Zhengmin Li,Chunge Zhu,Xinran Liu,Xiufeng Sui

DOI: https://doi.org/10.1109/icnsc.2017.8000085

2017-01-01

Abstract:The combination of fast online anomaly detection and offline learning is a vital element of operations in large-scale datacenters and utility clouds. Given ever-increasing datacenter sizes coupled with the complexities of systems software, applications, and workload patterns, such anomaly detection must operate continuous and real-time at runtime. Further, detection should function for both hardware and software levels of abstraction, and for the multiple metrics used in cloud computing systems. In this paper, we present a novel, flexible framework to do anomaly detection for data center. The goal of our framework design is to combine online anomaly detection and offline learning automatically and iteratively. And the framework aims to have the capability to integrate different offline learning methodologies. We demonstrate this framework with two representative applications in datacenters, and explore three common scenarios during the applications runtime. Experiment results show that the proposed approach provides good accuracy and low overhead.

Jinbo Li,Hesam Izakian,Witold Pedrycz,Iqbal Jamal

DOI: https://doi.org/10.1016/j.asoc.2020.106919

IF: 8.7

2021-03-01

Applied Soft Computing

Abstract:Multivariate time series data come as a collection of time series describing different aspects of a certain temporal phenomenon. Anomaly detection in this type of data constitutes a challenging problem yet with numerous applications in science and engineering because anomaly scores come from the simultaneous consideration of the temporal and variable relationships. In this paper, we propose a clustering-based approach to detect anomalies concerning the amplitude and the shape of multivariate time series. First, we use a sliding window to generate a set of multivariate subsequences and thereafter apply an extended fuzzy clustering to reveal a structure present within the generated multivariate subsequences. Finally, a reconstruction criterion is employed to reconstruct the multivariate subsequences with the optimal cluster centers and the partition matrix. We construct a confidence index to quantify a level of anomaly detected in the series and apply Particle Swarm Optimization as an optimization vehicle for the problem of anomaly detection. Experimental studies completed on several synthetic and six real-world datasets suggest that the proposed methods can detect the anomalies in multivariate time series. With the help of available clusters revealed by the extended fuzzy clustering, the proposed framework can detect anomalies in the multivariate time series and is suitable for identifying anomalous amplitude and shape patterns in various application domains such as health care, weather data analysis, finance, and disease outbreak detection.

computer science, artificial intelligence, interdisciplinary applications

Xiaolan Wang,Md. Manjur Ahmed,Mohd Nizam Husen,Hai Tao,Qian Zhao

DOI: https://doi.org/10.1007/978-981-99-0405-1_5

2023-01-01

Abstract:The identification of anomalies in a data stream is a difficulty for decision-making in real time. A memory-constrained online detection system that is able to quickly detect the concept drift of streaming data is required because the constant arrival of massive amounts of streaming data with changing characteristics makes real-time and efficient anomaly detection a difficult task. This is because of the nature of the data itself, which is constantly changing. In this study, a novel model for detecting anomalies using dynamic micro-clusters scheme is developed. The macro-clusters are generated from a network of connected micro-clusters. When new data items are added, the normal patterns that are formed in macro-clusters will update in tandem with the dynamic micro-clusters in an incremental fashion. An outlier may be understood from both a global and a local perspective by examining the global and local densities respectively. The effectiveness of the suggested approach was evaluated with the use of three different datasets. The findings of the experiment demonstrate that the suggested method is superior to earlier algorithms in terms of both the accuracy of detection and the level of computing complexity it requires.

Gerard Shu Fuhnwi,Janet O. Agbaje,Kayode Oshinubi,Olumuyiwa James Peter

DOI: https://doi.org/10.46481/jnsps.2023.1364

2023-04-19

Journal of the Nigerian Society of Physical Sciences

Abstract:In data mining, and statistics, anomaly detection is the process of finding data patterns (outcomes, values, or observations) that deviate from the rest of the other observations or outcomes. Anomaly detection is heavily used in solving real-world problems in many application domains, like medicine, finance , cybersecurity, banking, networking, transportation, and military surveillance for enemy activities, but not limited to only these fields. In this paper, we present an empirical study on unsupervised anomaly detection techniques such as Density-Based Spatial Clustering of Applications with Noise (DBSCAN), (DBSCAN++) (with uniform initialization, k-center initialization, uniform with approximate neighbor initialization, and $k$-center with approximate neighbor initialization), and $k$-means$--$ algorithms on six benchmark imbalanced data sets. Findings from our in-depth empirical study show that k-means-- is more robust than DBSCAN, and DBSCAN++, in terms of the different evaluation measures (F1-score, False alarm rate, Adjusted rand index, and Jaccard coefficient), and running time. We also observe that DBSCAN performs very well on data sets with fewer number of data points. Moreover, the results indicate that the choice of clustering algorithm can significantly impact the performance of anomaly detection and that the performance of different algorithms varies depending on the characteristics of the data. Overall, this study provides insights into the strengths and limitations of different clustering algorithms for anomaly detection and can help guide the selection of appropriate algorithms for specific applications.

