Anomaly Detection
Overview
Anomaly Detection flags unusual telecommunications behavior for individuals observed inside a defined geographic area. You draw one or more polygons on the map, set an analysis time range, and compare activity in that period against a historical baseline. Outputs include a results table of flagged individuals, summary statistics, and an entity tagging workflow for follow-up. The scoring is model-driven and requires analyst review before you treat results as risk or intent.
When to Use This Application
- You need to identify individuals whose presence or movement in an area stands out from historical patterns.
- You need to compare a specific event window against prior activity to surface changes in behavior.
- You need to triage large volumes of activity into a smaller set of high-risk candidates for follow-up.
- You need to tag flagged entities by risk level so other teams can review them in Octostar.
- You need map-based context to understand where and when anomalous activity occurs.
Before You Begin
- Ensure telecommunications activity data is already available in Octostar for the area and time range you want to investigate.
- Decide the analysis period (the window you want to evaluate) and the lookback period (the baseline window).
- Confirm you have access to the Workspace where you want to apply tags.
Step-by-Step Walkthrough
Step 1 — Define your area of interest
Draw one or more polygons on the map to define the geographic area you want to analyze.
- Select Draw Polygon.
- Click on the map to place polygon vertices.
- Double-click, or select Complete, to finish the polygon.
- Press Escape, or select Cancel, to abort drawing.
To remove all polygons and start over, select Clear Polygons. You can draw multiple polygons to cover several areas.
Step 2 — Configure your analysis
Use the left sidebar to configure the analysis.
Select detection algorithms
Select up to three algorithms. Each algorithm detects a different type of anomaly.
Set the analysis period
Set Time Range to define the analysis period. This window is the activity you want to evaluate for anomalies.
Set the historical baseline
For each selected algorithm, set Historical Lookback Period in days (1–90). This baseline defines what “normal” looks like for comparison.
Set minimum frequency threshold (frequency-based only)
If you use the frequency-based algorithm, set Minimum Frequency Threshold (2–100). This sets the minimum number of visits required for an area to count as historically significant.
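The sketch below is an added example, not Octostar's code. It shows how the Historical Lookback Period and Minimum Frequency Threshold together decide which areas count as historically significant. The scoring rule, the area names and the sample visits are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta

ANALYSIS_START = date(2024, 6, 1)  # constructed analysis-period start

# Constructed visit history for one identifier: (day, area). Not real data.
HISTORY = (
    [(ANALYSIS_START - timedelta(days=d), "home") for d in range(1, 61)]
    + [(ANALYSIS_START - timedelta(days=d), "office") for d in range(1, 61, 2)]
    + [(ANALYSIS_START - timedelta(days=d), "depot") for d in (40, 47, 54)]
)
# Constructed observations inside the analysis period.
OBSERVED = ["home", "depot", "depot", "office"]


def validate(lookback_days, min_frequency):
    """Reject values outside the ranges the sidebar accepts."""
    if not 1 <= lookback_days <= 90:
        raise ValueError("Historical Lookback Period must be 1-90 days")
    if not 2 <= min_frequency <= 100:
        raise ValueError("Minimum Frequency Threshold must be 2-100")


def significant_areas(history, analysis_start, lookback_days, min_frequency):
    """Areas visited at least min_frequency times inside the lookback window."""
    validate(lookback_days, min_frequency)
    window_start = analysis_start - timedelta(days=lookback_days)
    counts = Counter(
        area for day, area in history if window_start <= day < analysis_start
    )
    return {area for area, n in counts.items() if n >= min_frequency}


def frequency_score(observed, significant):
    """Assumed rule: share of observations outside significant areas (0 to 1)."""
    if not observed:
        return 0.0
    return sum(area not in significant for area in observed) / len(observed)


if __name__ == "__main__":
    for lookback in (7, 90):
        areas = significant_areas(HISTORY, ANALYSIS_START, lookback, 3)
        print(lookback, sorted(areas), frequency_score(OBSERVED, areas))
```

With a 7-day lookback the three older depot visits fall outside the baseline, so the same activity scores 0.5 instead of 0.0.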
Step 3 — Run the analysis
After you draw polygons and set parameters, select Run Analysis. The app shows a progress bar in the sidebar with status and completion percentage.
Step 4 — Review results, statistics, and the map
When analysis completes, the results panel populates and the map updates.
Review the results table
Open the Results tab to see flagged individuals. Scores range from 0 to 1:
- 0 indicates no anomaly.
- 1 indicates the highest anomaly level.
You can sort by any column and change page size to 20, 30, or 50.
Review summary statistics
Open the Statistics tab for an overview:
- Summary cards with counts (people, identifiers, call activity, online activity)
- Algorithm score cards (median, min, max per algorithm)
- Pie chart showing distribution across risk categories
- Histogram showing score distribution
Review map markers
After analysis, the map shows color-coded markers for detected positions. Hover over a marker to view a tooltip including:
- Owner name
- Identifier
- Coordinates
- Timestamp
- Anomaly score
Step 5 — Filter and refine results
Use filter controls in the sidebar to narrow results. Filters update the results table in real time. Clear a filter to return to the full results set.
Step 6 — Tag entities for follow-up
Use the Entity Tagging tab to apply tags to flagged individuals.
- In the Results table, select the rows you want to tag using the checkboxes.
- Open Entity Tagging.
- Select the Workspace where tags will be applied.
- Select an existing Tag Group or create a new one.
- Apply tagging. The app categorizes tags by risk level (High, Medium, Low) and shows a confirmation notification when complete.
Understanding the Output
Anomaly Detection produces outputs in the results panel and on the map.
- Anomaly score
- A normalized value from 0 to 1 that represents how unusual an individual’s activity is compared to the historical baseline.
- Combined score
- A weighted average across all active algorithm scores when you run multiple algorithms.
- Results table
- A list of flagged individuals with scores and risk categories. Use sorting and filters to prioritize follow-up.
- Statistics dashboard
- Summary counts and score distributions that help you validate whether the run produces a focused set of results or too many candidates.
- Map markers
- Spatial context for where anomalies occur. Use the tooltip to verify time and location before you draw conclusions.
Tips for Best Results
- Use multiple algorithms together to reduce false positives and improve combined scoring.
- Start with a longer Historical Lookback Period (for example 60–90 days) for a more stable baseline.
- Use the distance-based algorithm when you investigate individuals far outside their usual territory.
- Use “New Location” when you focus on entities new to the system.
- Apply filters before tagging so you tag only the most relevant candidates.
- Review map tooltips for time and coordinates before you treat a result as actionable.
Known Limitations
- Results depend on the quality and coverage of historical data. Short baselines reduce reliability.
- Risk categories summarize scores. They do not confirm intent or threat without supporting evidence.
- Multiple algorithms can produce different rankings. Use the combined score as a triage signal, not a conclusion.
- Polygons define scope. Incorrect polygon placement can include irrelevant activity or miss key positions.