FRAPpuccino: Fault-detection through Runtime Analysis of Provenance
Xueyuan Han, Thomas Pasquier, Tanvi Ranjan, Mark Goldstein, Margo, Seltzer
TL;DR
FRAPpuccino (FRAP) is a provenance-based fault detection system for PaaS that models normal application behavior and detects anomalies through runtime provenance graph analysis.
Contribution
FRAP introduces a novel provenance-based approach for fault detection in PaaS environments, utilizing dynamic modeling and sliding window comparison.
Findings
Accurately detects application anomalies in PaaS environments.
Uses provenance graphs to model legitimate behavior.
Effective in large-scale cluster settings.
Abstract
We present FRAPpuccino (or FRAP), a provenance-based fault detection mechanism for Platform as a Service (PaaS) users, who run many instances of an application on a large cluster of machines. FRAP models, records, and analyzes the behavior of an application and its impact on the system as a directed acyclic provenance graph. It assumes that most instances behave normally and uses their behavior to construct a model of legitimate behavior. Given a model of legitimate behavior, FRAP uses a dynamic sliding window algorithm to compare a new instance's execution to that of the model. Any instance that does not conform to the model is identified as an anomaly. We present the FRAP prototype and experimental results showing that it can accurately detect application anomalies.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsNetwork Security and Intrusion Detection · Software System Performance and Reliability · Advanced Malware Detection Techniques