Visible to the public A Model-Based Approach to Anomaly Detection Trading Detection Time and False Alarm Rate

TitleA Model-Based Approach to Anomaly Detection Trading Detection Time and False Alarm Rate
Publication TypeConference Paper
Year of Publication2020
AuthorsGonçalves, Charles F., Menasche, Daniel S., Avritzer, Alberto, Antunes, Nuno, Vieira, Marco
Conference Name2020 Mediterranean Communication and Computer Networking Conference (MedComNet)
Date PublishedJune 2020
ISBN Number978-1-7281-6248-5
KeywordsAnalytical models, anomaly detection, cloud computing, composability, cyber physical systems, Degradation, False Data Detection, Human Behavior, human factors, Markov processes, Modeling, pubcrawl, resilience, Resiliency, security, Throughput, virtualization
AbstractThe complexity and ubiquity of modern computing systems is a fertile ground for anomalies, including security and privacy breaches. In this paper, we propose a new methodology that addresses the practical challenges to implement anomaly detection approaches. Specifically, it is challenging to define normal behavior comprehensively and to acquire data on anomalies in diverse cloud environments. To tackle those challenges, we focus on anomaly detection approaches based on system performance signatures. In particular, performance signatures have the potential of detecting zero-day attacks, as those approaches are based on detecting performance deviations and do not require detailed knowledge of attack history. The proposed methodology leverages an analytical performance model and experimentation, and allows to control the rate of false positives in a principled manner. The methodology is evaluated using the TPCx-V workload, which was profiled during a set of executions using resource exhaustion anomalies that emulate the effects of anomalies affecting system performance. The proposed approach was able to successfully detect the anomalies, with a low number of false positives (precision 90%-98%).
Citation Keygoncalves_model-based_2020