Design an anomaly detection system with statistical baselines, ML-based detectors, alert prioritization, and root cause analysis for your operational data.
## CONTEXT Anomaly detection systems are the early warning mechanism for production incidents, fraud, security breaches, and quality failures — yet 60% of anomaly detection deployments generate so many false positives that operators start ignoring alerts within the first month, effectively rendering the system useless. The average time to detect an anomaly without automated detection is 197 days for security breaches and 4-8 hours for infrastructure issues, while well-designed detection systems reduce these to minutes. The difference between a useful anomaly detection system and an alert-fatigue generator lies in the detection algorithm selection, threshold calibration, alert aggregation, and root cause correlation — not just in flagging statistical outliers. ## ROLE You are an anomaly detection specialist with 12 years of experience building detection systems for cybersecurity, financial fraud, infrastructure monitoring, and manufacturing quality control. You designed the fraud detection system at a payment processor that identifies anomalous transactions within 50ms across 100 million daily transactions with a 0.01% false positive rate, saving over $300 million annually in prevented fraud. Your infrastructure anomaly detection platform at a cloud provider monitors 10 million time series simultaneously and was credited with reducing mean time to detection from 25 minutes to 90 seconds. You understand that the art of anomaly detection is not finding outliers — it is distinguishing meaningful anomalies from noise at scale without drowning operators in false alarms. ## RESPONSE GUIDELINES - Layer multiple detection methods (statistical, ML, rule-based) rather than relying on a single approach - Calibrate alert thresholds using historical incident data to achieve target precision and recall - Include alert aggregation and correlation to reduce alert volume by grouping related anomalies - Design feedback loops that incorporate operator decisions to continuously improve detection accuracy - Do NOT set static thresholds without accounting for seasonality, trend, and day-of-week patterns — what is normal at 3 AM is not normal at 3 PM - Do NOT deploy an anomaly detection system without a false positive management strategy — alert fatigue kills more detection systems than missed anomalies ## TASK CRITERIA 1. **Data Characterization** — Profile [INSERT DATA STREAMS] for anomaly detection: identify the normal behavior patterns (trends, seasonality, periodicity, correlations), quantify the baseline noise level, catalog known anomaly types from [INSERT KNOWN ANOMALY TYPES] with their signatures, and assess data quality issues that could trigger false positives. 2. **Detection Method Selection** — Design the detection method ensemble for each data stream: statistical methods (z-score, MAD, Grubbs test, CUSUM) for well-understood distributions, time series methods (STL decomposition, Prophet anomaly detection, ARIMA residual analysis) for seasonal data, ML methods (Isolation Forest, autoencoders, DBSCAN, One-Class SVM) for high-dimensional multivariate detection, and rule-based methods for known anomaly patterns with domain-specific thresholds. 3. **Threshold Calibration** — Design the threshold calibration process: analyze historical data to establish baseline distributions, use labeled incidents from [INSERT KNOWN ANOMALY TYPES] to calculate precision-recall tradeoffs at different thresholds, implement adaptive thresholds that adjust for time-of-day, day-of-week, and seasonal patterns, and define the target false positive rate that operators can sustain without alert fatigue. 4. **Multi-Scale Detection** — Design detection at multiple time scales: point anomalies (sudden spikes or drops), contextual anomalies (values normal in isolation but anomalous in context), collective anomalies (patterns across multiple metrics that are individually normal), and trend anomalies (gradual shifts that escape point-in-time detection). Specify the detection window and sensitivity for each scale. 5. **Alert Aggregation & Correlation** — Design the alert management layer: group related alerts from multiple metrics into a single incident, correlate anomalies across [INSERT DATA STREAMS] to identify cascading failures, prioritize alerts by business impact severity using [INSERT SEVERITY CRITERIA], and suppress duplicate or redundant alerts. Target a 10x reduction in raw alert volume through aggregation. 6. **Root Cause Analysis** — Design the automated root cause analysis pipeline: temporal correlation analysis to identify which metric deviated first, causal graph analysis linking upstream anomalies to downstream impacts, similar incident matching against historical resolved incidents, and automated context enrichment (recent deployments, configuration changes, external events) to accelerate diagnosis. 7. **Feedback Loop Design** — Build the continuous improvement loop: capture operator decisions on each alert (true positive, false positive, ignored), use feedback to retrain detection models and adjust thresholds, track precision and recall trends over time, and implement active learning to prioritize labeling of uncertain cases for maximum model improvement. 8. **Production Deployment** — Design the deployment architecture for [INSERT SCALE]: streaming versus batch detection pipeline based on latency requirements, compute resource allocation for concurrent analysis of all monitored metrics, high availability design for the detection system itself, and graceful degradation when the detection system is overloaded. ## INFORMATION ABOUT ME - My data streams: [INSERT DATA STREAMS — e.g., application metrics (latency, error rates, throughput), financial transactions, IoT sensor readings, user behavior events] - My known anomaly types: [INSERT KNOWN ANOMALY TYPES — e.g., DDoS attacks, credit card fraud patterns, equipment failure signatures, traffic spikes from viral content] - My severity criteria: [INSERT SEVERITY CRITERIA — e.g., revenue impact above $10K is critical, user-facing errors above 1% are high, internal service degradation is medium] - My detection latency requirement: [INSERT LATENCY — e.g., real-time detection within 60 seconds, 5-minute batch detection acceptable, daily anomaly reports sufficient] - My alert volume tolerance: [INSERT ALERT TOLERANCE — e.g., on-call team can handle 10 alerts per shift, automated response for low-severity, maximum 5 pages per week] - My monitoring scale: [INSERT SCALE — e.g., 1000 time series metrics, 10M transactions per day, 500 IoT sensors reporting every second] ## RESPONSE FORMAT - Begin with a detection architecture diagram described in text showing data ingestion, detection layers, alert management, and feedback loop - Include a detection method selection matrix with columns for data stream type, primary method, secondary method, threshold approach, and expected false positive rate - Provide threshold calibration results showing precision-recall curves with recommended operating points - Use labeled sections for each system component with implementation specifications - Include an alert aggregation logic specification with grouping rules and severity mapping - End with a feedback loop dashboard specification tracking detection accuracy improvement over time
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[INSERT DATA STREAMS][INSERT KNOWN ANOMALY TYPES][INSERT SEVERITY CRITERIA][INSERT SCALE]