Anomaly Score

SUMMARY

An anomaly score is a numerical value that quantifies how much a data point or pattern deviates from expected normal behavior. In time-series analysis, these scores help identify and rank potential anomalies, enabling automated detection systems to prioritize and classify unusual events.

How anomaly scores work

Anomaly scores measure the degree of deviation from normal patterns using statistical or machine learning methods. The higher the score, the more likely a data point represents an anomaly. These scores typically account for multiple factors:

Historical patterns and seasonality
Statistical distributions
Multiple dimensions or metrics
Context-specific thresholds

# Simplified example of Z-score based anomaly scoring
def calculate_anomaly_score(value, mean, std_dev):
    return abs((value - mean) / std_dev)

Next generation time-series database

QuestDB is an open-source time-series database optimized for market and heavy industry data. Built from scratch in Java and C++, it offers high-throughput ingestion and fast SQL queries with time-series extensions.

Try live demo Read documentation

Common scoring methods

Statistical approaches

Statistical methods calculate anomaly scores based on probability distributions and statistical measures:

Z-score: Measures deviation in standard deviations from the mean
Modified Z-score: More robust version using median absolute deviation
Interquartile range (IQR) based scoring

Machine learning-based scoring

Modern anomaly detection systems often use more sophisticated scoring methods:

Isolation Forest scores
Local Outlier Factor (LOF)
Autoencoder reconstruction error
Density-based scores

Next generation time-series database

Try live demo Read documentation

Applications in time-series data

Anomaly scores are particularly valuable in time-series analysis, where they help identify:

Industrial systems monitoring

In industrial settings, anomaly scores help detect:

Equipment failures
Process deviations
Quality control issues
Safety-critical events

Financial market surveillance

For financial data, anomaly scores can identify:

Unusual trading patterns
Market manipulation attempts
Risk events
System issues

Here's an example using QuestDB to calculate simple anomaly scores:

WITH baseline AS (
    SELECT avg(price) AS mean_price,
           stddev(price) AS std_price
    FROM trades
    WHERE timestamp > dateadd('d', -1, now())
)
SELECT timestamp,
       price,
       abs((price - mean_price) / std_price) AS anomaly_score
FROM trades
CROSS JOIN baseline
WHERE timestamp > dateadd('h', -1, now())
ORDER BY anomaly_score DESC
LIMIT 10;

Setting thresholds

Converting anomaly scores into actionable insights requires careful threshold setting:

Static thresholds
- Fixed score cutoffs
- Simple but may not adapt to changing conditions
Dynamic thresholds
- Adapt to temporal patterns
- Account for seasonality and trends
- More complex but more accurate
Multiple threshold levels
- Warning levels
- Critical levels
- Emergency response triggers

Best practices

When implementing anomaly scoring systems:

Choose appropriate scoring methods based on:
- Data characteristics
- Performance requirements
- Detection sensitivity needs
Validate scoring effectiveness:
- Use labeled datasets when possible
- Monitor false positive/negative rates
- Adjust parameters based on feedback
Consider computational efficiency:
- Score calculation overhead
- Real-time requirements
- Resource constraints
Maintain interpretability:
- Document scoring methodology
- Provide context for scores
- Enable root cause analysis

Anomaly scores are fundamental to modern anomaly detection systems, providing a quantitative foundation for identifying and responding to unusual events in time-series data.