anomaly detection and troubleshooting of large scale
play

Anomaly Detection and Troubleshooting of Large Scale Systems from - PowerPoint PPT Presentation

Sep 05, 2023 •149 likes •689 views

Anomaly Detection and Troubleshooting of Large Scale Systems from Event Logs Presented By Niloy Ganguly Bivas Mitra, Subhendu Khatuya Also in collaboration with NetApp Department of Computer Science and Engineering Indian Institute of

  1. Anomaly Detection and Troubleshooting of Large Scale Systems from Event Logs Presented By Niloy Ganguly Bivas Mitra, Subhendu Khatuya Also in collaboration with NetApp Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

  2.  Prerequisite  Dataset  Objective  Challenges  Model Development  Anomaly detection framework  Building an automated troubleshooter  Results

  3.  Prerequisite  Dataset  Objective  Challenges  Model Development  Anomaly detection framework  Building an automated troubleshooter  Results

  4. Prerequisite EMS: Event Message System EMS supports a built-in logging facility that logs all activities on storage • appliance done by customer. The system writes out event indication descriptions using a generic text-based • log format. EMS System

  5. ONTAP Components Node/Data ONTAP WAFL Network Protocols RAID Storage Stack NVRAM Disks Clients HA (CFO/SFO) HA Interconnect HA Partner

  6. Prerequisite Case:

  7. Case Filed cannot find errors with environment/storage commands but getting messages say to replace the module

  8. Snapshot of a BURT

  9. Post Case Info Customer-Support Engg. Communication

  10.  Prerequisite  Dataset  Objective  Challenges  Model Development  Anomaly detection framework  Building an automated troubleshooter  Results

  11. Dataset • Daily Event message system (EMS) log • Customer support database Customer support portal provides the platform to report • cases, failures, communicate with support engineers Bug database • Internally oriented • Each case is associated with a bug •

  12. Dataset • Daily Event message system (EMS) log Module 2 Module 4 Module 1 Module 3 EMS log EMS log EMS log

  13. Dataset: A Typical EMS Log Raw EMS Data Extracted Information Field Log Entry Example Description Event Time Apr 01 2014 09:11:12 Day, date, timestamp System name cc-nas1 Name of the node in cluster that generated the event Event Message kern.uptime.filer Contains Subsystem name and event type Severity info Severity of the event

  14. Data filtering 2 1 1 1 Select the bugs with high priority Select the bugs with sufficient levels number of cases 3 1 Eliminate the cases with missing data

  15. Final EMS Dataset Raw EMS Data Extracted Information Apr 01 09:11:12 INFO kern_uptime_filer_1 … Dataset-info Number Total No of Bugs 48 Total No of Cases 4827 No of Customers 2691 No of unique 4305 system Case Filed Date No of Module 331 Types of Message ~8k For each filed case we have collected around 18 weeks prior Timeline January 2011 to data , and 1 weeks log after June 2016 case filed date.

  16. How to resolve? The support engineers use predefined rules to resolve the problem. Resolution period: Let’s assume customer filed case at To. It resolved on Tc Resolution period = (Tc - To)

  17. Motivation Reliable and fast customer support service is pre- requisite to the storage industry (CLUSTER NETWORK DEGRADED) ERROR There are some complain for which the resolution period is very high. Resolution period pretty high 50%

  18.  Prerequisite  Dataset  Objective  Challenges  Model Development  Anomaly detection framework  Building an automated troubleshooter  Results

  19. Objective 1 (Anomaly detection) • Leverage on the event logs generated by the subsystems/modules • Development of anomaly detection framework Anomaly Failure Detector Event log Days ADELE: Anomaly Detection from Event log Empiricism, accepted in INFOCOM’18

  20. Objective 2 (Troubleshooting) • Building a troubleshooter which can localize faulty components within a very short time. • Providing a ranked list of modules to the support engineers • Reducing the complexity of the diagnostic process GBTM: Graph Based Troubleshooting Method for Handing Customer Cases Using Storage system Log , accepted in PAKDD’18

  21.  Prerequisite  Dataset  Objective  Challenges  Model Development  Anomaly detection framework  Building an automated troubleshooter  Results

  22. Challenges (Anomaly detection) • Detection of abnormality from log becomes challenging in the noisy environment • where the log gets colluded with the messages from system misconfiguration • Do event log messages carry signals of anomaly? • Do the anomaly signals eventually lead to failure? • File-system fragmentation may cause performance slowdown • How many false alerts?

