TemperStack
Find Tools

Reliability Foundations: Understanding Anomaly Detection

15 min read

Introduction

Anomaly detection is the backbone of proactive monitoring. Rather than waiting for a system to fail completely before responding, anomaly detection identifies unusual patterns in metrics, logs, and traces that may indicate emerging problems. In reliability engineering, the difference between detecting an anomaly in seconds versus minutes can mean the difference between a minor blip and a major outage affecting thousands of users.

This article explores the fundamental concepts behind anomaly detection, the trade-offs between static and dynamic thresholds, the key parameters that drive detection accuracy, and practical strategies for implementing anomaly detection in production systems.

What Is Anomaly Detection?

Anomaly detection is the process of identifying data points, events, or observations that deviate significantly from expected behavior. In the context of infrastructure and application monitoring, this means identifying when a metric — such as CPU usage, request latency, error rate, or memory consumption — behaves in a way that is statistically unusual compared to its historical pattern.

Anomalies can be broadly categorized into three types:

  • Point anomalies: A single data point that is far from the norm (e.g., a sudden spike in error rate).
  • Contextual anomalies: A data point that is anomalous only in a specific context (e.g., high traffic at 3 AM when traffic is normally low).
  • Collective anomalies: A sequence of data points that together represent anomalous behavior, even if individual points appear normal (e.g., a gradual memory leak).

Static vs. Dynamic Thresholds

The simplest form of anomaly detection is the static threshold: an alert fires when a metric crosses a fixed value. For example, "alert if CPU > 90%." Static thresholds are easy to understand, easy to implement, and work well for metrics with stable, predictable behavior.

Limitations of Static Thresholds

  • No awareness of patterns: A metric at 85% CPU might be perfectly normal during a daily batch job but alarming at midnight.
  • Difficult to tune: Set the threshold too low and you get constant false alarms; set it too high and you miss real problems.
  • Scale challenges: In large environments with hundreds or thousands of services, manually setting and maintaining static thresholds per metric becomes unmanageable.

Dynamic thresholds address these limitations by automatically learning the normal behavior pattern of a metric and adjusting the alert boundary accordingly. Instead of a fixed number, the threshold becomes a band that expands and contracts based on historical patterns — accounting for daily cycles, weekly patterns, and seasonal trends.

Advantages of Dynamic Thresholds

  • Automatic tuning: The system learns what is "normal" without manual configuration.
  • Pattern awareness: Anomalies are detected relative to expected behavior at that specific time.
  • Scalability: Dynamic thresholds can be applied uniformly across thousands of metrics with minimal per-metric configuration.
  • Reduced noise: By understanding normal patterns, dynamic thresholds generate fewer false positives than poorly tuned static ones.

Key Parameters in Anomaly Detection

Whether using static or dynamic approaches, several key parameters determine the accuracy and usefulness of anomaly detection:

1. Metrics Selection

Not all metrics are equally valuable for anomaly detection. Focus on metrics that directly reflect user experience or system health: request latency (p50, p95, p99), error rates, throughput, queue depths, and saturation metrics (CPU, memory, disk, network). Avoid alerting on metrics that are noisy by nature or that don't correlate with meaningful system states.

2. Datapoints and Resolution

The granularity of your data matters. Metrics collected every 60 seconds provide a different picture than metrics collected every 10 seconds. Higher resolution enables faster detection but increases storage costs and computational requirements. For most production monitoring, 10-60 second resolution provides a good balance.

3. Evaluation Windows

Anomaly detection algorithms evaluate metrics over time windows. A short window (1-5 minutes) detects rapid changes quickly but may trigger on transient spikes. A longer window (15-30 minutes) smooths out noise but delays detection of real issues. Many systems use multiple windows — a short window for sudden spikes and a longer window for sustained deviations.

4. Baselines and Seasonality

Dynamic thresholds rely on historical baselines. The baseline period determines what the system considers "normal." Common approaches include:

  • Rolling window: Use the last N hours/days as the baseline (e.g., last 7 days).
  • Same time period: Compare against the same hour on the same day of week (effective for weekly patterns).
  • Exponential smoothing: Weight recent data more heavily while still incorporating historical trends.

Choosing the right baseline period is critical. Too short, and the system forgets long-term patterns. Too long, and it fails to adapt to legitimate changes in behavior.

5. Sensitivity and Standard Deviations

Most dynamic anomaly detection systems define their threshold as a number of standard deviations from the expected value. A common approach:

  • 2 standard deviations: Captures approximately 95% of normal values — triggers on relatively small deviations (more sensitive, more false positives).
  • 3 standard deviations: Captures approximately 99.7% of normal values — triggers only on significant deviations (less sensitive, fewer false positives).

The right sensitivity depends on the cost of a miss versus the cost of a false alarm. For business-critical metrics (payment processing error rates), higher sensitivity is warranted. For informational metrics, lower sensitivity reduces noise.

The Anomaly Detection Process

A practical anomaly detection implementation follows these steps:

  1. Data collection: Gather metrics at consistent intervals from all relevant sources (application, infrastructure, external services).
  2. Baseline computation: Calculate the expected value and expected variance for each metric at each point in time, using historical data.
  3. Threshold calculation: Define upper and lower bounds based on the expected value plus or minus a configured number of standard deviations.
  4. Evaluation: Compare incoming data points against the dynamic threshold band. Flag points outside the band as potential anomalies.
  5. Confirmation: Apply additional logic — such as requiring multiple consecutive datapoints outside the band — to reduce false positives.
  6. Alerting: Route confirmed anomalies to the appropriate notification channel with context about the deviation.

Statistical Foundations

At the core of most anomaly detection systems is the concept of the normal distribution and standard deviation. For a normally distributed metric:

  • 68% of values fall within 1 standard deviation of the mean.
  • 95% of values fall within 2 standard deviations.
  • 99.7% of values fall within 3 standard deviations.

However, many real-world metrics are not normally distributed. Request latency, for example, typically follows a log-normal or heavy-tailed distribution. Effective anomaly detection systems account for this by using techniques like:

  • Percentile-based detection: Alert when the p99 latency exceeds a threshold, rather than the mean.
  • Median Absolute Deviation (MAD): A robust alternative to standard deviation that is less sensitive to outliers.
  • Z-score normalization: Transform metrics to a standard scale for comparison across different metric types.

Practical Considerations

Cold Start Problem

When monitoring a new service or metric, there is no historical data to establish a baseline. During this "cold start" period, fall back to static thresholds or use data from similar services as a proxy until sufficient history accumulates (typically 1-2 weeks of data).

Change Events

Deployments, configuration changes, and infrastructure migrations can legitimately shift a metric's baseline. Integrate change events into your anomaly detection system so that post-deployment shifts are expected, not flagged as anomalies. Many monitoring platforms allow you to mark deployment events and adjust baselines accordingly.

Multi-Metric Correlation

A single anomalous metric may or may not indicate a real problem. Correlating anomalies across multiple metrics — for example, latency increase combined with error rate increase and throughput decrease — dramatically increases confidence that a genuine issue is occurring. Look for monitoring tools that support multi-signal correlation.

Conclusion

Anomaly detection is a critical capability for any team operating production systems. By understanding the trade-offs between static and dynamic thresholds, tuning key parameters like evaluation windows and sensitivity, and applying sound statistical foundations, you can build a monitoring system that catches real problems early while minimizing false alarms. The goal is not zero alerts — it's the right alerts at the right time.

Compare the top monitoring tools for anomaly detection in our analytics tools comparison.