International Business Machines Corporation
Multivariate anomaly detection and identification

Abstract:

A method, computerized apparatus and a computer program product for anomaly detection in a distributed system. The method comprises obtaining measurements of metrics of the distributed system within a timeframe. Each measurement comprises a time-series of values to a metric associated with an action of a component of the distributed system that was measured within the timeframe. A set of percentiles of the measurements is computed, whereby a dimensionality of the sets of percentiles is larger than a dimensionality of the metrics. A multivariate anomaly detection is performed based on the weights of the percentiles to determine an anomaly in the sets of percentiles. In response to detecting an anomaly, a source of the anomaly is identified based on a subset of the percentiles having weights above a threshold, by determining common components or actions that are common to at least a portion of the subset of the percentiles.