Automatic Detection of Abnormal Behavior in Computing Systems PDF

62 Pages·2016·2.33 MB·English

University of Kentucky
UKnowledge
Theses and Dissertations--Computer Science
Computer Science
2013

Automatic Detection of Abnormal Behavior in Computing Systems
James Frank Roberts
University of Kentucky, [email protected]

Recommended Citation
Roberts, James Frank, "Automatic Detection of Abnormal Behavior in Computing Systems" (2013). Theses and Dissertations--Computer Science. 11. https://uknowledge.uky.edu/cs_etds/11

This Master's Thesis is brought to you for free and open access by the Computer Science at UKnowledge. It has been accepted for inclusion in Theses and Dissertations--Computer Science by an authorized administrator of UKnowledge. For more information, please contact [email protected].

STUDENT AGREEMENT:
I represent that my thesis or dissertation and abstract are my original work. Proper attribution has been given to all outside sources. I understand that I am solely responsible for obtaining any needed copyright permissions. I have obtained and attached hereto needed written permission statement(s) from the owner(s) of each third-party copyrighted matter to be included in my work, allowing electronic distribution (if such use is not permitted by the fair use doctrine).

I hereby grant to The University of Kentucky and its agents the non-exclusive license to archive and make accessible my work in whole or in part in all forms of media, now or hereafter known. I agree that the document mentioned above may be made available immediately for worldwide access unless a preapproved embargo applies. I retain all other ownership rights to the copyright of my work. I also retain the right to use in future works (such as articles or books) all or part of my work. I understand that I am free to register the copyright to my work.

REVIEW, APPROVAL AND ACCEPTANCE
The document mentioned above has been reviewed and accepted by the student's advisor, on behalf of the advisory committee, and by the Director of Graduate Studies (DGS), on behalf of the program; we verify that this is the final, approved version of the student's dissertation including all changes required by the advisory committee. The undersigned agree to abide by the statements above.

James Frank Roberts, Student
Dr. Raphael A. Finkel, Major Professor
Dr. Raphael A. Finkel, Director of Graduate Studies

Automatic Detection of Abnormal Behavior in Computing Systems

THESIS

A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in the College of Engineering at the University of Kentucky

By
J. Frank Roberts
Lexington, Kentucky

Director: Dr. Raphael A. Finkel, Professor of Computer Science
Lexington, Kentucky
2013

Copyright © J. Frank Roberts 2013

ABSTRACT OF THESIS

Automatic Detection of Abnormal Behavior in Computing Systems

I present RAACD, a software suite that detects misbehaving computers in large computing systems and presents information about those machines to the system administrator. I build this system using preexisting anomaly detection techniques. I evaluate my methods using simple synthesized data, real data containing coerced abnormal behavior, and real data containing naturally occurring abnormal behavior. I find that the system adequately detects abnormal behavior and significantly reduces the amount of uninteresting computer health data presented to a system administrator.

KEYWORDS: Anomaly detection, computer system health monitoring, SAX

Author's signature: J. Frank Roberts
Date: April 30, 2013

Automatic Detection of Abnormal Behavior in Computing Systems

By
J. Frank Roberts

Director of Thesis: Raphael A. Finkel
Director of Graduate Studies: Raphael A. Finkel
Date: April 30, 2013

I dedicate this thesis to my grandparents, Joe and Loretta Roberts.

ACKNOWLEDGMENTS

I'd like to thank Professor Hank Dietz, who encouraged me to engage in research early in my undergraduate career. Dr. Dietz conceived NodeScape and has helped me maintain a practical focus in my research activities.

I'd like to thank Professor Raphael Finkel for guiding my research and keeping me focused, and for teaching me the proper style for technical writing.

I'd like to thank the Department of Computer Science and the KAOS research group for allowing me to run my monitoring software on their machines.

I'd like to thank my lab-mates Paul Eberhart and Matt Sparks for providing helpful discussion and general companionship as I've worked to complete my research. In particular, I'd like to thank Matt for providing the idea that eventually led to the name for RAACD.

I'd like to thank my parents, James and Donna Roberts, for instilling in me the motivation and discipline necessary to complete the goals that I set for myself.

I'd like to thank my grandparents, Joe and Loretta Roberts, for their patient and unconditional support.

TABLE OF CONTENTS

Acknowledgments ... iii
Table of Contents ... iv
List of Tables ... v
List of Figures ... vi
Chapter 1  Introduction ... 1
Chapter 2  Relevance ... 2
Chapter 3  Related Work ... 4
  3.1  Other Monitoring Systems ... 4
  3.2  Anomaly Detection and Time Series Analysis Methods ... 6
  3.3  Other Uses of SAX ... 8
  3.4  Connections to Related Work ... 9
Chapter 4  Algorithms for Anomaly Detection ... 10
  4.1  Symbolic Aggregate Approximation ... 10
  4.2  Computing an Anomaly Score ... 11
  4.3  Characteristics of Subword-count Histograms ... 12
  4.4  Window-pair Analysis ... 13
  4.5  Baseline Analysis ... 14
  4.6  Profile Search ... 14
  4.7  Multi-property Search ... 14
  4.8  Computing Ideal Offset ... 15
Chapter 5  Implementation ... 17
Chapter 6  Evaluation ... 19
  6.1  Detecting Anomalies in a Single Series ... 19
  6.2  Testing Multi-Property Detection ... 40
Chapter 7  Conclusion ... 45
Chapter 8  Future Work ... 47
Bibliography ... 50
Vita ... 52

LIST OF TABLES

4.1  SAX conversion example ... 10
4.2  Breakpoints based on the normal distribution ... 11
4.3  Computing an anomaly score ... 12
6.1  Standard testing configurations ... 25
6.2  Testing configuration number 6 ... 27
6.3  Sine function testing configurations ... 35
6.4  RAACD-profile configuration ... 40
6.5  RAACD-search configuration ... 40

LIST OF FIGURES

2.1  A temperature display from NodeScape v1 ... 2
4.1  A visualization of inspection-window view ... 16
6.1  Configuration 1, impulse test ... 20
6.2  Configuration 2, impulse test ... 21
6.3  Configuration 3, impulse test ... 22
6.4  Configuration 4, impulse test ... 23
6.5  Configuration 5, impulse test ... 24
6.6  Configuration 1, noisy impulse test ... 28
6.7  Configuration 2, noisy impulse test ... 29
6.8  Configuration 3, noisy impulse test ... 30
6.9  Configuration 4, noisy impulse test ... 31
6.10  Configuration 5, noisy impulse test ... 32
6.11  Configuration 6, noisy impulse test ... 33
6.12  Configuration 7, long-period baseline, sine function test ... 36
6.13  Configuration 8, long-period baseline, sine function test ... 36
6.14  Configuration 7, short-period baseline, sine function test ... 37
6.15  Configuration 8, short-period baseline, sine function test ... 37
6.16  Configuration 9, long-period baseline, sine function test ... 38
6.17  Monitoring data captured from violet.cs.uky.edu ... 41
6.18  Monitoring data captured from iris.cs.uky.edu ... 43
6.19  Monitoring data captured from conglomerate ... 44
6.20  The old process count on conglomerate ... 44
