详细信息    本馆镜像全文|  推荐本文 |  |   获取CNKI官网全文
With the rapid progress of computing techniques and communication techniques,the information service has been widely used in regular life. It persistently providestrusted service for7′24hours a week. The infrastructure of such service is usuallydistributed systems that are constructed with large amount of computing resources,handle large amount of user requests and storage large amount of user data. In order tobuild a large-scale trusted distributed system, the complexity of system behavior andsystem running environment would increase dramatically for the follow two reasons:software bugs are difficult to get rid of, and it is difficult to anticipate all the situationsthat could encountered at runtime. A direct result of such complexity is that the systemshould be persistently providing trusted service while the system composing componentpersistently fails, which seriously affects the7′24high trusted service requiremt.
     Monitoring-Action is a widely used runtime trust grantee mechanism. It uses thefault localization techniques to accurately diagnosis the root cause of system failure, andthen doing the corresponding actions to grantee the runtime trust property of the system.Event log has been widely used in fault localization techniques as an effectiveabstraction of system behavior. There are mainly two ways to localize a fault: use faultmodel to identify a known fault; use normal behavior model to identify the abnormalbehavior. However, due to the complexity system behavior and system environment,there still exist great challenges to localize fault by event logs: there exist large amountnoisy logs through the fault modeling process, which could lead to false positives andfalse negatives in the fault localization process; it is difficult to extract the normalbehavior model under distributed environment, and the low detection efficiency makesit difficult to detect runtime abnormal system behavior.
     In order to tame those challenges, we research the fault localization problems inboth fault model and normal behavior model method in typical large-scale distributedsoftware systems. By using the Haar wavelet transform techniques, similaritymeasurement and cluster index techniques, we try to solve the noisy event log filtering,continues fault behavior tracing and normal behavior modeling problem throughdifferent properties of event logs, including time series property, statistical property andevent property. Our main works including:
     (1) Time series similarity-based noisy event logs filtering
     To filter the noisy event logs during fault feature extraction process, we propose atime series similarity-based noisy log filtering method to filter out the event logs that arenot related to the injected fault. By modeling a specific type of event logs into timeseries, and use Haar wavelet transform to extract the occurring pattern of the time series.By comparing the similarity between noisy log templates and the target log time series, we successfully identify the event logs that are not related to the injected fault andincrease the effectiveness of the fault model. By conducting the experiment in an innerlarge-scale distributed software system of alibaba cloud computing company, we canimprove the fault accuracy to96%(when setting detection time window to50seconds)and the fault recall to94%(when setting the detection time window to100seconds).
     To improve the efficiency of the filtering process, we propose a skip-list basedcluster index to shorten the filtering time. By clustering the noisy temples with timeseries similarity measurement and use skip-list to index the noisy temples, wesuccessfully improve the filtering efficiency by43%.
     (2) Event log item state-based continues fault tracing
     In order to model the fault features outside the detection time window, we proposea companion state tracing mechanism to extract the fault feature. Traditional faultmodeling method uses the event logs that are observed within a fixed fault feature timewindow to model a fault and ignore the fault feature outside the time window. Sincedifferent types of fault are rather different in fault propagation time period and faultpropagation patterns, the fault feature could be mistakenly identified as false positivesand false negatives. By modeling fault into companion state machines, we can identifythe current event log pattern is caused by the previously detected fault or caused by anew fault. By conducting the experiment in an inner cluster of alibaba cloud computingcompany, we successfully increase the effectiveness of fault model up to90%(whensetting detection time window to6seconds).
     (3) Thread level event log sequence-based abnormal behavior detection
     In order to detect abnormal behavior from event log templates, we use the eventlogs within a thread as the system normal behavior templates, and model the abnormalevent log detection problem into sequence matching problem. To improve the efficiencyof traditional cluster-based sequence matching method, we use cosine similarity ofevent type feature vector to anticipate the sequence similarity, use Top-K searchingtechniques to limit the size of comparing set, and use invert index techniques to furtherfilter the target temples set. By conducting the experiment on Hadoop cluster, weincrease the comparing efficiency for8.6times (when setting similarity threshold to0.95and use Top50).
     To further improve the effectiveness of the thread level event log behavior model,we propose a sub-sequence feature vector-based cluster index method for sequencematching. Since the event type feature vector doesn’t contains temporal information, itmakes the similarity measurement doesn’t similar well to the original sequencesimilarity measurement. We use the repeat sub-sequence analyzing techniques to dividethe original sequence into sub-sequence. Then, we use the sub-sequence id to formfeature vector and use the cosine similarity method to cluster the original sequence. Thesub-sequence is a reasonable abstraction of localized temporal information of the original sequence, so we can acquire a better matching effectiveness than event typefeature vector-based method. By conducting the experiment in Hadoop cluster, weincrease the sequence matching actuary for15%(when setting the similarity thresholdto0.90and use Top40).
