Detecting anomalies in cluster-based parallel programs using a wavelet based approach

Anomaly detection has the potential to detect unusual behavior and novel attacks that have not been previously observed. Audits of many events including system calls, user command usage, credit card usage, etc. can be used as the basis for anomaly detection. Examination of these traces of ordered events allows classification of audit trails as normal or anomalous. This paper explores the utility of wavelets as a classification method for use in the context of anomaly detection in parallel programs run in a high performance cluster environment. The events considered are traces of function calls and system calls invoked by parallel programs. Two wavelet-based classification methods are described for anomaly detection. The wavelet-based approaches are sensitive to both order and frequency behavior of the events. The experimental results indicate that both wavelet-based classification methods are more effective in the detection of anomalies than sequence matching.