Fu S., Kim H., Prior R.

2015 IEEE Global Communications Conference, GLOBECOM 2015


Many complex application services are deployed in virtualized Cloud environments. Cloud applications consist of multiple components, and the data flow among these components tends to be highly complex and unpredictable. This complexity and heterogeneity make anomaly detection challenging. We propose FlowBox, a distributed anomaly detection system for Cloud applications. FlowBox treats each server component as a black box and detects performance anomalies using flow analysis. The black box model addresses the challenge of accurately describing the complex system model. The flow analysis is based on a simple relationship that holds for the data flow in any given component of a Cloud application: between any two components, the number of requests should always equal the number of responses within a given time interval during normal operations. FlowBox monitors the traffic flow in each component and continually builds flow signatures that describe normal application behavior. Using these flow signatures, FlowBox detects performance anomalies in Cloud applications. We evaluate FlowBox with several different kinds of Cloud applications in our datacenter. Experimental results show that FlowBox achieves 96.02% detection precision, a 3.98% false positive rate, and a 3.5% false negative rate in detecting various kinds of anomalies.