Hen Amar,Lingfeng Bao,Nimrod Busany,David Lo,Shahar Maoz

DOI: https://doi.org/10.1145/3236024.3236069

2018-01-01

Abstract:Much work has been published on extracting various kinds of models from logs that document the execution of running systems. In many cases, however, for example in the context of evolution, testing, or malware analysis, engineers are interested not only in a single log but in a set of several logs, each of which originated from a different set of runs of the system at hand. Then, the difference between the logs is the main target of interest. In this work we investigate the use of finite-state models for log differencing. Rather than comparing the logs directly, we generate concise models to describe and highlight their differences. Specifically, we present two algorithms based on the classic k-Tails algorithm: 2KDiff, which computes and highlights simple traces containing sequences of k events that belong to one log but not the other, and nKDiff, which extends k-Tails from one to many logs, and distinguishes the sequences of length k that are common to all logs from the ones found in only some of them, all on top of a single, rich model. Both algorithms are sound and complete modulo the abstraction defined by the use of k-Tails. We implemented both algorithms and evaluated their performance on mutated logs that we generated based on models from the literature. We conducted a user study including 60 participants demonstrating the effectiveness of the approach in log differencing tasks. We have further performed a case study to examine the use of our approach in malware analysis. Finally, we have made our work available in a prototype web-application, for experiments.

Jiusun Zeng,Uwe Kruger,Jaap Geluk,Xun Wang,Lei Xie

DOI: https://doi.org/10.1016/j.automatica.2014.09.005

IF: 6.4

2014-01-01

Automatica

Abstract:This article develops statistics based on the Kullback–Leibler (KL) divergence to monitor large-scale technical systems. These statistics detect anomalous system behavior by comparing estimated density functions for the current process behavior with reference density functions. For Gaussian distributed process variables, the paper proves that the difference in density functions, measured by the KL divergence, is a more sensitive measure than existing work involving multivariate statistics. To cater for a wide range of potential application areas, the paper develops monitoring concepts for linear static systems, that can produce Gaussian as well as non-Gaussian distributed process variables. Using recorded data from a glass melter, the article demonstrates the increased sensitivity of the KL-based statistics by comparing them to competitive ones.

Tong Sun,Bowen Jiang,Lewei Jin,Wenzhao Zhang,Yi Gao,Zhendong Li,Wei Dong

DOI: https://doi.org/10.1109/tmc.2024.3407867

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Mobile application updates occur frequently, and they continue to add considerable traffic over the Internet. Differencing algorithms, which compute a small delta between the new version and the old version, are often employed to reduce the update overhead. Researchers have proposed many differencing algorithms over the years. Unfortunately, it is currently unknown how these algorithms quantitatively perform for different categories of applications. It is also challenging to know the impacts of different techniques and whether a technique in one algorithm can be integrated into another algorithm for further performance improvement. This paper conducts the first systematic study to understand the performance of four widely used differencing algorithms for mobile application updates, including xdelta3, bsdiff, archive-patcher, and HDiffPatch with respect to five key metrics, including compression ratio, differencing time/memory overhead, and reconstruction time/memory overhead. We perform measurements for 200 mobile applications, and analyze key techniques (such as decompressing-before-differencing, sliding window, and copy instructions merging) that influence the performance of these algorithms. We have provided four important findings which give insights to further optimize for performance improvement. Guided by these insights, we have also proposed a novel algorithm, sdiff , which achieves the smallest compression ratio to state-of-the-art algorithms by combining an appropriately chosen set of key techniques.

Avijit Maji,Abhik Ghosh,Ayanendranath Basu

DOI: https://doi.org/10.48550/arXiv.1407.3961

2014-07-15

Abstract:This paper introduces a new superfamily of divergences that is similar in spirit to the S-divergence family introduced by Ghosh et al. (2013). This new family serves as an umbrella that contains the logarithmic power divergence family (Renyi, 1961; Maji, Chakraborty and Basu 2014) and the logarithmic density power divergence family (Jones et al., 2001) as special cases. Various properties of this new family and the corresponding minimum distance procedures are discussed with particular emphasis on the robustness issue; these properties are demonstrated through simulation studies. In particular the method demonstrates the limitation of the first order influence function in assessing the robustness of the corresponding minimum distance procedures.

