Nengwen Zhao,Junjie Chen,Xiao Peng,Honglin Wang,Xinya Wu,Yuanzong Zhang,Zikai Chen,Xiangzhong Zheng,Xiaohui Nie,Gang Wang,Yong Wu,Fang Zhou,Wenchi Zhang,Kaixin Sui,Dan Pei

DOI: https://doi.org/10.1145/3377812.3390809

2020-01-01

Abstract:Alert is a kind of key data source in monitoring system for online service systems, which is used to record the anomalies in service components and report to engineers. In general, the occurrence of a service failure tends to be along with a large number of alerts, which is called alert storm. However, alert storm brings great challenges to diagnose the failure, since it is time-consuming and tedious for engineers to investigate such an overwhelming number of alerts manually. To help understand alert storm, we conduct the first empirical study of alert storm based on large-scale real-world alert data and gain some valuable insights. Based on the findings, we propose a novel approach to handling alert storm. Specifically, this approach includes alert storm detection which aims to identify alert storm accurately, and alert storm summary which aims to recommend a small set of representative alerts to engineers for failure diagnosis. Our experimental study on real-world dataset demonstrates that our alert storm detection can achieve high F1-score (larger than 0.9). Besides, our alert storm summary can reduce the number of alerts that need to be examined by more than 98% and discover useful alerts accurately.

Ting Huang,Xiuli Ma,Xiaokang Ji,Shiwei Tang

DOI: https://doi.org/10.1109/FSKD.2013.6816293

2013-01-01

Abstract:In many large-scale real-time monitoring applications, such as water quality monitoring of large water distribution networks, massive streams flow out of multiple concurrent sensors continuously. Online detection of abnormal event, especially of those spreading in the area, is vital to such networks, as the event will influence a large number of nodes once breaking out. In this paper, we first define such event as abnormal cascading pattern, and propose an efficient, online approach to detection. Instead of analyzing the streams independently, we focus on the correlation among streams and its variation. We first summarize the evolving correlation between each pair of streams into a profile, distinguish the abnormal variation based on the profile, and then catch the cascading pattern through associating the abnormal pairs. Experiments indicate high detection sensitivity, low false alarm rate and background noise tolerance of our approach.

Jindong Zhao,Shouke Wei,Xuebin Wen,Xiuqin Qiu

DOI: https://doi.org/10.3233/ais-200571

2020-01-01

Journal of Ambient Intelligence and Smart Environments

Abstract:Large scale real-time water quality monitoring system usually produces vast amounts of high frequency data, and it is difficult for traditional water quality monitoring system to process such large and high frequency data generated by wireless sensor network. A real-time processing and early warning system framework is proposed to solve this problem, Apache Storm is used as the big data processing platform, and Kafka message queue is applied to classify the sample data into several data streams so as to reserve the time series data property of a sensor. In storm platform, Daubechies Wavelet is used to decompose the data series to obtain the trend of the series, then Long Short Term Memory Network (LSTM) model is used to model and predict the trend of the data. This paper provides a detailed description concerning the distribution mechanism of aggregated data in Storm, data storage format in HBase, the process of wavelet decomposition, model training and the application of mode for prediction. The application results in Xin’an River in Yantai City reveal that the prosed system framework has a very good ability to model big data with high prediction accuracy and robust processing capability.

Shaowei Liu

DOI: https://doi.org/10.1088/1742-6596/2814/1/012055

2024-08-06

Journal of Physics Conference Series

Abstract:To realize the monitoring and diagnosis of multi-source data in the power industry and meet the real-time processing requirements of the power system, the storm-distributed real-time computing platform is introduced to process the data. On this platform, the streaming data processing model based on a sliding window is deployed to realize the anomaly diagnosis of data flow. By calculating the predicted value of a point and the confidence interval of the predicted value of the point, we can judge whether the actual point is an abnormal value. By testing the data processing capacity of a cluster and a single machine, the experiment shows that in the cluster environment, reasonably setting the component parallelism can improve the throughput of flow computing.

