A time-series anomaly detector running in a data center is three pieces in a trench coat. A sliding window becomes a tensor. The tensor goes through a model that outputs a reconstruction or a forecast. A second pass compares that output to the real signal and flags anything too far off. Each piece has its own failure mode. A trend shift confuses a forecaster trained on stationary data; noisy training data pollutes a reconstruction model's idea of normal; a poorly chosen threshold floods the dashboard with false alarms.

The system

At its core, the system answers one question: does this slice of time look like what came before? The answer is never a simple yes or no. Instead, the model produces an anomaly score for each point or window, and a human—or an upstream rule—decides where to draw the line. Most deep-learning approaches fall into two camps. Forecasting-based models predict the next few time steps and scream when the actual values land far from the prediction. Reconstruction-based models compress a window into a latent representation, expand it back, and flag windows that do not survive the round trip. A recent survey groups architectures this way, noting that the choice between forecasting and reconstruction is often the first fork in the road.

Each layer

Sensor: the raw signal

Before any model sees the data, something physical—a thermocouple, a network interface counter, a sales database query—produces a number. That number carries its own failure modes. A stuck sensor reports the same value for hours; a resampled metric hides gaps where the collector crashed; a daylight-saving jump looks like a sudden spike. If these are not handled in preprocessing, the model will learn to treat them as normal. Garbage in, garbage out is not a cliché here; it is the first design decision.

Model: the learning core

Once the signal is windowed and normalized, it hits the model. Forecasting architectures often use recurrent networks or, more recently, transformers. Transformers drop the sequential bottleneck and let every time step attend to every other, which helps when anomalies span long contexts. One paper proposes an encoder-only transformer for unsupervised representation learning on multivariate time series, showing it outperforms earlier methods on classification and regression tasks. Reconstruction architectures lean on autoencoders, sometimes with convolutional or residual blocks. A ResNet-style encoder with skip connections can preserve fine-grained patterns that a vanilla convolutional stack might wash out, which matters when the anomaly is a subtle shape change rather than a magnitude spike.

A newer design, the auto-encoder with regression (AER), tries to get the best of both worlds. It couples a reconstruction loss with a regression head that predicts future values, then blends the two anomaly scores. The authors also introduce bidirectional scoring—running the model forward and backward over the window—to clean up start-of-sequence false positives. That is the kind of trick that only matters when you have stared at enough dashboards to hate the first few points of every alarm.

App: the decision layer

The model outputs a number; the app has to decide if that number means something. A static threshold works until the workload changes. Dynamic thresholds—percentile-based, adaptive—work until they adapt to the anomaly itself. Masking is a small but effective add-on: if the smoothing function produces a spike right at the edge of a sequence, the system can suppress it, because edge artifacts are rarely real incidents. The AER paper applies masking to every baseline and sees consistent improvement, which suggests that a lot of detectors are crying wolf at window boundaries.

Edge cases

The interesting problems live where the assumptions break. A forecasting model trained on midnight-to-6 a.m. traffic will lose its mind when a daytime batch job fires. A reconstruction model that sees only healthy machine vibrations will reconstruct a cracked bearing as if it were normal, because the crack is in the training data too. Multivariate series add a combinatorial twist: an anomaly might be visible only in the relationship between two signals, not in either alone. Distance-based methods that treat time series as vectors in a transformed space can catch these, but they require a similarity measure that respects time ordering—a detail easy to miss until the false-negative report lands on your desk.

What breaks

Start-of-sequence false positives are the most annoying failure mode, because they trigger every time the system boots or a window slides. Masking helps, but the root cause is often that the model has no left context and extrapolates from noise. Another breakage is concept drift: the world changes, the training data does not, and the anomaly detector slowly turns into a change detector. Retraining on a schedule is the common fix, but that schedule is itself a hyperparameter you can get wrong. Finally, adversarial silence—an attacker or a bug that keeps the signal inside normal bounds while doing harm—defeats any model that only looks at magnitude. Rate-of-change features or frequency-domain transforms can surface these, at the cost of more complexity and more knobs to tune.

None of this is magic. It is a pipeline of choices, each with a failure mode, and the best result is not zero false positives but a system whose failures you understand well enough to work around.