An Interactive Dive into Time-Series Anomaly Detection

Anomaly detection is an important problem in data analytics with applications in many domains. In recent years, there has been an increasing interest in anomaly detection tasks applied to time series. In this tutorial, we take a holistic view of anomaly detection in time series, starting from the core definitions and taxonomies related to time series and anomaly types, to an extensive description of the anomaly detection methods proposed by different communities in the literature. We explore the literature and the proposed methods by demonstrating systems that help users understand the core computational steps of some methods and navigate benchmark results. Finally, we describe the problem of model selection for anomaly detection and discuss recent experimental results.

Anomaly detection has received ample academic and industrial attention [24], [25].Moreover, as illustrated in Figure 1, anomaly detection applied to time series (compared to other data types) is attracting more interest lately.As commonly defined in the literature [26], anomalies refer to data points (single points or group of points) that do not conform to some notion of normality or an expected behavior based on previously observed data.In practice, anomalies can correspond to erroneous data (e.g., broken sensors) or data of interest (e.g., anomalous behavior of the measured system) [27].Detecting such cases is crucial for many applications [28].
In recent years, time-series anomaly detection is becoming increasingly popular.In particular, multiple surveys, benchmarks, and experimental studies summarize and analyze the state-of-the-art methods [29], [30], [31], [32], [33], [34], exploring different aspects of the problem.Based on these recent works, this tutorial provides a comprehensive view of the anomaly detection task in time series.
We start from definitions for time series, anomalies, and method categories to an interactive dive into demonstration systems.Our goal is four-fold: (i) introduce the motivation   [35]) ignoring several of the state-of-the-art methods, (ii) on specific types of temporal data (such as spatiotemporal data [36]), or (iii) on a much more general topic (only briefly discussing anomaly detection as a subpart of time series analysis [37]).An earlier version of this tutorial [38] focused on a description of the state-of-theart time series anomaly detection methods, offering details on the way they operate.In contrast, this tutorial briefly presents a taxonomy of the methods proposed in the literature, and then focuses on the evaluation of methods, on prototype systems that enable an interactive inspection of methods and their inner-workings, and on the new opportunities that automatic model selection brings to the field.To our knowledge, this is the first tutorial that (i) discusses anomaly detection through the lens of interactivity and demonstration systems, and (ii) addresses model selection opportunities for the specific case of time series anomaly detection.[Audience and Expected Background] This tutorial is for researchers and data analysts and will focus on recent advances in time series anomaly detection.The tutorial aims to initiate new collaborations between members of the data management community and data science practitioners in various domains and increase the interest in anomaly detection for time series.We will present material that includes the necessary background to follow the entire presentation and technical details of the current state-of-the-art solutions for anomaly detection.We will also discuss the drawbacks of existing solutions and the open problems.Both experts and newcomers in the area will be able to follow the material and benefit from the tutorial.

II. TUTORIAL SCOPE
In this 90 minutes lecture-style tutorial, we will go through the problem of anomaly detection in time series, starting from fundamental definitions of time series and anomaly to open problems and opportunities that model selection techniques can bring both in terms of accuracy and performance.

A. Introduction, Motivation and Foundations
We will start by discussing examples of scientific and industrial applications that rely on time-series anomaly detection.
[Type of Time Series] We first introduce the different types of time series.Specifically, we define a time series as an ordered sequence of real values on one (for univariate time series) or multiple dimensions (for multivariate time series).Moreover, we define static and streaming time series as sequences with a fixed length or continuously arriving subsequences.Finally, the normal behavior (i.e., subsequences representing the normal and recurrent behavior) might change over time.In this case, we differentiate single and multiple normalities time series.
[Type of Anomalies] We then introduce the different types of anomalies.The two first categories, point and contextual anomalies, refer to data points deviating remarkably from the rest of the data globally or given a specific context, respectively.With collective anomalies, we refer to sequences of points that do not repeat a typical (previously observed) pattern.Then, on top of these categories, their combination also matters.First, we need to differentiate time series containing single anomalies from time series containing multiple anomalies (with similar or different anomalies).For all these definitions and taxonomies, we will provide explicit examples.

B. Taxonomy of Anomaly Detection Methods
We will then dive into anomaly detection methods proposed in the literature.As many papers appear every year proposing new methods for anomaly detection in time series based on different applications, it is beyond our scope to cover all proposed methods extensively here.In this tutorial, we will briefly summarize popular categories of methods, and we refer the attendees to three recent survey papers for detailed coverage of methods [29], [39], [40].
[Classification by Inputs] We will first mention the three categories of methods based on the external knowledge provided to them.First, unsupervised methods take time series as input and are not provided by any other information.Then, semi-supervised methods take as input time series without any anomalies and are trained on normal data only.Finally, supervised methods take as input separately both normal and abnormal data.Thus, the model is trained to discriminate the anomalies from the normality.
[Classification by methodologies] Then, we will describe the following categories of methods (cf. Figure 2).First, distancebased approaches analyze subsequences by utilizing distances to a given model to detect anomalies.For instance, discordbased approaches use the nearest neighbor distances among subsequences [41], [42], [43], [44], [45], [46], [47], [48].As another example, recent methods in this category first cluster data to obtain the normal behavior and compute the distance to the clusters to detect anomalies [49], [50], [51].Second, density-based methods focus on detecting recurring or isolated behaviors by evaluating the density of the points or subsequences space [52], [53], [54].Third, forecastingbased methods, such as recurrent or convolutional [55] neural network-based [56], have been proposed for this task.Such methods use the past values as input, predict the following, and use the forecasting error as an anomaly score.Last, reconstruction-based methods, such as the AutoEncoder-based approach [57], are trained to reconstruct the time series and use the reconstruction error as an anomaly score.We group these two aforementioned categories into prediction-based methods.

