Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tokyo Research Laboratory © Copyright IBM Corporation 2003KDD 04 | 2004/08/24 | Eigenspace-based anomaly detection in computer systems IBM Research, Tokyo.

Published byTracy Dalton Modified over 9 years ago

Similar presentations

Presentation on theme: "Tokyo Research Laboratory © Copyright IBM Corporation 2003KDD 04 | 2004/08/24 | Eigenspace-based anomaly detection in computer systems IBM Research, Tokyo."— Presentation transcript:

1 Tokyo Research Laboratory © Copyright IBM Corporation 2003KDD 04 | 2004/08/24 | Eigenspace-based anomaly detection in computer systems IBM Research, Tokyo Research Laboratory Tsuyoshi Ide and Hisashi Kashima

2 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 2 Outline  Motivation  Modeling Web-based systems  Problem statement  Feature extraction  Anomaly detection  Experiment  Summary

3 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 3 Motivation: Fault detection in computer systems at the application layer  Faults at the application layer are hard to detect using existing technologies  This is especially true for Web-based systems with redundancy  Why?  The dependencies between servers make everything complicated  They are highly dynamic: Observed metrics greatly vary overtime. HTTP WAS DB HTTP WAS Computer system = strongly-correlated dynamic system

4 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 4 Motivation: Knowledge discovery from correlated (or structured) dynamic systems  Data mining from structured data has recently attracted attention  However, most of the graph mining studies focus mainly on static data  We address the dynamic correlated systems, and  We develop a tool suitable for analyzing these systems. HTTP WAS DB HTTP WAS knowledge discovery from dynamic systems

5 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 5 Modeling Web-based systems: definition  Service   contains two IP addresses  Service dependency  # of a service’s request for another service  log transform and symmetrize  Service dependency graph  nodes: services  edge weights: service dependencies  defined as an undirected graph HTTPWAS DB HTTPWAS

6 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 6 Modeling Web-based systems: How to find D

7 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 7 Modeling Web-based systems: considerations  # of edges is relatively large  e.g. more than 1000 edges for 50 services  the dependency (or adjacency) matrix might be sparse, but generally we do not know how sparse it is  Edge weights greatly vary over time  autoregressive models are inappropriate in a time scale of several minutes Service dependency between 9 &11 Services in a benchmark system count / 20s

8 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 8 Problem statement: Online anomaly detection from a time series of graphs  Given a time-dependent graph with a fixed structure,  detect anomalies online in an unsupervised manner. Practical requirements Use a simpler feature rather than the graph itself. Establish a simple thresholding policy. Edge weights are highly dynamic A change in individual edge weights does not necessarily indicates a fault We wish to detect a “phase transition” of the graph Why challenging ?

9 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 9  Definition of the “service activity vector (SAV)” Feature extraction: The principal eigenvector is the summary of the activity of services dependency matrix at t Why “activity”? If D 12 is large, then u 1 and u 2 should be large because of argmax (note: D is a positive matrix). So, if s 1 actively calls other services, then the weight in s 1 should be large. Mathematically, this equation is reduced to the eigenvalue equation:

10 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 10 Feature extraction: Also interpreted as the “stationary state” of the system  If we regard D as the time evolution operator, then the service activity vector can be interpreted as the stationary state of the system. the probability amplitude that the system is holding the control token at the service s2. s1 s2 Equation of motionstationary state Dependency matrix service activity vector = summary of the system

11 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 11 Feature extraction: M athematical properties  SAV is invariant with respect to uniform changes in traffic.  we can separate normal fluctuations in traffic from anomalies  SAV is a positive vector.  we never have negative activities.  SAV has no degeneracy.  we are free from such subtle problems as level crossings Perron-Frobenius theorem

12 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 12 Anomaly detection: From a graph sequence to a vector sequence  The problem was reduced to anomaly detection from a time sequence of directional data (normalized vector). Question 1: How can we define the anomaly metric? Question 2: How can we determine its threshold?

13 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 13 Anomaly detection: C osine-measure-like anomaly metric  Definition of anomaly metric  u (t) : activity vector at time t r (t -1) : typical activity pattern at t -1  To find the typical activity pattern,  We employ an LSI (Latent semantic indexing) like pattern extraction technique.  Perform SVD for U = [ u (t -1), u (t -2), …, u (t - W) ]  The principal left singular vector is the solution. u (t) r (t-1) SVD t - 1 t - W r (t -1)

14 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 14 Anomaly detection: A generative model for the anomaly metric  For directional data, Gaussian models do not work well  The distribution of u(t) degenerates on the surface of a hypersphere  Our starting point is the von Mises-Fisher distribution   We can approximately derive the pdf for z(t) itself. The pdf of z can be expressed as the chi-squared distribution with N-1 degrees of freedom.

15 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 15  Explicitly, the distribution of the anomaly metric, z, is given by   We wish to determine a threshold of z online  We need to construct an online algorithm to update the parameters  Seemingly, we have a single fitting parameter, ∑, but this model doesn’t work well because of the “curse of dimension”  We regard N as a fitting parameter n.  n : “effective dimension” the actual degrees of freedom in action this model works well when there are inactive degrees of freedom Anomaly detection: The notion of effective dimension angular variance u’s dimension effective dimension

16 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 16  Parameter estimation is still challenging  Because MLE has difficulties The gamma function makes everything difficult  Our approach: the moment method  The chi-squared distribution has explicit expressions for the 1 st and 2 nd moments  These can be easily solved wrt n and ∑  Online estimation for the moments are easy: Anomaly detection: A novel online algorithm to update n and ∑