Domenico Giordano,Matteo Paltenghi,Stiven Metaj,Antonin Dvorak

DOI: https://doi.org/10.1051/epjconf/202125102011

2021-01-01

EPJ Web of Conferences

Abstract:Anomaly detection in the CERN OpenStack cloud is a challenging task due to the large scale of the computing infrastructure and, consequently, the large volume of monitoring data to analyse. The current solution to spot anomalous servers in the cloud infrastructure relies on a threshold-based alarming system carefully set by the system managers on the performance metrics of each infrastructure’s component. This contribution explores fully automated, unsupervised machine learning solutions in the anomaly detection field for time series metrics, by adapting both traditional and deep learning approaches. The paper describes a novel end-to-end data analytics pipeline implemented to digest the large amount of monitoring data and to expose anomalies to the system managers. The pipeline relies solely on open-source tools and frameworks, such as Spark, Apache Airflow, Kubernetes, Grafana, Elasticsearch . In addition, an approach to build annotated datasets from the CERN cloud monitoring data is reported. Finally, a preliminary performance of a number of anomaly detection algorithms is evaluated by using the aforementioned annotated datasets.

Ashkan Aghdai,Kang Xi,H. Jonathan Chao

DOI: https://doi.org/10.48550/arXiv.1906.06388

2019-06-15

Abstract:Data centers play a key role in today's Internet. Cloud applications are mainly hosted on multi-tenant warehouse-scale data centers. Anomalies pose a serious threat to data centers' operations. If not controlled properly, a simple anomaly can spread throughout the data center, resulting in a cascading failure. Amazon AWS had been affected by such incidents recently. Although some solutions are proposed to detect anomalies and prevent cascading failures, they mainly rely on application-specific metrics and case-based diagnosis to detect the anomalies. Given the variety of applications on a multi-tenant data center, proposed solutions are not capable of detecting anomalies in a timely manner. In this paper we design an application-agnostic anomaly detection scheme. More specifically, our design uses a highly distributed data mining scheme over network-level traffic metrics to detect anomalies. Once anomalies are detected, simple actions are taken to mitigate the damage. This ensures that errors are confined and prevents cascading failures before administrators intervene.

Networking and Internet Architecture

Mohamed Allam,Noureddine Boujnah,Noel E. O'Connor,Mingming Liu

2024-07-21

Abstract:This paper proposes a framework for time series generation built to investigate anomaly detection in cloud microservices. In the field of cloud computing, ensuring the reliability of microservices is of paramount concern and yet a remarkably challenging task. Despite the large amount of research in this area, validation of anomaly detection algorithms in realistic environments is difficult to achieve. To address this challenge, we propose a framework to mimic the complex time series patterns representative of both normal and anomalous cloud microservices behaviors. We detail the pipeline implementation that allows deployment and management of microservices as well as the theoretical approach required to generate anomalies. Two datasets generated using the proposed framework have been made publicly available through GitHub.

Distributed, Parallel, and Cluster Computing,Machine Learning

Maciej Tobiasz,Joanna Kosinska

DOI: https://doi.org/10.1109/access.2022.3216080

IF: 3.9

2022-01-01

IEEE Access

Abstract:Due to the increasing complexity of computing clusters, it becomes more challenging to identify erroneous behavior inside them. Monitoring systems collect large amounts of data to provide analysis of cluster behavior. Their manual study is expensive and sometimes even impossible. Hence, a system capable of analyzing the gathered data and then, based on those data, detecting anomalies within the cluster is essential. Our paper proposes a system for detecting an anomaly in a Kubernetes cluster (KAD - Kubernetes Anomaly Detector). KAD uses machine learning techniques to diagnose problems that may arise. The novelty of our solution lies in proposing the concept of using various machine learning models that facilitate the detection of different types of anomalies. The user can choose which model to use for anomaly detection in the given situation. The KAD system can also automatically select the appropriate model. The selection is based on scoring procedures. The system trains the models using historical data that describe the usual behavior of the cluster. Then it detects anomalies based on the predictions of the trained model or signal reconstructions. Finally, in two groups of experiments, we evaluate the proposed concepts. The experiments confirm the importance of selecting the proper ML model to detect anomalies in different situations. Furthermore, the experiments assess the latency of the responses in a production-ready cluster.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xuedan Miao,Ying Liu,Haiquan Zhao,Chunguang Li

