Shize Zhang,Yunfeng Zhao,Jianyuan Lu,Shuai Yang,Biao Lyu,Shunmin Zhu,Enhuan Dong,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1109/issre52982.2021.00046

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:Due to the sharing nature of public cloud, most of the cloud services use a sharing bandwidth package (sBwp) model to conduct inbound/outbound communication. The sBwp model allows users to purchase a sharing bandwidth for plenty of virtual machines instead of purchasing bandwidth for each virtual machine separately. The advantage of sBwp is that it can provide users with convenient configuration and lower economic cost. However, the sBwp model brings new challenges for operators to localize the root cause of traffic anomalies of a sharing bandwidth, especially for a globally distributed large-scale public cloud with millions of users. In this paper, we first formalize the sBwp problem on the cloud and propose CloudPin, a root cause localization framework for this problem. Our framework solves all the challenges by employing a multi-dimensional algorithm with three sub-models of prediction deviation, anomaly ampli-tude, and shape similarity, and an overall ranking algorithm. Evaluations on real-world data, from one of the world-renowned public cloud vendors, show that our algorithm precision reaches 97.8% for the top 1 of the ranking list, outperforming multiple baseline algorithms.

Xiaoze Liu,Zheng Yin,Chao Zhao,Congcong Ge,Lu Chen,Yunjun Gao,Dimeng Li,Ziting Wang,Gaozhong Liang,Jian Tan,Feifei Li

DOI: https://doi.org/10.1109/icde53745.2022.00236

2022-01-01

Abstract:Deploying database services on cloud systems has gained increasing popularity and has become a common practice in the industry. However, the complicated cloud environments make performance issues inevitable, which could violate the service level guarantee if not addressed in a timely manner. Among the various problems, anomalies in SQL queries are the most commonly reported sources that cause performance issues in database applications. These anomalous queries can be divided into High-impact SQLs (H-SQLs) and Root Cause SQLs (R-SQLs), representing the related SQLs that are correlated with the anomalies and the ones that are the root causes of the performance issue, respectively. In the presence of a large number of queries, to pinpoint the R-SQLs is far more difficult than to identify the H-SQLs. To address this challenge, we aim at automatically pinpointing the R-SQLs to resolve performance issues in cloud databases. This paper introduces PinSQL, an autonomous diagnosing system for Alibaba Cloud, which has four modules that are executed sequentially, including data collection and pre-processing, anomaly detection, root cause analysis, and repairing actions. First, the related performance metrics and query logs from monitored cloud database instances are collected and aggregated as the data sources. Then, based on these inputs, efficient anomaly detection is conducted in real-time. Upon the detection of an anomaly, the root cause SQLs are pinpointed through tracking the propagation chain of the involved SQLs. Finally, repairing actions are suggested and then executed on R-SQLs to address the anomalies. Extensive experiments on an Alibaba production system show that PinSQL can achieve an 80% accuracy for pinpointing the top-1 R-SQLs and successfully resolve the database performance issues resultantly.

Zhe Wang,Huanwu Hu,Linghe Kong,Xinlei Kang,Teng Ma,Qiao Xiang,Jingxuan Li,Yang Lu,Zhuo Song,Peihao Yang,Jiejian Wu,Yong Yang,Tao Ma,Zheng Liu,Xianlong Zeng,Dennis Cai,Guihai Chen

2024-01-01

Abstract:Timely detection and diagnosis of application-network anomalies is a key challenge of operating large-scale production clouds. We reveal three practical issues in a cloud-native era. First, impact assessment of anomalies at a (micro)service level is absent currently deployed monitoring systems. Ping systems are oblivious to the "actual weights" of application traffic, e.g., traffic volume and the number of connections/instances. Failures of critical (micro)services with large weights can be easily overlooked by probing systems under prevalent network jitters. Second, the efficiency of anomaly routing (to a blamed application/network team) is still low with multiple attribution teams involved. Third, collecting fine-grained metrics at a (micro)service level incurs considerable computational/storage overheads, however, is indispensable for accurate impact assessment and anomaly routing. We introduce the application-network diagnosing (AND) system in Alibaba cloud. AND exploits the single metric of TCP retransmission (retx) to capture anomalies at (micro)service levels and correlates applications with networks end-to-end. To resolve deployment challenges, AND further proposes three core designs: (1) a collecting tool to perform filtering/statistics on massive retxs at the (micro)service level, (2) a real-time detection procedure to extract anomalies from 'noisy' rem with millions of time series, (3) an anomaly routing model to delimit anomalies among multiple target teams/scenarios. AND has been deployed in Alibaba cloud for over three years and enables minute-level anomaly detection/routing and fast failure recovery.

