Revisiting OmniAnomaly for Anomaly Detection: performance metrics and comparison with PCA-based models

Anomaly detection is an important field in data analysis, aiming to identify observations that significantly deviate from normal patterns. In multivariate time series, anomaly detection is particularly complex due to high dimensionality, temporal dependencies, and class imbalance. Traditional statistical methods like Principal Component Analysis (PCA) model normal behavior by estimating covariance structures and identifying deviations from a principal subspace. However, with the development of deep learning technologies, more research is focusing on how to use deep learning models to capture nonlinear relationships and temporal dynamics in data. OmniAnomaly is a stochastic recurrent model based on a variational autoencoder (VAE) that integrates Gated Recurrent Units (GRU) to capture temporal dynamics, widely used in multivariate time series anomaly detection (MTSAD). Despite the growing popularity of deep generative and recurrent models in MTSAD, the empirical benefits of such architectural complexity are not always systematically validated.

The core problem in multivariate time series anomaly detection (MTSAD) is how to effectively identify anomalies in high-dimensional and temporally dependent data. Traditional statistical methods like PCA, while simple, may not capture complex nonlinear relationships and temporal dynamics in data. Deep learning models like OmniAnomaly, although capable of capturing these complex relationships, do not always have their empirical benefits systematically validated. Additionally, differences in thresholding strategies and evaluation protocols make fair comparisons between different methods difficult. Therefore, how to compare the performance of different methods under a unified evaluation framework is an important issue in MTSAD research.

The core innovation of this study lies in the first systematic comparison of OmniAnomaly and PCA under identical evaluation conditions. Specifically, the study provides a more transparent assessment of anomaly detection methods by eliminating the effects of threshold selection and evaluation protocol. This innovation not only challenges the assumption of the universal superiority of complex models in anomaly detection but also reveals that simpler models may offer comparable performance to complex ones in certain scenarios. Additionally, the study underscores the critical role of evaluation methodology in anomaly detection research, calling for more transparent and consistent evaluation standards.

• �� Dataset: The Server Machine Dataset (SMD) was used, containing operational measurements from 28 distinct server machines.
• �� Model Selection: OmniAnomaly and PCA were compared, with the former being a stochastic recurrent model based on a variational autoencoder (VAE) and the latter a classical linear method.
• �� Evaluation Protocol: Identical thresholding and evaluation protocols were adopted to ensure fair comparisons.
• �� Experimental Design: 100 independent experiments were conducted on each machine, with evaluation metrics including precision, recall, and F1-score.
• �� Data Processing: Training and test sets were separately standardized to ensure data consistency.

The experimental design includes a systematic comparison of OmniAnomaly and PCA on the Server Machine Dataset (SMD). The SMD dataset contains operational measurements from 28 distinct server machines, with data divided into training and test sets for each machine. 100 independent experiments were conducted on each machine, with evaluation metrics including precision, recall, and F1-score. To ensure fair comparisons, identical thresholding and evaluation protocols were adopted. Specifically, the Peaks-Over-Threshold (POT) method and grid search (GS) strategy were used for threshold selection to evaluate model performance under different thresholds.

The experimental results show that OmniAnomaly and PCA perform comparably under identical thresholding and evaluation protocols, with PCA even outperforming OmniAnomaly without point adjustment. OmniAnomaly achieves an average F1-score of 0.746 (POT threshold) and 0.933 (GS threshold) on the SMD dataset, with PCA performing comparably under the same conditions. Additionally, the results show large variability across machines, with some achieving near-perfect F1-scores while others perform poorly, highlighting the importance of machine-level evaluation.

The results of this study have significant implications for various application scenarios. Firstly, in resource-constrained applications, choosing simpler models like PCA might be more cost-effective. Secondly, in scenarios requiring rapid deployment and real-time detection, the low computational complexity and efficiency of simple models make them ideal choices. Additionally, the study's findings can guide the design and optimization of anomaly detection systems, helping developers find the best balance between performance and complexity.

Despite the significance of the findings, there are also limitations. Firstly, the study is conducted only on the SMD dataset, and the results may not generalize to other datasets or domains. Secondly, other types of anomaly detection methods, such as graph-based or ensemble learning methods, are not considered. Additionally, the study does not explore the performance differences of models under different parameter settings. Future research could validate the findings on more datasets to assess their generalizability, explore methods that combine PCA and deep learning models, and focus on the impact of different evaluation protocols on anomaly detection performance.