MELODY: Robust Semi-Supervised Hybrid Model for Entity-Level Online Anomaly Detection with Multivariate Time Series

First, to address the non-comparable time series values of different entities, we transform the raw values of individual univariate time series to their anomalous degrees. Specifically, for the $i$-th deployment $\mathcal{X}_{i}$, its $j$-th variate’s observation at time step $t$, i.e., $x_{i,j}^{t}$ ($1\leq j\leq n_{i}$), is transformed to a score $s_{i,j}^{t}$ representing the deviation of $x_{i,j}^{t}$ from the normal history ${\textbf{x}}_{i,j}=[x_{i,j}^{1},...,x_{i,j}^{T}]$ for any $t>T$. The more $x_{i,j}^{t}$ deviates from ${\textbf{x}}_{i,j}$, i.e., the higher the score $s_{i,j}^{t}$ is, the more anomalous $x_{i,j}^{t}$ is. It is noteworthy that $s_{i,j}^{t}$ defines the change of $x_{i,j}^{t}$ relative to its history ${\textbf{x}}_{i,j}$ for any univariate time series consistently, thus it is a comparable score across entities.

As illustrated in Fig. 2(b), the OFE has three Featurizers to generate score $s_{i,j}^{t}$. Each Featurizer is a general class. Given a concrete deployment $\mathcal{X}_{i}$, each Featurizer first initializes a set of instances, one per variate using its history, for some (or all) of the variates, e.g., an instance is initialized using the history ${\textbf{x}}_{i,j}$ for variate $j$.

Then the $j$-th instance is used to transform $x_{i,j}^{t}$ to $s_{i,j}^{t}$ in an online manner. Because of the Low Latency Tolerance (Challenge 2 in Sec. 1), we design three Featurizers that initialize instances efficiently:

At the initialization stage, SbF learns the mean $\mu$ and standard deviation $\sigma$ of all $T$ values in the history ${\textbf{x}}_{i,j}$, and defines a threshold $\tau=\mu+\alpha*\sigma$, where $\alpha$ is a multiplier. At the inference stage, it sets $s_{i,j}^{t}=1$ at time step $t$ if it observes $w_{s}$ continuous values $x_{i,j}^{t-w_{s}+1}$, …, $x_{i,j}^{t}$ above $\tau$; and sets $s_{i,j}^{t}=0$ otherwise. By defining different $\alpha$ and $w_{s}$ for the metrics of interest, SbF has a total of 11 instances.

TbF is similar to SbF except that TbF uses a predefined threshold $\tau$ directly without resorting to $\mu$ and $\sigma$. By defining $\tau$ and $w_{s}$, TbF has 7 possible instances. CbF is used to count the number of continuous missing observations, which can indicate anomalies on certain metrics. CbF’s initialization sets up a sliding window of size $w_{c}$. At the inference stage, CbF sets $s_{i,j}^{t}=1$ if the window ending at time step $t$ is full of missing observations; and sets $s_{i,j}^{t}=0$ otherwise. CbF has 1 possible instance.

It is noteworthy that all of the SbF, TbF, CbF Featurizers have efficient initialization. In total, rule-based featurizer has 19 possible instances for the metrics that the rules monitor.

SubNN is a distance based scorer. At the initialization stage, SubNN segments the history ${\textbf{x}}_{i,j}$ into subsequences with window size $w_{n}$ and stride 1, forming a set $\mathcal{S}$ of length-$w_{n}$ subsequences, and sets up a sliding window of size $w_{n}$ for the inference stage. At the inference stage, SubNN sets $s_{i,j}^{t}$ as the distance between the sliding window ending at time step $t$ and its nearest neighbor in $\mathcal{S}$. MD is an efficient forecasting approach. At the initialization stage, it only sets up a sliding window of size $w_{m}$. At the inference stage, based on the sliding window at $t-1$, it calculates $m_{\text{obs}}=\text{median}([x_{i,j}^{t-w_{m}},...,x_{i,j}^{t-1}])$, and $m_{\text{dif}}=\text{median}([x_{i,j}^{t-w_{m}+1}-x_{i,j}^{t-w_{m}},...,x_{i,j}^{t-1}-x_{i,j}^{t-2}])$, and forecasts the subsequent value $\hat{x}_{i,j}^{t}=m_{\text{obs}}+(w_{m}/2)*m_{\text{dif}}$. We adapted it for scoring anomalies by setting $s_{i,j}^{t}$ as the deviation of $x_{i,j}^{t}$ from $\hat{x}_{i,j}^{t}$, i.e., $s_{i,j}^{t}=|x_{i,j}^{t}-\hat{x}_{i,j}^{t}|$.