ZHENG Jun,HU Ming-zeng,YUN Xiao-chun,ZHENG Zhong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.001

2006-01-01

Abstract:The anomaly detection algorithms of the large scale network(LSN) were required to analysis the vast network traffic of G bit level in real-time and on-the-fly.A novel monitoring mechanism of LSN anomaly detection based on the data stream approach was proposed.The main contributions included: the sketch data structure and the frequent sketch algorithm of data streams were designed for anomaly detection of LSN.Optimized query methods were designed for customizing the security monitoring and detection policy with the correlations of multi data streams.The data reduction was proposed to make it possible that the whole network traffic character could be got using a few of special data streams.The experiments of the real networking environments validate the effectivity of LSN anomaly detection methods.

Wenjie Yang,Xingang Liu,Lan Zhang,Laurence T. Yang

DOI: https://doi.org/10.1109/trustcom.2013.247

2013-01-01

Abstract:As the growth of Internet, Cloud Computing, Mobile Network and Internet of Things is increasing rapidly, Big Data is becoming a hot-spot in recent years. Big Data Processing is involved in our daily life such as mobile devices, RFID and wireless sensors, which aims at dealing with billions of users' interactive data. At the same time, real-time processing is eagerly needed in integrated system. In this paper, several technologies associated with real-time big data processing are introduced, among which the core technology called Storm is emphasized. An entire system is built based on Storm, associated with RabbitMQ, NoSQL and JSP. To ensure the practical applicability and high efficiency, a simulation system is established and shows acceptable performance in various expressions using data sheet and Ganglia. It is proved that the big data real-time processing based on Storm can be widely used in various computing environment.

XIAO San,YANG Yahui,SHEN Qingni

DOI: https://doi.org/10.3778/j.issn.1002-8331.1208-0286

2013-01-01

Abstract:Since online abnormal detection for backbone network with large flow currently is a research hotspot in network security field,an online network abnormal detection method is proposed to handle big data stream properly.The method processes big data stream into micro-clusters with density-based cluster method,and then micro-clusters absorb data stream directly to enhance the performance.The method regularly executes outlier detection process to find intrusion.The method does not require offline training process and can find any arbitrary clusters.It also supports big data stream and can balance between detection precision and resources with great performance.In the experiment,the prototype system finishes analysis task in 20 s over MIT Lincoln Laboratory LLS_DDOS_1.0 data,with 82% TPR and 6% FPR,which is equivalent to K-means.

Wenjun Qian,Qingni Shen,Yizhe Yang,Yahui Yang,Zhonghai Wu

DOI: https://doi.org/10.1007/978-3-319-89500-0_56

2018-01-01

Abstract:Storm has been a popular distributed real-time computation system for stream data processing, which currently provides an acker mechanism to enable all topologies to be processed reliably. In this paper, via the source code analysis, we point out that the acker failure and message retransmission result in the consumption of network resources. Even worse, adversary conducts a malicious topology to consume over unconstrained network resources, which seriously affects the average processing time of topology for normal users. Aiming at defending the vulnerability, we design an offline static detection against acker failure in Storm, mainly including the code decompile, the function call relationship and the judgement rules in offline module. Meanwhile, we validate the protection scheme in Storm 0.10.0 cluster, and experimental results show that our mentioned judgement rules can achieve well precision.