C. Evaluating Anomaly Detection Methods
After describing the methods proposed in the literature, we will focus on how to evaluate them.The choice of benchmarks and accuracy measures may significantly bias the evaluation.
[Evaluation Measures] Thus, we will start by describing the evaluation measures.Briefly, we will first discuss traditional measures, such as Precision, Recall, and F-score, that assess the methods by assuming each time-series point can be marked as an anomaly or not (e.g., by a threshold on an anomaly score).We will then discuss range-based variants [63] that aim to overcome shortcomings of traditional measures when evaluating time series containing subsequence anomalies.We will discuss AUC (Area Under the Curve) measures that, contrary to the previous measures, eliminate the need to define a threshold.We will finally discuss VUS [32] (Volume Under the Surface) measures, which provide more robustness.(e) GutenTAG system Fig. 3. Example of interactive systems that (a,b,d) allow the user to dive into computational steps [58], [59], [60], or (c,e) experimental results [61], [62].
[Experimental Evaluations] Then, we will discuss recent benchmarks proposed for anomaly detection in time series task [33], [31], [32], [64], [30].Such benchmarks provide an extensive collection of time series from various domains and evaluate multiple methods belonging to the aforementioned categories.In this tutorial, we will discuss the results and conclusions of these recent benchmarks, as well as the criticisms that have been expressed about the characteristics and suitability of some datasets for this task [65], [30].

D. New Perspectives for Anomaly Detection
In the last part of the tutorial, we will discuss the challenges and perspectives for improving interpretability and accuracy.
[Interpretability for the User] In contrast to the previous edition that focuses only on a lecture-style description of the anomaly detection methods [38], this tutorial employs interactive exploration to assist in understanding the concepts.Such interactive exploration is important for users to overcome the lack of interpretability that anomaly detection methods can have [56], [57].This is becoming possible by recently proposed prototype systems [59], [60], which enable users to interactively explore methods and their inner-workings, and thus, better understand the different computation steps.In this tutorial, we will discuss and demonstrate recently proposed systems for anomaly detection [58], [60], [59], as well as systems that allow the user to navigate and explore large experimental evaluation studies [62], [61].Figure 3 illustrates examples of these systems.We will use such systems during the tutorial, in order to explain interactively the anomaly detection methods introduced in Section II-B, and the experimental conclusions described in Section II-C.
[Model Selection for Time Series Anomaly Detection] Then, recent benchmarks and evaluation studies (described in the previous section) demonstrated that no overall best anomaly detection methods exist when applied on very heterogeneous time series (i.e., coming from very different domains).This tutorial will discuss possible solutions to overcome this accuracy limitation.We will first discuss ensembling solutions [66], but also model selection methods that select the best anomaly detection method to run based on time series characteristics.We will first describe recent research works related to Au-toML (Automatic Machine Learning) for the general case of anomaly detection [67], and also for time series [68].We will finally discuss the different strategies to apply model selection methods for the specific case of time series anomaly detection.

E. Challenges and Conclusions
We will conclude this tutorial by summarizing the main insights obtained from recent benchmarks on the performances anomaly detection methods [30] and the proper evaluation measures [32].Finally, we will summarize the new challenges that model selection can bring to the field and elaborate on research directions that could solve these new open problems.
III. PRESENTERS Paul Boniol is a researcher at Inria, member of the VALDA project-team.Previously, he worked at ENS Paris-Saclay (Centre Borelli), Université Paris Cité, EDF Research lab, and Ecole Polytechnique (LIX).His research interests lie between data analytics, machine learning, and time-series analysis.His Ph.D. dissertation focused on subsequence anomaly detection and time-series classification.His work has been published in the top data management and analytics venues.John Paparrizos is an assistant professor at The Ohio State University, leading The DATUM Lab.His research focuses on adaptive solutions for data-intensive and machine-learning applications.His doctoral work was recognized at the 2019 ACM SIGKDD Doctoral Dissertation Award competition.He has also received the inaugural ACM SIGMOD Research Highlight Award, a NetApp Faculty Award, and the 2023 IEEE TCDE Rising Star Award.His ideas have been widely adopted across scientific areas, Fortune 100-500 companies (e.g., Exelon and Nokia), and organizations such as ESA.Themis Palpanas is an elected Senior Member of the French University Insitute (IUF), and Distinguished Professor of computer science at the University of Paris (France).He is the author of 14 patents, has received 3 best paper awards and the IBM SUR award, has been Program Chair for VLDB 2025 and IEEE BigData 2023, General Chair for VLDB 2013, and has served Editor in Chief for BDR.He has been working in the fields of Data Series Management and Analytics for more than 15 years, and has developed several of the state of the art techniques.He has delivered 19 tutorials in top conferences.