How the MaxAlgorithm function works

The MaxAlgorithm function uses smoothed data over time to find the maximum value and calculate a baseline of "typical" data. By setting a high threshold based on this calculation, the number of false positives can be reduced. The agent generates alerts for extreme anomalies only.

The MaxAlgorithm function is best for data that has no limit on its maximum value, such as incoming network traffic.

Smoothing data

The MaxAlgorithm function uses the "simple moving average" algorithm to smooth data.

In general, data smoothing is the process of detecting and removing "noise" data, allowing important patterns to remain.

Because the simple moving average includes multiple datapoints in its calculation, a datapoint that is very different from the others has only limited influence on the result. In addition, at each subsequent measurement point the newest datapoint is added and the oldest is removed, so a short-term anomaly eventually drops out of the calculation.

For example, consider a simple moving average that is calculated based on five datapoints. If incoming traffic rates—measured in packets per second at regular intervals—are 10, 11, 100, 4 and 5:

  • The highest datapoint, 100, is very different from the other datapoints. However, the influence of that datapoint on the result is limited because the formula takes the average of five datapoints. In this case, the average is 26.

  • In addition, over time, the result will be a lower number if the additional datapoints are also lower.
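The five-datapoint example worked through in code. This is an added illustration, not code from the product that provides the MaxAlgorithm function; the sample rates are the constructed values from the text, and the function names are assumptions made for this example.

```python
from collections import deque

# Constructed sample: incoming traffic in packets per second at regular intervals.
SAMPLE_RATES = [10, 11, 100, 4, 5]


def simple_moving_average(values, window):
    """Average of the most recent `window` values (the simple moving average).

    Raises ValueError when fewer than `window` datapoints are available,
    because an average over a partial window would be misleading.
    """
    if len(values) < window:
        raise ValueError(f"need at least {window} datapoints, got {len(values)}")
    return sum(values[-window:]) / window


def smoothed_series(values, window):
    """Moving average at every measurement point once the window is full.

    A fixed-length deque holds the window: each new datapoint enters and the
    oldest leaves, so an outlier stops influencing the result after `window`
    further measurements.
    """
    buf = deque(maxlen=window)
    out = []
    for v in values:
        buf.append(v)
        if len(buf) == window:
            out.append(sum(buf) / window)
    return out


def raw_and_smoothed_peak(values, window):
    """Compare the peak of the raw data with the peak of the smoothed data.

    The smoothed peak is what a threshold would be based on; it is far
    lower than the raw spike, which is the point of smoothing.
    """
    return max(values), max(smoothed_series(values, window))


if __name__ == "__main__":
    print(simple_moving_average(SAMPLE_RATES, 5))        # 26.0
    # Append lower datapoints: the 100 drops out after five more measurements.
    later = SAMPLE_RATES + [6, 7, 8, 9, 10]
    print(smoothed_series(later, 5))                      # 26.0, 25.2, 24.4, 6.0, 7.0, 8.0
    print(raw_and_smoothed_peak(later, 5))                # (100, 26.0)
```

Running it shows the average of the five values is 26, and that as lower datapoints arrive the smoothed value falls to single digits once the 100 has left the window.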

Choosing a continuous learning window

The longer the learning window, the more datapoints that are collected, and the less influence a short-term fluctuation in data has on the result.

Consider the network traffic example. If the continuous learning window is 10 minutes, the new thresholds are calculated from the traffic observed during that time. If network traffic is low during that time, the Baseline function calculates the new thresholds from that low value. When the traffic increases, the traffic rate quickly exceeds the threshold and the agent generates an alert. If network traffic was unusually low during the learning period, a return to typical traffic levels can therefore result in an undesired alert (a false positive).
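A simulation of the learning-window effect described above, added here as an illustration rather than taken from the product's code. It assumes a threshold formula (the maximum smoothed value in the learning window, scaled by a margin factor) that the text does not spell out; the traffic series is constructed so that a quiet period is followed by a return to normal traffic and then a genuine spike.

```python
from collections import deque

# Constructed traffic in packets per second: 20 samples of typical traffic (100),
# 12 samples of unusually low traffic (20), a return to typical traffic, one
# genuine spike (500), then typical traffic again.
RATES = [100] * 20 + [20] * 12 + [100] * 5 + [500] + [100] * 3


def learn_threshold(smoothed, learning_window, margin):
    """Baseline = highest smoothed value in the last `learning_window` points.

    The alert threshold is that baseline scaled by `margin`. This formula is an
    assumption for the example; the agent's exact calculation is not described.
    """
    baseline = max(smoothed[-learning_window:])
    return baseline * margin


def simulate(rates, smoothing_window, learning_window, margin):
    """Return the indices at which the current rate exceeds the learned threshold.

    At each measurement point the threshold is learned from the smoothed
    history so far, the raw rate is tested against it, and only then is the
    new datapoint folded into the moving average.
    """
    buf = deque(maxlen=smoothing_window)
    smoothed = []
    alerts = []
    for i, rate in enumerate(rates):
        # No alerting until a full learning window of smoothed history exists.
        if len(smoothed) >= learning_window:
            if rate > learn_threshold(smoothed, learning_window, margin):
                alerts.append(i)
        buf.append(rate)
        if len(buf) == smoothing_window:
            smoothed.append(sum(buf) / smoothing_window)
    return alerts


if __name__ == "__main__":
    # Short learning window: the quiet period drags the baseline down, so the
    # return to typical traffic at index 32 is reported alongside the real spike.
    print(simulate(RATES, smoothing_window=3, learning_window=5, margin=1.5))   # [32, 33, 37]
    # Longer learning window: earlier typical traffic keeps the baseline up, so
    # only the genuine spike at index 37 is reported.
    print(simulate(RATES, smoothing_window=3, learning_window=25, margin=1.5))  # [37]
```

With a learning window of 5 samples the agent alerts twice on the return to normal traffic (false positives) and once on the spike; with a window of 25 samples, which still contains the earlier typical traffic, only the spike produces an alert.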