Feilong Tang,Lu Li,Leonard Barolli,Can Tang

DOI: https://doi.org/10.1109/AINA.2017.125

2017-01-01

Abstract:Software defined networking (SDN) provides flexible management for datacenter networks with the flow-level control. Such the fine-grained management, however, consumes large amount of bandwidth between data and control planes, which results in the bottleneck in the scalability of SDN-based datacenters. "The elephant and mouse phenomenon" suggests that there are only very few elephant flows that carry the majority of bytes in datacenters so that it can improve management efficiency to detect and reroute elephant flows while leaving mice flows in data plane leveraging wildcard flow table in OpenFlow. Unfortunately, existing mechanisms for elephant flow detection suffer from high bandwidth consumption and long detection time. In this paper, we propose an efficient sampling and classification approach (ESCA) with the two-phase elephant flow detection. In the first phase, ESCA improves sampling efficiency by estimating the arrival interval of elephant flows and filtering out redundant samples using a filtering flow table. In the second phase, ESCA classifies samples with a new supervised classification algorithm based on correlation among data flows. The mathematical analysis proofs our ESCA outperforms related schemes. Extensive experiment results on real public datacenter traces further demonstrate that our ESCA can provide accurate detection with less sampled packets and shorter detection time.

Jianping Weng,Jessie Hui Wang,Jiahai Yang,Yang

DOI: https://doi.org/10.1109/tnet.2018.2843805

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Anomalies of multitier services running in cloud platform can be caused by components of the same tenant or performance interference from other tenants. If the performance of a multitier service degrades, we need to find out the root causes precisely to recover the service as soon as possible. In this paper, we argue that cloud providers are in a better position than tenants to solve this problem, and the solution should be non-intrusive to tenants' services or applications. Based on these two considerations, we propose a solution for cloud providers to help tenants to localize root causes of any anomaly. We design a non-intrusive method to capture the dependency relationships of components, which improves the feasibility of root cause localization system. Our solution can find out root causes no matter they are in the same tenant as the anomaly or from other tenants. Our proposed two-step localization algorithm exploits measurement data of both application layer and underlay infrastructure and a random walk procedure to improve its accuracy. Our real-world experiments of a three-tier web application running in a small-scale cloud platform show a 38.9% improvement in mean average precision compared to current methods.

HaiBo Mi,HuaiMin Wang,YangFan Zhou,Michael R. Lyu,Hua Cai

DOI: https://doi.org/10.1007/s11432-012-4747-8

2012-01-01

Science China Information Sciences

Abstract:It is hard to localize the primary cause of performance anomalies in cloud computing systems because of the complexity of interactions between components.The hidden connections in the huge number of request execution paths in such systems usually contain useful information for diagnosing performance anomalies.We propose an approach to localize anomalous invoked methods and their physical locations by leveraging request trace logs,which involves two steps:（1） firstly,cluster the requests according to their corresponding call sequences,identify anomalous requests with principal component analysis,and then pick out anomalous methods with Mann-Whitney hypothesis test;（2） secondly,compare the behavior similarities of all replicated instances of the anomalous methods with Jensen-Shannon divergence,and select the ones whose behaviors are different from those of others,which will be chosen as the final culprits of performance anomalies.We conduct experiments with four real-world cases to validate our approach in Alibaba Cloud Computing Inc.The results demonstrate that our approach can locate the prime causes of performance anomalies with the low false-positive rate and false-negative rate.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Hongxia He,Xi Li,Peng Chen,Juan Chen,Ming Liu,Lei Wu

