Publications | Yinfang CHEN

\* means co-primary authors.

2025

ICSE 2025

Large Language Models as Configuration Validators

Xinyu Lian*, Yinfang Chen*, Runxiang Cheng, Jie Huang, Parth Thakkar, and Tianyin Xu

In Proceedings of 47th International Conference on Software Engineering (ICSE’25), 2025

@inproceedings{lian2025configuration,
  title = {Large Language Models as Configuration Validators},
  author = {Lian*, Xinyu and Chen*, Yinfang and Cheng, Runxiang and Huang, Jie and Thakkar, Parth and Xu, Tianyin},
  year = {2025},
  booktitle = {Proceedings of 47th International Conference on Software Engineering (ICSE'25)},
}

ICSE 2025

Fidelity of Cloud Emulators: The Imitation Game of Testing Cloud-based Software

Anna Mazhar, Saad Sher Alam, William Zheng, Yinfang Chen, Suman Nath, and Tianyin Xu

In Proceedings of 47th International Conference on Software Engineering (ICSE’25), 2025

Bib

@inproceedings{mazhar2025fidelity,
  title = {Fidelity of Cloud Emulators: The Imitation Game of Testing Cloud-based Software},
  author = {Mazhar, Anna and Alam, Saad Sher and Zheng, William and Chen, Yinfang and Nath, Suman and Xu, Tianyin},
  year = {2025},
  booktitle = {Proceedings of 47th International Conference on Software Engineering (ICSE'25)},
}

2024

Preprint

AIOpsLab: A Holistic Framework to Evaluate AI Agents for Enabling Autonomous Clouds

Yinfang Chen, Manish Shetty, Gagan Somashekar, Minghua Ma, Yogesh Simmhan, Jonathan Mace, Chetan Bansal, Rujia Wang, and Saravan Rajmohan

Nov 2024

Bib PDF

@misc{chen2024aiopslab,
  title = {AIOpsLab: A Holistic Framework to Evaluate AI Agents for Enabling Autonomous Clouds},
  author = {Chen, Yinfang and Shetty, Manish and Somashekar, Gagan and Ma, Minghua and Simmhan, Yogesh and Mace, Jonathan and Bansal, Chetan and Wang, Rujia and Rajmohan, Saravan},
  year = {2024},
  booktitle = {Under submission},
  month = nov,
  url = {https://www.microsoft.com/en-us/research/publication/aiopslab-a-holistic-framework-for-evaluating-ai-agents-for-enabling-autonomous-cloud/}
}

EuroSys 2024
Automatic Root Cause Analysis via Large Language Models for Cloud Incidents

Yinfang Chen, Huaibing Xie, Minghua Ma, Yu Kang, Xin Gao, Liu Shi, Yunjie Cao, Xuedong Gao, Hao Fan, Ming Wen, Jun Zeng, Supriyo Ghosh, Xuchao Zhang, Chaoyun Zhang, Qingwei Lin, Saravan Rajmohan, Dongmei Zhang, and Tianyin Xu

In Proceedings of the 19th European Conference on Computer Systems (EuroSys’24), Apr 2024

Deployed at Microsoft

Abstract Bib PDF Slides Talk

Ensuring the reliability and availability of cloud services necessitates efficient root cause analysis (RCA) for cloud incidents. Traditional RCA methods, which rely on manual investigations of data sources such as logs and traces, are often laborious, error-prone, and challenging for on-call engineers. In this paper, we introduce RCACopilot, an innovative on-call system empowered by the large language model for automating RCA of cloud incidents. RCACopilot matches incoming incidents to corresponding incident handlers based on their alert types, aggregates the critical runtime diagnostic information, predicts the incident’s root cause category, and provides an explanatory narrative. We evaluate RCACopilot using a real-world dataset consisting of a year’s worth of incidents from Microsoft. Our evaluation demonstrates that RCACopilot achieves RCA accuracy up to 0.766. Furthermore, the diagnostic information collection component of RCACopilot has been successfully in use at Microsoft for over four years.
@inproceedings{chen2023automatic, title = {Automatic Root Cause Analysis via Large Language Models for Cloud Incidents}, author = {Chen, Yinfang and Xie, Huaibing and Ma, Minghua and Kang, Yu and Gao, Xin and Shi, Liu and Cao, Yunjie and Gao, Xuedong and Fan, Hao and Wen, Ming and Zeng, Jun and Ghosh, Supriyo and Zhang, Xuchao and Zhang, Chaoyun and Lin, Qingwei and Rajmohan, Saravan and Zhang, Dongmei and Xu, Tianyin}, booktitle = {Proceedings of the 19th European Conference on Computer Systems (EuroSys'24)}, year = {2024}, month = apr, }