DOI: https://doi.org/10.1109/tcyb.2018.2804940

IF: 11.8

2019-01-01

IEEE Transactions on Cybernetics

Abstract:Anomaly detection has attracted much attention in recent years since it plays a crucial role in many domains. Various anomaly detection approaches have been proposed, among which one-class support vector machine (OCSVM) is a popular one. In practice, data used for anomaly detection can be distributively collected via wireless sensor networks. Besides, as the data usually arrive at the nodes sequentially, online detection method that can process streaming data is preferred. In this paper, we formulate a distributed online OCSVM for anomaly detection over networks and get a decentralized cost function. To get the decentralized implementation without transmitting the original data, we use a random approximate function to replace the kernel function. Furthermore, to find an appropriate approximate dimension, we add a sparse constraint into the decentralized cost function to get another one. Then we minimize these two cost functions by stochastic gradient descent and derive two distributed algorithms. Some theoretical analysis and experiments are performed to show the effectiveness of the proposed algorithms. Experimental results on both synthetic and real datasets reveal that both of the proposed algorithms achieve low mis-detection rates and high true positive rates. Compared with other state-of-the-art anomaly detection methods, the proposed distributed algorithms not only show good anomaly detection performance, but also require relatively short running time and low CPU memory consumption.

Anukampa Behera

DOI: https://doi.org/10.26483/ijarcs.v14i6.7036

2023-12-20

International Journal of Advanced Research in Computer Science

Abstract:In a process, to ensure increased reliability and better availability, it is very important to detect any anomalies that refer to any abnormality observed in the behaviour of a standard process. The breakdown of service(s) eventually leads to production loss, and at the same time, a system that is unreliable brings lots of challenges to the operations team. Anomaly detection plays a significant role to ensure that an application is reliable, secured and available for user requests. For the overall performance optimization of a cloud microservice based application without any disruption in service, and identification of possible security threat, it is much essential that the anomalies must be detected and responded to in time. In real life large microservice based production infrastructures environments, even though ample instance of normal activities is available, it is not possible to predict and create a dataset of anomalies. So these kind of data are not suitable for a supervised two-class classification. In this work, unsupervised one-class approaches such as Local Outlier Factor, Isolation Forest, and One Class SVM are used to find anomalies. On experimentation these models have obtained a high accuracy of 98% to 99%. On comparing the performance of the models, One-Class SVM is found to produce significantly higher number of False Positives in comparison to other two considered model

Dan Yang,Xiaohong Zhang,Yufu Chen,Ziliang Wang,Meng Yan

DOI: https://doi.org/10.1109/ICWS55610.2022.00062

2022-07-01

Abstract:Software architecture is undergoing a transition from monolithic architectures to microservices to achieve resilience, agility, and scalability in the software life circle. However, microservice architecture is not perfect and suffers from intermittent faults, leading to economic and user losses. Therefore, it is essential to detect anomalies in microservice systems accurately. The key limitation of current approaches lies in a lack of ability to detect multitype anomalies, excessive resource overhead, and requirements of expert knowledge. In this paper, we present a Deep Attentive anomaly detection approach with Multimodal data named DAM. With multimodal fusion, attentive LSTM, and a dynamic threshold selecting algorithm, DAM could detect anomalies accurately and efficiently in an unsupervised manner. We evaluate our approach by injecting six types of anomalies on a widely used microservice system, Train-Ticket. The result shows that DAM could detect multitype anomalies well, with 80.46% F-measure, achieving 16.76% and 29.52% improvement over two state-of-the-art baselines (Donut and DAGMM), respectively.

Computer Science

Zhongmin Cai,Xiaorong Chu,Xiaoqin Wang,Xiaoming Wang

2006-01-01

Abstract:Human Computer Interface is regarded as a "digital chasm" in computer systems engineering. There are many things that can easily go wrong. This paper focuses on anomaly detection of inappropriate behaviors in the complex human computer interaction process. A method is proposed. to identify the unauthorized users by analyzing their command sequence using clustering techniques. After calculating the frequency vector of the command sequence for different users, the shortest-distance system clustering and the longest-distance system clustering methods are applied respectively to find out who are the unauthorized users among the mixed command sequences. The two methods are compared experimentally based on real world data and the effect of the clustering analysis in the intrusion detection is evaluated.