DOI: https://doi.org/10.1186/s13677-024-00677-x

2024-01-01

Abstract:Cloud environment is a virtual, online, and distributed computing environment that provides users with large-scale services. And cloud monitoring plays an integral role in protecting infrastructures in the cloud environment. Cloud monitoring systems need to closely monitor various KPIs of cloud resources, to accurately detect anomalies. However, due to the complexity and highly dynamic nature of the cloud environment, anomaly detection for these KPIs with various patterns and data quality is a huge challenge, especially those massive unlabeled data. Besides, it’s also difficult to improve the accuracy of the existing anomaly detection methods. To solve these problems, we propose a novel Dynamic Graph Transformer based Parallel Framework (DGT-PF) for efficiently detect system anomalies in cloud infrastructures, which utilizes Transformer with anomaly attention mechanism and Graph Neural Network (GNN) to learn the spatio-temporal features of KPIs to improve the accuracy and timeliness of model anomaly detection. Specifically, we propose an effective dynamic relationship embedding strategy to dynamically learn spatio-temporal features and adaptively generate adjacency matrices, and soft cluster each GNN layer through Diffpooling module. In addition, we also use nonlinear neural network model and AR-MLP model in parallel to obtain better detection accuracy and improve detection performance. The experiment shows that the DGT-PF framework have achieved the highest F1-Score on 5 public datasets, with an average improvement of 21.6% compared to 11 anomaly detection models.

Weisong He,Rui Dai,Guangmin Hu

DOI: https://doi.org/10.6138/jit.2013.14.6.03

2013-01-01

Abstract:Network traffic analysis has received academic attention in recent years; nevertheless, few have investigated the case that the network traffic data collected may include missing values and sufficient network traffic data may not be acquired for privacy protection or the limitation of network storage equipment capacity. This paper investigates flow-level abnormal behavior trends prediction in large-scale IP networks by the means of analyzing small samples taken from massive data information. We propose an algorithm called Independent-Components-Analysis-Anomaly-Grey-Forecasting (ICA-AGF) and conduct experiments to evaluate the algorithm with Abilene network Net-flow data.

Yongqian Sun,Youjian Zhao,Ya su,Dapeng Liu,Xiaohui Nie,Yuan Meng,Shiwen Cheng,Dan Pei,Shenglin Zhang,Xianping Qu,Xuanyou Guo

DOI: https://doi.org/10.1109/access.2018.2804764

IF: 3.9

2018-01-01

IEEE Access

Abstract:Additive key performance indicators (KPIs) (such as page view (PV), revenue, and error count) with multi-dimensional attributes (such as ISP, Province, and DataCenter) are common and important in monitoring metrics in Internet companies. When an anomaly happens to an overall KPI, it is critical but challenging to localize the root cause, which is one (or more) combination of attribute values in multiple dimensions. For example, is the total PV decrease caused by the PV decrease from “Beijing”or “China Mobile in Beijing”, or “Beijing and Shanghai”? However, this task is very challenging for two major reasons. First, the PVs of different combinations are interdependent; thus, the PV anomalies at the root cause can cause the changes of many other PVs at different aggregation levels. Second, there could be tens of thousands of combinations to investigate in multi-dimensional attribute space. It is a difficulty to find the root cause from a huge search space. To address the first challenge, our approach HotSpot uses a novel potential score based on the ripple effect for anomaly propagation that we reveal. To address the second challenge, HotSpot adopts the Monte Carlo Tree Search algorithm and a hierarchical pruning strategy. Using the real-world data from a top global search engine, we show that HotSpot achieves a great improvement on effectiveness and robustness, i.e., 95% of all types of root cause cases using HotSpot (compared with only 15% using existing approaches) achieves an F-score over 90%. Operational experiences show that HotSpot can reduce the localization time from more than 1 h in manual efforts to less than 20 s.

Haoyu Liu,Chongrong Fang,Yining Qi,Jian Bai,Shaozhe Wang,Xiong Xiao,Daxiang Kang,Biao Lyu,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/noms47738.2020.9110414

2020-01-01

Abstract:Core devices form the critical components of the cloud network and provide service to multiple tenants simultaneously. The anomalies that happened in core devices impact network availability of a large number of users, meanwhile, lead to the degradation of cloud providers' profits. However, direct monitoring of core devices needs to deploy massive heartbeat checking tools on numerous related components, which will be extremely laborious. In this paper, we deploy RAIN to reduce the number of devices that need to be detailed investigated for anomalies. The session traffic data among core devices and served virtual machines are utilized to conduct the analyzing. To guarantee near real-time monitoring, RAIN is designed as a two-step structure and incorporating four feature-based detection methods. RAIN has been deployed in Alibaba's production cloud network for over 6 months and is analyzing terabytes of traffic flow metrics per day.