     Except for the above3contributions, we also built a set of tools namedLogAnalyzer for gathering and analyzing the event logs in large-scale distributedsoftware systems, which can help the system administrator to better understand thesystem runtime behavior through event logs.
[1] What is Web2.0[Z]. O. Reilly,2005.
    [4] CNNIC:截至2011年6月底网民规模与结构特征[Z].http://tech.cn.yahoo.com/ypen/20110719/477684.html.
    [5] Services A W. Amazon S3-More Than449Billion Objects[Z]. AmazonWeb Services Blog,2011.
    [Z]. http://research.cnnic.cn/html/1295343214d2557.html,2011.
    [7] Report: Google Uses About900,000Servers[Z].http://www.datacenterknowledge.com/archives/2011/08/01/report-google-uses-about-900000-servers/.
    [10] Pingdom. Best and Worst US Online Banks Revealed[Z]. Pingdom,2006.
    [11] Pingdom. Downtime for International Airline Websites[Z]. Pingdom,2009.
    [12] Barroso L A, Hozle U. The datacenter as a computer: An introduction to thedesign of warehouse-scale machines[J]. Synthesis Lectures on Computer Architecture.2009,4(1):1-108.
    [13] Chandra B, Dahlin M, Gao L, et al. Resource management for scalabledisconnected access to Web services[C]. Hong Kong, Hong Kong: ACM,2001.
    [14] Amazon. Amazon Elastic Compute Cloud[Z]. http://aws.amazon.com/ec2/.
    [15]5Lessons We've learned Using AWS[Z].http://techblog.netflix.com/2010/12/5-lessons-weve-learned-using-aws.html.
    [16] Northrop L, Feiler P, Gabriel R P, et al. Ultra-Large-Scale systems-thesoftware challenge of the future[J]. Technical report Software Engineering InstituteCarnegie Mellon University ISBN.2006.
    [17] Salehie M, Tahvildari L. Self-adaptive software: Landscape and researchchallenges[J]. ACM Trans. Auton. Adapt. Syst.2009,4(2):1-42.
    [18] Sigelman B H, Barroso L A, Burrows M, et al. Dapper, a large-scaledistributed systems tracing infrastructure[J]. Google Research.2010.
    [19] Chen M Y, Kiciman E, Fratkin E, et al. Pinpoint: Problem Determination inLarge, Dynamic Internet Services[C]. IEEE Computer Society,2002.
    [20] Fonseca R, Porter G, Katz R H, et al. X-trace: a pervasive network tracingframework[C]. Cambridge, MA: USENIX Association,2007.
    [21] Barham P, Donnelly A, Isaacs R, et al. Using magpie for request extractionand workload modelling[C]. San Francisco, CA: USENIX Association,2004.
    [22] Jones J A, Harrold M J, Stasko J. Visualization of test information to assistfault localization[C]. Orlando, Florida: ACM,2002.
    [23] Avizienis A, Laprie J, Randell B, et al. Basic Concepts and Taxonomy ofDependable and Secure Computing[J]. IEEE Trans. Dependable Secur. Comput.2004,1(1):11-33.
    [24] Katker S, Geihs K. A Generic Model for Fault Isolation inIntegratedManagement Systems[J]. J. Netw. Syst. Manage.1997,5(2):109-130.
    [25] Steinder M, Sethi A. The present and future of event correlation: A need forend-to-end service fault localization[C]. Citeseer,2001.
    [26] Kandula S, Mahajan R, Verkaik P, et al. Detailed diagnosis in enterprisenetworks[C]. Barcelona, Spain: ACM,2009.
    [27] Buskens R W, Bianchini Jr R P. Distributed on-line diagnosis in the presenceof arbitrary faults[C]. IEEE,1993.
    [28] Bagchi A, Hakimi S L. An optimal algorithm for distributed system leveldiagnosis[C]. IEEE,1991.
    [29] Maheshwari S N, Hakimi S L. On models for diagnosable systems andprobabilistic fault diagnosis[J]. Computers, IEEE Transactions on.1976,100(3):228-236.
    [30] Proc E, Jr. Pio Duarte, Nanya T. A Hierarchical Adaptive DistributedSystem-Level Diagnosis Algorithm[J]. IEEE Trans. Comput.1998,47(1):34-45.
