ABSTRACT
Identifying and diagnosing anomalies in application behavior is critical to delivering reliable application-level performance. In this paper we introduce a strategy to detect anomalies and diagnose the possible reasons behind them. Our approach extends the traditional window-based strategy by using signal-processing techniques to filter out recurring, background fluctuations in resource behavior. In addition, we have developed a diagnosis technique that uses standard monitoring data to determine which related changes in behavior may cause anomalies. We evaluate our anomaly detection and diagnosis technique by applying it in three contexts when we insert anomalies into the system at random intervals. The experimental results show that our strategy detects up to 96% of anomalies while reducing the false positive rate by up to 90% compared to the traditional window average strategy. In addition, our strategy can diagnose the reason for the anomaly approximately 75% of the time.