  23. Challenges (Troubleshooting) Most of the real systems are complex as various constituent system • components exhibit functional dependencies Each component has its own failure modes. For example, a storage • system failure can be caused by disks, physical interconnects, shelves, RAID controllers etc. It is extremely hard for support engineer to have a updated domain • knowledge in this evolving system. In such a large evolving complex system the prior knowledge of • dependency tree between modules is not available.

  24.  Prerequisite  Dataset  Objective  Challenges  Model Development  Anomaly detection framework  Building an automated troubleshooter  Results

  25. Model development: Attribute Extraction Attributes Description Event Count Total number of events generated by the subsystem Event Ratio Ratio of number of events generated by the subsystem to total number of messages Mean Inter-arrival Time Mean time between successive events generated of the particular subsystem Mean Inter-arrival Distance Mean number of other messages between successive events of the particular subsystem Severity Spread Eight features corresponding to event counts of each severity type for the subsystem Time-interval Spread Six features denoting event counts during six four-hour intervals of the day for the subsystem

  26. Observation1:Periodicity Weekly periodicity can be observed for attributes from event log planned maintenance, scheduled Number of messages backups, workload intensity generated from API changes module

  27. Anomaly Clues If one or more subsystem is going through an anomalous phase • it gets reflected in some attributes of logs generated for those subsystems •

  28. Model development: Overview Anomaly score Log transformation Extract 18 features from EMS log, for each module

  29. Model development : Log Transformation EMS log of each day is abstracted into a matrix (X d ) ▪ We fit a normal distribution • with the features of the last few weeks

  30. Model development: Score Matrix EMS log of each day is abstracted into a matrix (X d ) ▪ ▪ We transform the raw matrix (X d ) of d th day into score matrix (S t ) as follows

  31. Model development: Anomaly Detect S(i,j) contributes differently to overall anomaly of the system Score matrix Ridge regression W Weight matrix Event log of a day Anomaly score Below threshold Above threshold Anomaly No Anomaly

  32. True positive Vs False positive High anomaly detection rate with low false alert Step label Ramp label Comparison with Baseline ADELE: Anomaly Detection from Event log Empiricism, accepted in INFOCOM’18

  33.  Prerequisite  Dataset  Objective  Challenges  Model Development  Anomaly detection framework  Building an automated troubleshooter  Results

  34. Graph Construction Vertex: Each module is considered as vertex, we took all 331 possible modules. Edge: Edge is decided based on timestamp difference , if the timestamp difference between two module is less than 300 second , one directed edge is formed between them. Edge weight: Edge weight is as follows, where k is no of occurrences of edges and t i is timestamp difference.

  35. Sample Example Corresponding to each case, we collect 18 weeks of data - we construct a graph corresponding to each week -consequently, we get 18 graphs from a single case. The last two graphs we assume is Case Filed Date arising out of anomalous state of the system.

  36. Graph Encoding Verte tex encoding (vbits): ): ▪ log 2 𝑤 bits to encode the number of vertices 𝑤 in the graph ▪ 𝑤 ∗ log 2 𝑣 𝑐𝑗𝑢𝑡 𝑢𝑝 𝑓𝑜𝑑𝑝𝑒𝑓 𝑚𝑏𝑐𝑓𝑚𝑡 𝑝𝑔 𝑏𝑚𝑚 𝑤 𝑤𝑓𝑠𝑢𝑗𝑑𝑓𝑡 where u is total unique no of labels of vertices. 𝒘𝒄𝒋𝒖𝒕 = 𝐦𝐩𝐡 𝟑 𝒘 + 𝒘 ∗ 𝐦𝐩𝐡 𝟑 𝒗 Edge encoding (ebits): ): ebit eb its= 𝒇 ∗ 𝟐 + 𝐦𝐩𝐡 𝟑 𝒗 + 𝑳 ∗ 𝐦𝐩𝐡 𝟑 𝒏 + 𝐦𝐩𝐡 𝟑 𝒏 e is total no. of edges, K is total no. of 1’s in the adjacency matrix, m=max e(i,j) Row en encoding (rb rbits): ): 𝒘 𝒘 𝐰 ∗ log 𝟑 𝒄 σ 𝒋=𝟐 𝒔𝒄𝒋𝒖𝒕 = log 𝟑 𝒍 𝒋