    [31] Patel A, Mcdermott G, Mulvihill C. Integrating network management andartificial intelligence[J]. Integrated Network Management I, North-Holland, Amsterdam.1989:647-660.
    [32] Liu G, Mok A K, Yang E J. Composite events for network eventcorrelation[C]. IEEE,1999.
    [33] Lewis L M. A case-based reasoning approach to the resolution of faults incommunication networks[C]. North-Holland Publishing Co.,1993.
    [34] Hong P, Sen P. Incorporating Non-deterministic Reasoning in ManagingHeterogeneous Network Faults. Integrated Network Management II[Z]. North-Holland,Amsterdam,1991.
    [35] Aguilera M K, Mogul J C, Wiener J L, et al. Performance debugging fordistributed systems of black boxes[C]. Bolton Landing, NY, USA: ACM,2003.
    [36] Cohen I, Zhang S, Goldszmidt M, et al. Capturing, indexing, clustering, andretrieving system history[C]. Brighton, United Kingdom: ACM,2005.
    [37] Xu W, Huang L, Fox A, et al. Mining console logs for large-scale systemproblem detection[C]. San Diego, California: USENIX Association,2008.
    [38] Olszewski M, Ansel J, Amarasinghe S. Kendo: efficient deterministicmultithreading in software[C]. Washington, DC, USA: ACM,2009.
    [39] Hellerstein J L, Ma S, Perng C S. Discovering actionable patterns in eventdata[J]. IBM Systems Journal.2002,41(3):475-493.
    [40] Ma H, Hellerstein J L. Mining partially periodic event patterns with unknownperiods[C].2001.
    [41] Yamanishi K, Maruyama Y. Dynamic syslog mining for network failuremonitoring[C]. ACM,2005.
    [42] Lim C, Singh N, Yajnik S. A log mining approach to failure analysis ofenterprise telephony systems[C]. IEEE,2008.
    [43] Lou J, Fu Q, Wang Y, et al. Mining dependency in distributed systemsthrough unstructured logs analysis[J]. SIGOPS Oper. Syst. Rev.2010,44(1):91-96.
    [44] Xu W, Huang L, Fox A, et al. Detecting large-scale system problems bymining console logs[C]. Big Sky, Montana, USA: ACM,2009.
    [45] Tan J, Kavulya S, Gandhi R, et al. Visual, Log-Based Causal Tracing forPerformance Debugging of MapReduce Systems[C]. IEEE Computer Society,2010.
    [46] Lou J, Fu Q, Yang S, et al. Mining invariants from console logs for systemproblem detection[C]. Boston, MA: USENIX Association,2010.
    [47] Liang Y, Sivasubramaniam A, Moreira J. Filtering Failure Logs for aBlueGene/L Prototype[C]. IEEE Computer Society,2005.
    [48] Oliner A, Stearley J. What Supercomputers Say: A Study of Five SystemLogs[C]. IEEE Computer Society,2007.
    [49] Liang Y, Zhang Y, Sivasubramaniam A, et al. BlueGene/L Failure Analysisand Prediction Models[C]. IEEE Computer Society,2006.
    [50] Zheng Z, Lan Z, Park B H, et al. System log pre-processing to improvefailure prediction[C]. IEEE,2009.
    [51] Duraes J A, Madeira H S. Emulation of Software Faults: A Field Data Studyand a Practical Approach[J]. IEEE Trans. Softw. Eng.2006,32(11):849-867.
    [52] Agrawal R, Imieli T, Ski, et al. Mining association rules between sets ofitems in large databases[J]. SIGMOD Rec.1993,22(2):207-216.
    [53] Hasan M, Sugla B, Viswanathan R. A conceptual framework for networkmanagement event correlation and filtering systems[C]. IEEE,1999.
    [54] Yemini S A, Kliger S, Mozes E, et al. High speed and robust eventcorrelation[J]. IEEE Communications Magazine.1996,34(5):82-90.
    [55] Klinger S, Yemini S, Yemini Y, et al. A coding approach to eventcorrelation[C]. Chapman\& Hall, Ltd.,1995.
    [56] Natu M, Sethi A S. Probabilistic fault diagnosis using adaptive probing[C].San Jos\&\#233;, CA, USA: Springer-Verlag,2007.
    [57] Gruschke B. Integrated event management: Event correlation usingdependency graphs[C]. IEEE,1998.
    [58] Hp. HP Openview[Z]. http://www.openview.hp.com/.
    [59] Ibm. IBM Tivoli[Z]. http://www.ibm.com/software/tivoli/.
