Shili Yan,Bing Tang,Qing Yang,Yijia He,Xiaoyuan Zhang

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom57177.2022.00082

2022-01-01

Abstract:To ensure the stability and reliability of service quality, large Internet companies need to closely monitor various KPIs (Key Performance Indicators, such as network throughput, CPU usages) and trigger timely troubleshooting or mitigation when any anomaly occurs. However, the diversity and complexity of anomalies bring great challenges to this work, especially when there is no manual label and low delay is required. In this paper, we propose HS-VAE (Highly Sensitive Variational Auto-Encoders), an unsupervised, robust algorithm based on CVAE (Conditional Variational Auto-Encoders) with high sensitivity to anomalies for KPIs, which contains mainly 3 parts: a simple but important data filter before training, improved conditional VAE with two dropout layers and adjusted anomaly detection method based on reconstruction probability. Our experiments using real-world data show that, HS-VAE's best F1-score ranges from 0.91 to 0.98. In addition, HS- VAE is excellent in sensitivity to anomaly and works well even with low latency requirements.

Jingtao Li,Yanfei Zhong,Hengwei Zhao,Zhi Gao,Xinyu Wang

DOI: https://doi.org/10.1109/tgrs.2024.3439491

IF: 8.2

2024-01-01

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Earth anomalies can locate valuable targets in an unsupervised manner for many defense and surveillance applications. Most models assign a continuous score at the pixel-level, resulting in object-agnostic results with higher false alarms than the instance level results. However, since the anomaly objects contain a variety of categories and have a large intraclass variance, the current state-of-the-art (SOTA) query-based models designed for certain categories perform unsatisfactorily when applied to the anomaly instances. The larger intraclass variance of anomalies makes the learning of general representation more difficult. To bridge this gap, we propose general adaptations guided by the pixel-level anomaly map for any query-based model, which adapts the model from learning certain category representation to learning anomaly-aware representation in different categories. The proposed adaptation first builds a separate branch to output the pixel-level anomaly map, where anomaly information is then extracted to guide the pixel embeddings and queries to focus on a variety of anomaly categories. Especially, the anomaly rank embeddings are devised to make the pixel embeddings aware of the anomaly rank order. The queries are dynamically selected from the anomaly candidates after aligning the anomaly map and pixel embeddings for better locating different anomalies. Finally, the selected queries dot-product the anomaly-aware pixel embeddings to output the anomaly instances. The proposed adaptations are simple, general, and additive, which bring the average improvements of +4.9 box AP and +5.1 mask AP in infrared, synthetic aperture radar (SAR), and hyperspectral modalities.

Bin Lin,Zheng Shi,Ye Chen

DOI: https://doi.org/10.1117/12.964384

2012-01-01

Abstract:Hotspot classification is an important step of hotspot management. Under possible center-shifting condition, conventional hotspot classification by calculating pattern similarity through overlaying two hotspot patterns directly is not effective. This paper proposes a hotspot classification method based on higher-order local autocorrelation (HLAC). Firstly, we extract the features of the hotspot patterns using HLAC method. Secondly, the principal component analysis (PCA) is performed on the features for dimension reduction. Thirdly, the simplified low dimensional vector features of the hotspot patterns are used in the pre-clustering step. Finally, detailed clustering using pattern similarity calculated by discrete 2-d correlation is carried out. Because the HLAC based features are shifting-invariant, the center-shifting problem caused by the defect location inaccuracy can be overcome during the pre-clustering process. Experiment results show that the proposed method can classify hotspots under center-shifting condition effectively and speed up the classification process greatly.

