Learning State Machines to Monitor and Detect Anomalies on a Kubernetes Cluster
Clinton Cao, Agathe Blaise, Sicco Verwer, Filippo Rebecchi

TL;DR
This paper introduces a novel approach that learns state machine models to monitor and detect anomalies, including attacks, in a Kubernetes cloud environment with high accuracy, offering better interpretability than neural networks.
Contribution
It is the first work to apply state machine models to microservice architectures for anomaly detection in cloud environments.
Findings
Achieved 99.2% balanced accuracy in attack detection.
F1 score of 0.982 indicates high detection performance.
Demonstrated interpretability advantages over neural network approaches.
Abstract
These days more companies are shifting towards using cloud environments to provide their services to their clients. While it is easy to set up a cloud environment, it is equally important to monitor the system's runtime behaviour and identify anomalous behaviours that occur during its operation. In recent years, the utilisation of recurrent neural networks (RNNs) and deep neural networks (DNNs) to detect anomalies that might occur during runtime has been a trending approach. However, it is unclear how to explain the decisions made by these networks and how these networks should be interpreted to understand the runtime behaviour that they model. On the contrary, state machine models provide an easier manner to interpret and understand the behaviour that they model. In this work, we propose an approach that learns state machine models to model the runtime behaviour of a cloud environment that runs multiple microservice…