    [60] Microsoft. Microsoft Operations Manager[Z].http://www.microsoft.com/mom/.
    [61] Kandula S, Katabi D, Vasseur J. Shrink: a tool for failure diagnosis in IPnetworks[C]. Philadelphia, Pennsylvania, USA: ACM,2005.
    [62] Bahl P, Chandra R, Greenberg A, et al. Towards highly reliable enterprisenetwork services via inference of multi-level dependencies[C]. Kyoto, Japan: ACM,2007.
    [63] Bahl P, Chandra R, Greenberg A, et al. Towards highly reliable enterprisenetwork services via inference of multi-level dependencies[C]. Kyoto, Japan: ACM,2007.
    [64] Kandula S, Mahajan R, Verkaik P, et al. Detailed diagnosis in enterprisenetworks[C]. Barcelona, Spain: ACM,2009.
    [65] Jiang G, Chen H, Yoshihira K, et al. Ranking the importance of alerts forproblem determination in large computer systems[C]. Barcelona, Spain: ACM,2009.
    [66] Lim C, Singh N, Yajnik S. A log mining approach to failure analysis ofenterprise telephony systems[C].2008.
    [67] Vaarandi R. A data clustering algorithm for mining patterns from eventlogs[C]. Citeseer,2003.
    [68] Vaarandi R. A breadth-first algorithm for mining frequent patterns from eventlogs[J]. Intelligence in Communication Systems.2004:293-308.
    [69] Stearley J. Towards informatic analysis of syslogs[C].2004.
    [70] Fisher K, Walker D, Zhu K Q, et al. From dirt to shovels: Fully automatictool generation from ad hoc data[C]. ACM,2008.
    [71] Makanju A, Zincir-Heywood A N, Milios E E. Clustering event logs usingiterative partitioning[C]. ACM,2009.
    [72] Yuan D, Mai H, Xiong W, et al. SherLog: error diagnosis by connecting cluesfrom run-time logs[C]. Pittsburgh, Pennsylvania, USA: ACM,2010.
    [73] Yuan D, Zheng J, Park S, et al. Improving software diagnosability via logenhancement[C]. Newport Beach, California, USA: ACM,2011.
    [74] Apache http server project[Z]. http://httpd.apache.org/.
    [75] Apache Logging Services-Log4j[Z].
    [76] Jiang G, Chen H, Yoshihira K. Discovering likely invariants of distributedtransaction systems for autonomic system management[J]. Cluster Computing.2006,9(4):385-399.
    [77] Jiang G, Chen H, Yoshihira K. Efficient and scalable algorithms for inferringlikely invariants in distributed systems[J]. IEEE Transactions on Knowledge and DataEngineering.2007,19(11).
    [78] Ayers A, Schooler R, Metcalf C, et al. TraceBack: first fault diagnosis byreconstruction of distributed control flow[C]. Chicago, IL, USA: ACM,2005.
    [79] Bodden E, Lam P, Hendren L. Finding programming errors earlier byevaluating runtime monitors ahead-of-time[C]. Atlanta, Georgia: ACM,2008.
    [80] Chen F, Ro G, U. Parametric Trace Slicing and Monitoring[C]. York, UK:Springer-Verlag,2009.
    [81] Chilimbi T M, Liblit B, Mehra K, et al. HOLMES: Effective statisticaldebugging via efficient path profiling[C]. IEEE Computer Society,2009.
    [82] Liblit B, Aiken A, Zheng A X, et al. Bug isolation via remote programsampling[C]. San Diego, California, USA: ACM,2003.
    [83] Fox G C, Guha R, Mcmullen D F, et al. Self-repairing computers[C]. Citeseer,2003.
    [84] Chen M Y, Accardi A, Kiciman E, et al. Path-based faliure and evolutionmanagement[C]. San Francisco, California: USENIX Association,2004.
    [85] Splunk. Splunk[Z]. http://www.splunk.com.
    [86] Arm. Application Response Measurement[Z]. http://www.opengroup.-org/tech/management/arm/.
    [87] Aguilera M K, Mogul J C, Wiener J L, et al. Performance debugging fordistributed systems of black boxes[C]. Bolton Landing, NY, USA: ACM,2003.
    [88] Dunagan J, Harvey N J A, Jones M B, et al. FUSE: lightweight guaranteeddistributed failure notification[C]. San Francisco, CA: USENIX Association,2004.
    [89] Hussain A, Bartlett G, Pryadkin Y, et al. Experiences with a continuousnetwork tracing infrastructure[C]. Philadelphia, Pennsylvania, USA: ACM,2005.