Zeyan Li,Chengyang Luo,Yiwei Zhao,Yongqian Sun,Kaixin Sui,Xiping Wang,Dapeng Liu,Xing Jin,Qi Wang,Dan Pei

DOI: https://doi.org/10.1109/issre.2019.00015

2019-01-01

Abstract:Operators of online software services periodically collect various measures with many attributes. When a measure becomes abnormal, indicating service problems such as reliability degrade, operators would like to rapidly and accurately localize the root cause attribute combinations within a huge multi-dimensional search space. Unfortunately, previous approaches are not generic or robust in that they all suffer from impractical root cause assumptions, handling only directly collected measures but not derived ones, handling only anomalies with signicant magnitudes but not those insignicant but important ones, requiring manual parameter ne-tuning, or being too slow. This paper proposes a generic and robust multi-dimensional root cause localization approach, Squeeze, that overcomes all above limitations, the first in the literature. Through our novel bottom-up then top-down searching strategy and the techniques based on our proposed generalized ripple effect and generalized potential score, Squeeze is able to reach a good trade off between search speed and accuracy in a generic and robust manner. Case studies in several banks and an Internet company show that Squeeze can localize root causes much more rapidly and accurately than the traditional manual analysis. Furthermore, our extensive experiments on semi-synthetic datasets show that the F1-score of Squeeze outperforms previous approaches by 0.4 on average, while its localization time is only about 10 seconds.

Yongqian Sun,Daguo Cheng,Pengxiang Jin,Quan Ding,Shenglin Zhang,Xu Chen,Yuzhi Zhang,Minghan Liang,Dan Pei,Jianyan Zheng,Sen Luo,Xinyu Tang

DOI: https://doi.org/10.1109/tsc.2022.3155500

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:Anomaly clue localization of multi-dimensional derived measure is vitally important for the reliability of online video services. In this paper, we propose RobustSpot, an end-to-end framework for localizing the clues to anomalous multi-dimensional derived measures. RobustSpot integrates two novel indicators, i.e., “Anomaly Degree” and “Contribution Ability”, with a simple yet effective method, weighted association rule mining (WARM), to automatically mine the hidden relationships across data dimensions for localizing the most likely clues to the root cause. Using 135 real-world cases collected from a top-tier global online video service provider $H$ with 170+ million monthly active users, we demonstrate that RobustSpot achieves high accuracy (Top-5 accuracy of 98%), significantly outperforming state-of-the-art methods. The average localization time of RobustSpot is 1.83s, which is satisfying in our scenario. We have open-sourced the implementation of RobustSpot as well as the data used in the evaluation experiments.

Jinyang Liu,Wenwei Gu,Zhuangbin Chen,Yichen Li,Yuxin Su,Michael R. Lyu

2024-01-10

Abstract:Key Performance Indicators (KPIs) are essential time-series metrics for ensuring the reliability and stability of many software systems. They faithfully record runtime states to facilitate the understanding of anomalous system behaviors and provide informative clues for engineers to pinpoint the root causes. The unprecedented scale and complexity of modern software systems, however, make the volume of KPIs explode. Consequently, many traditional methods of KPI anomaly detection become impractical, which serves as a catalyst for the fast development of machine learning-based solutions in both academia and industry. However, there is currently a lack of rigorous comparison among these KPI anomaly detection methods, and re-implementation demands a non-trivial effort. Moreover, we observe that different works adopt independent evaluation processes with different metrics. Some of them may not fully reveal the capability of a model and some are creating an illusion of progress. To better understand the characteristics of different KPI anomaly detectors and address the evaluation issue, in this paper, we provide a comprehensive review and evaluation of twelve state-of-the-art methods, and propose a novel metric called salience. Particularly, the selected methods include five traditional machine learning-based methods and seven deep learning-based methods. These methods are evaluated with five multivariate KPI datasets that are publicly available. A unified toolkit with easy-to-use interfaces is also released. We report the benchmark results in terms of accuracy, salience, efficiency, and delay, which are of practical importance for industrial deployment. We believe our work can contribute as a basis for future academic research and industrial application.

