How AIOps Transforms IT Monitoring with Dynamic Thresholds and Time‑Series Classification

ZTO Express, the first Chinese courier with annual volume over 300 billion, faces massive, high‑speed, multimodal monitoring data with low signal‑to‑noise, making traditional fixed‑threshold alerts insufficient.

AIOps (Artificial Intelligence for IT Operations) combines machine learning, data analysis and automation to improve IT operation management, enabling automatic anomaly detection, root‑cause analysis, fault discovery, localization and self‑healing.

The core AIOps technologies include data collection & analysis, anomaly detection & root‑cause analysis, fault discovery & localization, and automated fault remediation.

Metric Classification

Metric data shows diverse patterns such as periodicity, stability, trends, irregular fluctuations, peak and off‑peak periods, influenced by workdays, holidays and promotions.

Time‑series classification identifies these patterns to select appropriate detection algorithms. Common categories are periodic, stationary, trending, and random fluctuation series.

Figure 3 illustrates various metric time‑series types.

Dynamic Threshold

Dynamic thresholds adjust automatically based on historical data, reducing manual configuration and improving alarm accuracy.

n‑sigma Principle

For a normally distributed metric, values beyond μ ± 3σ occur with only 0.3 % probability and can be treated as anomalies.

Feature Engineering

Data smoothing to reduce noise.

Missing‑value handling (mean fill, interpolation).

Outlier handling for fault‑related labels.

Standardization to balance feature influence.

Baseline Prediction

Baseline models such as ARIMA, Exponential Smoothing, Prophet and LSTM are selected according to metric classification.

Baseline Calibration

Calibration adjusts baselines using historical feature values, considering workday/weekend differences and holiday or promotion effects.

Dynamic Threshold Calculation

Thresholds are computed from baseline and standard deviation:

Separate upper and lower sensitivity parameters and sliding windows handle different metric behaviors and drift.

Figure 5 shows typical anomaly patterns in metric data.

Figure 6 illustrates the dynamic‑threshold computation workflow.

Figure 7 demonstrates the effect of AI‑driven thresholds, showing more sensitive detection of sudden drops.

Field tests during major sales events (e.g., Double 11, 618) show that dynamic thresholds reduce false alarms, improve detection timeliness, and lower manual investigation effort.

Future work includes log‑level anomaly detection, root‑cause precision improvement, ChatGPT integration, and automated fault recovery.