Forough, Javad
Publications (10 of 10)
Forough, J., Bhuyan, M. & Elmroth, E. (2026). Reinforced model selection for resource efficient anomaly detection in edge clouds. Future Generation Computer Systems, 176, Article ID 108161.
2026 (English). In: Future Generation Computer Systems, ISSN 0167-739X, E-ISSN 1872-7115, Vol. 176, article id 108161. Article in journal (Refereed) Published
Abstract [en]

Web application services and networks encounter a broad range of security and performance anomalies, necessitating sophisticated detection strategies. However, performing anomaly detection in edge cloud environments, often constrained by limited resources, presents significant computational challenges and demands minimized detection time for real-time response. In this paper, we propose a model selection approach for resource efficient anomaly detection in edge clouds by leveraging an adapted Deep Q-Network (DQN) reinforcement learning technique. The primary objective is to minimize the computational resources required for accurate anomaly detection while achieving low latency and high detection accuracy. Through extensive experimental evaluation in our testbed setup over different representative scenarios, we demonstrate that our adapted DQN approach can reduce resource usage by up to 45 % and detection time by up to 85 % while incurring less than an 8 % drop in F1 score. These results highlight the potential of the adapted DQN model selection strategy to enable efficient, low-latency anomaly detection in resource-constrained edge cloud environments.

Place, publisher, year, edition, pages
Elsevier, 2026
Keywords
Anomaly detection, Edge clouds, Model selection, Resource optimization
National Category
Computer Sciences Computer Systems
Identifiers
urn:nbn:se:umu:diva-245566 (URN); 10.1016/j.future.2025.108161 (DOI); 001585411100001 (); 2-s2.0-105017973376 (Scopus ID)
Funder
Wallenberg AI, Autonomous Systems and Software Program (WASP); The Swedish Foundation for International Cooperation in Research and Higher Education (STINT); EU, Horizon Europe, 101092711
Available from: 2025-10-20 Created: 2025-10-20 Last updated: 2025-10-20 Bibliographically approved
Jha, P., Singh, G., Kumar, A., Agrawal, D., Patel, Y. S. & Forough, J. (2025). NetProbe: deep learning-driven DDoS detection with a two-tiered mitigation strategy. In: Amos Korman; Sandip Chakraborty; Sathya Peri; Chiara Boldrini; Peter Robinson (Ed.), ICDCN 2025: Proceedings of the 26th International Conference on Distributed Computing and Networking. Paper presented at 26th International Conference on Distributed Computing and Networking, ICDCN 2025, Hyderabad, India, 04-07 January 2025 (pp. 402-407). Association for Computing Machinery (ACM)
2025 (English). In: ICDCN 2025: Proceedings of the 26th International Conference on Distributed Computing and Networking / [ed] Amos Korman; Sandip Chakraborty; Sathya Peri; Chiara Boldrini; Peter Robinson, Association for Computing Machinery (ACM), 2025, p. 402-407. Conference paper, Published paper (Refereed)
Abstract [en]

