capturing, indexing, clustering, and retrieving system...
TRANSCRIPT
Capturing, Indexing, Clustering, and RetrievingSystem History
Ira Cohen1
[email protected] Zhang2
[email protected] Goldszmidt1
Julie Symons1
[email protected] Kelly1
[email protected] Fox2
1Hewlett-Packard Laboratories 2Computer Science Department1501 Page Mill Road Stanford University
Palo Alto, CA 94304 USA Palo Alto, CA 94305 USA
ABSTRACTWe present a method for automatically extracting from arunning system an indexable signature that distills the es-sential characteristic from a system state and that can besubjected to automated clustering and similarity-based re-trieval to identify when an observed system state is simi-lar to a previously-observed state. This allows operators toidentify and quantify the frequency of recurrent problems, toleverage previous diagnostic efforts, and to establish whetherproblems seen at different installations of the same site aresimilar or distinct. We show that the naive approach toconstructing these signatures based on simply recording theactual “raw” values of collected measurements is ineffective,leading us to a more sophisticated approach based on sta-tistical modeling and inference. Our method requires onlythat the system’s metric of merit (such as average trans-action response time) as well as a collection of lower-leveloperational metrics be collected, as is done by existing com-mercial monitoring tools. Even if the traces have no annota-tions of prior diagnoses of observed incidents (as is typical),our technique successfully clusters system states correspond-ing to similar problems, allowing diagnosticians to identifyrecurring problems and to characterize the “syndrome” of agroup of problems. We validate our approach on both syn-thetic traces and several weeks of production traces froma customer-facing geoplexed 24 × 7 system; in the lattercase, our approach identified a recurring problem that hadrequired extensive manual diagnosis, and also aided the op-erators in correcting a previous misdiagnosis of a differentproblem.
Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.SOSP’05, October 23–26, 2005, Brighton, United Kingdom.Copyright 2005 ACM 1-59593-079-5/05/0010 ...$5.00.
Categories and Subject DescriptorsC.4 [Performance of Systems]: Modeling Techniques
General TermsAlgorithms, Performance, Experimentation
KeywordsBayesian networks, clustering, information retrieval, perfor-mance objectives, signatures
“Those who cannot remember the past arecondemned to repeat it.” — George Santayana
1. INTRODUCTIONWhen complex software systems misbehave—whether they
suffer a partial failure, violate an established service-level ob-jective (SLO), or otherwise respond in an unexpected wayto workload—understanding the likely causes of the problemcan speed repair. While a variety of problems can be solvedby simple mechanisms such as rebooting [3], many cannot,including problems related to a misallocation or shortage ofresources that leads to a persistent performance problem orother anomaly that can be addressed only by a nontrivialconfiguration change. Understanding and documenting thelikely causes of such problems is difficult because they oftenemerge from the behavior of a collection of low-level metricssuch as CPU load, disk I/O rates, etc., and therefore sim-ple “rules of thumb” focusing on a single metric are usuallymisleading [5].
Furthermore, today there is no systematic way to leveragepast diagnostic efforts when a problem arises, even thoughsuch efforts may be expensive and are on the critical path ofcontinued system operation. To that end we would like tobe able to recognize and retrieve similar problem instancesfrom the past. If the problem was previously resolved, wecan try to justify the diagnosis and perhaps even apply therepair actions. Even if the problem remained unresolved,we could gather statistics regarding the frequency or evenperiodicity of the recurrence of that problem, accumulatingnecessary information for prioritizing or escalating diagnosis
and repair efforts. In order to do these things, we must beable to extract from the system an indexable description thatboth distills the essential system state associated with theproblem and that can be formally manipulated to facilitateautomated clustering and similarity based search. Meetingthese requirements would enable matching an observed be-havior against a database of previously observed ones bothfor retrieval and determining whether the problem is a re-current one.
Our contributions are as follows:
1. A formal representation or signature that captures theessential state of an enterprise system and is effec-tive for clustering and similarity based retrieval usingknown techniques from pattern recognition and infor-mation retrieval [6]. We show that the constructionof an effective signature is nontrivial—the naive ap-proach yields poor clustering and retrieval behaviors,but good results are obtained with an approach basedon our prior successful use of statistical methods tocapture relationships between low-level system metricsand high-level behaviors [22, 5].
2. The use of this representation to cluster and identifyperformance problems, and compute statistics aboutthe frequency of their occurrence. This in turn letsan operator distinguish a recurrent condition from atransient or first-time condition, and even annotate thecorresponding signature(s) with a repair procedure orother explanation for future reference when the sameproblem recurs.
3. A demonstration of how the representation and clus-tering can be used across different sites to aid diagno-sis.
Our experimental validation is conducted on a realistictestbed with injected performance faults, and on productiontraces from several weeks of operation of a real customer-facing Web application in our organization.
The rest of the paper is organized as follows. Section 2outlines our approach and methodology and provides somebackground on the statistical modeling technique used. Sec-tion 3 describes both our controlled testbed and the produc-tion traces used in our experiments. Section 4 presents ourresults. Specifically, Section 4.1 compares three methods ofsignature construction. Section 4.2 illustrates the use of ourmethod for identifying recurrent problems in a real produc-tion environment. Section 4.3 shows that signatures can beleveraged across sites. In Section 5 we review related work.We discuss some caveats and ramifications in Section 6 andoffer concluding remarks in Section 7.
2. PROBLEM STATEMENT, APPROACH,AND METHODOLOGY
We address three problems:
1. Signature construction: What representation shouldwe use to capture the essentials of the system stateand enable clustering (grouping) and retrieval?
2. Discovery and exploration: How do we facilitate theidentification of recurrent issues and the retrieval ofsimilar problems?
3. Evaluation methodology:
(a) How can we determine that our signatures are in-deed capturing the system state, that is, that theinformation contained in them effectively servesas a “fingerprint” of a high-level system conditionof interest such as a performance anomaly?
(b) How can we verify that clustering (based on thesesignatures) is meaningful, that is, that signaturesthat are similar according to some similarity met-ric are fingerprints of problems whose diagnosesare similar?
(c) How can we evaluate the quality of retrieval, thatis, how can we verify that a query to retrieve sim-ilar signatures is returning a high percentage ofactual matches with a low false positive rate?
The evaluation in particular has high practical importance:since our intent is to facilitate the exploration of the pasthistory of the system to identify recurrent problems andsimilar situations in different systems, the users of our tech-nology (system operators) must be confident that probleminstances reported as belonging to the same group or clusterare indeed related. This is why our evaluation criteria aredefined operationally, e.g., to say that clustering is “mean-ingful” is to say that similar signatures do indeed identifyproblems with similar root-cause diagnoses in practice.
Without loss of generality, when we refer to an “Internetservice” in the following discussion, we mean an external-request-driven, interactive application based on the stan-dard three-tier architecture [7] of a stateless Web server, atier containing application logic possibly running on top of amiddleware platform, and a persistence tier containing oneor more databases.
2.1 Sketch of the ApproachWe assume the system’s operational policy defines one
or more reference metrics (average response time, requestthroughput, etc.) and a threshold on each of these metrics(or a threshold over a collection of metrics). These referencemetrics and the thresholds define a service level objective
or SLO. We say the system is in violation of its SLO ifthe metric(s) exceed the policy threshold, and in compliance
with its SLO otherwise. The SLO may be defined as anaggregate, for example, “at least 60% of requests during a5-minute interval have a response time less than T”.1 Ourultimate objective is to understand the underlying causes ofhigh-level system behavior and how these causes manifestas SLO violation or compliance. We concentrate on thequestions stated above of identifying recurrent performanceissues, and the automatic retrieval of similar problems.
