[ML] Anomaly detection for multiple bucket features #175
Conversation
…t has been superseded
…ure anomalousness for anomaly modelling using the base model probabilities
…introduce significant noise
bin/autodetect/CCmdLineParser.cc
Outdated
| @@ -118,7 +117,7 @@ bool CCmdLineParser::parse(int argc, | |||
| ("multivariateByFields", | |||
| "Optional flag to enable multi-variate analysis of correlated by fields") | |||
| ("multipleBucketspans", boost::program_options::value<std::string>(), | |||
| "Optional comma-separated list of additional bucketspans - must be direct multiples of the main bucketspan") | |||
| "Deprecated - ignored") | |||
There was a problem hiding this comment.
what's the reason to keep it? Are there clients using this?
There was a problem hiding this comment.
I'm happy to completely remove this, although it does then commit us to removing the corresponding options on the Java side. @dimitris-athanasiou said he would do this. The functionality to silently drop any settings related to this functionality (which was never documented and not fully tested) will then live in the Java code.
There was a problem hiding this comment.
I think it's fine to drop everything from the c++ side. I'll prepare the java side and we will merge them both in 6.5.
There was a problem hiding this comment.
I raised elastic/elasticsearch#32496. @tveasey, this means you can completely remove the multipleBucketspans param in this PR.
There was a problem hiding this comment.
Ok great. I'll tidy.
| #include <boost/bind.hpp> | ||
| #include <boost/circular_buffer.hpp> | ||
| #include <boost/iterator/counting_iterator.hpp> | ||
|
|
There was a problem hiding this comment.
does not seem to be used in this place
There was a problem hiding this comment.
I think this was left over from earlier versions, I'll tidy.
|
|
||
| if (m_Correlations != nullptr) { | ||
| m_Correlations->addSamples(m_Id, params, samples, multiplier); | ||
| } | ||
|
|
||
| if (randomSample) { | ||
| m_SlidingWindow.push_back({randomSample->first, randomSample->second}); | ||
| m_RecentSamples.push_back({randomSample->first, randomSample->second}); |
There was a problem hiding this comment.
could be an emplace_back?
There was a problem hiding this comment.
This is a boost circular buffer which doesn't support emplace_back unfortunately.
|
I had a first scan over it, looks good. One remark with respect to naming: I find |
| //! Univariate implementation returns zero. | ||
| template<typename T> | ||
| static double conformable(const T& /*x*/, double value) { | ||
| return value; |
There was a problem hiding this comment.
The comment says this should be returning 0.
There was a problem hiding this comment.
Indeed, comment is out of date.
|
@hendrikmuhs and @dimitris-athanasiou I addressed all your review comments. I also refined aggregation to take account of correlation between the multi-bucket and bucket features, in this commit. Can you take another look please? |
| //! time series from a user's perspective. | ||
| class CTimeSeriesMultibucketFeatures { | ||
| public: | ||
| //! The geometric weight applied the window. |
There was a problem hiding this comment.
nit: "... applied to the window" ?
| @@ -162,6 +162,10 @@ class MODEL_EXPORT CAnomalyDetectorModelConfig { | |||
| //! The default maximum time to test for a change point in a time series. | |||
| static const core_t::TTime DEFAULT_MAXIMUM_TIME_TO_TEST_FOR_CHANGE; | |||
|
|
|||
| //! The default number of time buckets used to generate multibucket features | |||
| //! for anomaly detection. | |||
| static const std::size_t MULTIBUCKET_FEATURE_WINDOW_LENGTH; | |||
There was a problem hiding this comment.
nit: MULTIBUCKET_FEATURE_WINDOW_LENGTH in other places it is MULTIBUCKET_FEATURES_WINDOW_LENGTH, feature - > features
lib/maths/CTimeSeriesModel.cc
Outdated
| const std::string MEAN_ERROR_TAG{"a"}; | ||
| const std::string ANOMALIES_TAG{"b"}; | ||
| const std::string ANOMALY_FEATURE_MODEL_TAG{"d"}; | ||
| // Version 6.4 |
| //! anomaly detection. Specifically, unusual values of certain properties | ||
| //! of extended time ranges are often the most interesting events in a | ||
| //! time series from a user's perspective. | ||
| class CTimeSeriesMultibucketFeatures { |
| void CTimeSeriesMultibucketFeaturesTest::testMean() { | ||
| // Test we get the value and weight we expect. | ||
|
|
||
| LOG_DEBUG(<< "Univariate"); |
There was a problem hiding this comment.
nit: why not make 2 tests?
| class CTimeSeriesMultibucketFeaturesTest : public CppUnit::TestFixture { | ||
| public: | ||
| void testMean(); | ||
| void testContrast(); |
|
I had another pass, only nitpicks except the version tags which I think should be bumped to 6.5. |
…support additional features in future
tveasey
force-pushed
the
feature/multiple-bucket-detection
branch
from
a35419c
to
20df95c
Compare
Currently, we perform anomaly detection only on a single bucket feature, typically derived from some aggregation applied to all the documents which fall in that bucket's time interval. However, In many cases interesting events span multiple buckets.
The most important case is where any given bucket is not especially unusual, given the variation w.r.t. our predictions we've historically seen, but a collection of contiguous buckets are jointly unusual.
Such cases can be detected by modelling and detecting unusual events w.r.t. collective properties of a number of contiguous buckets, i.e. features derived from multiple buckets; this PR uses the cumulative prediction error in a sliding window ending at the current bucket. This has proved effective for picking up the sort of events we want to detect, i.e. extended periods where are model is systematically in error.
This constitutes a reasonably significant change to results: increasing the relative importance we'll report for longer lasting anomalies. However, it is giving consistently better area under the P-R curve against our internal test suit. In addition, we pay some extra memory costs (both to compute the feature and for the extra model). This has been more than recouped in other preparatory changes, i.e. #127, #146, etc.