Machine Learning Anomaly Detection API

Note

This item is under maintenance. We encourage you to use the Anomaly Detector API service powered by a gallery of Machine Learning algorithms under Azure Cognitive Services to detect anomalies from business, operational, and IoT metrics.

Overview

Anomaly Detection API is an example built with Azure Machine Learning that detects anomalies in time series data with numerical values that are uniformly spaced in time.

This API can detect the following types of anomalous patterns in time series data:

  • Positive and negative trends: For example, when monitoring memory usage in computing, an upward trend may be of interest as it may be indicative of a memory leak,
  • Changes in the dynamic range of values: For example, when monitoring the exceptions thrown by a cloud service, any changes in the dynamic range of values could indicate instability in the health of the service, and
  • Spikes and Dips: For example, when monitoring the number of login failures in a service or number of checkouts in an e-commerce site, spikes or dips could indicate abnormal behavior.

These machine learning detectors track such changes in values over time and report ongoing changes in their values as anomaly scores. They do not require ad hoc threshold tuning and their scores can be used to control the false positive rate. The anomaly detection API is useful in several scenarios, such as service monitoring by tracking KPIs over time, usage monitoring through metrics such as number of searches and number of clicks, and performance monitoring through counters such as memory, CPU, and file reads over time.

The Anomaly Detection offering comes with useful tools to get you started.

  • The web application helps you evaluate and visualize the results of anomaly detection APIs on your data.

Note

Try IT Anomaly Insights solution powered by this API

API Deployment

In order to use the API, you must deploy it to your Azure subscription where it will be hosted as an Azure Machine Learning web service. You can do this from the Azure AI Gallery. This will deploy two Azure Machine Learning Studio (classic) Web Services (and their related resources) to your Azure subscription: one for anomaly detection with seasonality detection, and one without seasonality detection. Once the deployment has completed, you will be able to manage your APIs from the Azure Machine Learning Studio (classic) web services page. From this page, you will be able to find your endpoint locations, API keys, as well as sample code for calling the API. More detailed instructions are available here.

Scaling the API

By default, your deployment will have a free Dev/Test billing plan that includes 1,000 transactions/month and 2 compute hours/month. You can upgrade to another plan as per your needs. Details on the pricing of different plans are available here under "Production Web API pricing".

Managing AML Plans

You can manage your billing plan here. The plan name will be based on the resource group name you chose when deploying the API, plus a string that is unique to your subscription. Instructions on how to upgrade your plan are available here under the "Managing billing plans" section.

API Definition

The web service provides a REST-based API over HTTPS that can be consumed in different ways including a web or mobile application, R, Python, Excel, etc. You send your time series data to this service via a REST API call, and it runs a combination of the three anomaly types described below.

Calling the API

In order to call the API, you will need to know the endpoint location and API key. These two requirements, along with sample code for calling the API, are available from the Azure Machine Learning Studio (classic) web services page. Navigate to the desired API, and then click the "Consume" tab to find them. You can call the API as a Swagger API (that is, with the URL parameter format=swagger) or as a non-Swagger API (that is, without the format URL parameter). The sample code uses the Swagger format. Below is an example request and response in non-Swagger format. These examples are to the seasonality endpoint. The non-seasonality endpoint is similar.

Sample Request Body

The request contains two objects: Inputs and GlobalParameters. In the example request below, some parameters are sent explicitly while others are not (scroll down for a full list of parameters for each endpoint). Parameters that are not sent explicitly in the request will use the default values given below.

{
    "Inputs": {
        "input1": {
            "ColumnNames": ["Time", "Data"],
            "Values": [
                ["5/30/2010 18:07:00", "1"],
                ["5/30/2010 18:08:00", "1.4"],
                ["5/30/2010 18:09:00", "1.1"]
            ]
        }
    },
    "GlobalParameters": {
        "tspikedetector.sensitivity": "3",
        "zspikedetector.sensitivity": "3",
        "bileveldetector.sensitivity": "3.25",
        "detectors.spikesdips": "Both"
    }
}

Sample Response

In order to see the ColumnNames field, you must include details=true as a URL parameter in your request. See the tables below for the meaning behind each of these fields.

{
    "Results": {
        "output1": {
            "type": "table",
            "value": {
                "Values": [
                    ["5/30/2010 6:07:00 PM", "1", "1", "0", "0", "-0.687952590518378", "0", "-0.687952590518378", "0", "-0.687952590518378", "0"],
                    ["5/30/2010 6:08:00 PM", "1.4", "1.4", "0", "0", "-1.07030497733224", "0", "-0.884548154298423", "0", "-1.07030497733224", "0"],
                    ["5/30/2010 6:09:00 PM", "1.1", "1.1", "0", "0", "-1.30229513613974", "0", "-1.173800281031", "0", "-1.30229513613974", "0"]
                ],
                "ColumnNames": ["Time", "OriginalData", "ProcessedData", "TSpike", "ZSpike", "BiLevelChangeScore", "BiLevelChangeAlert", "PosTrendScore", "PosTrendAlert", "NegTrendScore", "NegTrendAlert"],
                "ColumnTypes": ["DateTime", "Double", "Double", "Double", "Double", "Double", "Int32", "Double", "Int32", "Double", "Int32"]
            }
        }
    }
}
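
As an added example (not part of the original page and not Microsoft's sample code), the following Python builds the non-Swagger request body shown above and converts the response table into typed rows using its ColumnNames and ColumnTypes. The function names and the fourth response row are constructed for illustration; the first three rows are the page's sample.

```python
from datetime import datetime

def build_request(points, global_parameters=None):
    """Non-Swagger request body; points is an iterable of (datetime, number)."""
    values = [[f"{t.month}/{t.day}/{t.year} {t:%H:%M:%S}", str(v)] for t, v in points]
    return {"Inputs": {"input1": {"ColumnNames": ["Time", "Data"], "Values": values}},
            "GlobalParameters": dict(global_parameters or {})}

# Converters for the three ColumnTypes that occur in the sample response.
CASTS = {"DateTime": lambda s: datetime.strptime(s, "%m/%d/%Y %I:%M:%S %p"),
         "Double": float, "Int32": int}
ALERT_COLUMNS = ("TSpike", "ZSpike", "BiLevelChangeAlert", "PosTrendAlert", "NegTrendAlert")

def parse_response(body):
    """Return Results.output1 as a list of dicts, each cell cast per ColumnTypes."""
    table = body["Results"]["output1"]["value"]
    if "ColumnNames" not in table or "ColumnTypes" not in table:
        raise ValueError("column metadata missing; call the endpoint with details=true")
    names, types = table["ColumnNames"], table["ColumnTypes"]
    rows = []
    for raw in table["Values"]:
        if len(raw) != len(names):
            raise ValueError(f"row has {len(raw)} cells, expected {len(names)}")
        rows.append({n: CASTS[t](cell) for n, t, cell in zip(names, types, raw)})
    return rows

def flagged(rows):
    """(time, [indicator names]) for every row where a spike flag or alert is 1."""
    hits = []
    for row in rows:
        fired = [c for c in ALERT_COLUMNS if row.get(c, 0) == 1]
        if fired:
            hits.append((row["Time"], fired))
    return hits

# Rows 1-3 are the page's sample response; row 4 is constructed to show a spike.
SAMPLE_RESPONSE = {"Results": {"output1": {"type": "table", "value": {
    "Values": [
        ["5/30/2010 6:07:00 PM", "1", "1", "0", "0", "-0.687952590518378", "0", "-0.687952590518378", "0", "-0.687952590518378", "0"],
        ["5/30/2010 6:08:00 PM", "1.4", "1.4", "0", "0", "-1.07030497733224", "0", "-0.884548154298423", "0", "-1.07030497733224", "0"],
        ["5/30/2010 6:09:00 PM", "1.1", "1.1", "0", "0", "-1.30229513613974", "0", "-1.173800281031", "0", "-1.30229513613974", "0"],
        ["5/30/2010 6:10:00 PM", "9.5", "9.5", "1", "1", "0", "0", "0", "0", "0", "0"],
    ],
    "ColumnNames": ["Time", "OriginalData", "ProcessedData", "TSpike", "ZSpike", "BiLevelChangeScore", "BiLevelChangeAlert", "PosTrendScore", "PosTrendAlert", "NegTrendScore", "NegTrendAlert"],
    "ColumnTypes": ["DateTime", "Double", "Double", "Double", "Double", "Double", "Int32", "Double", "Int32", "Double", "Int32"],
}}}}

if __name__ == "__main__":
    for when, fired in flagged(parse_response(SAMPLE_RESPONSE)):
        print(when.isoformat(), ", ".join(fired))
```
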

Score API

The Score API is used for running anomaly detection on non-seasonal time series data. The API runs a number of anomaly detectors on the data and returns their anomaly scores. The figure below shows an example of anomalies that the Score API can detect. This time series has two distinct level changes, and three spikes. The red dots show the time at which the level change is detected, while the black dots show the detected spikes.

[Figure: Score API]

Detectors

The anomaly detection API supports detectors in three broad categories. Details on specific input parameters and outputs for each detector can be found in the following table.

| Detector Category | Detector | Description | Input Parameters | Outputs |
| --- | --- | --- | --- | --- |
| Spike Detectors | TSpike Detector | Detect spikes and dips based on how far the values are from first and third quartiles | tspikedetector.sensitivity: takes integer value in the range 1-10, default: 3; higher values will catch more extreme values, thus making it less sensitive | TSpike: binary values – ‘1’ if a spike/dip is detected, ‘0’ otherwise |
| Spike Detectors | ZSpike Detector | Detect spikes and dips based on how far the datapoints are from their mean | zspikedetector.sensitivity: takes integer value in the range 1-10, default: 3; higher values will catch more extreme values, making it less sensitive | ZSpike: binary values – ‘1’ if a spike/dip is detected, ‘0’ otherwise |
| Slow Trend Detector | Slow Trend Detector | Detect slow positive trend as per the set sensitivity | trenddetector.sensitivity: threshold on detector score (default: 3.25, 3.25 – 5 is a reasonable range to select from; the higher the less sensitive) | tscore: floating number representing anomaly score on trend |
| Level Change Detectors | Bidirectional Level Change Detector | Detect both upward and downward level change as per the set sensitivity | bileveldetector.sensitivity: threshold on detector score (default: 3.25, 3.25 – 5 is a reasonable range to select from; the higher the less sensitive) | rpscore: floating number representing anomaly score on upward and downward level change |

Parameters

More detailed information on these input parameters is listed in the table below:

| Input Parameters | Description | Default Setting | Type | Valid Range | Suggested Range |
| --- | --- | --- | --- | --- | --- |
| detectors.historywindow | History (in # of data points) used for anomaly score computation | 500 | integer | 10-2000 | Time-series dependent |
| detectors.spikesdips | Whether to detect only spikes, only dips, or both | Both | enumerated | Both, Spikes, Dips | Both |
| bileveldetector.sensitivity | Sensitivity for bidirectional level change detector. | 3.25 | double | None | 3.25-5 (Lesser values mean more sensitive) |
| trenddetector.sensitivity | Sensitivity for positive trend detector. | 3.25 | double | None | 3.25-5 (Lesser values mean more sensitive) |
| tspikedetector.sensitivity | Sensitivity for TSpike Detector | 3 | integer | 1-10 | 3-5 (Lesser values mean more sensitive) |
| zspikedetector.sensitivity | Sensitivity for ZSpike Detector | 3 | integer | 1-10 | 3-5 (Lesser values mean more sensitive) |
| postprocess.tailRows | Number of the latest data points to be kept in the output results | 0 | integer | 0 (keep all data points), or specify number of points to keep in results | N/A |

Output

The API runs all detectors on your time series data and returns anomaly scores and binary spike indicators for each point in time. The table below lists outputs from the API.

| Outputs | Description |
| --- | --- |
| Time | Timestamps from raw data, or aggregated (and/or) imputed data if aggregation (and/or) missing data imputation is applied |
| Data | Values from raw data, or aggregated (and/or) imputed data if aggregation (and/or) missing data imputation is applied |
| TSpike | Binary indicator to indicate whether a spike is detected by TSpike Detector |
| ZSpike | Binary indicator to indicate whether a spike is detected by ZSpike Detector |
| rpscore | A floating number representing anomaly score on bidirectional level change |
| rpalert | 1/0 value indicating there is a bidirectional level change anomaly based on the input sensitivity |
| tscore | A floating number representing anomaly score on positive trend |
| talert | 1/0 value indicating there is a positive trend anomaly based on the input sensitivity |

ScoreWithSeasonality API

The ScoreWithSeasonality API is used for running anomaly detection on time series that have seasonal patterns. This API is useful to detect deviations in seasonal patterns. The following figure shows an example of anomalies detected in a seasonal time series. The time series has one spike (the first black dot), two dips (the second black dot and one at the end), and one level change (red dot). Both the dip in the middle of the time series and the level change are only discernible after seasonal components are removed from the series.

[Figure: Seasonality API]

Detectors

The detectors in the seasonality endpoint are similar to the ones in the non-seasonality endpoint, but with slightly different parameter names (listed below).

Parameters

More detailed information on these input parameters is listed in the table below:

| Input Parameters | Description | Default Setting | Type | Valid Range | Suggested Range |
| --- | --- | --- | --- | --- | --- |
| preprocess.aggregationInterval | Aggregation interval in seconds for aggregating input time series | 0 (no aggregation is performed) | integer | 0: skip aggregation, > 0 otherwise | 5 minutes to 1 day, time-series dependent |
| preprocess.aggregationFunc | Function used for aggregating data into the specified AggregationInterval | mean | enumerated | mean, sum, length | N/A |
| preprocess.replaceMissing | Values used to impute missing data | lkv (last known value) | enumerated | zero, lkv, mean | N/A |
| detectors.historywindow | History (in # of data points) used for anomaly score computation | 500 | integer | 10-2000 | Time-series dependent |
| detectors.spikesdips | Whether to detect only spikes, only dips, or both | Both | enumerated | Both, Spikes, Dips | Both |
| bileveldetector.sensitivity | Sensitivity for bidirectional level change detector. | 3.25 | double | None | 3.25-5 (Lesser values mean more sensitive) |
| postrenddetector.sensitivity | Sensitivity for positive trend detector. | 3.25 | double | None | 3.25-5 (Lesser values mean more sensitive) |
| negtrenddetector.sensitivity | Sensitivity for negative trend detector. | 3.25 | double | None | 3.25-5 (Lesser values mean more sensitive) |
| tspikedetector.sensitivity | Sensitivity for TSpike Detector | 3 | integer | 1-10 | 3-5 (Lesser values mean more sensitive) |
| zspikedetector.sensitivity | Sensitivity for ZSpike Detector | 3 | integer | 1-10 | 3-5 (Lesser values mean more sensitive) |
| seasonality.enable | Whether seasonality analysis is to be performed | true | boolean | true, false | Time-series dependent |
| seasonality.numSeasonality | Maximum number of periodic cycles to be detected | 1 | integer | 1, 2 | 1-2 |
| seasonality.transform | Whether seasonal (and) trend components shall be removed before applying anomaly detection | deseason | enumerated | none, deseason, deseasontrend | N/A |
| postprocess.tailRows | Number of the latest data points to be kept in the output results | 0 | integer | 0 (keep all data points), or specify number of points to keep in results | N/A |
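
One way to check GlobalParameters against the seasonality table above before sending a request (an added Python example, not Microsoft's code). It rejects names that belong only to the non-seasonality endpoint, such as trenddetector.sensitivity, along with out-of-range and mistyped values. Sending values as strings follows the sample request; writing booleans as "true"/"false" and the name check_parameters are assumptions.

```python
INT, DBL, ENUM, BOOL = "integer", "double", "enumerated", "boolean"

# name -> (type, constraint): (low, high) for integers, members for enums, else None.
# Types and valid ranges are copied from the seasonality endpoint's parameter table.
SPEC = {
    "preprocess.aggregationInterval": (INT, (0, None)),
    "preprocess.aggregationFunc": (ENUM, ("mean", "sum", "length")),
    "preprocess.replaceMissing": (ENUM, ("zero", "lkv", "mean")),
    "detectors.historywindow": (INT, (10, 2000)),
    "detectors.spikesdips": (ENUM, ("Both", "Spikes", "Dips")),
    "bileveldetector.sensitivity": (DBL, None),
    "postrenddetector.sensitivity": (DBL, None),
    "negtrenddetector.sensitivity": (DBL, None),
    "tspikedetector.sensitivity": (INT, (1, 10)),
    "zspikedetector.sensitivity": (INT, (1, 10)),
    "seasonality.enable": (BOOL, None),
    "seasonality.numSeasonality": (INT, (1, 2)),
    "seasonality.transform": (ENUM, ("none", "deseason", "deseasontrend")),
    "postprocess.tailRows": (INT, (0, None)),
}

def check_parameters(params):
    """Return (serialized, errors); serialized maps each valid name to a string value."""
    serialized, errors = {}, []
    for name, value in params.items():
        if name not in SPEC:
            errors.append(f"{name}: not a documented parameter of this endpoint")
            continue
        kind, constraint = SPEC[name]
        if kind == BOOL:
            ok, text = isinstance(value, bool), str(value).lower()
        elif kind == ENUM:
            ok, text = value in constraint, str(value)  # enum names are case-sensitive here
        else:
            # bool is a subclass of int in Python, so exclude it from numeric types
            numeric = (int,) if kind == INT else (int, float)
            ok = isinstance(value, numeric) and not isinstance(value, bool)
            text = str(value)
        if ok and kind == INT and constraint:
            low, high = constraint
            ok = value >= low and (high is None or value <= high)
        if ok:
            serialized[name] = text
        else:
            errors.append(f"{name}: {value!r} is not a valid {kind} value")
    return serialized, errors

if __name__ == "__main__":
    print(check_parameters({"tspikedetector.sensitivity": 11, "seasonality.enable": True}))
```
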

Output

The API runs all detectors on your time series data and returns anomaly scores and binary spike indicators for each point in time. The table below lists outputs from the API.

| Outputs | Description |
| --- | --- |
| Time | Timestamps from raw data, or aggregated (and/or) imputed data if aggregation (and/or) missing data imputation is applied |
| OriginalData | Values from raw data, or aggregated (and/or) imputed data if aggregation (and/or) missing data imputation is applied |
| ProcessedData | Either of the following options: seasonally adjusted time series if significant seasonality has been detected and deseason option selected; seasonally adjusted and detrended time series if significant seasonality has been detected and deseasontrend option selected; otherwise, this option is the same as OriginalData |
| TSpike | Binary indicator to indicate whether a spike is detected by TSpike Detector |
| ZSpike | Binary indicator to indicate whether a spike is detected by ZSpike Detector |
| BiLevelChangeScore | A floating number representing anomaly score on level change |
| BiLevelChangeAlert | 1/0 value indicating there is a level change anomaly based on the input sensitivity |
| PosTrendScore | A floating number representing anomaly score on positive trend |
| PosTrendAlert | 1/0 value indicating there is a positive trend anomaly based on the input sensitivity |
| NegTrendScore | A floating number representing anomaly score on negative trend |
| NegTrendAlert | 1/0 value indicating there is a negative trend anomaly based on the input sensitivity |