Zhaoyang Yu,Qianyu Ouyang,Changhua Pei,Xin Wang,Wenxiao Chen,Liangfei Su,Huai Jiang,Xuanrun Wang,Jianhui Li,Dan Pei

DOI: https://doi.org/10.1109/ccgrid59990.2024.00018

2024-01-01

Abstract:Accurate and efficient root cause identification in online service systems is critical for service stability and user experience. When a system failure occurs, numerous alerts are generated, but existing methods fail to effectively integrate all these multi-modal data to pinpoint the root causes. Moreover, most existing approaches are inefficient for large-scale online services due to their high reliance on handcrafted rules and domain expertise. This paper introduces AlertRCA, an algorithm for Root Cause Analysis (RCA) based on Alert events. It utilizes a pre-trained Alert2Vec module to encode multi-modal alert information into vectors, and implements an RCA-oriented causality prediction graph attention network (CPGAT) to automatically gauge causal relationships between alerts. Further, we devise a novel dispersing and aggregating graph neural network (DAGNN) to identify root causes. Experiments on a real-world dataset collected from a top-tier e-commerce company reveal AlertRCA’s superior performance, achieving 83.9% top-1 and 96.8% top-3 accuracy on average. Our codes are available at https://github.com/NetManAIOps/AlertRCA.

Nengwen Zhao,Panshi Jin,Lixin Wang,Xiaoqin Yang,Rong Liu,Wenchi Zhang,Kaixin Sui,Dan Pei

DOI: https://doi.org/10.1109/infocom41043.2020.9155219

2020-01-01

Abstract:In large-scale online service system, to enhance the quality of services, engineers need to collect various monitoring data and write many rules to trigger alerts. However, the number of alerts is way more than what on-call engineers can properly investigate. Thus, in practice, alerts are classified into several priority levels using manual rules, and on-call engineers primarily focus on handling the alerts with the highest priority level (i.e., severe alerts). Unfortunately, due to the complex and dynamic nature of the online services, this rule-based approach results in missed severe alerts or wasted troubleshooting time on non-severe alerts. In this paper, we propose AlertRank, an automatic and adaptive framework for identifying severe alerts. Specifically, AlertRank extracts a set of powerful and interpretable features (textual and temporal alert features, univariate and multivariate anomaly features for monitoring metrics), adopts XGBoost ranking algorithm to identify the severe alerts out of all incoming alerts, and uses novel methods to obtain labels for both training and testing. Experiments on the datasets from a top global commercial bank demonstrate that AlertRank is effective and achieves the F1-score of 0.89 on average, outperforming all baselines. The feedback from practice shows AlertRank can significantly save the manual efforts for on-call engineers.

Nengwen Zhao,Junjie Chen,Zhou Wang,Xiao Peng,Gang Wang,Yong Wu,Fang Zhou,Zhen Feng,Xiaohui Nie,Wenchi Zhang,Kaixin Sui,Dan Pei

DOI: https://doi.org/10.1145/3368089.3409672

2020-01-01

Abstract:Incidents in online service systems could dramatically degrade system availability and destroy user experience. To guarantee service quality and reduce economic loss, it is essential to predict the occurrence of incidents in advance so that engineers can take some proactive actions to prevent them. In this work, we propose an effective and interpretable incident prediction approach, called eWarn, which utilizes historical data to forecast whether an incident will happen in the near future based on alert data in real time. More specifically, eWarn first extracts a set of effective features (including textual features and statistical features) to represent omen alert patterns via careful feature engineering. To reduce the influence of noisy alerts (that are not relevant to the occurrence of incidents), eWarn then incorporates the multi-instance learning formulation. Finally, eWarn builds a classification model via machine learning and generates an interpretable report about the prediction result via a state-of-the-art explanation technique (i.e., LIME). In this way, an early warning signal along with its interpretable report can be sent to engineers to facilitate their understanding and handling for the incoming incident. An extensive study on 11 real-world online service systems from a large commercial bank demonstrates the effectiveness of eWarn, outperforming state-of-the-art alert-based incident prediction approaches and the practice of incident prediction with alerts. In particular, we have applied eWarn to two large commercial banks in practice and shared some success stories and lessons learned from real deployment.

