
Anomaly detection
철 김
 
Finding bad apples early: Minimizing performance impact
Arun Kejariwal
 
Velocity 2015-final
Arun Kejariwal
 
Real Time Analytics: Algorithms and Systems
Arun Kejariwal
 
Anomaly detection in real-time data streams using Heron
Arun Kejariwal
 
Anomaly Detection @Twitter
Zhan Zhang
 
Isolating Events from the Fail Whale
Arun Kejariwal
 
Gimme More! Supporting User Growth in a Performant and Efficient Fashion
Arun Kejariwal
 
When Data is Everywhere, Where Do You Start?: Using Drupal to Manage, Distrib...
Forum One
 
Everyone Is an Analyst and Data Is Everywhere, But Research Has Never Been Ne...
MRAMidAtlanticChapter
 
Everyone is a Data Analyst Adobe EMEA Summit 2014
Simon James
 
Days In Green (DIG): Forecasting the life of a healthy service
Arun Kejariwal
 
A Systematic Approach to Capacity Planning in the Real World
Arun Kejariwal
 
Time series Analysis & fpp package
Dr. Fiona McGroarty
 
PyGotham 2016
Manojit Nandi
 
Anomaly detection : QuantUniversity Workshop
QuantUniversity
 
Data, data, everywhere… - SEE UK - 2016
TOPdesk
 
Anomaly detection Meetup Slides
QuantUniversity
 
Ad

Similar to Statistical Learning Based Anomaly Detection @ Twitter (20)

PDF
Outlier analysis for Temporal Datasets
QuantUniversity
 
PPTX
Anomaly detection
Dr. Stylianos Kampakis
 
PDF
Anomaly Detection in Seasonal Time Series
Humberto Marchezi
 
PPTX
Time Series Anomaly Detection with .net and Azure
Marco Parenzan
 
PDF
Anomaly detection (Unsupervised Learning) in Machine Learning
Kuppusamy P
 
PDF
Anomaly detection Workshop slides
QuantUniversity
 
PDF
Anomaly detection: Core Techniques and Advances in Big Data and Deep Learning
QuantUniversity
 
PDF
Anomaly Detection in Sequences of Short Text Using Iterative Language Models
Cynthia Freeman
 
PDF
Dataday Texas 2016 - Datadog
Datadog
 
PDF
Term_Paper_Shengzhe_Wang
Shengzhe Wang
 
PPTX
Anomaly Detection and Spark Implementation - Meetup Presentation.pptx
Impetus Technologies
 
PDF
An Introduction to Anomaly Detection
Kenneth Graham
 
PPTX
Time Series Anomaly Detection with .net and Azure
Marco Parenzan
 
PPTX
Anomaly Detection - New York Machine Learning
Ted Dunning
 
PDF
Analytics for large-scale time series and event data
Anodot
 
PPTX
Simple math for anomaly detection toufic boubez - metafor software - monito...
tboubez
 
PDF
A_review_on_outlier_detection_in_time_series_data__BCAM_1.pdf.pdf
TadiyosHailemichael
 
PPTX
"Building Anomaly Detection For Large Scale Analytics", Yonatan Ben Shimon, A...
Dataconomy Media
 
PPTX
Anomaly Detection for Real-World Systems
Manojit Nandi
 
PPTX
Data centre analytics toufic boubez-metafor-dev ops days vancouver-2013-10-25
tboubez
 
Outlier analysis for Temporal Datasets
QuantUniversity
 
Anomaly detection
Dr. Stylianos Kampakis
 
Anomaly Detection in Seasonal Time Series
Humberto Marchezi
 
Time Series Anomaly Detection with .net and Azure
Marco Parenzan
 
Anomaly detection (Unsupervised Learning) in Machine Learning
Kuppusamy P
 
Anomaly detection Workshop slides
QuantUniversity
 
Anomaly detection: Core Techniques and Advances in Big Data and Deep Learning
QuantUniversity
 
Anomaly Detection in Sequences of Short Text Using Iterative Language Models
Cynthia Freeman
 
Dataday Texas 2016 - Datadog
Datadog
 
Term_Paper_Shengzhe_Wang
Shengzhe Wang
 
Anomaly Detection and Spark Implementation - Meetup Presentation.pptx
Impetus Technologies
 
An Introduction to Anomaly Detection
Kenneth Graham
 
Time Series Anomaly Detection with .net and Azure
Marco Parenzan
 
Anomaly Detection - New York Machine Learning
Ted Dunning
 
Analytics for large-scale time series and event data
Anodot
 
Simple math for anomaly detection toufic boubez - metafor software - monito...
tboubez
 
A_review_on_outlier_detection_in_time_series_data__BCAM_1.pdf.pdf
TadiyosHailemichael
 
"Building Anomaly Detection For Large Scale Analytics", Yonatan Ben Shimon, A...
Dataconomy Media
 
