Lilly Tech Systems
Advanced
Real-time Anomaly Detection
Build streaming detection pipelines that analyze network traffic in real time, processing millions of events per second with minimal latency.
Streaming Architecture
Real-time anomaly detection requires a streaming data pipeline that ingests, processes, and scores network events continuously:
- Data ingestion: Collect NetFlow, syslog, and packet data via Kafka, Fluentd, or dedicated collectors
- Feature extraction: Compute real-time features using sliding windows and incremental statistics
- Model inference: Score each event or window against pre-trained anomaly detection models
- Alert generation: Trigger alerts when anomaly scores exceed thresholds, with deduplication and correlation
Stream Processing Frameworks
| Framework | Latency | Throughput | ML Integration |
|---|---|---|---|
| Apache Kafka Streams | Low (ms) | Very High | Via ONNX/PMML |
| Apache Flink | Very Low | Very High | Native ML libraries |
| Apache Spark Streaming | Medium (seconds) | High | MLlib integration |
| Custom Python (asyncio) | Low | Medium | Full Python ML ecosystem |
Latency vs. accuracy tradeoff: Smaller time windows give faster detection but less context. Larger windows provide more accurate scoring but add latency. Most production systems use multiple window sizes (e.g., 1-second for volume spikes, 5-minute for behavioral shifts, 1-hour for slow attacks).
Incremental Feature Computation
In streaming mode, you cannot re-scan all historical data for each event. Use incremental algorithms:
- Running mean and variance: Welford's online algorithm for streaming statistics
- Count-Min Sketch: Probabilistic data structure for frequency estimation
- HyperLogLog: Approximate unique count of source/destination IPs
- Sliding window counters: Ring buffers for windowed aggregations
Model Serving for Real-time
Deploying ML models for real-time inference requires careful optimization:
- Model serialization: Export models to ONNX or TorchScript for optimized inference
- Batch scoring: Group events into micro-batches for GPU efficiency
- Model versioning: A/B test new models alongside existing ones
- Edge deployment: Run lightweight models on network devices for local detection
Alert Management
Raw anomaly detections must be processed into actionable alerts:
- Deduplication: Suppress repeated alerts for the same ongoing anomaly
- Correlation: Group related anomalies across devices into single incidents
- Severity scoring: Rank alerts by business impact, not just anomaly score
- Enrichment: Add context (device info, topology, recent changes) to each alert
Production tip: Implement a feedback loop where operators can mark alerts as true/false positives. Use this feedback to continuously tune thresholds and retrain models, reducing alert fatigue over time.