
Research On Anomaly Detection Strategy And Algorithms Aware Of Running Environment For Virtual Machines In The Cloud Platform

Posted on: 2016-10-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z Zhou
Full Text: PDF
GTID: 1108330479485510
Subject: Computer Science and Technology
Abstract/Summary:
Cloud computing technology derives from the integration and development of various techniques and represents the future direction of computing services. Virtualization technologies, especially host virtualization, are now widely applied in cloud data centers. Compared with the traditional IT architecture, an anomaly detection system for a virtualized cloud environment has to cover entities that are more complex, larger in scale and more varied, e.g., hosts, virtual machine monitors, virtual machines and application systems. Therefore, to keep cloud data centers running dependably, an anomaly detection system is needed that can detect, in time, the anomalies caused by faults occurring in this large and varied set of entities.

The running state of the virtual machines in a cloud data center is affected not only by the performance and status of the hosts they run on, but also by the running state of the application systems deployed in them. Thus, to discover faults occurring in different types of entities in the cloud environment, it is desirable for an anomaly detection system to take the running state of the virtual machines, which sit in the intermediate layer, as the object of detection.

In this paper, we study and analyze the problems that must be resolved in conducting anomaly detection on virtual machines in the cloud environment. Based on an analysis and summary of existing anomaly detection techniques and related research achievements, this paper mainly studies the running-environment-aware anomaly detection strategy for virtual machines in the cloud platform, the optimal construction of the network that collects the running state of the virtual machines, and the optimal deployment of anomaly detection nodes. The concrete research contents and innovations of this paper include the following aspects:

① To address the interference of virtual machines' different running environments with anomaly detection accuracy, this paper proposes an anomaly detection strategy aware of the virtual machine's running environment, by which the original contextual anomaly detection problem is reduced to a simple point anomaly detection problem in multiple detection domains, eliminating the adverse effect of the virtual machines' different running environments on anomaly detection and improving anomaly detection accuracy.

② The runtime environment changes dynamically in the cloud, so the detection domains vary over time. The real-time performance of detection on the virtual machines in a detection domain is influenced by the efficiency of partitioning detection domains. This paper presents a detection domain partition algorithm based on optimized k-medoids clustering, which improves the k-medoids clustering algorithm in its initial medoid selection and in its medoid replacement strategy during the iterative procedure, improving the partition efficiency of detection domains and the real-time performance of anomaly detection.

③ When collecting the status information of a large number of virtual machines in detection domains, the communication cost, especially the fixed overhead of communication (i.e., the per-message cost), will soon exhaust the resources of the anomaly detection node, and the anomaly detection node will become the bottleneck of the anomaly detection system. For this problem, this paper proposes a dynamically optimized construction algorithm for the state information collection network in an anomaly detection domain. Considering the resource usage of the detected nodes and of the anomaly detection node, and the fixed overhead of communication during collection of the status information, the state information collection network is constructed optimally with regard to both its extendibility and its collection efficiency.

④ Given the features of cloud data centers, namely resource sharing and complexity, as well as the dynamically changing size of detection domains, a type of anomaly detection node called the detecting virtual machine is introduced, in which the given anomaly detection application runs. With features such as rapid deployment, encapsulation and easy migration, detecting virtual machines can improve the scalability and reliability of an anomaly detection system. This paper proposes an optimized deployment technology for detecting virtual machines. In this technology, two factors are taken into consideration during the deployment of detecting virtual machines: the resource usage of servers, and the effect on the performance of detecting virtual machines caused by contention for shared server resources. It takes into account both the load balancing between servers and the balancing of resource usage on servers, and optimizes the overall transaction processing ability of the anomaly detection system.

⑤ When conducting anomaly detection on virtual machines in detection domains, because the virtual machines are large in scale and dynamic in their deployment and running environment, it is more desirable for the anomaly detection system to be extendible, real-time and self-adaptive. However, the dynamic nature of the objects to detect makes it difficult to obtain an adequate training data set, which would severely affect the real-time and self-adaptive performance of the anomaly detection system. For this situation, this paper proposes a dynamic adaptive anomaly detection mechanism based on the SOM, in which a unified behavior modeling method for all virtual machines in an anomaly detection domain is proposed to avoid the overhead of modeling the behavior of each individual virtual machine, improving the extendibility of the anomaly detection system and resolving the problem of obtaining training data for the SOM net at the same time. In addition, an improved training process and a dynamic adjustment mechanism for the SOM net are proposed to shorten the time cost of the SOM net's training process and of its adjustment process against the dynamic changes of the objects to detect, improving the real-time and self-adaptive performance of the anomaly detection system.
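
The strategy in ① and ②, as an added sketch that is not the dissertation's code: partition VMs into detection domains by running environment, then run a point detector inside each domain. It assumes plain k-medoids with farthest-first seeding instead of the optimized variant, a median/MAD score in place of the SOM, and constructed VM names, environment features and CPU values.

```python
import statistics

# Constructed sample: (VM name, assumed environment features, observed VM CPU).
VMS = [
    ("vm01", (0.20, 0.10), 0.12), ("vm02", (0.25, 0.12), 0.15),
    ("vm03", (0.22, 0.08), 0.10), ("vm04", (0.18, 0.11), 0.18),
    ("vm05", (0.21, 0.09), 0.14), ("vm06", (0.23, 0.10), 0.88),  # odd one out
    ("vm07", (0.90, 0.80), 0.90), ("vm08", (0.88, 0.85), 0.86),
    ("vm09", (0.92, 0.78), 0.92), ("vm10", (0.85, 0.82), 0.88),
    ("vm11", (0.91, 0.79), 0.85), ("vm12", (0.89, 0.83), 0.91),
]

def dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def k_medoids(points, k, max_iter=20):
    """Plain k-medoids, farthest-first seeding; one domain label per point."""
    idx = range(len(points))
    medoids = [min(idx, key=lambda i: sum(dist(points[i], p) for p in points))]
    while len(medoids) < k:
        medoids.append(max(idx, key=lambda i: min(dist(points[i], points[m]) for m in medoids)))
    for _ in range(max_iter):
        labels = [min(range(k), key=lambda c: dist(p, points[medoids[c]])) for p in points]
        groups = [[i for i in idx if labels[i] == c] for c in range(k)]
        new = [min(g, key=lambda i: sum(dist(points[i], points[j]) for j in g)) for g in groups]
        if new == medoids:
            break
        medoids = new
    return labels

def point_anomalies(values, threshold=3.5):
    # Point detector: robust z-score built from the median and the MAD.
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values]) or 1e-9
    return [0.6745 * abs(v - med) / mad > threshold for v in values]

def detect_global(vms):
    # Baseline: one detector over all VMs, ignoring running environment.
    flags = point_anomalies([cpu for _, _, cpu in vms])
    return [name for (name, _, _), f in zip(vms, flags) if f]

def detect_per_domain(vms, k):
    # Environment-aware: cluster on environment, then detect inside each domain.
    labels = k_medoids([env for _, env, _ in vms], k)
    flagged = []
    for c in range(k):
        members = [vm for vm, lab in zip(vms, labels) if lab == c]
        flags = point_anomalies([cpu for _, _, cpu in members])
        flagged += [name for (name, _, _), f in zip(members, flags) if f]
    return sorted(flagged)
```

On this sample, `detect_global(VMS)` flags the five lightly loaded VMs and misses `vm06`, while `detect_per_domain(VMS, 2)` flags only `vm06`.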
Keywords/Search Tags: Cloud Computing, Virtual Machine, Anomaly Detection, Contextual Anomaly, SOM