The algorithm-based featurizers are applicable to any metric. There are 22 possible metrics in total, thus the SubNN and MD featurizers have 44 instances.

The second issue in Challenge 1 (Sec. 1) is the variable duration of different deployments. Using any instance of the rule-based and algorithm-based featurizer, we can obtain a feature $s_{i,j}^{t}$ at time step $t$. However, as described in Sec. 2, the labels y of the training deployments in $\mathcal{X}^{l}$ are at the entity-level, where ${\textbf{y}}_{i}=1$ only indicates the deployment $\mathcal{X}_{i}$ is anomalous before it ended, without marking any anomalous time points. Thus we cannot train a model on the feature $s_{i,j}^{t}$ at a specific time point $t$ using ${\textbf{y}}_{i}$. To address it, we seek for an entity-level method that (1) can be updated efficiently to track dynamic features, and (2) is invariant to the variable duration of deployments.

To this end, we designed a time pooling layer with two pooling methods up to the current time point $t$:

where the $\hat{s}_{i,j}^{t}$ records the most anomalous status up to time point $t$, and $\bar{s}_{i,j}^{t}$ records the accumulative anomalous status.

The pooling methods are invariant to variable sequence lengths. For model training, Eq. (1) generates a feature per training deployment by pooling up to the end of its length. Also, because both MaxPool and MeanPool can be updated incrementally in constant time, we can use Eq. (1) to dynamically track salient features of new deployments up to any time point for online inference.

So far, using any of the featurizer instances, we can generate features $[\hat{s}_{i,j}^{t},\bar{s}_{i,j}^{t}]$ for each univariate time series of $\mathcal{X}_{i}$, which has a unique label ($\texttt{service}_{j}$, $\texttt{metrics}_{j}$) (Sec. 2.1). The third issue in Challenge 1 (Sec. 1) implies the number of variates $n_{i}$ is different for different $\mathcal{X}_{i}$, leading to different feature dimensions for different $\mathcal{X}_{i}$. There are two reasons for the different $n_{i}$: (1) the deployments can have different subsets of metrics, and (2) multiple services may be monitored for the same metric, generating multiple univariate time series on the same metric.

To address this challenge, and embed different deployments in the same feature space, we propose a feature aggregator. After we obtain the feature $[\hat{s}_{i,j}^{t},\bar{s}_{i,j}^{t}]$ from Eq. (1) for each univariate time series, we aggregates the features over different services for the same metric. Suppose $m_{k}$ is the $k$-th metric. Taking $\hat{s}_{i,j}^{t}$ as an example, we perform an aggregation for $m_{k}$

where MaxPool is used because we want to keep the most salient anomalous feature from different services.

Similarly, we can obtain $\bar{z}_{i,j}^{t}$ from $\bar{s}_{i,j}^{t}$, and this step addresses the issue (2). To address issue (1), if a deployment misses a specific metric value $m_{k}$ and Eq. (2) cannot be applied for $m_{k}$, we perform mean-based imputation on $\hat{z}_{i,k}^{t}$ using the training deployments in $\mathcal{X}$. Thus we align all deployments to the same set of 134 features (63 $\hat{z}_{i,k}^{t}$, 63 $\bar{z}_{i,k}^{t}$ from the 63 featurizer instances and 8 meta-data features in Sec. 4.1.1). Then each deployment $\mathcal{X}_{i}$ is represented by a vector ${\textbf{z}}_{i}\in\mathbb{R}^{d}$ of fixed dimension $d=134$.