Nengwen Zhao,Junjie Chen,Xiao Peng,Honglin Wang,Xinya Wu,Yuanzong Zhang,Zikai Chen,Xiangzhong Zheng,Xiaohui Nie,Gang Wang,Yong Wu,Fang Zhou,Wenchi Zhang,Kaixin Sui,Dan Pei

DOI: https://doi.org/10.1145/3377812.3390809

2020-01-01

Abstract:Alert is a kind of key data source in monitoring system for online service systems, which is used to record the anomalies in service components and report to engineers. In general, the occurrence of a service failure tends to be along with a large number of alerts, which is called alert storm. However, alert storm brings great challenges to diagnose the failure, since it is time-consuming and tedious for engineers to investigate such an overwhelming number of alerts manually. To help understand alert storm, we conduct the first empirical study of alert storm based on large-scale real-world alert data and gain some valuable insights. Based on the findings, we propose a novel approach to handling alert storm. Specifically, this approach includes alert storm detection which aims to identify alert storm accurately, and alert storm summary which aims to recommend a small set of representative alerts to engineers for failure diagnosis. Our experimental study on real-world dataset demonstrates that our alert storm detection can achieve high F1-score (larger than 0.9). Besides, our alert storm summary can reduce the number of alerts that need to be examined by more than 98% and discover useful alerts accurately.

Hu Dong,Longjie Li,Dongwen Tian,Yiyang Sun,Yuncong Zhao

DOI: https://doi.org/10.1016/j.eswa.2023.122685

IF: 8.5

2024-05-01

Expert Systems with Applications

Abstract:Many real-world networks are dynamic, whose structure keeps changing over time. Link prediction, which can foretell the emergence of future links, is one crucial task in dynamic network analysis. Compared to link prediction in static networks, it is more challenging and complicated in dynamic ones due to the dynamic nature. On the other hand, effective use of the information carried out by dynamic networks can enhance prediction accuracy. In this study, we presents a new end-to-end solution for dynamic link prediction, in which the representations of node-pairs can be effectively learned via an improved graph neural network and a nonlinear function by leveraging the structural information of individual snapshots, historical features from network evolution, and global knowledge of the collapsed network. The proposed method can effectively cope with the challenge of dynamic link prediction. Extensive tests are implemented on several dynamic networks to assess the prediction performance of our proposed method. The results on these networks demonstrate that our proposed method achieves superior effectiveness compared to the baselines in most cases.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Yuan Li,Chuanchang Chen,Yubo Tao,Hai Lin

DOI: https://doi.org/10.1007/978-3-030-89363-7_41

2021-01-01

Abstract:This paper proposes a novel model for predicting subgraphs in dynamic graphs, an extension of traditional link prediction. This proposed end-to-end model learns a mapping from the subgraph structures in the current snapshot to the subgraph structures in the next snapshot directly, i.e., edge existence among multiple nodes in the subgraph. A new mechanism named cross-attention with a twin-tower module is designed to integrate node attribute information and topology information collaboratively for learning subgraph evolution. We compare our model with several state-of-the-art methods for subgraph prediction and subgraph pattern prediction in multiple real-world homogeneous and heterogeneous dynamic graphs, respectively. Experimental results demonstrate that our model outperforms other models in these two tasks, with a gain increase from \(5.02\%\) to \(10.88\%\).