Web servers are the backbone of modern Internet infrastructure, serving as the primary medium for online information distribution. Despite their critical role, web servers are susceptible to cyber-attacks. While current firewall mechanisms provide some level of protection against cyber threats, the evolving nature of these attacks and emerging vulnerabilities continue to pose significant risks. One of the most prevalent yet lethal attacks known today is DDoS (Distributed Denial of Service) attacks. These growing risks emphasize the urgent need for dynamic and robust threat detection and mitigation systems. This paper presents a comparative analysis of ensemble learning models (e.g., Random Forest, XGBoost, and LightGBM) and neural network-based models (e.g., Graph Neural Networks (GNN), Long Short-Term Memory networks (LSTM) with attention layers, and Gated Recurrent Units (GRU)) for DDoS attack detection and classification. Based on this analysis, we propose a real-time DDoS attack detection system integrated with a mitigation mechanism. The proposed system utilizes a two-tiered mitigation strategy assisted by UFW (Uncomplicated Firewall) and Apache server configuration files to block the incoming and outgoing traffic associated with suspicious IP addresses. The system's overall complexity, integrating both detection and response processes, ensures its efficiency in real-time environments while handling large volumes of traffic. Furthermore, the proposed approach achieves 15% improvement in detection accuracy and 20% reduction in false positives compared to traditional techniques, making it an effective and scalable solution for modern web server security.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2025
Keywords
Apache Server, DDoS detection, Graph Neural Networks (GNNs), Machine learning, Network traffic classification, Time-Series data
National Category
Computer Sciences Computer Systems
Identifiers
urn:nbn:se:umu:diva-236112 (URN); 10.1145/3700838.3703687 (DOI); 2-s2.0-85218336894 (Scopus ID); 9798400710629 (ISBN)
Conference
26th International Conference on Distributed Computing and Networking, ICDCN 2025, Hyderabad, India, 04-07 January 2025
Available from: 2025-03-10 Created: 2025-03-10 Last updated: 2025-03-10 Bibliographically approved
Forough, J., Haddadi, H., Bhuyan, M. H. & Elmroth, E. (2024). Efficient anomaly detection for edge clouds: mitigating data and resource constraints.
2024 (English). Manuscript (preprint) (Other academic)
National Category
Computer Sciences
Identifiers
urn:nbn:se:umu:diva-220244 (URN)
Funder
Umeå University; Wallenberg AI, Autonomous Systems and Software Program (WASP)
Available from: 2024-01-30 Created: 2024-01-30 Last updated: 2024-07-02
Forough, J., Haddadi, H., Bhuyan, M. & Elmroth, E. (2024). Efficient anomaly detection for edge clouds: mitigating data and resource constraints. IEEE Access, 12, 171897-171910
2024 (English). In: IEEE Access, E-ISSN 2169-3536, Vol. 12, p. 171897-171910. Article in journal (Refereed) Published
Abstract [en]

Anomaly detection plays a vital role in ensuring the security and reliability of edge clouds, which are decentralized computing environments with limited resources. However, the unique challenges of limited computing power and lack of edge-related labeled training data pose significant obstacles to effective supervised anomaly detection. In this paper, we propose an innovative approach that leverages transfer learning to address the lack of relevant labeled data and knowledge distillation to increase computational efficiency and achieve accurate anomaly detection on edge clouds. Our approach exploits transfer learning by utilizing knowledge from a pre-trained model and adapting it for anomaly detection on edge clouds. This enables the model to benefit from the learned features and patterns from related tasks such as network intrusion detection, resulting in improved detection accuracy. Additionally, we utilize knowledge distillation to distill the knowledge from the previously mentioned high-capacity model, known as the teacher model, into a more compact student model. This distillation process enhances the student model's computational efficiency while retaining its detection power. Evaluations conducted on our developed real-world edge cloud testbed show that, with the same amount of edge cloud's labeled dataset, our approach maintains high accuracy while significantly reducing the model's detection time to almost half for non-sequential models, from 81.11μs to 44.34μs on average. For sequential models, it reduces the detection time to nearly a third of the baseline model's, from 331.54μs to 113.86μs on average. These improvements make our approach exceptionally practical for real-time anomaly detection on edge clouds.

Place, publisher, year, edition, pages
IEEE, 2024
Keywords
Anomaly detection, data constraints, edge clouds, knowledge distillation, resource constraints, transfer learning
National Category
Computer Sciences Computer Systems
Identifiers
urn:nbn:se:umu:diva-231909 (URN); 10.1109/ACCESS.2024.3492815 (DOI); 001362127900039 (); 2-s2.0-85208701570 (Scopus ID)
Funder
Wallenberg AI, Autonomous Systems and Software Program (WASP)
Available from: 2024-11-20 Created: 2024-11-20 Last updated: 2024-12-13 Bibliographically approved
Forough, J. (2024). Machine learning for anomaly detection in edge clouds. (Doctoral dissertation). Umeå: Umeå University
2024 (English). Doctoral thesis, comprehensive summary (Other academic)
Alternative title [sv]
Maskininlärning för anomalidetektion i kantmoln
Abstract [en]

Edge clouds have emerged as an essential architecture, revolutionizing data processing and analysis by bringing computational capabilities closer to data sources and end-users at the edge of the network. Anomaly detection is crucial in these settings to maintain the reliability and security of edge-based systems and applications despite limited computational resources. It plays a vital role in identifying unexpected patterns, which could indicate security threats or performance issues within the decentralized and real-time nature of edge cloud environments. For example, in critical edge applications like autonomous vehicles, augmented reality, and smart healthcare, anomaly detection ensures the consistent and secure operation of these systems, promptly detecting anomalies that might compromise safety, performance, or user experience. However, the adoption of anomaly detection within edge cloud environments poses numerous challenges.