  37. Encoding example kern cmds kern_cmds wafl kern cmds raid disk cifs Kern_wafl 𝐰𝐜𝐣𝐮𝐭 = log 2 6 + 6 ∗ log 2 11 = 23.33 𝑐𝑗𝑢𝑡 wafl_raid wafl raid wafl_disk eb ebits = = 𝒇 ∗ 𝟐 + 𝐦𝐩𝐡 𝟑 𝒗 + 𝑳 ∗ 𝐦𝐩𝐡 𝟑 𝒏 =5*(1+ log 2 11 )+5* log 2 1 = 22.25 𝑐𝑗𝑢𝑡 disk_cifs disk cifs 𝒔𝒄𝒋𝒖𝒕 = 21.49 𝑐𝑗𝑢𝑡 No. of vertices: 6 Unique labels: 11 Total bits=67.07 bits e=5; K=5; m=1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anomaly Detection for the CERN Large Hadron Collider injection magnets Armin Halilovic KU

Anomaly Detection for the CERN Large Hadron Collider injection magnets Armin Halilovic KU

Anomaly Detection for the CERN Large Hadron Collider injection magnets Armin Halilovic KU Leuven - Department of Computer Science In cooperation with CERN 2018-07-27 0 Outline 1 Context 2 Data 3 Preprocessing 4 Anomaly Detection 5

792 views • 51 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
<Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection

<Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection

Data Council Singapre 2019 Autoencoder Forest for Anomaly Detection from IoT Time Series <Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection Autoencoder for anomaly detection Autoencoder

540 views • 27 slides
Context : Deployment of secure and reliable energy management devices Issues : Large

Context : Deployment of secure and reliable energy management devices Issues : Large

ANOMALY DETECTION USING HARDWARE PERFORMANCE COUNTERS ON A LARGE SCALE IOT DEPLOYMENT Context : Deployment of secure and reliable energy management devices Issues : Large scale deployment Resources constrained IoT devices

413 views • 3 slides
In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS Anomaly Detection Goal: Identify rare or strange objects 2 Anomaly

756 views • 51 slides
Structure of Talk Workload-sensitive Timing Behavior Anomaly Detection 1 Motivation in Large

Structure of Talk Workload-sensitive Timing Behavior Anomaly Detection 1 Motivation in Large

Workload-sensitive Timing Behavior Anomaly Detection in Large Software Systems Workload-sensitive Timing Behavior Anomaly Detection in Large Software Systems Structure of Talk Workload-sensitive Timing Behavior Anomaly Detection 1 Motivation

690 views • 12 slides
KDetect: Unsupervised Anomaly Detection for Cloud Systems Based on Time Series Clustering Swati

KDetect: Unsupervised Anomaly Detection for Cloud Systems Based on Time Series Clustering Swati

KDetect: Unsupervised Anomaly Detection for Cloud Systems Based on Time Series Clustering Swati Sharma, Amadou Diarra, Fredrico Alvares, Thomas Ropars 24-6-2020 1 Context Cloud Computing runs large part of IT Infrastructure. Large

528 views • 32 slides
Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The Pennsylvania State University Anomaly Intrusion Detection Systems Anomaly Intrusion Detection Systems Model normal behavior. Attack - Any

417 views • 20 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Efficient Anomaly Detection by Isolation using Nearest Neighbour Ensemble Tharindu

Efficient Anomaly Detection by Isolation using Nearest Neighbour Ensemble Tharindu

Information Technology Efficient Anomaly Detection by Isolation using Nearest Neighbour Ensemble Tharindu Rukshan Bandaragoda Kai Ming Ting David Albrecht Fei Tony Liu Jonathan R. Wells Outline Overview of anomaly detection

