Anomaly detection has a range of business applications, from discovering fraud in credit card transactions to intrusions in a computer network.

Anomaly detection, forecasting and predictive monitoring add context to fluctuating metrics, and identifying unusual network traffic patterns can help an IT security team ward off attempted attacks. Algorithms that forecast expected behavior let your team both visualize expected trends and specify when it wants to receive alerts about potential issues.

Forecasting evaluates a metric’s evolution and predicts future values, but there’s more to defining critical levels for the checks and warnings that measure these values. Setting levels too low creates false alarms, while setting them too high blinds monitoring to potential problems.

Metric Forecasting is based on Holt-Winters, a mathematical model that relies on historic behavior to establish a value for an input signal. Through a proprietary service that collects and tracks metrics, monitors log files and sets alarms, CenturyLink Cloud Application Manager weeds out a greater number of false positives than standard systems. Other monitoring options can leave much to be desired, especially when alerts occur and there’s really nothing to worry about.

Holt-Winters, or Triple Exponential Smoothing, models and predicts the behavior of a sequence of values over time and is the IT industry’s best-practice approach for time series. More than 60 years old, this popular methodology is still used in many applications, including monitoring for anomaly detection, as well as for purposes such as capacity planning.

When applied to monitoring, Holt-Winters can observe metric trends as they extend into the future, alert on problems based on changes in normal behavior, or not alert on normal behavior that may approach or exhaust system capacity.

Holt-Winters forecasting takes into account three components of a dataset:

  • Level: Behavior of the y-axis value over time
  • Trend: Behavior of the incline/slope of the dataset over time
  • Season: Repeating patterns in a dataset over a fixed time period

Three coefficients are critical to the accuracy of the model:

  • alpha - a factor adjusting to changes in level
  • beta - a factor adjusting to changes in trend
  • gamma - a factor adjusting to changes in season

Any metric available can be graphed in the Watcher UI — including AWS CloudWatch metrics.

Anomaly Check

  • Detects aberrant signals without the use of thresholds
  • Input parameters
    • Metric ID: Defines the metric
    • Scale: Adjusts the confidence interval (3)
    • History: Relative time to perform the query over (-1w)

Forecast Check

  • Gives advanced warning of signals that trend towards a threshold
  • Input parameters
    • Metric ID: Defines the metric
    • Thresholds for over and under future forecasted points
    • Forecast period: Time in the future to be forecasted

Forecasting with Holt-Winters can handle many complicated seasonal patterns by simply finding the central value, then adding in the effects of slope and seasonality.
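The anomaly check described above can be sketched in a few lines of Python. This is an added example, not CenturyLink Cloud Application Manager code: the function name, the coefficient defaults, the smoothed-deviation confidence band and the sample series are all assumptions made for illustration.

```python
def holt_winters_anomalies(series, period, alpha=0.5, beta=0.125, gamma=0.25, scale=3.0):
    """Return indexes whose value lies outside forecast +/- scale * smoothed deviation."""
    if len(series) < 2 * period:
        raise ValueError("need at least two full seasons of history")
    first, second = series[:period], series[period:2 * period]
    mean_first = sum(first) / period
    trend = (sum(second) - sum(first)) / period ** 2     # average slope per step
    mid = (period - 1) / 2
    # Seasonal offsets are measured against the detrended first season.
    season = [v - (mean_first + trend * (i - mid)) for i, v in enumerate(first)]
    level = mean_first + trend * mid                     # central value at end of season 1
    dev = [0.0] * period                                 # smoothed |error| per seasonal slot
    flagged = []
    for t in range(period, len(series)):
        slot, y = t % period, series[t]
        forecast = level + trend + season[slot]          # central value + slope + season
        err = abs(y - forecast)
        # Season 2 only warms up the deviation estimate; flagging starts after it.
        anomalous = t >= 2 * period and err > scale * dev[slot]
        dev[slot] = gamma * err + (1 - gamma) * dev[slot]
        if anomalous:
            flagged.append(t)
            y = forecast                                 # keep the outlier out of the model
        prev_level = level
        level = alpha * (y - season[slot]) + (1 - alpha) * (level + trend)   # alpha: level
        trend = beta * (level - prev_level) + (1 - beta) * trend             # beta: trend
        season[slot] = gamma * (y - level) + (1 - gamma) * season[slot]      # gamma: season
    return flagged


# Constructed sample: one week of 3-hour buckets, a daily cycle plus steady growth.
PERIOD = 8
PATTERN = [40, 30, 50, 90, 120, 110, 80, 60]
SAMPLE = [PATTERN[t % PERIOD] + t for t in range(7 * PERIOD)]
SPIKE_AT = 41                 # night-time trough on day 6, normally 71
SAMPLE[SPIKE_AT] = 100        # still far below the daily peak, so a fixed ceiling misses it

if __name__ == "__main__":
    print(holt_winters_anomalies(SAMPLE, PERIOD))        # prints [41]
```

The constructed series is noise-free, so the band stays at zero width until the first error is seen. On real data `dev` holds each slot's typical error and `scale` sets how far a point may stray from the forecast before it is flagged.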

By combining log data from the risk profiles of each customer asset with near real-time threat intelligence data from our global corporate network and partner threat intelligence feeds, anomaly detection with CenturyLink Cloud Application Manager gives you the power to set thresholds that are likely to be more meaningful — so your monitoring doesn’t “cry wolf,” or overlook a real-time threat.

More resources:

  • Anomaly Detection & Forecasting
  • Cloud Application Management Monitoring – Suppressions
  • Cloud Application Management Monitoring – Events
  • MSSP - Security Log Monitoring with Trending and Threat Analysis