Dual-Path Telemetry Anomaly Detection
- The paper introduces a dual-path architecture that decouples heterogeneous telemetry data to amplify relevant phenomena and suppress noise.
- It leverages complementary detectors—such as autoencoders and LSTM/TCN hybrids—to capture both slow drift and fast spike patterns in real-time signals.
- Empirical results show significant improvements in F1 scores, precision, and recall across diverse domains like manufacturing, vehicle telemetry, and network security.
A dual-path architecture for telemetry anomaly detection refers to a class of frameworks in which two distinct but complementary processing paths (or detectors) operate in parallel or in sequence on the same data stream or on correlated multisource telemetry, in order to improve the granularity, robustness, and interpretability of anomaly identification. These architectures are motivated by the heterogeneity of telemetry—including disparate physical signals (operational cycles vs. sensor streams), temporal scales (slow-varying drifts vs. fast spikes), operational contexts (normal vs. attack/fault conditions), or even feature types (flow-level vs. graph-derived features)—which challenges the detection capacity of conventional single-path statistical or deep learning models. By decoupling heterogeneous aspects of telemetry, dual-path systems can selectively amplify relevant phenomena, suppress irrelevant variance, and enable fine-grained classification or root-cause diagnosis. This article surveys leading dual-path designs and situates them with respect to methodology, theoretical properties, practical outcomes, and application domains.
1. Architectural Paradigms
Dual-path telemetry anomaly detection systems can be broadly grouped according to the semantic or structural distinction between their two paths. Approaches detailed in recent literature include:
- Two-Stage Deep Models for Heterogeneous Time Series: The T-DAD framework processes operation-cycle signals via an autoencoder in the first stage to generate sparse anomaly candidates, followed by high-frequency sensor signal analysis via a sliding-window LSTM-autoencoder to filter candidates and assert temporal-local anomalies. This sequential, type-divided pipeline addresses the differing regularities and information densities of manufacturing signals (Jeong et al., 2022).
- Slow/Fast Dynamics Separation: STREAM-VAE introduces a dual-path routing structure in its latent space: one path learns low-frequency, smooth "drift" representations (via exponential moving average and slow attention), the other encodes spike-like fast deviations (via high-pass filtering and fast attention). A gated decoder fuses both paths, yielding localized anomaly scores sensitive to both gradual and transient deviations in vehicle telemetry (Özer et al., 19 Nov 2025).
- Structure/Task Split Paths: DTAAD utilizes a dual temporal convolutional network (TCN) backbone feeding into a light Transformer fusion, with each path serving a different modeling principle: an autoregressive (AR) branch forecasts the next step for temporal pattern modeling, while an autoencoder (AE) branch reconstructs the current window to capture static anomalies. Feedback mechanisms and differentiated objective weighting enable cross-path amplification of subtle anomalies (Yu, 2023).
- Dual-Side Redundant Detection: In cyber-physical applications, dual-path refers to the deployment of parallel detection units at both the controller and the plant sides. Each detector monitors distinct telemetry and computes residuals that allow the discrimination between faults and integrity attacks, exploiting the fact that attacks designed to evade one detector are unlikely to evade both due to non-overlapping residual spaces (Xue et al., 15 Oct 2025).
- Dual-Objective Deep Models: In security telemetry, a dual-autoencoder system consists of one path (Anomaly Detector, AD) trained on benign flow+graph features, and another (Novelty Detector, ND) trained on known attack classes to capture previously unseen (zero-day) threats. The system serially applies these detectors for coarse anomaly screening followed by fine-grained novelty detection (Redino et al., 2022).
A summary of representative architectures:
| Dual-Path Principle | Domain | Primary Path 1 | Primary Path 2 |
|---|---|---|---|
| Heterogeneous type/timescale | Manufacturing | Operation-cycle AE | Sensor LSTM-AE |
| Drift/spike temporal separation | Vehicle telemetry | Drift (EMA+attention) | Spike (high-pass+attention) |
| Task specialization | Multivariate telemetry | AR-TCN | AE-Transformer |
| Redundant fault/attack viewpoint | Cyber-physical systems | Controller-side observer | Plant-side observer |
| Anomaly/novelty function | Network telemetry | Benign-trained AE (AD) | Attack-trained AE (ND) |
2. Data Processing and Signal Preparation
Dual-path architectures are generally motivated by, and engineered for, heterogeneity in telemetry characteristics. The effectiveness of such systems depends crucially on preprocessing and input pipeline design.
- Operation-Cycle/Sensor Splitting: T-DAD uses min–max normalization for both operation-cycle signals (irregularly logged at cycle completion) and high-rate sensor signals, with careful imputation and feature selection to handle missingness and low-variance channels. Sensor signals are windowed into overlapping segments (window size 180s, stride 60s), which feed the LSTM-autoencoder, permitting fine temporal localization (Jeong et al., 2022).
- Slow/Fast Path Feature Extraction: STREAM-VAE computes encoder features using Bi-LSTM, then forms smoothed (EMA) and high-pass filtered features to separate slow drift from fast spike components. These are projected into separate query/key/value sets for subsequent attention mechanisms (Özer et al., 19 Nov 2025).
- Graph-Feature Integration: In security contexts, telemetry is augmented by per-asset graph statistics (degree centrality, PageRank, etc.), which are concatenated with flow-based features. Dual-path systems can jointly process this enriched input (e.g., both autoencoders in Redino et al., 2022).
- Temporal Convolution and Multi-Scale Context: DTAAD leverages parallel TCN branches: a local branch for short-term dependencies (small dilation), and a global branch (exponentially dilated convolution) for long-range context. Transformer fusion then enables cross-temporal and cross-sensor correlations to be captured (Yu, 2023).
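The slow/fast separation described above, as an added example that is not code from STREAM-VAE or any of the cited papers. It is a simplification: it applies the EMA and a complementary high-pass (signal minus EMA, an assumed filter choice) to a raw scalar channel rather than to Bi-LSTM encoder features, and the signal, `alpha` and both thresholds are constructed values.

```python
def ema(xs, alpha):
    """Exponential moving average: the slow (drift) path."""
    out, m = [], xs[0]
    for x in xs:
        m = alpha * x + (1 - alpha) * m
        out.append(m)
    return out

def detect(xs, alpha=0.05, drift_thr=0.8, spike_thr=2.0, warmup=40):
    """Score one channel on two paths and on the raw signal for comparison.

    slow path : deviation of the EMA from a baseline learned on the warmup
    fast path : high-pass residual x - EMA(x)
    raw       : single-path baseline using spike_thr on the unfiltered signal
    """
    baseline = sum(xs[:warmup]) / warmup
    slow = ema(xs, alpha)
    fast = [x - s for x, s in zip(xs, slow)]
    idx = range(warmup, len(xs))
    return {
        "drift": [t for t in idx if abs(slow[t] - baseline) > drift_thr],
        "spike": [t for t in idx if abs(fast[t]) > spike_thr],
        "raw": [t for t in idx if abs(xs[t] - baseline) > spike_thr],
    }

def make_signal():
    """Constructed telemetry: flat at 10.0, one spike, then a slow ramp."""
    xs = [10.0] * 200
    xs[50] += 5.0                      # transient spike
    for t in range(120, 200):
        xs[t] += 0.02 * (t - 119)      # gradual drift, +1.6 by the end
    return xs

if __name__ == "__main__":
    r = detect(make_signal())
    print("spike path:", r["spike"])
    print("drift path: first alarm at", r["drift"][0], "last at", r["drift"][-1])
    print("raw single threshold:", r["raw"])
```

The raw single-threshold detector sees only the spike; lowering its threshold far enough to catch the ramp would flag both events without telling them apart, which is the separation the two paths provide.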
3. Path-Specific Model Components
Each path in a dual-path architecture is usually specialized for its input data or its modeling task:
- Autoencoder/MLP and LSTM-DAE: T-DAD's first path is a denoising autoencoder (3-layer MLP, regularized) applied to operation-cycle features, outputting candidate anomaly times. The second path, an LSTM-DAE (stacked LSTM with dropout), reconstructs high-frequency sensor windows and computes the maximum frame-level reconstruction error, ensuring temporal consistency (Jeong et al., 2022).
- Dual-Attentive VAE Encoder/Decoder: STREAM-VAE builds parallel slow and fast paths post-encoding, applying attention to slow (EMA) and fast (high-pass) features, then fusing via gated blending in the decoder. The architecture includes a mixture-of-experts mean estimator and soft-thresholded event-residual path for transient deviations. Regularization enforces sparsity (event residual), entropy (MoE), and KL-divergence control (Özer et al., 19 Nov 2025).
- Autoregressive and AE Heads: DTAAD’s branches jointly consume TCN-Transformer-encoded features. The AE decoder reconstructs the present, while the AR decoder performs a 1-step-ahead forecast, receiving the AE residual as a feedback input (cross-path feedback mechanism). Loss functions for each branch are combined, with task-balancing and meta-learning to adapt to rare-event settings (Yu, 2023).
- Redundant State Observers: In cyber-physical frameworks, both controller- and plant-side observers maintain dynamic state estimates and generate residuals. Residuals are monitored through test statistics, with thresholds optimized via multi-stage procedures balancing fault versus attack sensitivity (Xue et al., 15 Oct 2025).
- Dual Fully-Connected AE Blocks: For zero-day threat detection, each autoencoder is a symmetric, fully-connected stack, trained on different data distributions (benign vs. “known” attacks) and equipped with independently optimized output thresholds. Flow and graph features are processed identically in both paths (Redino et al., 2022).
4. Inference, Decision, and Thresholding Strategies
Dual-path anomaly detection relies on combining the outputs of separate models in either a serial or parallel decision-making protocol.
- Candidate Selection and Filtering: In T-DAD, Stage I yields timestamps with operation-cycle AE score exceeding . For each such candidate , Stage II computes the maximum LSTM-DAE score in a window ; only those where are retained. Pseudocode in (Jeong et al., 2022) formalizes this sequential filtering.
- Window-Based Statistical Scoring: STREAM-VAE computes the negative log-likelihood (NLL) of each window under the reconstructed Gaussian, and applies Peaks-Over-Threshold (POT) fitting to determine stable anomaly cutoffs. The separation between slow and fast components enhances the detection of both gradual and abrupt anomalies (Özer et al., 19 Nov 2025).
- Residual Aggregation and Feedback: DTAAD computes reconstruction (AE) and prediction (AR) errors for each dimension. Thresholds are dynamically determined via extreme value theory/POT on training residuals. Multi-head attention enables per-dimension diagnostic assessment (Yu, 2023).
- Joint Residual Analysis: In dual-side detection for control systems, decision logic is based on threshold crossing in one or both detectors:
- ⇒ fault;
- ⇒ integrity attack;
- ⇒ concurrent fault/attack;
- ⇒ no anomaly (Xue et al., 15 Oct 2025).
- Coarse-to-Fine AE Inference: In zero-day security detection, a sample whose residual exceeds the threshold of the first (benign-trained) AE triggers evaluation by the second (novelty-trained) AE. Only if both residuals exceed their respective thresholds is a zero-day declared (Redino et al., 2022).
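The sequential candidate filtering described for T-DAD in the list above, as an added example that is not the pseudocode from Jeong et al. The names `tau1`, `tau2` and `half_window`, the scores, and the separate handling of candidates with no sensor coverage are assumptions of this sketch.

```python
from bisect import bisect_left, bisect_right

def two_stage_filter(cycle_scores, sensor_scores, tau1, tau2, half_window):
    """Stage I picks candidates from the operation-cycle path; Stage II keeps a
    candidate only if the sensor-path score near it also exceeds its threshold.

    cycle_scores / sensor_scores: lists of (timestamp_s, score), sorted by time.
    tau1, tau2, half_window are hypothetical names for the two thresholds and
    the half-width of the confirmation window.
    """
    times = [t for t, _ in sensor_scores]
    result = {"confirmed": [], "rejected": [], "unverified": []}
    for t, score in cycle_scores:
        if score <= tau1:
            continue  # not a Stage I candidate
        lo = bisect_left(times, t - half_window)
        hi = bisect_right(times, t + half_window)
        window = [s for _, s in sensor_scores[lo:hi]]
        if not window:
            # No sensor telemetry covers this candidate. Surface it instead of
            # silently dropping it: a telemetry gap is not evidence of normality.
            result["unverified"].append(t)
        elif max(window) > tau2:
            result["confirmed"].append((t, max(window)))
        else:
            result["rejected"].append(t)
    return result

# Constructed sample scores (not from the paper).
CYCLE = [(100, 0.20), (400, 0.90), (900, 0.85), (1500, 0.30), (2100, 0.95)]
SENSOR = [(t, 0.7 if t in (360, 420) else 0.1) for t in range(0, 1801, 60)]

if __name__ == "__main__":
    print(two_stage_filter(CYCLE, SENSOR, tau1=0.8, tau2=0.5, half_window=90))
```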
5. Empirical Results and Performance Analysis
Dual-path architectures have demonstrated consistent improvement over single-path or monolithic baselines across domains.
- Industrial Manufacturing: T-DAD improves from 0.70 (single DAE) and 0.61–0.67 (DAGMM, USAD) to 0.77, with precision/recall of (0.71/0.84), emphasizing the benefit of Stage II filtering of spurious operation-cycle peaks (Jeong et al., 2022). Replacing either stage with alternate models (DAGMM, LSTM-VAE) still yields two-stage gains.
- Vehicle Telemetry: STREAM-VAE outperforms TFT-Residual, GDN, and other VAE and transformer baselines in Oracle PA-F1 (0.857 vs. 0.830 and 0.825) and AUC-PR (0.532 vs. 0.498), especially when evaluated at stable, automatically set thresholds (POT). Ablations confirm the necessity of the spike path and mixture-of-experts fusion for anomaly separability (Özer et al., 19 Nov 2025).
- Multivariate Time Series: DTAAD achieves a mean gain of +8.38% and 99% reduction in training time (ultra-light Transformer and minimal TCN) compared to prior state-of-the-art. Diagnostic metrics for root-cause identification based on residual ranking are also superior (Yu, 2023).
- Cyber-physical Systems: Dual residual detectors exhibit perfect discrimination in simulation studies (N=500), with detection delays halved relative to single-path detectors and controlled false-alarm rates. Single detectors detect only faults or only attacks; both are needed for full coverage (Xue et al., 15 Oct 2025).
- Network Telemetry Security: Dual-AE with graph features achieves AUC up to 0.99 on cross-network test sets, precision=0.96, recall=0.93. Single-path AE and classical ML baselines do not generalize to unseen attack classes or network domains (Redino et al., 2022).
6. Robustness, Adaptability, and Practical Considerations
Key operational advantages stem from dual-path design:
- Model Agnosticism: Performance benefits persist even with architectural substitutions in T-DAD’s stages or alternative regularization in other frameworks (Jeong et al., 2022).
- Threshold Sensitivity: Dual-path aggregation often reduces overall sensitivity to threshold variation, especially in the second stage. However, the primary stage threshold (e.g., in T-DAD) may still dominate fluctuations.
- Computational Efficiency: Lean designs (one-layer Transformer, shallow TCN) as in DTAAD, or fast-windowed scoring in STREAM-VAE, support low-latency inference suitable for real-time/embedded deployment.
- Cross-Domain Generalization: Asset graph features and staged novelty detection deliver near-perfect generalization in network security telemetry, while separate modeling of slow/fast and operational/sensor data is shown to be robust to changing process configurations.
- Optimization Strategies: Procedures for controller gain and residual-time constants (in dual-side detection) or for KL/entropy control (in deep generative models) further tune sensitivity-specificity trade-offs (Özer et al., 19 Nov 2025, Xue et al., 15 Oct 2025).
7. Limitations and Future Directions
Despite robust empirical advances, current dual-path frameworks exhibit certain limitations:
- Anomaly Diversity: Recall can degrade when the diversity of "novelty" classes exceeds the representational capacity of the secondary path (noted for ND in Redino et al., 2022).
- Complexity in Thresholding: Although dual-path systems can stabilize threshold selection, they sometimes require additional tuning or rare-event modeling (POT, EVT) to function optimally under shifting operation modes.
- Potential for Under- or Overfitting: Especially in ultra-light or shallow models (e.g., one-layer Transformer in DTAAD), model expressivity may bound ultimate anomaly detection granularity.
Future research directions include the integration of hierarchical or attention-enhanced novelty detectors in security, adaptive threshold retraining with continuous feedback, broader benchmarking in new application domains (e.g., supply-chain and lateral movement attack detection), and theoretical analysis of optimal residual partitioning in control-theoretic contexts (Xue et al., 15 Oct 2025, Redino et al., 2022).