We begin by evaluating several candidates for represen-tations of the essentials of the system state, which we callsignatures. We then evaluate the use of automated clus-tering [6] for grouping SLO violations in terms of their sig-natures, identifying recurrent problems, and exposing col-lections of metrics that together can become a syndrome
of a performance problem. We then evaluate informationretrieval techniques for finding signatures based on simi-larity [20]. This ability will enable an operator to search
1Note that even SLOs expressed in terms of performance aredeeply connected to availability, because availability prob-lems often manifest early as performance problems and be-cause understanding how different parts of the system affectavailability is a similar problem to understanding how dif-ferent parts of the system affect high-level performance.
databases indexed with signatures and find past occurrencesof similar problems. This in turn will allow the operator toleverage past diagnoses and repair efforts.
In our evaluation we will use data from traces collectedfrom both a realistic testbed and workload, and from a pro-duction system that has suffered several SLO violations overa period of three months. In the case of the testbed we runthe system and periodically inject specific faults in order totrigger SLO violations. The testbed enables us to annotateeach SLO violation with its root cause, providing groundtruth for verifying the results of the automated clusteringand of similarity retrieval. For the real application, we haveannotations for only a subset of the instances of SLO viola-tions, and therefore it is only in these instances that we willverify the use of information retrieval techniques. We willdefine in Section 2.3 a notion called purity that will enableus to evaluate the use clustering even in cases with partialannotations.
Note that whether annotations are available or not, clus-tering enables us to group SLO violations in terms of similarsignatures, and discover different types of SLO violation in-stances, recurrent problems, etc. Similarly, retrieval enablesus to find and leverage past diagnoses and repairs. For ex-ample, as we report in Sections 4.2 and 4.3, we find that ifthe operators of the production system had had access to ourtechnology, a problem that was initially identified as uniquebut later found to be a recurrence of a prior problem couldhave been immediately identified as such. Also, one incidentthat was initially classified as a recurring problem exhibiteda very dissimilar signature (using our method) than the al-leged original problem; manual rediagnosis showed that ourmethod was correct, and indeed the second problem was nota repeated manifestation of the first problem.
2.2 Signatures: Capturing System StateThe first issue we address is that of a representation that
captures those aspects of system state that serve as a “fin-gerprint” of a particular system condition. Our goal is tocapture the essential system state that contributes to SLOviolation or compliance, and to do so using a representa-tion that provides information useful in the diagnosis ofthis state, in clustering (grouping) of this state with sim-ilar states, and in the retrieval process. We will call such arepresentation a signature of the system state. We make thefollowing assumptions:
1. We assume that we can continuously measure whetherthe system is in violation or compliance at any giventime with respect to the SLO. This can be done, forexample, by examining server logs containing timinginformation or by running probes.
2. We assume that we can continuously measure a col-lection of metrics that characterize the “low level” op-eration of the system, such as CPU utilization, queuelengths, I/O latencies, etc. This information can comefrom OS facilities, from commercial operations toolssuch as HP OpenView, from instrumented middleware(as was done in [4]), from server logs, etc.
Since we can by assumption collect low-level system met-rics, it would seem reasonable as a starting point to simplyuse these raw values as the signature. As will be seen inSection 4.1, our experiments allow us to conclude that sig-natures based on using raw values are not as effective as
an approach that builds on our prior work on metric attri-bution [22, 5]. In that work we automatically build modelsthat identify the set of low-level system and application met-rics that correlate with each particular instance of the SLOstate. We hypothesize that this attribution information isthe key to constructing signatures that correctly character-ize and distinguish different causes of SLO violations. Wetherefore spend the rest of this section reviewing the rele-vant aspects of that work and how it relates to signatureconstruction.
The metric attribution process goes as follows. The in-put is a data log containing vectors ~M of low-level systemand application metrics and the state Y (compliance or vi-olation) of the system. We divide time into regular epochs(e.g., five-minute intervals) and we have one such vector for
each epoch. Each element mi of the ~M for an epoch containsthe average value of the specific metric over the epoch, andY contains a discrete value depending on whether the SLOwas violated or not. Relying on pattern classification tech-niques and probabilistic modeling, the algorithms in [22, 5]yield as output an ensemble of probabilistic models charac-terizing the behavior of the metrics during intervals of bothcompliance and violation.
Each one of these models essentially represents the rela-tionship between the metrics and the SLO state as a jointprobability distribution. We use the Tree-Augmented NaiveBayes models (TAN) to represent the joint probability dis-tribution. Out of this distribution we can extract a char-acterization of each metric and its contribution to the SLOstate. Let the term P (mi|mpi
, s−) represent the resultingprobabilistic model for metric mi under violations (s−), andlet P (mi|mpi
, s+), represent a probabilistic model for thesame metric under an SLO state of compliance. The termmpi
represents a metric directly correlated with metric mi
in the Bayesian network representation; interested readersshould consult [5]. Using these models we can identify for a
given instance of ~M , which metrics (because of their values)are more likely to come from their characteristic distributionduring violation. This process is called metric attribution.Formally, for a given instance, a metric is flagged as “at-tributable” if:
P (mi|mpi, s−) > P (mi|mpi
, s+), (1)
that is, mi’s value is closer to its characteristic value for the“violation” distribution than to its characteristic value forthe “compliance” distribution. The interpretation is thatthe observed value of mi is more likely to come from thedistribution where the SLO state Y is that of violation. Inaddition, the methods in [5, 22] are able to identify metricsthat yield no information on the SLO state. We call suchmetrics irrelevant.
The process of constructing signatures is as follows. Givena system trace, we follow the procedure detailed in [22] tocontinuously learn an ensemble of models; for every epoch, asubset of models from the ensemble is selected by choosingmodels with a high accuracy score in estimating the SLOstate over a window in the past (the particular score weuse is called the Brier score, which is defined and explainedin [22]). From those models we extract a list of metricswhose values are “abnormal” (resp. “normal”), that is, thevalues are identified as being closer to their characteristic
values during periods of SLO violation (resp. compliance).2
We then extract the signatures, by yielding a transformeddata log containing a set of vectors ~S where:
• entry si = 1 if metric i is selected by the models andits value is deemed abnormal. We say the metric isattributed;
• entry si = −1 if the metric is selected by the subsetof models but is not found to be “abnormal”. We saythat the metric is not attributed;
• entry si = 0 if the metric is not selected by any of themodels at all—we say that the metric is irrelevant tothe SLO state.
Each vector ~S is then a signature for that epoch. Notethat we produce a signature for every epoch including thosein which the SLO was not violated. The intended semanticsof a signature are as follows. A metric receives a value of 1if its raw value is more likely to come from the distributionof values associated with SLO violation (i.e., Inequality 1is true). These semantics hold for both periods of violationand compliance. As will become apparent, these signaturesare useful both for characterization of the behavior of thesystem in compliance periods, and in violation periods.
Thus, given system traces collected on an Internet service,our approach generates a database consisting of the signa-tures describing the system state, coupled with the SLOstate.
2.3 Clustering SignaturesThe objective when applying clustering to a database of
signatures is to find the natural groupings or clusters of thesesignatures that characterize different performance problemsand normal operation regimes. The output of clustering is aset of clusters, plus a characterization of each cluster center.By inspecting the actual elements of the signature databasein each cluster we can identify different regions of normalityas well as recurrent problems. In addition, the centroid ofa cluster of problem behaviors can be used as a syndrome
for the problem, since it highlights the metrics that are ina sense characteristic of a set of manifestations of the sameproblem.
In order to render the description above operational, weneed to specify a distance metric and a clustering algo-rithm that minimizes the distortion (sum of distances ofeach signature to its nearest cluster center). In this paperwe explored both the L1 and L2 norms as distance met-rics (Lp = p
√∑
i|xi
1 − xi2|
p). As our basic clustering al-gorithm we will use the standard iterative algorithms [6]:k-medians for the L1 norm, and k-means for the L2 norm.These algorithms find k cluster centers (medians and meanrespectively) that minimize the distortion as defined above.We will report only on the results based on the L1 norm.Although the results for the L2 norm were quantitativelydifferent, they were qualitatively similar and offered no newinsight as far as making decisions about the signature rep-resentation. In addition the centers of the clusters in thek-medians case are represented by actual signatures thatare members of the cluster.3
2Mechanisms for fusing the information from different mod-els are described in detail in [22].3A complete analysis of these norms is well beyond the scopeof this paper and will be explored in future work.
