Xiaozhen Zhou,Shanping Li,Zhen Ye

DOI: https://doi.org/10.1155/2013/179390

IF: 1.43

2013-01-01

Mathematical Problems in Engineering

Abstract:Computer systems are becoming extremely complex, while system anomalies dramatically influence the availability and usability of systems. Online anomaly prediction is an important approach to manage imminent anomalies, and the high accuracy relies on precise system monitoring data. However, precise monitoring data is not easily achievable because of widespread noise. In this paper, we present a method which integrates an improved Evidential Markov model and ensemble classification to predict anomaly for systems with noise. Traditional Markov models use explicit state boundaries to build the Markov chain and then make prediction of different measurement metrics. A Problem arises when data comes with noise because even slight oscillation around the true value will lead to very different predictions. Evidential Markov chain method is able to deal with noisy data but is not suitable in complex data stream scenario. The Belief Markov chain that we propose has extended Evidential Markov chain and can cope with noisy data stream. This study further applies ensemble classification to identify system anomaly based on the predicted metrics. Extensive experiments on anomaly data collected from 66 metrics in PlanetLab have confirmed that our approach can achieve high prediction accuracy and time efficiency.

Feiyi Chen,Yingying zhang,Zhen Qin,Lunting Fan,Renhe Jiang,Yuxuan Liang,Qingsong Wen,Shuiguang Deng

DOI: https://doi.org/10.1109/icde60146.2024.00047

2024-01-01

Abstract:Anomaly detection significantly enhances the robustness of cloud systems.While neural network-based methods have recently demonstrated strongadvantages, they encounter practical challenges in cloud environments: thecontradiction between the impracticality of maintaining a unique model for eachservice and the limited ability to deal with diverse normal patterns by aunified model, as well as issues with handling heavy traffic in real time andshort-term anomaly detection sensitivity. Thus, we propose MACE, a multi-normal-pattern accommodated and efficientanomaly detection method in the frequency domain for time series anomalydetection. There are three novel characteristics of it: (i) a patternextraction mechanism excelling at handling diverse normal patterns with aunified model, which enables the model to identify anomalies by examining thecorrelation between the data sample and its service normal pattern, instead ofsolely focusing on the data sample itself; (ii) a dualistic convolutionmechanism that amplifies short-term anomalies in the time domain and hindersthe reconstruction of anomalies in the frequency domain, which enlarges thereconstruction error disparity between anomaly and normality and facilitatesanomaly detection; (iii) leveraging the sparsity and parallelism of frequencydomain to enhance model efficiency. We theoretically and experimentally provethat using a strategically selected subset of Fourier bases can not only reducecomputational overhead but is also profitable to distinguish anomalies,compared to using the complete spectrum. Moreover, extensive experimentsdemonstrate MACE's effectiveness in handling diverse normal patterns with aunified model and it achieves state-of-the-art performance with highefficiency.

Waqas Haider,Jiankun Hu,Yi Xie,Xinghuo Yu,Qianhong Wu

DOI: https://doi.org/10.1109/tbdata.2017.2736555

2017-01-01

IEEE Transactions on Big Data

Abstract:Anomaly detection for cloud servers is important for detecting zero-day attacks. However, it is very challenging due to the large amount of accumulated data. In this paper, a new mathematical model for modeling dynamic usage behavior and detecting anomalies is proposed. It is constructed using state summarization and a novel nested-arc hidden semi-Markov model (NAHSMM). State summarization is designed to extract usage behavior reflective states from a raw sequence. The NAHSMM is comprised of exterior and interior hidden Markov chains. The exterior controls the propagation of raw sequences of system calls and, conditional on it, the interior one controls the summarized observation process from the transition less usage behavior reflective states. An anomaly detection algorithm is derived by integrating state summarization and NAHSMM. During training the algorithm is assisted by a forensic module to tune the behavioral threshold. Experimental data is collected using IXIA Perfect Storm in conjunction with the commercial security-test hardware platform cyber range. To evaluate the reliability of the proposed model, first, its accuracy and training costs are compared with those of existing machine-learning models and then its scalability and resistance capabilities are tested. The results indicate that this model could be used as a method for detecting anomalies in cloud servers.