Yi Li,Zhangbing Zhou,Shuiguang Deng,Xiao Sun,Xiao Xue,Sami Yangui,Walid Gaaloul

DOI: https://doi.org/10.1109/icws62655.2024.00077

2024-01-01

Abstract:Anomaly detection is a long-standing research topic to support the prompt remedy of potential risks for dependency-aware tasks, where Graph Neural Networks (GNNs) models have been adopted to differentiate anomalies from normal patterns. Generally, GNN models utilize time series data to construct graph structures for capturing task dependencies between Internet of Things (IoT) devices, such that deviations from predicted behaviours are assumed as anomalies. Current forecasting-based anomaly detection methods can hardly detect anomalies, which are uncovered by historical sensory data, but are explicitly specified by domain knowledge. To solve this issue, this paper proposes a Knowledge-enhanced graph attention-based Anomaly Detection (KeAD) method. Specifically, a knowledge-enhanced graph structure is constructed by incorporating domain-specific knowledge to represent spatio-temporal dependencies between IoT devices. Thereafter, a knowledge-enhanced graph attention-based forecasting network is developed to predict future behaviours of IoT devices. Anomalies are detected by analyzing deviations from these predicted behaviours, taking domain-specific knowledge into account. Extensive experiments are conducted based on publicly-available datasets, and evaluation results demonstrate that our KeAD outperform the state-of-the-art techniques in terms of the accuracy of anomaly detection.

Shaojun Zhang,Jianhua Li,Xiuzhen Chen,Lei Fan

DOI: https://doi.org/10.1016/j.cose.2008.05.005

IF: 5.105

2008-01-01

Computers & Security

Abstract:Most network administrators have got unpleasant experience of being overwhelmed by tremendous unstructured network security alerts produced by heterogeneous devices. To date, various approaches have been proposed to correlate security alerts, including the adoption of attack graphs to clarify their causal relationship. However, there still lacks an efficient and operational method to generate attack graphs tailored to alert causal correlation. In this paper, we propose a kind of ''one-step worst'' attack graph which can be built in polynomial time using an intuitive object-oriented method. Based on the graph, a principle is given out to correlate security alerts into scenarios. To prove its feasibility, we implemented a prototype system which can efficiently divide real-time alert streams into plausible attack scenarios.

Xiancheng Ou,Yuting Chen,Siwei Zhou,Jiandong Shi

DOI: https://doi.org/10.1108/ijwis-05-2023-0083

2023-09-08

International Journal of Web Information Systems

Abstract:Purpose With the continuous growth of online education, the quality issue of online educational videos has become increasingly prominent, causing students in online learning to face the dilemma of knowledge confusion. The existing mechanisms for controlling the quality of online educational videos suffer from subjectivity and low timeliness. Monitoring the quality of online educational videos involves analyzing metadata features and log data, which is an important aspect. With the development of artificial intelligence technology, deep learning techniques with strong predictive capabilities can provide new methods for predicting the quality of online educational videos, effectively overcoming the shortcomings of existing methods. The purpose of this study is to find a deep neural network that can model the dynamic and static features of the video itself, as well as the relationships between videos, to achieve dynamic monitoring of the quality of online educational videos. Design/methodology/approach The quality of a video cannot be directly measured. According to previous research, the authors use engagement to represent the level of video quality. Engagement is the normalized participation time, which represents the degree to which learners tend to participate in the video. Based on existing public data sets, this study designs an online educational video engagement prediction model based on dynamic graph neural networks (DGNNs). The model is trained based on the video's static features and dynamic features generated after its release by constructing dynamic graph data. The model includes a spatiotemporal feature extraction layer composed of DGNNs, which can effectively extract the time and space features contained in the video's dynamic graph data. The trained model is used to predict the engagement level of learners with the video on day T after its release, thereby achieving dynamic monitoring of video quality. Findings Models with spatiotemporal feature extraction layers consisting of four types of DGNNs can accurately predict the engagement level of online educational videos. Of these, the model using the temporal graph convolutional neural network has the smallest prediction error. In dynamic graph construction, using cosine similarity and Euclidean distance functions with reasonable threshold settings can construct a structurally appropriate dynamic graph. In the training of this model, the amount of historical time series data used will affect the model's predictive performance. The more historical time series data used, the smaller the prediction error of the trained model. Research limitations/implications A limitation of this study is that not all video data in the data set was used to construct the dynamic graph due to memory constraints. In addition, the DGNNs used in the spatiotemporal feature extraction layer are relatively conventional. Originality/value In this study, the authors propose an online educational video engagement prediction model based on DGNNs, which can achieve the dynamic monitoring of video quality. The model can be applied as part of a video quality monitoring mechanism for various online educational resource platforms.