Ideally, we would like each cluster to contain signaturesbelonging to a single class of performance problems (SLO vi-olations), or else signatures belonging only to periods of SLOcompliance. We introduce a score determining the purity ofa clustering to formalize this intuition. In the case where wehave no annotations, we distinguish signatures only in termsof their corresponding SLO state (compliance or violation).We count the number of signatures in each cluster that de-scribe epochs of compliance and the number that describeepochs of violations. These counts are then normalized bythe total number of signatures (the sum of the two), to pro-duce probability estimates pc and pv (pc + pv = 1). Theseare used in turn to score “purity” of each cluster. A clusteris pure if it contains signatures of only compliance or onlyviolation epochs, i.e., if either pc or pv are 1. With theseprobabilities, we compute the entropy of each cluster, givenas: H = −pclog2(pc) − pvlog2(pv). For a pure cluster, en-tropy is 0, which is the best result. The entropy is 1 whenthe cluster is evenly split between the two types of signatures(pc = pv = 0.5). It is straightforward to generalize the def-inition of purity score when there are labels distinguishingdifferent annotations corresponding to SLO violations.
We compute the overall average entropy of the all of theclusters weighted by the normalized cluster size to give us ameasure of purity of the clustering result. Average entropyclose to 0 is a strong indication that indeed the signaturescaptured meaningful characteristics of the periods of vio-lations in contrast to periods of non-violation. Indeed, wewill use the purity score to compare different proposals forgenerating signatures (see Figures 2, and 3).
In order to include the purity information in the cluster-ing process, we added an iterative loop using the standardk-medians (k-means) as a building block.4 In the first stepk-medians is applied to the whole database D of signatures,yielding k clusters as its output. The purity score is ap-plied to each one of these clusters. If the score is above aninput threshold tp, then the procedure stops. Otherwise,k-medians is applied once more to the signatures for thoseclusters that didn’t pass the test. There are two parametersused to control these process: a number k which is the max-imum of clusters expected in each application of k-medians,and the total ktot of clusters expected. The process stopswhen ktot is reached. There are a number of procedures fordetermining these parameters, including score metrics withregularization components and search procedures which in-crease their value gradually until no significant improvementin the clustering distortion is achieved [6]. In this paperwe explore the space of ktot and set k = 5. These valueswere appropriate for evaluating the power of the signatureextraction process and displaying its properties. We alsochecked the amount by which our algorithm will affect theminimization in distortion with regards to a straightforwardapplication of the k-medians algorithm and found it to benegligible.
When we compare different candidate methods of signa-ture construction in Section 4.1, we will use the purity of theclustering process as providing evidence of the informationcontained in each approach. Signatures that enable cluster-ings with a higher degree of purity (lower entropy) will befavored as they clearly contain enough information to enable
4In the rest of the description we will mention only k-medians with the understanding that when the L2 normis used the actual algorithm is k-means.
the automated grouping of the different SLO related states(see Section 4.1.1).
2.4 Retrieving SignaturesUsing information retrieval techniques we can retrieve from
a database all previous instances that are “similar” to a spe-cific signature S. This capability enables us to leverage pastdiagnoses and repairs and in general all information aboutprevious instances displaying similar characteristics (as cap-tured in the signature vector).
As in the case of clustering, similarity is formalized in thecontext of a distance metric, and as in that case, we exploredboth L1 and L2 norms, displaying only the results for theL1 norm.
Our evaluation will follow the standard measures from themachine learning and information retrieval community [20].The evaluation focuses on the quality of the retrieval withrespect to the similarity and the quality of the signatures.If a specific annotation A is associated with a (set of) signa-ture(s) S we expect that when similar signatures are used,the retrieval process yields signatures also associated withannotation A. Therefore, in evaluating our retrieval results,we consider only those signatures associated with annota-tions (see Sections 3.1 and 3.3).
Formally the process of retrieval proceeds as follows: givena signature, return the N closest signatures to it from theexisting signature database. Given known annotations bothto the query signature and the signatures in the database,we compute the two standard measures of retrieval quality:Precision and Recall.
For a given query, precision measures what fraction ofthe N returned items have the matching annotation (1.0 isperfect); recall measures the percentage of signatures in thedatabase with the same annotation as the query that areactually retrieved. Note that the maximal value of 1.0 isachieved only when N is at least equal to the number ofsignatures with the same annotation as the query signature.As N increases recall goes up but precision typically goesdown, as it becomes harder to retrieve only signatures thathave a matching annotation.
Following the common practice in the information retrievalcommunity, we increase N and measure the precision/recallpair, until we achieve a recall of 1.0. We then plot precisionas a function of recall, to produce the Precision-Recall curve(see Figure 4 for an example). A perfect precision/recallcurve has precision of 1.0 for all values of recall. As in thecase of clustering, we will use precision and recall to evaluatethe different proposals for a signature (see Section 4.1.2).
3. TRACE COLLECTION AND CHARAC-TERIZATION
Our empirical results are based on large and detailed tracescollected from two distributed applications, one serving syn-thetic workloads in a controlled laboratory environment andthe other serving real customers in a globally-distributedproduction environment. These two traces allow us to val-idate our methods in complementary ways. The testbedtrace is annotated with known root causes of performanceproblems. Annotated data allows us to evaluate our signature-based diagnostic methods in terms of simple information-retrieval performance measures (e.g., precision, recall). Theproduction trace is not annotated as well or as thoroughly
as the testbed trace. By treating it as an unlabeled dataset, we can use it to evaluate the effectiveness of the sig-nature clustering, which in turn provides identification ofthe “syndromes” describing performance problems. Sincewe do have annotations for some of the signatures in theproduction trace, we can further validate the accuracy ofour retrieval on real-world data.
Our traces record two kinds of data about each appli-cation: application-level performance data for our models’SLO indicator, and system-level resource utilization metrics(e.g., CPU utilization). Our tools measure the latter as av-erages in non-overlapping windows.
3.1 Testbed TracesOur controlled experiments use the popular PetStore e-
commerce sample application, which implements an elec-tronic storefront with browsing, shopping cart and checkout.Each tier (Web, J2EE, database) runs on a separate HPNetServer LPr server (500 MHz Pentium II, 512 MB RAM,9 GB disk, 100 Mbps network cards, Windows 2000 ServerSP4) connected by a switched 100 Mbps full-duplex network.Apache’s extended HTTPD log format provides us withper-transaction response times and we obtain system-levelmetrics from HP OpenView Operations Agent running oneach host. A detailed description of our testbed’s hardware,software, networking, and workload generation is availablein [22]. We collect 62 individual metrics at 15-second in-tervals and aggregate them into one-minute windows con-taining their means and variances. We pre-process our rawmeasurements from the Apache logs to average transactionresponse times over the same windows and then join all datafrom the same application into a single trace for subsequentanalysis.
We use the standard load generator httperf [11] to gen-erate workloads in which simulated clients enter the site,browse merchandise, add items to a shopping cart, and check-out, with tunable probabilities governing the transition from“browse item” to “add item to cart” (probability Pb) andfrom “add item to cart” to “checkout cart” (probability Pc).We measure the average response time of client requests ineach 1 minute window and require that the average responsetime stay below 100 msec to maintain SLO compliance. Wecreated three handcrafted fault loads designed to cause SLOviolations. In the first, we alternate one-hour periods ofPb = Pc = 0.7 with one-hour periods of Pb = Pc = 1.0 (a“BuySpree”). In the second, we execute a parasitic programon the database server machine that consumes about 30% ofthe available CPU during alternating one hour intervals, butno other major resources (“DBCPU contention”). The thirdfaultload does the same thing but on the application serverrather than the database server (“APPCPU contention”).