Software Engineering,Artificial Intelligence,Machine Learning

Haiqi Zhu,Seungmin Rho,Shaohui Liu,Feng Jiang

DOI: https://doi.org/10.1109/tim.2023.3284920

IF: 5.6

2023-01-01

IEEE Transactions on Instrumentation and Measurement

Abstract:Anomaly detection on multivariate key performance indicators (KPIs) is a key procedure for the quality and reliability of large-scale cyber-physical systems (CPSs). Although extensive efforts have been paid in learning normal data distributions, the spatial dependence of different dimensional KPIs is barely explored to reasonably represent the complexity and time-varying nature of systems. In this article, we propose to model the spatial dependence of multivariate KPI by combining a more reasonable graph learning method with a graph attention mechanism to obtain the complex spatial dependence in an unsupervised manner. First, we transform the multivariate KPI into graph structures with a specially designed KPI graph learning module. Second, the graph attention mechanism extracts the spatial dependence in the KPI graphs. Finally, our method jointly trains forecasting-based model and reconstruction-based model to detect anomalies. Through a large number of related experiments on four real-world datasets, we demonstrate the feasibility of our method and the F1-score improves by 9% over the baseline model. Further analysis shows that the graph learning method in this article can more reasonably describe the dependence between multivariate KPI, and the graph attention mechanism can more accurately capture the correlation between them, which is helpful for fault diagnosis.

Chang Liu,Yanwei Liu,Zhen Xu,Liang Dai

DOI: https://doi.org/10.1109/dsn53405.2022.00041

2022-01-01

Abstract:As essential work in IT operations, anomaly localization, aiming to identify the affected scope of Internet infrastructure once an anomaly alarm occurs, is challenging due to the huge search space. The existing solutions usually show limited performances in the CDN scenario since they take the desirable assumptions that do not match with the practical anomaly pattern features. To address this issue, in this paper, we propose RAPMiner, which first uses a classification power-based redundant attribute deletion to prune the non-root cause attribute combinations, and then adopts an anomaly confidence-guided layer-by-layer top-down search to avoid searching for anomaly but non-root patterns. Both of them are effective in narrowing the search space. Experimental results show that RAPMiner can achieve comparable performance with the SOTA approach on the published Squeeze dataset according to F1-score and efficiency, as well as the best RC@k with stable parameter sensitivity on the RAPMD.

Qi Wang,Yongqian Sun,Dapeng Liu,Junjie Chen,Chengyang Luo,Zeyan Li,Xiping Wang,Yiwei Zhao,Yihao Chen,Xing Jin,Kaixin Sui,Dan Pei

DOI: https://doi.org/10.48550/arXiv.2305.03331

IF: 3.5

2023-05-01

Journal of Systems and Software

Abstract:Localizing root causes for multi-dimensional data is critical to ensure online service systems' reliability. When a fault occurs, only the measure values within specific attribute combinations are abnormal. Such attribute combinations are substantial clues to the underlying root causes and thus are called root causes of multidimensional data. This paper proposes a generic and robust root cause localization approach for multi-dimensional data, PSqueeze. We propose a generic property of root cause for multi-dimensional data, generalized ripple effect (GRE). Based on it, we propose a novel probabilistic cluster method and a robust heuristic search method. Moreover, we identify the importance of determining external root causes and propose an effective method for the first time in literature. Our experiments on two real-world datasets with 5400 faults show that the F1-score of PSqueeze outperforms baselines by 32.89%, while the localization time is around 10 seconds across all cases. The F1-score in determining external root causes of PSqueeze achieves 0.90. Furthermore, case studies in several production systems demonstrate that PSqueeze is helpful to fault diagnosis in the real world.

Engineering,Computer Science

Yongqian Sun,Daguo Cheng,Tiankai Yang,Yuhe Ji,Shenglin Zhang,Man Zhu,Xiao Xiong,Qiliang Fan,Minghan Liang,Dan Pei,Tianchi Ma,Yu Chen

DOI: https://doi.org/10.1109/TC.2023.3272288

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:To ensure the performance of large-scale datacenters, operators need to monitor up to tens of millions of various-type KPIs, e.g., CPU utilization, memory utilization. For each KPI, it is crucial but challenging to detect outliers that deviate from its historical patterns or the patterns of other KPIs in the same period. In this work, we propose OutSpot, an unsupervised outlier detection framework that integrates hierarchical agglomerative clustering (HAC) with conditional variational autoencoder (CVAE), which significantly improves computational efficiency and comprehensively learns the above two patterns. Additionally, two simple yet effective techniques, soft threshold and median filter, are applied to precisely determine outlier KPIs. Using two real-world datasets collected from the datacenters owned by a top-tier global short video service provider and a top-tier domestic operator,respectively. It demonstrates that OutSpot achieves the best F1 score of 0.95 and 0.91, AUC of 0.99 and 0.99 on the two datasets, significantly outperforming seven baseline outlier detection methods.