Guo Pu,Lijuan Wang,Jun Shen,Fang Dong

DOI: https://doi.org/10.26599/tst.2019.9010051

2021-04-01

Abstract:In recent years, machine learning-based cyber intrusion detection methods have gained increasing popularity. The number and complexity of new attacks continue to rise; therefore, effective and intelligent solutions are necessary. Unsupervised machine learning techniques are particularly appealing to intrusion detection systems since they can detect known and unknown types of attacks as well as zero-day attacks. In the current paper, we present an unsupervised anomaly detection method, which combines Sub-Space Clustering (SSC) and One Class Support Vector Machine (OCSVM) to detect attacks without any prior knowledge. The proposed approach is evaluated using the well-known NSL-KDD dataset. The experimental results demonstrate that our method performs better than some of the existing techniques.

computer science, information systems,engineering, electrical & electronic, software engineering

ZHANG Qixun,HAN Jing,CHENG Li,ZHANG Baisheng,GONG Zican

DOI: https://doi.org/10.12142/ZTECOM.202203011

2022-01-01

Abstract:Microservices have become popular in enterprises because of their excellent scalability and timely update capabilities . However, while fine-grained modularity and service-orientation decrease the complexity of system development, the complexity of system operation and maintenance has been greatly increased, on the contrary. Multiple types of system failures occur frequently, and it is hard to detect and diag-nose failures in time. Furthermore, microservices are updated frequently. Existing anomaly detection models depend on offline training and cannot adapt to the frequent updates of microservices. This paper proposes an anomaly detection approach for microservice systems with multi-source data streams. This approach realizes online model construction and online anomaly detection, and is capable of self-updating and self-adapting. Experimental results show that this approach can correctly identify 78.85％of faults of different types.

Yuan Zuo,Yulei Wu,Geyong Min,Chengqiang Huang,Ke Pei

DOI: https://doi.org/10.1109/tccn.2020.2966615

IF: 6.359

2020-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:Service-oriented 5G mobile systems are commonly believed to reshape the landscape of the Internet with ubiquitous services and infrastructures. The micro-services architecture has attracted significant interests from both academia and industry, offering the capabilities of agile development and scale capacity. The emerging mobile edge computing is able to firmly maintain efficient resource utility of 5G systems, which can be empowered by micro-services. However, such capabilities impose significant challenges on micro-services system management. Although substantial data are produced for system maintenance, the interleaved temporal-spatial information has not been fully exploited. Additionally, the flooding data impose heavy pressures on automatic analysis tools. Automated digestion of data is in an urgent need for system maintenance. In this paper, we propose a new learning-based anomaly detection framework for service-provision systems with micro-services architectures using service execution logs (temporally) and query traces (spatially). It includes two major parts: logging and tracing representation, and two-stage identification via a sequential model and temporal-spatial analysis. The experimental results show that the temporal-spatial features can accurately capture the nature of operational data. The proposed framework performs well on anomaly detection, and helps gain in-depth insights of large-scale systems.

Iman Kohyarnejadfard,Daniel Aloise,Seyed Vahid Azhari,Michel R. Dagenais

DOI: https://doi.org/10.1186/s13677-022-00296-4

2022-08-14

Journal of Cloud Computing

Abstract:In recent years DevOps and agile approaches like microservice architectures and Continuous Integration have become extremely popular given the increasing need for flexible and scalable solutions. However, several factors such as their distribution in the network, the use of different technologies, their short life, etc. make microservices prone to the occurrence of anomalous system behaviours. In addition, due to the high degree of complexity of small services, it is difficult to adequately monitor the security and behavior of microservice environments. In this work, we propose an NLP (natural language processing) based approach to detect performance anomalies in spans during a given trace, besides locating release-over-release regressions. Notably, the whole system needs no prior knowledge, which facilitates the collection of training data. Our proposed approach benefits from distributed tracing data to collect sequences of events that happened during spans. Extensive experiments on real datasets demonstrate that the proposed method achieved an F_score of 0.9759. The results also reveal that in addition to the ability to detect anomalies and release-over-release regressions, our proposed approach speeds up root cause analysis by means of implemented visualization tools in Trace Compass.

