Automatic Detection of Abnormal Behavior in Virtual Machines with Consideration of Policy-Based Response
Abstract
This study investigates whether an anomaly detection algorithm based on the chi-squared test can be designed and developed, and how such an algorithm could be paired with a policy-based decision-making system. The first goal of the research is to detect crashes and abnormal behaviour in virtual machines using only their CPU usage, without access to any personal or sensitive data. The second goal is to investigate how this could lessen the burden on the continuously growing cloud infrastructure, by discussing how the anomaly detection algorithm could work together with a policy-based decision-making system to free up resources and manpower. The scope of the project is limited to this one algorithm, in order to find out specifically how it performs.
To do this, a prototype using the algorithm in question, the leap detection algorithm, was designed and developed and then run on data from real virtual machines. It went through three iterations based on test results before reaching its final form. At that point it became clear that the algorithm was not suited to reliably detecting crashes, but that it had potential for detecting sudden increases in CPU usage: there was no way for it to reliably distinguish a sudden spike in CPU usage from an anomaly or crash. Other use cases were therefore suggested, such as monitoring CPU usage patterns and warning about sudden spikes in usage, and it was suggested that different algorithms be explored in further research on the subject.
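As an added illustration (not the thesis's own prototype, whose exact construction the abstract does not give), the following Python sketch assumes one way a chi-squared "leap" detector over CPU usage could work: a baseline window of samples supplies the expected per-bin frequencies, and a recent window's bin counts are tested against them. The constructed data shows that a jump in CPU usage trips the test, while the statistic alone cannot say whether the jump is a legitimate load burst or a fault, which is the gap a policy-based response layer would have to fill.

```python
"""Chi-squared 'leap' detector over CPU-usage samples (illustrative, assumed design).

Baseline window -> expected per-bin frequencies; recent window -> observed counts.
A large Pearson statistic means the recent distribution has shifted.
"""
from typing import List, Tuple

# CPU-percentage bin edges: [0,25) [25,50) [50,75) [75,100]
BINS = (0, 25, 50, 75, 101)
# Chi-squared critical value for 3 degrees of freedom at alpha = 0.05
CHI2_CRIT_DF3_P05 = 7.815


def bin_counts(samples: List[float]) -> List[int]:
    """Histogram CPU-percentage samples into the fixed bins."""
    counts = [0] * (len(BINS) - 1)
    for s in samples:
        for i in range(len(BINS) - 1):
            if BINS[i] <= s < BINS[i + 1]:
                counts[i] += 1
                break
    return counts


def chi_squared(observed: List[int], expected: List[float]) -> float:
    """Pearson statistic; the 0.5 floor is an assumption that keeps a bin the
    baseline never visited from dividing by zero (and makes it weigh heavily)."""
    return sum((o - e) ** 2 / max(e, 0.5) for o, e in zip(observed, expected))


def leap_detected(baseline: List[float], recent: List[float],
                  threshold: float = CHI2_CRIT_DF3_P05) -> Tuple[bool, float]:
    """Return (flagged, statistic) for the recent window tested against the baseline."""
    expected = [c / len(baseline) * len(recent) for c in bin_counts(baseline)]
    stat = chi_squared(bin_counts(recent), expected)
    return stat > threshold, stat


# Constructed sample data: a VM idling around 20 % CPU, then two recent windows.
BASELINE = [18, 22, 19, 21] * 15
RECENT_STEADY = [20, 23, 17, 21, 19, 22, 20, 18, 21, 20]
RECENT_BURST = [88, 92, 95, 90, 93, 89, 91, 94, 90, 92]

if __name__ == "__main__":
    for name, window in (("steady", RECENT_STEADY), ("burst", RECENT_BURST)):
        flagged, stat = leap_detected(BASELINE, window)
        # The statistic reports only that the distribution moved; a scheduled
        # batch job and a runaway process would produce the same number.
        print(f"{name}: chi2={stat:.1f} flagged={flagged}")
```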