Chang Guo,Dechang Pi,Jianjun Cao,Xixuan Wang,Hao Liu

DOI: https://doi.org/10.1007/s12652-022-04493-6

IF: 3.662

2022-12-20

Journal of Ambient Intelligence and Humanized Computing

Abstract:The control system is an important part of the industrial infrastructure. Once the abnormal is likely to cause equipment failure, production interruption and other serious consequences, a timely and effective anomaly detection method is of great significance to the industrial control system. This paper presents a predictive maintenance strategy–early warning model that includes two modules, prediction and alarm, which can also realize online status monitoring. In the prediction module, a two-channel input model using a graphical neural network and a temporal convolutional network, and the graph structure learning module in the graph neural network is improved to optimize the graph structure. For the alarm module, combining expert experience and mathematical statistics knowledge, a hierarchical alarm mechanism based on abnormal scores and abnormal interval accumulation is proposed. We use the real data to verify the performance of the prediction algorithm and the effectiveness of the early warning index. Experimental results with the real data and the open data show that the prediction performance of the proposed early-warning model is better than the state-of-the-art methods. On the real TRT dataset, the evaluation indicator MAPE is 6.5693%, and on the open dataset, MAPE is 1.3368%. At the same time, its early-warning performance is better than the existing automatic interpretation and manual interpretation methods on the industrial internet.

computer science, information systems,telecommunications, artificial intelligence

LILongying,LI Jinku,MAJianfeng,JIANGQi

DOI: https://doi.org/10.3969/j.issn.1001-2400.2014.05.015

2014-01-01

Abstract:The causal relation based alert correlation approach causes split scenario graphs and cannot process massive alerts in time.To address this issue,a comprehensive analysis approach of real-time alerts with attack strategy graphs is proposed.First,it gets rid of the splitting of the attack scenario graph by introducing hypothesizing alerts to the alert correlation process.Second,it leverages a novel sliding window mechanism,which maintains a window for each type of attacks and determines the window’s size according to both the time and number of the alerts.This new mechanism only introduces linear time complexity without sacrificing effectiveness.Third,the approach is extended to a comprehensive system to reconstruct attack scenarios,predict future alerts and fuse analytical results.Evaluation results indicate that our approach is effective and efficient.

Mengjie Zhao,Olga Fink

DOI: https://doi.org/10.1109/JIOT.2024.3381002

2024-01-26

Abstract:In the Industrial Internet of Things (IIoT), condition monitoring sensor signals from complex systems often exhibit nonlinear and stochastic spatial-temporal dynamics under varying conditions. These complex dynamics make fault detection particularly challenging. While previous methods effectively model these dynamics, they often neglect the evolution of relationships between sensor signals. Undetected shifts in these relationships can lead to significant system failures. Furthermore, these methods frequently misidentify novel operating conditions as faults. Addressing these limitations, we propose DyEdgeGAT (Dynamic Edge via Graph Attention), a novel approach for early-stage fault detection in IIoT systems. DyEdgeGAT's primary innovation lies in a novel graph inference scheme for multivariate time series that tracks the evolution of relationships between time series, enabled by dynamic edge construction. Another key innovation of DyEdgeGAT is its ability to incorporate operating condition contexts into node dynamics modeling, enhancing its accuracy and robustness. We rigorously evaluated DyEdgeGAT using both a synthetic dataset, simulating varying levels of fault severity, and a real-world industrial-scale multiphase flow facility benchmark with diverse fault types under varying operating conditions and detection complexities. The results show that DyEdgeGAT significantly outperforms other baseline methods in fault detection, particularly in the early stages with low severity, and exhibits robust performance under novel operating conditions.

Machine Learning,Artificial Intelligence

Shaojun Zhang,Jianhua Li,Xiuzhen Chen,Lei Fan

DOI: https://doi.org/10.1109/chinacom.2008.4685009

2008-01-01

Abstract:Most network administrators have got the unpleasant experience of being overwhelmed by tremendous unstructured network security alerts produced by heterogeneous network devices. To date, various approaches have been proposed to correlate security alerts, including the adoption of network attack graphs to clarify their causal relationship. However, there still lacks an operational method to generate attack graphs tailored for alert correlation, especially in large scale network environments. In this paper, we propose a kind of attack graph which can be built in polynomial time using an intuitive object-oriented method. Based on the graph, a criterion is given out to correlate security alerts into scenarios. As practice, a prototype system is implemented to testify the feasibility of the approaches.

