A Model-Based Approach to Anomaly Detection Trading Detection Time and False Alarm Rate
This work addresses practical implementation issues for anomaly detection in cloud systems, offering a method to manage false alarm rates, but it is incremental as it builds on existing performance signature techniques.
The paper tackled the challenge of anomaly detection in cloud environments by proposing a model-based approach that controls false positives, achieving a precision of 90%-98% in detecting resource exhaustion anomalies using the TPCx-V workload.
The complexity and ubiquity of modern computing systems is a fertile ground for anomalies, including security and privacy breaches. In this paper, we propose a new methodology that addresses the practical challenges to implement anomaly detection approaches. Specifically, it is challenging to define normal behavior comprehensively and to acquire data on anomalies in diverse cloud environments. To tackle those challenges, we focus on anomaly detection approaches based on system performance signatures. In particular, performance signatures have the potential of detecting zero-day attacks, as those approaches are based on detecting performance deviations and do not require detailed knowledge of attack history. The proposed methodology leverages an analytical performance model and experimentation and allows to control the rate of false positives in a principled manner. The methodology is evaluated using the TPCx-V workload, which was profiled during a set of executions using resource exhaustion anomalies that emulate the effects of anomalies affecting system performance. The proposed approach was able to successfully detect the anomalies, with a low number of false positives (precision 90%-98%).