How to Build a Full‑Chain Metric Anomaly Detection Framework for Business Operations

Background

As the life‑service business expands, metric complexity grows, monitoring dimensions increase, and indicator volatility becomes more sensitive to product changes. A full‑chain framework—"anomaly detection → attribution diagnosis → decision recommendation"—helps identify technical risks (data collection errors, calculation bugs) and real business signals (e.g., retention drop caused by a new feature).

1. Metric Anomaly Identification

1.1 Types of Anomalies

Absolute value anomaly : a data point deviates from the mean beyond a preset threshold.

Volatility anomaly : sudden large jumps or drops between adjacent points.

Trend anomaly : long‑term upward or downward drift hidden in the time series.

1.2 Detection Methods

1.2.1 Absolute Value Detection

3σ rule : simple but catches only extreme outliers (≈1% detection rate).

GESD test : iteratively computes extreme‑deviation statistics (R_i) and compares with critical values (λ_i) to flag one or more outliers in approximately normal data.

df['diff'] = y - y'
std = df['diff'].std()  # residual standard deviation
df['lower'] = df['EMA'] - 1.96 * std  # 95% confidence level (z≈1.96)
df['upper'] = df['EMA'] + 1.96 * std

1.2.2 IQR Method

An outlier is defined as x_i < Q1 - k·IQR or x_i > Q3 + k·IQR, where k is typically 1.5 or 3.

1.2.3 Volatility Detection

Methods include differencing, MBP (Maximum Bending Point) based on second‑order derivative and distance to a baseline, and trend‑based approaches.

MBP method steps :

Calculate volatility rate.

Compute second‑order derivative f''(x).

Construct a baseline line between the two ends of the series.

Measure vertical distance of each point to the baseline.

Select the point with the largest distance and significant second‑derivative change as the turning point.

1.2.4 Trend Anomaly Detection

Two families:

Mann‑Kendall test : non‑parametric rank‑based test for monotonic trends; significance if |Z| > 1.96 (α=0.05).

Prophet model : decomposes a series into trend g(t), seasonality s(t), holidays h(t), and error ε_t. Large deviations from the forecast (outside confidence intervals) signal anomalies.

2. Attribution Diagnosis

2.1 Attribution Levels

After detecting an anomaly, diagnosis can be split into three inference levels: deterministic (exact contribution), probabilistic (likelihood‑based), and speculative (hypothesis).

2.2 Attribution Methods

2.2.1 Deterministic – Contribution Decomposition

Metrics are broken down into additive or multiplicative components following MECE principles, allowing precise quantification of each part’s impact.

Additive/Subtract‑ive Decomposition : overall change = sum of sub‑metric changes.

Multiplicative Decomposition : uses logarithmic transformation to split products (e.g., conversion funnel: F = X × Y × Z).

2.2.2 Probabilistic – Machine Learning + SHAP

Train a regression model (e.g., XGBoost) on metric data, then apply SHAP to obtain per‑feature contributions for each prediction, revealing how each factor pushes the forecast up or down.

3. Practice – Enhanced Analytics Platform

The platform automates anomaly monitoring (rule‑based absolute detection, MBP, Prophet, Mann‑Kendall) and generates automatic attribution strategies. It supports both dimension‑level and metric‑level attribution, enabling rapid root‑cause identification for indicators such as “order‑abnormal count” or “net payment amount”.

Key challenges include threshold calibration, missing dimensions, and cross‑team coordination; solutions involve dynamic threshold tuning, human‑in‑the‑loop dimension enrichment, and unified metric definitions.

Since deployment, the platform monitors 14 core life‑service metrics with ~90% automation, providing day‑level and hour‑level anomaly detection and attribution, thereby reducing manual effort and fostering data‑driven operations.