Note that these faultloads simulate both faults due to in-ternal problems (CPU contention) and faults resulting fromchanges in workload (extreme buying plateaus during Buy-Spree). In both cases, the injected faults correspond to an-
notations of known root causes of performance problems inthe final processed trace that we employ in our analyses andevaluations.
3.2 Production System TracesOur second trace is based on measurements collected at
several key points in a globally-distributed application thatwe call “FT” for confidentiality reasons. FT serves business-
client client client
WAN
App Srvr App Srvr
Loadbalancer
Primary DB Backup DB
client client client
WAN
App Srvr App Srvr
Loadbalancer
Primary DB Backup DB
client client client
WAN
App Srvr App Srvr
Loadbalancer
Primary DB Backup DB
(Singapore)ASIA/PACIFICEMEA
(Swinden)AMERICAS
(Atlanta)
failover if localDB unavailable
failover if localDB unavailable
WAN Auxilliary DBWAN
App
licat
ion
Serv
er P
rovi
der
Oracle DB replication
Figure 1: Architecture of the “FT” production system. FT is a globally-distributed multi-tiered applicationwith regional hubs in the Americas, Europe/Middle East/Africa, and Asia. Different organizations areresponsible for the FT application and the application server on which it runs; the latter is indicated bya shaded dashed rectangle in the figure. FT has a globally-distributed main database and an additionalauxiliary database, managed by a third organization, shown in the lower right.
# # # RAMRegion Role hosts CPUs disks (GB)
Amer App srvr 2 16 16 64Amer DB srvr 2 12 18 32
EMEA App srvr 3 16 10 32EMEA DB srvr 2 6 ? 16
Asia App srvr 2 12 63/22 20Asia DB srvr 2 6 8 16
Table 1: Key hardware and software components inFT. The two app server hosts in Asia have differentnumbers of disks. All app servers ran WebLogic andall DB servers ran Oracle 9i. Most of the DB servershad 550 MHz CPUs.
critical customers on six continents 24 hours per day, 365 daysper year. Its system architecture therefore incorporates re-dundancy and failover features both locally and globally, asshown in Figure 1. Table 1 summarizes key hardware andsoftware components in FT, and the transaction volumesrecorded by our traces (Table 2) demonstrate the non-trivialworkloads of the FT installations. All hosts at the applica-tion server and database server tiers are HP 9000/800 serversrunning the HP-UX B.11.11 operating system, except thatone database server in Asia is an HP rp7410 server.
HP OpenView Performance Agent (OVPA) provides sys-tem utilization metrics for application server and databasehosts. FT is instrumented at the application level withARM [18], providing transaction response times. OVPA and
transactions/min % SLOServer Dates mean 95 % max viol
AM1 12/14–1/14 208.6 456.4 1,387.2 23.6AM2 12/13–2/08 207.9 458.0 977.4 22.5
Asia1 12/17–1/05 39.9 118.2 458.4 26.2Asia2 12/17–1/30 52.1 172.8 775.0 13.1
Table 2: Summary of FT application traces. Thelast column is the percentage of transactions whichviolated their SLO in the data. Trace collection be-gan in late 2004 and ended in early 2005. “AM”and “Asia” servers were located in the Americasand Asia, respectively.
ARM data are aggregated into 5-minute windows in the pro-cessed traces we analyze. We have traces from the Americasand Asia/Pacific hubs but not from Europe. Table 2 sum-marizes our FT traces. Our criterion for SLO violation iswhether the average response time over all transactions in a5-minute period exceeded 4 seconds.
FT is well suited to our interests because its requirementsinclude high performance as well as high availability. Fur-thermore performance debugging in FT is particularly chal-lenging for two reasons. First, different organizations areresponsible for FT itself and for the application server in-frastructure in which crucial FT components run (the latteris delimited with a shaded dashed oval in Figure 1); opportu-nities for inter-organizational finger-pointing abound whenend-to-end performance is poor. Second, FT’s supporting
infrastructure is physically partitioned into three regionswith separate operational staffs. A performance problemthat occurs in the afternoon in each region, for example, willoccur three different times, will appear to be specific to a sin-gle region each time it occurs, and will demand the attentionof three separate teams of system operators. Cost-effectiveperformance debugging in FT requires that commonalitiesbe recognized across regions, across time, and across orga-nizational boundaries, and that different teams of humandiagnosticians leverage one another’s efforts.
Another attractive feature of our FT traces is that some ofour 5-minute samples are annotated, in the sense that theycorrespond to times when we know that a specific perfor-mance problem occurred whose root cause was subsequentlydiagnosed. In the next section we describe this problem,which illustrates both the challenges that we face and theopportunities that our approach attempts to exploit.
3.3 A Diagnosed Problem: Insufficient DatabaseConnections (IDC)
The FT production system experienced a recurrent per-formance problem mainly in the Americas domain duringDecember 2004 and January 2005. During episodes of thisproblem, business-critical customers experienced latenciesof several minutes on transactions that normally completewithin seconds. The operators who first detected the prob-lem described it as “stuck threads” in the application serverbecause WebLogic issued messages in a log file each timeit diagnosed a stuck thread. There can be many causes forthreads to become stuck, therefore it is necessary to look forother symptoms to diagnose the cause.
Due to the severity of the problem, a joint task forcecomprising both FT application developers and applicationserver administrators quickly formed to address it. Thisteam eventually diagnosed and repaired the root cause of theperformance problem, thus providing annotations for datapoints in our traces corresponding to episodes. Our accountof the problem is based on detailed bug-tracking databaseentries and e-mail correspondence among the troubleshoot-ers.
After several weeks of debugging, the problem was tracedto an overly-small pool of database connections. Underheavy load, application threads sometimes had to wait morethan 10 minutes to acquire a connection, and were thereforeflagged as “stuck threads” by WebLogic. The problem wassolved by increasing the connection pool size by 25%. Weuse the annotation IDC (Insufficient Database Connections)to refer to this problem.
4. RESULTSTo substantiate our claims, we analyze the data collected
from both the experimental testbed excited with syntheticworkloads and from the globally-distributed production en-vironment described in Section 3. We will use testbed toidentify traces in the first case and FT-trace for the sec-ond case. For the testbed experiments, we intentionallyinjected known faults into the system to cause performanceproblems. The testbed trace is therefore reliably annotated
with the appropriate fault per epoch. In the FT-trace
we have only partial annotations, related to one diagnosedproblem, as described in Section 3.3. These annotations aswell as the fact that we have an objective measure of per-formance as reflected by the SLO state of compliance and
Metric Raw Attr. Raw ValueName Value & Attr
transaction count 398.00 0 0gbl app cpu util 97.47 1 97.47gbl app alive proc 449 0 0gbl app active proc 357 0 0gbl app run queue 10.57 1 10.57gbl app net in packet rate 817 1 817gbl mem util 54.62 1 54.62gbl mem user util 26.32 1 26.32DB1 CPU util 25.96 -1 -25.96
Table 3: Examples of the different signature pro-posals, showing a subset of the metrics collected inthe production environment. The first column is ofraw values (not normalized to preserve the contextof these metrics), second is metric attribution (withpossible values in {+1, 0,−1}), and third is the prod-uct of raw values and metric attribution.
violation will provide ground truth against which we cancompare the results of the clustering and retrieval opera-tions.
4.1 Claim 1: Evaluating Proposalsfor Signatures
We evaluate and compare three possible approaches forcreating signatures. Let ~S denote the vector representingthe signature. In all cases the elements si in this vectorcorrespond to a specific system, application, or workloadmetric.
1. Raw values: in this case we represent a signature ~S
using the raw values of the metrics. In other words~S = ~M . Following common practice in data anal-ysis [6], we normalize these values to [0, 1], using therange of values ever seen, to prevent scaling issues frominfluencing similarity metrics and clustering.5 Thissignature is the most naive and requires no extra pro-cessing of the traces.