657 views • 41 slides
S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
SIMULATION AS THE THIRD PILLAR IN ENGINEERING SCIENCE REN DE BORST REGIUS PROFESSOR OF CIVIL

SIMULATION AS THE THIRD PILLAR IN ENGINEERING SCIENCE REN DE BORST REGIUS PROFESSOR OF CIVIL

SIMULATION AS THE THIRD PILLAR IN ENGINEERING SCIENCE REN DE BORST REGIUS PROFESSOR OF CIVIL ENGINEERING AND MECHANICS, UNIVERSITY OF GLASGOW JUBILEE SCIENTIFIC CONFERENCE PRACTICAL APPLICATIONS OF INNOVATIVE SOLUTIONS RESULTING FROM

405 views • 25 slides
Planning fieldwork for 2019 This document gives the year in which methods and concepts will be

Planning fieldwork for 2019 This document gives the year in which methods and concepts will be

04/10/2017 Method and concept Planning fieldwork for 2019 This document gives the year in which methods and concepts will be assessed Andy Owen (Subject Officer) Files are in date order and 2018 with advice for 2019 METHOD 2019

330 views • 9 slides
History of interpretations of quantum mechanics: 1950s through to 1970s Olival Freire Jr.

History of interpretations of quantum mechanics: 1950s through to 1970s Olival Freire Jr.

History of interpretations of quantum mechanics: 1950s through to 1970s Olival Freire Jr. Universidade Federal da Bahia - Brazil Seven Pines Symposium XVII The conceptual development of quantum physics May 1519, 2013 Outline: The 1950s -

275 views • 13 slides
EXTREME POVERTY ERADICATION IN THE LDCs AND THE POST-2015 DEVELOPMENT AGENDA For presentation at

EXTREME POVERTY ERADICATION IN THE LDCs AND THE POST-2015 DEVELOPMENT AGENDA For presentation at

EXTREME POVERTY ERADICATION IN THE LDCs AND THE POST-2015 DEVELOPMENT AGENDA For presentation at the Special Event Launch of the OHRLLS Flagship Report State of the Least Developed Countries 2014 Thursday, 23 October 2014, UN

340 views • 18 slides
SPECIAL MOBILITY STRAND FIRE SAFETY IN BUILDINGS MIRJANA LABAN JANUARY 16, 2019 Mirjana Laban,

SPECIAL MOBILITY STRAND FIRE SAFETY IN BUILDINGS MIRJANA LABAN JANUARY 16, 2019 Mirjana Laban,

SPECIAL MOBILITY STRAND FIRE SAFETY IN BUILDINGS MIRJANA LABAN JANUARY 16, 2019 Mirjana Laban, Suzana Dragani , Igor Dolev University of Novi Sad, Faculty of Technical Sciences, Novi Sad, Serbia The European Commission support for the

321 views • 30 slides
psychological construct of Religiosity as applied to a Filipino setting. Four Puzzles A. Is

psychological construct of Religiosity as applied to a Filipino setting. Four Puzzles A. Is

Puzzles in the Construction of a Religiosity Measure THEORETICAL and METHODOLOGICAL ISSUES Josefina Andrea R. Cantiller Department of Psychology University of the Philippines, Diliman Discuss theoretical & methodological issues related

638 views • 31 slides
Defining Gainful Employment General Overview U.S. Department of Education 1 Gainful Employment

Defining Gainful Employment General Overview U.S. Department of Education 1 Gainful Employment

Defining Gainful Employment General Overview U.S. Department of Education 1 Gainful Employment Measures Ratio above 8% of total income or 20% of Debt to Income discretionary income could be restricted. Ratio Ratio above 12% of

487 views • 4 slides
School Employer Advisory Committee Webinar August 5, 2020 1 Andrea Peters, Brad Hanson,

School Employer Advisory Committee Webinar August 5, 2020 1 Andrea Peters, Brad Hanson,

School Employer Advisory Committee Webinar August 5, 2020 1 Andrea Peters, Brad Hanson, Jennifer Rocco 2 Reana Hlawaty, Anastacia Movida, Meghan Korte 3 William Greenhalgh and Susan Forrer Employer Response Team 4 Legislative Update

882 views • 54 slides

More recommend