Understanding SAM Anomaly Detection Results
Overview
SAM provides comprehensive anomaly detection outputs designed to support both technical analysis and strategic business decision-making. This guide explains how to interpret all metrics and visualizations and use them effectively for operational excellence and risk management.
Primary Outputs
1. Anomaly Data (CSV Export)
Standardized Multi-Column Format:
ID | Features | Anomaly_Score | Severity_Level | Algorithm_Consensus | Confidence_Score | Business_Impact | Root_Cause_Features | Investigation_Priority
Key Features:
- Anomaly Scores: Normalized scores (0-1) indicating deviation strength
- Severity Classification: Critical/High/Medium/Low categorization
- Algorithm Consensus: Agreement level across selected detection methods
- Business Context: Impact assessment and priority ranking
- Feature Attribution: Which variables contribute most to anomaly classification
2. Visual Analytics Suite
Interactive Dashboard Components:
- Business Overview Dashboard: Executive-level anomaly summary with KPIs
- Geographic Visualizations: Location-based anomaly mapping and clustering
- Feature Analysis Charts: Variable contribution and importance visualization
- Clustering Views: Anomaly pattern groupings and relationship analysis
- Temporal Analysis: Time-based anomaly patterns and trend identification
3. Executive Summary (PDF Report)
Multi-Page Professional Report:
- Executive Overview: High-level findings and business implications
- Priority Anomalies: Critical issues requiring immediate attention
- Visual Analytics: All charts and visualizations with business context
- Investigation Roadmap: Structured approach to anomaly follow-up
- Technical Appendix: Methodology and algorithm performance details
Understanding Anomaly Scores
Primary Scoring Metrics
Anomaly Score (0-1 Scale)
What it measures: Strength of deviation from normal patterns
- 0.9-1.0: Extreme anomaly - immediate investigation required
- 0.7-0.9: Strong anomaly - high priority for review
- 0.5-0.7: Moderate anomaly - schedule investigation
- 0.3-0.5: Mild anomaly - monitor and track trends
- 0.0-0.3: Normal range - no action typically required
Business Interpretation:
Example: Transaction Anomaly Score = 0.85
• Strong deviation from normal transaction patterns
• Requires priority investigation within 24 hours
• Potential fraud indicator with high confidence
• Expected investigation time: 2-4 hours
Confidence Score (0-100)
What it measures: Reliability of anomaly classification
- 90-100: Extremely reliable - act with confidence
- 70-89: Good reliability - appropriate for most decisions
- 50-69: Moderate reliability - use additional validation
- Below 50: Low reliability - gather more evidence before acting
Business Interpretation:
Confidence Score = 78%
• Good reliability for business decision-making
• Suitable for operational responses and investigation
• Consider additional data sources for critical decisions
• Risk level: Moderate - proceed with standard protocols
Severity Classification System
Critical Anomalies (Score > 0.9, High Confidence)
Business Response: Immediate action required within 2-4 hours
Typical Scenarios:
- Potential fraud transactions requiring immediate blocking
- Equipment failures requiring emergency maintenance
- Security breaches needing immediate containment
- Regulatory violations demanding urgent compliance action
High Priority Anomalies (Score 0.7-0.9, Moderate-High Confidence)
Business Response: Investigation required within 24 hours
Typical Scenarios:
- Suspicious customer behavior patterns
- Process deviations requiring quality review
- Market anomalies affecting pricing strategies
- Operational inefficiencies impacting performance
Medium Priority Anomalies (Score 0.5-0.7, Moderate Confidence)
Business Response: Schedule investigation within 3-5 days
Typical Scenarios:
- Customer behavior changes for relationship management
- Product performance variations for optimization
- Process improvement opportunities
- Market trend deviations for strategic planning
Low Priority Anomalies (Score 0.3-0.5, Variable Confidence)
Business Response: Monitor and track for patterns
Typical Scenarios:
- Minor customer preference shifts
- Seasonal adjustment indicators
- Process variation within acceptable ranges
- Market noise requiring trend confirmation
Business Intelligence Metrics
Impact Assessment Framework
Business Impact Score (1-10)
Calculation: Combination of severity, confidence, and business context
Interpretation Guidelines:
- 9-10: Critical business impact - executive attention required
- 7-8: High impact - senior management notification
- 5-6: Moderate impact - department-level response
- 3-4: Low impact - operational team monitoring
- 1-2: Minimal impact - automated tracking
Investigation Priority Ranking
Methodology: Multi-factor scoring combining:
- Anomaly severity and confidence levels
- Business impact assessment and cost implications
- Resource availability and investigation complexity
- Regulatory and compliance considerations
Priority Levels:
- P1 (Critical): Drop everything and investigate immediately
- P2 (High): Complete current task, then investigate
- P3 (Medium): Schedule within current sprint/week
- P4 (Low): Include in next planning cycle
Root Cause Analysis
Feature Contribution Analysis
What it shows: Which data features drive the anomaly classification
Business Use:
- Positive Contributors: Features that make the record more anomalous
- Negative Contributors: Features that make the record more normal
- Neutral Features: Variables with minimal impact on classification
Example Analysis:
Customer Transaction Anomaly:
• High Positive: Transaction Amount (+0.45), Time of Day (+0.32)
• Moderate Positive: Geographic Location (+0.18), Merchant Type (+0.12)
• Minimal Impact: Payment Method (+0.03), Day of Week (-0.01)
• Interpretation: Large late-night transaction in unusual location
Pattern Recognition Insights
- Similar Anomalies: Other records with comparable patterns
- Historical Context: How this anomaly compares to past occurrences
- Trend Analysis: Whether similar anomalies are increasing or decreasing
- Cluster Membership: Which group of anomalies this record belongs to
Advanced Analytics Visualizations
Business Dashboard Metrics
Anomaly Overview KPIs
- Total Anomalies Detected: Count and percentage of dataset
- Severity Distribution: Breakdown by Critical/High/Medium/Low
- Confidence Distribution: Reliability assessment across all detections
- Investigation Backlog: Current workload and capacity planning
Performance Indicators
- Detection Rate: Anomalies per unit of data processed
- False Positive Rate: Estimated incorrect classifications
- Investigation Resolution Time: Average time from detection to resolution
- Business Impact Prevented: Quantified value of anomaly detection
Geographic Visualization Insights
Location-Based Analysis
For Geographic Data:
- Anomaly Clusters: Geographic concentrations requiring regional investigation
- Spatial Patterns: Distance-based relationships between anomalous locations
- Regional Trends: Geographic-specific anomaly rates and characteristics
- Territory Risk Assessment: Area-based risk scoring for resource allocation
Business Applications:
- Fraud Prevention: Geographic fraud hotspots and travel pattern anomalies
- Supply Chain: Logistics anomalies and distribution center performance
- Retail: Store performance outliers and market penetration analysis
- Services: Service delivery anomalies and coverage optimization
Clustering Analysis Results
Anomaly Groupings
What it shows: How anomalies cluster into similar patterns
Business Value:
- Root Cause Identification: Common factors across anomaly clusters
- Resource Planning: Similar anomalies may require similar investigation approaches
- Pattern Evolution: How anomaly clusters change over time
- Prevention Strategy: Targeted interventions for specific anomaly types
Cluster Characteristics:
- Cluster Size: Number of anomalies in each group
- Cluster Density: How tightly grouped the anomalies are
- Cluster Separation: How distinct different anomaly types are
- Cluster Stability: How consistent groupings are across time
Algorithm Performance Analysis
Multi-Algorithm Consensus
Consensus Score Interpretation:
- High Consensus (80-100%): Multiple algorithms agree - high reliability
- Moderate Consensus (60-79%): Majority agreement - good reliability
- Low Consensus (40-59%): Split decisions - requires additional validation
Algorithm Contribution Table
Algorithm | Detection Rate | Confidence | Unique Detections | Best Use Case |
---|---|---|---|---|
Isolation Forest | 85% | High | 23% | Large mixed datasets |
One-Class SVM | 78% | Medium | 15% | Complex boundaries |
HDBSCAN | 82% | High | 31% | Clustered data |
Local Outlier Factor | 76% | High | 19% | Local anomalies |
Performance Metrics
- Precision: Percentage of identified anomalies that are truly anomalous
- Recall: Percentage of actual anomalies successfully detected
- F1-Score: Balance between precision and recall
- Processing Time: Speed performance for different data sizes
Actionable Intelligence
AI-Generated Insights
Executive Summaries
What you get: Business-focused analysis for each anomaly category:
- Pattern Description: Clear explanation of what makes the data anomalous
- Business Context: Why this anomaly matters for operations
- Risk Assessment: Potential impact and urgency level
- Recommended Actions: Specific next steps for investigation
Example Summary:
"Customer Account #A47291 shows critical transaction anomalies (Score: 0.94, Confidence: 89%). Five large transactions in 30 minutes outside normal geographic area. Pattern matches known fraud indicators. Immediate account freeze recommended pending verification."
Investigation Recommendations
Categories of Recommendations:
- Immediate Actions: Steps to take within 2-4 hours
- Short-term Investigation: Actions for next 24-48 hours
- Long-term Monitoring: Ongoing surveillance and pattern tracking
- Process Improvements: System changes to prevent similar anomalies
Business Context Integration
- Industry Benchmarks: How detected anomalies compare to industry standards
- Historical Baselines: Comparison to your organization's normal patterns
- Seasonal Adjustments: Accounting for expected periodic variations
- Regulatory Considerations: Compliance implications and reporting requirements
Interpreting Visual Analytics
Dashboard Navigation
Primary Views Available:
- Executive Summary: High-level overview with key metrics and trends
- Detailed Analysis: Drill-down capability for specific anomalies
- Comparative Analysis: Before/after comparisons and trend analysis
- Investigation Workspace: Tools for detailed anomaly investigation
Chart Types and Interpretations
Scatter Plot Analysis
- Axis Interpretation: Features plotted against anomaly scores
- Color Coding: Severity levels or algorithm consensus
- Clustering Patterns: Visual identification of anomaly groupings
- Outlier Identification: Extreme points requiring immediate attention
Heatmap Visualizations
- Intensity Levels: Color gradients showing anomaly concentration
- Pattern Recognition: Visual identification of anomaly hotspots
- Correlation Analysis: Relationship between features and anomaly scores
- Trend Identification: Temporal and spatial anomaly patterns
Network Analysis (When Applicable)
- Node Interpretation: Individual entities or transactions
- Edge Relationships: Connections between potentially related anomalies
- Cluster Identification: Groups of connected anomalous entities
- Central Node Analysis: Key entities involved in multiple anomalies
Quality Assurance & Validation
Result Reliability Indicators
Built-in Quality Checks:
- Data Quality Score: Input data quality assessment
- Algorithm Stability: Consistency across multiple runs
- Statistical Significance: Confidence in anomaly classifications
- Business Logic Validation: Alignment with domain knowledge
False Positive Management
Minimization Strategies:
- Ensemble Consensus: Multi-algorithm agreement reduces false positives
- Business Rule Integration: Domain knowledge filters unlikely anomalies
- Historical Validation: Comparison with known true/false positives
- Feedback Loop: Continuous improvement based on investigation outcomes
Continuous Improvement Metrics
- Detection Accuracy Trends: Improvement over time with feedback
- Investigation Efficiency: Time reduction in anomaly resolution
- Business Impact: Quantified value of successful anomaly detection
- User Satisfaction: Feedback on result quality and usefulness
Quick Reference Guide
Immediate Action Checklist
- Review Priority Anomalies: Check P1 and P2 classifications first
- Assess Confidence Levels: Focus on high-confidence detections
- Check Business Impact: Prioritize based on potential financial/operational impact
- Review Algorithm Consensus: Higher consensus = higher reliability
- Examine Feature Contributions: Understand what drives each anomaly
Red Flags to Watch
- High Severity + High Confidence: Requires immediate investigation
- Low Consensus Scores: May indicate data quality issues or edge cases
- Unusual Geographic Patterns: Potential fraud or operational issues
- Temporal Clustering: Multiple anomalies in short time period
- Critical Business Impact: Anomalies affecting core business functions
Investigation Workflow
- Triage: Sort by priority and confidence levels
- Context Gathering: Review business intelligence and root cause analysis
- Validation: Confirm anomalies through additional data sources
- Action: Implement appropriate business response
- Documentation: Record findings and outcomes for future improvement
- Follow-up: Monitor for pattern recurrence and prevention effectiveness
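The triage step above, together with the score, confidence and consensus bands from this guide, can be applied to the CSV export in a few lines. The following is an added example, not code from SAM: it assumes a comma-delimited export with numeric Confidence_Score and Algorithm_Consensus values (0-100), uses a constructed sample with a subset of the columns, and the function names and flag labels are hypothetical.

```python
import csv
import io

# Constructed sample rows; the comma-delimited layout is an assumption.
SAMPLE_CSV = """ID,Anomaly_Score,Severity_Level,Algorithm_Consensus,Confidence_Score,Investigation_Priority
T-001,0.94,Critical,92,89,P1
T-002,0.85,High,75,78,P2
T-003,0.95,Critical,45,40,P1
T-004,0.62,High,65,71,P2
T-005,0.41,Low,88,66,P4
"""

def severity_from_score(score):
    """Map a 0-1 anomaly score to the severity bands in this guide."""
    if score > 0.9:
        return "Critical"
    if score >= 0.7:
        return "High"
    if score >= 0.5:
        return "Medium"
    if score >= 0.3:
        return "Low"
    return "Normal"

def triage(csv_text):
    """Return rows ordered by priority, then confidence, with validation flags."""
    queue = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        confidence = float(row["Confidence_Score"])
        expected = severity_from_score(float(row["Anomaly_Score"]))
        flags = []
        if expected != row["Severity_Level"]:
            flags.append("severity_mismatch")   # export label disagrees with score band
        if confidence < 50:
            flags.append("low_confidence")      # gather more evidence before acting
        if float(row["Algorithm_Consensus"]) < 60:
            flags.append("low_consensus")       # split decision, validate further
        queue.append({"id": row["ID"], "priority": row["Investigation_Priority"],
                      "confidence": confidence, "expected_severity": expected,
                      "flags": flags})
    # P1 before P2 and so on; within a priority, highest confidence first.
    queue.sort(key=lambda r: (r["priority"], -r["confidence"]))
    return queue

if __name__ == "__main__":
    for item in triage(SAMPLE_CSV):
        print(item["id"], item["priority"], item["expected_severity"], item["flags"])
```

Row T-003 shows why score alone is not enough: it lands in the Critical band but carries both a low-confidence and a low-consensus flag, so it needs validation before any containment action.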