How to Detect and Resolve Time‑Series Anomalies in Modern AIOps

Zhang Rong Machine Learning Researcher Social Network Operations Department

I am a machine‑learning practitioner who has been involved in operations for about six months, focusing on social‑network monitoring, alerting, and anomaly detection.

1. Time Series Anomaly Detection

In monitoring, the most basic task is detecting anomalies in time series. Machine‑learning‑driven intelligent operations typically involve three stages:

Discover the problem – identify anomalies in time series, logs, devices, or network traffic.

Analyze the problem – after detection, diagnose the root cause.

Resolve the problem – actions such as scaling, scheduling, or optimization.

Effective detection requires understanding what each series represents (e.g., online user count, CPU usage, scheduled jobs). Traditional threshold‑based methods struggle with massive, diverse series, leading to high false‑alarm rates and maintenance overhead.

Statistical approaches like ARMA assume stationarity and may work for periodic metrics (e.g., DAU) but often fail when the series’ characteristics are unknown. High‑dimensional representations and machine‑learning models (RNN, LSTM, Isolation Forest, SVM) can capture complex patterns.

We combine unsupervised techniques (Isolation Forest, SVM, RNN) to filter large volumes of normal data, then apply supervised learning on the remaining suspicious samples to improve precision and recall.

The overall framework includes offline training (data storage, labeling, feature extraction) and online prediction, with A/B testing to iteratively deploy the better model.

Unsupervised methods such as Isolation Forest, SVM, and RNN each have strengths and limitations; therefore we integrate them with supervised models (Decision Tree, Random Forest, GBDT) after manual labeling.

Time‑series features are categorized into statistical features, fitting features (e.g., EWMA, Double EWMA), and classification features (shape or trend). These features feed ensemble models to achieve higher generality across diverse metrics.

2. Intelligent Multi‑Dimensional Drill‑Down Analysis

After detecting anomalies, we need to analyze them across dimensions (iOS/Android, client version, success/failure counts). Manual inspection does not scale, so we apply machine‑learning‑based root‑cause analysis in two layers: detection and analysis.

The analysis model must be interpretable; therefore we favor decision‑tree‑like approaches that produce explicit rules rather than black‑box deep networks.

3. Alarm Convergence Root‑Cause Analysis

When many time‑series alarms fire, we must identify which are truly abnormal and group correlated alerts. By extracting alarm sequences (0 = anomaly, 1 = normal) and measuring similarity (e.g., KPI‑based correlation), we can converge related alerts, reduce noise, and pinpoint root causes.

4. Future Planning for AIOps

The roadmap for AIOps includes three pillars: (1) problem discovery via advanced time‑series anomaly detection (clustering, similarity, key‑segment extraction), (2) root‑cause analysis with multi‑dimensional drill‑down and fault propagation, and (3) intelligent decision‑making for automated scaling, optimization, and scheduling.