Jing Zhang

DOI: https://doi.org/10.48550/arXiv.1901.09294

2019-01-27

Abstract:Anomaly detecting as an important technical in cloud computing is applied to support smooth running of the cloud platform. Traditional detecting methods based on statistic, analysis, etc. lead to the high false-alarm rate due to non-adaptive and sensitive parameters setting. We presented an online model for anomaly detecting using machine learning theory. However, most existing methods based on machine learning linked all features from difference sub-systems into a long feature vector directly, which is difficult to both exploit the complement information between sub-systems and ignore multi-view features enhancing the classification performance. Aiming to this problem, the proposed method automatic fuses multi-view features and optimize the discriminative model to enhance the accuracy. This model takes advantage of extreme learning machine (ELM) to improve detection efficiency. ELM is the single hidden layer neural network, which is transforming iterative solution the output weights to solution of linear equations and avoiding the local optimal solution. Moreover, we rank anomies according to the relationship between samples and the classification boundary, and then assigning weights for ranked anomalies, retraining the classification model finally. Our method exploits the complement information between sub-systems sufficiently, and avoids the influence from imbalance dataset, therefore, deal with various challenges from the cloud computing platform. We deploy the privately cloud platform by Openstack, verifying the proposed model and comparing results to the state-of-the-art methods with better efficiency and simplicity.

Machine Learning

Wenhao Wang,Chen Zhang,Quan Zhang

DOI: https://doi.org/10.1007/978-3-662-43908-1_15

2014-01-01

Abstract:In order to solve non-real time problem in traditional intrusion detection technologies, this paper proposes an anomaly detection model based on cloud model and danger theory. First using cloud model as a tool to evaluate the diversity factors between test data and the standard data set, then covert it into signal input of DCA to detect abnormality degree of system. Meanwhile, a dendritic cell algorithm based on data segmented detection is proposed in order to raise real-time response of the system. The paper use KDDCUP99 data sets to validate membership of normal data and detection rate of this model. Experimental results show that the model can effectively distinguish between normal data and abnormal data, and also improve the system anomaly detection capabilities.

Zhengmin Li,Chunge Zhu,Xinran Liu,Xiufeng Sui

DOI: https://doi.org/10.1109/icnsc.2017.8000085

2017-01-01

Abstract:The combination of fast online anomaly detection and offline learning is a vital element of operations in large-scale datacenters and utility clouds. Given ever-increasing datacenter sizes coupled with the complexities of systems software, applications, and workload patterns, such anomaly detection must operate continuous and real-time at runtime. Further, detection should function for both hardware and software levels of abstraction, and for the multiple metrics used in cloud computing systems. In this paper, we present a novel, flexible framework to do anomaly detection for data center. The goal of our framework design is to combine online anomaly detection and offline learning automatically and iteratively. And the framework aims to have the capability to integrate different offline learning methodologies. We demonstrate this framework with two representative applications in datacenters, and explore three common scenarios during the applications runtime. Experiment results show that the proposed approach provides good accuracy and low overhead.

Jian Liu,Jie Li,Chentao Wu

DOI: https://doi.org/10.1109/globecom38437.2019.9013839

2019-01-01

Abstract:Log anomaly detection is a critical step towards building a secure and trustworthy cloud system. As more corporations turn to cloud system to store and process their most valuable data, the risk of a potential breach of those systems increases exponentially. However, conventional top-n log candidates anomaly detection methods, such as Deeplog and N-gram, often suffer from the limited scope of the top-n list, which rules out many potentially suitable candidates. In this paper, we propose Discounted Cumulative Gain (DCG) discriminative algorithm that ranks all the log candidates and calculates the dcg score to determine the number of log candidates. To demonstrate the effectiveness of our algorithm, we conduct comprehensive experiments under different log workloads. Experimental evaluations show that DCG has outperformed Deeplog and N-gram methods in cloud systems, and improved the F-score of Deeplog and N-gram by up to 3.8% and 11.6% respectively.

Yang Shi,Maoran Xu,Rongwen Zhao,Hao Fu,Tongshuang Wu,Nan Cao

DOI: https://doi.org/10.1109/THMS.2019.2925195

2019-01-01

IEEE Transactions on Human-Machine Systems

Abstract:Automatic anomaly detection techniques have been extensively used to support decision making in abnormal situations. However, existing approaches are limited in their capacity of effectively identifying anomalies due to the complexity of the real-world environment, the uncertainty of the data input, and the unavailability of ground truth. In this paper, we propose an interactive context-aware anomaly detection algorithm framework that incorporates human judgment in searching for anomalous regions within a large geographic environment. In specific, our framework, 1) estimates a focal region and detect anomalous situations in real time, through which the user can observe and analyze suspicious entities, 2) leverages user feedback to refine results and guide further analysis, and 3) tolerates potential fault feedback provided by the users and resignal dubious anomalous points. Based on the framework, we propose two algorithm implementations, respectively, employ Bayes’ theorem and metric learning. We demonstrate the effectiveness of the proposed framework and corresponding implementations through two controlled user studies and a case study with a domain expert.