Chongrong Fang,Haoyu Liu,Mao Miao,Jie Ye,Lei Wang,Wansheng Zhang,Daxiang Kang,Biao Lyu,Shunmin Zhu,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/tnet.2021.3137557

2022-01-01

IEEE/ACM Transactions on Networking

Abstract:Persistent packet loss in the cloud-scale overlay network severely compromises tenant experiences. Cloud providers are keen to diagnose such problems efficiently. However, existing work is either designed for the physical network or insufficient to present the concrete reason of packet loss. We propose to record and analyze the on-site forwarding condition of packets during packet-level tracing. The cloud-scale overlay network presents great challenges to achieve this goal with its high network complexity, multi-tenant nature, and diversity of root causes. To address these challenges, we present VTrace, an automatic diagnostic system for persistent packet loss over the cloud-scale overlay network. Utilizing the ''fast path-slow path'' structure of virtual forwarding devices (VFDs), e.g., vSwitches, VTrace installs several ''coloring-matching-logging'' rules in VFDs to selectively track the target packets and inspect them in depth. The detailed forwarding situation at each hop is logged and then assembled to perform analysis with an efficient path reconstruction scheme. Experiments are conducted to demonstrate VTrace's low overhead and quick response. Besides, based on the idea ''coloring-matching-counting'', VTrace can be easily extended to VTrace-stats to identify the culprit device for transient packet loss. We share experiences of how VTrace and VTrace-stats efficiently work after deploying them in Alibaba Cloud for years.

Minhui Ke,Qingsong Wen,L. Fan,Huajie Qian,Liang Sun,Leili Xu,Yingying Zhang,Zhengxiong Guan,Junwei Jiang,Hengbo Liu

DOI: https://doi.org/10.1145/3459637.3481903

2021-10-26

Abstract:As business of Alibaba expands across the world among various industries, higher standards are imposed on the service quality and reliability of big data cloud computing platforms which constitute the infrastructure of Alibaba Cloud. However, root cause analysis in these platforms is non-trivial due to the complicated system architecture. In this paper, we propose a root cause analysis framework called CloudRCA which makes use of heterogeneous multi-source data including Key Performance Indicators (KPIs), logs, as well as topology, and extracts important features via state-of-the-art anomaly detection and log analysis techniques. The engineered features are then utilized in a Knowledge-informed Hierarchical Bayesian Network (KHBN) model to infer root causes with high accuracy and efficiency. Ablation study and comprehensive experimental comparisons demonstrate that, compared to existing frameworks, CloudRCA 1) consistently outperforms existing approaches in f1-score across different cloud systems; 2) can handle novel types of root causes thanks to the hierarchical structure of KHBN; 3) performs more robustly with respect to algorithmic configurations; and 4) scales more favorably in the data and feature sizes. Experiments also show that a cross-platform transfer learning mechanism can be adopted to further improve the accuracy by more than 10%. CloudRCA has been integrated into the diagnosis system of Alibaba Cloud and employed in three typical cloud computing platforms including MaxCompute, Realtime Compute and Hologres. It saves Site Reliability Engineers (SREs) more than 20% in the time spent on resolving failures in the past twelve months and improves service reliability significantly.