    [90] Bahl P, Barham P, Black R, et al. Discovering dependencies for networkmanagement[J]. IRVINE IS BURNING.2006:97.
    [91] Chanda A, Elmeleegy K, Cox A, et al. Causeway: support for controlling andanalyzing the execution of multi-tier applications[J]. Middleware2005.2005:42-59.
    [92] Yacoub S M, Ammar H H. A Methodology for Architecture-Level ReliabilityRisk Analysis[J]. IEEE Trans. Softw. Eng.2002,28(6):529-547.
    [93] Zheng A X, Lloyd J, Brewer E. Failure Diagnosis Using Decision Trees[C].IEEE Computer Society,2004.
    [94] Xu W, Huang L, Fox A, et al. Detecting large-scale system problems bymining console logs[C]. ACM,2009.
    [95] Agrawal R, Faloutsos C, Swami A N. Efficient Similarity Search In SequenceDatabases[C]. Springer-Verlag,1993.
    [96] Berndt D, Clifford J. Using dynamic time warping to find patterns in timeseries[C].1994.
    [97] Athitsos V, Papapetrou P, Potamias M, et al. Approximate embedding-basedsubsequence matching of time series[C]. ACM,2008.
    [98] Wencong C, Peng Z, Yan J, et al. Anomaly Detection over Pseudo PeriodData Steams Based on DTW Distance[J]. Journal of Computer Research andDevelopment.2010,47(5):893-902.
    [99] Pugh W. Skip lists: a probabilistic alternative to balanced trees[J].Communications of the ACM.1990,33(6):668-676.
    [100] Candea G, Kawamoto S, Fujiki Y, et al. Microreboot-A technique for cheaprecovery[C]. San Francisco, CA: USENIX Association,2004.
    [101] Reidemeister T, Munawar M A, Jiang M, et al. Diagnosis of recurrent faultsusing log files[C]. Ontario, Canada: ACM,2009.
    [102] Tan P N, Steinbach M, Kumar V. Introduction to data mining[M]. PearsonAddison Wesley Boston,2006.
    [103] Hunt E B. Concept learning: An information processing problem.[M]. JohnWiley&Sons Inc,1962.
    [104] Witten I H, Frank E, Trigg L, et al. Weka: Practical machine learning toolsand techniques with Java implementations[C].1999.
    [105] Pei J, Han J, Mortazavi-Asl B, et al. Mining Sequential Patterns byPattern-Growth: The PrefixSpan Approach[J]. IEEE Trans. on Knowl. and Data Eng.2004,16(11):1424-1440.
    [106] Carrasco R C, Jos, Oncina. Learning Stochastic Regular Grammars by Meansof a State Merging Method[C]. Springer-Verlag,1994.
    [107] Apache hadoop[Z]. http://hadoop.apache.org/.
    [108] Needleman S B, Wunsch C D. A general method applicable to the search forsimilarities in the amino acid sequence of two proteins[J]. Journal of molecular biology.1970,48(3):443-453.
    [109] The Apache Lucene[Z].
    [110] Baeza-Yates R A, Ribeiro-Neto B. Modern Information Retrieval[M].Addison-Wesley Longman Publishing Co., Inc.,1999.
    [111] Faloutsos C, Christodoulakis S. Description and performance analysis ofsignature file methods for office filing[J]. ACM Trans. Inf. Syst.1987,5(3):237-257.
    [112] Ooi B C, Mcdonell K J, Sacks-Davis R. Spatial kd-tree: An indexingmechanism for spatial databases[C].1987.
    [113] Babcock B, Olston C. Distributed top-k monitoring[C]. San Diego, California:ACM,2003.
    [114] Knuth D E, Morris Jr J H, Pratt V R. Fast pattern matching in strings[J].SIAM journal on computing.1977,6:323.
    [115] Rabin M O, Scott D. Finite automata and their decision problems[J]. IBMjournal of research and development.1959,3(2):114-125.
    [116] Foundation A S. Gridmix-Hadoop[Z].http://hadoop.apache.org/mapreduce/docs/current/gridmix.html.
    [117] Beck K. Test-driven development: by example[M]. Addison-WesleyProfessional,2003.
    [118] Zhu H, Hall P A V, May J H R. Software unit test coverage and adequacy[J].ACM Computing Surveys (CSUR).1997,29(4):366-427.
    [119] Gnu. gcov—a Test Coverage Program[Z].http://gcc.gnu.org/onlinedocs/gcc/Gcov.html.
    [120] Linux Test Project-Coverage lcov[Z].http://ltp.sourceforge.net/coverage/lcov.php.