A survey of anomaly detection methodologies for web system

rrreeeyyy
November 17, 2018

These are the slides from my presentation at the 3rd Web System Architecture Research Group meeting (2018/11/17).

Transcript

  1. A survey of anomaly detection methodologies for web system
    Cookpad Inc., Infrastructure Department, SRE Group, Yoshikawa Ryota ( @rrreeeyyy )
    Web System Architecture Research Group (2018/11/17) | Yoshikawa Ryota ( @rrreeeyyy )
  2. Me
    @rrreeeyyy, @rrreeeyyy, https://rrreeeyyy.com, Yoshikawa Ryota
    • Yoshikawa Ryota ( @rrreeeyyy [reɪ] )
    • Cookpad Inc. (2017/01 to present)
    • Infrastructure Department, SRE Group
    • Areas of interest
    • Monitoring, time-series databases
    • Distributed systems, load balancers
    • Hobbies
    • League of Legends, Puyo Puyo, FF14
  3. Contents
    • Background and purpose
    • Survey method
    • Survey content and results
    • Discussion
    • Summary
  4. Background and purpose
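  5. Background
    • Improving the reliability of web systems, which is a main goal of SRE work
    • Preventing failures before they occur and shortening mean time to recovery are among the approaches
    • Anomalies in system metrics need to be found accurately and quickly
    • Platforms that can collect a wide variety of metrics at high resolution are now in place
    • On the other hand, approaches to metric analysis at the practitioner level are still weak
    • Threshold-based anomaly detection, anomaly detection by simple regression, and so on...
    • Meanwhile, the field of time-series data analysis itself is fairly mature / continues to grow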
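  6. Purpose
    • Analyze the characteristics of web system metrics
    • Investigate which kinds of analysis suit those characteristics
    • Adopt the strengths of time-series analysis methods from other fields
    • (Personal reasons)
    • I have been working with server metrics, which are time-series data
    • On the other hand, I had paid no attention to academic approaches such as time-series data analysis
    • I want to become more knowledgeable about time-series data analysis through surveys like this one
    • I want people in roles like SRE, as a whole, to think about time-series data analysis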
  7. Survey method
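  8. Survey method
    • Classify the metrics that appear in web services into several patterns
    • Based on the author's experience and general tendencies of web services
    • Classify the anomalies that appear in web services into several patterns
    • Again based on the author's experience and general tendencies of web services
    • Compare against the methods in survey papers on anomaly detection itself
    • Are they suited to the classified metrics?
    • Do they look able to detect the anomalies that can occur?
    • Summarize which anomaly detection methods suit which kinds of metrics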
  9. Survey content and results
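  10. Metric patterns in web systems
    • Classify the metrics that appear in web systems as follows
    • By the external factor behind changes that commonly appear in web services
    • Metrics that change greatly with user access
    • Metrics that change greatly while a specific process is running
    • Metrics that change regardless of access or specific processes
    • Of course, there are also patterns where several external factors act on a single metric in combination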
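  11. Metrics that change greatly with user access
    • Examples include metrics such as the following
    • CPU usage of LB/Web/DB servers, Traffic, number of servers, and so on
    • Depending on the service, they often have the following variation components
    • Trend variation, cyclical variation, seasonal variation, irregular variation
    • This is because user access itself has these variation components
    • They are considered to change in the most complex way of all metrics that appear in web services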
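  12. Metrics that change greatly while batch processing is running
    • Examples include metrics such as the following
    • CPU usage of batch servers, Traffic, and so on
    • Depending on the service, they often have the following variation components
    • Trend variation, cyclical variation, irregular variation
    • Because the processing runs at a specific period
    • It is enough to watch only during batch time, but the characteristics may differ from batch to batch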
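  13. Metrics that change regardless of access or batch processing
    • Examples include metrics such as the following
    • Disk usage, Swap usage, ...
    • Disk usage depends on the characteristics of the server
    • Depending on the service, they often have the following variation components
    • Trend variation, irregular variation
    • Knowing the long-term trend is enough; a large change is in itself often an anomaly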
  14. Failure patterns that can occur in web systems
    • Consider the following patterns as the behavior metrics can show during a failure
    • Spike/Falling pattern
    • Flapping/Stopping pattern
    • Saturation pattern
    • Assume that whenever user experience is affected, some metric shows one of the behaviors above
    • If no metric changes during a failure, what is being collected needs to be reviewed
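  15. Failure patterns that can occur in web systems
    • Spike/Falling pattern
    • A pattern in which a metric rises or falls sharply
    • Detectable mainly by identifying outliers and change points
    • Flapping/Stopping pattern
    • A pattern in which a metric suddenly starts oscillating over short intervals
    • If the periodic motion has merely become shorter, it is hard to detect with outliers alone
    • A pattern in which a metric that had been moving periodically suddenly stops doing so for a certain time
    • If the interval of the periodic motion has merely become longer, it is hard to detect with outliers alone
    • Saturation pattern
    • A pattern in which a metric stalls at a fixed upper bound (because of some limit)
    • With a single metric alone, it is difficult to identify which factor is causing the stall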
  16. Example of the Spike pattern
  17. Example of the Flapping pattern
  18. Example of the Stopping pattern
  19. Example of the Saturation pattern
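  20. Metric and failure characteristics of web systems
    • Many metrics show frequent irregular variation caused by human work and the like
    • For example deployments, operations, and so on ...
    • There can be access spikes caused by TV broadcasts, spreading on SNS, and the like
    • Training may take a fairly long time without problems, but anomaly detection must be fast
    • Multiple metrics are often checked together to judge anomalous versus normal
    • Basically, known anomaly data is often insufficient
    • Anomaly detection is done by modeling the normal data that is given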
  21. Anomaly detection methods
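  22. Anomaly detection methods
    • Metrics that change regardless of access or batch processing
    • Variation from seasonality and periodicity is small, so a simple regression model is likely to suffice in many cases
    • Metrics that change greatly while batch processing is running
    • Variation from periodicity is especially large, so remove the periodicity
    • Once the periodicity is removed, a simple regression model is likely to suffice in many cases
    • Metrics that change greatly with user access
    • There are many variation components, so reducing them to a simple regression model looks difficult
    • There are also cases that use LOF, GMM, and the like for peak time, normal time, and so on
    • Spike patterns and the like can likely be detected well enough in many cases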
  23. Anomaly detection methods
    • On the other hand, detecting Flapping/Stopping and Saturation patterns is difficult
    • These are probably what is called a contextual anomaly
    • [1] says that, as of 2008, there was little literature on contextual anomalies
    • Research on such contextual anomalies has been advancing in recent years
    • Training generative models using CNNs and the like [6]
    • Decomposing time-series data into components and solving it as a curve-fitting problem [7]
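  24. Discussion
    • Classified in finer detail what had so far been treated uniformly as "server metrics"
    • Showed that finer classification reveals metrics that look formalizable with simple models
    • On the other hand, how to handle irregular variation from operations and the like needs consideration
    • Classified failure patterns into several types based on actual failure experience
    • Examined the anomaly detection methods that can be chosen given actual papers and responsiveness constraints
    • Anomaly detection that includes context and the like needs further investigation
    • The formalization cannot be called sufficient, so metrics and failure patterns need further examination
    • For practical use, training speed, inference speed, and load also need to be examined
    • Consider whether defining something like a steady-state is better than running anomaly detection on every metric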
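  25. Summary
    • Summarized several server metrics and showed their tendencies
    • Discussed the choice of anomaly detection method based on the tendencies of server metrics
    • Summarized the behavior of metrics during failures and showed their tendencies
    • Discussed which methods to use to detect the anomalies that are likely to appear
    • Through the survey I became just slightly more knowledgeable about time-series data analysis
    • What was surveyed this time is still not enough, so modern methods need further investigation as well
    • Especially contextual/collective anomaly detection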
  26. References
    1. CHANDOLA, Varun; BANERJEE, Arindam; KUMAR, Vipin. Anomaly detection: A survey. ACM computing surveys (CSUR), 2009, 41.3: 15.
    2. KITAGAWA, G. Introducing to Time Series Modeling, Chapman & Hall. 2010.
    3. HOCHENBAUM, Jordan; VALLIS, Owen S.; KEJARIWAL, Arun. Automatic anomaly detection in the cloud via statistical learning. arXiv preprint arXiv:1704.07706, 2017.
    4. ISLAM, Md Rafiqul, et al. A Comprehensive Survey of Time Series Anomaly Detection in Online Social Network Data. International Journal of Computer Applications, 2017, 180.3: 13-22.
    5. HARVEY, Andrew C.; PETERS, Simon. Estimation procedures for structural time series models. Journal of Forecasting, 1990, 9.2: 89-108.
    6. LAPTEV, Nikolay, et al. Time-series extreme event forecasting with neural networks at uber. In: International Conference on Machine Learning. 2017. p. 1-5.
    7. TAYLOR, Sean J.; LETHAM, Benjamin. Forecasting at scale. The American Statistician, 2018, 72.1: 37-45.
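
Slide 15 states that Spike patterns can be found from outliers, while Flapping/Stopping patterns are hard to detect with outliers alone. The following is an added example, not part of the original slides, that shows this on a constructed periodic metric: a 3-sigma outlier check catches a spike but misses a stop, and a rolling-spread check over one period (a simple contextual check chosen here for illustration, not a method from the cited papers) catches it. The series, the period of 24 samples, and both thresholds are assumptions.

```python
import math
import statistics

PERIOD = 24  # samples per cycle; an assumption for this constructed metric

def periodic_metric(n):
    """Constructed metric: periodic load around 50 with amplitude 20."""
    return [50 + 20 * math.sin(2 * math.pi * i / PERIOD) for i in range(n)]

def spike_series():
    """Spike pattern: one sample jumps far above the usual range."""
    s = periodic_metric(3 * PERIOD)
    s[30] = 200.0
    return s

def stopping_series():
    """Stopping pattern: the periodic motion goes flat for two cycles."""
    s = periodic_metric(4 * PERIOD)
    for i in range(PERIOD, 3 * PERIOD):
        s[i] = 50.0
    return s

def zscore_outliers(series, baseline, k=3.0):
    """Point-outlier check: indices more than k sigma from the baseline mean."""
    mu = statistics.fmean(baseline)
    sigma = statistics.pstdev(baseline)
    return [i for i, x in enumerate(series) if abs(x - mu) > k * sigma]

def collapsed_windows(series, baseline, ratio=0.25):
    """Contextual check: start indices of one-period windows whose spread
    fell below `ratio` of the baseline spread, i.e. the cycle has stopped."""
    floor = ratio * statistics.pstdev(baseline)
    last = len(series) - PERIOD
    return [s for s in range(last + 1)
            if statistics.pstdev(series[s:s + PERIOD]) < floor]

if __name__ == "__main__":
    base = periodic_metric(5 * PERIOD)  # normal data only, as the slides assume
    print("spike, outlier check:   ", zscore_outliers(spike_series(), base))
    print("stopping, outlier check:", zscore_outliers(stopping_series(), base))
    print("stopping, spread check: ", collapsed_windows(stopping_series(), base))
```

The flat segment sits at the baseline mean, so every sample in it looks normal on its own; only the comparison against the expected periodic behavior exposes it.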