Automatic Invariant Selection for Online Anomaly Detection

  • Leonardo Aniello
  • Claudio Ciccotelli
  • Marcello Cinque
  • Flavio Frattini
  • Leonardo Querzoni
  • Stefano Russo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9922)


Invariants are stable relationships among system metrics that are expected to hold during normal operating conditions. The violation of such relationships can be used to detect anomalies at runtime. However, this approach does not scale to large systems, as the number of invariants quickly grows with the number of considered metrics. The resulting “background noise” for the invariant-based detection system hinders its effectiveness. In this paper we propose a general and automatic approach for identifying a subset of mined invariants that properly model system runtime behavior with a reduced amount of background noise. This translates into better overall performance (i.e., fewer false positives).



This work has been supported by the TENACE PRIN Project (no. 20103P34XC) funded by MIUR. The work by Cinque and Russo has also been partially supported by EU under Marie Curie IAPP grant no. 324334 CECRIS (CErtification of CRItical Systems).



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Leonardo Aniello (1)
  • Claudio Ciccotelli (1)
  • Marcello Cinque (2)
  • Flavio Frattini (2, 3)
  • Leonardo Querzoni (1)
  • Stefano Russo (2)

  1. Università di Roma Sapienza, Rome, Italy
  2. Università degli Studi di Napoli Federico II, Naples, Italy
  3. RisLab - Research and Innovation for Security Lab, Naples, Italy