English Else

Mohammad Bazm,Rida Khatoun,Youcef Begriche,Lyes Khoukhi,Xiuzhen Chen,Ahmed Serhrouchni

DOI: https://doi.org/10.1109/cloudtech.2015.7336986

2015-01-01

Abstract:Cloud computing aims to provide enormous resources and services, parallel processing and reliable access for users on the networks. The flexible resources of clouds could be used by malicious actors to attack other infrastructures. Cloud can be used as a platform to perform these attacks, a virtual machine(VM) in the Cloud can play the role of a malicious VM belonging to a Botnet and sends a heavy traffic to the victim. For cloud service providers, preventing their infrastructure from being turned into an attack platform is very challenging since it requires detecting attacks at the source, in a highly dynamic and heterogeneous environment. In this paper, an approach to detect these malicious behaviors in the Cloud based on the analysis of network parameters is proposed. This approach is a source-based attack detection, which applies both Entropy and clustering methods on network parameters. The environment of Cloud is simulated on Cloudsim. The data clustering allows achieving high performance, with a high percentage of correctly clustered VMs.

Mubashir Ali,Patrizia Scandurra,Fabio Moretti,Hafiz Husnain Raza Sherazi

DOI: https://doi.org/10.1109/tce.2024.3354189

2024-01-01

IEEE Transactions on Consumer Electronics

Abstract:The digitization of the energy industry enables the collection and analysis of vast amounts of consumption data for improved decision-making and efficient energy resource utilization. This big data represents an opportunity to address data quality issues and identify anomalies. The detection of anomalies in data that significantly deviates from normal behavior is critical, as they can lead to economic losses. To extract valuable insights and mitigate such challenges, big data analytics platforms and machine learning techniques are increasingly being adopted. Their practical use is crucial in defining consumer-centric, sustainable, and resilient technologies for Industry 5.0. In this article, we address the problem of anomaly detection in electricity consumption for public street lighting. We present our approach and experience in analyzing anomalous behavior of public street lighting plants using electric energy data collected and provided by the ENEA PELL smart city platform. To this end, we adopt three well-known unsupervised clustering techniques: k-means, DBSCAN, and OPTICS. We conduct a comparative analysis of these methods using a real benchmark data set and additional data with known anomalies, used as ground truth data, to verify the correctness of the methods. We synthetically generate additional data from the real data set by automatically injecting anomalies based on specific patterns of anomalous behavior identified for the public street lighting domain. We examine the clustering methods’ performance by calculating their accuracy in detecting synthetic anomalies, as well as their computation cost. The experiments show that while K-means runs faster, DBSCAN is more accurate than K-means and OPTICS in detecting synthetic anomalies.

telecommunications,engineering, electrical & electronic

Sean Doris,Iosif Salem,Stefan Schmid

2024-08-27

Abstract:With increasingly larger and more complex telecommunication networks, there is a need for improved monitoring and reliability. Requirements increase further when working with mission-critical systems requiring stable operations to meet precise design and client requirements while maintaining high availability. This paper proposes a novel methodology for developing a machine learning model that can assist in maintaining availability (through anomaly detection) for client-server communications in mission-critical systems. To that end, we validate our methodology for training models based on data classified according to client performance. The proposed methodology evaluates the use of machine learning to perform anomaly detection of a single virtualized server loaded with simulated network traffic (using SIPp) with media calls. The collected data for the models are classified based on the round trip time performance experienced on the client side to determine if the trained models can detect anomalous client side performance only using key performance indicators available on the server. We compared the performance of seven different machine learning models by testing different trained and untrained test stressor scenarios. In the comparison, five models achieved an F1-score above 0.99 for the trained test scenarios. Random Forest was the only model able to attain an F1-score above 0.9 for all untrained test scenarios with the lowest being 0.980. The results suggest that it is possible to generate accurate anomaly detection to evaluate degraded client-side performance.

Networking and Internet Architecture

Jinkun Geng,Daren Ye,Ping Luo,Pin Lv

DOI: https://doi.org/10.1007/978-3-319-28865-9_45

2015-01-01

Abstract:As a main method in database intrusion detection, database anomaly detection should be able to detect users’ operational behaviours for timely prevention of possible attacks and for guarantee of database security. Aiming at this, we apply cluster analysis techniques to anomaly detection and propose a novel density-based clustering algorithm called DBCAPSIC, which is adopted to clustering database users according to their behavior types and behavior frequencies. Privilege patterns are extracted from the clusters and serve as a reference in anomaly detection. The simulation experiment proves that the algorithm can recognize the anomalous operations with few mistakes.