To address noisy imputation and model the correlation of variates in MTS, next, we propose a semi-supervised model on $\{{\textbf{z}}_{i}\}_{i=1}^{N}$ for learning meaningful embeddings using supervision signals.

A one-class model is an unsupervised anomaly detector that is trained on samples of a single, typically normal, class. It is used to predict whether a testing sample belongs to this class or not. One prominent example is kernel-based method, such as One-Class SVM (OC-SVM) (Schölkopf et al., 2001) and Support Vector Data Description (SVDD) (Tax and Duin, 2004), which aims to maximize the margin between normal samples and others. For example, SVDD aims to find the smallest hypersphere with a center vector c and a radius $R>0$ to enclose the majority of the (normal) samples in the feature space.

where $\phi({\textbf{z}}_{i})$ is a kernel function on input feature ${\textbf{z}}_{i}$, $\xi_{i}$ is a slack variable to allow soft boundary, and $\nu\in(0,1]$ is a hyperparameter to control the trade-off between the volume of the sphere and the penalties on $\xi_{i}$. Once c and $R$ are determined by solving the dual form of the primal problem in Eq. (3), samples that are outside the sphere, i.e., $\|\phi({\textbf{z}}_{i})-{\textbf{c}}\|^{2}>R^{2}$, are deemed anomalies.

Recently, DeepSVDD was introduced in (Ruff et al., 2018). Compared to the kernel-based methods, it is more robust to the noises from feature engineering, and more scalable to large datasets. It replaces $\phi(\cdot)$ by a neural network $\phi(\cdot;\boldsymbol{\theta}):\mathbb{R}^{d}\rightarrow\mathbb{R}^{d_{e}}$ with parameter $\boldsymbol{\theta}$, where $d_{e}$ is the dimension of the embedding space. The objective of DeepSVDD is to train $\boldsymbol{\theta}$ for learning a transformation $\phi(\cdot;\boldsymbol{\theta})$ that minimizes the volume of a hypersphere centered on a predetermined c.

where $D(\cdot,\cdot)$ is a distance function, such as Euclidean or Hamming distance, and $\lambda$ is the hyperparameter for weight decay.

Although DeepSVDD can learn embeddings that are less sensitive to the noises in ${\textbf{z}}_{i}$, it can not harness the supervised signals for learning embeddings that resolve the ambiguous anomaly definition (Challenge 3 in Sec. 1). Recent works also indicated even with a small amount of labels, semi-supervised methods could outperform unsupervised methods significantly on anomaly detection (Han et al., 2022).

Therefore, we introduce our Semi-Supervised Deep One-Class Model (SemiDOC). Our goal is to use the small amount of labeled anomalies to tighten the boundary of the hypersphere. To this end, we propose a negative sampling based model trained in batch-wise. In each batch, we randomly sample $B$ normal samples from the labeled set $\mathcal{X}^{l}$ or the unlabeled set $\mathcal{X}^{u}$ (which is auto-labeled as normal as described in Sec. 3.1) as the queries $\{{\textbf{z}}_{i}^{q}\}_{i=1}^{B}$. For each query ${\textbf{z}}_{i}^{q}$, we sample an anomaly from $\mathcal{X}^{l}$ as its negative sample, and form a tuple $({\textbf{z}}_{i}^{q},{\textbf{z}}_{i}^{n})$. Then each batch is a set of $B$ tuples $\{({\textbf{z}}_{i}^{q},{\textbf{z}}_{i}^{n})\}_{i=1}^{B}$, and the learning objective is

where

is a hinge loss to maximize the distance between the embeddings of ${\textbf{z}}_{i}^{q}$ and ${\textbf{z}}_{i}^{n}$, and $\delta$ is a threshold to avoid arbitrarily large distance values in the loss function, for training stability.