Methodology,Statistics Theory,Applications

Chungha Sung,Shuvendu Lahiri,Constantin Enea,Chao Wang

DOI: https://doi.org/10.48550/arXiv.1807.03777

2018-07-16

Abstract:When an evolving program is modified to address issues related to thread synchronization, there is a need to confirm the change is correct, i.e., it does not introduce unexpected behavior. However, manually comparing two programs to identify the semantic difference is labor intensive and error prone, whereas techniques based on model checking are computationally expensive. To fill the gap, we develop a fast and approximate static analysis for computing synchronization differences of two programs. The method is fast because, instead of relying on heavy-weight model checking techniques, it leverages a polynomial-time Datalog-based program analysis framework to compute differentiating data-flow edges, i.e., edges allowed by one program but not the other. Although approximation is used our method is sufficiently accurate due to careful design of the Datalog inference rules and iterative increase of the required data-flow edges for representing a difference. We have implemented our method and evaluated it on a large number of multithreaded C programs to confirm its ability to produce, often within seconds, the same differences obtained by human; in contrast, prior techniques based on model checking take minutes or even hours and thus can be 10x to 1000x slower.

Software Engineering,Programming Languages

Yintong Huo,Cheryl Lee,Yuxin Su,Shiwen Shan,Jinyang Liu,Michael R. Lyu

2023-08-15

Abstract:Software logs record system activities, aiding maintainers in identifying the underlying causes for failures and enabling prompt mitigation actions. However, maintainers need to inspect a large volume of daily logs to identify the anomalous logs that reveal failure details for further diagnosis. Thus, how to automatically distinguish these anomalous logs from normal logs becomes a critical problem. Existing approaches alleviate the burden on software maintainers, but they are built upon an improper yet critical assumption: logging statements in the software remain unchanged. While software keeps evolving, our empirical study finds that evolving software brings three challenges: log parsing errors, evolving log events, and unstable log sequences. In this paper, we propose a novel unsupervised approach named Evolving Log analyzer (EvLog) to mitigate these challenges. We first build a multi-level representation extractor to process logs without parsing to prevent errors from the parser. The multi-level representations preserve the essential semantics of logs while leaving out insignificant changes in evolving events. EvLog then implements an anomaly discriminator with an attention mechanism to identify the anomalous logs and avoid the issue brought by the unstable sequence. EvLog has shown effectiveness in two real-world system evolution log datasets with an average F1 score of 0.955 and 0.847 in the intra-version setting and inter-version setting, respectively, which outperforms other state-of-the-art approaches by a wide margin. To our best knowledge, this is the first study on localizing anomalous logs over software evolution. We believe our work sheds new light on the impact of software evolution with the corresponding solutions for the log analysis community.

Software Engineering

Shulei Kuang,Honghui Yang,Zijing Tan,Shuai Ma

DOI: https://doi.org/10.14778/3654621.3654624

2024-01-01

Abstract:Differential dependencies (DDs) are proposed to specify constraints on the differences between values, where the semantics of difference can be "similar", "dissimilar" and beyond. DDs subsume functional dependencies (FDs), and find valuable applications in tasks such as violation detection, duplicate identification, and quantitative data cleaning, among others. In this paper we present an efficient DD discovery method for finding hidden DDs from data. We encode differences between values in a novel structure called the "diff-set", and present a set of techniques for constructing the diff-set, discovering valid DDs with set cover enumeration of the diff-set, and eliminating non-minimal DDs. Our extensive experimental evaluation verifies that our method outperforms the existing DD discovery method up to orders of magnitude. Furthermore, our method is adapted to discover an important subclass of DDs, known as relaxed FDs (RFDs), and is also up to orders of magnitude faster than the state-of-the-art RFD discovery method.

Brock D Sherlock,Marko A A Boon,Maria Vlasiou,Adelle C F Coster

DOI: https://doi.org/10.1007/s11538-024-01331-y

2024-07-26

Abstract:While mean-field models of cellular operations have identified dominant processes at the macroscopic scale, stochastic models may provide further insight into mechanisms at the molecular scale. In order to identify plausible stochastic models, quantitative comparisons between the models and the experimental data are required. The data for these systems have small sample sizes and time-evolving distributions. The aim of this study is to identify appropriate distance metrics for the quantitative comparison of stochastic model outputs and time-evolving stochastic measurements of a system. We identify distance metrics with features suitable for driving parameter inference, model comparison, and model validation, constrained by data from multiple experimental protocols. In this study, stochastic model outputs are compared to synthetic data across three scales: that of the data at the points the system is sampled during the time course of each type of experiment; a combined distance across the time course of each experiment; and a combined distance across all the experiments. Two broad categories of comparators at each point were considered, based on the empirical cumulative distribution function (ECDF) of the data and of the model outputs: discrete based measures such as the Kolmogorov-Smirnov distance, and integrated measures such as the Wasserstein-1 distance between the ECDFs. It was found that the discrete based measures were highly sensitive to parameter changes near the synthetic data parameters, but were largely insensitive otherwise, whereas the integrated distances had smoother transitions as the parameters approached the true values. The integrated measures were also found to be robust to noise added to the synthetic data, replicating experimental error. The characteristics of the identified distances provides the basis for the design of an algorithm suitable for fitting stochastic models to real world stochastic data.