Engineering,Computer Science

Ameen Alkasem,Hongwei Liu,Decheng Zuo

DOI: https://doi.org/10.1145/3034950.3034967

2017-01-01

Abstract:Diagnosis and self-healing anomalies are an important as pectin the operations for data centers and for computing in utility clouds. Data centers which offer greater size along with heterogeneous and complex applications, software and workload systems such as anomaly/fault detection require automatic operation with runtime self-healing. Moreover, they must do so without requirement of having previous knowledge regarding normal and/or anomalous performance. Diagnosis must function for levels of different abstraction such as hardware and software, along with multiple time-series metrics for the use in environments like cloud computing. By classifying and analyzing metrics that are qualitative can offer new methods for anomaly and fault diagnosis for their distribution instead of simply providing individual metric thresholds. Categorical counterparts (binning) and normal distribution are used as a measurement that captures the extent of the distributions for concentration or dispersion so that raw metric data can be gathered across the cloud stack to create a time-series for entropy (e.g. symptoms).These symptoms can be organized hierarchically and across many cloud-ecosystems to increase scalability. These symptoms can also address the uncertainty in anomaly data. This contribution is possible since the multi-value decision diagram (MDD) for the structure of Multiple-Valued Logic (MVL) is shown to be highly efficient in terms of rapid analytical performance and is adapted to integrate the effects of measurements for multiple values. Naive Bayes Classifier (NBC) with an influence diagram (ID) are used to create time-series diagnosis technique to categorize and detect anomalies/faults during runtime to approximate the influence of each self-healing system component as to systems functioning and reliability. For the utility cloud service scenarios, the results of experiment show the viability of the presented approach. With an average of 0.89% improvement in the accuracy of anomaly diagnosis on threshold methods and an average improvement of 0.04% for false alarm rates with the near-optimum threshold method the presented approach outperforms other methods.

Xuejiao Liu,Yingjie Xia,Yanbo Wang,Jing Ren

DOI: https://doi.org/10.1002/sec.855

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:A challenge faced by many system administrators in utilizing the intrusion detection system (IDS) is to sift out genuine alerts buried with overwhelming alerts of benign activities generated by the IDS, especially for IDS deployed in large networks. Existing methods propose to identify the real alerts to aid the administrators. In our paper, we extend the idea of filtering irrelevant alerts based on alert volumes. And we formulate the flow estimation of abrupt changes in feature distribution caused by anomalies, by computing Kullback-Leibler distance of alert feature values under observation in comparison with a reference distribution, which is the mixture of a distribution drawing a tread from historical alerts, and a distribution derived from expertise provided by administrators. Experimental studies on the Defense Advanced Research Projects Agency dataset as well as real-life data gathered from the IDS of a large network show that our method is able to distinguish and highlight genuine anomalies arising from the tremendous number of intrusion alerts, including different kinds of attacks and network failures. Application of this technique to alerts greatly helps the administrators in identifying real alerts and then reduces the alert load in the future. Copyright (C) 2013 John Wiley & Sons, Ltd.

Daniel Sun,Min Fu,Liming Zhu,Guoqiang Li,Qinghua Lu

DOI: https://doi.org/10.1109/tetc.2016.2520883

2016-01-01

IEEE Transactions on Emerging Topics in Computing

Abstract:Public clouds are a style of computing platforms, where scalable and elastic Information Technology-enabled capabilities are provided as a service to external customers using Internet technologies. Using public cloud services can reduce costs and increase the choices of technologies, but it also implies limited system information for users. Thus, anomaly detection at user end has to be non-intrusive and hence difficult, particularly during DevOps operations because the impacts from both anomalies and these operations are often indistinguishable, and hence, it is hard to detect the anomalies. In this paper, our work is specific to a successful public cloud, Amazon Web Service, and a representative DevOps operation, rolling upgrade, on which we report our anomaly detection that can effectively detect anomalies. Our anomaly detection requires only metrics data and logs supplied by most public clouds officially. We use support vector machine to train multiple classifiers from monitored data for different system environments, on which the log information can indicate the best suitable classifier. Moreover, our detection aims at finding anomalies over every time interval, called window, such that the features include not only some indicative performance metrics but also the entropy and the moving average of metrics data in each window. Our experimental evaluation systematically demonstrates the effectiveness of our approach.

