Skip to main content

Automatic Invariant Selection for Online Anomaly Detection

  • Conference paper
  • First Online:
Computer Safety, Reliability, and Security (SAFECOMP 2016)

Abstract

Invariants are stable relationships among system metrics expected to hold during normal operating conditions. The violation of such relationships can be used to detect anomalies at runtime. However, this approach does not scale to large systems, as the number of invariants quickly grows with the number of considered metrics. The resulting “background noise” for the invariant-based detection system hinders its effectiveness. In this paper we propose a general and automatic approach for identifying a subset of mined invariants that properly model system runtime behavior with a reduced amount of background noise. This translates into better overall performance (i.e., less false positives).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    A false positive is an error in the detection, in which an anomaly is reported when no anomalies occurred. A false negative is an omission of the detector, which does not report an occurred anomaly.

References

  1. Jiang, G., Chen, H., Yoshihira, K.: Discovering likely invariants of distributed transaction systems for autonomic system management. Cluster Comput. 9(4), 385–399 (2006)

    Article  Google Scholar 

  2. Lou, J.-G., et al.: Mining invariants from console logs for system problem detection. In: Proceedings of the USENIX Annual Technical Conference (2010)

    Google Scholar 

  3. Xu, X., Zhu, L., Weber, I., Bass, L., Sun, D.: POD-diagnosis: error diagnosis of sporadic operations on cloud applications. In: 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (2014)

    Google Scholar 

  4. Sharma, A.B., et al.: Fault detection and localization in distributed systems using invariant relationships. In: 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (2013)

    Google Scholar 

  5. Sarkar, S., Ganesan, R., Cinque, M., Frattini, F., Russo, S., Savignano, A.: Mining invariants from SaaS application logs. In: Tenth European Dependable Computing Conference (EDCC 2014) (May 2014)

    Google Scholar 

  6. Frattini, F., Sarkar, S., Khasnabish, J., Russo, S.: Using invariants for anomaly detection: the case study of a SaaS application. In: IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW) (2014)

    Google Scholar 

  7. Sahoo, S.K., et al.: Using likely program invariants to detect hardware errors. In: IEEE International Conference on Dependable Systems and Networks (DSN) (2008)

    Google Scholar 

  8. Ernst, M., Cockrell, J., Griswold, W.G., Notkin, D.: Dynamically discovering likely program invariants to support program evolution. IEEE Trans. Softw. Eng. 27(2), 99–123 (2001)

    Article  Google Scholar 

  9. Jain, R.: The Art of Computer Systems Performance Analysis. Wiley (1991)

    Google Scholar 

  10. Ticket Monster. http://www.jboss.org/ticket-monster/

  11. Tsung. http://tsung.erlang-projects.org/

  12. Avizienis, A., et al.: Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secur. Comput. 1(1), 11–33 (2004)

    Article  Google Scholar 

  13. Zhang, J., et al.: Encore: exploiting system environment and correlation information for misconfiguration detection. SIGARCH Comput. Archit. News 42(1), 687–700 (2014)

    Google Scholar 

  14. Rice University - Division of Information Technology, Why Are My Jobs Not Running?, April 2013. http://rcsg.rice.edu/rcsg/shared/scheduling.html

  15. IGI - Italian Grid Infrastructure, Troubleshooting guide for CREAM, April 2013. https://wiki.italiangrid.it/twiki/bin/view/CREAM/TroubleshootingGuide

  16. Bovenzi, A., Cotroneo, D., Pietrantuono, R., Russo, S.: Workload characterization for software aging analysis. In: IEEE 22nd International Symposium on Software Reliability Engineering (ISSRE) (2011)

    Google Scholar 

  17. Goldberg, D.: Genetic Algorithms in Search, Optimization, and Machine Learning. Addison-Wesley, Boston (1989)

    MATH  Google Scholar 

Download references

Acknowledgments

This work has been supported by the TENACE PRIN Project (no. 20103P34XC) funded by MIUR. The work by Cinque and Russo has also been partially supported by EU under Marie Curie IAPP grant no. 324334 CECRIS (CErtification of CRItical Systems).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Flavio Frattini .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Aniello, L., Ciccotelli, C., Cinque, M., Frattini, F., Querzoni, L., Russo, S. (2016). Automatic Invariant Selection for Online Anomaly Detection. In: Skavhaug, A., Guiochet, J., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2016. Lecture Notes in Computer Science(), vol 9922. Springer, Cham. https://doi.org/10.1007/978-3-319-45477-1_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-45477-1_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45476-4

  • Online ISBN: 978-3-319-45477-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics