{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T15:19:01Z","timestamp":1778167141501,"version":"3.51.4"},"reference-count":40,"publisher":"MDPI AG","issue":"8","license":[{"start":{"date-parts":[[2021,8,3]],"date-time":"2021-08-03T00:00:00Z","timestamp":1627948800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"<jats:p>Advances in technology and computing power have led to the emergence of complex and large-scale software architectures in recent years. However, they are prone to performance anomalies due to various reasons, including software bugs, hardware failures, and resource contentions. Performance metrics represent the average load on the system and do not help discover the cause of the problem if abnormal behavior occurs during software execution. Consequently, system experts have to examine a massive amount of low-level tracing data to determine the cause of a performance issue. In this work, we propose an anomaly detection framework that reduces troubleshooting time, besides guiding developers to discover performance problems by highlighting anomalous parts in trace data. Our framework works by collecting streams of system calls during the execution of a process using the Linux Trace Toolkit Next Generation (LTTng), sending them to a machine learning module that reveals anomalous subsequences of system calls based on their execution times and frequency. 
Extensive experiments on real datasets from two different applications (e.g., MySQL and Chrome), for varying scenarios in terms of available labeled data, demonstrate the effectiveness of our approach to distinguish normal sequences from abnormal ones.<\/jats:p>","DOI":"10.3390\/e23081011","type":"journal-article","created":{"date-parts":[[2021,8,4]],"date-time":"2021-08-04T02:16:07Z","timestamp":1628043367000},"page":"1011","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":15,"title":["A Framework for Detecting System Performance Anomalies Using Tracing Data Analysis"],"prefix":"10.3390","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7259-259X","authenticated-orcid":false,"given":"Iman","family":"Kohyarnejadfard","sequence":"first","affiliation":[{"name":"Department of Computer and Software Engineering, Polytechnique Montreal, Montreal, QC H3T 1J4, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Daniel","family":"Aloise","sequence":"additional","affiliation":[{"name":"Department of Computer and Software Engineering, Polytechnique Montreal, Montreal, QC H3T 1J4, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michel R.","family":"Dagenais","sequence":"additional","affiliation":[{"name":"Department of Computer and Software Engineering, Polytechnique Montreal, Montreal, QC H3T 1J4, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mahsa","family":"Shakeri","sequence":"additional","affiliation":[{"name":"Department of Computer and Software Engineering, Polytechnique Montreal, Montreal, QC H3T 1J4, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2021,8,3]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"375","DOI":"10.1145\/1218063.1217972","article-title":"Automated known problem diagnosis with event traces","volume":"Volume 
40","author":"Yuan","year":"2006","journal-title":"ACM SIGOPS Operating Systems Review"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Liu, D., Zhao, Y., Xu, H., Sun, Y., Pei, D., Luo, J., Jing, X., and Feng, M. (2015, January 28\u201330). Opprentice: Towards practical and automatic anomaly detection through machine learning. Proceedings of the 2015 Internet Measurement Conference, Tokyo, Japan.","DOI":"10.1145\/2815675.2815679"},{"key":"ref_3","unstructured":"Forrest, S., Hofmeyr, S.A., Somayaji, A., and Longstaff, T.A. (1996, January 6\u20138). A sense of self for unix processes. Proceedings of the 1996 IEEE Symposium on Security and Privacy, Oakland, CA, USA."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"14","DOI":"10.4304\/jsw.2.6.14-21","article-title":"Anomaly detection using system call sequence sets","volume":"2","author":"Varghese","year":"2007","journal-title":"J. Softw."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Suratkar, S., Kazi, F., Gaikwad, R., Shete, A., Kabra, R., and Khirsagar, S. (2019, January 26\u201328). Multi Hidden Markov Models for Improved Anomaly Detection Using System Call Analysis. Proceedings of the 2019 IEEE Bombay Section Signature Conference (IBSSC), Mumbai, India.","DOI":"10.1109\/IBSSC47189.2019.8973098"},{"key":"ref_6","unstructured":"Desnoyers, M., and Dagenais, M.R. (2021, May 03). The Lttng Tracer: A Low Impact Performance and Behavior Monitor for gnu\/linux. Available online: https:\/\/lttng.org\/files\/papers\/desnoyers-ols2006.pdf."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"3448","DOI":"10.1016\/j.comnet.2007.02.001","article-title":"An overview of anomaly detection techniques: Existing solutions and latest technological trends","volume":"51","author":"Patcha","year":"2007","journal-title":"Comput. Netw."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Wang, W., and Battiti, R. (2006, January 20\u201322). 
