Anomaly detection is the process of identifying nonconforming behaviour. Many approaches from machine learning to statistical methods exist to detect behaviour that deviate from its norm. These non-conformances of specifications can stem from failures in the system or undocumented changes of the system during its evolution. However, no generic solutions exist for classifying and identifying these non-conformances. In this paper, we present the CRI-Model (Cause, Reaction, Impact), which is a taxonomy based on a study of anomaly types in the literature, an analysis of system outages in major cloud companies and evolution scenarios which describe and implement changes in Cyber-Physical Production Systems. The goal of the taxonomy is to be usable for different objectives like discover gaps in the detection process, determine components most often affected by a particular anomaly type or describe system evolution. While the dimensions of the taxonomy are fixed, the categories can be adapted to different domains. We show and validate the applicability of the taxonomy to distributed cloud systems using a large data set of anomaly reports and cyber-physical production systems by categorizing common changes of an evolution benchmarking plant.
Anomaly Detection and Localization for Cyber-Physical Production Systems with Self-Organizing Maps