Shiyong Dai,Yufei Zhao,Jinhua Huang,Xuxian Wang,Guifei Zhao,Lei Zhang,Ming Xie,Ziyue Guo

DOI: https://doi.org/10.1109/access.2023.3306243

IF: 3.9

2023-01-01

IEEE Access

Abstract:Network traffic anomaly detection methods can detect traffic that is significantly different from normal traffic by analyzing network traffic, and are seen as an effective means to detect unknown new attacks because they do not rely on static feature codes. However, most of the current network traffic anomaly detection methods have low accuracy and high false alarm rate. In this paper, an OS-ELM (Online Sequential Extreme Learning Machine) network traffic anomaly detection method is proposed. First, we use SMOTE to balance the data samples to improve the classification detection performance. In order to reduce the high dimensionality between data features and eliminate the redundancy, the Stacked Denoising Autoencoder (SDAE) network is adopt to reduce the dimension of the feature vectors. Finally, we test the real network traffic and analyze the effect of model structure and external noise on the detection performance, and the experimental results verify the correctness of our scheme. Compared with other detection methods based on data reconstruction, the proposed method has higher detection accuracy and better detection performance.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wei Xu,Ling Huang,Armando Fox,David Patterson,Michael Jordan

DOI: https://doi.org/10.1109/icdm.2009.19

2009-01-01

Abstract:We describe a novel application of using data mining and statistical learning methods to automatically monitor and detect abnormal execution traces from console logs in an online setting. Different from existing solutions, we use a two stage detection system. The first stage uses frequent pattern mining and distribution estimation techniques to capture the dominant patterns (both frequent sequences and time duration). The second stage use principal component analysis based anomaly detection technique to identify actual problems. Using real system data from a 203-node Hadoop [1] cluster, we show that we can not only achieve highly accurate and fast problem detection, but also help operators better understand execution patterns in their system.

Jin Fan,Yan Ge,Xinyi Zhang,ZheYu Wang,Huifeng Wu,Jia Wu

DOI: https://doi.org/10.1016/j.neunet.2024.106638

2024-08-21

Abstract:Identifying anomalies in multi-dimensional sequential data is crucial for ensuring optimal performance across various domains and in large-scale systems. Traditional contrastive methods utilize feature similarity between different features extracted from multidimensional raw inputs as an indicator of anomaly severity. However, the complex objective functions and meticulously designed modules of these methods often lead to efficiency issues and a lack of interpretability. Our study introduces a structural framework called SimDetector, which is a Local-Global Multi-Scale Similarity Contrast network. Specifically, the restructured and enhanced GRU module extracts more generalized local features, including long-term cyclical trends. The multi-scale sparse attention module efficiently extracts multi-scale global features with pattern information. Additionally, we modified the KL divergence to suit the characteristics of time series anomaly detection, proposing a symmetric absolute KL divergence that focuses more on overall distribution differences. The proposed method achieves results that surpass or approach the State-of-the-Art (SOTA) on multiple real-world datasets and synthetic datasets, while also significantly reducing Multiply-Accumulate Operations (MACs) and memory usage.

Yitong Liu,Caiyun Liu,Jun Li,Yan Sun

DOI: https://doi.org/10.1007/978-981-97-2757-5_49

2024-01-01

Abstract:In today's information age, with the rapid development of network technology and a large number of applications of sensors in daily life. The number of various types of data has shown a great growth. These data not only bring us convenience and benefits, but also pose a great challenge to us, that is, how to explore the information of the data and effectively analyze the specific significance contained in the data has become a hot research direction. In the large amount of data obtained, most of the data are in the normal state and only represent the basic "value" information. Compared with the data in the normal state, the information carried by a small part of the data is more worthy of attention. The emergence of these data is the so-called "exception". The occurrence of exceptions indicates that the system that should be running normally has changed, and these changes often have a negative impact on the system. Looking at these applications, it is not difficult to find that the actual frequency of these anomalies accounts for a very small proportion compared with a large number of normal time, but its value is very huge. Therefore, real-time online anomaly detection of convective data has very important value and significance for scientific research and industrial application. In the process of this research, I have a more comprehensive and detailed understanding of the research field of "anomaly detection of stream data" through theoretical learning, apply the deep learning model to anomaly detection of stream data, and test the performance of the model through experiments. By comparing the performance of traditional anomaly detection algorithms, unsupervised and semi supervised machine learning models and neural networks such as LSTM/HTM in stream data anomaly detection, we try to find an algorithm that can detect stream data information in real time and provide anomaly alarm in time.