Dmytro Borysenkov,Adriano Vogel,Sören Henning,Esteban Perez-Wohlfeil

2024-11-08

Abstract:Logs are crucial for analyzing large-scale software systems, offering insights into system health, performance, security threats, potential bugs, etc. However, their chaotic nature$\unicode{x2013}$characterized by sheer volume, lack of standards, and variability$\unicode{x2013}$makes manual analysis complex. The use of clustering algorithms can assist by grouping logs into a smaller set of templates, but lose the temporal and relational context in doing so. On the contrary, Large Language Models (LLMs) can provide meaningful explanations but struggle with processing large collections efficiently. Moreover, representation techniques for both approaches are typically limited to either plain text or traditional charting, especially when dealing with large-scale systems. In this paper, we combine clustering and LLM summarization with event detection and Multidimensional Scaling through the use of Time Curves to produce a holistic pipeline that enables efficient and automatic summarization of vast collections of software system logs. The core of our approach is the proposal of a semimetric distance that effectively measures similarity between events, thus enabling a meaningful representation. We show that our method can explain the main events of logs collected from different applications without prior knowledge. We also show how the approach can be used to detect general trends as well as outliers in parallel and distributed systems by overlapping multiple projections. As a result, we expect a significant reduction of the time required to analyze and resolve system-wide issues, identify performance bottlenecks and security risks, debug applications, etc.

Software Engineering

Harshay Shah,Sung Min Park,Andrew Ilyas,Aleksander Madry

DOI: https://doi.org/10.48550/arXiv.2211.12491

2022-11-23

Abstract:We study the problem of (learning) algorithm comparison, where the goal is to find differences between models trained with two different learning algorithms. We begin by formalizing this goal as one of finding distinguishing feature transformations, i.e., input transformations that change the predictions of models trained with one learning algorithm but not the other. We then present ModelDiff, a method that leverages the datamodels framework (Ilyas et al., 2022) to compare learning algorithms based on how they use their training data. We demonstrate ModelDiff through three case studies, comparing models trained with/without data augmentation, with/without pre-training, and with different SGD hyperparameters. Our code is available at <a class="link-external link-https" href="https://github.com/MadryLab/modeldiff" rel="external noopener nofollow">this https URL</a> .

Machine Learning,Computer Vision and Pattern Recognition

Zian Liu,Zhi Zhang,Siqi Ma,Dongxi Liu,Jun Zhang,Chao Chen,Shigang Liu,Muhammad Ejaz Ahmed,Yang Xiang

2023-08-03

Abstract:Binary similarity detection is a critical technique that has been applied in many real-world scenarios where source code is not available, e.g., bug search, malware analysis, and code plagiarism detection. Existing works are ineffective in detecting similar binaries in cases where different compiling optimizations, compilers, source code versions, or obfuscation are deployed. We observe that all the cases do not change a binary's key code behaviors although they significantly modify its syntax and structure. With this key observation, we extract a set of key instructions from a binary to capture its key code behaviors. By detecting the similarity between two binaries' key instructions, we can address well the ineffectiveness limitation of existing works. Specifically, we translate each extracted key instruction into a self-defined key expression, generating a key-semantics graph based on the binary's control flow. Each node in the key-semantics graph denotes a key instruction, and the node attribute is the key expression. To quantify the similarity between two given key-semantics graphs, we first serialize each graph into a sequence of key expressions by topological sort. Then, we tokenize and concatenate key expressions to generate token lists. We calculate the locality-sensitive hash value for all token lists and quantify their similarity. %We implement a prototype, called SemDiff, consisting of two modules: graph generation and graph diffing. The first module generates a pair of key-semantics graphs and the second module diffs the graphs. Our evaluation results show that overall, SemDiff outperforms state-of-the-art tools when detecting the similarity of binaries generated from different optimization levels, compilers, and obfuscations. SemDiff is also effective for library version search and finding similar vulnerabilities in firmware.