Identifying intrusions in computer networks with principal component analysis. Proceedings of the First International Conference on Availability, Reliability and Security (ARES\u201906), Vienna, Austria.","DOI":"10.1109\/ARES.2006.73"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/j.cose.2008.08.003","article-title":"Anomaly-based network intrusion detection: Techniques, systems and challenges","volume":"28","year":"2009","journal-title":"Comput. Secur."},{"key":"ref_10","unstructured":"Ye, N. (2000, January 29). Probabilistic networks with undirected links for anomaly detection. Proceedings of the IEEE SMC Information Assurance and Security Workshop, West Point, NY, USA."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"116","DOI":"10.1109\/TR.2004.823851","article-title":"Robustness of the Markov-chain model for cyber-attack detection","volume":"53","author":"Ye","year":"2004","journal-title":"IEEE Trans. Reliab."},{"key":"ref_12","unstructured":"MacDonald, I.L., and Zucchini, W. (1997). Hidden Markov and Other Models for Discrete-Valued Time Series, CRC Press."},{"key":"ref_13","first-page":"70","article-title":"Data mining approaches for network intrusion detection: From dimensionality reduction to misuse and anomaly detection","volume":"3","author":"Syarif","year":"2012","journal-title":"J. Inf. Technol. Rev."},{"key":"ref_14","first-page":"799","article-title":"Survey paper on data mining techniques of intrusion detection","volume":"2","author":"Kaur","year":"2013","journal-title":"Int. J. Sci. Eng. Technol. Res."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"708","DOI":"10.1016\/j.procs.2015.08.220","article-title":"Survey on anomaly detection using data mining techniques","volume":"60","author":"Agrawal","year":"2015","journal-title":"Procedia Comput. Sci."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Canzanese, R., Mancoridis, S., and Kam, M. (2015, January 3\u20135). 
System call-based detection of malicious processes. Proceedings of the 2015 IEEE International Conference on Software Quality, Reliability and Security, Washington, DC, USA.","DOI":"10.1109\/QRS.2015.26"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Kolosnjaji, B., Zarras, A., Webster, G., and Eckert, C. (2016, January 5\u20139). Deep learning for classification of malware system call sequences. Proceedings of the Australasian Joint Conference on Artificial Intelligence, Hobart, Australia.","DOI":"10.1007\/978-3-319-50127-7_11"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Hou, S., Saas, A., Chen, L., and Ye, Y. (2016, January 13\u201316). Deep4maldroid: A deep learning framework for android malware detection based on linux kernel system call graphs. Proceedings of the 2016 IEEE\/WIC\/ACM International Conference on Web Intelligence Workshops (WIW), Omaha, NE, USA.","DOI":"10.1109\/WIW.2016.040"},{"key":"ref_19","unstructured":"Huang, Y., Kintala, C., Kolettis, N., and Fulton, N.D. (1995, January 27\u201330). Software rejuvenation: Analysis, module and applications. Proceedings of the Twenty-Fifth International Symposium on Fault-Tolerant Computing, Digest of Papers, Pasadena, CA, USA."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"975","DOI":"10.1016\/j.future.2017.08.051","article-title":"Aging-related performance anomalies in the apache storm stream processing system","volume":"86","author":"Ficco","year":"2018","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1109\/2.76285","article-title":"Real-time systems performance in the presence of failures","volume":"24","author":"Muppala","year":"1991","journal-title":"Computer"},{"key":"ref_22","unstructured":"Gregg, B. (2013). 
