Online Anomaly Detection Methods

Updated 18 December 2025

Online anomaly detection is a real-time method that identifies deviations in streaming data using sequential statistical tests and adaptive learning to handle concept drift and class imbalance.
Key approaches include sequential hypothesis testing with cumulative evidence scores and online learning algorithms that update model parameters continuously for robust anomaly flagging.
Practical implementations leverage efficient memory techniques, distributed architectures, and statistical controls like FDR to ensure scalability and accurate detection in dynamic environments.

Online anomaly detection is the real-time identification of deviations from expected patterns in sequentially arriving data, without relying on fixed training sets or static environments. It is a critical methodology for rapid response and system dependability in domains such as cloud computing, high-performance computing, time series monitoring, industrial vision, security, and streaming graph analysis. Online methods must function under concepts such as concept drift, class imbalance, unlabeled or limited labeled data, high dimensionality, and the potential for complex dependencies among features or temporal points. This survey synthesizes the key algorithmic foundations, model families, theoretical advances, and practical deployments as established in the research literature.

1. Algorithmic Paradigms and Theoretical Foundations

Two main classes define the backbone of online anomaly detection: sequential statistical testing and online machine learning.

Sequential hypothesis testing dates to CUSUM, where adapted log-likelihood or evidence statistics are recursively accumulated and a change is detected when a threshold is exceeded. In the absence of known null and alternative distributions, nonparametric evidence is substituted, as in Geometric Entropy Minimization (GEM) and its CUSUM-like generalization (ODIT) (Yilmaz, 2017, Mozaffari et al., 2019, Doshi et al., 2020). Algorithms of this style iteratively compute an anomaly evidence score $D_t$ , update a decision statistic $\Delta_t = \max\{0, \Delta_{t-1} + D_t\}$ , and declare anomalies when $\Delta_t \geq h$ .

Online learning algorithms—such as SEAD's stochastic gradient updates (Wang et al., 2021), OGMEAN's margin-based Perceptron (Maurya et al., 2015), or OML-AD's online ARIMA/SGD (Wette et al., 15 Sep 2024)—table predictions at each timestep, observe or partially observe the true feedback (sometimes delayed or selectively sampled), and adjust model parameters in a streaming fashion. Such learners may directly target anomaly metrics robust to class imbalance (e.g., Gmean), handle concept drift by lightweight, continuous updates, and operate under stringent time/memory constraints.

Both paradigms have been substantially extended to incorporate structure (e.g., graphs (Khoa et al., 2011, Bhatia, 2023)), high-dimensional dependencies (Liu et al., 2023), and control guarantees (FDR) (Krönert et al., 5 Feb 2024, Krönert et al., 2023, Shiraishi et al., 16 Oct 2025).

2. Core Model Families and Detection Principles

The spectrum of online anomaly detection models includes:

Linear/regularized classifiers: SEAD uses $\ell_1$ -regularized least-squares for binary or multi-class detection, with updates performed only on administrator-verified anomalies, maintaining model adaptability and sparsity (Wang et al., 2021).

Autoencoders: HPC systems, social video streams, and industrial vision recognize anomalies via reconstruction error of normal-only or self-training autoencoders, often with additional sparsity or contrastive memory to ensure robust discrimination in high-dimensional settings (Borghesi et al., 2019, Gao et al., 2023, He et al., 2023).

Forecasting residuals: Time series approaches such as OML-AD and SGP-Q declare anomalies when the sequential forecast error exceeds a dynamic or statistically-calibrated threshold (Wette et al., 15 Sep 2024, Fei et al., 2019). These may use online ARIMA, sparse Gaussian processes, or incremental adaptation of predictive intervals.

Graph-based metrics: Methods based on commute time distance (CTD) and sketched graph statistics allow O(1) detection of structural anomalies in evolving networks. Real-time CTD estimation (eigen-incremental or hitting-time based) and sketch-based subgraph anomaly search effectively identify both global and local outliers (Khoa et al., 2011, Bhatia, 2023).

Pairwise and interaction models: CMAnomaly builds a collaborative-machine architecture that explicitly models sparse pairwise temporal-feature dependencies, achieving state-of-the-art F1 in multivariate cloud monitoring (Liu et al., 2023).

Transfer learning and memory mechanisms: Online-adaptive vision models (LeMO, LTOAD, etc.) use pretrained feature backbones plus online-learned memory banks or concept modules for defect detection and localization, operating with few-shot normal data (Gao et al., 2023, Yang et al., 22 Jul 2025). EfficientNet+Mahalanobis fits, concept-weighted VQ-branching, and contrastive-memory are prominent mechanisms.

Statistical testing and FDR control: Procedures such as BKAD and adaptive online BH variants extend multiple hypothesis testing to streaming data, providing provable control over FDR with empirically validated calibration and active-set management (Krönert et al., 5 Feb 2024, Krönert et al., 2023, Shiraishi et al., 16 Oct 2025).

3. Handling Class Imbalance, Concept Drift, and Label Scarcity

Online settings are characterized by scarcity or absence of anomaly labels, shifting data distributions, and significant class imbalance.