2. Metric attribution: If the attribution as described inSection 2.2 flags the metric mi to be attributable, thensi = 1, otherwise si = −1. If the metric mi is not evenconsidered by the models for the attribution process,then the metric is considered to be irrelevant to theSLO state, and si = 0. This requires significant com-putation [5], but we have shown that the computationscould be done on millisecond timescales, allowing thisapproach to be used in real time [22].
3. Metric attribution and raw values: This is similar tothe previous approach except that the raw value of themetric is multiplied by its entry si as explained in theprevious item.6
We evaluate signature-generation approaches based on thequality of clustering and retrieval operations. We demon-strate that signatures based on metric attribution are su-perior for our purposes. This strongly implies that metricattribution captures information about system state that
5The results with unnormalized values were much worse forthe signatures relying on the raw values.6The intuition is that the information contained in the valueof the metric is added to the information in the attributionprocess.
goes beyond the raw values of the collected metrics, furthervalidating the results in [22, 5].
We also remark that in our experiments we see that somemetrics are consistently deemed irrelevant for all time epochsin the traces (e.g., in the FT-trace data the root CPU,memory and disk utilization on the application server werenever found to be relevant by any model, getting a value of 0for all epochs). In some cases such an observation can leadto reducing the number of metrics being collected, althoughthat loss of information can be detrimental in cases wherea dropped metric becomes relevant in future performanceproblems. In addition, because our modeling process rapidlynarrows down to a small number of metrics that are highlycorrelated with the SLO state, unless the expense of datacollection is significant, we discourage removing any metricsfrom the measurement apparatus.
4.1.1 Signatures and ClusteringWe cluster signatures as described in Section 2.3. To eval-
uate the quality of the clusters, we rely on the notion of pu-rity also described in the same section. Entropy is used as ameasure of purity with low entropy implying that the clus-ters contain only one type of annotated value (and hence areof a better quality). In the case of the testbed we have fourannotations: one refers to periods of SLO compliance andthe other three are given by the injected root-cause problem.For the FT-trace, we use SLO compliance and violation tocheck purity. In both cases we vary the number of clustersand check the variation in the weighted average entropy overthe clusters. Stable entropy across different cluster numbersis an indication of the robustness of the clustering output.Figures 2 and 3 show the resultant entropy for each signa-ture generation method and number of clusters. Note thatin both cases, testbed and FT-trace, the clustering usingattribution information clearly yields purer clusters than theclustering using only the raw value of the metrics.
Table 4 provides the counts of each annotation with 9clusters using signatures based on metric attribution on oneof the Americas production systems. Presenting the rawcounts in a cluster provides the application administratora sense of the intensity of the pure clusters, giving her thecapability to focus attention on the more prominent clus-ters of performance problem instances. It is worth notingthat one of the clusters (cluster 3) contained most of theinstances of the IDC problem (75%), which is significantsince the clustering algorithm did not have knowledge ofthe IDC annotation of these instances, but only knew thatthese were violation instances. Clusters 9 and 10 indicatethat for about 10% of the data the signatures were not ableto separate between periods of violation and compliance.
4.1.2 Signatures and RetrievalFigure 4 shows precision/recall curves of retrieval exer-
cises performed on the testbed traces using the three ap-proaches described above for the signatures (see Section 2.4for the definition of these curves). Precision/recall perfor-mance is better in direct proportion to the area under itscurve. Clearly the use of attribution provides an informa-tional advantage, as the curves using attribution are far su-perior.
Our real-world traces were collected during a period whena misconfiguration was causing a performance problem (the“IDC” problem discussed in Section 3). Overall, 269 epochs
Cluster # # vio # compl Entropy1 552 27 0.272 225 0 0.003 265 2 0.064 0 1304 0.005 1 1557 0.006 0 1555 0.007 0 1302 0.008 216 274 0.999 100 128 0.99
Table 4: Example of a clustering instance using sig-natures based on metric attribution. The first col-umn is a count of number of violation instances, thesecond shows the number of compliance instances,and the third shows the cluster entropy based onthe purity of the cluster. Cluster 3 contains almostall the instances corresponding to the IDC problem;201 instances of the 265 violation instances in cluster3 are annotated as the IDC problem, the remainder68 IDC annotated instances are distributed betweencluster 1 and 2.
were annotated with this problem. Figure 5 shows the lo-cation of these epochs over the month long trace, overlaidon the value of the reference metric (transactions averageresponse time). It can be seen that the issue occurred inter-mittently over that period.
Figure 6 shows the precision-recall graphs for retrievingsignatures of the IDC problem. The graph shows that highprecision is achieved for a relatively large range of the recallvalue. For example, of the top 100 signatures retrieved, 92are correctly retrieved, leading to a precision of 92% (andrecall of 34.2%). Such a precision would be more than suffi-cient for an operator to safely infer that the label attachedto the majority of signatures being retrieved matches theproblem described by the query signature. As in the caseof clustering, these results confirm that the use of attribu-tion in the generation of signatures provides the requiredinformation.
4.2 Claim 2: Identifying Recurrent ProblemsWe show that the clustering is meaningful: each cluster
groups signatures that would have the same annotations ifthey were provided, and the centroids can be used as the syn-drome that characterizes that group of signatures. There-fore clustering can be used to identify recurrent issues and togather statistics regarding their frequency and periodicity.
First, based on the results of the Subsection 4.1 we canassert that the clustering as applied to the data in the FT-
trace is robust. As Figure 3 indicates, the entropy ofthe clusters does not change significantly as we increase thenumber of clusters, implying that the existing clusters arebeing subdivided rather than completely new ones created.Recall that the entropy is an indication of the “purity” ofthe cluster, namely of the elements in the cluster what per-centage belong to the same annotation.
Second, we demonstrate that the clustering is meaningfulfor the case of nine clusters. Table 4 shows the number ofelements belonging to each annotation (compliance or vio-lation) in each cluster. Note that for most of the clusters,comprising of 90% of the 5 minute epochs in a trace collected
5 6 7 8 9 100
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8Raw valuesRaw values metric attributionMetric attribution
Figure 2: Clustering on the annotated data fromtestbed. The signature method relying on attribu-tion performs best and is more stable across differ-ent number of clusters. X axis denotes the numberof clusters.
over a month, the vast majority of elements in each clustercorrespond to one annotation. In addition these clusters aredifferent from one another. Table 5 depicts the cluster cen-troids (with a subset of the metrics) for four of the clustersfrom Table 4: clusters 4 and 7, which contained only com-pliance signatures, and clusters 1 and 3, which containedmostly violation signatures. Note that the compliance cen-troids deem most metrics as not attributed with a violationstate (values -1 for metrics), while the violation centroidsdeemed some of the metrics as attributed with a violationstate (value 1), and others as either irrelevant (value 0) ornon-attributed. We also see the difference between the cen-troids of the “violation” clusters (1 and 3) with respect tothe metrics that are deemed attributed. Cluster 1 deemedthe Database tier CPU utilization (DB1 cpubusy) as at-tributed but assigned a -1 value for the application serverCPU utilization (gbl cpu total util). In contrast, the cen-troid of cluster 3 deemed the application server CPU as at-tributed, together with the number of alive processes andactive processes on the application server. As discussed ear-lier, most members of cluster 3 were labeled as the IDCproblem, which had the symptom of high application serverCPU utilization and high number of alive and active pro-cesses. These differences point out to the symptoms of themembers in each cluster and define the syndrome of a groupof signatures.
Given this clustering, recurrent problems can be identi-fied by looking at the time of occurrence of the signaturesin each cluster. Figure 7 depicts the instances of cluster 1, 2and 3 overlaid in time on the performance indicator graph.Cluster 3 is recurrent, and as mentioned earlier, we verifiedwith the IT operators that the periods defined by “Clus-ter 3” coincided with the manifestation of the IDC problemaccording to their records. Thus, had they had this tool,they could have easily identified the problem as a recurringone since its symptoms matched those of the signatures. Inaddition, the clustering discovered another undiagnosed re-curring problem (Cluster 1), with the symptom of higher
8 10 12 14 16 18 200
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
# of clusters
Ave
rage
ent
ropy
of c
lust
ers
Raw ValuesRaw values metric attributionMetric attribution
8 10 12 14 16 18 200
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
# of clusters
Ave
rage
ent
ropy
of c
lust
ers
Raw ValuesRaw values metric attributionMetric attribution
Figure 3: Clustering of the data from FT-trace.Each graph corresponds to a different server. Thesignatures relying on information from metric attri-bution outperform those using only raw values.
