Real time detection of peaks of frequency of events

In a web application, I get a trigger every time an event occurs. I want to detect 'violent' frequency peaks, which probably translate into abnormal behaviour.

I can think of two naive ways of achieving that:

  • Fixed threshold - "If more than 500 events occur within a minute, sth's probably wrong". This method cannot handle smooth threshold breaches or steadily increasing traffic, unless the application can adjust the threshold periodically.

  • Window-related heuristic - Divide the window into N equal (?) intervals. While N>0, calculate the frequency of events that happened in [now-(N*interval_length), now]. Save it in a list. Decrease N by 1. Repeat. Detect list outliers. If there is an outlier larger than the mean frequency of [now-window_length, now], sth's probably wrong.

I'd like to know if there is instead a common/standard solution for this problem or if you can think of anything more efficient or elegant.

Thank you in advance.

EDIT -- Another suggestion

A friend of mine suggested aberrant behaviour detection with Holt-Winters forecasting. You can find more information about this methodology in the links below:

http://www.hpl.hp.com/news/events/csc/2005/jake_slides.pdf

http://www.usenix.org/events/lisa00/full_papers/brutlag/brutlag_html/

sawidis asked Nov 14 '22 18:11


1 Answer

I am not an expert. What I would do:

Let's say you keep only the last n results and x_n is the last sample (time difference from the previous event).

α_n x_n + α_{n-1}/2 x_{n-1} + ... + α_{1} 2^{-n} x_1 = T

If the difference T - T_{previous}, where T_{previous} is the previous value of T, surpasses a limit, do something.

If your values of x_i are binary, you can do nice tricks with shift and OR operations, if speed matters.

Dimitris Leventeas answered Dec 10 '22 14:12
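
The following is an added example, not code from either poster. It tracks two exponentially weighted averages of the inter-arrival gap: a fast one in the spirit of the answer's weighted sum, and a slow baseline that acts as the periodically adjusted threshold the question asks for. The class and function names, the smoothing factors, the 4x ratio, the warm-up length and the sample timestamps are all assumptions chosen for illustration.

```python
class PeakDetector:
    """Adaptive burst detector over event timestamps (in seconds)."""

    def __init__(self, fast=0.3, slow=0.02, ratio=4.0, warmup=30):
        self.fast_a, self.slow_a = fast, slow  # smoothing factors (assumed values)
        self.ratio = ratio      # alert when the recent rate is `ratio` x the baseline
        self.warmup = warmup    # gaps to learn from before alerting
        self.last = None        # timestamp of the previous event
        self.fast = self.slow = None
        self.gaps = 0

    def observe(self, ts):
        """Feed one event timestamp; return True if it is part of a peak."""
        if self.last is None:
            self.last = ts
            return False
        gap = max(0.0, ts - self.last)   # clamp out-of-order timestamps
        self.last = ts
        self.gaps += 1
        if self.fast is None:            # first gap seeds both averages
            self.fast = self.slow = gap
            return False
        # Recent behaviour: newest gap weighted most, older ones decay geometrically.
        self.fast += self.fast_a * (gap - self.fast)
        # Compare against the baseline as it stood before this event.
        peak = self.gaps > self.warmup and self.fast * self.ratio < self.slow
        # The baseline keeps adapting, so slow growth in traffic moves the threshold.
        self.slow += self.slow_a * (gap - self.slow)
        return peak


def find_peaks(timestamps, **kwargs):
    """Return the indices of events flagged as belonging to a peak."""
    det = PeakDetector(**kwargs)
    return [i for i, ts in enumerate(timestamps) if det.observe(ts)]


def sample_burst():
    """Constructed sample: 200 events 1 s apart, then 50 events 0.05 s apart."""
    steady = [float(i) for i in range(200)]
    return steady + [199.0 + 0.05 * j for j in range(1, 51)]


if __name__ == "__main__":
    print(find_peaks(sample_burst())[:3])
```

Memory use is constant per monitored stream, and the per-event work is a few multiplications, so `observe` can be called directly from the event trigger.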