Tao Qin,Ruoya Chen,Lei Wang,Chao He

DOI: https://doi.org/10.1109/cns.2018.8433208

2018-01-01

Abstract:With ever-growing complexity and dynamically of cloud computing systems, security monitoring has become more and more important. In this paper, we propose a lightweight framework for host based real-time anomaly detection in cloud computing. Firstly, unlike the traditional host based anomaly detection methods in which data collection agents usually occupy too many host resources, we employ the intelligent mobile agent which can automatically transfer to other hosts to collect data according to the monitoring task requirements, in turn reduce the number of data collection agents running in the platform. Secondly, we employ Principal Component Analysis (PCA) to extract the main features from the collected data and further reduce the data dimension. Thirdly, to mine the abnormal behavior point candidates, DBSCAN clustering is applied to labeling and gathers the entire data into corresponding cluster sets based on the data characteristics. The clusters containing a very small number of instances and the isolated instance are regarded as anomaly candidates since normal instances usually present as highly coherent clusters. Finally, to better improve the accuracy of anomaly detection, we propose an analysis method based on continuous sliding time window to eliminate the influence of the noise caused by normal operations, the anomaly candidates are further analyzed to finally determine whether the host is in abnormal status or not. The experimental results based on the anomaly detection platform we constructed show that the proposed method has lower computational complexity and higher detection accuracy, which can reduce the time complexity by 50% with detection accuracy is above 95%.

XU Ming,CHEN Chun,YING Jing

DOI: https://doi.org/10.1360/jos160276

2005-01-01

Journal of Software

Abstract:On the basis of the current single layer Markov chain anomaly detection model, this paper proposes a new two-layer model. Two distinctly different processes, the different requests and the system call sequence in the same request section, are classified as two layers and dealt with by different Markov chains respectively. The two-layer frame can depict the dynamic activity of the protected process more exactly than the single layer frame, so that the two-layer detection model can promote the detection rate and degrade the false alarm rate. Furthermore, the detected anomaly will be limited in the corresponding request sections where anomaly happens. The new detection model is suitable for privileged processes, especially for those based on request-response.

Huorong Ren,Zhixing Ye,Zhiwu Li

DOI: https://doi.org/10.1016/j.ins.2017.05.021

IF: 8.1

2017-01-01

Information Sciences

Abstract:Anomaly detection in sequence data is becoming more and more important in a wide variety of application domains such as credit card fraud detection, health care in medical field, and intrusion detection in cyber security. In the existing anomaly detection approaches, Markov chain techniques are widely accepted for their simple realization and few parameters. However, the short memory property of a classical Markov model ignores the interaction among data, and the long memory property of a higher order Markov model clouds the relationship between the previous data and current test data, and reduces the reliability of the model. Besides, both of these models cannot successfully describe the sequences changing with a tendency. In this paper, we propose an anomaly detection approach based on a dynamic Markov model. This approach segments sequence data by a sliding window. In the sliding window, we define the states of data according to the value of the data and establish a higher order Markov model with a proper order consequently, to balance the length of the memory property and keep up with the trend of sequences. In addition, an anomaly substitution strategy is proposed to prevent the detected anomalies from impacting the building of the models and keep anomaly detection continuously. The experimental results using simulated datasets and real-world datasets have demonstrated that the proposed approach improves the adaptability and stability of anomaly detection in sequence data.

Wei Xiong,Hanping Hu,Naixue Xiong,Laurence T. Yang,Wen-Chih Peng,Xiaofei Wang,Yanzhen Qu

DOI: https://doi.org/10.1016/j.ins.2013.04.009

IF: 8.1

2013-01-01

Information Sciences

Abstract:Cloud computing represents a new paradigm where computing resources are offered as services in the world via communication Internet. As many new types of attacks are arising at a high frequency, the cloud computing services are exposed to an increasing amount of security threats. To reduce security risks, two approaches of the network traffic anomaly detection in cloud communications have been presented, which analyze dynamic characteristics of the network traffic based on the synergetic neural networks and the catastrophe theory. In the former approach, a synergetic dynamic equation with a group of the order parameters is used to describe the complex behaviors of the network traffic system in cloud communications. When this equation is evolved, only the order parameter determined by the primary factors can converge to 1. Then, the anomaly can be detected. In the latter approach, a catastrophe potential function is introduced to describe the catastrophe dynamic process of the network traffic in cloud communications. When anomalies occur, the state of the network traffic will deviate from the normal one. To assess the deviation, an index named as catastrophe distance is defined. The network traffic anomaly can be detected by the value of this index. We evaluate the performance of these two approaches using the standard Defense Advanced Research Projects Agency data sets. Experimental results show that our approaches can effectively detect the network traffic anomaly and achieve the high detection probability and the low false alarms rate.

