The 9 ML Anomaly Detection Methods ThresholdIQ Uses — Explained in Plain English
When you upload a spreadsheet to ThresholdIQ, nine separate machine learning methods run simultaneously across every column in your data. Each one is looking for a different type of problem. Some catch sudden spikes. Others find slow drift. One looks for sensors that have frozen. Another watches for two metrics that normally move together suddenly moving apart.
Most people don't need to know how any of this works — they just want the anomaly flagged. But if you've ever wondered "why did ThresholdIQ flag that?" or "what would it miss?", this guide is for you. Each method gets a plain-English explanation, a concrete worked example, and an honest summary of what it catches and what it doesn't.
- Multi-Window Z-Score — the primary severity driver
- EWMA Spike Detection — sudden event catcher
- SARIMA Seasonal Residuals — seasonality-aware detection
- Isolation Forest — multivariate outlier detection
- Correlation Deviation — correlated failure detection
- DBSCAN Cluster Noise — behavioural outlier detection
- Seasonal Baseline — time-of-day / day-of-week context
- Trend Detection — gradual drift early warning
- Stuck & Zero Detection — sensor failure & line halt
How the 9 methods work together: Each method runs independently and produces a score. ThresholdIQ fuses these scores using a weighted formula — multi-window Z-score drives the primary severity, and the other 8 methods can only boost severity, never reduce it. This means a false positive from one method can't override a clean result from the others — but genuine anomalies that multiple methods agree on escalate quickly to Critical or Emergency.
Multi-Window Z-Score
A Z-score answers one question: "How far is this value from normal, measured in standard deviations?" A Z-score of 0 means perfectly average. A Z-score of 3 means three standard deviations above average — unusual for any distribution. Most single-metric alert systems use one Z-score window. ThresholdIQ runs four windows in parallel: 50 points (short-term), 100 points (mid-term), 200 points (long-term), and 500 points (very long-term). Each window has its own rolling mean and standard deviation.
The number of windows simultaneously breached maps directly to severity level:
- W50 breach only → Warning
- W50 + W100 both breached → Critical
- W50 + W100 + W200 all breached → Emergency
| Day | Cash inflow | W50 Z-score | W100 Z-score | W200 Z-score | Result |
|---|---|---|---|---|---|
| Mon | $142k | 0.3 | 0.2 | 0.1 | Normal |
| Tue | $138k | -0.1 | -0.2 | -0.1 | Normal |
| Wed | $41k | 3.4 | 1.8 | 1.2 | ⚠️ Warning (W50 only) |
| Thu | $38k | 3.8 | 3.1 | 1.9 | 🟠 Critical (W50+W100) |
| Fri | $29k | 4.2 | 3.7 | 3.2 | 🔴 Emergency (all 3) |
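The ladder above as runnable Python, added here as an illustration rather than ThresholdIQ's own code. It assumes a breach means |z| at or above 3 and grades a constructed cash-inflow series; the W500 window is computed but, as on the page, does not change the grade.

```python
import statistics
from typing import List, Optional

WINDOWS = (50, 100, 200, 500)   # the four parallel windows the page describes
Z_THRESHOLD = 3.0               # assumed breach line: |z| >= 3 standard deviations

def window_zscore(series: List[float], idx: int, window: int) -> Optional[float]:
    """Z-score of series[idx] against the `window` points immediately before it.
    None means the window is not full yet (or its history is flat), so it cannot
    breach: a brand-new dataset should not fire on every window at once."""
    if idx - window < 0:
        return None
    hist = series[idx - window:idx]
    mean, sd = statistics.fmean(hist), statistics.pstdev(hist)
    if sd == 0:
        return None
    return (series[idx] - mean) / sd

def severity(series: List[float], idx: int, threshold: float = Z_THRESHOLD) -> str:
    """The page's ladder: W50 only -> Warning, W50+W100 -> Critical,
    W50+W100+W200 -> Emergency. W500 is computed but does not change the grade."""
    breached = {}
    for w in WINDOWS:
        z = window_zscore(series, idx, w)
        breached[w] = z is not None and abs(z) >= threshold
    if breached[50] and breached[100] and breached[200]:
        return "Emergency"
    if breached[50] and breached[100]:
        return "Critical"
    if breached[50]:
        return "Warning"
    return "Normal"

def constructed_cash_series(history_len: int, latest: float) -> List[float]:
    """Constructed sample: a steady ~$140k daily inflow with a small deterministic
    wobble (138..142), followed by one new reading `latest`."""
    return [140.0 + (i % 5) - 2 for i in range(history_len)] + [latest]

if __name__ == "__main__":
    # The same $41k drop graded with 60, 150 and 200 days of history behind it.
    for n in (60, 150, 200):
        s = constructed_cash_series(n, 41.0)
        print(n, "days of history ->", severity(s, len(s) - 1))
```

With only 60 days of history the $41k reading can breach W50 alone (Warning); the same reading with 200 days behind it breaches all three graded windows (Emergency).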
What it catches:
- Sudden large spikes or drops
- Sustained deviations that persist over time
- Values that are unusual at any time horizon
- Escalating anomalies (gets worse each period)
What it misses:
- Seasonal patterns (Sunday lows look anomalous)
- Gradual drift that's slow enough to shift the mean
- Multi-metric relationships between columns
EWMA Spike Detection
EWMA (Exponentially Weighted Moving Average) is a special kind of average that gives more weight to recent data and less weight to older data. It creates a smoothed trend line through your data. Anything that deviates sharply from that smooth line — a sudden spike or crash — gets flagged.
Think of it as the difference between the trend and the actual value. EWMA subtracts the smoothed trend from each actual reading. What's left (the residual) tells you what's unexpected. When the residual exceeds 3 standard deviations, EWMA fires.
| Date | Actual revenue | EWMA trend | Residual | Result |
|---|---|---|---|---|
| Mar 18 | $14,200 | $13,980 | +$220 | Normal |
| Mar 19 | $13,900 | $13,960 | -$60 | Normal |
| Mar 20 | $2,100 | $13,850 | -$11,750 | 🔴 Emergency spike |
| Mar 21 | $13,600 | $13,740 | -$140 | Normal (resolved) |
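An added Python sketch of the EWMA residual check, not ThresholdIQ's code. The smoothing factor (alpha = 0.1), the 10-point warm-up and the constructed revenue series are assumptions; the 3-SD rule is the page's.

```python
import statistics
from typing import List, Tuple

def ewma_residuals(series: List[float], alpha: float) -> List[Tuple[int, float, float]]:
    """(index, trend, residual) for every point after the first. The trend is the
    EWMA of the points *before* the current one, so a spike is measured against
    the smooth line rather than being blended into it first."""
    trend, out = series[0], []
    for i in range(1, len(series)):
        out.append((i, trend, series[i] - trend))
        trend = alpha * series[i] + (1 - alpha) * trend
    return out

def ewma_spikes(series: List[float], alpha: float = 0.1, sigma: float = 3.0,
                min_history: int = 10) -> List[Tuple[int, float, float]]:
    """Flag points whose residual exceeds `sigma` standard deviations of the
    residuals seen so far (the page's 3-SD rule). The residual scale is learned
    online, so nothing can fire until `min_history` residuals exist."""
    flagged, past = [], []
    for i, trend, r in ewma_residuals(series, alpha):
        if len(past) >= min_history:
            sd = statistics.pstdev(past)
            if sd > 0 and abs(r) > sigma * sd:
                flagged.append((i, round(trend, 2), round(r, 2)))
        past.append(r)
    return flagged

# Constructed daily revenue: 20 ordinary days wobbling between 13,850 and 14,150,
# a crash to 2,100 on day 20, then recovery to 13,600 on day 21.
DEMO_REVENUE = [14000 + 100 * ((i % 4) - 1.5) for i in range(20)] + [2100.0, 13600.0]

def spike_days(series: List[float] = DEMO_REVENUE) -> List[int]:
    """Indices EWMA fires on; for the constructed data only the crash day."""
    return [i for i, _, _ in ewma_spikes(series)]

if __name__ == "__main__":
    for day, trend, resid in ewma_spikes(DEMO_REVENUE):
        print(f"day {day}: trend {trend:,.0f}, residual {resid:+,.0f} -> spike")
```

The recovery day is not flagged: once the crash residual enters the history the residual spread widens, which is the "resolved" row in the table above.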
What it catches:
- Sudden single-period spikes or crashes
- Events that resolve quickly (transient anomalies)
- Instantaneous sensor readings far from trend
- Fast-reacting — fires within the same reporting period
What it misses:
- Gradual drift (the trend line adapts to drift)
- Sustained long-term deviations
- Patterns that emerge across multiple metrics
SARIMA Seasonal Residuals
SARIMA is a statistical forecasting model that understands seasonality — predictable patterns that repeat at regular intervals. It learns from your historical data: "Electricity usage is always high on Monday mornings. Revenue always dips on Sundays. Production throughput is always lower on night shifts." It builds a model of what your data should look like at any given time based on those patterns.
Once SARIMA has learned the seasonal model, it computes what it expected at each point, and compares that to what actually happened. The difference (the residual) is what gets analysed for anomalies. A Sunday revenue figure that looks low by absolute standards might be perfectly normal for a Sunday — SARIMA knows this and won't flag it.
| Date | Day | Actual GJ | SARIMA expected | Residual | Result |
|---|---|---|---|---|---|
| Jun 1 | Mon | 42.1 | 41.8 | +0.3 | Normal |
| Jun 7 | Sun | 31.4 | 32.1 | -0.7 | Normal (Sundays are always lower) |
| Jun 8 | Mon | 44.2 | 42.0 | +2.2 | Normal (slight winter increase) |
| Jun 9 | Tue | 29.3 | 41.9 | -12.6 | ⚠️ Warning (unexpected low) |
What it catches:
- Anomalies that break seasonal patterns
- Events that look normal in absolute terms but are wrong for the time period
- Day-of-week and hour-of-day deviations
What it misses:
- Anomalies that follow the seasonal pattern (a "seasonal" anomaly)
- Very short data histories (needs at least 2 full seasonal cycles)
- Multi-metric relationships
Isolation Forest
Isolation Forest is an unsupervised machine learning algorithm that works by trying to isolate each data point from the rest of the dataset using random cuts. Normal points — those that cluster with similar points — require many cuts to isolate because there are lots of similar points nearby. Anomalous points — those that are unusual — can be isolated in very few cuts because they're far from everything else.
Crucially, Isolation Forest looks at all your columns simultaneously. A reading might be within normal range on any single metric, but if the combination of values is unusual across three or four metrics together, Isolation Forest finds it. This is the key method for catching multi-metric anomalies that single-column monitoring would never detect.
| Shift | OEE % | Temp °C | Cycle time (s) | Reject % | Isolation score | Result |
|---|---|---|---|---|---|---|
| Day 1 | 87 | 68 | 42 | 1.2 | 0.42 | Normal |
| Day 2 | 86 | 69 | 43 | 1.4 | 0.40 | Normal |
| Day 3 | 83 | 74 | 47 | 2.1 | 0.71 | ⚠️ Warning (unusual combo) |
| Day 4 | 81 | 79 | 52 | 3.8 | 0.89 | 🔴 Emergency (globally isolated) |
What it catches:
- Multi-metric combinations that are globally unusual
- Anomalies that don't breach any individual threshold
- Patterns invisible to single-column analysis
What it misses:
- Anomalies in a single column where other columns are normal
- Seasonal patterns (doesn't account for time)
- Requires enough data to establish "normal" clusters
Correlation Deviation
Some metrics in your data are naturally correlated — they tend to move up and down together. Revenue and units sold. Power consumption and production output. Delivery volume and fuel cost. Correlation Deviation monitors these relationships over time. When two metrics that have historically moved together suddenly diverge — or when two metrics that normally move independently start moving in lockstep — that's flagged as an anomaly.
This method is particularly powerful for catching process failures that don't show up in any single column. If your OEE stays flat but your reject rate climbs, something has changed in the relationship between those metrics — even if neither column individually looks alarming.
| Week | Order volume | On-time % | Historical corr. | Deviation | Result |
|---|---|---|---|---|---|
| Week 1 | 240 units | 96% | Strong positive | None | Normal |
| Week 2 | 255 units | 94% | Strong positive | Slight | Normal |
| Week 3 | 270 units | 87% | Breaking down | Moderate | ⚠️ Warning — volume up, OTD dropping |
| Week 4 | 290 units | 74% | Inverted | Large | 🟠 Critical — relationship fully inverted |
What it catches:
- Correlated metrics that diverge unexpectedly
- Process changes that affect metric relationships
- Multi-metric failures invisible to single-column rules
What it misses:
- Single-metric anomalies where all correlations hold
- Very weak or noisy correlations in the data
- Newly added columns with no correlation history
DBSCAN Cluster Noise
DBSCAN (Density-Based Spatial Clustering of Applications with Noise) groups your data into clusters based on density — regions where data points are close together. Points that belong to a dense cluster are normal. Points that sit far from any cluster, in low-density regions of the data space, are labelled "noise" — and those noise points are anomalies.
Unlike methods that flag values outside a threshold, DBSCAN doesn't need to know in advance what "normal" looks like. It discovers the natural clusters in your data and then identifies what doesn't fit. This makes it excellent at catching systematic patterns that are unusual — like a specific product SKU that consistently returns at a different rate from all similar products, or a meter that always reads in a pattern no other meter produces.
| SKU | Return rate % | Avg review | Cluster | Result |
|---|---|---|---|---|
| SKU-001 | 3.2 | 4.3 | Normal cluster A | Normal |
| SKU-002 | 4.1 | 4.1 | Normal cluster A | Normal |
| SKU-003 | 3.8 | 4.4 | Normal cluster A | Normal |
| SKU-004 | 2.9 | 4.6 | Normal cluster B | Normal |
| SKU-005 | 3.1 | 4.5 | Normal cluster B | Normal |
| SKU-006 | 18.7 | 2.1 | No cluster (noise) | 🔴 Emergency — isolated outlier |
What it catches:
- Entities (SKUs, meters, suppliers) unlike any normal group
- Systematic defect patterns in quality data
- Reverse-wiring and meter tampering patterns
- No prior knowledge of "normal" required
What it misses:
- Time-series anomalies (DBSCAN ignores time order)
- Anomalies that cluster with other anomalies
- Sparse datasets with too few points per cluster
Seasonal Baseline
The Seasonal Baseline method builds a separate statistical profile for each time bucket in your data. For hourly data, it calculates a normal mean and standard deviation for each hour of the day and each day of the week independently — so "normal for 3am on a Sunday" and "normal for 3pm on a Tuesday" are tracked separately.
This is simpler than SARIMA (it doesn't build a full forecasting model) but it's very effective at eliminating false positives caused by predictable time-based patterns. Night-shift throughput, weekend call volumes, Monday morning order surges — all of these are learned as patterns specific to their time bucket and excluded from anomaly detection.
| Time | Day | Tickets | Baseline for this slot | Deviation | Result |
|---|---|---|---|---|---|
| 09:00 | Monday | 47 | Mon 9am avg: 44 (±8) | +3 | Normal |
| 09:00 | Sunday | 12 | Sun 9am avg: 14 (±4) | -2 | Normal (Sundays are always quiet) |
| 14:00 | Wednesday | 89 | Wed 2pm avg: 38 (±9) | +51 (>5σ) | ⚠️ Warning — far above Wed 2pm normal |
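An added example (not ThresholdIQ's code) of the per-bucket baseline: profiles keyed by (weekday, hour), a sigma-distance lookup, and a constructed ticket history with a quiet Sunday and busy weekday afternoons. The minimum-sample guard is an assumption.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Slot = Tuple[int, int]   # (weekday, hour) bucket; Monday = 0 .. Sunday = 6

def build_baseline(readings: List[Tuple[datetime, float]]) -> Dict[Slot, Tuple[float, float, int]]:
    """One independent (mean, sd, sample count) profile per weekday-and-hour bucket."""
    buckets = defaultdict(list)
    for ts, value in readings:
        buckets[(ts.weekday(), ts.hour)].append(value)
    return {slot: (statistics.fmean(v), statistics.pstdev(v), len(v))
            for slot, v in buckets.items()}

def slot_deviation(baseline: Dict[Slot, Tuple[float, float, int]], ts: datetime,
                   value: float, min_samples: int = 4) -> Optional[float]:
    """Distance of `value` from its own slot's normal, in sigma. None when the
    slot has too little history or zero spread: no verdict beats a fake one."""
    stats = baseline.get((ts.weekday(), ts.hour))
    if stats is None:
        return None
    mean, sd, n = stats
    if n < min_samples or sd == 0:
        return None
    return (value - mean) / sd

def constructed_tickets(weeks: int = 8) -> List[Tuple[datetime, float]]:
    """Constructed hourly ticket counts: ~44 in Mon-Sat office hours, ~20 at
    other Mon-Sat hours, ~14 all day Sunday, plus a deterministic -2..+2 wobble."""
    start = datetime(2024, 1, 1)   # a Monday
    out = []
    for h in range(weeks * 7 * 24):
        ts = start + timedelta(hours=h)
        if ts.weekday() == 6:
            base = 14
        elif 9 <= ts.hour < 17:
            base = 44
        else:
            base = 20
        out.append((ts, float(base + (h % 5) - 2)))
    return out

def demo_deviations(weeks: int = 8, min_samples: int = 4):
    """Score the table's two rows (Sun 09:00 = 12 tickets, Wed 14:00 = 89)."""
    bl = build_baseline(constructed_tickets(weeks))
    sunday = slot_deviation(bl, datetime(2024, 3, 10, 9), 12.0, min_samples)
    wednesday = slot_deviation(bl, datetime(2024, 3, 6, 14), 89.0, min_samples)
    return sunday, wednesday
```

Twelve tickets at 09:00 on a Sunday sits within about two sigma of that slot's own baseline, while 89 at 14:00 on a Wednesday is tens of sigma out; with fewer than four weeks of history the lookup declines to judge.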
What it catches:
- Values that are wrong for the time period even if typical overall
- Anomalies on predictably quiet periods (weekends, nights)
- Shift-specific deviations in manufacturing data
What it misses:
- Multi-week seasonal patterns (uses fixed day/hour buckets)
- Long-term trends (the baseline adapts slowly to drift)
- Multi-metric patterns
Trend Detection
Trend Detection compares the mean value across consecutive rolling windows of 50 data points each. If the mean is consistently moving in one direction — each window's average is higher (or lower) than the previous window's average, across three or more consecutive windows — a trend is flagged. This is monotonic drift: not a spike, not a step change, but a steady, persistent movement in one direction.
This is the method that gives you weeks of advance warning on bearing wear, budget overruns that build slowly, and supplier performance that's eroding imperceptibly. No single period looks alarming. The direction across periods is the signal.
| Window | Period | Window mean temp | Change from prev. | Trend status |
|---|---|---|---|---|
| W1 | Week 1 | 67.2°C | — | Baseline |
| W2 | Week 2 | 68.4°C | +1.2°C | Monitoring |
| W3 | Week 3 | 69.9°C | +1.5°C | ⚠️ Warning — 3rd consecutive rise |
| W4 | Week 4 | 71.8°C | +1.9°C | 🟠 Critical — accelerating upward trend |
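Trend detection over 50-point windows as an added Python example, not ThresholdIQ's code. The acceleration rule for Critical is an assumption taken from the table's fourth row; the bearing temperatures are constructed.

```python
import statistics
from typing import List, Optional, Tuple

WINDOW = 50     # page: consecutive rolling windows of 50 points each
MIN_RUN = 3     # page: three or more consecutive windows moving the same way

def window_means(series: List[float], window: int = WINDOW) -> List[float]:
    """Means of consecutive non-overlapping windows; a trailing partial window is dropped."""
    return [statistics.fmean(series[i:i + window])
            for i in range(0, len(series) - window + 1, window)]

def trend_status(series: List[float], window: int = WINDOW,
                 min_run: int = MIN_RUN) -> Tuple[str, Optional[str], int]:
    """(status, direction, run) at the latest window. `run` counts consecutive
    windows whose means move monotonically one way, ending at the latest one.
    Warning once run reaches `min_run`; Critical when the run is longer and
    the last step is bigger than the one before (an assumed reading of the
    table's 'accelerating' Critical row)."""
    means = window_means(series, window)
    steps = [cur - prev for prev, cur in zip(means, means[1:])]
    run, sign = 1, 0
    for s in steps:
        new_sign = (s > 0) - (s < 0)
        if new_sign != 0 and new_sign == sign:
            run += 1
        else:
            run, sign = (2 if new_sign else 1), new_sign
    direction = {1: "up", -1: "down", 0: None}[sign]
    if run < min_run:
        return "Normal", direction, run
    accelerating = run > min_run and len(steps) >= 2 and abs(steps[-1]) > abs(steps[-2])
    return ("Critical" if accelerating else "Warning"), direction, run

def constructed_series(weekly_means: List[float], window: int = WINDOW) -> List[float]:
    """Constructed bearing temperatures: each weekly mean held for one full window."""
    return [m for m in weekly_means for _ in range(window)]

if __name__ == "__main__":
    for weeks in (2, 3, 4):
        s = constructed_series([67.2, 68.4, 69.9, 71.8][:weeks])
        print(weeks, "weeks ->", trend_status(s))
```

An oscillating series (up, down, up) never builds a run longer than two windows and stays Normal, which is the "reversing trends" miss listed below.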
What it catches:
- Gradual drift that never triggers a single-point threshold
- Slowly accumulating budget or cost overruns
- Equipment wear and sensor calibration drift
- Performance erosion in supplier or sales data
What it misses:
- Sudden spikes (EWMA handles those)
- Oscillating or reversing trends
- Multi-metric anomalies
Stuck & Zero Detection
This is the most straightforward of the nine methods, but it catches some of the most expensive failures. It monitors for two specific patterns:
- Stuck values: The same number appearing repeatedly across a rolling window. A live sensor that outputs 47.3 for 20 consecutive readings isn't measuring anything — it's frozen. This indicates sensor failure, PLC communication loss, or a data pipeline that's stuck replaying stale data.
- Zero values: A metric that has been producing non-zero readings suddenly drops to exactly zero. This indicates a complete equipment stoppage, a service disconnection, a tracking pixel going offline, or a meter that has stopped registering.
Both patterns immediately escalate to Emergency severity — not Warning, not Critical. They indicate that your monitoring data is no longer trustworthy, which is worse than a bad reading. You can act on an anomalous reading. You can't act on data that secretly stopped updating.
| Reading # | Pressure (bar) | Status |
|---|---|---|
| R-001 | 142.3 | Normal |
| R-002 | 141.8 | Normal |
| R-003 | 143.1 | Normal |
| R-004 to R-024 | 143.1 (repeated 21×) | 🔴 Emergency — sensor frozen |
| Hour | Completions | Status |
|---|---|---|
| 14:00 | 47 | Normal |
| 15:00 | 52 | Normal |
| 16:00 | 0 | 🔴 Emergency — checkout dead |
| 17:00 | 0 | 🔴 Emergency — ongoing |
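Both checks as an added Python example (not ThresholdIQ's code): the 20-reading stuck rule is the page's, the three-reading non-zero precondition for the zero check is an assumption, and both sample logs are constructed.

```python
from typing import List, Optional

STUCK_RUN = 20   # page: 20 consecutive identical readings means a frozen sensor

def stuck_at(series: List[float], run: int = STUCK_RUN) -> Optional[int]:
    """Index of the latest reading if it completes `run` identical values in a
    row, else None. Exact equality is deliberate: a live sensor jitters; a frozen
    one, or a pipeline replaying a stale row, repeats to the last digit."""
    if len(series) < run:
        return None
    tail = series[-run:]
    return len(series) - 1 if all(v == tail[0] for v in tail) else None

def dropped_to_zero(series: List[float], history: int = 3) -> bool:
    """True while the metric sits at exactly 0 after `history` non-zero readings,
    so the alert stays raised for every hour of an ongoing stoppage. A series
    that was never non-zero does not qualify (the page lists planned, legitimate
    zeros as a miss, so context outside this check must handle those)."""
    end = len(series)
    while end > 0 and series[end - 1] == 0:
        end -= 1
    if end == len(series) or end < history:
        return False
    return all(v != 0 for v in series[end - history:end])

def stuck_zero_status(series: List[float]) -> str:
    """Both patterns go straight to Emergency, as the page states."""
    if dropped_to_zero(series):
        return "Emergency: metric dropped to zero"
    if stuck_at(series) is not None:
        return "Emergency: value stuck"
    return "Normal"

# Constructed pressure log: two live readings, then 143.1 repeated 22 times.
PRESSURE = [142.3, 141.8, 143.1] + [143.1] * 21
# Constructed hourly checkout completions: four healthy hours, then two dead ones.
COMPLETIONS = [41.0, 45.0, 47.0, 52.0, 0.0, 0.0]

if __name__ == "__main__":
    for name, s in (("pressure", PRESSURE), ("completions", COMPLETIONS)):
        print(name, "->", stuck_zero_status(s))
```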
What it catches:
- Sensor freeze and PLC communication failure
- Complete equipment or line stoppages
- Data pipeline failures serving stale data
- Tracking pixel and analytics disconnections
- Meter communication failures in utility data
What it misses:
- Partial failures (low values, not zero)
- Sensors that output random noise instead of zero
- Legitimate zero readings (planned shutdowns)
How all 9 methods combine into a single severity grade
Running nine separate detection methods is only useful if their results are combined intelligently. ThresholdIQ uses a score fusion formula that treats Multi-Window Z-Score as the primary driver, with the other eight methods acting as boosters:
```text
final_score = multiWindow_score + min(0.25, ml_composite × 0.25)

/* ML composite weights */
ml_composite =
    EWMA(0.12) + SARIMA(0.22) + IForest(0.20) +
    Correlation(0.12) + DBSCAN(0.06) +
    Seasonal(0.12) + Trend(0.10) + Stuck(0.06)
```
The key design principle: ML methods can only boost severity, never reduce it. If Multi-Window Z-Score says Warning, the combined ML composite can escalate it to Critical or Emergency, but it cannot declare it Normal. This prevents false negatives — genuine anomalies can't be overridden by other methods — while also preventing false positives from any single ML method firing alone.
Example of fusion in action: A meter reading fires a Warning from Multi-Window Z-Score (W50 breach). SARIMA flags it as unexpected for the time of day (+0.22 boost). Isolation Forest confirms it's a globally unusual reading (+0.20 boost). The combined ml_composite pushes the final score above the Critical threshold. The Warning automatically escalates to Critical — with the signals tab showing exactly which methods fired and why.
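The fusion formula as an added Python example, not ThresholdIQ's code. The page does not give the scale of multiWindow_score or the severity cut-offs, so the base score of 0.5 in the walk-through is a placeholder, and per-method scores are assumed to lie in [0, 1] (1.0 meaning the method fired).

```python
from typing import Dict, Tuple

# Booster weights exactly as the page lists them. They sum to 1.00, so the
# largest possible boost is min(0.25, 1.00 * 0.25) = 0.25.
ML_WEIGHTS: Dict[str, float] = {
    "EWMA": 0.12, "SARIMA": 0.22, "IForest": 0.20, "Correlation": 0.12,
    "DBSCAN": 0.06, "Seasonal": 0.12, "Trend": 0.10, "Stuck": 0.06,
}
BOOST_CAP = 0.25

def ml_composite(method_scores: Dict[str, float]) -> float:
    """Weighted sum of per-method scores (assumed 0..1 each). Out-of-range
    scores and unknown method names are rejected rather than silently clipped,
    so a misbehaving booster cannot quietly inflate or mute the grade."""
    total = 0.0
    for name, score in method_scores.items():
        if name not in ML_WEIGHTS:
            raise KeyError(f"unknown method {name!r}")
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"{name}: score {score} outside [0, 1]")
        total += ML_WEIGHTS[name] * score
    return total

def fuse(multiwindow_score: float, method_scores: Dict[str, float]) -> Tuple[float, float]:
    """The page's formula: final = multiWindow_score + min(0.25, composite * 0.25).
    Returns (final_score, boost). The boost is never negative, so the eight
    boosters can raise the Z-score grade but never lower it."""
    boost = min(BOOST_CAP, ml_composite(method_scores) * BOOST_CAP)
    return multiwindow_score + boost, boost

def boost_is_monotone(multiwindow_score: float, method_scores: Dict[str, float]) -> bool:
    """The property the page promises: final >= base and 0 <= boost <= cap."""
    final, boost = fuse(multiwindow_score, method_scores)
    return final >= multiwindow_score and 0.0 <= boost <= BOOST_CAP

if __name__ == "__main__":
    # The page's walk-through: SARIMA and Isolation Forest fire on a Warning
    # reading; 0.5 is a placeholder base score, not a value from the page.
    print(fuse(0.5, {"SARIMA": 1.0, "IForest": 1.0}))
```

With SARIMA and Isolation Forest fully fired the composite is 0.42 and the boost 0.105; even all eight boosters together cannot add more than 0.25 or subtract anything.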
Why nine methods and not just one?
Every single one of these methods has failure modes when used alone. Z-Score fires false positives on seasonal data. SARIMA can't catch sudden spikes on new datasets. Isolation Forest doesn't understand time. EWMA can't detect gradual drift. No single method finds everything — but nine methods running in parallel, with intelligent fusion, catch the anomalies that cost real money.
The table below shows which method catches which type of anomaly:
| Anomaly type | Best method(s) |
|---|---|
| Sudden single-period spike or crash | EWMA, Multi-Window Z-Score |
| Sustained deviation over many periods | Multi-Window Z-Score, Trend Detection |
| Seasonally unexpected value | SARIMA, Seasonal Baseline |
| Multi-metric combination anomaly | Isolation Forest, Correlation Deviation |
| Gradual drift over weeks | Trend Detection |
| Behavioural cluster outlier | DBSCAN |
| Sensor freeze / line halt | Stuck & Zero Detection |
| Any of the above, with time context | Seasonal Baseline + all others |
ThresholdIQ offers a 7-day unlimited trial with all 9 detection methods, unlimited file sizes, full signal breakdown (showing exactly which methods fired on each anomaly), CSV and PDF export, and email reports. No credit card required. All ML processing runs in your browser — your data never leaves your machine.