Ymir: A Supervised Ensemble Framework for Multivariate Time Series Anomaly Detection

TL;DR

Ymir is a supervised ensemble framework that combines multiple unsupervised models and expert labels to improve multivariate time series anomaly detection in real-world systems.

Contribution

It introduces a novel supervised ensemble approach that integrates unsupervised models with expert labels for enhanced anomaly detection.

Findings

Achieved good anomaly detection performance on large monitoring system datasets.

Effectively combines unsupervised feature extraction with supervised classification.

Provides robust detection results in unsupervised scenarios through ensemble learning.

Abstract

We proposed a multivariate time series anomaly detection frame-work Ymir, which leverages ensemble learning and supervisedlearning technology to efficiently learn and adapt to anomaliesin real-world system applications. Ymir integrates several currentlywidely used unsupervised anomaly detection models through anensemble learning method, and thus can provide robust frontalanomaly detection results in unsupervised scenarios. In a super-vised setting, domain experts and system users discuss and providelabels (anomalous or not) for the training data, which reflects theiranomaly detection criteria for the specific system. Ymir leveragesthe aforementioned unsupervised methods to extract rich and usefulfeature representations from the raw multivariate time series data,then combines the features and labels with a supervised classifier todo anomaly detection. We evaluated Ymir on internal multivariatetime series datasets from large monitoring systems and achievedgood anomaly detection performance.