Machine learning-based run-time anomaly detection in software systems: An industrial evaluation

Anomalies are inevitable when operating enterprise software systems. Traditionally, they are detected through threshold-based alarms on critical metrics or through health-probing requests. However, fully automated detection in complex systems is challenging, since truly anomalous behavior is difficult to distinguish from normal operation, and the traditional approaches may therefore not be sufficient. We propose machine learning classifiers to predict the system's health status instead. We evaluated our approach in an industrial case study on a large, real-world dataset of 7.5 × 10⁶ data points across 231 features. Our results show that recurrent neural networks with long short-term memory (LSTM) detect anomalies and health issues more effectively than the other classifiers we compared. We achieved an area under the precision-recall curve of 0.44. At the default threshold, we automatically detect 70% of the anomalies; despite the low precision of 31%, the rate at which false positives occur is only 4%.
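The seemingly contradictory figures above (low precision yet a low false-positive rate) follow directly from class imbalance. As a minimal sketch, the hypothetical confusion-matrix counts below are assumptions chosen only to be consistent with the reported recall, precision, and false-positive rate; they are not the study's actual counts.

```python
# Hypothetical counts for an imbalanced dataset: 100 true anomalies
# among 4000 data points (assumed for illustration only).
tp, fn = 70, 30        # 70 of 100 anomalies detected -> recall = 0.70
fp, tn = 156, 3744     # 156 false alarms among 3900 normal points

precision = tp / (tp + fp)            # 70 / 226  ≈ 0.31
recall = tp / (tp + fn)               # 70 / 100  = 0.70
false_positive_rate = fp / (fp + tn)  # 156 / 3900 = 0.04

print(f"precision={precision:.2f} recall={recall:.2f} "
      f"FPR={false_positive_rate:.2f}")
```

Because normal points vastly outnumber anomalies, even a 4% false-positive rate yields more false alarms than true detections, which is why precision-recall analysis is more informative than ROC analysis in this setting.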