Mingwei Lin,Shuyu Chen

DOI: https://doi.org/10.17706/jcp.10.3.155-165

2015-01-01

Journal of Computers

Abstract:Infrastructure as a Service (IaaS) is an important service type provided by cloud computing. Infrastructure resources are encapsulated into services and they are provided to users over the Internet in the form of virtual machines. A malicious user can upload malicious software into the virtual machine allocated by a cloud computing service provider and launch the side channel attacks to other virtual machines located in the same physical node by operating his own virtual machine. In order to address the above problem, this paper proposes an efficient anomaly detection framework for cloud computing environment to detect the virtual machines that present abnormal behaviors. A new feature extraction algorithm is designed to reduce the dimensionality of the collected data and a new anomaly detection algorithm is also designed to detect the abnormal virtual machines. A series of experiments are conducted on a cloud computing environment that is deployed using the open source project OpenStack to evaluate the proposed framework. Experimental results show that the proposed framework is better than other anomaly detection methods designed for cloud computing environment in terms of precision, recall, false alarm rate, and runtime.

Mohamed Allam,Noureddine Boujnah,Noel E. O'Connor,Mingming Liu

2024-07-21

Abstract:This paper proposes a framework for time series generation built to investigate anomaly detection in cloud microservices. In the field of cloud computing, ensuring the reliability of microservices is of paramount concern and yet a remarkably challenging task. Despite the large amount of research in this area, validation of anomaly detection algorithms in realistic environments is difficult to achieve. To address this challenge, we propose a framework to mimic the complex time series patterns representative of both normal and anomalous cloud microservices behaviors. We detail the pipeline implementation that allows deployment and management of microservices as well as the theoretical approach required to generate anomalies. Two datasets generated using the proposed framework have been made publicly available through GitHub.

Distributed, Parallel, and Cluster Computing,Machine Learning

党倩,骆嘉伟,王东

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.10.036

2009-01-01

Abstract:In order to solve the problems that detection rate was low and the false positive rate was high,this paper proposed an anomaly detection algorithm based on cloud theory.The algorithm abstracted features and computed impact factors of individual attribute by applying chi-square method,introducing cloud generator to compute the feature value and error of attributes,judging intrusions according to integrated-value,which reduced the partial effect due to attribute abnormal overly.Taken the algorithm by tested though KDD'99 data set,the result of simulations demonstrates that excellent performance of the proposed algorithm's average detection rate is 98.66%,while the false positive rate is 1.87%.In a certain extent,the algorithm solves the problems in intrusion detection algorithms.

Youchang Xu,Ningjiang Chen,Hanlin Zhang,Birui Liang

DOI: https://doi.org/10.1007/978-981-13-2206-8_40

2018-01-01

Abstract:In complex and changeable cloud environment, the monitoring and anomaly detection of cloud platform become very important. Good anomaly detection can help cloud platform managers to make quick adjustments to ensure a good user experience. Although many anomaly detection models have been put forward by researchers in recent years, the application of these anomaly detection models to a given service still faces the challenge of parameter adjustment, which is time-consuming and exhausting, and still fails. In order to solve the problem of parameter adjusting, in this paper, an adaptive anomaly detection framework is proposed, the process of parameter adjustment is transformed into a general Markov decision process by means of reinforcement learning, which realized the automation of parameter adjustment, reducing the workload of operator and the effective detection rate of the anomaly detection model is improved, we compared it on three typical KPI (Key Performance Indicator) curves with artificial adjustment mode and other optimization strategies, in the end, we verified the effectiveness of the strategy used in this paper.