Yu Kang,Xinting Wang,Xiu Cao,Yangfan Zhou,Zhichao Lai,Yuhao Li,Xuqi Zhang,Wei Geng

DOI: https://doi.org/10.1145/3230876.3230893

2018-01-01

Abstract:Anomalous user detection is an important concern in smart grid. Conduct the anomaly detection in real time with streaming data processing technology is a hot research field for smart grid maintenance. We first study the characteristics of power measurement data. Based on our findings, we adopt Clustream, an outlier detection model, for finding anomalous users. Combined with grid based DBSCAN algorithm, we achieve a two-phase flow processing architecture including offline and online phases for the goal of detecting anomalous user. The implementation details of our system are introduced. The experimental results show that our system can achieve better detection results.

Xiaochen Xian,Chen Zhang,Scott Bonk,Kaibo Liu

DOI: https://doi.org/10.1080/00224065.2019.1681924

IF: 2.182

2021-01-01

Journal of Quality Technology

Abstract:In many applications of modern quality control, process monitoring involves a large number of process variables and quality characteristics. Practitioners are desired to attain complete information about the process in order to assure quick detection of shifts that may possibly occur at any variable. However, full information is not always available during online monitoring of big data streams due to limitations of monitoring resources in practice. In this paper, a rank-based monitoring and sampling algorithm based on data augmentation is proposed to quickly detect the mean shifts in a process when only a limited portion of observations are available online. Specifically, at each observation time, the proposed method will automatically augment information for unobservable variables based on the online observations, and then intelligently allocate the monitoring resources to the most suspicious data streams. Comparing to the existing literature, this method is able to accurately infer the status of all variables in a process based on a small number of observable variables and effectively construct a global monitoring statistic with the proposed augmented vector, which leads to a quick detection of the out-of-control status even if limited shifted variables are observed in real time. Simulation studies as well as a real case study on real-time solar flare detection are conducted to demonstrate the efficacy and applicability of the proposed method.

Shiqi Lai,Fan Yang,Tongwen Chen

DOI: https://doi.org/10.1016/j.jprocont.2017.01.003

IF: 3.951

2017-01-01

Journal of Process Control

Abstract:Alarm floods are serious hazards for industrial process monitoring. In this paper, we propose an online algorithm to provide early prediction of an incoming alarm flood by matching an online alarm sequence with a pattern database and conducting similarity calculation. It overcomes three main challenges in online time-stamped pattern matching: the partial information (future events are unknown in the online sequence), the high computational efficiency requirement, and the segmentation of the online alarm sequence. New elements introduced in this algorithm include chattering and sequence window filters, modified time distance and similarity measurements, a modified gap penalty, and an incremental dynamic programming strategy. Potentially, the proposed algorithm could serve as the state identification stage in applications of predictive alarming, online alarm attribute modification, and online alarm suppression. A dataset from a real chemical plant is used to test both efficiency and accuracy of the proposed algorithm.

ZHANG Qixun,HAN Jing,CHENG Li,ZHANG Baisheng,GONG Zican

DOI: https://doi.org/10.12142/ZTECOM.202203011

2022-01-01

Abstract:Microservices have become popular in enterprises because of their excellent scalability and timely update capabilities . However, while fine-grained modularity and service-orientation decrease the complexity of system development, the complexity of system operation and maintenance has been greatly increased, on the contrary. Multiple types of system failures occur frequently, and it is hard to detect and diag-nose failures in time. Furthermore, microservices are updated frequently. Existing anomaly detection models depend on offline training and cannot adapt to the frequent updates of microservices. This paper proposes an anomaly detection approach for microservice systems with multi-source data streams. This approach realizes online model construction and online anomaly detection, and is capable of self-updating and self-adapting. Experimental results show that this approach can correctly identify 78.85％of faults of different types.