Class-imbalance learning: OGMEAN maximizes the geometric mean of true-positive and true-negative rates by an online, margin-modified Perceptron update. The approach is consistently competitive with cost-sensitive and second-order online algorithms (Maurya et al., 2015).
Concept drift adaptation: OML-AD updates both time series model parameters and error thresholds online; SGP-Q detects distributional drift by comparing short- and long-term error/likelihood statistics using a Q-function, dynamically deciding between concept-drift adaptation and anomaly flagging (Wette et al., 15 Sep 2024, Fei et al., 2019). MemStream maintains a denoising autoencoder and a memory module, updating only for sufficiently typical points to prevent memory poisoning and to ensure responsiveness to evolving trends (Bhatia, 2023).
Selective/active labeling: SEAD and similar frameworks operate in a selective labeling regime, where only a small fraction (≈21%) of flagged anomalies are verified and included for retraining, greatly reducing operational labeling requirements (Wang et al., 2021).
Label-free local adaptation: Many image-based streaming detectors utilize similarity-restricted memory replay or online memory incremental learning, adjusting only the relevant codebooks or prototypes for recent, visually related data (Gao et al., 2023, Shete et al., 18 Jun 2024, Yang et al., 22 Jul 2025).

4. Computational Efficiency and Scalability

Resource constraints dictate the practicality of online anomaly detection in high-frequency and high-volume streams.

Sketching and O(1) streaming: Methods based on Count-Min Sketch or its higher-order variants enable constant-time, constant-memory scoring for graph edges, records, or multi-aspect facts (Bhatia, 2023). These methods provide explicit error bounds and scale to millions of updates per second.
Distributed and neuromorphic architectures: Neuromorphic wireless sensor networks with spike-based sensing allow IR-transmitted event streams to be analyzed in real time with e-value hypothesis testing and adaptive sensor scheduling, providing both energy efficiency and rigorous FDR control (Shiraishi et al., 16 Oct 2025).
Memory and learning schedule: In all frameworks, memory usage is strictly controlled (prototype bank size, memory module size, or number of support vectors). Online incremental updates or selective retraining are approached either by fixed online schedules, drift-based triggers, or as-needed according to real-time performance monitoring.

5. Evaluation Metrics, Laboratory Benchmarks, and Empirical Results

Accuracy metrics: The primary measures are sensitivity (Recall), specificity, Precision, F1, AUROC, and task-appropriate delay metrics (e.g., average detection latency post-anomaly).
Cloud dependability: SEAD reports average sensitivity ≈88.9% and specificity ≈94.6% on multi-type failure injection in cloud systems, with ROC-AUC stabilizing above 0.94 and only ≈21% of points needing human labeling (Wang et al., 2021).
Multivariate services: CMAnomaly achieves F1≈0.95 on public datasets and ≈0.92 on industrial cloud streams, with 10–20× reduction in runtime over recurrent/deep baselines (Liu et al., 2023).
Vision and industrial: For online/streaming defect or anomaly detection, LeMO and LTOAD reach image-level AUROC in the 0.94–0.99 range, outperforming both offline and other online methods across both balanced and long-tailed benchmarks (Gao et al., 2023, Yang et al., 22 Jul 2025).
Time series: OML-AD attains F1=0.95, AUC=0.988 on weather datasets—exceeding batch baseline retraining approaches at a fraction of the resource cost (Wette et al., 15 Sep 2024).
Streaming graphs: MIDAS and successors show 13–62% AUC gains and 100–100,000× reductions in latency versus prior art in streaming network anomaly detection (Bhatia, 2023).
False discovery control: BKAD and FDR-controlled frameworks demonstrate that asymptotic and empirically realized FDR rarely exceed target levels. Adaptations for drift and calibration minimize the false negative impact (Krönert et al., 5 Feb 2024, Krönert et al., 2023, Shiraishi et al., 16 Oct 2025).

6. Practical Implementations and Recommendations

Parameterization: Essential practitioner tunables include learning rate schedules, regularization weights (λ≈0.01...1), window/batch sizes (100s for best adaptation), and thresholds (selected via validation, cross-validation, or FDR tuning).
Software: Real-world deployments leverage lightweight, online-compatible libraries (River, TensorFlow on embedded devices), GPU-accelerated pipeline elements, and robust monitoring of deployed detectors for auto-retraining on detected drift (Wette et al., 15 Sep 2024, Liu et al., 2023, Borghesi et al., 2019).
Labeling and feedback: Incorporating expert feedback, even on a small fraction of flagged points, substantively enhances adaptive retraining and domain adaptation (Wang et al., 2021, Liu et al., 2023).
Adaptive models: Concept-weighted and memory-driven approaches provide robustness in highly dynamic or long-tailed class scenarios, while explicit buffer or prototype memory stabilization is effective at mitigating catastrophic forgetting (Yang et al., 22 Jul 2025, Gao et al., 2023).

7. Open Problems, Limitations, and Future Directions

Extension to multi-modal, large-scale, and structured data: Current research targets expansion from static vector or image data to video, 3D, and multi-modal sensor streams (Gao et al., 2023, Shete et al., 18 Jun 2024).
Automated calibration: Dynamic, statistically guaranteed selection of thresholds or FDR parameters remains an active area, including for high-dependence, non-i.i.d. settings (Krönert et al., 2023, Krönert et al., 5 Feb 2024).
Scalable memory and lifelong learning: Improving memory and update strategies for fully online, bufferless or coreset-based operation, and longitudinal adaptation in the presence of concept evolution or adversarial drift (Gao et al., 2023, Yang et al., 22 Jul 2025).
Integration of user feedback and human-in-the-loop systems: Combining automatic online detection with user validation, feedback loops, and integration into monitoring/control panels (Liu et al., 2023, Wang et al., 2021).
Theory in high-dimensional, structured, and temporally-correlated streams: Closing the gap between parametric and nonparametric optimality in more complex data environments remains a challenge (Yilmaz, 2017, Mozaffari et al., 2019).

Online anomaly detection unites statistical, algorithmic, and empirical innovations to match the demands of real-time, large-scale, and evolving applications. Recent work demonstrates that well-designed online learning and sequential testing procedures offer rigorous, provably efficient, and practically effective solutions across a broadening array of scientific and industrial domains.