Jian ZHANG,Yan TONG,Mingdi XU,Tao QIN

DOI: https://doi.org/10.7652/xjtuxb201704015

2017-01-01

Abstract:A new method for data collection and anomaly detection of hosts is proposed to focus on the problems that the methods based on signature matching cannot detect unknown anomaly and data collection agents occupy too many host resources.Intelligent mobile agents are employed to perform data collection so that the number of collection agents is greatly reduced.In order to achieve the goal of online anomaly detection,the principal component analysis method is employed to reduce the dimension of the data,and the clustering method is used to mine the abnormal events.The host anomaly detection method based on continuous time windows is adopted to eliminate the influence of random outliers.Experimental results show that the proposed method has lower computational complexity and higher detection accuracy,and for same number of records the time complexity is reduced by more than 50％ and the detection accuracy is above 95％,compared with conventional method.It is concluded that the method is suitable for real-time detection of host anomaly.

Feiyi Chen,Yingying zhang,Zhen Qin,Lunting Fan,Renhe Jiang,Yuxuan Liang,Qingsong Wen,Shuiguang Deng

DOI: https://doi.org/10.1109/icde60146.2024.00047

2024-01-01

Abstract:Anomaly detection significantly enhances the robustness of cloud systems.While neural network-based methods have recently demonstrated strongadvantages, they encounter practical challenges in cloud environments: thecontradiction between the impracticality of maintaining a unique model for eachservice and the limited ability to deal with diverse normal patterns by aunified model, as well as issues with handling heavy traffic in real time andshort-term anomaly detection sensitivity. Thus, we propose MACE, a multi-normal-pattern accommodated and efficientanomaly detection method in the frequency domain for time series anomalydetection. There are three novel characteristics of it: (i) a patternextraction mechanism excelling at handling diverse normal patterns with aunified model, which enables the model to identify anomalies by examining thecorrelation between the data sample and its service normal pattern, instead ofsolely focusing on the data sample itself; (ii) a dualistic convolutionmechanism that amplifies short-term anomalies in the time domain and hindersthe reconstruction of anomalies in the frequency domain, which enlarges thereconstruction error disparity between anomaly and normality and facilitatesanomaly detection; (iii) leveraging the sparsity and parallelism of frequencydomain to enhance model efficiency. We theoretically and experimentally provethat using a strategically selected subset of Fourier bases can not only reducecomputational overhead but is also profitable to distinguish anomalies,compared to using the complete spectrum. Moreover, extensive experimentsdemonstrate MACE's effectiveness in handling diverse normal patterns with aunified model and it achieves state-of-the-art performance with highefficiency.

Wei Xiong,Hanping Hu,Naixue Xiong,Laurence T. Yang,Wen-Chih Peng,Xiaofei Wang,Yanzhen Qu

DOI: https://doi.org/10.1016/j.ins.2013.04.009

IF: 8.1

2013-01-01

Information Sciences

Abstract:Cloud computing represents a new paradigm where computing resources are offered as services in the world via communication Internet. As many new types of attacks are arising at a high frequency, the cloud computing services are exposed to an increasing amount of security threats. To reduce security risks, two approaches of the network traffic anomaly detection in cloud communications have been presented, which analyze dynamic characteristics of the network traffic based on the synergetic neural networks and the catastrophe theory. In the former approach, a synergetic dynamic equation with a group of the order parameters is used to describe the complex behaviors of the network traffic system in cloud communications. When this equation is evolved, only the order parameter determined by the primary factors can converge to 1. Then, the anomaly can be detected. In the latter approach, a catastrophe potential function is introduced to describe the catastrophe dynamic process of the network traffic in cloud communications. When anomalies occur, the state of the network traffic will deviate from the normal one. To assess the deviation, an index named as catastrophe distance is defined. The network traffic anomaly can be detected by the value of this index. We evaluate the performance of these two approaches using the standard Defense Advanced Research Projects Agency data sets. Experimental results show that our approaches can effectively detect the network traffic anomaly and achieve the high detection probability and the low false alarms rate.

Wenyao Sha,Yongxin Zhu,Min Chen,Tian Huang

DOI: https://doi.org/10.1109/tcc.2015.2415813

IF: 5.697

2015-01-01

IEEE Transactions on Cloud Computing

Abstract:As a major strategy to ensure the safety of IT infrastructure, anomaly detection plays a more important role in cloud computing platform which hosts the entire applications and data. On top of the classic Markov chain model, we proposed in this paper a feasible multi-order Markov chain based framework for anomaly detection. In this approach, both the high-order Markov chain and multivariate time series are adopted to compose a scheme described in algorithms along with the training procedure in the form of statistical learning framework. To curb time and space complexity, the algorithms are designed and implemented with non-zero value table and logarithm values in initial and transition matrices. For validation, the series of system calls and the corresponding return values are extracted from classic Defense Advanced Research Projects Agency (DARPA) intrusion detection evaluation data set to form a two-dimensional test input set. The testing results show that the multi-order approach is able to produce more effective indicators: in addition to the absolute values given by an individual single-order model, the changes in ranking positions of outputs from different-order ones also correlate closely with abnormal behaviours.