Systems Performance: Enterprise and The Cloud, Pearson Education."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"6","DOI":"10.1145\/1629087.1629089","article-title":"Automated anomaly detection and performance modeling of enterprise applications","volume":"27","author":"Cherkasova","year":"2009","journal-title":"ACM Trans. Comput. Syst. (TOCS)"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2791120","article-title":"Performance anomaly detection and bottleneck identification","volume":"48","author":"Ibidunmoye","year":"2015","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_25","unstructured":"Compass, E.T. (2021, July 28). Trace Compass. Available online: https:\/\/www.eclipse.org\/tracecompass\/."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1016\/j.neucom.2017.11.077","article-title":"Feature selection in machine learning: A new perspective","volume":"300","author":"Cai","year":"2018","journal-title":"Neurocomputing"},{"key":"ref_27","unstructured":"Sayfullina, L. (2014). Reducing Sparsity in Sentiment Analysis Data Using Novel Dimensionality Reduction Approaches. [Ph.D. Thesis, Aalto University]."},{"key":"ref_28","unstructured":"Bishop, C.M. (2006). Pattern Recognition and Machine Learning, Springer Science + Business Media."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Kre\u00dfel, U.H.G. (1999). Advances in kernel methods, chapter Pairwise classification and support vector machines. Advances in Kernel Methods: Support Vector Learning, MIT Press.","DOI":"10.7551\/mitpress\/1130.003.0020"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"928","DOI":"10.1109\/TDSC.2018.2821693","article-title":"Adaptive Performance Anomaly Detection in Distributed Systems Using Online SVMs","volume":"17","author":"Szabo","year":"2020","journal-title":"IEEE Trans. Dependable Secur. 
Comput."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"129","DOI":"10.1109\/TIT.1982.1056489","article-title":"Least squares quantization in PCM","volume":"28","author":"Lloyd","year":"1982","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Aytekin, C., Ni, X., Cricri, F., and Aksu, E. (2018, January 8\u201313). Clustering and unsupervised anomaly detection with l 2 normalized deep auto-encoder representations. Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), Rio de Janeiro, Brazil.","DOI":"10.1109\/IJCNN.2018.8489068"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Campbell, A., Caudle, K., and Hoover, R.C. (2019, January 14\u201317). Examining Intermediate Data Reduction Algorithms for use with t-SNE. Proceedings of the 2019 3rd International Conference on Compute and Data Analysis, Kahului, HI, USA.","DOI":"10.1145\/3314545.3314549"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1016\/0169-7439(87)80084-9","article-title":"Principal component analysis","volume":"2","author":"Wold","year":"1987","journal-title":"Chemom. Intell. Lab. Syst."},{"key":"ref_35","first-page":"226","article-title":"A density-based algorithm for discovering clusters in large spatial databases with noise","volume":"96","author":"Ester","year":"1996","journal-title":"Kdd"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Aggarwal, C.C. (2015). Data Mining: The Textbook, Springer.","DOI":"10.1007\/978-3-319-14142-8"},{"key":"ref_37","unstructured":"King, C.I. (2018, March 28). Stress-ng. Available online: http:\/\/kernel.ubuntu.com\/git\/cking\/stressng.git\/."},{"key":"ref_38","unstructured":"Ledenev, A. (2020, August 23). Pumba-Chaos Testing and Network Emulation Tool for Docker. 
Available online: https:\/\/github.com\/alexei-led\/pumba."},{"key":"ref_39","first-page":"2825","article-title":"Scikit-learn: Machine Learning in Python","volume":"12","author":"Pedregosa","year":"2011","journal-title":"J. Mach. Learn. Res."},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"846","DOI":"10.1080\/01621459.1971.10482356","article-title":"Objective criteria for the evaluation of clustering methods","volume":"66","author":"Rand","year":"1971","journal-title":"J. Am. Stat. Assoc."}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/23\/8\/1011\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T06:39:57Z","timestamp":1760164797000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/23\/8\/1011"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,8,3]]},"references-count":40,"journal-issue":{"issue":"8","published-online":{"date-parts":[[2021,8]]}},"alternative-id":["e23081011"],"URL":"https:\/\/doi.org\/10.3390\/e23081011","relation":{},"ISSN":["1099-4300"],"issn-type":[{"value":"1099-4300","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,8,3]]}}}