17 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 17 Anomaly detection: Summary of our algorithm Critical boundary, p c “0.5%” 1 st and 2 nd moments of z D(t)D(t) dependency matrix activity vector u(t)u(t) anomaly metric z(t) n and ∑ Find z th such that Raise an alert if input parameter to define anomaly

18 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 18 Experiment: A bug in one of the Web applications  Settings  On each of the two WAS, two applications are running (“Trade” and “Plants”)  Service dependency matrices are generated every 20 seconds  The principal eigencluster has 12 services  A bug  One of the “Trade” applications malfunctions at time t A and recovers at t B.  The server process itself continues running, so the network communication is normal at the TCP layer or below.  Potentially dangerous: The throughput is hardly affected for relatively low load HTTPWAS DB HTTPWAS load generation

19 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 19 Experiment: The malfunction could be detected  The malfunction started at t A and finished at t B  Time evolution of SAV  clearly visualizes the malfunction period  the malfunction of the single service (#11) causes a massive change  Anomaly metric  Two features clearly indicate the malfunction period The latter is the evidence that the online calculation works well  Calculated threshold value  dynamically adapted to the situation  n ~ 4 is much smaller than N=12 time [min]

20 Tokyo Research Laboratory © Copyright IBM Corporation 2004 KDD 04 | 2004/08/24 |Page 20 Summary  We have considered the issue of anomaly detection from a highly dynamic graph sequence.  We have introduced several new concepts service activity vector  We demonstrated the utility of our approach in a benchmark system. cosine-measure-like anomaly metric effective dimensionmoment method

Download ppt "Tokyo Research Laboratory © Copyright IBM Corporation 2003KDD 04 | 2004/08/24 | Eigenspace-based anomaly detection in computer systems IBM Research, Tokyo."

Similar presentations

Applications of one-class classification

Applications of one-class classification
Complex Networks for Representation and Characterization of Images For CS790g Project Bingdong Li 9/23/2009.

Complex Networks for Representation and Characterization of Images For CS790g Project Bingdong Li 9/23/2009.
Eigen Decomposition and Singular Value Decomposition

Eigen Decomposition and Singular Value Decomposition
Neural networks Introduction Fitting neural networks

Neural networks Introduction Fitting neural networks
Linear Regression.

Linear Regression.
ECE 8443 – Pattern Recognition ECE 8423 – Adaptive Signal Processing Objectives: The Linear Prediction Model The Autocorrelation Method Levinson and Durbin.

ECE 8443 – Pattern Recognition ECE 8423 – Adaptive Signal Processing Objectives: The Linear Prediction Model The Autocorrelation Method Levinson and Durbin.
Change Detection C. Stauffer and W.E.L. Grimson, “Learning patterns of activity using real time tracking,” IEEE Trans. On PAMI, 22(8):747-757, Aug 2000.

Change Detection C. Stauffer and W.E.L. Grimson, “Learning patterns of activity using real time tracking,” IEEE Trans. On PAMI, 22(8): , Aug 2000.
Fast Algorithms For Hierarchical Range Histogram Constructions

Fast Algorithms For Hierarchical Range Histogram Constructions
Chapter 7 Title and Outline 1 7 Sampling Distributions and Point Estimation of Parameters 7-1 Point Estimation 7-2 Sampling Distributions and the Central.

Chapter 7 Title and Outline 1 7 Sampling Distributions and Point Estimation of Parameters 7-1 Point Estimation 7-2 Sampling Distributions and the Central.
Tokyo Research Laboratory © Copyright IBM Corporation 2006 | 2006/09/19 | PKDD 2006 Why does subsequence time-series clustering produce sine waves? IBM.

Tokyo Research Laboratory © Copyright IBM Corporation 2006 | 2006/09/19 | PKDD 2006 Why does subsequence time-series clustering produce sine waves? IBM.
DFT/FFT and Wavelets ● Additive Synthesis demonstration (wave addition) ● Standard Definitions ● Computing the DFT and FFT ● Sine and cosine wave multiplication.

DFT/FFT and Wavelets ● Additive Synthesis demonstration (wave addition) ● Standard Definitions ● Computing the DFT and FFT ● Sine and cosine wave multiplication.
Supervised Learning Recap

Supervised Learning Recap
Online Social Networks and Media. Graph partitioning The general problem – Input: a graph G=(V,E) edge (u,v) denotes similarity between u and v weighted.

Online Social Networks and Media. Graph partitioning The general problem – Input: a graph G=(V,E) edge (u,v) denotes similarity between u and v weighted.
Lecture 17: Supervised Learning Recap Machine Learning April 6, 2010.

Lecture 17: Supervised Learning Recap Machine Learning April 6, 2010.
Communities in Heterogeneous Networks Chapter 4 1 Chapter 4, Community Detection and Mining in Social Media. Lei Tang and Huan Liu, Morgan & Claypool,

Communities in Heterogeneous Networks Chapter 4 1 Chapter 4, Community Detection and Mining in Social Media. Lei Tang and Huan Liu, Morgan & Claypool,
Support Vector Machines and Kernel Methods

Support Vector Machines and Kernel Methods
x – independent variable (input)

x – independent variable (input)
Probabilistic Aggregation in Distributed Networks Ling Huang, Ben Zhao, Anthony Joseph and John Kubiatowicz {hling, ravenben, adj,

Probabilistic Aggregation in Distributed Networks Ling Huang, Ben Zhao, Anthony Joseph and John Kubiatowicz {hling, ravenben, adj,
Principal Component Analysis

Principal Component Analysis
Chapter 5: Linear Discriminant Functions

Chapter 5: Linear Discriminant Functions

Similar presentations

Ads by Google