Ameen Alkasem,Hongwei Liu,Decheng Zuo

DOI: https://doi.org/10.1145/3034950.3034967

2017-01-01

Abstract:Diagnosis and self-healing anomalies are an important as pectin the operations for data centers and for computing in utility clouds. Data centers which offer greater size along with heterogeneous and complex applications, software and workload systems such as anomaly/fault detection require automatic operation with runtime self-healing. Moreover, they must do so without requirement of having previous knowledge regarding normal and/or anomalous performance. Diagnosis must function for levels of different abstraction such as hardware and software, along with multiple time-series metrics for the use in environments like cloud computing. By classifying and analyzing metrics that are qualitative can offer new methods for anomaly and fault diagnosis for their distribution instead of simply providing individual metric thresholds. Categorical counterparts (binning) and normal distribution are used as a measurement that captures the extent of the distributions for concentration or dispersion so that raw metric data can be gathered across the cloud stack to create a time-series for entropy (e.g. symptoms).These symptoms can be organized hierarchically and across many cloud-ecosystems to increase scalability. These symptoms can also address the uncertainty in anomaly data. This contribution is possible since the multi-value decision diagram (MDD) for the structure of Multiple-Valued Logic (MVL) is shown to be highly efficient in terms of rapid analytical performance and is adapted to integrate the effects of measurements for multiple values. Naive Bayes Classifier (NBC) with an influence diagram (ID) are used to create time-series diagnosis technique to categorize and detect anomalies/faults during runtime to approximate the influence of each self-healing system component as to systems functioning and reliability. For the utility cloud service scenarios, the results of experiment show the viability of the presented approach. With an average of 0.89% improvement in the accuracy of anomaly diagnosis on threshold methods and an average improvement of 0.04% for false alarm rates with the near-optimum threshold method the presented approach outperforms other methods.

Bo Wang,Qingyi Hua,Haoming Zhang,Xin Tan,Yahui Nan,Rui Chen,Xinfeng Shu

DOI: https://doi.org/10.1016/j.aej.2021.12.061

IF: 6.626

2022-09-01

Alexandria Engineering Journal

Abstract:With the development of software, massive information systems generate large-scale data resources involving a large amount of log information, which is of lots of meaningful contents. Accurate analysis and anomaly prediction based on logs are particularly important for building safe and reliable systems. It is evident that current anomaly prediction is not accurate enough, and there are few applications to the study of real-time reliability evaluation. Therefore, this paper uses ensemble learning model to analyze and predict anomaly of the massive system logs based on the complete procedures of log processing, including log analysis, feature extraction, anomaly detection, prediction evaluation, and real-time reliability evaluation. Compared with the traditional machine learning methods, the proposed model is able to improve the accuracy, recall rate and F1 value of anomaly prediction. The evaluation results are used to correct the real-time reliability in view of the low predicted recall rate, which greatly improves the accuracy of real-time reliability and thus provides accurate data basis and anomaly location basis for Artificial Intelligence for IT Operations. In this paper we have made the following innovations and contributions in anomaly detection and reliability measurement. The whole process was established from original log to real-time reliability measurement. New methods were adopted to improve the accuracy, recall and F1 value of anomaly detection. A real-time reliability measurement method is proposed.

engineering, multidisciplinary

Haibo Mi,Huaimin Wang,Gang Yin,Hua Cai,Qi Zhou,Tingtao Sun,Yangfan Zhou

DOI: https://doi.org/10.1109/SCC.2011.25

2011-01-01

Abstract:In large-scale cloud computing systems, even a simple user request may go through numerous of services that are deployed on different physical machines. As a result, it is a great challenge to online localize the prime causes of performance degradation in such systems. Existing end-to-end request tracing approaches are not suitable for online anomaly detection because their time complexity is exponential in the size of the trace logs. In this paper, we propose an approach, namely Magnifier, to rapidly diagnose the source of performance degradation in large-scale non-stop cloud systems. In Magnifier, the execution path graph of a user request is modeled by a hierarchical structure including component layer, module layer and function layer, and anomalies are detected from higher layer to lower layer separately. In each layer every node is assigned a newly created identifier in addition to the global identifier of the request, which significantly decreases the size of parsing trace logs and accelerates the anomaly detection process. We conduct extensive experiments over a real-world enterprise system (the Alibaba cloud computing platform) providing services for the public. The results show that Magnifier can locate the prime causes of performance degradation more accurately and efficiently.

牛国林,管晓宏,龙毅,秦涛

DOI: https://doi.org/10.3969/j.issn.1009-3443.2009.04.009

2009-01-01

Abstract:Based on tradeoffs analysis of abnormal behavior and detection methods,a multi-source traffic features analysis and abnormal detection method was proposed.The distribution characteristics of the flow size,IP addresses and ports were analyzed and found to be efficacious in traffic patterns analysis.The Renyi entropy was employed to fuse the multi-source information captured by different traffic features,and an abnormal behavior detection method was presented.Beacause of using the multi-source information,the models could detect many kinds of abnormal behaviors,which was an impossible mission for many other traditional abnormal detection methods.The experimental results based on actual network data show that the proposed abnormal detection methods are effective in detecting known and unknown attacks with high-accuracy detection rate and low complexity.