Anomaly Detection for Real-World Systems
Manojit Nandi
 
Data centre analytics toufic boubez-metafor-dev ops days vancouver-2013-10-25
tboubez
 

More from Arun Kejariwal (13)

PDF
Anomaly Detection At The Edge
Arun Kejariwal
 
PDF
Serverless Streaming Architectures and Algorithms for the Enterprise
Arun Kejariwal
 
PDF
Sequence-to-Sequence Modeling for Time Series
Arun Kejariwal
 
PDF
Sequence-to-Sequence Modeling for Time Series
Arun Kejariwal
 
PDF
Model Serving via Pulsar Functions
Arun Kejariwal
 
PDF
Designing Modern Streaming Data Applications
Arun Kejariwal
 
PDF
Correlation Analysis on Live Data Streams
Arun Kejariwal
 
PDF
Deep Learning for Time Series Data
Arun Kejariwal
 
PDF
Correlation Analysis on Live Data Streams
Arun Kejariwal
 
PDF
Live Anomaly Detection
Arun Kejariwal
 
PDF
Modern real-time streaming architectures
Arun Kejariwal
 
PDF
Techniques for Minimizing Cloud Footprint
Arun Kejariwal
 
PDF
A Tool for Practical Garbage Collection Analysis In the Cloud
Arun Kejariwal
 
Anomaly Detection At The Edge
Arun Kejariwal
 
Serverless Streaming Architectures and Algorithms for the Enterprise
Arun Kejariwal
 
Sequence-to-Sequence Modeling for Time Series
Arun Kejariwal
 
Sequence-to-Sequence Modeling for Time Series
Arun Kejariwal
 
Model Serving via Pulsar Functions
Arun Kejariwal
 
Designing Modern Streaming Data Applications
Arun Kejariwal
 
Correlation Analysis on Live Data Streams
Arun Kejariwal
 
Deep Learning for Time Series Data
Arun Kejariwal
 
Correlation Analysis on Live Data Streams
Arun Kejariwal
 
Live Anomaly Detection
Arun Kejariwal
 
Modern real-time streaming architectures
Arun Kejariwal
 
Techniques for Minimizing Cloud Footprint
Arun Kejariwal
 
A Tool for Practical Garbage Collection Analysis In the Cloud
Arun Kejariwal
 

Recently uploaded (20)

PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Approach and Philosophy of On baking technology
30anthuong17
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
KodekX | Application Modernization Development
KodekX
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Encapsulation theory and applications.pdf
gurumoop
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 

