Automated Anomaly Detection

These models establish a baseline of normal activity using historical data and flag deviations beyond a defined threshold. Common approaches include:

• Z-score / Standard Deviation: Identifies outliers based on how many standard deviations a data point is from the mean.
• Interquartile Range (IQR): Flags data points that fall below Q1 - 1.5IQR or above Q3 + 1.5IQR.
• Moving Average: Detects sudden spikes or drops in metrics like transaction volume or gas price compared to a rolling average. These are foundational for detecting volume anomalies, fee spikes, or irregular transaction timing.

ML models learn complex patterns from data to detect sophisticated, non-linear anomalies.

• Isolation Forest: An ensemble method that isolates anomalies by randomly selecting features and split values, requiring fewer splits to isolate outliers.
• Autoencoders: Neural networks trained to reconstruct normal data; high reconstruction error indicates an anomaly. Effective for high-dimensional data like transaction graphs.
• Clustering (k-means, DBSCAN): Identifies data points that do not belong to any cluster or form very small, distant clusters, useful for spotting Sybil addresses or wash trading patterns. These models adapt to evolving attack vectors but require quality training data.

These systems use predefined logic and expert knowledge to flag specific suspicious patterns.

• Threshold Rules: Simple "if-then" logic (e.g., if tx.value > 10,000 ETH then flag).
• Temporal Pattern Rules: Detect sequences like rapid-fire transactions from a single address or cyclic arbitrage patterns.
• Graph-Based Heuristics: Identify structures associated with known threats, such as star topologies (one address funding many new wallets) or bipartite graphs indicative of mixing services. They provide high precision for known attack patterns but lack adaptability to novel threats.

Specialized for data indexed in time order, crucial for blockchain metrics.

• Seasonal-Trend Decomposition: Breaks data into trend, seasonal, and residual components; anomalies appear in the residual.
• Exponential Smoothing (ETS): Forecasts the next point; large forecast errors trigger alerts.
• Change Point Detection: Identifies abrupt shifts in the statistical properties of a time series, such as a sudden, sustained increase in failed transactions or contract deployments. This is essential for monitoring network health, throughput, and fee markets over time.

Combines multiple detection methods to improve accuracy and robustness.

• Voting Systems: An anomaly is flagged only if a majority of models (statistical, ML, rule-based) agree.
• Stacking: Uses predictions from multiple base models as input to a final "meta-model" for the final decision.
• Pipeline Architecture: Applies models sequentially; e.g., a rule-based filter first removes obvious noise, then an ML model analyzes the remaining data for subtle anomalies. Hybrid systems reduce false positives and can detect a broader range of anomaly types.

Analyzes the structure and dynamics of transaction networks to find suspicious subgraphs or node behaviors.

• Node/Edge Anomalies: Flags nodes with abnormally high degree (connections) or edges with anomalous weight (value).
• Community/Subgraph Detection: Identifies tightly-knit clusters that exhibit malicious behavior, like pump-and-dump groups or flash loan attack preparation networks.
• Dynamic Graph Analysis: Tracks how the network evolves, detecting sudden changes in connectivity or flow, which can signal an ongoing exploit or coordinated attack. This technique is fundamental for uncovering sophisticated, multi-address schemes.

The MemPool (Memory Pool) is a node's holding area for broadcasted but unconfirmed transactions. Monitoring it provides a real-time, pre-execution view of network activity, enabling:

• Detection of front-running or sandwich attack patterns before they land on-chain.
• Identification of sudden surges in transaction volume or gas bidding wars.
• Early warning for potential Denial-of-Service (DoS) attempts via transaction spam.

This involves tracking the evolving internal state of decentralized applications and core protocols. Key inputs include:

• Total Value Locked (TVL) fluctuations in DeFi protocols like Aave or Compound.
• Liquidity Pool ratios and reserves in Automated Market Makers (e.g., Uniswap).
• Collateralization ratios and liquidation thresholds in lending markets.
• Governance proposal states and voting patterns. Sudden changes can signal exploits or governance attacks.

Infrastructure-level data that reflects the health and performance of the blockchain itself. Anomalies here can indicate systemic issues. Critical metrics include:

• Peer Count and Network Hashrate/Power (for PoW chains).
• Block Production Times and Orphaned/Uncle Rate.
• Validator/Node Uptime and Slashing Events (for PoS chains).
• RPC Endpoint Latency and error rates, which can signal targeted node outages.

Not a raw data stream, but a critical processed input: historical baselines of normal behavior. Systems use this to define what constitutes an anomaly. This involves:

• Time-series analysis of past transaction volumes, gas fees, and protocol interactions.
• Address clustering to establish typical behavior for known entities (exchanges, whales).
• Machine learning models trained on historical attack signatures (e.g., flash loan attack patterns).

This EU regulation requires firms to monitor trading activity for market abuse, including insider trading and market manipulation. Automated surveillance systems analyze order books, trade executions, and communications for anomalies like:

• Spoofing or layering (placing orders to create false liquidity)
• Wash trading (trading with oneself to create artificial volume)
• Unusual trading patterns ahead of major announcements These systems generate alerts for compliance officers to investigate potential breaches.

Financial institutions must screen transactions against OFAC's Specially Designated Nationals (SDN) list. Automated systems perform real-time checks on transaction parties (names, addresses, wallet addresses in crypto) to detect potential matches. Anomaly detection flags:

• Transactions involving sanctioned jurisdictions
• Attempts to obfuscate the identity of a sanctioned entity
• Patterns of behavior designed to evade screening filters This is a critical component of Know Your Transaction (KYT) protocols.

The Basel Framework establishes international standards for bank risk management, including operational risk. BCBS 239 specifically addresses principles for effective risk data aggregation and reporting. Automated anomaly detection supports this by:

• Identifying data quality issues and inconsistencies in risk reports
• Detecting outliers in risk metrics that could indicate control failures or emerging risks
• Ensuring the integrity and accuracy of data used for capital calculation and stress testing.

GDPR's mandate for integrity and confidentiality (Article 5(1)(f)) and security of processing (Article 32) implicitly encourages automated monitoring. Anomaly detection systems help organizations:

• Detect data breaches by identifying unusual access or data exfiltration patterns
• Monitor for internal threats or unauthorized data processing activities
• Ensure the ongoing security of personal data, which is a core compliance requirement. Alerts must be investigated within strict notification timelines.