Feature Engineering for Time‑Series Anomaly Detection
Classical anomaly detection often succeeds or fails based on feature engineering. For time‑series data, good features can turn noisy signals into clear anomaly indicators.
This post outlines practical time‑series features and how to combine them.
1) Rolling statistics
Compute statistics over a sliding window:
- Mean / median
- Std dev / variance
- Min / max / range
These features help detect drift and spikes.
2) Lag features
Include previous values as features:
- x(t‑1), x(t‑2), …
Useful when anomalies depend on sudden changes relative to history.
3) Differences and deltas
- First difference: x(t) − x(t‑1)
- Percent change: (x(t) − x(t‑1)) / x(t‑1)
These capture abrupt transitions.
4) Seasonality features
Encode periodic patterns:
- Hour of day, day of week, month
- Sine/cosine transforms for cyclical time
This helps models avoid flagging normal daily/weekly spikes as anomalies.
5) Rolling z‑scores
Normalize values within a window:
z(t) = (x(t) − mean(window)) / std(window)
This standardizes anomalies relative to the local baseline.
6) Trend and slope
- Linear regression slope over a window
- Exponentially weighted moving average (EWMA)
Useful for slow drifts or creeping failures.
7) Frequency‑domain features
Transform series into frequency space:
- FFT peak frequency
- Spectral entropy
Useful for cyclical signals (e.g., machine vibrations).
Putting it together (example)
A typical feature set might include:
- Rolling mean, rolling std, rolling max
- Lagged values (t‑1, t‑2, t‑7)
- First difference and % change
- Hour‑of‑day and day‑of‑week embeddings
These features feed a classical model like Isolation Forest, One‑Class SVM, or GBDT.
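An added example (not from the original post) that builds part of the feature set above, plus the rolling z‑score from section 5, using only the Python standard library. The function names, the 24‑hour window, the z threshold of 4, the std floor and the sample series are assumptions chosen for illustration; the data is constructed.

```python
import math
from statistics import mean, pstdev

def build_features(series, window=24, min_std=1e-6):
    # series: list of (hour_index, value) hourly samples, oldest first.
    values = [v for _, v in series]
    rows = []
    for i in range(window, len(series)):
        hour, x = series[i]
        past = values[i - window:i]  # trailing window excludes x(t) itself
        mu, sigma = mean(past), pstdev(past)
        prev = values[i - 1]
        angle = 2 * math.pi * (hour % 24) / 24
        rows.append({
            "t": hour,
            "roll_mean": mu,
            "roll_std": sigma,
            "roll_max": max(past),
            "lag_1": prev,
            "lag_2": values[i - 2],
            "diff_1": x - prev,
            # percent change is undefined when x(t-1) == 0
            "pct_change": (x - prev) / prev if prev != 0 else None,
            "hod_sin": math.sin(angle),
            "hod_cos": math.cos(angle),
            # floor the std so a flat window cannot divide by zero
            "z": (x - mu) / max(sigma, min_std),
        })
    return rows

def flag(rows, z_thresh=4.0):
    # Hours whose rolling z-score exceeds the threshold.
    return [r["t"] for r in rows if abs(r["z"]) >= z_thresh]

def sample_series(hours=96, spike_at=80, spike=60.0):
    # Constructed data: a 24-hour sine cycle around 20 plus one injected spike.
    out = []
    for h in range(hours):
        v = 20.0 + 10.0 * math.sin(2 * math.pi * (h % 24) / 24)
        out.append((h, v + spike if h == spike_at else v))
    return out

if __name__ == "__main__":
    rows = build_features(sample_series())
    print("flagged hours:", flag(rows))
```

Because the window covers one full daily cycle and excludes the current point, the normal daily peak stays under the threshold while the injected spike does not. Rows with a `None` percent change need dropping or imputing before they go to a model.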
Summary
Time‑series anomaly detection is more about features than models. Strong rolling, lag, and seasonal features often outperform complex models with weak feature design.