Marcus Kalander

DOI: https://doi.org/10.48550/arXiv.2205.10004

IF: 5.414

2022-05-20

Machine Learning

Abstract:Failures and anomalies in large-scale software systems are unavoidable incidents. When an issue is detected, operators need to quickly and correctly identify its location to facilitate a swift repair. In this work, we consider the problem of identifying the root cause set that best explains an anomaly in multi-dimensional time series with categorical attributes. The huge search space is the main challenge, even for a small number of attributes and small value sets, the number of theoretical combinations is too large to brute force. Previous approaches have thus focused on reducing the search space, but they all suffer from various issues, requiring extensive manual parameter tuning, being too slow and thus impractical, or being incapable of finding more complex root causes. We propose RiskLoc to solve the problem of multidimensional root cause localization. RiskLoc applies a 2-way partitioning scheme and assigns element weights that linearly increase with the distance from the partitioning point. A risk score is assigned to each element that integrates two factors, 1) its weighted proportion within the abnormal partition, and 2) the relative change in the deviation score adjusted for the ripple effect property. Extensive experiments on multiple datasets verify the effectiveness and efficiency of RiskLoc, and for a comprehensive evaluation, we introduce three synthetically generated datasets that complement existing datasets. We demonstrate that RiskLoc consistently outperforms state-of-the-art baselines, especially in more challenging root cause scenarios, with gains in F1-score up to 57% over the second-best approach with comparable running times.

Guoping Rong,Hao Wang,Shenghui Gu,Yangchen Xu,Jialin Sun,Dong Shao,He Zhang

DOI: https://doi.org/10.1109/tdsc.2022.3181143

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Continuity and steadiness are vital for services with massive users, which requires the anomalies of services should be detected and resolved in a timely manner. Our previous work proposed a tool, namely ImpAPTr (Impact Analysis based on Pruning Tree), to identify the combination of multiple dimensional attributes as the clues leading to the root cause of service anomalies. However, ImpAPTr applies a threshold driven strategy, i.e. it needs to be triggered by a ≥ drop of the success rate of the service calls (abbr. SRSC), which may face problems in an atypical yet pervasive situation in field application. For example, the combination of trivial anomalies (i.e. each causes a drop less than 0.05% to SRSC) can lead to a far more than 0.05% drop on SRSC. Besides, a suitable threshold is usually hard to be determined, etc. To address these problems, we propose a new method, namely ImpAPTr+ in this paper to free the constraint of the 0.05% threshold. The basic idea is to involve time dimension and identify clues across multiple time intervals of data. We performed evaluation on three typical methods (i.e. ImpAPTr+, R-Adtributor and Squeeze) with both production environment dataset and simulation dataset. The former dataset is directly retrieved from the service monitoring data in Meituan, one of the largest on-line service providers worldwide. The latter dataset is fabricated also using the monitoring data from the same company. The results indicate: (1) ImpAPTr+ outperforms previous approaches to a large degree in terms of accuracy. (2) Both ImpAPTr+ and R-Adtributor are able to find proper clues within seconds. (3) ImpAPTr+ tends to find proper clues with shorter time intervals (i.e. less data), which implies that the method is more suitable for near real-time monitoring scenarios.

computer science, information systems, software engineering, hardware & architecture

Jiahao Bu,Ying Liu,Shenglin Zhang,Weibin Meng,Qitong Liu,Xiaotian Zhu,Dan Pei

DOI: https://doi.org/10.1109/pccc.2018.8711315

2018-01-01

Abstract:Internet-based services monitor and detect anomalies on KPIs (Key Performance Indicators, say CPU utilization, number of queries per second, response latency) of their applications and systems in order to keep their services reliable. This paper identifies a common, important, yet little-studied problem of KPI anomaly detection: rapid deployment of anomaly detection models for large number of emerging KPI streams, without manual algorithm selection, parameter tuning, or new anomaly labeling for any newly emerging KPI streams. We propose the first framework ADS (Anomaly Detection through Self-training) that tackles the above problem, via clustering and semi-supervised learning. Our extensive experiments using real-world data show that, with the labels of only the 5 cluster centroids of 70 historical KPI streams, ADS achieves an averaged best F-score of 0.92 on 81 new KPI streams, almost the same as a state-of-art supervised approach, and greatly outperforming a state-of-art unsupervised approach by 61.40% on average.