Statistical Learning Based Anomaly Detection @ Twitter

  • 1. Sta$s$cal Learning Based Anomaly Detec$on @ Twi9er Arun Kejariwal (@arun_kejariwal) Joint work with Jordan Hochenbaum and Owen Vallis November 2014
  • 2. Internet trends • Real-time [1] h9p://techcrunch.com/2014/05/05/amazon-­‐extends-­‐its-­‐shopping-­‐cart-­‐to-­‐twi9er/ AK 2 [1]
  • 3. Twi9er: Global Town Square AK 3
  • 4. Data Fidelity • Data-driven decision making q Evolving product landscape • Data partners q Nielsen q Dataminr • Operational q Performance and Availability AK 4
  • 5. Data Fidelity: Challenges • Anomalies q Exogenic factors § User behavior § Events § Data center q Endogenic factors § Agile development o Fail fast § Data collection • Millions of time series [1,2] q Scalability AK 5 [1] h9p://strata.oreilly.com/2013/09/how-­‐twi9er-­‐monitors-­‐millions-­‐of-­‐$me-­‐series.html [2] h9p://strataconf.com/strata2014/public/schedule/detail/32431
  • 6. Anomaly Detec$on: Why Bother? • Analyze User Engagement q Events § Super Bowl, Japanese New Year q Year over year analysis (input to forecasting) • Identify Attacks q DoS q Malware attacks • Identify Bots q Separating actual users from spam AK 6
  • 7. Anomaly Detec$on • Visual q Prone to errors q Not scalable § Machine generated data 11% of the digital universe in 2005 to > 40% by 2020 [1] § Cloud Infrastructure 2013-2017 CAGR ~50% [2] • Algorithmic approach q Automate! [1] h9p://www.emc.com/about/news/press/2012/20121211-­‐01.htm AK 7 [2] h9p://www.forbes.com/sites/gilpress/2013/12/12/16-­‐1-­‐billion-­‐big-­‐data-­‐market-­‐2014-­‐predic$ons-­‐from-­‐idc-­‐and-­‐iia/
  • 8. Anomaly Detec$on: Background • Over 50 years of research [1] q Statistics § Extreme Value Theory § Robust Statistics, Grubb’s Test, ESD q Econometrics q Finance § Value at Risk (VaR) q Signal Processing q Music Information Retrieval q Networking q E- Commerce q Performance Regression [1] “Anomaly Detec$on” by Chandola et al. ACM Compu$ng Surveys, 2009. AK 8 Jon from Etsy Toufic from Metafor
  • 9. Anomaly Detec$on: Overview • Definition q “An anomaly is an observation that deviates so much from other observations so as to arouse suspicions that it is was generated by a different mechanism” [1,2] [1] “Iden$fica$on of outliers” by Hawkins, Douglas M. London: Chapman and Hall, 1980. AK 9 [2] “Outlier Analysis” by Charu C. Aggarwal. Springer, 2013.
  • 10. Anomaly Detec$on • Characterization q Magnitude q Width q Frequency q Direction AK 10
  • 11. Anomaly Detec$on (contd.) • Two flavors q Global § Max Value q Local § Intra-day AK 11 Global Local
  • 12. Anomaly Detec$on (contd.) • Traditional Approaches q Metrics § Mean μ § Variance σ q Rule of thumb § μ + 3*σ q Which time series? § Raw § Moving Averages o SMA, EWMA, PEWMA AK 12 3 * σ
  • 13. Anomaly Detec$on (contd.) • Impact of multi-modal distribution q μ Shift ~ 0.2% q Inflates σ by 4.5% § Miss quite a few anomalies q What do multiple modes correspond to? § Seasonality AK 13
  • 14. • Robust Statistics q MAD § Robust Breakdown point o Median 50% vs. Mean 0% q σMAD § K = 1.4826 for normally distributed data AK 14 Anomaly Detec$on (contd.)
  • 15. • Limitations of using MAD AK 15 Anomaly Detec$on (contd.)
  • 16. • Grubb’s Test q Critical value is derived from data using a statistical confidence (α) • Limitations q Assumes data distribution is normal q Good for detecting ONLY 1 outlier q Seasonality unaware AK 16 Anomaly Detec$on (contd.)
  • 17. • ESD (Generalized Extreme Studentized Deviate) [1] q Critical value (λi) re-calculated every iteration q Largest i such that Ri > λi determines # of anomalies q An upper-bound on the number of anomalies is an input parameter • Limitations q Generalized ESD assumes a “normal” distribution q Seasonality unaware AK 17 Anomaly Detec$on (contd.) [1] Rosner, Bernard. “Percentage Points for a Generalized ESD Many-­‐outlier Procedure.” Technometrics 25, no. 2 (1983): 165–172.
  • 19. • Addressing Seasonality q Key Idea § Time Series Decomposition AK 19 Anomaly Detec$on (contd.)
  • 20. • Determining seasonal component q Regression on sub-cycle plots [1] AK 20 Anomaly Detec$on (contd.) [1] “STL: A seasonal-­‐trend decomposi$on procedure based on loess” by Cleveland, et al. Journal of Official Sta$s$cs, Vol. 6, Issue 1, 1990.
  • 21. • Impact of removal of seasonal and trend q Transforms our multi-modal data into unimodal data. § Amenable to ESD/MAD! AK 21 Anomaly Detec$on (contd.) The decomposed Residual becomes "Uni-modal". This significantly shrinks the value of sigma. The original "Multi-Modal" Raw Data has a much wider value for sigma, leading ESD to miss a lot of the outliers.
  • 22. Trend Smoothing Distortion Creates “Phantom” Anomalies • Challenges remain! AK 22 Anomaly Detec$on (contd.)
  • 23. • Marrying Robust Statistics with Seasonal Decomposition AK 23 Anomaly Detec$on (contd.) Median is Free from Distortion
  • 24. • Applying ESD on the Residual AK 24 Anomaly Detec$on (contd.) Decomposition Exposes Anomalies
  • 25. • Recap q Extract the seasonal component using STL § Filters out periodic spikes q Residual = Raw - Seasonalraw- Medianraw q Run ESD on residual (using median and MAD) AK 25 Anomaly Detec$on (contd.)
  • 26. • Illustrative example AK 26 Anomaly Detec$on (contd.)
  • 27. • Applications q Three perspectives § Capacity o CPU utilization o Garbage collection o Network activity § User behavior o Events • Impressions • Link clicks o Spam § Forecasting AK 27 Anomaly Detec$on (contd.)
  • 28. • Deployed in production q Used by large number of services at Twitter q Automatic e-mail notification § Only sent if anomalies are present § Anomalies annotated § CSV with anomaly locations attached AK 28 Anomaly Detec$on (contd.)
  • 29. • Skyline from Etsy q https://github.com/etsy/skyline/blob/master/src/analyzer/algorithms.py • Coming soon! q R package AK 29 Open Sourcing
  • 30. Join the Flock Like problem solving? Like challenges? Be at cukng Edge Make an impact • We are hiring!! q https://twitter.com/JoinTheFlock q https://twitter.com/jobs q Contact us: @arun_kejariwal AK 30