Baseline Learning
m1nd includes a statistical anomaly detection system that learns normal behaviour and flags deviations automatically.
How It Works
The BaselineManager computes rolling statistics over the last 100 test runs for each metric. Every new result is compared against the established baseline.
Anomaly Detection Rules
A result is flagged as anomalous if any of these conditions are met:
| Rule | Condition | Example |
|---|---|---|
| 3-sigma | value > mean + 3 × stddev | RTT spike beyond normal variance |
| 200% deviation | value > mean × 2 | Latency suddenly doubles |
| Packet loss delta | loss exceeds baseline by 5%+ | 0% → 6% packet loss |
Return Value
python
{
"is_anomaly": True,
"anomaly_reason": "3-sigma: rtt_avg 245.3 > 89.2 + 3×42.1",
"baseline_mean": 89.2,
"baseline_stddev": 42.1,
"baseline_p95": 156.8,
"anomaly_metrics": ["rtt_avg"]
}Integrated Tests
Baseline learning is integrated with all synthetic monitoring test types:
- Ping — RTT average, min, max, packet loss
- DNS — Resolution time per nameserver
- Speedtest — Download/upload bandwidth
- IPsec — Tunnel probe latency
- SNMP — CPU, memory, port utilisation
Configuration
Thresholds are defined as constants in the baseline module:
| Parameter | Default | Description |
|---|---|---|
HISTORY_SIZE | 100 | Number of runs in rolling window |
STDDEV_MULTIPLIER | 3.0 | Sigma threshold for anomaly |
PERCENT_DEVIATION | 2.0 | Max deviation ratio (200%) |
PACKET_LOSS_DELTA | 5.0 | Packet loss increase threshold (%) |
Database
Baselines are stored in the SQLite baselines table:
(check_type, target, metric, mean, stddev, p95)Performance
- First computation: O(n) — processes the initial 100 data points
- Subsequent checks: O(1) — cached baseline values, instant comparison
- Minimum data: 10+ successful runs required before a baseline is established
TIP
If anomalies seem too sensitive or too lenient, adjust STDDEV_MULTIPLIER and PERCENT_DEVIATION in the baseline module constants.