This thesis aims to contribute by addressing the problem of anomaly detection in edge cloud environments. Through a comprehensive exploration of anomaly detection methods, leveraging machine learning techniques and innovative approaches, this research aims to enhance the efficiency and accuracy of detecting anomalies in edge cloud environments. The proposed methods intend to overcome the challenges posed by resource limitations, the lack of labeled data specific to edge clouds, and the need for accurate detection of anomalies. By focusing on machine learning approaches like transfer learning, knowledge distillation, reinforcement learning, deep sequential models, and deep ensemble learning, this thesis endeavors to establish efficient and accurate anomaly detection systems specific for edge cloud environments.

The results demonstrate the improvements achieved by employing machine learning methods for anomaly detection in edge clouds. Extensive testing and evaluation in real-world edge environments show how machine learning-driven anomaly detection systems improve identification of anomalies in edge clouds. The results highlight the capability of these methods to achieve a reasonable trade-off between accuracy and computational efficiency. These findings illustrate how machine learning-based anomaly detection approaches contribute to building resilient and secure edge-based systems.

Place, publisher, year, edition, pages
Umeå: Umeå University, 2024. p. 57
Series
Report / UMINF, ISSN 0348-0542 ; 24.02
Keywords
Edge Clouds, Anomaly Detection, Machine Learning
National Category
Computer Sciences
Identifiers
urn:nbn:se:umu:diva-220246 (URN); 9789180702928 (ISBN); 9789180702911 (ISBN)
Public defence
2024-02-23, SAM.A.280, Social Sciences Building, Umeå, 09:15 (English)
Funder
Umeå University; Wallenberg AI, Autonomous Systems and Software Program (WASP)
Available from: 2024-02-02 Created: 2024-01-30 Last updated: 2024-07-02 Bibliographically approved
Forough, J., Bhuyan, M. H. & Elmroth, E. (2023). Anomaly detection and resolution on the edge: solutions and future directions. In: 2023 IEEE International Conference on Service-Oriented System Engineering (SOSE): Proceedings. Paper presented at 17th IEEE International Conference on Service-Oriented System Engineering, SOSE 2023, Athens, Greece, July 17-20, 2023 (pp. 227-238). IEEE
2023 (English). In: 2023 IEEE International Conference on Service-Oriented System Engineering (SOSE): Proceedings, IEEE, 2023, p. 227-238. Conference paper, Published paper (Refereed)
Abstract [en]

Anomaly detection and resolution are crucial in edge clouds to ensure that distributed systems operate reliably and securely. This survey presents a comprehensive overview of anomaly detection and resolution strategies specifically designed for edge cloud environments, exploring their strengths, limitations, and applicability in different scenarios. It explores the unique challenges and characteristics of edge cloud systems, providing an in-depth analysis of existing works and tools. Evaluation metrics and datasets used by different methods are examined to provide insights into assessing the performance and efficacy of anomaly detection and resolution approaches. The paper concludes by identifying open challenges, future research directions, and offering practical recommendations, making it a valuable resource for researchers and practitioners involved in enhancing the reliability and security of edge cloud systems.

Place, publisher, year, edition, pages
IEEE, 2023
Series
Proceedings (IEEE International Symposium on Service-Oriented System Engineering), ISSN 2640-8228, E-ISSN 2642-6587
Keywords
Anomaly detection, Anomaly resolution, Edge clouds, Performance anomalies, Security anomalies
National Category
Computer Sciences Computer Systems
Identifiers
urn:nbn:se:umu:diva-216214 (URN); 10.1109/SOSE58276.2023.00034 (DOI); 001084635000028 (); 2-s2.0-85174902690 (Scopus ID); 979-8-3503-2239-2 (ISBN); 979-8-3503-2240-8 (ISBN)
Conference
17th IEEE International Conference on Service-Oriented System Engineering, SOSE 2023, Athens, Greece, July 17-20, 2023
Funder
Wallenberg AI, Autonomous Systems and Software Program (WASP); EU, Horizon Europe, 101092711
Available from: 2023-11-06 Created: 2023-11-06 Last updated: 2025-04-24 Bibliographically approved
Forough, J., Bhuyan, M. & Elmroth, E. (2023). Unified identification of anomalies on the edge: a hybrid sequential PGM approach. In: 2023 IEEE 22nd international conference on trust, security and privacy in computing and communications (TrustCom). Paper presented at 22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2023, Exeter, United Kingdom, November 1-3, 2023 (pp. 595-604). IEEE
2023 (English). In: 2023 IEEE 22nd international conference on trust, security and privacy in computing and communications (TrustCom), IEEE, 2023, p. 595-604. Conference paper, Published paper (Refereed)
Abstract [en]

