
Anomaly Detection Domain


Category: API Domains | Last Updated: Feb 9, 2026
Tags: api-domains, ai, compliance

Overview

A fraud analyst reviewing transaction records notices that one account's behaviour is unusual, but "unusual" is hard to define when you're looking at thousands of rows of data. The Anomaly Detection domain makes that definition precise. Each data point receives a normalised anomaly score based on how far it deviates from the learned density of normal behaviour. Transactions at the extreme end of the distribution surface automatically. The analyst reviews exceptions, not everything.

The domain provides machine learning-based outlier detection for identifying suspicious patterns and behavioural anomalies across multi-dimensional data streams. Density-based algorithms score incoming data in real time, flagging unusual activity in security events, transaction behaviours, and system metrics. Analysts can focus on what genuinely warrants investigation rather than wading through the full data volume.

Key Features

  • Density-Based Outlier Detection: Uses machine learning algorithms to identify data points that deviate significantly from normal patterns based on local density analysis.
  • Real-Time Behavioural Scoring: Assigns anomaly scores to incoming data in real time, enabling immediate identification of suspicious patterns.
  • Configurable Sensitivity: Adjustable contamination threshold controls the expected proportion of outliers, allowing tuning for different data characteristics.
  • Asynchronous Processing: Non-blocking analysis ensures that anomaly detection does not interrupt other platform operations.
  • Multi-Dimensional Analysis: Analyses data across multiple features simultaneously to detect complex anomalies that single-variable monitoring would miss.
  • Novelty Detection Mode: Trained models can score new, previously unseen data points to determine whether they fit established patterns.
  • In-Memory Efficiency: Operates without external database dependencies for detection, minimising latency and infrastructure overhead.
  • Confidence-Based Scoring: Provides normalised anomaly scores that indicate how unusual each data point is relative to the training population.
  • Privacy-Respecting Design: All data is processed transiently without persistent storage of source data, supporting compliance requirements.
  • Extensible Architecture: Designed to support additional detection algorithms including isolation forests, support vector methods, and neural network approaches.
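The page names the algorithm only as density-based scoring by local density analysis; the following is an added example, not the platform's own code, that implements that idea with a small Local Outlier Factor scorer over a constructed transaction sample. It shows the three tunables from the feature list working together: normalised scores, a contamination threshold that fixes the expected proportion of outliers, and a novelty mode that scores unseen points against the training density only, returning the human-oversight flag the page requires in each result.

```python
import math

# Constructed sample rows (amount z-score, transactions per hour): nine routine
# transactions plus one that sits far from the learned density.
TRAIN = [(1.0, 1.0), (1.1, 0.9), (0.9, 1.1), (1.2, 1.0), (1.0, 1.2),
         (0.8, 1.0), (1.0, 0.8), (1.1, 1.1), (0.9, 0.9), (9.0, 8.0)]

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def _knn(p, pool, k, exclude=-1):
    """k nearest (distance, index) pairs of p in pool, skipping index `exclude`."""
    return sorted((_dist(p, q), j) for j, q in enumerate(pool) if j != exclude)[:k]

class DensityDetector:
    """Local Outlier Factor: normalised scores, contamination threshold, novelty mode."""
    def __init__(self, k=3, contamination=0.1):
        self.k, self.contamination = k, contamination

    def fit(self, X):
        self.X = X
        nbrs = [_knn(p, X, self.k, exclude=i) for i, p in enumerate(X)]
        self.kdist = [nb[-1][0] for nb in nbrs]        # distance to k-th neighbour
        self.lrd = [self._lrd(nb) for nb in nbrs]      # local reachability density
        raw = [self._lof(nb, self.lrd[i]) for i, nb in enumerate(nbrs)]
        self.lo, self.hi = min(raw), max(raw)          # bounds for normalisation
        self.scores = [self._norm(r) for r in raw]
        # contamination = expected proportion of outliers in the training population
        n_out = max(1, math.ceil(self.contamination * len(X)))
        self.threshold = sorted(self.scores, reverse=True)[n_out - 1]
        return self.scores

    def _lrd(self, nbrs):                              # inverse mean reachability distance
        return self.k / max(sum(max(self.kdist[j], d) for d, j in nbrs), 1e-12)

    def _lof(self, nbrs, lrd_p):                       # neighbours' density / own density
        return sum(self.lrd[j] for _, j in nbrs) / (self.k * lrd_p)

    def _norm(self, raw):                              # clamp to [0, 1]
        return min(max((raw - self.lo) / max(self.hi - self.lo, 1e-12), 0.0), 1.0)
    def labels(self):                                  # 1 = flagged at the threshold
        return [int(s >= self.threshold) for s in self.scores]

    def score_novel(self, p):
        """Novelty mode: score an unseen point against the training density only."""
        nbrs = _knn(p, self.X, self.k)
        score = self._norm(self._lof(nbrs, self._lrd(nbrs)))
        # oversight flag mirrors the page's Article 14 rule: no autonomous action on a score
        return {"score": round(score, 4), "anomalous": score >= self.threshold,
                "human_oversight_required": True}
```

With contamination 0.1 on ten rows the threshold lands on the single highest training score, so only the far-off row is labelled; raising contamination to 0.2 would flag the two highest instead.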

Use Cases

Financial crime analysts detect suspicious behavioural patterns across authentication events, transaction flows, and network activity by running anomaly detection on multi-dimensional security data, surfacing accounts with genuinely unusual behaviour rather than rule-triggered false positives.

Risk engines incorporate anomaly scores as a factor in overall risk calculations, amplifying risk ratings when anomalous patterns are detected alongside other indicators such as sanctions matches or adverse media.

Law enforcement cyber units use anomaly scoring to surface unusual access patterns in insider threat investigations, identifying employees whose data access behaviour deviates from their established baseline.

Aviation intelligence teams detect suspicious aircraft behaviour: unusual loitering patterns, unexpected route deviations, and anomalous flight characteristics that fall outside the density of normal traffic for a given corridor.

Critical infrastructure security teams run anomaly detection on SCADA telemetry to identify sensor readings that deviate from operational norms, flagging potential tampering or equipment failure before it escalates to an incident.

Integration

The Anomaly domain feeds into the Risk Engine for composite risk scoring, the Alert System for anomaly-triggered notifications, and the AI Widgets service for dashboard insights. It also supports threat intelligence workflows by detecting anomalies in predictive threat patterns.

Open Standards

  • EU AI Act (Regulation (EU) 2024/1689): The service is classified as a HIGH-RISK AI system under Annex III 6(d)/(e); response payloads carry mandatory human-oversight flags in compliance with Article 5(1)(d) and Article 14, prohibiting autonomous enforcement actions based solely on anomaly scores.
  • GraphQL (June 2018 specification): All detection requests and result retrieval are exposed as typed GraphQL mutations and queries, enabling strongly-typed, self-documenting API interactions.
  • JSON Web Token (RFC 7519) and JSON Web Key (RFC 7517): Every GraphQL operation is authorised via RS256-signed JWTs verified against a JWKS endpoint, enforcing authenticated access to anomaly detection capabilities.
  • OAuth 2.0 (RFC 6749): Bearer token authorisation is enforced on all operations, with the platform acting as a resource server that validates tokens issued by the authorisation service.
  • JSON (RFC 8259): Anomaly scores, binary labels, and raw data points are serialised and persisted as JSON/JSONB throughout the detection pipeline and API response payloads.
  • RFC 4122 (UUID): Detection run identifiers and individual anomaly event identifiers are Version 4 UUIDs, ensuring globally unique, collision-resistant references across multi-tenant runs.
  • STIX 2.1 (OASIS CTI TC): Anomaly detection results feed into the Alert System, which exports flagged events as STIX 2.1 bundles for downstream threat intelligence and information-sharing workflows.

Last Reviewed: 2026-02-09 Last Updated: 2026-04-14