Cryptography and Security

Andrzej Cichocki,Sergio Cruces,Shun-ichi Amari

DOI: https://doi.org/10.3390/e17052988

IF: 2.738

2015-05-08

Entropy

Abstract:This work reviews and extends a family of log-determinant (log-det) divergences for symmetric positive definite (SPD) matrices and discusses their fundamental properties. We show how to use parameterized Alpha-Beta (AB) and Gamma log-det divergences to generate many well-known divergences; in particular, we consider the Stein’s loss, the S-divergence, also called Jensen-Bregman LogDet (JBLD) divergence, Logdet Zero (Bhattacharyya) divergence, Affine Invariant Riemannian Metric (AIRM), and other divergences. Moreover, we establish links and correspondences between log-det divergences and visualise them on an alpha-beta plane for various sets of parameters. We use this unifying framework to interpret and extend existing similarity measures for semidefinite covariance matrices in finite-dimensional Reproducing Kernel Hilbert Spaces (RKHS). This paper also shows how the Alpha-Beta family of log-det divergences relates to the divergences of multivariate and multilinear normal distributions. Closed form formulas are derived for Gamma divergences of two multivariate Gaussian densities; the special cases of the Kullback-Leibler, Bhattacharyya, Rényi, and Cauchy-Schwartz divergences are discussed. Symmetrized versions of log-det divergences are also considered and briefly reviewed. Finally, a class of divergences is extended to multiway divergences for separable covariance (or precision) matrices.

physics, multidisciplinary

D. A. Khudyakov

DOI: https://doi.org/10.25205/1818-7900-2023-21-1-62-72

2023-08-28

Abstract:Software system developers must respond quickly to failures in order to avoid reputational and financial losses for their customers. Therefore, it is important to detect behavioral anomalies in the operation of software systems in a timely manner. At the moment, various tools for automatic monitoring of systems are being actively developed, but logs are the main tool for analyzing failures. Logs contain information about the operation of the system at various points of execution. Modern systems often have a distributed microservice architecture, which significantly complicates the task of analyzing logs. Logs of such systems are collected centrally from different microservices, forming a huge flow of information that is very difficult to analyze manually. However, the problem of identifying logs related to a specific request to the system is solved by distributed tracing, the use of which opens up wide opportunities for the introduction of automatic analysis. There are already many solutions for detecting anomalies in logs, but they do not take advantage of distributed tracing. The article is considered to solving the problem of detecting behavioral anomalies in the work of distributed software systems based on automatic analysis of log traces. The solution is based on the synthesis of machine learning methods. Log traces are preprocessed and cleaned using process mining methods. Next, vectorization and clustering of log messages is performed. After that, a long short-term memory network (LSTM) is used to analyze deviations in the sequences of processed logs. As a result of the work performed, a prototype of the anomaly detection system was developed and tested.

Arthur Gretton,Karsten Borgwardt,Malte J. Rasch,Bernhard Scholkopf,Alexander J. Smola

DOI: https://doi.org/10.48550/arXiv.0805.2368

2008-05-16

Abstract:We propose a framework for analyzing and comparing distributions, allowing us to design statistical tests to determine if two samples are drawn from different distributions. Our test statistic is the largest difference in expectations over functions in the unit ball of a reproducing kernel Hilbert space (RKHS). We present two tests based on large deviation bounds for the test statistic, while a third is based on the asymptotic distribution of this statistic. The test statistic can be computed in quadratic time, although efficient linear time approximations are available. Several classical metrics on distributions are recovered when the function space used to compute the difference in expectations is allowed to be more general (eg. a Banach space). We apply our two-sample tests to a variety of problems, including attribute matching for databases using the Hungarian marriage method, where they perform strongly. Excellent performance is also obtained when comparing distributions over graphs, for which these are the first such tests.

Machine Learning,Artificial Intelligence

Tsukasa Yagi,Shinpei Hayashi

DOI: https://doi.org/10.1109/SCAM63643.2024.00030

2024-09-26

Abstract:A source code difference (diff) indicates changes made by comparing new and old source codes, and it can be utilized in code reviews to help developers understand the changes made to the code. Although many diff generation methods have been proposed, existing automatic methods may generate nonoptimal diffs, hindering reviewers from understanding the changes. In this paper, we propose an interactive approach to optimize diffs. Users can provide feedback for the points of a diff that should not be matched but are or parts that should be matched but are not. The edit graph is updated based on this feedback, enabling users to obtain a more optimal diff. We simulated our proposed method by applying a search algorithm to empirically assess the number of feedback instances required and the amount of diff optimization resulting from the feedback to investigate the potential of this approach. The results of 23 GitHub projects confirm that 92% of nonoptimal diffs can be addressed with less than four feedback actions in the ideal case.

