Early Detection of Fraud Storms in the Cloud

  • Hani NeuvirthEmail author
  • Yehuda Finkelstein
  • Amit Hilbuch
  • Shai Nahum
  • Daniel Alon
  • Elad Yom-Tov
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9286)


Cloud computing resources are sometimes hijacked for fraudulent use. While some fraudulent use manifests as a small-scale resource consumption, a more serious type of fraud is that of fraud storms, which are events of large-scale fraudulent use. These events begin when fraudulent users discover new vulnerabilities in the sign up process, which they then exploit in mass. The ability to perform early detection of these storms is a critical component of any cloud-based public computing system.

In this work we analyze telemetry data from Microsoft Azure to detect fraud storms and raise early alerts on sudden increases in fraudulent use. The use of machine learning approaches to identify such anomalous events involves two inherent challenges: the scarcity of these events, and at the same time, the high frequency of anomalous events in cloud systems.

We compare the performance of a supervised approach to the one achieved by an unsupervised, multivariate anomaly detection framework. We further evaluate the system performance taking into account practical considerations of robustness in the presence of missing values, and minimization of the model’s data collection period.

This paper describes the system, as well as the underlying machine learning algorithms applied. A beta version of the system is deployed and used to continuously control fraud levels in Azure.


Cloud Computing Anomaly Detection Cloud System Offer Type Supervise Approach 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bhaduri, K., Das, K., Matthews, B.L.: Detecting abnormal machine characteristics in cloud infrastructures. In: 2011 IEEE 11th International Conference on Data Mining Workshops (ICDMW), pp. 137–144. IEEE (2011)Google Scholar
  2. 2.
    Zhu, Q., Tung, T., Xie, Q.: Automatic fault diagnosis in cloud infrastructure. In: 2013 IEEE 5th International Conference on Cloud Computing Technology and Science (CloudCom), pp. 467–474. IEEE (2013)Google Scholar
  3. 3.
    Hormozi, E., Hormozi, H., Akbari, M.K., Javan, M.S.: Using of machine learning into cloud environment (A Survey): managing and scheduling of resources in cloud systems. In: 2012 Seventh International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), pp. 363–368 (2012)Google Scholar
  4. 4.
    Beloglazov, A., Buyya, R.: Energy efficient resource management in virtualized cloud data centers. In: Proceedings of the 2010 10th IEEE/ACM International Conference on Cluster, Cloud and Grid Computing, pp. 826–831. IEEE Computer Society (2010)Google Scholar
  5. 5.
    Beloglazov, A., Abawajy, J., Buyya, R.: Energy-aware resource allocation heuristics for efficient management of data centers for cloud computing. Future Gener. Comput. Syst. 28, 755–768 (2012)CrossRefzbMATHGoogle Scholar
  6. 6.
    Hashizume, K., Rosado, D.G., Fernández-Medina, E., Fernandez, E.B.: An analysis of security issues for cloud computing. J. Internet Serv. Appl. 4, 1–13 (2013)CrossRefGoogle Scholar
  7. 7.
    Fernandes, D.A., Soares, L.F., Gomes, J.V., Freire, M.M., Inácio, P.R.: Security issues in cloud environments: a survey. Int. J. Inf. Secur. 13, 113–170 (2014)CrossRefGoogle Scholar
  8. 8.
    Bontempi, G., Ben Taieb, S., Le Borgne, Y.-A.: Machine learning strategies for time series forecasting. In: Aufaure, M.-A., Zimányi, E. (eds.) eBISS 2012. LNBIP, vol. 138, pp. 62–77. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  9. 9.
    Aggarwal, C.C.: Outlier analysis. Springer Science & Business Media (2013)Google Scholar
  10. 10.
    Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: A survey. ACM Comput. Surv. CSUR. 41, 15 (2009)Google Scholar
  11. 11.
    Wang, C., Talwar, V., Schwan, K., Ranganathan, P.: Online detection of utility cloud anomalies using metric distributions. In: 2010 IEEE Network Operations and Management Symposium (NOMS), pp. 96–103. IEEE (2010)Google Scholar
  12. 12.
    Wang, C., Viswanathan, K., Choudur, L., Talwar, V., Satterfield, W., Schwan, K.: Statistical techniques for online anomaly detection in data centers. In: 2011 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 385–392 (2011)Google Scholar
  13. 13.
    Dean, D.J., Nguyen, H., Gu, X.: Ubl: unsupervised behavior learning for predicting performance anomalies in virtualized cloud systems. In: Proceedings of the 9th International Conference on Autonomic Computing, pp. 191–200. ACM (2012)Google Scholar
  14. 14.
    Vallis, O., Hochenbaum, J., Kejariwal, A.: A novel technique for long-term anomaly detection in the cloud. In: Proceedings of the 6th USENIX Conference on Hot Topics in Cloud Computing, USENIX Association, Berkeley, CA, USA, pp. 15–15 (2014)Google Scholar
  15. 15.
    Li, L., McCann, J., Pollard, N.S., Faloutsos, C.: Dynammo: Mining and summarization of coevolving sequences with missing values. In: Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 507–516. ACM (2009)Google Scholar
  16. 16.
    Wellenzohn, K., Mitterer, H., Gamper, J., Böhlen, M.H., Khayati, M.: Missing Value Imputation in Time Series using Top-k Case MatchingGoogle Scholar
  17. 17.
    Xie, Y., Huang, J., Willett, R.: Changepoint detection for high-dimensional time series with missing data. ArXiv Prepr. ArXiv12085062 (2012)Google Scholar
  18. 18.
    Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in Cloud. J. Netw. Comput. Appl. 36, 42–57 (2013)CrossRefGoogle Scholar
  19. 19.
    Bay, S., Saito, K., Ueda, N., Langley, P.: A framework for discovering anomalous regimes in multivariate time-series data with local models. In: Symposium on Machine Learning for Anomaly Detection, Stanford, USA (2004)Google Scholar
  20. 20.
    Rousseeuw, P.J., Driessen, K.V.: A fast algorithm for the minimum covariance determinant estimator. Technometrics 41, 212–223 (1999)CrossRefGoogle Scholar
  21. 21.
  22. 22.
    Genz, A., Bretz, F.: Computation of multivariate normal and t probabilities. Springer Science & Business Media (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Hani Neuvirth
    • 1
    Email author
  • Yehuda Finkelstein
    • 1
  • Amit Hilbuch
    • 1
  • Shai Nahum
    • 1
  • Daniel Alon
    • 1
  • Elad Yom-Tov
    • 2
  1. 1.Azure Cyber-Security Group, MicrosoftHerzeliaIsrael
  2. 2.Microsoft ResearchHerzeliaIsrael

Personalised recommendations