After training the model, SemiDOC uses the following function to infer anomaly score of a new sample ${\textbf{z}}_{\text{new}}$.

where $R=\max_{{\textbf{z}}_{i}\in\mathcal{Z}_{\text{normal}}}D\big{(}\phi({\textbf{z}}_{i};\boldsymbol{\theta}),{\textbf{c}}\big{)}$ is the maximal radius of the normal embeddings in set $\mathcal{Z}_{\text{normal}}$ in the training set, i.e., the learned hypersphere, and the Clip function is used to prevent extreme values from dominating the anomaly scores.

Given the intricate anomalous patterns and the potential presence of noise in the unlabeled set $\mathcal{X}^{u}$, a semi-supervised model may be biased from learning an accurate boundary. To address it, we add a robust supervised model to provide another angle of class boundary, and combine it with SemiDOC in an ensemble in Sec. 4.2.3. Our empirical findings in Sec. 5 consolidate the superiority of such a hybrid model.

We employ LightGBM (Ke et al., 2017) as the supervised detector. LightGBM is a boosting tree-based ensemble method that has high accuracy and efficiency. As a binary classifier, it has been demonstrated as useful in anomaly detection tasks (Vargaftik et al., 2021; Han et al., 2022), and been deployed in many production pipelines of fraud prevention systems. Similar methods such as XGBoost (Chen and Guestrin, 2016) and CatBoost (Prokhorenkova et al., 2018) are also compatible with our framework. We selected LightGBM for its better efficiency and superior accuracy. By feeding a feature ${\textbf{z}}_{i}$ to LightGBM, we use the probability to the anomalous class as the anomaly score.

Ensembling was found as a powerful regularization technique for performance improvement (Oreshkin et al., 2019). We ensemble SemiDOC and LightGBM to form a hybrid model for anomaly detection. The core property of an ensemble is diversity. Thus we perform a bagging procedure (Breiman, 1996) by including models (SemiDOC or LightGBM) trained with different random initializations.

As for the ensemble aggregation function, the widely used approach is taking mean of the anomaly scores from different models in the hybrid. However, as a one-class model, a high score from SemiDOC in Eq. (7) does not necessarily mean anomalies, but indicates an unknown entity is different from the normal majority of the training set. Thus taking mean of the scores of SemiDOC and LightGBM may generate a high score for unknown but normal entities, leading to more false positives.

To alleviate it, we propose a sequential approach with two steps. First, SemiDOC is used to filter normal entities with scores lower than a threshold. Second, the entities that SemiDOC is less confident (i.e., with high scores) are sent to LightGBM for anomaly detection. If there are multiple SemiDOC (or LightGBM) in the hybrid, the mean score of SemiDOCs (or LightGBMs) is used in the two steps.

In our experiments, we evaluated both mean-based and sequential models, which are named as MELODY-M and MELODY-S.

We compare MELODY with a variety of anomaly detection (AD) methods from two groups: MTS-based methods and General AD methods. For the first group, because our entity-level AD problem does not assume the availability of point-level labels on MTS, we only evaluated unsupervised SOTA methods: (1) OmniAnomaly (Su et al., 2019), (2) AnomalyTransformer (Xu et al., 2021), (3) TranAD (Tuli et al., 2022). We applied these methods on the MTS of each deployment individually. Following (Xu et al., 2021), once an anomalous time point is detected, the deployment is considered as anomalous. For the second group, we included unsupervised method: (4) DeepSVDD (Ruff et al., 2018), semi-supervised method: (5) DeepSAD (Ruff et al., 2019), and supervised methods: (6) RandomForest (RF) (Breiman, 2001), (7) LightGBM (Ke et al., 2017), which can use the entity-level labels by applying them on the features generated by our OFE module. Thus they were named with prefix “OFE+”, e.g., OFE+LGBM. For fair comparison, the bootstrap ensemble versions of the methods in the second group were included and named with suffix “-B”, e.g., OFE+LGBM-B.

For our method, we considered two variants: MELODY-M and MELODY-S as discussed in Sec. 4.2.3. We used Hamming distance $D(\cdot,\cdot)$ in Eq. (5). The hyperparameter $\delta$, i.e. the threshold in Eq. (6) was grid searched in {1, 10, 100} using validation set. By default, we used 3 LightGBMs and 3 SemiDOCs in our method, with a total 6 models. For fair comparison, each of the ensemble baseline used 6 models. In Sec. 5.4.1 and Sec. 5.4.3, we performed hyperparameter study and ablation analysis to evaluate the design choice of MELODY. Its implementation details are in Appendix A.2.