Mingwei Lin,Shuyu Chen

DOI: https://doi.org/10.17706/jcp.10.3.155-165

2015-01-01

Journal of Computers

Abstract:Infrastructure as a Service (IaaS) is an important service type provided by cloud computing. Infrastructure resources are encapsulated into services and they are provided to users over the Internet in the form of virtual machines. A malicious user can upload malicious software into the virtual machine allocated by a cloud computing service provider and launch the side channel attacks to other virtual machines located in the same physical node by operating his own virtual machine. In order to address the above problem, this paper proposes an efficient anomaly detection framework for cloud computing environment to detect the virtual machines that present abnormal behaviors. A new feature extraction algorithm is designed to reduce the dimensionality of the collected data and a new anomaly detection algorithm is also designed to detect the abnormal virtual machines. A series of experiments are conducted on a cloud computing environment that is deployed using the open source project OpenStack to evaluate the proposed framework. Experimental results show that the proposed framework is better than other anomaly detection methods designed for cloud computing environment in terms of precision, recall, false alarm rate, and runtime.

Guojun Peng,Taige Wang,Yan Liu,Huanguo Zhang

DOI: https://doi.org/10.13245/j.hust.160304

2016-01-01

Abstract:A lightweight threat awareness system based on the combination of host and cloud analysis was proposed in this paper.The system captured sensitive behavior from hosts,and then analyzed the log in the cloud server.The advantage is that the process of capturing user′s behavior is impercepti-ble,and the complex analysis is achieved in server.The solution can reduce the pressure of perform-ance on host,and implement the correlation analysis in cloud as well.Our system has been deployed into 1.763 6×104 clients,and 114 malwares that are failed to be declared by current commercial anti-virus software has been detected.

Jin Gao,Jiaquan Liu,Sihua Guo,Qi Zhang,Xinyang Wang

DOI: https://doi.org/10.1155/2020/6343705

IF: 1.43

2020-11-19

Mathematical Problems in Engineering

Abstract:Aiming at problems such as slow training speed, poor prediction effect, and unstable detection results of traditional anomaly detection algorithms, a data mining method for anomaly detection based on the deep variational dimensionality reduction model and MapReduce (DMAD-DVDMR) in cloud computing environment is proposed. First of all, the data are preprocessed by a dimensionality reduction model based on deep variational learning and based on ensuring complete data information as much as possible, the dimensionality of the data is reduced, and the computational pressure is reduced. Secondly, the data set stored on the Hadoop Distributed File System (HDFS) is logically divided into several data blocks, and the data blocks are processed in parallel through the principle of MapReduce, so the k-distance and LOF value of each data point can only be calculated in each block. Thirdly, based on stochastic gradient descent, the concept of k-neighboring distance is redefined, thus avoiding the situation where there are greater than or equal to k-repeated points and infinite local density in the data set. Finally, compared with CNN, DeepAnt, and SVM-IDS algorithms, the accuracy of the scheme is increased by 10.3%, 18.0%, and 17.2%, respectively. The experimental data set verifies the effectiveness and scalability of the proposed DMAD-DVDMR algorithm.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Tao Qin,Bo Wang,Ruoya Chen,Zunying Qin,Lei Wang

DOI: https://doi.org/10.3390/s19040958

IF: 3.9

2019-01-01

Sensors

Abstract:System security monitoring has become more and more difficult with the ever-growing complexity and dynamicity of the Internet of Things (IoT). In this paper, we develop an Intelligent Maintenance and Lightweight Anomaly Detection System (IMLADS) for efficient security management of the IoT. Firstly, unlike the traditional system use static agents, we employ the mobile agent to perform data collection and analysis, which can automatically transfer to other nodes according to the pre-set monitoring task. The mobility is handled by the mobile agent running platform, which is irrelevant with the node or its operation system. Combined with this technology, we can greatly reduce the number of agents running in the system while increasing the system stability and scalability. Secondly, we design different methods for node level and system level security monitoring. For the node level security monitoring, we develop a lightweight data collection and analysis method which only occupy little local computing resources. For the system level security monitoring, we proposed a parameter calculation method based on sketch, whose computational complexity is constant and irrelevant with the system scale. Finally, we design agents to perform suitable response policies for system maintenance and abnormal behavior control based on the anomaly mining results. The experimental results based on the platform constructed show that the proposed method has lower computational complexity and higher detection accuracy. For the node level monitoring, the time complexity is reduced by 50% with high detection accuracy. For the system level monitoring, the time complexity is about 1 s for parameter calculation in a middle scale IoT network.