Edge cloud resources, just as many other computing resources, are prone to both performance and security anomalies due to their decentralized nature and real-time requirements for processing of data. Their behaviour initially observed as anomalous may, however, in many cases be rather generic and hard to detect. To be able to address such anomalies, it is instrumental to determine whether the anomaly is a "Security" threat or only a "Performance" concern. Therefore, in this paper, we develop an anomaly detection model capable of distinguishing between security and performance anomalies. The model is based on sequential modeling and Probabilistic Graphical Model (PGM), which leverage historical information and dependencies between previous predictions to classify future anomalies accurately. The evaluation of our proposed model shows its superior performance on our testbed and benchmark datasets. Accordingly, the model achieves an average 5%, and 3% higher F1 score compared to state-of-the-art methods in binary and multi-label anomaly detection cases, respectively. Moreover, our testing time analysis demonstrates the ability of the proposed model in early detection of such anomalies on the edge cloud.

Place, publisher, year, edition, pages
IEEE, 2023
Series
IEEE International Conference on Trust, Security and Privacy in Computing and Communications, ISSN 2324-898X, E-ISSN 2324-9013
Keywords
Edge clouds, Anomaly detection, Sequential modeling, Probabilistic Graphical Model
National Category
Computer Sciences
Identifiers
urn:nbn:se:umu:diva-220242 (URN); 10.1109/TrustCom60117.2023.00092 (DOI); 001239879400069 (); 2-s2.0-85195522322 (Scopus ID); 9798350381993 (ISBN); 9798350382006 (ISBN)
Conference
22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2023, Exeter, United Kingdom, November 1-3, 2023
Funder
Umeå University; Wallenberg AI, Autonomous Systems and Software Program (WASP)
Note

Originally included in thesis in manuscript form.

Available from: 2024-01-30 Created: 2024-01-30 Last updated: 2025-04-24 Bibliographically approved
Forough, J., Bhuyan, M. H. & Elmroth, E. (2022). Dela: a deep ensemble learning approach for cross-layer VSI-DDoS detection on the edge. Paper presented at ICDCS 2022, 42nd IEEE International Conference on Distributed Computing Systems, Bologna, Italy, July 10-13, 2022 (pp. 1155-1165). IEEE
2022 (English). Conference paper, Published paper (Refereed)
Abstract [en]

Web application services and networks become a major target of low-rate Distributed Denial of Service (DDoS) attacks such as Very Short Intermittent DDoS (VSI-DDoS). These threats exploit the TCP congestion control mechanism to cause transient resource outage and impute delays for legitimate users’ requests, while they bypass the secure systems. Besides that, cross-layer VSI-DDoS attacks, where the performed attacks are towards the different layers of the edge cloud infrastructures, are able to cause violation of customers’ Service-Level Agreements (SLAs) with less visible behavioral patterns. In this work, we propose a novel Deep Ensemble Learning Approach named DELA for detection of cross-layer VSI-DDoS on the edge cloud. This approach is developed based on Long Short-Term Memory (LSTM), ensemble learning, and a new voting mechanism based on Feed-Forward Neural Network (FFNN). In addition, it employs a novel training and detection algorithm to combat such attacks in web services and networks. The model shows improved results due to the utilization of historical information in decision-making and also the usage of neural network as aggregator instead of a static threshold-based aggregation. Moreover, we propose a novel overlapped data chunking algorithm that is able to ameliorate the detection performance. Furthermore, the evaluation of DELA shows its superior performance over our testbed and benchmark datasets. Accordingly, DELA achieves on average 4.88% higher F1 score compared to state-of-the-art methods.