Database CPU utilization (average of approximately 60%compared to approximately 20% in most other times), whileat the same time all application server utilization metricswere not attributed, and were in fact normal. This problemremains undiagnosed to this date, and did not appear againin the following months, however, if it appears again, thesepast instances would be retrieved and perhaps help prioritizefinding a solution or the root cause of the problem.
4.3 Claim 3: Leveraging Signatures AcrossSites
In this section we provide evidence that the signaturescollected at various sites and systems can be leveraged dur-ing the diagnosis of performance problems. In particular, weshow that diagnosis of a performance problem can be aidedby querying for similar (or dissimilar) signatures collectedat different sites or machines.
In the process of diagnosing the IDC problem, which wasobserved on the Americas site, the debugging team investi-gated whether the same problem occurred in the Asia-Pacificregion as well. In particular, they hypothesized that it didoccur during a failover period on December 18, 2004, in
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
Recall
Pre
cisi
on
Raw valuesRaw values attributed metricsMetric attribution
Figure 4: Using data from testbed we see that pre-cision/recall behavior is closest to ideal when metricattribution is used. A method’s performance is di-rectly proportional to the area under the curve.
Clust Clust Clust ClustMetric 1 3 4 7
gbl app cpu total util -1 1 -1 -1gbl app disk phys io 0 0 1 1gbl app alive proc 0 1 0 -1gbl app active proc 0 1 1 -1gbl app run queue -1 0 -1 -1gbl app net in packet rate 0 0 -1 1gbl app net out packet rate 1 1 -1 -1gbl app mem util 0 0 -1 -1gbl app mem sys util 0 0 -1 -1DB1 cpu util 1 1 -1 -1
Table 5: Comparison of the centroid values for fourclusters (clusters 1, 3, 4 and 7 from Table 4), twocontaining mostly compliance signatures (clusters 4and 7) and two containing mostly violation signa-tures (clusters 1 and 3). Cluster 3 contained mostlysignatures of the IDC problem. Note the differencebetween cluster 1 and cluster 3 in terms of metricsthat are attributed and those not attributed.
which the transactions from the Americas cluster were beingsent to the Asia systems hosting the FT application. A highpercentage of the transactions were violating their SLOs onone of the Asia cluster machines during the first 100 min-utes of the failover period. The debugging team suspectedthat the cause was the same IDC problem, and annotatedit as such. Our signature database included signatures ontraces collected on that day. We then performed the follow-ing query: are the signatures annotated as the IDC problemon the Americas site similar to the signatures collected dur-ing the failover period at the Asia site?
As Figure 8 shows, the result of the query was that thesignatures of the Asia failover period are very different fromthe signatures of the IDC problem. Key metrics that werehighly attributed in one were not attributed in the other. Ofthe metrics that were attributed in both, only transactionvolume (tt count) was similar in its attribution signal forthe signatures from the two sites.
12/19/04 12/25/04 12/31/04 01/06/05 01/12/05
100
101
102
103
Time
Ave
rage
Res
pose
Tim
e (s
ec)
Avg Response TimePerformance threshIDC instances
Figure 5: Temporal location of the instances of theIDC problem on one of the Americas machines, over-laid on the reference metric.
Upon close inspection of the attributed metrics from oneof the Asia machines and the transaction mix on that ma-chine, we quickly arrived at a different diagnostic conclusionfor the Asia problem. Due to the failover from the Americassystem, Asia1 was experiencing higher transaction volumes,and during the initial phase of the failover, it was experi-encing higher response times (see Figure 9). During thisinitial phase, Asia1 was seeing a high transaction volume ofone type of transaction (call it the XYZ transaction) thatit normally does not see (see Figure 10). The SQL state-ments associated with this unusual transaction type werenot prepared or cached on the Asia machines, leading tomore database overhead, as can be seen in Figure 11, lead-ing to higher response times, and ultimately SLO violation.This diagnosis was accepted by the diagnostics team; the re-pair consists of priming the database and middleware cachesfor the new transaction type before a planned failover. Asa result of this experience, we were able to replace the falseannotation originally provided for that trace data with anew and correct annotation explaining the problem and de-scribing the required repair.
5. RELATED WORKThe use of search and retrieval to find similar instances
and experiences of faults and performance problems is notnew. It is common practice for system operators to use Websearch engines to search for the text of error messages orconsole messages as part of their debugging, but such meth-ods are ad-hoc and imprecise. Redstone et al. advocate amachine-readable compact representation of system state inan attempt, among other things, to formalize the recordingof instances and that search [15]. Yet to the best of ourknowledge our work is the first to propose a concrete tech-nique for constructing the appropriate representation andevaluating its efficacy.
While others have attempted to use low-level metrics tocharacterize high-level system behavior, we believe that weare the first to propose an automatic method for generatinga compact, indexable representation of system state that
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
Recall
Pre
cisi
on
Raw Values Raw Values ANDMetric AttributionMetric Attribution
Figure 6: Precision-recall graph for retrieval of thesignatures of the IDC issue in the web-service pro-duction environment. Methods based on metric at-tribution outperform the one relying on raw valuessignificantly.
facilitates syndrome identification and incident clustering.This section surveys recent research on related computerperformance diagnosis problems and reviews applications ofsignatures to diagnostic problems in other domains.
Aguilera et al. describe two algorithms for isolating perfor-mance bottlenecks in distributed systems of opaque softwarecomponents [1]. Their “convolution” algorithm employs sta-tistical signal-processing techniques to infer causal messagepaths that transactions follow among components, whichare not assumed to communicate via RPC-like request/replypairs. At the opposite extreme of this knowledge-lean ap-proach, Magpie characterizes transaction resource footprintsin fine detail but requires that application logic be meticu-lously encoded in “event schema” [2]. Cohen et al. employstatistical pattern classification techniques to identify sys-tem utilization metrics that correlate with performance [5].
Our research differs from these projects in that it is aimedat aiding root cause diagnosis by finding similar problems,rather than bottleneck detection or workload modeling. Whileour approach does not determine the root cause, findinga previously solved (annotated) problem may provide rootcause (or repair action) when the retrieval is accurate. LikeAguilera et al. and unlike Magpie, we assume little knowl-edge of application structure or logic and we rely heavily onstatistical methods. Like Cohen et al. we find that pattern-classification techniques are useful for identifying a smallsubset of system measurements that are relevant to perfor-mance. To us, however, this subset is useful not for its ownsake but rather for constructing signatures. For brevity, inthis section we do not discuss prior work already summa-rized in the above papers’ excellent literature reviews.Faults in distributed systems, as opposed to performance
problems, are the subject of a large literature. For com-munications networks, whose components have highly con-strained and well specified behavior, a wide range of faultlocalization techniques have been explored [16]. Yemini et al.describe an event correlation (root cause determination) pro-cedure that relies on an extensive library describing each
12/19/04 12/25/04 12/31/04 01/06/05 01/12/05
100
101
102
103
Time
Ave
rage
Res
pose
Tim
e (s
ec)
Avg Response TimePerformance threshCluster 1Cluster 2Cluster 3
recurring problem(mostly IDC)
Figure 7: Instances of the three “pure” abnormalclusters (clusters 1, 2 and 3 from Table 4), over-laid on the reference metric . Cluster 3 comprisesmostly of the instances annotated as the IDC prob-lem. Cluster 1 is another recurrent problem withthe symptom of high Database CPU load and lowApplication server utilization, while Cluster 2 hasmemory and disk utilization metrics on the Applica-tion server as attributed metrics to the performanceproblem.