Jingjie Zhu,Karthik Sundaresan,Jason Rupe

DOI: https://doi.org/10.48550/arXiv.2007.08752

2020-07-17

Abstract:Proactive network maintenance (PNM) is the concept of using data from a network to identify and locate network faults, many or all of which could worsen to become service failures. The separation between the network fault and the service failure affords early detection of problems in the network to allow PNM to take place. Consequently, PNM is a form of prognostics and health management (PHM). The problem of localizing and classifying anomalies on 1-dimensional data series has been under research for years. We introduce a new algorithm that leverages Deep Convolutional Neural Networks to efficiently and accurately detect anomalies and events on data series, and it reaches 97.82% mean average precision (mAP) in our evaluation.

Computer Vision and Pattern Recognition,Machine Learning,Signal Processing

Huichu Zhang,Yu Zheng,Yong Yu

DOI: https://doi.org/10.1145/3191786

2018-01-01

Proceedings of the ACM on Interactive Mobile Wearable and Ubiquitous Technologies

Abstract:Urban anomalies, such as abnormal movements of crowds and accidents, may result in loss of life or property if not handled properly. It would be of great value for governments if anomalies can be automatically alerted in their early stage. However, detecting anomalies in urban area has two main challenges. First, the criteria to determine an anomaly on different occasions (e.g. rainy days vs. sunny days, or holidays vs. workdays) and in different places (e.g. tourist attractions vs. office areas) are distinctly different, as these occasions and places have their own definitions on normal patterns. Second, urban anomalies often exhibit complex forms (e.g. road closure may cause decrease in taxi flow and increase in bike flow). We need an algorithm that not only models the anomaly degree of individual data source but also the combination of changes in multiple data sources. In this paper, we propose a two-step method to tackle those challenges. In the first step, we use a similarity-based algorithm to estimate an anomaly score for each individual data source in each region and time slot based on the values of historically similar regions. Those scores are fed into the second step, where we propose an algorithm based on one-class Support Vector Machine to capture rare patterns occurred in multiple data sources, nearby regions or time slots, and give a final, integrated anomaly score for each region. Evaluations based on both synthetic and real world datasets show the advantages of our method beyond baseline techniques such as distance-based, probability-based methods.

Shifu Yan,Caihua Shan,Wenyi Yang,Bixiong Xu,Dongsheng Li,Lili Qiu,Jie Tong,Qi Zhang

DOI: https://doi.org/10.1145/3534678.3539109

2022-03-30

Abstract:In large-scale online services, crucial metrics, a.k.a., key performance indicators (KPIs), are monitored periodically to check their running statuses. Generally, KPIs are aggregated along multiple dimensions and derived by complex calculations among fundamental metrics from the raw data. Once abnormal KPI values are observed, root cause analysis (RCA) can be applied to identify the reasons for anomalies, so that we can troubleshoot quickly. Recently, several automatic RCA techniques were proposed to localize the related dimensions (or a combination of dimensions) to explain the anomalies. However, their analyses are limited to the data on the abnormal metric and ignore the data of other metrics which may be also related to the anomalies, leading to imprecise or even incorrect root causes. To this end, we propose a cross-metric multi-dimensional root cause analysis method, named CMMD, which consists of two key components: 1) relationship modeling, which utilizes graph neural network (GNN) to model the unknown complex calculation among metrics and aggregation function among dimensions from historical data; 2) root cause localization, which adopts the genetic algorithm to efficiently and effectively dive into the raw data and localize the abnormal dimension(s) once the KPI anomalies are detected. Experiments on synthetic datasets, public datasets and online production environment demonstrate the superiority of our proposed CMMD method compared with baselines. Currently, CMMD is running as an online service in Microsoft Azure.

