Self-Detection of Abnormal Event Sequences

Uploaded On 2022-06-07



Presentation Transcript

Slide1

Self-Detection of Abnormal Event Sequences

Project Lead: Farokh Bastani, I-Ling Yen, Latifur Khan

Date: April 7, 2011

Slide2

2010/Current Project Overview

Self-Detection of Abnormal Event Sequences

Tasks:

Prepare Cisco event sequence data for analysis tools.

Develop clustering, local outlier factor, and probabilistic finite state automata (PFSA) based techniques for anomaly detection.

Apply the techniques on Cisco datasets, analyze and validate the results.

Use streaming techniques, parallelization, and prefix tree method to handle large datasets from Cisco.

Enhance the anomaly detection tools for on-the-fly anomaly detection.

Research Goals:

Develop a diverse set of anomaly detection techniques for handling datasets with different characteristics.

Handling large datasets is still a major issue in current data mining research, and it is especially an issue in attributed event sequences.

Develop run-time anomaly detection techniques to detect non-crashing faults in deployed systems to mitigate critical failures and ensure software reliability.

Benefits to Industry Partners:

A comprehensive set of techniques and tools to allow best analysis of different datasets.

Real-time on-the-fly anomaly detection capability.

Rapid adaptation of the tools to handle other application-specific datasets.

Project Schedule:

[Timeline chart. Month axis: A M J J A S O N D J F M A; year labels: 10, 11]

Task 1: preprocessor

Task 2/3/4: various anomaly detection techniques and applying them

Task 1/2/3/4/5: Fine tuning

Task 5: on-the-fly detection

Slide3

Project Results to Date

Task / Status / Progress and Accomplishment

1. Prepare Cisco event sequence data for analysis tools.
Progress and Accomplishment: Use lex/yacc to implement a flexible processor. Refine the preprocessor to eliminate the noisy data.

2. Develop clustering, local outlier factor (LOF), and probabilistic finite state automata (PFSA) based techniques for anomaly detection.
Progress and Accomplishment: Completed the program for clustering and LOF, and adapted the MDI (minimal divergence inference) library for state-based anomaly detection.

3. Apply the techniques on Cisco datasets, analyze and validate the results.
Progress and Accomplishment: The results show high precision and recall in identifying injected anomalies. Currently working with Cisco on result validation.

4. Use streaming techniques, parallelization, and prefix tree method to handle large datasets from Cisco.
Progress and Accomplishment: Invented the prefix tree based approach, which facilitates the analysis of large datasets and reduces processing time more than 20-fold.

5. Enhance the anomaly detection tools for on-the-fly anomaly detection.
Progress and Accomplishment: Completed MDI and LOF approaches to detect anomalies on-the-fly. Updating preprocessor, filters, and diagnostic output. Need to integrate the software with Cisco Call Manager for online analysis.

Status legend: Significant Finding/Accomplishment; Task Complete; Task Partially Complete; Task Not Started

Slide4

Major Accomplishments, Discoveries, and Surprises

Various Methods for Comparison & integration

Real Time Processing Method:

Prefix Tree Based Methods

Experimental Results:

Data Set: 2GB Cisco SDL trace logs (197,628 signal flows with 18 manually injected anomalies). Conducted on a PC with Intel Core i5 Duo 2.67 GHz CPU and 8 GB RAM.

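[Figure label: 2nd closest neighbor]

[Figure: real-time processing timeline. Time axis: t, t+T, t+2T, t+3T. Stage groups shown: Collect D_t, Build A_{t–T}, Apply A_{t–2T}; Collect D_{t+T}, Build A_t, Apply A_{t–T}; Collect D_{t+2T}, Build A_{t+T}, Apply A_t]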

[Diagram: Anomaly Detection for Event Sequences. Categories: Clustering, Density, Automata. Methods: MDI; Prefix-tree based K-Medoid; Prefix-tree based LOF. Note: Use prefix tree traces as input. Labels: Developed Tool; Optimized & Added Anomaly Detection Capability]