Zhaoli Liu,Tao Qin,Xiaohong Guan,Hezhi Jiang,Chenxu Wang

DOI: https://doi.org/10.1109/ACCESS.2018.2843336

IF: 3.9

2018-01-01

IEEE Access

Abstract:Logs are generated by systems to record the detailed runtime information about system operations, and log analysis plays an important role in anomaly detection at the host or network level. Most existing detection methods require a priori knowledge, which cannot be used to detect the new or unknown anomalies. Moreover, the growing volume of logs poses new challenges to anomaly detection. In this paper, we propose an integrated method using K-prototype clustering and k-NN classification algorithms, which uses a novel clustering-filtering-refinement framework to perform anomaly detection from massive logs. First, we analyze the characteristics of system logs and extract 10 features based on the session information to characterize user behaviors effectively. Second, based on these extracted features, the K-prototype clustering algorithm is applied to partition the data set into different clusters. Then, the obvious normal events which usually present as highly coherent clusters are filtered out, and the others are regarded as anomaly candidates for further analysis. Finally, we design two new distance-based features to measure the local and global anomaly degrees for these anomaly candidates. Based on these two new features, we apply the k-NN classifier to generate accurate detection results. To verify the integrated method, we constructed a log collection and anomaly detection platform in the campus network center of Xi'an Jiaotong University. The experimental results based on the data sets collected from the platform show our method has high detection accuracy and low computational complexity.

Jinyang Liu,Tianyi Yang,Zhuangbin Chen,Yuxin Su,Cong Feng,Zengyin Yang,Michael R. Lyu

2023-08-19

Abstract:As modern software systems continue to grow in terms of complexity and volume, anomaly detection on multivariate monitoring metrics, which profile systems' health status, becomes more and more critical and challenging. In particular, the dependency between different metrics and their historical patterns plays a critical role in pursuing prompt and accurate anomaly detection. Existing approaches fall short of industrial needs for being unable to capture such information efficiently. To fill this significant gap, in this paper, we propose CMAnomaly, an anomaly detection framework on multivariate monitoring metrics based on collaborative machine. The proposed collaborative machine is a mechanism to capture the pairwise interactions along with feature and temporal dimensions with linear time complexity. Cost-effective models can then be employed to leverage both the dependency between monitoring metrics and their historical patterns for anomaly detection. The proposed framework is extensively evaluated with both public data and industrial data collected from a large-scale online service system of Huawei Cloud. The experimental results demonstrate that compared with state-of-the-art baseline models, CMAnomaly achieves an average F1 score of 0.9494, outperforming baselines by 6.77% to 10.68%, and runs 10X to 20X faster. Furthermore, we also share our experience of deploying CMAnomaly in Huawei Cloud.

Software Engineering,Machine Learning

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Shengchao Liu,Jianping Weng,Jessie Hui Wang,Changqing An,Yipeng Zhou,Jilong Wang

DOI: https://doi.org/10.1109/tnet.2019.2918341

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:As more and more applications need to analyze unbounded data streams in a real-time manner, data stream processing platforms, such as Storm, have drawn the attention of many researchers, especially the scheduling problem. However, there are still many challenges unnoticed or unsolved. In this paper, we propose and implement an adaptive online scheme to solve three important challenges of scheduling. First, how to make a scaling decision in a real-time manner to handle the fluctuant load without congestion? Second, how to minimize the number of affected workers during rescheduling while satisfying the resource demand of each instance? We also point out that the stateful instances should not be placed on the same worker with stateless instances. Third, currently, the application performance cannot be guaranteed because of resource contention even if the computation platform implements an optimal scheduling algorithm. In this paper, we realize resource isolation using Cgroup, and then the performance interference caused by resource contention is mitigated. We implement our scheduling scheme and plug it into Storm, and our experiments demonstrate in some respects our scheme achieves better performance than the state-of-the-art solutions.