Artificial Intelligence

Yanjun Shu,Tianrun Gao,Zhan Zhang,Jianhang Zhang

DOI: https://doi.org/10.1109/scc55611.2022.00027

2022-01-01

Abstract:To determine whether a Web service executes accurately, IT operation engineers must manually monitor multiple KPIs (Key Performance Indications). KPI anomaly detection is crucial to make sure undisrupted business. However, it is a burdensome task for IT operations engineers that analyze multivariate KPIs and detect the KPI exceptions. As a multiple time series, the KPIs of a service has two kinds of dependencies: temporal dependence and intermetric dependence. Existing forecasting-based models usually focus on temporal dependence and ignore intermetric dependencies between different KPI dimensions, which leads to low accuracy in the multivariate KPIs anomaly detection. Therefore, we propose a model, named GGIAnomaly, to consider both temporal dependence and intermetric dependence in KPI anomaly detection. GGIAmomaly is composed of four parts: KPIs pre-process, intermetric dependence processing, temporal dependence processing and anomaly detection. Specially, GAT (Graph Attention Network) is used in GGIAnomaly for capturing the relationship between different KPI sequences. To better model various patterns of temporal dependence, GGIAnomaly integrates a recent attention model, named Informer, with GRU (Gated Recurrent Unit Network). The experiments on open-source datasets show that GGIAnomaly has better performance on both univariate and multivariate KPI anomaly detection compared to the existing methods.

Yunfeng Zhao,Wenchi Zhang,Zhiliang Wang,Shize Zhang,Kaixin Sui,Enhuan Dong,Jiahai Yang

DOI: https://doi.org/10.1109/NOMS56928.2023.10154325

2023-01-01

Abstract:The failure of the online service system will seriously affect the user experience and bring huge economic losses. Therefore, the operators usually monitor service-level metrics and machine-level metrics to help quickly find failures, locate root-cause metrics, and reduce MTTR(mean time to repair). Many methods have emerged in recent years to automatically locate root-cause metrics. However, the existing methods cannot meet the requirements of efficiency, accuracy, and ease of deployment at the same time, and are difficult to use in practice. To overcome their limitations, we propose MetricMiner- a multi-stage location method for root-cause metrics in online service systems. Our approach is based on a key observation from numerous real-world cases: root-cause metrics tend to be unique in both the time dimension and the machine dimension. Therefore, we divide the root-cause metrics localization into three stages: first, quickly filter out normal metrics with limited historical data; second, obtain sufficient historical data to eliminate abnormal metrics; finally, according to the clustering of abnormal metrics between machines to sort and locate root-cause metrics. Experimental results on two real-world datasets with 194 cases show that our method can significantly outperform the state-of-the-art methods. Moreover, MetricMiner has been deployed to multiple banking services for more than six months, and we also shared some lessons learned from real deployment.

R. Maciejewski,S. Rudolph,R. Hafen,A. Abusalah,M. Yakout,M. Ouzzani,W.S. Cleveland,S.J. Grannis,D.S. Ebert

DOI: https://doi.org/10.1109/tvcg.2009.100

IF: 5.2

2010-03-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:As data sources become larger and more complex, the ability to effectively explore and analyze patterns among varying sources becomes a critical bottleneck in analytic reasoning. Incoming data contain multiple variables, high signal-to-noise ratio, and a degree of uncertainty, all of which hinder exploration, hypothesis generation/exploration, and decision making. To facilitate the exploration of such data, advanced tool sets are needed that allow the user to interact with their data in a visual environment that provides direct analytic capability for finding data aberrations or hotspots. In this paper, we present a suite of tools designed to facilitate the exploration of spatiotemporal data sets. Our system allows users to search for hotspots in both space and time, combining linked views and interactive filtering to provide users with contextual information about their data and allow the user to develop and explore their hypotheses. Statistical data models and alert detection algorithms are provided to help draw user attention to critical areas. Demographic filtering can then be further applied as hypotheses generated become fine tuned. This paper demonstrates the use of such tools on multiple geospatiotemporal data sets.

computer science, software engineering

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.