tt_co
unt
gbl_c
pu_to
tal_u
til
gbl_a
live_p
roc
gbl_a
ctive_
proc
gbl_r
un_q
ueue
gbl_n
et_ou
t_pac
ket_r
ate
DB1__c
pubu
sy
DB1__c
purun
q
DB1__p
agere
q
DB1__d
iskuti
l
DB1__p
acke
ts
other_
user_
root__
app_
disk_
phys_
io
other_
_app
_cpu
_total
_time
other_
_app
_alive
_proc
other_
_app
_activ
e_pro
c
other_
_app
_cpu
_total
_util
AP1 FailoverIDC
-1
-0.8
-0.6
-0.4
-0.2
0
0.2
0.4
0.6
0.8
1
Met
ric A
ttrib
utio
n
Metrics
AP1 FailoverIDC
Figure 8: Comparing the signatures from the Asiafailover period and the IDC problem in the Ameri-cas. The bars for each metric show the mean attri-bution value for the signatures in each period. Formetrics where there are fewer than two bars shown,a missing bar means that the metric was not selectedby any model that predicted the violation for thisperiod. Metrics whose name does not begin with“DB1” are from the application server.
system component’s possible faults and the consequences ofeach fault [21]. These detailed component descriptions arecompiled into a codebook that reduces root cause analysisto a simple and efficient task of decoding observed symp-
12/18/04,08:53 12/19/04,01:33 12/19/04,18:13 12/20/04,10:53
10−1
100
101
Time
Ave
rage
Res
pons
e Ti
me SLO Threshold
Figure 9: Average response time during the Asia1failover period.
12/18/04,08:53 12/19/04,01:33 12/19/04,18:13 12/20/04,10:530
50
100
150
200
250
300
Time
XY
Z Tr
ansa
ctio
n co
unt
Figure 10: Throughput for the XYZ Transactionduring the Asia1 failover period. XYZ transactionsare usually never seen in Asia.
12/18/04,08:53 12/19/04,01:33 12/19/04,18:13 12/20/04,10:53
10
20
30
40
50
60
70
80
90
100
Time
DB
CP
U %
Figure 11: CPU utilization on the DB server wasunusually high at the beginning of the failover pe-riod. Once the caches are warmed, CPU utilizationreturns to 20% or lower.
toms into the faults that caused them. This approach hasbeen commercialized for communications systems [17] butis inappropriate for arbitrary distributed software becauseit is infeasible to enumerate the faults and symptoms of ar-bitrary computer programs. In addition, this approach hasno learning or adaptation aspects, which our probabilisticmodels provide.
The Pinpoint system of Chen et al. analyzes run-time ex-ecution paths of complex distributed applications to auto-matically detect failures by identifying statistically abnor-mal paths; faulty paths can then aid a human analyst in di-agnosing the underlying cause [4]. Kiciman & Fox describein greater detail the use of probabilistic context-free gram-mars to detect anomalous paths in Pinpoint [10]. Our ap-proach shares with Pinpoint the use of statistical techniques,but the instrumentation we require is more readily availableand we seek to diagnose performance problems rather thanfaults.
Jain describes a traditional performance debugging tech-nique that generates visual signatures of performance prob-lems [8]. Popular in the 1970s, “Kiviat graphs” display ahandful of utilization metrics in such a way that resourcebottlenecks and imbalances assume a distinctive appear-ance. Like our signatures, Kiviat graphs of different systems(or of different conditions on a single system) invite compar-ison and facilitate similarity matching. However our signa-tures differ in several ways from this classic technique: sig-natures are intended for automated indexing, retrieval, andsimilarity measurement; they do not rely on human visualinspection; they scale to dozens or hundreds of metrics; andthey incorporate application-level performance measures inaddition to utilization metrics.
Signatures have been used extensively in virus scanningand intrusion detection [12]. Statistical techniques are of-ten employed to flag anomalous activity automatically, butsignatures of malicious behavior are almost always definedmanually. Kephart et al. describe a statistical method forautomatically extracting virus signatures for a commercialdetection product [9].
Redstone et al. advocate automating the diagnosis of user-visible bugs by leveraging the efforts of troubleshooters world-wide [15]. These authors note that such problems have oftenalready been diagnosed and documented, e.g., in newsgroupsand vendor bug databases. The real problem is finding theright diagnosis by indexing into a vast disorganized knowl-edge base. Signatures can help us to realize the vision thatRedstone et al. sketch.
Modern systems software, middleware, and styles of ap-plication architecture bring obvious benefits but entail sub-stantial costs. Ours is one of several research attempts topreserve the benefits of modern architectural styles whilemitigating their problems. We briefly survey three suchproblems and corresponding research toward solutions.
Layers of modular re-usable components interacting throughnarrow interfaces allow us to divide and conquer increas-ingly complex problems at low cost. However they also con-ceal performance-critical information about each componentfrom its neighbors. For example, conventional operating sys-tems offer strong inter-process fault isolation but suffer sideeffects including redundant data buffering and copying. TheIO-Lite buffering/caching subsystem retains fault isolationwhile eliminating redundancy [13].
Resource virtualization permits application developers toignore congestion and scarcity, which they often do to thedetriment of performance. The SEDA framework encour-ages application designers to explicitly address overload andresource scarcity while retaining many of the benefits of vir-tualization [19].
Finally, decentralized management and geographic distri-bution allow different organizations to cooperatively servea global user base, but these trends also diffuse the knowl-edge required for performance debugging. Aguilera et al.
and Cohen et al. confront the opacity of complex modernapplications by illuminating performance bottlenecks andcorrelates of performance in unmodified distributed appli-cations [1, 5]. Our signature-based syndrome identificationmethods reduce redundant diagnostic effort across time, ge-ography, and organizational boundaries.
6. DISCUSSION
6.1 On Root Cause Analysis and DiagnosisThe statistical and pattern recognition techniques under-
lying the automated extraction of signatures capture corre-lation, not necessarily causation. Indeed, as is well knownin the statistics and other communities, the ability to infercausation from pure observation is limited and in most casesimpossible [14]. By pure observation we mean lack of directintervention into the system or additional information, com-ing from human experts regarding the causal relations andpaths in the system. In some instances, time informationand information about the sequence of events can be usedas heuristics to find causal connections. This has been at-tempted in many domains including this one, most notablyin [1]. We leave as future work the inclusion of this kindof information into our approach and the exploration of itsutility, although we remark that there is nothing in principlethat prevents us from considering “sequences” of signaturesor adding time information (including precedence informa-tion) into the creation of the signatures and the subsequentanalysis.
It follows from this discussion that we cannot claim (norhave we ever) that the approach advocated in this paperyields a root cause of the problem. Indeed, even with hu-man expert knowledge, root cause analysis is far from easy(recall the example of Section 3.3). Nevertheless, we pos-tulate that offering the capabilities of systematic similaritysearch and clustering of correlated metrics helps in narrow-ing down the possible causes and is therefore useful in thediagnosis process. In addition, it may not be necessary toreach a root cause to produce a repair. As difficult as rootcause analysis has proven to be over the years, perhaps amore pragmatic approach would be to automatically mapthe evidence for the faults and metric state to a finite set ofpossible repair actions.
6.2 On Annotations, the Real World, andClustering
It is a fact of life in the IT trenches that annotations arecurrently scarce and also imperfect. Part of the reason forimperfect annotations on real data results from the realitythat the administration of different subsystems or tiers ofan application may be delegated to different individuals dis-tributed across the organization, as we experienced wheninvestigating the problem and resolution described in Sub-
section 4.3. Our experience with other companies runningmulti-tier applications confirms that there is often no singleadministrator responsible for understanding the end-to-endpaths through the application. One result of this is a fre-quent lack of clear agreement on what the true cause of aproblem is or was: forensic data may be discarded beforeit’s needed, and each operator is typically focused on eitherdebugging or exonerating her/his piece of the system.