Junjie Cen,Yongbo Li

DOI: https://doi.org/10.1155/2022/6155925

2022-03-31

Wireless Communications and Mobile Computing

Abstract:To address the problem of poor detection performance of existing intrusion detection methods in the environment of high-dimensional massive data with uneven class distribution, a deep learning-based anomaly traffic detection method in cloud computing environment is proposed. First, the fuzzy C -means (FCM) algorithm is introduced and is combined with the general regression neural network (GRNN) to cluster the samples to be classified in the original space by FCM. Then, the GRNN model is trained and the center point is updated using the sample closest to the FCM clustering center until a stable cluster center is obtained. The parameters in FCM-GRNN are optimized using the global optimization feature of the modified fruit fly optimization algorithm (MFOA), and the optimal spread value is found using the three-dimensional search method through an iterative search. Finally, experiments are conducted based on the KDD CUP99 dataset, and the results demonstrate that the detection rate (DR) and false alarm rate (FAR) of the proposed FCM-MFOA-GRNN method are 91% and 1.176%, respectively, which are better than those of the comparison methods. Therefore, the proposed method has good anomaly traffic detection ability.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhi-Zhong WU,Xue-Hai ZHOU

DOI: https://doi.org/10.3969/j.issn.1003-3254.2015.04.032

2015-01-01

Abstract:In this paper, we present a distributed anomaly detection system for mobile devices. The proposed framework realizes a client-server architecture, the client continuously extracts various features of mobile device and transfers to the server, and the server’s major task is to detect anomaly using state-of-art detection algorithms. According to the regularity of human daily activity and the periodic of using mobile device, we also propose a novel user behavior cycle based statistical approach, in which the abnormal is determined by the distance from the undetermined feature vector to the similar time segments’ vectors of previous cycles. We use the Mahalanobis distance as distance metric since it is rarely affected by the correlate and value range of features. Evaluation results demonstrated that the proposed framework and novel anomaly detection algorithm could effectively improve the detection rate of malwares on mobile devices.

Ping Lou,Yun Yang,Junwei Yan

DOI: https://doi.org/10.1145/3340997.3341005

2019-01-01

Abstract:The cloud service platform is an open platform designed to provide various users with application services. The reliability of the platform is threatened by anomalous access behaviors such as resource abuse, DDoS attacks etc. Detecting anomalous behaviors to access the cloud service platform is an essential task. In this paper, an anomaly detection method based on Max-min distance and Support vector data description (MMD-SVDD) is proposed. The method identifies anomalous user access behaviors using CPU/memory/disk/network related system resource metrics. It firstly uses MMD to divide servers in the cloud service platform into multi-clusters. The servers in each of the clusters have similar running environment and can share an anomaly detection model. This process can effectively reduce the detection scale and system resource consumption. Then, aiming at the problem of incomplete abnormal data samples, the anomaly detection models are built based on SVDD algorithm, which utilizes normal data samples to construct a hypersphere for each cluster. Finally, the anomalous behavior is identified via judging whether the target data falls outside the hypersphere. The method is applied in cloud service platform and the result shows that it can accurately identity anomalies with lower system resource consumption.

Waqas Haider,Jiankun Hu,Yi Xie,Xinghuo Yu,Qianhong Wu

DOI: https://doi.org/10.1109/tbdata.2017.2736555

2017-01-01

IEEE Transactions on Big Data

Abstract:Anomaly detection for cloud servers is important for detecting zero-day attacks. However, it is very challenging due to the large amount of accumulated data. In this paper, a new mathematical model for modeling dynamic usage behavior and detecting anomalies is proposed. It is constructed using state summarization and a novel nested-arc hidden semi-Markov model (NAHSMM). State summarization is designed to extract usage behavior reflective states from a raw sequence. The NAHSMM is comprised of exterior and interior hidden Markov chains. The exterior controls the propagation of raw sequences of system calls and, conditional on it, the interior one controls the summarized observation process from the transition less usage behavior reflective states. An anomaly detection algorithm is derived by integrating state summarization and NAHSMM. During training the algorithm is assisted by a forensic module to tune the behavioral threshold. Experimental data is collected using IXIA Perfect Storm in conjunction with the commercial security-test hardware platform cyber range. To evaluate the reliability of the proposed model, first, its accuracy and training costs are compared with those of existing machine-learning models and then its scalability and resistance capabilities are tested. The results indicate that this model could be used as a method for detecting anomalies in cloud servers.

