Detecting anomalies in a distributed application
Abstract
Anomalies are detected in a distributed application that runs on a plurality of nodes to execute at least first and second workloads. The method of detecting anomalies includes collecting first network traffic data of the first workload and second network traffic data of the second workload during a first period of execution of the first and second workloads, collecting third network traffic data of the first workload and fourth network traffic data of the second workload during a second period of execution of the first and second workloads, and detecting an anomaly in the distributed application based on a comparison of the third network traffic data against the first network traffic data or a comparison of the fourth network traffic data against the second network traffic data. Anomalies may also be detected by comparing network traffic data of two groups of containers executing the same workload.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method of detecting anomalies in a distributed application that runs on a plurality of nodes that include a first node and a second node, to execute at least first and second workloads, comprising:
executing the first workload on the first node by a first group of containers of a first pod and on the second node by a second group of containers of a second pod that is a replica of the first pod; executing the second workload by at least third and fourth groups of containers; collecting first network traffic data of the first group of containers and second network traffic data of the second group of containers; and determining whether or not an anomaly is present in the distributed application based on at least a comparison of the collected first network traffic data and the collected second network traffic data, wherein the anomaly is determined to be present in the first pod if the collected first network traffic data and the collected second network traffic data indicate that: (a) there is egress traffic from the first pod that is directed to public IP addresses during a first anomaly detection period but there is no egress traffic from the second pod that is directed to public IP addresses during the first anomaly detection period; or (b) there is ingress traffic that is received by the first pod from public IP addresses during a second anomaly detection period but there is no ingress traffic that is received by the second pod from public IP addresses during the second anomaly detection period.
2 . The method of claim 1 , wherein the distributed application is deployed onto a Kubernetes platform and the first, second, third, and fourth groups of containers are respectively first, second, third, and fourth pods of the Kubernetes platform.
3 . The method of claim 2 , wherein the first and second pods belong to a first replica set and the third and fourth pods belong to a second replica set.
4 . The method of claim 1 , wherein the first workload executed by at least the first and second groups of containers and the second workload executed by at least the third and fourth groups of containers are the same workload.
5 . A non-transitory computer readable medium comprising instructions that are executable in one or more computing devices to cause the computing devices to carry out a method of detecting anomalies in a distributed application that runs on a plurality of nodes that include a first node and a second node, to execute at least first and second workloads, wherein the first workload is executed by at least first and second groups of containers and the second workload is executed by at least third and fourth groups of containers, said method comprising:
collecting first network traffic data of the first group of containers and second network traffic data of the second group of containers; and determining whether or not an anomaly is present in the distributed application based on at least a comparison of the collected first network traffic data and the collected second network traffic data, wherein the first workload is executed on the first node by the first group of containers of a first pod and on the second node by the second group of containers of a second pod that is a replica of the first pod, and wherein the anomaly is determined to be present in the first pod if the collected first network traffic data and the collected second network traffic data indicate that: (a) there is egress traffic from the first pod that is directed to private IP addresses during a third anomaly detection period but there is no egress traffic from the second pod that is directed to private IP addresses during the third anomaly detection period; or (b) there is ingress traffic that is received by the first pod from private IP addresses during a fourth anomaly detection period but there is no ingress traffic that is received by the second pod from private IP addresses during the fourth anomaly detection period.
6 . The non-transitory computer readable medium of claim 5 , wherein the distributed application is deployed onto a Kubernetes platform and the first, second, third, and fourth groups of containers are respectively first, second, third, and fourth pods of the Kubernetes platform.
7 . The non-transitory computer readable medium of claim 6 , wherein the first and second pods belong to a first replica set and the third and fourth pods belong to a second replica set.
8 . The non-transitory computer readable medium of claim 5 , wherein the first workload executed by at least the first and second groups of containers and the second workload executed by at least the third and fourth groups of containers are the same workload.
9 . A computing system for detecting anomalies in a distributed application that runs on a plurality of nodes that include a first node and a second node, to execute at least first and second workloads, wherein the first workload is executed by at least first and second groups of containers and the second workload is executed by at least third and fourth groups of containers, said computing system comprising:
a storage device in which first network traffic data of the first group of containers and second network traffic data of the second group of containers are stored; and an anomaly detection server configured to collect the first network traffic data of the first group of containers and the second network traffic data of the second group of containers, and determine whether or not an anomaly is present in the distributed application based on at least a comparison of the collected first network traffic data and the collected second network traffic data, wherein the first workload is executed on the first node by the first group of containers of a first pod and on the second node by the second group of containers of a second pod that is a replica of the first pod, and the anomaly is determined to be present in the first pod if the collected first network traffic data and the collected second network traffic data indicate that: (a) there is egress traffic from the first pod that is directed to public IP addresses during a first anomaly detection period but there is no egress traffic from the second pod that is directed to public IP addresses during the first anomaly detection period; or (b) there is ingress traffic that is received by the first pod from public IP addresses during a second anomaly detection period but there is no ingress traffic that is received by the second pod from public IP addresses during the second anomaly detection period; or (c) there is egress traffic from the first pod that is directed to private IP addresses during a third anomaly detection period but there is no egress traffic from the second pod that is directed to private IP addresses during the third anomaly detection period; or (d) there is ingress traffic that is received by the first pod from private IP addresses during a fourth anomaly detection period but there is no ingress traffic that is received by the second pod from private IP addresses during the fourth anomaly detection period.
10 . The computing system of claim 9 , wherein the distributed application is deployed onto a Kubernetes platform and the first, second, third, and fourth groups of containers are respectively first, second, third, and fourth pods of the Kubernetes platform.
11 . The computing system of claim 10 , wherein the first and second pods belong to a first replica set and the third and fourth pods belong to a second replica set.
12 . The computing system of claim 9 , wherein the first workload executed by at least the first and second groups of containers and the second workload executed by at least the third and fourth groups of containers are the same workload.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.