SoCC 2024

Building AI Agents for Autonomous Clouds: Challenges and Design Principles

Manish Shetty, Yinfang Chen, Gagan Somashekar, Minghua Ma, Yogesh Simmhan, Xuchao Zhang, Jonathan Mace, Dax Vandevoorde, Pedro Las-Casas, Shachee Mishra Gupta, Suman Nath, Chetan Bansal, and Saravan Rajmohan

In Proceedings of 15th ACM Symposium on Cloud Computing (SoCC’24), Apr 2024

Featured by Microsoft Research Blog

Bib PDF

@inproceedings{shetty2024building,
  title = {Building AI Agents for Autonomous Clouds: Challenges and Design Principles},
  author = {Shetty, Manish and Chen, Yinfang and Somashekar, Gagan and Ma, Minghua and Simmhan, Yogesh and Zhang, Xuchao and Mace, Jonathan and Vandevoorde, Dax and Las-Casas, Pedro and Gupta, Shachee Mishra and Nath, Suman and Bansal, Chetan and Rajmohan, Saravan},
  year = {2024},
  booktitle = {Proceedings of 15th ACM Symposium on Cloud Computing (SoCC'24)},
}

2023

NSDI 2023
Push-Button Reliability Testing for Cloud-Backed Applications with Rainmaker

Yinfang Chen, Xudong Sun, Suman Nath, Ze Yang, and Tianyin Xu

In Proceedings of the 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI’23), Apr 2023

Featured by The Weekend Read

Abstract Bib PDF Code Slides Talk

Modern applications have been emerging towards a cloudbased programming model where applications depend on cloud services for various functionalities. Such “cloud native” practice greatly simplifies application deployment and realizes cloud benefits (e.g., availability). Meanwhile, it imposes emerging reliability challenges for addressing fault models of the opaque cloud and less predictable Internet connections. In this paper, we discuss these reliability challenges. We develop a taxonomy of bugs that render cloud-backed applications vulnerable to common transient faults. We show that (mis)handling transient error(s) of even one REST call interaction can adversely affect application correctness. We take a first step to address the challenges by building a “push-button” reliability testing tool named Rainmaker, as a basic SDK utility for any cloud-backed application. Rainmaker helps developers anticipate the myriad of errors under the cloud-based fault model, without a need to write new policies, oracles, or test cases. Rainmaker directly works with existing test suites and is a plug-and-play tool for existing test environments. Rainmaker injects faults in the interactions between the application and cloud services. It does so at the REST layer, and thus is transparent to applications under test. More importantly, it encodes automatic fault injection policies to cover the various taxonomized bug patterns, and automatic oracles that embrace existing in-house software tests. To date, Rainmaker has detected 73 bugs (55 confirmed and 51 fixed) in 11 popular cloud-backed applications.
@inproceedings{chen2023push-button, title = {Push-Button Reliability Testing for Cloud-Backed Applications with Rainmaker}, author = {Chen, Yinfang and Sun, Xudong and Nath, Suman and Yang, Ze and Xu, Tianyin}, booktitle = {Proceedings of the 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI'23)}, year = {2023}, month = apr, url = {https://www.microsoft.com/en-us/research/publication/push-button-reliability-testing-for-cloud-backed-applications-with-rainmaker/}, }
S&P 2023
SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions

Muhammad Adil Inam, Yinfang Chen, Akul Goyal, Jason Liu, Jaron Mink, Noor Michael, Sneha Gaur, Adam Bates, and Wajih Ul Hassan

In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P’23), May 2023

Abstract Bib PDF Talk

Auditing, a central pillar of operating system security, has only recently come into its own as an active area of public research. This resurgent interest is due in large part to the notion of data provenance, a technique that iteratively parses audit log entries into a dependency graph that explains the history of system execution. Provenance facilitates precise threat detection and investigation through causal analysis of sophisticated intrusion behaviors. However, the absence of a foundational audit literature, combined with the rapid publication of recent findings, makes it difficult to gain a holistic picture of advancements and open challenges in the area. In this work, we survey and categorize the provenance-based system auditing literature, distilling contributions into a layered taxonomy based on the audit log capture and analysis pipeline. Recognizing that the Reduction Layer remains a key obstacle to the further proliferation of causal analysis technologies, we delve further on this issue by conducting an ambitious independent evaluation of 8 exemplar reduction techniques against the recently-released DARPA Transparent Computing datasets. Our experiments uncover that past approaches frequently prune an overlapping set of activities from audit logs, reducing the synergistic benefits from applying them in tandem; further, we observe an inverse relation between storage efficiency and anomaly detection performance. However, we also observe that log reduction techniques are able to synergize effectively with data compression, potentially reducing log retention costs by multiple orders of magnitude. We conclude by discussing promising future directions for the field.
@inproceedings{inam2023sok, title = {SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions}, author = {Inam, Muhammad Adil and Chen, Yinfang and Goyal, Akul and Liu, Jason and Mink, Jaron and Michael, Noor and Gaur, Sneha and Bates, Adam and Hassan, Wajih Ul}, booktitle = {Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P'23)}, pages = {307--325}, year = {2023}, month = may, organization = {IEEE}, }

