Automatic Invariant Selection for Online Anomaly Detection
Invariants are stable relationships among system metrics expected to hold during normal operating conditions. The violation of such relationships can be used to detect anomalies at runtime. However, this approach does not scale to large systems, as the number of invariants quickly grows with the number of considered metrics. The resulting “background noise” for the invariant-based detection system hinders its effectiveness. In this paper we propose a general and automatic approach for identifying a subset of mined invariants that properly model system runtime behavior with a reduced amount of background noise. This translates into better overall performance (i.e., less false positives).
This work has been supported by the TENACE PRIN Project (no. 20103P34XC) funded by MIUR. The work by Cinque and Russo has also been partially supported by EU under Marie Curie IAPP grant no. 324334 CECRIS (CErtification of CRItical Systems).
- 2.Lou, J.-G., et al.: Mining invariants from console logs for system problem detection. In: Proceedings of the USENIX Annual Technical Conference (2010)Google Scholar
- 3.Xu, X., Zhu, L., Weber, I., Bass, L., Sun, D.: POD-diagnosis: error diagnosis of sporadic operations on cloud applications. In: 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (2014)Google Scholar
- 4.Sharma, A.B., et al.: Fault detection and localization in distributed systems using invariant relationships. In: 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (2013)Google Scholar
- 5.Sarkar, S., Ganesan, R., Cinque, M., Frattini, F., Russo, S., Savignano, A.: Mining invariants from SaaS application logs. In: Tenth European Dependable Computing Conference (EDCC 2014) (May 2014)Google Scholar
- 6.Frattini, F., Sarkar, S., Khasnabish, J., Russo, S.: Using invariants for anomaly detection: the case study of a SaaS application. In: IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW) (2014)Google Scholar
- 7.Sahoo, S.K., et al.: Using likely program invariants to detect hardware errors. In: IEEE International Conference on Dependable Systems and Networks (DSN) (2008)Google Scholar
- 9.Jain, R.: The Art of Computer Systems Performance Analysis. Wiley (1991)Google Scholar
- 10.Ticket Monster. http://www.jboss.org/ticket-monster/
- 13.Zhang, J., et al.: Encore: exploiting system environment and correlation information for misconfiguration detection. SIGARCH Comput. Archit. News 42(1), 687–700 (2014)Google Scholar
- 14.Rice University - Division of Information Technology, Why Are My Jobs Not Running?, April 2013. http://rcsg.rice.edu/rcsg/shared/scheduling.html
- 15.IGI - Italian Grid Infrastructure, Troubleshooting guide for CREAM, April 2013. https://wiki.italiangrid.it/twiki/bin/view/CREAM/TroubleshootingGuide
- 16.Bovenzi, A., Cotroneo, D., Pietrantuono, R., Russo, S.: Workload characterization for software aging analysis. In: IEEE 22nd International Symposium on Software Reliability Engineering (ISSRE) (2011)Google Scholar