Module 2 Assignment: Anomaly detection foundations
Scenario
You are advising a security operations center tuning AI-assisted detections before analyst rollout. The stakeholders are: SOC analyst, detection engineer, incident commander, and business system owner.
Task
Answer the module question: How can models detect unknown patterns?
Use the module lab and course readings to produce: a detection engineering packet with threat model, false-positive analysis, and triage workflow focused on anomaly detection foundations: Build a simple anomaly detector.
Required Evidence
Define the decision or system boundary in one paragraph.
Identify the dataset, proxy data, or evidence source you used: synthetic security telemetry with login velocity, data transfer volume, process rarity, and threat labels.
Compare at least two alternatives, baselines, policies, or designs.
Report one quantitative result or structured scoring table.
Explain two failure modes and one mitigation for each.
State what additional evidence would be required before real deployment.
Submission
Submit the completed notebook plus a 900-1200 word memo. The memo must include clear headings for context, method, evidence, risks, recommendation, and open questions.
```python
# Assignment workspace for Module 2: Anomaly detection foundations
module = 2
decision = "How can models detect unknown patterns?"
artifact = "detection engineering packet with threat model, false-positive analysis, and triage workflow focused on anomaly detection foundations: Build a simple anomaly detector."
alternatives = [
    {"option": "baseline_or_manual_process", "strength": "", "risk": "", "evidence": ""},
    {"option": "ai_assisted_or_advanced_option", "strength": "", "risk": "", "evidence": ""},
]
recommendation = {
    "decision": decision,
    "recommended_option": "",
    "minimum_evidence_before_pilot": [],
    "monitoring_metric": "",
    "rollback_trigger": "",
}
{"module": module, "artifact": artifact, "alternatives": alternatives, "recommendation": recommendation}
```
```text
{'module': 2,
 'artifact': 'detection engineering packet with threat model, false-positive analysis, and triage workflow focused on anomaly detection foundations: Build a simple anomaly detector.',
 'alternatives': [{'option': 'baseline_or_manual_process',
   'strength': '',
   'risk': '',
   'evidence': ''},
  {'option': 'ai_assisted_or_advanced_option',
   'strength': '',
   'risk': '',
   'evidence': ''}],
 'recommendation': {'decision': 'How can models detect unknown patterns?',
  'recommended_option': '',
  'minimum_evidence_before_pilot': [],
  'monitoring_metric': '',
  'rollback_trigger': ''}}
```
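The workspace above only records the packet's structure. As an added worked example (not part of the module lab or course materials), the block below builds the "simple anomaly detector" the task asks for and runs the two-alternative comparison and quantitative scoring the evidence list requires. It constructs its own synthetic telemetry with the four fields named in the brief (login velocity, data transfer volume, process rarity, threat labels); the normal value ranges, the threat scenarios, the z-score threshold `k=3.0`, and the static `mb_transferred > 1000` rule used as the manual-process baseline are all assumptions chosen for illustration. The detector is fitted on a baseline window assumed to be threat-free, which is itself a deployment assumption worth stating in the memo.

```python
import random
from statistics import mean, pstdev

# Constructed synthetic telemetry: one record per (user, hour). Field names
# follow the assignment brief; the value ranges below are assumptions.
FEATURES = ("login_velocity", "mb_transferred", "process_rarity")
NORMAL_RANGES = {
    "login_velocity": (1.0, 9.0),     # interactive logins per hour
    "mb_transferred": (10.0, 300.0),  # outbound MB per hour
    "process_rarity": (0.0, 0.3),     # 0 = common process, 1 = never seen in fleet
}


def make_normal_records(rng, n):
    """Benign records drawn uniformly from the assumed normal ranges."""
    return [
        {**{f: rng.uniform(*NORMAL_RANGES[f]) for f in FEATURES}, "threat": None}
        for _ in range(n)
    ]


def make_eval_window(rng):
    """Evaluation window: benign traffic plus four constructed, labelled threats."""
    records = make_normal_records(rng, 200)
    records += [
        {"login_velocity": 60.0, "mb_transferred": 50.0, "process_rarity": 0.10, "threat": "credential_stuffing"},
        {"login_velocity": 4.0, "mb_transferred": 5000.0, "process_rarity": 0.20, "threat": "bulk_exfil"},
        {"login_velocity": 3.0, "mb_transferred": 40.0, "process_rarity": 0.98, "threat": "novel_binary"},
        # Low-and-slow exfiltration: every feature stays inside its normal range,
        # so a per-feature outlier detector has nothing to see (failure mode).
        {"login_velocity": 8.0, "mb_transferred": 290.0, "process_rarity": 0.25, "threat": "low_slow_exfil"},
    ]
    rng.shuffle(records)
    return records


class ZScoreDetector:
    """Flags a record when any single feature lies more than k population
    standard deviations from the baseline mean. The baseline window is
    assumed clean; if it contains threats they become 'normal'."""

    def __init__(self, k=3.0):
        self.k = k
        self.stats = {}

    def fit(self, baseline):
        for f in FEATURES:
            vals = [r[f] for r in baseline]
            self.stats[f] = (mean(vals), pstdev(vals))
        return self

    def score(self, rec):
        return max(abs(rec[f] - mu) / sd for f, (mu, sd) in self.stats.items())

    def flag(self, rec):
        return self.score(rec) > self.k


def static_rule(rec):
    """Alternative 1 (baseline/manual process): a fixed volume threshold."""
    return rec["mb_transferred"] > 1000.0


def evaluate(flag_fn, records):
    """Confusion counts plus precision/recall; 'missed' lists false-negative labels."""
    tp = fp = fn = tn = 0
    missed = []
    for r in records:
        flagged, malicious = flag_fn(r), r["threat"] is not None
        if flagged and malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif malicious:
            fn += 1
            missed.append(r["threat"])
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": round(precision, 3), "recall": round(recall, 3),
            "missed": sorted(missed)}


def run_comparison(seed=7):
    """Scoring table for the two alternatives on the same evaluation window."""
    rng = random.Random(seed)
    baseline = make_normal_records(rng, 300)   # assumed threat-free fitting window
    window = make_eval_window(rng)
    detector = ZScoreDetector(k=3.0).fit(baseline)
    return {"zscore_detector": evaluate(detector.flag, window),
            "static_rule": evaluate(static_rule, window)}


if __name__ == "__main__":
    for name, result in run_comparison().items():
        print(f"{name:16s} {result}")
```

The output is the kind of structured scoring table the evidence list asks for: the z-score detector catches the three single-feature outliers with no false positives, while the static rule catches only the bulk transfer. Both miss the low-and-slow record, which is the point to carry into the failure-mode discussion: a per-feature outlier score cannot see a threat that is only unusual in combination, and a detector fitted on a contaminated baseline will learn the attacker's behaviour as normal. Because the benign data here is uniform and bounded, the zero-false-positive result is a property of the synthetic data, not a claim about real telemetry; that is exactly the proxy-data limit the acceptance criteria require you to state.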
Acceptance Criteria
Your submission is complete only if another reviewer can reproduce your reasoning from the evidence you provide. You do not need production-grade data, but you must be explicit about proxy-data limits and what would change with real institutional data.