Hongyang Chen,Pengfei Chen,Benran Wang,Xian Yu,Xiaofan Chen,Dandan Ma,Zibin Zheng

DOI: https://doi.org/10.1016/j.comnet.2023.110135

IF: 5.493

2024-02-01

Computer Networks

Abstract:Software-Defined Network (SDN) has been widely employed in data center networks to host various software systems such as microservice systems. A microservice system is constructed by a microservice architecture composed of dozens of services running in different lightweight virtual machines (e.g., containers) and relying on overlay networks for connectivity. However, with the increase of the system scale and the network traffic volume, the network becomes more complex and common to behave anomalously. Therefore, it is error-prone to manually investigate anomalies. To tackle this problem, we propose a non-intrusive monitoring system to help network operators obtain deep insights from the network traffic generated by the running system. Based on the monitoring system, we propose an anomaly detection method to automatically detect network anomalies. The core idea is to learn behavior patterns of inter/intra-components by modeling spatial–temporal relationships amongst collected network metrics with the proposed model STCell-VAE. The pattern will be leveraged to reconstruct the input data. Subsequently, the reconstruction probability is used to determine anomalies. Additionally, STCell-VAE can assimilate network information from new components as the network evolves, eliminating the necessity for retraining. Experiments are conducted within a real networking system and four simulated large-scale networks. The results demonstrate that our system can detect anomalies with about 0.7 F1-score, which outperforms state-of-the-art methods.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Gang Yang,Chaojing Tang,Xingtong Liu

DOI: https://doi.org/10.3390/sym14102138

2022-10-14

Symmetry

Abstract:The exponential expansion of Internet interconnectivity has led to a dramatic increase in cyber-attack alerts, which contain a considerable proportion of false positives. The overwhelming number of false positives cause tremendous resource consumption and delay responses to the really severe incidents, namely, alert fatigue. To cope with the challenge from alert fatigue, we focus on enhancing the capability of detectors to reduce the generation of false alerts from the detection perspective. The core idea of our work is to train a machine-learning-based detector to grasp the empirical intelligence of security analysts to estimate the feasibility of an incoming HTTP request to cause substantial threats, and integrate the estimation into the detection stage to reduce false alarms. To this end, we innovatively introduce the concept of attack feasibility to characterize the composition rationality of an inbound HTTP request as a feasible attack under static scrutinization. First, we adopt a fast request-reorganization algorithm to transform an HTTP request into the form of interface:payload pair for further alignment of structural components which can reveal the processing logic of the target program. Then, we build a dual-channel attention-based circulant convolution neural network (DualAC2NN) to integrate the attack feasibility estimation into the alert decision, by comprehensively considering the interface sensitivity, payload maliciousness, and their bipartite compatibility. Experiments on a real-world dataset show that the proposed method significantly reduces invalid alerts by around 86.37% and over 61.64% compared to a rule-based commercial WAF and several state-of-the-art methods, along with retaining a detection rate at 97.89% and a lower time overhead, which indicates that our approach can effectively mitigate alert fatigue from the detection perspective.

Junjie Zha,Xinwen Shan,Jiaxin Lu,Jiajia Zhu,Zihan Liu

DOI: https://doi.org/10.3390/electronics13224425

IF: 2.9

2024-11-13

Electronics

Abstract:Alerts are an essential tool for the detection of anomalies and ensuring the smooth operation of online service systems by promptly notifying engineers of potential issues. However, the increasing scale and complexity of IT infrastructure often result in "alert storms" during system failures, overwhelming engineers with a deluge of often correlated alerts. Therefore, effective alert aggregation is crucial in isolating root causes and accelerating failure resolution. Existing approaches typically rely on either semantic similarity or statistical methods, both of which have significant limitations, such as ignoring causal relationships or struggling to handle infrequent alerts. To overcome these drawbacks, we propose a novel two-phase alert aggregation approach. We employ temporal–spatial clustering to group alerts based on their temporal proximity and spatial attributes. In the second phase, we utilize large language models to trace the cascading effects of service failures and aggregate alerts that share the same root cause. Experimental evaluations on datasets from real-world cloud platforms demonstrate the effectiveness of our method, achieving superior performance compared to traditional aggregation techniques.

