A Model-Based Approach to Anomaly Detection Trading Detection Time and False Alarm Rate
Charles F. Gonçalves, Daniel S. Menasché, Alberto Avritzer, Nuno Antunes, Marco Vieira

TL;DR
This paper introduces a model-based anomaly detection method that uses system performance signatures to identify zero-day attacks in cloud environments, effectively balancing detection accuracy and false alarm rates.
Contribution
It presents a novel analytical performance modeling approach that controls false positives and detects anomalies without prior attack data.
Findings
Successfully detected anomalies with 90%-98% precision.
Effective in identifying zero-day attacks through performance deviations.
Controlled false positive rate in anomaly detection.
Abstract
The complexity and ubiquity of modern computing systems are fertile ground for anomalies, including security and privacy breaches. In this paper, we propose a new methodology that addresses the practical challenges of implementing anomaly detection approaches. Specifically, it is hard to define normal behavior comprehensively and to acquire data on anomalies in diverse cloud environments. To tackle those challenges, we focus on anomaly detection approaches based on system performance signatures. In particular, performance signatures have the potential to detect zero-day attacks, since these approaches detect performance deviations and do not require detailed knowledge of attack history. The proposed methodology combines an analytical performance model with experimentation and allows the rate of false positives to be controlled in a principled manner. The methodology is…
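The trade-off named in the title, detection time against false alarm rate, comes down to where the alarm threshold on a performance signature is set. The following is an added illustration, not code from the paper or its authors: it replaces the paper's analytical performance model with a textbook one-sided CUSUM on standardized response-time residuals, calibrates the threshold h as an empirical (1 - alpha) quantile of the statistic under normal operation, and then measures both the held-out false-alarm rate and the delay until a latency shift is flagged. The latency series, the Gaussian baseline (100 ms, sigma 5 ms), the 12 ms shift and the allowance k = 0.5 are all constructed assumptions chosen for the example.

```python
"""Added illustration of the detection-delay / false-alarm trade-off in a
performance-signature detector. Not the paper's code: a plain one-sided CUSUM
stands in for the authors' analytical performance model, and every series
below is constructed synthetic data."""
import random
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    """Normal-behaviour performance signature: mean and std of one metric."""
    mu: float
    sigma: float


def constructed_response_times(n: int, seed: int, shift_ms: float = 0.0,
                               shift_at: int = 0) -> List[float]:
    """Synthetic per-request latencies (ms): ~N(100, 5^2) under normal load
    (assumed baseline), plus shift_ms from index shift_at on (the anomaly)."""
    rng = random.Random(seed)
    return [max(0.0, rng.gauss(100.0, 5.0)) + (shift_ms if i >= shift_at else 0.0)
            for i in range(n)]


def fit_signature(normal: List[float]) -> Signature:
    return Signature(mean(normal), pstdev(normal) or 1.0)


def cusum(series: List[float], sig: Signature, k: float = 0.5) -> List[float]:
    """Upper one-sided CUSUM on standardized residuals:
    S_t = max(0, S_{t-1} + z_t - k), with z_t = (x_t - mu) / sigma.
    k is the allowance: roughly half the shift (in sigmas) worth catching."""
    s, out = 0.0, []
    for x in series:
        s = max(0.0, s + (x - sig.mu) / sig.sigma - k)
        out.append(s)
    return out


def calibrate_threshold(normal_stats: List[float], alpha: float) -> float:
    """h = empirical (1 - alpha) quantile of S_t on normal data, so that at
    most about alpha * n of the normal samples exceed h."""
    ordered = sorted(normal_stats)
    idx = min(len(ordered) - 1, int((1.0 - alpha) * len(ordered)))
    return ordered[idx]


def false_alarm_rate(stats: List[float], h: float) -> float:
    return sum(1 for s in stats if s > h) / len(stats)


def detection_delay(stats: List[float], h: float, anomaly_at: int) -> Optional[int]:
    """Samples from anomaly onset until S_t first exceeds h; None if never."""
    for t in range(anomaly_at, len(stats)):
        if stats[t] > h:
            return t - anomaly_at
    return None


def trade_off(alpha: float, shift_ms: float = 12.0, seed: int = 7) -> Dict[str, object]:
    """Calibrate h on one normal run, then report the false-alarm rate on the
    calibration run and on a held-out normal run, and the detection delay on
    a run whose latency shifts by shift_ms at sample 300."""
    train = constructed_response_times(2000, seed)
    sig = fit_signature(train)
    train_stats = cusum(train, sig)
    h = calibrate_threshold(train_stats, alpha)
    heldout = constructed_response_times(2000, seed + 1)
    attacked = constructed_response_times(600, seed + 2, shift_ms, shift_at=300)
    return {
        "alpha": alpha,
        "threshold": h,
        "calibration_far": false_alarm_rate(train_stats, h),
        "false_alarm_rate": false_alarm_rate(cusum(heldout, sig), h),
        "detection_delay": detection_delay(cusum(attacked, sig), h, 300),
    }


if __name__ == "__main__":
    # Lowering alpha raises h: fewer false alarms, slower detection.
    for a in (0.10, 0.01, 0.001):
        print(trade_off(a))
```

Running the script prints one row per alpha; the threshold and detection delay grow as alpha shrinks while the held-out false-alarm rate falls, which is the knob the paper's methodology is about setting in a principled way. Two caveats a practitioner should keep in mind: the quantile bound on false alarms holds exactly only on the calibration data (the held-out rate is an estimate), and a real performance signature is usually multivariate (CPU, memory, I/O, latency), so one would calibrate per metric or on a combined statistic rather than on a single latency series.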
