Please use this identifier to cite or link to this item: https://hdl.handle.net/10316/114592
Title: Detecting Anomalies Through Sequential Performance Analysis in Virtualized Environments
Authors: Gonçalves, Charles F. 
Menasché, Daniel Sadoc
Avritzer, Alberto
Antunes, Nuno 
Vieira, Marco 
Keywords: Anomaly detection; modeling; performance; security; virtualization
Issue Date: 2023
Publisher: IEEE
Project: This work is funded by Project “Agenda Mobilizadora Sines Nexus” (ref. No. 7113), supported by the Recovery and Resilience Plan (PRR) and by the European Funds Next Generation EU, following Notice No. 02/C05-i01/2022, Component 5-Capitalization and Business Innovation-Mobilizing Agendas for Business Innovation, by national funds through the FCT-Foundation for Science and Technology, I.P., within the scope of the project CISUC-UID/CEC/00326/2020, grant SFRH/BD/144839/2019, by European Social Fund, through the Regional Operational Program Centro 2020, and by CEFET-MG and partially by CAPES, CNPq, and FAPERJ under grants 315110/2020-1, E-26/211.144/2019 and E-26/201.376/2021.
Serial title, monograph or event: IEEE Access
Volume: 11
Abstract: Virtualization enables cloud computing, allowing for server consolidation with cost reduction. It also introduces new challenges in terms of security and isolation, which are deterrents for the adoption of virtualization in critical systems. Virtualized systems tend to be very complex, and multi-tenancy is the norm, as the hypervisor manages the resources shared among virtual machines. This paper proposes a methodology that uses performance modeling for the detection of anomalies in virtualized environments that can be caused, for instance, by cyberattacks. Experiments are conducted to profile the system operation under normal conditions for its business transactions. The results are used to calibrate a performance model and to understand the impact of its parameters on the false positive probability. During operation, the system is monitored, and deviations are detected by applying a sequential analysis algorithm (the bucket algorithm). The methodology is evaluated using a representative cloud workload (TPCx-V), which was profiled during a set of controlled executions. We consider resource exhaustion anomalies to emulate the effects of attacks affecting the performance of the system. Our results show that the proposed approach is able to successfully detect anomalies, with a low number of false positives, and spot possible residual effects of anomalies on the system.
URI: https://hdl.handle.net/10316/114592
ISSN: 2169-3536
DOI: 10.1109/ACCESS.2023.3293643
Rights: openAccess
Appears in Collections: FCTUC Eng.Informática - Artigos em Revistas Internacionais
I&D CISUC - Artigos em Revistas Internacionais

This item is licensed under a Creative Commons License.