engineering, electrical & electronic,computer science, information systems,physics, applied

Anthony Palladino,Christopher J. Thissen

DOI: https://doi.org/10.48550/arXiv.1812.02848

2018-12-06

Cryptography and Security

Abstract:Intrusion detection systems (IDSs) generate valuable knowledge about network security, but an abundance of false alarms and a lack of methods to capture the interdependence among alerts hampers their utility for network defense. Here, we explore a graph-based approach for fusing alerts generated by multiple IDSs (e.g., Snort, OSSEC, and Bro). Our approach generates a weighted graph of alert fields (not network topology) that makes explicit the connections between multiple alerts, IDS systems, and other cyber artifacts. We use this multi-modal graph to identify anomalous changes in the alert patterns of a network. To detect the anomalies, we apply the role-dynamics approach, which has successfully identified anomalies in social media, email, and IP communication graphs. In the cyber domain, each node (alert field) in the fused IDS alert graph is assigned a probability distribution across a small set of roles based on that node's features. A cyber attack should trigger IDS alerts and cause changes in the node features, but rather than track every feature for every alert-field node individually, roles provide a succinct, integrated summary of those feature changes. We measure changes in each node's probabilistic role assignment over time, and identify anomalies as deviations from expected roles. We test our approach using simulations including three weeks of normal background traffic, as well as cyber attacks that occur near the end of the simulations. This paper presents a novel approach to multi-modal data fusion and a novel application of role dynamics within the cyber-security domain. Our results show a drastic decrease in the false-positive rate when considering our anomaly indicator instead of the IDS alerts themselves, thereby reducing alarm fatigue and providing a promising avenue for threat intelligence in network defense.

Shuang Geng,Wenli Zhang,Jiaheng Xie,Gemin Liang,Ben Niu,Sudha Ram

2024-06-15

Abstract:Online healthcare consultation in virtual health is an emerging industry marked by innovation and fierce competition. Accurate and timely prediction of healthcare consultation success can proactively help online platforms address patient concerns and improve retention rates. However, predicting online consultation success is challenging due to the partial role of virtual consultations in patients' overall healthcare journey and the disconnect between online and in-person healthcare IT systems. Patient data in online consultations is often sparse and incomplete, presenting significant technical challenges and a research gap. To address these issues, we propose the Dynamic Knowledge Network and Multimodal Data Fusion (DyKoNeM) framework, which enhances the predictive power of online healthcare consultations. Our work has important implications for new business models where specific and detailed online communication processes are stored in the IT database, and at the same time, latent information with predictive power is embedded in the network formed by stakeholders' digital traces. It can be extended to diverse industries and domains, where the virtual or hybrid model (e.g., integration of online and offline services) is emerging as a prevailing trend.

Machine Learning

Juntao Kang,Lei Wang,Wenbin Zhang,Jun Hu,Xingxiang Chen,Dong Wang,Zechuan Yu

DOI: https://doi.org/10.1177/14759217241265286

2024-08-27

Structural Health Monitoring

Abstract:Structural Health Monitoring, Ahead of Print. To alert upcoming structural failure is a critical task for structural health monitoring of bridges. Traditional methods mainly rely on thresholds, which are often fixed values and may cause missing or too sensitive reports. Identifying abnormal data, locating the source of anomalies and delivering proportional alerts require new, dynamic, and robust algorithms running on massively streaming monitoring data. This article proposes a new machine learning-based anomaly detection method for historical data mining as well as real-time alerting. The method transforms one-dimensional time series into two-dimensional tensors, enabling the encoder-like model to simultaneously learn the changes in multiple sensors within and between temporal cycles in a two-dimensional space. Training and validation of the proposed method are presented with data from a bridge monitoring system in service, and comparisons against traditional threshold-based alerting method are made. The proposed method can accurately identify abnormalities beyond the traditional thresholds and effectively detect abnormal deviations of sensors, thus constituting as a promising module for real-time alerting systems of bridges.

engineering, multidisciplinary,instruments & instrumentation