Deep Dive

Anatomy of an Anomaly.

No single signal is enough. A price spike could be news. A volume surge could be an ETF rebalance. But when 4 signals fire together — that's a pattern worth investigating.

Detection Time: 65ms

The Problem

One Signal Lies. Many Signals Converge.

Each signal alone has a plausible innocent explanation. The question is not whether any single metric is abnormal — it is whether multiple weak signals fire simultaneously on the same instrument in the same time window.

  • Price Spike (>5% in 30 min). Innocent cause: earnings release, news. High false positive.
  • Volume Surge (>3× rolling avg). Innocent cause: index rebalance, block trade. High false positive.
  • Buy Aggressor Dominance (>70% buy-side). Innocent cause: institutional accumulation. Medium false positive.
  • Shrinking Trade Size (consecutive decline). Innocent cause: normal intraday pattern. Medium false positive.
  • Spread Stability (tight spread during run-up). Innocent cause: low liquidity stock. Low signal alone.
  • Price Reversal (sharp reversal after peak). Innocent cause: normal profit-taking. Only meaningful after pump.

"Each signal is a weak classifier. But when a stock shows abnormal return AND volume surge AND buy-side dominance AND shrinking trade size — the probability of manipulation compounds."

The Method

Multi-Signal Scoring

Combine weak signals. Score the convergence. Rank by confidence.

  • Raw input: 10.4M Trades
  • Signal 1: 847 flagged
  • Signal 2: 1,203 flagged
  • Signal 3: 2,891 flagged
  • Signal 4: 412 flagged
  • Composite Scorer: Join & rank
  • 214 Alerts: Score ≥ 2

# Pseudocode — multi-signal anomaly detection
detector = MultiSignalDetector(data_path)
alerts = detector.detect(date)
# Score 1: noise (ignored)
# Score 2: worth investigating
# Score 3: high confidence
# Score 4: near-certain

[Chart: Alert Score Distribution — 214 Alerts]

The Evidence

The Top Alert: +28.6% Return, Score 4

A 25-minute window. Four signals. One story.

Multi-Signal View — Price, Volume, Aggressor Ratio, Trade Size
  • Price return +28.6% (threshold: 5%)
  • Volume 20.4× average (threshold: 3×)
  • Buy aggressor 97.7% (threshold: 70%)
  • Trade size declining 3 consecutive windows
  • Composite Score: 4 / 6
Detected in 65ms across all ~4,500 instruments

This is a flagged anomaly detected by the scoring engine — not investment advice.

"All detection results are from real production market data — 10.4 million trades from the Stock Exchange of Thailand. Detection parameters applied uniformly across all ~4,500 instruments."

Under the Hood

Each Signal is a Query. The Scoring is a Join.

Four signals, four queries, one composite score. All standard SQL — no proprietary extensions.

Signal 1: Price Return — 847 flagged

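-- 30-minute return per instrument; window_start is the bucket the rows are grouped by
SELECT instrument,
  time_bucket('30 min', trade_time) AS window_start,
  (last_value(price) - first_value(price))
    / first_value(price) * 100 AS return_pct
FROM trades
WHERE trade_date = '2025-01-02'
GROUP BY instrument,
  time_bucket('30 min', trade_time)
HAVING return_pct > 5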

Signal 2: Volume Surge — 1,203 flagged

-- Window volume against the instrument's baseline; flag windows above 3×
SELECT instrument,
  time_bucket('30 min', trade_time) AS window_start,
  sum(quantity) AS window_vol,
  avg(daily_avg_vol) AS baseline
FROM trades
JOIN daily_stats USING (instrument)
GROUP BY instrument,
  time_bucket('30 min', trade_time)
HAVING window_vol > baseline * 3

Signal 3: Aggressor Imbalance — 2,891 flagged

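-- Share of volume initiated by buyers; * 1.0 avoids integer division on integer quantities
SELECT instrument,
  time_bucket('30 min', trade_time) AS window_start,
  sum(CASE WHEN side = 'buy'
    THEN quantity ELSE 0 END) * 1.0
    / sum(quantity) AS buy_ratio
FROM trades
GROUP BY instrument,
  time_bucket('30 min', trade_time)
HAVING buy_ratio > 0.70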

Signal 4: Trade Size Decline — 412 flagged

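-- Per-window average size, the previous window's size, then declines
-- counted over the current and 3 preceding windows
WITH sized AS (
  SELECT instrument,
    time_bucket('30 min', trade_time) AS window_start,
    avg(quantity) AS avg_size
  FROM trades
  GROUP BY instrument,
    time_bucket('30 min', trade_time)
), stepped AS (
  SELECT *, lag(avg_size, 1) OVER (w) AS prev_size
  FROM sized
  WINDOW w AS (PARTITION BY instrument ORDER BY window_start)
), counted AS (
  SELECT *, count(*) FILTER (WHERE avg_size < prev_size)
    OVER (w ROWS 3 PRECEDING) AS decline_count
  FROM stepped
  WINDOW w AS (PARTITION BY instrument ORDER BY window_start)
)
SELECT instrument, window_start, avg_size, prev_size, decline_count
FROM counted
WHERE decline_count >= 3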

Composite Score — 214 alerts (score ≥ 2)

-- Unqualified instrument / window_start are the merged USING columns, so a
-- window keeps its key even when the price signal (s1) did not fire
SELECT instrument, window_start, score
FROM (
  SELECT instrument, window_start,
    (CASE WHEN s1.instrument IS NOT NULL THEN 1 ELSE 0 END
    + CASE WHEN s2.instrument IS NOT NULL THEN 1 ELSE 0 END
    + CASE WHEN s3.instrument IS NOT NULL THEN 1 ELSE 0 END
    + CASE WHEN s4.instrument IS NOT NULL THEN 1 ELSE 0 END) AS score
  FROM signal_price s1
  FULL OUTER JOIN signal_volume s2
    USING (instrument, window_start)
  FULL OUTER JOIN signal_aggressor s3
    USING (instrument, window_start)
  FULL OUTER JOIN signal_tradesize s4
    USING (instrument, window_start)
) scored
WHERE score >= 2
ORDER BY score DESC

All 4 signals + scoring in 65ms on A, 82ms on B, 34ms on C — across 10.4M trades.

Beyond Markets

The Same Pattern. Different Data.

Multi-signal scoring isn't just for markets. It applies to any domain where single metrics are noisy but combined signals are meaningful.

| Component | Capital Markets | Fraud Detection | Network Security | IoT / Manufacturing |
|---|---|---|---|---|
| Event stream | Trades | Transactions | Packets / logs | Sensor readings |
| Time window | 30 min | 24 hours | 5 min | 1 hour |
| Signal 1 (Spike) | Price return >5% | Amount >10× avg | Traffic >5× baseline | Temp >3σ |
| Signal 2 (Volume) | Volume >3× avg | Frequency >3× | Connection count spike | Vibration >2× |
| Signal 3 (Composition) | Buy aggressor >70% | New payees >60% | Foreign IP >80% | Harmonic ratio shift |
| Signal 4 (Trend) | Trade size declining | Amounts escalating | Payload size growing | Efficiency declining |
| Verdict | Pump & dump | Account takeover | Data exfiltration | Bearing failure |

"The detection engine doesn't change. The signals change. Replace 'price return' with 'temperature spike' and you have predictive maintenance."

The Math

Why Convergence Beats Threshold

A single signal with a 5% false positive rate flags thousands of instruments. Two independent signals firing together? The false positive rate drops to 0.25%. Three signals: 0.0125%. The math is simple multiplication — but the reduction is dramatic.

False Positive Probability vs. Number of Signals (log scale)
  • Score 1 (noise): ~5,000
  • Score 2: ~150
  • Score 3: ~50
  • Score 4: ~14

Each additional signal cuts alert volume by 3-5×
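
The multiplication above, carried through as an added example (not code from the original page). It assumes independent signals, as the paragraph does, and goes beyond the text in two ways: each signal may have its own false positive rate, and the rule is "at least k of n signals fire", which is how a score ≥ 2 threshold over four signals behaves. Function names are illustrative.

```python
def score_distribution(fp_rates):
    """P(score = k), k = 0..n, when signal i fires by chance with
    probability fp_rates[i], independently of the others."""
    dist = [1.0]  # with zero signals the score is 0 with certainty
    for p in fp_rates:
        nxt = [0.0] * (len(dist) + 1)
        for k, prob in enumerate(dist):
            nxt[k] += prob * (1 - p)   # this signal stays quiet
            nxt[k + 1] += prob * p     # this signal fires by chance
        dist = nxt
    return dist


def p_score_at_least(fp_rates, min_score):
    """Chance that an innocent window reaches the alert threshold."""
    return sum(score_distribution(fp_rates)[min_score:])


def expected_false_alerts(fp_rates, min_score, n_windows):
    """Expected chance alerts over n_windows instrument-windows."""
    return p_score_at_least(fp_rates, min_score) * n_windows


P = 0.05  # per-signal false positive rate used in the text
BOTH_OF_TWO = p_score_at_least([P, P], 2)        # two specific signals
ALL_OF_THREE = p_score_at_least([P] * 3, 3)      # three specific signals
ANY_TWO_OF_FOUR = p_score_at_least([P] * 4, 2)   # score >= 2 over four
```

With four signals at 5% each, a score ≥ 2 rule is met by chance about 1.4% of the time rather than 0.25%, because any pair out of the four qualifies. Positively correlated signals raise chance convergence further, so calibrate against historical data.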

Your Turn

Bring Your Signals

The method is domain-agnostic. Define your signals, set your thresholds, score the convergence.

1. Define Signals: "What are the weak indicators?" Identify individual metrics that are noisy alone but meaningful in combination.
2. Set Thresholds: "Calibrate with your data." Use historical data to find the right threshold for each signal — balancing sensitivity and noise.
3. Choose Windows: "ms, min, hours, or days." Milliseconds for trading, minutes for network, hours for fraud, days for IoT.
4. Score Convergence: "How many must fire together?" Define the minimum number of signals that must fire in the same window to trigger an alert.
5. Rank & Investigate: "Higher score = higher confidence." Sort by composite score. Focus human attention on the highest-scoring alerts first.

# Domain-agnostic multi-signal detector
class MultiSignalDetector:
  def __init__(self, signals, window, min_score):
    self.signals = signals
    self.window = window
    self.min_score = min_score

# Capital markets
market = MultiSignalDetector(
  signals=["price_return", "volume_surge",
    "aggressor_ratio", "trade_size_decline"],
  window="30min", min_score=2)

# Fraud detection
fraud = MultiSignalDetector(
  signals=["amount_spike", "frequency_surge",
    "new_payee_ratio", "amount_escalation"],
  window="24h", min_score=2)

# IoT / predictive maintenance
iot = MultiSignalDetector(
  signals=["temp_spike", "vibration_surge",
    "harmonic_shift", "efficiency_decline"],
  window="1h", min_score=2)
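
The five steps, worked through for the Network Security column of the table above, as an added example that is not the page's own code: it buckets flow records into 5-minute windows, evaluates four signals per host and window, and ranks windows by how many fired. The `Flow` record, the baseline dictionary, the 3× connection threshold and the one-step payload trend are assumptions; the sample flows are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_S = 300  # 5-minute window, from the table's Network Security column

@dataclass
class Flow:  # hypothetical flow-log record
    ts: int            # epoch seconds
    host: str          # internal source host
    dst_foreign: bool  # destination outside the home region
    bytes_out: int

def window_features(flows):
    """Aggregate flows into per-(host, window_start) totals."""
    agg = defaultdict(lambda: {"bytes": 0, "conns": 0, "foreign": 0})
    for f in flows:
        a = agg[(f.host, f.ts - f.ts % WINDOW_S)]
        a["bytes"] += f.bytes_out
        a["conns"] += 1
        a["foreign"] += f.dst_foreign
    return agg

def score_windows(flows, baseline, min_score=2):
    """Return (score, host, window_start, fired) tuples, highest score first."""
    agg = window_features(flows)
    alerts = []
    for (host, start), a in sorted(agg.items()):
        base, prev = baseline[host], agg.get((host, start - WINDOW_S))
        avg_payload = a["bytes"] / a["conns"]
        signals = {
            "traffic_spike": a["bytes"] > 5 * base["bytes"],
            "conn_spike": a["conns"] > 3 * base["conns"],  # 3x is an assumed threshold
            "foreign_ratio": a["foreign"] / a["conns"] > 0.80,
            # trend simplified to growth versus the previous window (assumption)
            "payload_growing": prev is not None
            and avg_payload > prev["bytes"] / prev["conns"],
        }
        fired = [name for name, hit in signals.items() if hit]
        if len(fired) >= min_score:
            alerts.append((len(fired), host, start, fired))
    return sorted(alerts, key=lambda alert: -alert[0])

# Constructed sample: db01 bursts to foreign hosts; web01 only spikes in volume.
BASELINE = {"db01": {"bytes": 10_000, "conns": 5},
            "web01": {"bytes": 50_000, "conns": 40}}
FLOWS = ([Flow(i, "db01", False, 2_000) for i in range(5)]
         + [Flow(300 + i, "db01", True, 4_000) for i in range(20)]
         + [Flow(300 + i, "web01", False, 8_000) for i in range(40)])
ALERTS = score_windows(FLOWS, BASELINE)
```

On the sample, `db01` scores 4 in its second window while `web01`, which only exceeds the traffic threshold, scores 1 and stays below `min_score`.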
Get Started

Have Noisy Signals?
Let's Build a Scoring Engine.

Whether it's market surveillance, fraud detection, network security, or IoT monitoring — the pattern is the same.


🌏 We welcome international engagements — serving clients across Southeast Asia and beyond.

contact@infozense.com  |  +66-82-242-4008  |  Bangkok, Thailand