Place, publisher, year, edition, pages
IEEE, 2022
Series
Proceedings of the International Conference on Distributed Computing Systems, E-ISSN 2575-8411
Keywords
Ensemble learning, Sequential modeling, VSI-DDoS detection, Edge clouds, Overlapped data chunking
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:umu:diva-200727 (URN); 10.1109/ICDCS54860.2022.00114 (DOI); 000877026100105 (); 2-s2.0-85140878827 (Scopus ID); 978-1-6654-7177-0 (ISBN)
Conference
ICDCS 2022, 42nd IEEE International Conference on Distributed Computing Systems, Bologna, Italy, July 10-13, 2022
Funder
Wallenberg AI, Autonomous Systems and Software Program (WASP); Knut and Alice Wallenberg Foundation; The Swedish Foundation for International Cooperation in Research and Higher Education (STINT)
Available from: 2022-11-02 Created: 2022-11-02 Last updated: 2024-07-02 Bibliographically approved
Forough, J., Bhuyan, M. H. & Elmroth, E. (2021). Detection of VSI-DDoS Attacks on the Edge: A Sequential Modeling Approach. In: ARES 2021: The 16th International Conference on Availability, Reliability and Security. Paper presented at ARES 2021, The 16th International Conference on Availability, Reliability and Security, online, August 17-20, 2021. Association for Computing Machinery (ACM), Article ID 20.
2021 (English). In: ARES 2021: The 16th International Conference on Availability, Reliability and Security, Association for Computing Machinery (ACM), 2021, article id 20. Conference paper, Published paper (Refereed)
Abstract [en]

The advent of crucial areas such as smart healthcare and autonomous transportation brings in new requirements on the computing infrastructure, including higher demand for real-time processing capability with minimized latency and maximized availability. The traditional cloud infrastructure has several deficiencies when meeting such requirements due to its centralization. Edge clouds seem to be the solution for the aforementioned requirements, in which the resources are much closer to the edge devices and provide local computing power and high Quality of Service (QoS). However, there are still security issues that endanger the functionality of edge clouds. One of the recent types of such issues is Very Short Intermittent Distributed Denial of Service (VSI-DDoS) which is a new category of low-rate DDoS attacks that targets both small and large-scale web services. This attack generates very short bursts of HTTP requests intermittently towards target services to encounter unexpected degradation of QoS at edge clouds. In this paper, we formulate the problem with a sequence modeling approach to address short intermittent intervals of DDoS attacks during the rendering of services on edge clouds using Long Short-Term Memory (LSTM) with local attention. The proposed approach ameliorates the detection performance by learning from the most important discernible patterns of the sequence data rather than considering complete historical information and hence achieves a more sophisticated model approximation. Experimental results confirm the feasibility of the proposed approach for VSI-DDoS detection on edge clouds and it achieves 2% more accuracy when compared with baseline methods.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2021
Series
ACM International Conference Proceeding Series (ICPS)
Keywords
Anomaly detection, Deep learning, Edge clouds, Sequential modeling, VSI-DDoS detection
National Category
Computer Systems Computer Sciences
Identifiers
urn:nbn:se:umu:diva-187029 (URN); 10.1145/3465481.3465757 (DOI); 000749539200016 (); 2-s2.0-85113227922 (Scopus ID); 978-1-4503-9051-4 (ISBN)
Conference
ARES 2021, The 16th International Conference on Availability, Reliability and Security, online, August 17-20, 2021
Funder
Wallenberg AI, Autonomous Systems and Software Program (WASP); Knut and Alice Wallenberg Foundation; The Swedish Foundation for International Cooperation in Research and Higher Education (STINT)
Available from: 2021-08-31 Created: 2021-08-31 Last updated: 2024-07-02 Bibliographically approved
Forough, J., Bhuyan, M. H. & Elmroth, E. Reinforced model selection for resource efficient anomaly detection in edge clouds.
(English) Manuscript (preprint) (Other academic)
National Category
Computer Sciences
Identifiers
urn:nbn:se:umu:diva-220245 (URN)
Funder
Wallenberg AI, Autonomous Systems and Software Program (WASP); Umeå University
Available from: 2024-01-30 Created: 2024-01-30 Last updated: 2024-07-02