Ruyue Xin,Hongyun Liu,Peng Chen,Zhiming Zhao

DOI: https://doi.org/10.1186/s13677-022-00383-6

2023-01-15

Journal of Cloud Computing

Abstract:Effectively detecting run-time performance anomalies is crucial for clouds to identify abnormal performance behavior and forestall future incidents. To be used for real-world applications, an effective anomaly detection framework should meet three main challenging requirements: high accuracy for identifying anomalies, good robustness when application patterns change, and prediction ability for upcoming anomalies. Unfortunately, existing research about performance anomaly detection usually focuses on improving detection accuracy, while little research tackles the three challenges simultaneously. We conduct experiments for existing detection methods on multiple application monitoring data, and results show that existing detection methods usually focus on different features in data, which will lead to their diverse performance on different data patterns. Therefore, existing anomaly detection methods have difficulty improving detection accuracy and robustness and predicting anomalies. To address the three requirements, we propose an Ensemble Learning-Based Detection (ELBD) framework which integrates existing well-selected detection methods. The framework includes three classic linear ensemble methods (maximum, average, and weighted average) and a novel deep ensemble method. Our experiments show that the ELBD framework realizes better detection accuracy and robustness, where the deep ensemble method can achieve the most accurate and robust detection for cloud applications. In addition, it can predict anomalies in the next four minutes with an F1 score higher than 0.8. The paper also proposes a new indicator to measure detection accuracy, robustness, and multi-step prediction ability. The of the deep ensemble method is 5.1821, which is much higher than other detection methods.

Simin Zhang,Bo Li,Jianxin Li,Mingming Zhang,Yang Chen

DOI: https://doi.org/10.1109/cscloud.2015.46

2015-01-01

Abstract:In recent years, web-based attacks increase and become the top threat in cloud environments. To detect unknown web-based attacks, many studies resort to anomaly detection through analyzing web logs. This paper presents an anomaly detection approach, which includes a transforming model and a classifier model. The transforming model converts every entry into a vector, and every value in vector is obtained by training extracted features in statistical techniques and Naive Bayes, which can analyze URI or URL without query in web logs and establish a unified normal standard for different websites. A big real-life dataset of about 50.1GB web logs has been used to verify the effectiveness of our approach, and the experimental results show that our approach can achieve detection rate over 98% and false alarm rate less than 1.5%.

Zhou Yanjun,Ren Huorong,Zhao Dan,Li Zhiwu,Pedrycz Witold

DOI: https://doi.org/10.1007/s10489-022-04016-y

IF: 5.3

2023-01-01

Applied Intelligence

Abstract:Anomaly detection is a challenging problem in science and engineering that appeals to numerous scholars. It is of great relevance to detect anomalies and analyze their potential implications. In this study, a multi-level anomaly detection framework with information granules of higher type and higher order is developed based on the principle of justifiable granularity and Fuzzy C-Means (FCM) clustering algorithm, including two different types of approaches, namely abstract level approach (ALA) and detailed level approach (DLA). The ALA approach is implemented at a comparatively abstract level (viz., level-1), in which two distinct types of information granules of order-1 (viz., information granules of type-1 and type-2) are employed for anomaly detection. The DLA approach is formulated and derived from the ALA approach at a more detailed level (viz., level-2), which generates more detailed information granules, namely information granules of order-2, through successive splitting information granules and the FCM clustering algorithm to refine the problem at various levels. Furthermore, a similarity measurement algorithm is designed for anomaly detection utilizing information granules of higher type and higher order. Comprehensive performance indexes are produced to quantify the performance of the proposed framework compared with the methods of two single-level approaches and two multi-level approaches. Synthetic data and several real-world data coming from various areas are engaged to demonstrate and support the superiority of the proposed approaches over other classical methods in terms of detection accuracy and data anomaly resolution.

Lu Xu,Zhongzhi Luan,Carol Fung,Da Ye,Depei Qian

DOI: https://doi.org/10.1109/globecom38437.2019.9014287

2019-01-01

Abstract:For a large and complex system that provides services to users, an exception can cause cascading failures if it is not detected and handled in time. System monitoring and anomaly detection can be used to identify system malfunctioning. However, as the size and the complexity of the online service system increases, anomaly detection becomes a challenging problem. This is because the size, complexity and correlation among the data bring great difficulties to anomaly detection process. To address the above challenges, we propose three context-aware sequential Long Short-Term Memory (LSTM) learning models for multi-dimensional anomaly detection, namely, LastLSTM model, AvgLSTM model and CirclLSTM model. In particular, the CirclLSTM model is a period-related LSTM model that can integrate cyclical system historical information into anomaly learning. We evaluated our methods based on three real-world datasets. Our experimental results show that our method can achieve a higher accuracy than other baseline methods such as the Gaussian Naive Bayes (GaussianNB) model, k-nearest neighbors (KNN) algorithm and Logistic Regression (LR) model.