2022

S&P 2022
Shadewatcher: Recommendation-guided cyber threat analysis using system audit records

Jun Zeng, Xiang Wang, Jiahao Liu, Yinfang Chen, Zhenkai Liang, Tat-Seng Chua, and Zheng Leong Chua

In Proceedings of the 43rd IEEE Symposium on Security and Privacy (S&P’22), May 2022

Abstract Bib PDF Code Slides Talk

System auditing provides a low-level view into cyber threats by monitoring system entity interactions. In response to advanced cyber-attacks, one prevalent solution is to apply data provenance analysis on audit records to search for anomalies (anomalous behaviors) or specifications of known attacks. However, existing approaches suffer from several limitations: 1) generating high volumes of false alarms, 2) relying on expert knowledge, or 3) producing coarse-grained detection signals. In this paper, we recognize the structural similarity between threat detection in cybersecurity and recommendation in information retrieval. By mapping security concepts of system entity interactions to recommendation concepts of user-item interactions, we identify cyber threats by predicting the preferences of a system entity on its interactive entities. Furthermore, inspired by the recent advances in modeling high-order connectivity via item side information in the recommendation, we transfer the insight to cyber threat analysis and customize an automated detection system, SHADEWATCHER. It fulfills the potential of high-order information in audit records via graph neural networks to improve detection effectiveness. Besides, we equip SHADEWATCHER with dynamic updates towards better generalization to false alarms. In our evaluation against both real-life and simulated cyber-attack scenarios, SHADEWATCHER shows its advantage in identifying threats with high precision and recall rates. Moreover, SHADEWATCHER is capable of pinpointing threats from nearly a million system entity interactions within seconds.
@inproceedings{zeng2022shadewatcher, title = {Shadewatcher: Recommendation-guided cyber threat analysis using system audit records}, author = {Zeng, Jun and Wang, Xiang and Liu, Jiahao and Chen, Yinfang and Liang, Zhenkai and Chua, Tat-Seng and Chua, Zheng Leong}, booktitle = {Proceedings of the 43rd IEEE Symposium on Security and Privacy (S&P'22)}, pages = {489--506}, year = {2022}, month = may, organization = {IEEE}, }

2021

NDSS 2021
WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics

Jun Zeng, Zheng Leong Chua, Yinfang Chen, Kaihang Ji, Zhenkai Liang, and Jian Mao

In Proceedings of the 28th Annual Network and Distributed System Security Symposium (NDSS’21), Feb 2021

Abstract Bib PDF Slides Talk

Endpoint monitoring solutions are widely deployed in today’s enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security incidents. Unfortunately, to recognize behaviors of interest and detect potential threats, cyber analysts face a semantic gap between low-level audit events and high-level system behaviors. To bridge this gap, existing work largely matches streams of audit logs against a knowledge base of rules that describe behaviors. However, specifying such rules heavily relies on expert knowledge. In this paper, we present WATSON, an automated approach to abstracting behaviors by inferring and aggregating the semantics of audit events. WATSON uncovers the semantics of events through their usage context in audit logs. By extracting behaviors as connected system operations, WATSON then combines event semantics as the representation of behaviors. To reduce analysis workload, WATSON further clusters semantically similar behaviors and distinguishes the representatives for analyst investigation. In our evaluation against both benign and malicious behaviors, WATSON exhibits high accuracy for behavior abstraction. Moreover, WATSON can reduce analysis workload by two orders of magnitude for attack investigation.
@inproceedings{zeng2021watson, title = {WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics}, author = {Zeng, Jun and Chua, Zheng Leong and Chen, Yinfang and Ji, Kaihang and Liang, Zhenkai and Mao, Jian}, booktitle = {Proceedings of the 28th Annual Network and Distributed System Security Symposium (NDSS'21)}, year = {2021}, month = feb, }