
A survey of anomaly detection methodologies for web system

rrreeeyyy
November 17, 2018

This is from my presentation at the 3rd Web System Architecture Study Group (2018/11/17).


Transcript

  1. A survey of anomaly detection
    methodologies for web system
    Cookpad Inc., Infrastructure Department, SRE Group
    Yoshikawa Ryota ( @rrreeeyyy )
    Web System Architecture Study Group (2018/11/17) | Yoshikawa Ryota ( @rrreeeyyy )

  2. Me
    @rrreeeyyy
    https://rrreeeyyy.com
    • Yoshikawa Ryota ( @rrreeeyyy [reɪ] )
    • Cookpad Inc. (since 2017/01)
    • Infrastructure Department, SRE Group
    • Areas of interest
    • Monitoring, time-series databases
    • Distributed systems, load balancers
    • Hobbies
    • League of Legends, Puyo Puyo, FF14

  3. Table of contents
    • Background and purpose
    • Survey method
    • Survey content and results
    • Discussion
    • Summary

  4. Background and purpose

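  5. Background
    • Improving the reliability of web systems is a main goal of SRE work
    • Preventing failures before they occur and shortening mean time to recovery are among the approaches
    • Anomalies in system metrics need to be found accurately and quickly
    • Platforms that can collect a wide variety of metrics at high resolution have become available
    • On the other hand, approaches to analyzing metrics at the practitioner level are still weak
    • Threshold-based anomaly detection, anomaly detection by simple regression, etc.
    • Meanwhile, the field of time-series data analysis itself is fairly mature and still growing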

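  6. Purpose
    • Analyze the characteristics of web system metrics
    • Investigate which kinds of analysis suit those characteristics
    • Adopt the strengths of time-series analysis methods from other fields
    • (Personal reason) I have been working with time-series data in the form of server metrics
    • On the other hand, I had paid no attention to academic approaches such as time-series data analysis
    • I want to become more knowledgeable about time-series data analysis through surveys like this one
    • I want everyone in roles like SRE to think about time-series data analysis together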

  7. Survey method

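  8. Survey method
    • Classify the metrics that appear in web services into several patterns
    • Based on the author's experience and the general tendencies of web services
    • Classify the anomalies that appear in web services into several patterns
    • Again based on the author's experience and the general tendencies of web services
    • Compare these against the methods covered in survey papers on anomaly detection
    • Are the methods suited to the classified metrics?
    • Do they look able to detect the anomalies that can occur?
    • Summarize which anomaly detection methods suit which kinds of metrics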

  9. Survey content and results

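  10. Metric patterns of web systems
    • Metrics that appear in web systems are classified as follows
    • By the external factor behind the changes commonly seen in web services
    • Metrics that change significantly with user access
    • Metrics that change significantly while a specific process is running
    • Metrics that change regardless of access or specific processing
    • Of course, there are also cases where several external factors act on a single metric at once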

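  11. Metrics that change significantly with user access
    • For example, metrics such as the following
    • CPU utilization of LB/Web/DB servers, traffic, number of servers, etc.
    • Depending on the service's characteristics, they often have the following components of variation
    • Trend, cyclical, seasonal, and irregular variation
    • This is because user access itself has these components of variation
    • Considered to change in the most complex way among the metrics that appear in web services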

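  12. Metrics that change significantly while batch processing is running
    • For example, metrics such as the following
    • CPU utilization of batch servers, traffic, etc.
    • Depending on the service's characteristics, they often have the following components of variation
    • Trend, cyclical, and irregular variation
    • Because the processing runs at a specific period
    • Only the batch window needs to be watched, but characteristics may differ from batch to batch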

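  13. Metrics that change regardless of access or batch processing
    • For example, metrics such as the following
    • Disk usage, swap usage, ...
    • Disk usage depends on the server's characteristics
    • Depending on the service's characteristics, they often have the following components of variation
    • Trend and irregular variation
    • Knowing the long-term trend is enough; a large change is usually an anomaly in itself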

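  14. Failure patterns that can occur in web systems
    • Consider the following patterns as behaviours that metrics can exhibit during a failure
    • Spike/Falling pattern
    • Flapping/Stopping pattern
    • Saturation pattern
    • Assume that when user experience is affected, some metric exhibits one of the above behaviours
    • If no metric changes during a failure, what is being collected needs to be reconsidered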

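  15. Failure patterns that can occur in web systems
    • Spike/Falling pattern
    • The metric rises or falls sharply
    • Detectable mainly by identifying outliers or change points
    • Flapping/Stopping pattern
    • The metric suddenly starts oscillating with a short period
    • If only the period of the periodic motion got shorter, it is hard to detect with outliers alone
    • A metric that had been periodic suddenly stops its periodic motion for some time
    • If only the interval of the periodic motion got longer, it is hard to detect with outliers alone
    • Saturation pattern
    • The metric plateaus at a fixed upper bound (because of some limit)
    • With a single metric alone, it is difficult to identify which factor is causing the plateau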
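
The claims on this slide, as an added Python example that is not part of the original deck: a point-outlier test (median/MAD robust z-score) flags the Spike series but misses Flapping, Stopping and Saturation, which need shape checks against a window of normal data. The series, window sizes and thresholds are constructed assumptions.

```python
import math
from statistics import median

# Constructed sample data: 20-sample cycle, 200 samples, incident starts at sample 120.
PERIOD, N, SPLIT = 20, 200, 120

def make(kind):
    s = [50 + 20 * math.sin(2 * math.pi * i / PERIOD) for i in range(N)]
    for i in range(SPLIT, N):
        if kind == "flapping":      # same amplitude, period shrinks from 20 to 4
            s[i] = 50 + 20 * math.sin(2 * math.pi * i / 4)
        elif kind == "stopping":    # periodic motion stops
            s[i] = 50.0
        elif kind == "saturation":  # clipped at a ceiling by some limit
            s[i] = min(s[i], 60.0)
    if kind == "spike":
        s[150] = 200.0
    return s

def has_outlier(s, z=3.5):
    """Point-outlier test only: robust z-score from median and scaled MAD."""
    m = median(s)
    mad = 1.4826 * median(abs(x - m) for x in s)
    return any(abs(x - m) > z * mad for x in s)

def reversal_rate(s):
    """Fraction of steps where the direction of change flips."""
    d = [b - a for a, b in zip(s, s[1:])]
    return sum(a * b < 0 for a, b in zip(d, d[1:])) / len(d)

def longest_run_at_max(s, tol=1e-6):
    """Longest stretch of consecutive samples sitting at the window maximum."""
    top, best, run = max(s), 0, 0
    for x in s:
        run = run + 1 if x >= top - tol else 0
        best = max(best, run)
    return best

def classify(s):
    ref, recent = s[:100], s[SPLIT:]  # reference = normal data, recent = window under test
    if has_outlier(s):
        return "spike"
    if reversal_rate(recent) > 3 * reversal_rate(ref):
        return "flapping"
    if max(recent) - min(recent) < 0.1 * (max(ref) - min(ref)):
        return "stopping"
    if longest_run_at_max(recent) >= 5:
        return "saturation"
    return "normal"
```

`has_outlier` is true only for the spike series; `classify` labels the other three from the recent window's reversal rate, range and run length at the maximum.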

  16. Example of the Spike pattern

  17. Example of the Flapping pattern

  18. Example of the Stopping pattern

  19. Example of the Saturation pattern

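  20. Metric and failure characteristics of web systems
    • Many metrics have frequent irregular variation caused by human work and the like
    • For example deploys, operations, etc.
    • There can be access spikes caused by TV broadcasts, spreading on social media, and so on
    • Training time can be fairly long without causing problems, but anomaly detection itself must be fast
    • Anomalous versus normal is often judged by checking multiple metrics at the same time
    • Basically, known anomaly data is usually insufficient
    • Anomaly detection is done by modelling the given normal data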

  21. Anomaly detection methods

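  22. Anomaly detection methods
    • Metrics that change regardless of access or batch processing
    • Variation due to seasonality or periodicity is small, so a simple regression model is likely sufficient in many cases
    • Metrics that change significantly while batch processing is running
    • Variation due to periodicity is especially large, so remove the periodicity
    • Once the periodicity is removed, a simple regression model is likely sufficient in many cases
    • Metrics that change significantly with user access
    • With many components of variation, reducing them to a simple regression model looks difficult
    • In some cases LOF, GMM, etc. are used, for example for peak versus normal times
    • Spike patterns and the like can likely be detected adequately in many cases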
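
One way to carry out the approach described for batch metrics, as an added Python example that is not part of the original deck: subtract a per-phase median profile to remove the periodicity, then fit a simple regression line and flag large residuals. The series, the 24-sample period and the residual limit are constructed assumptions.

```python
from statistics import mean, median

PERIOD = 24  # constructed: hourly samples, batch job runs at hours 2 and 3 each day

def make_batch_cpu(n=192, anomaly_at=100):
    """Constructed batch-server CPU series: slow trend + daily batch pulse + one fault."""
    x = [10 + 0.05 * t + (40 if t % PERIOD in (2, 3) else 0) for t in range(n)]
    x[anomaly_at] += 15  # abnormal load outside the batch window
    return x

def linear_residuals(y):
    """Residuals of an ordinary least-squares line fitted against the sample index."""
    t_bar, y_bar = (len(y) - 1) / 2, mean(y)
    sxx = sum((t - t_bar) ** 2 for t in range(len(y)))
    slope = sum((t - t_bar) * (v - y_bar) for t, v in enumerate(y)) / sxx
    return [v - (y_bar + slope * (t - t_bar)) for t, v in enumerate(y)]

def remove_periodicity(x, period=PERIOD):
    """Subtract the median profile of each phase within the period."""
    profile = [median(x[p::period]) for p in range(period)]
    return [v - profile[t % period] for t, v in enumerate(x)]

def flag(residuals, limit=8.0):
    """Indices whose residual exceeds a fixed limit (same limit for both runs)."""
    return [t for t, r in enumerate(residuals) if abs(r) > limit]

x = make_batch_cpu()
regression_only = flag(linear_residuals(x))
deseasonalised = flag(linear_residuals(remove_periodicity(x)))
```

With the same limit, regression alone flags all 16 batch-window samples plus the fault, while the deseasonalised run flags only index 100.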

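  23. Anomaly detection methods
    • On the other hand, detecting Flapping/Stopping and Saturation patterns is difficult
    • These are what would be called contextual anomalies
    • [1] states that as of then (2008) there was little literature on contextual anomalies
    • Research on such contextual anomalies has been advancing in recent years
    • Training generative models using CNNs etc. [6]
    • Decomposing the time series into components and solving it as a curve-fitting problem [7]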

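  24. Discussion
    • Classified in finer detail what had so far been treated uniformly as "server metrics"
    • Finer classification showed that there are metrics that can likely be formulated with a simple model
    • On the other hand, how to handle irregular variation caused by operations etc. still needs consideration
    • Classified failure patterns into several types based on actual failure experience
    • Examined which anomaly detection methods can be chosen, given actual papers and responsiveness constraints
    • Context-aware anomaly detection and similar topics need further investigation
    • The formulation cannot be called sufficient, so metrics and failure patterns need continued study
    • For practical use, training speed, inference speed, and load also need to be considered
    • Consider whether defining something like a steady-state is better than running anomaly detection on every metric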

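  25. Summary
    • Summarized several server metrics and showed their tendencies
    • Discussed the choice of anomaly detection method based on the tendencies of server metrics
    • Summarized the behaviour of metrics during failures and showed their tendencies
    • Discussed which methods should be used to detect the anomalies likely to appear
    • Through the survey I became slightly more knowledgeable about time-series data analysis
    • What was surveyed this time is not enough, so modern methods also need further investigation
    • Especially contextual/collective anomaly detection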

  26. References
    1. CHANDOLA, Varun; BANERJEE, Arindam; KUMAR, Vipin. Anomaly detection: A survey. ACM computing surveys (CSUR), 2009, 41.3: 15.
    2. KITAGAWA, G. Introduction to Time Series Modeling, Chapman & Hall. 2010.
    3. HOCHENBAUM, Jordan; VALLIS, Owen S.; KEJARIWAL, Arun. Automatic anomaly detection in the cloud via statistical learning. arXiv preprint arXiv:1704.07706, 2017.
    4. ISLAM, Md Rafiqul, et al. A Comprehensive Survey of Time Series Anomaly Detection in Online Social Network Data. International Journal of Computer Applications, 2017, 180.3: 13-22.
    5. HARVEY, Andrew C.; PETERS, Simon. Estimation procedures for structural time series models. Journal of Forecasting, 1990, 9.2: 89-108.
    6. LAPTEV, Nikolay, et al. Time-series extreme event forecasting with neural networks at uber. In: International Conference on Machine Learning. 2017. p. 1-5.
    7. TAYLOR, Sean J.; LETHAM, Benjamin. Forecasting at scale. The American Statistician, 2018, 72.1: 37-45.