Other Methods

Mean absolute deviation#

Median absolute deviation (MAD) is another way of finding anomalies in a series. MAD is considered better than the z-score for real-life data.

MAD is calculated by finding the median of the deviations from the series median. Just for comparison, the standard deviation is the root square of the average square distance from the mean.

Different measures#

We used the number of entries per minute as an indicator. However, depending on the use case, there might be other things you can measure that can yield better results. For example:

• To identify DOS (Denial-of-Service) attacks, you can monitor the ratio between unique IP addresses to HTTP requests.
• To reduce the number of false positives, you can normalize the responses to the proportion of the total responses. This way, for example, if you are using a flaky remote service that fails once after every certain amount of requests, using the proportion may not trigger an alert when the increase in errors correlates with an increase in overall traffic.