Our acceptance of good clustering, given by low entropy/high purity, the difference in the centroids, and the use ofthe centroids as a “proxy” for annotated data, provides apragmatic approach when un-annotated data is all that wehave at our disposal. Note that we can still use the clusteringto identify recurring problems as this reduces to checkingwhether two data points belong to the same cluster, andthe size of a particular cluster reflects how many violationscan be attributed to the “syndrome” that cluster represents.Retrieval is still valuable in gathering all similar instancesthat are stored in the database, as can be seen from ourresults: clustering was able to recognize 75% of the IDCcases belonging to the same cluster, and we get excellentprecision-recall behavior when we do have annotations.
We hope that the availability of a systematic way to ex-ploit annotations, as proposed in this paper, will encourage achange in best practices that makes annotations more preva-lent. As a human operator investigates further, character-izes and names a syndrome that results from a clustering,the final diagnosis and repair procedures can be stored inthe database for future reliable retrieval.
6.3 Performance Impact of Our ApproachThere are five points where our approach adds computa-
tion cost or other overhead that may impact performanceconsiderations: overhead of collecting data, construction ofTAN models for metric attribution [5], signature computa-tion, clustering, and retrieval. Our system data is collectedby a commercial tool that is widely deployed in industry;the tool is designed to minimize performance impact on theobserved system, and at any rate the widespread use of suchtools represents a sunk cost. Updated system data is coa-lesced and reported periodically, generally in 1 or 5 minuteepochs. Building and maintaining an ensemble of TAN mod-els takes 5–10 seconds with our code, so it is practical to ap-ply the ensemble algorithm to system data in real time. Inour prototype implementation in Matlab, given an ensem-ble with approximately 41–67 models (generated using onemonth of system data), it takes about 200ms to computea signature for one epoch. Using the k-medians algorithm(with k=10) to cluster 7507 signatures (about one monthwhen using 5-minute epochs) takes less than 10 seconds.Finally, retrieving the top 100 matching signatures from adatabase of 7700 signatures takes less than one second. Weconclude that signature generation can proceed in real time,and analysis with clustering or retrieval is fast enough to bedone at will.
7. CONCLUSIONSA result in this paper with deep implications is that simply
recording the values of raw system metrics does not providean effective way to index and retrieve syndrome data: a moresophisticated way of generating “signatures” is required. Wefurther showed that it is sufficient to include informationregarding attribution and relevance of these metrics rela-
tive to performance objectives. We further demonstratedhow automated (but well known) techniques for clusteringand retrieval enable diagnosticians to leverage the results ofpast work and identify similar or recurring problems, evenwhen no problem annotations or application-specific knowl-edge are available. Our application of these techniques washelpful in correcting a misdiagnosis as well as correctly clas-sifying a recurrent problem in a real world geographicallydistributed system. The initial classification of this problemrequired the exchange of 80 pages of notes among adminis-trators over a period of a month.
This work opens several avenues of research in choices andproperties of different methods for signature construction,clustering, similarity metrics, etc. In addition, we wouldlike to extend this work to signatures that include tempo-ral sequences, and to further explore how to transfer thesignatures, syndromes, and annotations from one system toanother. Further research is also required to incorporatethe information inherent in partial and even in imperfectannotations in the clustering and retrieval techniques.
Our results suggest that systems can and should derivesignatures for observed undesirable behaviors and then in-dex those signatures for later retrieval during troubleshoot-ing. We believe that further research in this area will lead toimprovements in system scale and availability. These tech-niques and their further development will enable a system-atic way of capturing knowledge and expertise from opera-tors (through annotations of diagnoses and repair actions)that can be leveraged by other operators across geographyand across time.
8. ACKNOWLEDGMENTSWe would like to thank Vijay Machiraju and Richard
Stormo for pointing us toward the data set that made ourempirical work possible. We furthermore thank the FT ap-plication developers and support group for access to theirdata, expertise, and time. We would also like to thank ouranonymous reviewers and our shepherd, Mike Burrows, forhelping us to significantly improve this paper. Finally, wethank Rob Powers and Jeff Mogul for helpful comments.
9. REFERENCES[1] M. K. Aguilera, J. C. Mogul, J. L. Wiener,
P. Reynolds, and A. Muthitacharoen. Performancedebugging for distributed systems of black boxes. InProc. 19th ACM SOSP, 2003.
[2] P. Barham, A. Donnelly, R. Isaacs, and R. Mortier.Using Magpie for request extraction and workloadmodelling. In Proc. 6th USENIX OSDI, Dec. 2004.
[3] G. Candea, S. Kawamoto, Y. Fujiki, G. Friedman, andA. Fox. A microrebootable system – design,implementation, and evaluation. In Proc. 6th USENIX
OSDI, San Francisco, Dec. 2004.
[4] M. Chen, E. Kıcıman, E. Fratkin, E. Brewer, andA. Fox. Pinpoint: Problem determination in large,dynamic, Internet services. In Proc. International
Conference on Dependable Systems and Networks,pages 595–604, Washington, DC, June 2002.
[5] I. Cohen, M. Goldszmidt, T. Kelly, J. Symons, andJ. S. Chase. Correlating instrumentation data tosystem states: A building block for automateddiagnosis and control. In Proc. 6th USENIX OSDI,San Francisco, CA, Dec. 2004.
[6] R. O. Duda, P. E. Hart, and D. G. Stork. PatternClassification. Wiley, second edition, 2001.
[7] D. Jacobs. Distributed computing with BEAWebLogic server. In Proceedings of the Conference on
Innovative Data Systems Research, Asilomar, CA,Jan. 2003.
[8] R. Jain. The Art of Computer Systems PerformanceAnalysis. Wiley-Interscience, New York, NY, 1991.
[9] J. O. Kephart and W. C. Arnold. Signatures. In Proc.
4th Virus Bulletin International Conference, 1994.http://www.research.ibm.com/antivirus/
SciPapers/Kephart/VB94/vb94.html.
[10] E. Kıcıman and A. Fox. Detecting application-levelfailures in component-based internet services. IEEETransactions on Neural Networks, Spring 2005.
[11] D. Mosberger and T. Jin. httperf—a tool formeasuring web server performance. http://www.hpl.hp.com/personal/David Mosberger/httperf.html.
[12] B. Mukherjee, L. T. Heberlein, and K. N. Levitt.Network intrusion detection. IEEE Network,8(3):26–41, May 1994.
[13] V. S. Pai, P. Druschel, and W. Zwaenepoel. IO-Lite:A unified I/O buffering and caching system. ACMTrans. Comput. Sys., 18(1):37–66, Feb. 2000.
[14] J. Pearl. Causality: Models, Reasoning, and Inference.Cambridge University Press, 2000.
[15] J. A. Redstone, M. M. Swift, and B. N. Bershad.Using computers to diagnose computer problems. InProc. HotOS IX, pages 91–96, May 2003.
[16] M. Steinder and A. S. Sethi. A survey of faultlocalization techniques in computer networks. Scienceof Computer Programming, 53:165–194, 2004.
[17] System Management Arts (SMARTS) Inc.Automating root cause analysis, 2001.http://www.smarts.com.
[18] The Open Group. Application Response Measurement(ARM) 2.0 Technical Standard, July 1998. http://www.opengroup.org/onlinepubs/009619299/toc.pdf.
[19] M. Welsh, D. Culler, and E. Brewer. SEDA: Anarchitecture for well-conditioned, scalable Internetservices. In Proc. 18th ACM SOSP, 2001.
[20] I. H. Witten and E. Frank. Data Mining: Practical
Machine Learning Tools and Techniques with Java
Implementations. Academic Press, 2000.
[21] S. A. Yemini, S. Kliger, E. Mozes, Y. Yemini, andD. Ohsie. High speed and robust event correlation.IEEE Communications Magazine, pages 82–90, May1996.
[22] S. Zhang, I. Cohen, M. Goldszmidt, J. Symons, andA. Fox. Ensembles of models for automated diagnosisof system performance problems. In DSN, 2005.