He Cai,Cunqing Hua,Wenchao Xu

DOI: https://doi.org/10.1109/wcsp.2019.8928043

2019-01-01

Abstract:In this paper, we propose a collaborative anomaly detection system based on the Active Learning framework. In this system, multiple Edge nodes are responsible for monitoring and collecting data from the local users. To reduce the data to be transmitted, we adopt the Principal Component Analysis(PCA) method in the data preprocessing stage on each Edge node. Then each Edge node selects the most valuable samples based on the Uncertainty Sampling strategies. These samples are then uploaded to the Cloud server for anomaly detection based on the machine learning classification schemes. The samples are also used to train the sample selection model on the Cloud. The parameters of the Cloud classifier and sample selection model are then sent back to the Edge nodes to update their classifiers and sample selection models. This system allows us to reduce the cost in sample obtaining, shorten the bandwidth demand and lower the latency. We implement the proposed anomaly detection schemes in a practical system and provide experiment results to demonstrate the performances of the system.

Jing Zhang

DOI: https://doi.org/10.48550/arXiv.1901.09294

2019-01-27

Abstract:Anomaly detecting as an important technical in cloud computing is applied to support smooth running of the cloud platform. Traditional detecting methods based on statistic, analysis, etc. lead to the high false-alarm rate due to non-adaptive and sensitive parameters setting. We presented an online model for anomaly detecting using machine learning theory. However, most existing methods based on machine learning linked all features from difference sub-systems into a long feature vector directly, which is difficult to both exploit the complement information between sub-systems and ignore multi-view features enhancing the classification performance. Aiming to this problem, the proposed method automatic fuses multi-view features and optimize the discriminative model to enhance the accuracy. This model takes advantage of extreme learning machine (ELM) to improve detection efficiency. ELM is the single hidden layer neural network, which is transforming iterative solution the output weights to solution of linear equations and avoiding the local optimal solution. Moreover, we rank anomies according to the relationship between samples and the classification boundary, and then assigning weights for ranked anomalies, retraining the classification model finally. Our method exploits the complement information between sub-systems sufficiently, and avoids the influence from imbalance dataset, therefore, deal with various challenges from the cloud computing platform. We deploy the privately cloud platform by Openstack, verifying the proposed model and comparing results to the state-of-the-art methods with better efficiency and simplicity.

Machine Learning

Zhaoyang Yu,Minghua Ma,Chaoyun Zhang,Si Qin,Yu Kang,Chetan Bansal,Saravan Rajmohan,Yingnong Dang,Changhua Pei,Dan Pei,Qingwei Lin,Dongmei Zhang

DOI: https://doi.org/10.1145/3663529.3663826

2024-01-01

Abstract:In large-scale cloud service systems, monitoring metric data and conducting anomaly detection is an important way to maintain reliability and stability. However, great disparity exists between academic approaches and industrial practice to anomaly detection. Industry predominantly uses simple, effcient methods due to better interpretability and ease of implementation. In contrast, academically favor deep-learning methods, despite their advanced capabilities, face practical challenges in real-world applications. To address these challenges, this paper introduces MonitorAssistant, an end-to-end practical anomaly detection system via Large Language Models. MonitorAssistant automates model configuration recommendation achieving knowledge inheritance and alarm interpretation with guidance-oriented anomaly reports, facilitating a more intuitive engineer-system interaction through natural language. By deploying MonitorAssistant in Microsoft's cloud service system, we validate its effcacy and practicality, marking a significant advancement in the field of practical anomaly detection for large-scale cloud services.

Gao Cong,Yang Ping,Chen Yanping,Wang Zhongmin,Wang Yue

DOI: https://doi.org/10.1007/s40747-021-00442-6

IF: 6.7

2021-01-01

Complex & Intelligent Systems

Abstract:With large deployment of wireless sensor networks, anomaly detection for sensor data is becoming increasingly important in various fields. As a vital data form of sensor data, time series has three main types of anomaly: point anomaly, pattern anomaly, and sequence anomaly. In production environments, the analysis of pattern anomaly is the most rewarding one. However, the traditional processing model cloud computing is crippled in front of large amount of widely distributed data. This paper presents an edge-cloud collaboration architecture for pattern anomaly detection of time series. A task migration algorithm is developed to alleviate the problem of backlogged detection tasks at edge node. Besides, the detection tasks related to long-term correlation and short-term correlation in time series are allocated to cloud and edge node, respectively. A multi-dimensional feature representation scheme is devised to conduct efficient dimension reduction. Two key components of the feature representation trend identification and feature point extraction are elaborated. Based on the result of feature representation, pattern anomaly detection is performed with an improved kernel density estimation method. Finally, extensive experiments are conducted with synthetic data sets and real-world data sets.

