3. Baseline methodology

Status: Stable
Version: 2.0.0
Last updated: 2026-01-31
Authors: OpenALBA Working Group

3.1 Baseline philosophy

A baseline represents the statistical model of “normal” behavior. Effective baselines must:

  1. Adapt to legitimate changes - Business growth, new features, seasonal patterns
  2. Resist manipulation - Attackers gradually shifting behavior should not poison baselines
  3. Handle cold starts - New entities need useful baselines quickly
  4. Account for periodicity - Daily, weekly, monthly patterns
  5. Maintain stability - Small fluctuations should not cause baseline drift

3.2 Baseline data structure

For each metric being profiled, implementations SHOULD maintain:

BaselineModel Structure (yaml)
BaselineModel:
  # Central tendency
  mean: float
  median: float

  # Dispersion
  standard_deviation: float
  median_absolute_deviation: float  # MAD - robust to outliers

  # Distribution shape
  q1: float                    # 25th percentile
  q3: float                    # 75th percentile
  p01: float                   # 1st percentile
  p99: float                   # 99th percentile

  # Seasonality (for metrics with patterns)
  hourly_factors: float[24]    # Hour-of-day multipliers
  daily_factors: float[7]      # Day-of-week multipliers

  # Metadata
  sample_count: integer
  last_updated: timestamp
  confidence: float            # 0.0 to 1.0

  # For categorical/set metrics
  value_frequencies: map<value, count>

3.3 Statistical methods

3.3.1 Rolling window statistics

For metrics without strong periodicity:

Rolling Window Algorithm (python)
Algorithm:
1. Collect observations over window (e.g., 14 days)
2. Calculate:
   - mean = sum(observations) / count
   - median = middle value when sorted
   - stddev = sqrt(sum((x - mean)²) / count)
   - MAD = median(|x - median|) for all x
   - q1, q3 = 25th and 75th percentiles
3. confidence = min(1.0, sample_count / desired_samples)

3.3.2 Exponential weighted moving average (EWMA)

For baselines that should weight recent data more heavily:

EWMA Formula (python)
Formula:
    EWMA(t) = α × value(t) + (1 - α) × EWMA(t-1)
    EWMA_variance(t) = α × (value(t) - EWMA(t))² + (1 - α) × EWMA_variance(t-1)

Where α (alpha) controls adaptation speed:
    α = 0.1: Slow adaptation, half-life ≈ 6.6 periods (resistant to manipulation)
    α = 0.3: Moderate adaptation, half-life ≈ 2.0 periods
    α = 0.5: Fast adaptation, half-life ≈ 1.0 periods

Recommended alpha by use case:
    User behavior: α = 0.1 (stable, manipulation-resistant)
    Service performance: α = 0.2
    Error rates: α = 0.3 (more responsive)
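An added example (not from the OpenALBA specification) of the EWMA mean and variance update above, together with the half-life each α implies; the step-change series is constructed.

```python
import math

def ewma_half_life(alpha):
    """Periods until a sample's weight halves: ln(0.5) / ln(1 - alpha)."""
    return math.log(0.5) / math.log(1.0 - alpha)

class EwmaBaseline:
    """Running EWMA mean and variance, updated on every observation."""

    def __init__(self, alpha, initial_value):
        self.alpha = alpha
        self.mean = float(initial_value)   # seed EWMA(0) with the first observation
        self.variance = 0.0                # EWMA_variance(0)

    def update(self, value):
        a = self.alpha
        self.mean = a * value + (1 - a) * self.mean
        self.variance = a * (value - self.mean) ** 2 + (1 - a) * self.variance
        return self.mean

    def deviation(self, value):
        """Standardized distance of a new value from the running baseline."""
        sd = math.sqrt(self.variance)
        return (value - self.mean) / sd if sd > 0 else 0.0

def final_mean(alpha, series):
    """Feed a whole series; return the EWMA after the last observation."""
    b = EwmaBaseline(alpha, series[0])
    for v in series[1:]:
        b.update(v)
    return b.mean

# Constructed series: ten periods at 100 requests/hour, then a step to 200.
STEP_SERIES = [100.0] * 10 + [200.0] * 10
```

With α = 0.1 the baseline has only moved to about 165 after ten periods at the new level, which is the manipulation resistance the table above describes.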

3.3.3 Seasonal decomposition (STL)

For metrics with daily/weekly patterns:

Seasonal Decomposition (python)
Model: Value = Trend + Seasonal + Residual

Algorithm:
1. Calculate trend as moving average (window = seasonal period)
2. Detrend: Y_detrended = Y - Trend
3. For each seasonal position (e.g., hour 0-23):
   Seasonal[position] = median(detrended values at that position)
4. Normalize: Seasonal = Seasonal - mean(Seasonal)
5. Residual = Y - Trend - Seasonal
6. Apply anomaly detection to Residual component

Usage:
    expected = baseline.mean × hourly_factors[hour] × daily_factors[dow]
    deviation = (observed - expected) / baseline.stddev
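The six-step additive decomposition above, implemented as an added example (not OpenALBA's code) and scored on the residual with the MAD-based z-score from 3.3.4; the hourly series, the centred moving-average trend and the clamping at the series edges are assumptions.

```python
from statistics import mean, median
import random

def moving_average(y, window):
    """Centred moving average; the window is clamped at the series edges."""
    half = window // 2
    return [mean(y[max(0, i - half):min(len(y), i + half + 1)]) for i in range(len(y))]

def seasonal_decompose(y, period=24):
    """Steps 1-5 of 3.3.3: return (trend, seasonal, residual) for the series y."""
    trend = moving_average(y, period)                              # 1. trend
    detrended = [v - t for v, t in zip(y, trend)]                   # 2. detrend
    buckets = [[] for _ in range(period)]
    for i, d in enumerate(detrended):                              # 3. per-position median
        buckets[i % period].append(d)
    profile = [median(b) if b else 0.0 for b in buckets]
    offset = mean(profile)                                         # 4. normalize
    profile = [s - offset for s in profile]
    seasonal = [profile[i % period] for i in range(len(y))]
    residual = [v - t - s for v, t, s in zip(y, trend, seasonal)]  # 5. residual
    return trend, seasonal, residual

def residual_scores(residual):
    """Step 6: robust z-score of each residual (sigma ~= 1.4826 * MAD)."""
    med = median(residual)
    sigma = 1.4826 * median([abs(r - med) for r in residual])
    return [(r - med) / sigma if sigma > 0 else 0.0 for r in residual]

def constructed_series(spike_at=3 * 24 + 14):
    """Seven days of hourly counts with a daytime plateau, jitter, and one spike."""
    rng = random.Random(7)                    # fixed seed keeps the sample reproducible
    daily = [10.0 if h < 8 or h >= 20 else 40.0 for h in range(24)]
    y = [v + rng.uniform(-3.0, 3.0) for v in daily * 7]
    y[spike_at] += 300.0                      # injected anomaly: day 4, hour 14
    return y

def top_anomaly(y, period=24):
    """Index and score of the most anomalous hour in y."""
    scores = residual_scores(seasonal_decompose(y, period)[2])
    idx = max(range(len(scores)), key=lambda i: abs(scores[i]))
    return idx, scores[idx]
```

The daytime plateau is absorbed into the seasonal component, so the 14:00 spike stands out in the residual while the ordinary 40-count afternoons do not.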

3.3.4 Robust statistics

To prevent anomalies from corrupting baselines:

Robust Statistics (python)
Trimmed Mean:
    Remove top/bottom 5-10% of observations before calculating mean
    More resistant to outliers than standard mean

Winsorized Statistics:
    Replace extreme values with boundary values:
    lower_bound = percentile(observations, 5)
    upper_bound = percentile(observations, 95)
    winsorized[i] = max(lower, min(upper, observations[i]))
    Calculate statistics on winsorized data

Median Absolute Deviation (MAD):
    More robust than standard deviation
    MAD = median(|x_i - median(X)|)
    For normal distribution: σ ≈ 1.4826 × MAD

Tip

Use winsorized statistics for baseline establishment and MAD-based deviation for anomaly scoring.
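The rolling-window statistics of 3.3.1 and the winsorized and MAD methods of 3.3.4, combined into one baseline builder that follows the Tip, as an added example (not OpenALBA's code). The nearest-rank percentile method, the 500-sample confidence target and the request-count sample are assumptions; the burst value is constructed.

```python
from dataclasses import dataclass
from statistics import mean, median, pstdev

def percentile(values, p):
    """Nearest-rank percentile; the spec does not fix a method, so this is an assumption."""
    s = sorted(values)
    return s[max(0, min(len(s) - 1, round(p / 100 * (len(s) - 1))))]

def winsorize(values, lower_p=5, upper_p=95):
    """Clamp extremes to the 5th/95th percentile boundaries (3.3.4)."""
    lo, hi = percentile(values, lower_p), percentile(values, upper_p)
    return [max(lo, min(hi, v)) for v in values]

@dataclass
class BaselineModel:
    mean: float
    median: float
    standard_deviation: float
    median_absolute_deviation: float
    q1: float
    q3: float
    p01: float
    p99: float
    sample_count: int
    confidence: float

def build_baseline(observations, desired_samples=500):
    """Establish the baseline on winsorized data, as the Tip recommends."""
    w = winsorize(observations)
    med = median(w)
    return BaselineModel(
        mean=mean(w), median=med, standard_deviation=pstdev(w),
        median_absolute_deviation=median([abs(x - med) for x in w]),
        q1=percentile(w, 25), q3=percentile(w, 75),
        p01=percentile(w, 1), p99=percentile(w, 99),
        sample_count=len(observations),
        confidence=min(1.0, len(observations) / desired_samples),
    )

def robust_deviation(baseline, observed):
    """Score against the baseline in MAD units: sigma ~= 1.4826 * MAD."""
    sigma = 1.4826 * baseline.median_absolute_deviation
    return (observed - baseline.median) / sigma if sigma > 0 else 0.0

# Constructed sample: 19 ordinary hourly request counts and one 5000-request burst.
SAMPLE = [100, 101, 99, 102, 98, 103, 97, 104, 96, 105,
          100, 101, 99, 102, 98, 103, 97, 104, 96, 5000]
BASELINE = build_baseline(SAMPLE)   # the burst is clamped to 105 before stats
```

Because the burst is clamped before the statistics are taken, it neither shifts the mean nor inflates the dispersion, yet it still scores far outside the baseline when re-evaluated against MAD.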

3.4 Machine learning methods

3.4.1 Isolation Forest

For multivariate behavioral profiling:

Isolation Forest Configuration (yaml)
Parameters:
  n_estimators: 100-200 trees
  max_samples: 256 (samples per tree)
  contamination: 0.01-0.05 (expected anomaly rate)

Training:
  features: [request_count, unique_endpoints, error_rate,
             avg_response_size, session_duration, ...]
  Normalize features to comparable scales
  Train on historical "normal" data

Scoring:
  raw_score = model.decision_function(observation)  # Range: [-1, 1]
  anomaly_score = (1 - raw_score) × 50  # Convert to [0, 100]

Update frequency: Retrain weekly

3.4.2 Autoencoder

For complex behavioral patterns:

Autoencoder Architecture (yaml)
Architecture:
  Input → Encoder → Bottleneck → Decoder → Reconstruction
  Example: 50 → 128 → 64 → 32 → 64 → 128 → 50

  Bottleneck forces compression of normal patterns
  Anomalies reconstruct poorly

Training:
  Train only on "normal" data
  Loss = Mean Squared Error between input and reconstruction

Anomaly Scoring:
  reconstruction_error = mean((input - output)²)
  threshold = percentile(validation_errors, 99)
  anomaly_score = min(100, (reconstruction_error / threshold) × 50)

3.5 Cold start handling

3.5.1 Confidence-weighted blending

When entity-specific data is insufficient:

Confidence-Weighted Blending (python)
Formula:
    confidence = min(1.0, entity_samples / required_samples)

    effective_baseline = confidence × entity_baseline +
                        (1 - confidence) × fallback_baseline

Fallback hierarchy:
    1. Peer group baseline (users with same role, services of same type)
    2. Population baseline (all entities of this type)
    3. Default baseline (conservative predefined values)

Example:
    New user, 3 days of data (108 samples)
    Required: 500 samples
    Confidence: 108/500 = 0.216

    effective_mean = 0.216 × user_mean + 0.784 × peer_mean

3.5.2 Progressive threshold adjustment

Widen thresholds when confidence is low:

Progressive Threshold Adjustment (python)
Formula:
    threshold_multiplier = 2.0 - confidence
    effective_threshold = base_threshold × threshold_multiplier

Example:
    Base threshold: 3.0 standard deviations
    Confidence: 0.3
    Multiplier: 2.0 - 0.3 = 1.7
    Effective threshold: 3.0 × 1.7 = 5.1 stddev

    As confidence increases to 0.9:
    Multiplier: 2.0 - 0.9 = 1.1
    Effective threshold: 3.0 × 1.1 = 3.3 stddev
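Confidence-weighted blending with the fallback hierarchy (3.5.1) and progressive threshold widening (3.5.2) combined into one cold-start decision, as an added example (not OpenALBA's code). It assumes the same blend applies to the standard deviation as to the mean; the `Stats` type, the sample values and the default-baseline placeholder are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Stats:
    mean: float
    stddev: float
    samples: int

def confidence(entity_samples, required_samples=500):
    return min(1.0, entity_samples / required_samples)

def pick_fallback(peer: Optional[Stats], population: Optional[Stats], default: Stats):
    """Fallback hierarchy: peer group, then population, then conservative default."""
    return peer or population or default

def blend(entity: Optional[Stats], fallback: Stats, required_samples=500):
    """Confidence-weighted blend of entity and fallback statistics (3.5.1)."""
    if entity is None:
        return fallback, 0.0
    c = confidence(entity.samples, required_samples)
    mean = c * entity.mean + (1 - c) * fallback.mean
    stddev = c * entity.stddev + (1 - c) * fallback.stddev   # assumption: blend dispersion too
    return Stats(mean, stddev, entity.samples), c

def effective_threshold(base_threshold, conf):
    """Progressive widening (3.5.2): multiplier = 2.0 - confidence."""
    return base_threshold * (2.0 - conf)

def evaluate(observed, entity, peer=None, population=None,
             default=Stats(0.0, 1.0, 0), base_threshold=3.0, required_samples=500):
    """Return (deviation, threshold, is_anomalous) for a possibly cold-started entity."""
    baseline, conf = blend(entity, pick_fallback(peer, population, default), required_samples)
    deviation = (observed - baseline.mean) / baseline.stddev if baseline.stddev > 0 else 0.0
    threshold = effective_threshold(base_threshold, conf)
    return deviation, threshold, abs(deviation) > threshold
```

For the new user from the example above (108 of 500 samples), an observation 3.45 blended standard deviations away stays below the widened 5.35 threshold, whereas at full confidence the same deviation would exceed the 3.0 base threshold.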

3.6 Baseline update strategy

Baseline Type | Update Frequency | Notes
EWMA statistics | Every observation | Continuous
Rolling statistics | Hourly | Balance freshness vs. computation
Seasonal factors | Daily | Patterns shift slowly
ML models | Weekly | Expensive to retrain
Peer groups | Weekly | Role changes infrequent

3.7 Conformance

Implementations claiming conformance:

  • MUST implement at least one statistical baseline method (rolling or EWMA)
  • SHOULD implement robust statistics (MAD or winsorized)
  • SHOULD implement cold start handling with confidence adjustment
  • MAY implement ML-based methods for enhanced detection

Note

Continue to Section 4: Anomaly Score Calculation for details on how anomaly scores are computed.