We randomly split the labeled set $\mathcal{X}^{l}$ into 60% /20%/20% train/validation/test sets 5 times, and run each method on these 5 splits to evaluate the average performance. The unlabeled set $\mathcal{X}^{u}$ was only used for training semi-supervised methods as it does not have valid labels for validation and testing.

Following (Xu et al., 2021; Huang et al., 2022), we use Precision, Recall, and F1-score to evaluate the AD performance of the compared methods. Additionally, we added False Positive Rate (FPR) because in a rollback system, it is important to avoid false positives, i.e., unnecessary rollbacks, that lead to slow deployments and poor user experience. Following (Huang et al., 2022), for each method, we select the threshold with the best F1-score.

There are two major hyperparameters in MELODY, the number of model instances in the hybrid and the margin threshold $\delta$ in the hinge loss in Eq. (6). In this section, we use MELODY-S to evaluate the influence of these parameters (MELODY-M is similar thus is ignored for brevity). Fig. 3 presents the change of F1 scores w.r.t. the two parameters on the three labeled sets. In Fig. 3(a), the number represents the the number of either SemiDOC or LightGBM, e.g., 3 indicates 3 SemiDOC + 3 LightGBM. We can see that using either 3 or 5 is better than 1, indicating MELODY-S also benefits from ensembling. Also, the performance marginally improves or degrades after the number is larger than 3, validating our choice in Sec. 5.2.1. From Fig. 3(b), we can see MELODY-S is not very sensitive to $\delta$. A small margin (e.g., 0.1) is insufficient for distinguishing normal and abnormal entities, and a too large margin (e.g., 1000) may lead to overfitting. Thus a proper choice is $\delta=100$, which is our setup for MELODY.

As discussed in Sec. 4.2.1, SemiDOC uses a small amount of labeled anomalies to tighten the boundary of the hypersphere of normal entities. To understand how it works, we uniformly sampled a batch of training data and took all test data for visualization (the full training set is too large to visualize). The embeddings of SemiDOC were visualized using tSNE (Van der Maaten and Hinton, 2008) in a 2D space. Fig. 4 presents the distribution of the training and test embeddings. From Fig. 4(a), SemiDOC effectively pushed anomalies away from the boundary of normal entities. As designed by the negative sampling in Eq. (5), the anomalies do not need to form a cluster but are used to shape the boundary of normal class. From Fig. 4(b), SemiDOC generalizes well on the test set. Although the anomalies overlap with a small amount of normal entities, the majority of the normal class is distinguishable. This explains the design of MELODY-S, where SemiDOC first filters out most of the normal entities (with a few false negatives), and LightGBM classifies the rest set of normal and abnormal entities.

In this section, we evaluate several variants of MELODY-S to validate the design choices of its OFE and SemiAD modules. Table 3 summarizes the testing results of our ablation analysis. In (a)-(c), we alternately removed the three featurizers in OFE (Sec. 4.1.1). In (d) and (e), we replaced SemiDOC in SemiAD module by DeepSVDD and DeepSAD, respectively. In (f), we replaced the Hamming distance with Euclidean distance in Eq. (5) and Eq. (6) to evaluate the choice of distance function. First, in (a)-(c), we observe removing any of the featurizers degrades the performance of MELODY-S. Removing Rule/Algorithmic featurizers have more impacts than the Meta featurizer because they are more fine-grained and dynamic at the time series level. In (d)(e), we observe SemiDOC is better than DeepSVDD and DeepSAD for anomaly detection, validating the design of the negative sampling based regularization in Eq. (6). Finally, (f) suggests Hamming distance, which is commonly used in embedding retrieval (Song et al., 2018), is more suitable than Euclidean distance in MELODY-S for entity-level anomaly detection. Therefore, the results in Table 3 justify the design choices of our method.