Software Engineering

Canbin Zheng,Lijie Wen,Jianmin Wang

DOI: https://doi.org/10.1007/978-3-319-69462-7_33

2017-01-01

Abstract:Traditional process discovery algorithms assume processes to be in a steady state. However, process models tend to be dynamic due to various factors, which has brought challenges such as change point detection, change localization and change process discovery. Existing techniques to identify change points are sensitive to parameters and the accuracy is not satisfactory. This paper proposes a novel approach to deal with such concept drift phenomenon. Event logs can be characterized by the relationships between activities, which motivates us to transform a log into a relation matrix. By detecting the always and never intervals in each row of the relation matrix, we obtain candidate change points for each relation. Finally, all the candidate change points are combined into an overall result. The approach is also able to localize the changes between different phases. Experiments on synthetic logs show that our approach is accurate and performs better than the state of the art in detecting sudden drift.

Loong Kuan Lee,Geoffrey I. Webb,Daniel F. Schmidt,Nico Piatkowski

2023-10-13

Abstract:The ability to compute the exact divergence between two high-dimensional distributions is useful in many applications but doing so naively is intractable. Computing the alpha-beta divergence -- a family of divergences that includes the Kullback-Leibler divergence and Hellinger distance -- between the joint distribution of two decomposable models, i.e chordal Markov networks, can be done in time exponential in the treewidth of these models. However, reducing the dissimilarity between two high-dimensional objects to a single scalar value can be uninformative. Furthermore, in applications such as supervised learning, the divergence over a conditional distribution might be of more interest. Therefore, we propose an approach to compute the exact alpha-beta divergence between any marginal or conditional distribution of two decomposable models. Doing so tractably is non-trivial as we need to decompose the divergence between these distributions and therefore, require a decomposition over the marginal and conditional distributions of these models. Consequently, we provide such a decomposition and also extend existing work to compute the marginal and conditional alpha-beta divergence between these decompositions. We then show how our method can be used to analyze distributional changes by first applying it to a benchmark image dataset. Finally, based on our framework, we propose a novel way to quantify the error in contemporary superconducting quantum computers. Code for all experiments is available at: https://lklee.dev/pub/2023-icdm/code

Machine Learning

Kunal Taneja,Tao Xie

2007-01-01

Abstract:Software systems continue to evolve throughout their lifetime. Maintenance of such evolving systems (that include regression testing) is one of the most expensive activities in software development. We present an approach called DiffGen for automated unit-test generation and checking for regression testing of Java programs. Given two versions of a Java class, our approach instruments the code by adding new branches such that if these branches can be covered by a test generation tool, behavioral differences between the two classes are exposed. DiffGen then uses a coverage-based test generation tool to generate test inputs for covering the added branches to expose behavioral differences. We have evaluated DiffGen on finding behavioral differences between 8 data-structure subjects and their versions synthesized through mutation testing and 13 larger subjects and their versions from the Subject Infrastructure Repository. Experimental results show that our approach can effectively expose many behavioral differences that cannot be exposed by state-of-the-art techniques.

Sameer K. Deshpande,Soumya Ghosh,Tin D. Nguyen,Tamara Broderick

2024-01-19

Abstract:Test log-likelihood is commonly used to compare different models of the same data or different approximate inference algorithms for fitting the same probabilistic model. We present simple examples demonstrating how comparisons based on test log-likelihood can contradict comparisons according to other objectives. Specifically, our examples show that (i) approximate Bayesian inference algorithms that attain higher test log-likelihoods need not also yield more accurate posterior approximations and (ii) conclusions about forecast accuracy based on test log-likelihood comparisons may not agree with conclusions based on root mean squared error.

Machine Learning,Other Statistics

Luca Mattia Rolla

DOI: https://doi.org/10.48550/arXiv.2306.13963

2023-11-09

Abstract:This article proposes a novel test for the martingale difference hypothesis based on the martingale difference divergence function, a recently developed dependence measure suitable for measuring the degree of conditional mean dependence of a random variable with respect to another. First, we discuss the use of martingale difference divergence in a time series framework as an alternative to the autocovariance function for detecting the existence of forms of nonlinear serial dependence. In particular, the measure equals zero if and only if the considered time-series components are conditionally mean-independent. This characteristic makes it suitable for studying the behavior of white noise processes characterized by non-null mean conditional on the past. We discuss the asymptotic properties of sample martingale difference divergence in a univariate time series framework, refining some of the results existing in the literature. Doing this allows us to build a Ljung-Box-type test statistic by summing the sample martingale difference divergence function over a finite number of lags. Under suitable conditions, the asymptotic null distribution of our test statistic is also established. The finite sample performance is discussed via a Monte Carlo study as we demonstrate its consistency against uncorrelated non-martingale processes. Finally, we show an empirical application for our methodology in analyzing the properties of the Standard and Poor's 500 stock index.

Applications