Zhengmin Li,Chunge Zhu,Xinran Liu,Xiufeng Sui

DOI: https://doi.org/10.1109/icnsc.2017.8000085

2017-01-01

Abstract:The combination of fast online anomaly detection and offline learning is a vital element of operations in large-scale datacenters and utility clouds. Given ever-increasing datacenter sizes coupled with the complexities of systems software, applications, and workload patterns, such anomaly detection must operate continuous and real-time at runtime. Further, detection should function for both hardware and software levels of abstraction, and for the multiple metrics used in cloud computing systems. In this paper, we present a novel, flexible framework to do anomaly detection for data center. The goal of our framework design is to combine online anomaly detection and offline learning automatically and iteratively. And the framework aims to have the capability to integrate different offline learning methodologies. We demonstrate this framework with two representative applications in datacenters, and explore three common scenarios during the applications runtime. Experiment results show that the proposed approach provides good accuracy and low overhead.

Jinyang Liu,Tianyi Yang,Zhuangbin Chen,Yuxin Su,Cong Feng,Zengyin Yang,Michael R. Lyu

2023-08-19

Abstract:As modern software systems continue to grow in terms of complexity and volume, anomaly detection on multivariate monitoring metrics, which profile systems' health status, becomes more and more critical and challenging. In particular, the dependency between different metrics and their historical patterns plays a critical role in pursuing prompt and accurate anomaly detection. Existing approaches fall short of industrial needs for being unable to capture such information efficiently. To fill this significant gap, in this paper, we propose CMAnomaly, an anomaly detection framework on multivariate monitoring metrics based on collaborative machine. The proposed collaborative machine is a mechanism to capture the pairwise interactions along with feature and temporal dimensions with linear time complexity. Cost-effective models can then be employed to leverage both the dependency between monitoring metrics and their historical patterns for anomaly detection. The proposed framework is extensively evaluated with both public data and industrial data collected from a large-scale online service system of Huawei Cloud. The experimental results demonstrate that compared with state-of-the-art baseline models, CMAnomaly achieves an average F1 score of 0.9494, outperforming baselines by 6.77% to 10.68%, and runs 10X to 20X faster. Furthermore, we also share our experience of deploying CMAnomaly in Huawei Cloud.

Software Engineering,Machine Learning

Ke Xu,Yun Wang,Leni Yang,Yifang Wang,Bo Qiao,Si Qin,Yong Xu,Haidong Zhang,Huamin Qu

DOI: https://doi.org/10.1109/tvcg.2019.2934613

IF: 5.2

2019-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:Detecting and analyzing potential anomalous performances in cloud computing systems is essential for avoiding losses to customers and ensuring the efficient operation of the systems. To this end, a variety of automated techniques have been developed to identify anomalies in cloud computing. These techniques are usually adopted to track the performance metrics of the system (e.g., CPU, memory, and disk I/O), represented by a multivariate time series. However, given the complex characteristics of cloud computing data, the effectiveness of these automated methods is affected. Thus, substantial human judgment on the automated analysis results is required for anomaly interpretation. In this paper, we present a unified visual analytics system named CloudDet to interactively detect, inspect, and diagnose anomalies in cloud computing systems. A novel unsupervised anomaly detection algorithm is developed to identify anomalies based on the specific temporal patterns of the given metrics data (e.g., the periodic pattern). Rich visualization and interaction designs are used to help understand the anomalies in the spatial and temporal context. We demonstrate the effectiveness of CloudDet through a quantitative evaluation, two case studies with real-world data, and interviews with domain experts.

Wenhao Wang,Chen Zhang,Quan Zhang

DOI: https://doi.org/10.1007/978-3-662-43908-1_15

2014-01-01

Abstract:In order to solve non-real time problem in traditional intrusion detection technologies, this paper proposes an anomaly detection model based on cloud model and danger theory. First using cloud model as a tool to evaluate the diversity factors between test data and the standard data set, then covert it into signal input of DCA to detect abnormality degree of system. Meanwhile, a dendritic cell algorithm based on data segmented detection is proposed in order to raise real-time response of the system. The paper use KDDCUP99 data sets to validate membership of normal data and detection rate of this model. Experimental results show that the model can effectively distinguish between normal data and abnormal data, and also improve the system anomaly detection capabilities.