End-to-end anomaly detection of service function chain through multi-source data in cloud-native systems
Xuefei Chen, Jinfeng Kou, Haiqiang Li, Yuqi Zhang, Junchao Ma, Chen Li, Bibo Tu
Computers & Security, volume 155, Article 104461. Published 2025-04-03. DOI: 10.1016/j.cose.2025.104461
Impact factor: 4.8. JCR: Q1 (Computer Science, Information Systems).
https://www.sciencedirect.com/science/article/pii/S0167404825001506
Citations: 0
Abstract
Cloud native technology enables Network Functions Virtualization (NFV) to dynamically provide and deploy network services to meet specific requirements in Industrial Internet of Things (IIoTs). However, compared to traditional hardware solutions, Service Function Chains (SFCs) are more prone to faults in complex and dynamically changing cloud environments. Existing anomaly detection methods exhibit several shortcomings, including high overhead, low accuracy, and limited detection scope. To address these challenges and ensure service quality, we propose an end-to-end SFC anomaly detection architecture, cSFCAD. First, to overcome the limitations of detection range and single-function detection, the cSFCAD architecture integrates multi-source data from both the data plane and control plane, enabling the effective detection of various types of SFC anomalies. Second, to better capture the spatial relationships of Cloud-Native Network Functions (CNFs) within the SFC, we adopt an encoder based on the self-attention mechanism, which models the behaviour of CNFs and their interdependencies. Finally, to improve the stability of the model in dynamic cloud environments, we use adversarial training to achieve self-conditioning for robust multi-modal feature extraction and enhanced stability. Additionally, through data reconstruction, we can precisely identify the key metrics contributing most to the anomalies. The difference between the input data and its reconstructed output helps in analysing the underlying causes of the anomalies. Extensive experimental research on two public datasets demonstrates that the cSFCAD architecture outperforms existing anomaly detection algorithms.
About the journal:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.